当前位置：文档库 › VLAN+NAT上网实验(有拓扑和配置文件)

VLAN+NAT上网实验(有拓扑和配置文件)

三层交换机多VLAN+NA T上网实验配置（有拓扑和配置文件）

说明：

适用中心三层交换机划多VLAN（间不能互访），VLAN通过路由NAT上网配置文件如下：

router1#show run

Building configuration...

Current configuration : 745 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname router1

boot-start-marker

boot-end-marker

no aaa new-model

memory-size iomem 5

ip cef

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

interface Serial1/0

ip address 172.16.0.2 255.255.255.0 serial restart-delay 0

interface Serial1/1

no ip address

shutdown

serial restart-delay 0

interface Serial1/2

no ip address

shutdown

serial restart-delay 0

interface Serial1/3

no ip address

shutdown

serial restart-delay 0

no ip http server

control-plane

line con 0

line aux 0

line vty 0 4

End

router2#show run

Building configuration...

Current configuration : 989 bytes

version 12.4

service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption

hostname router2

boot-start-marker

boot-end-marker

no aaa new-model

memory-size iomem 5

ip cef

interface FastEthernet0/0

ip address 192.168.0.1 255.255.255.0 ip nat inside

ip virtual-reassembly

speed 100

full-duplex

interface Serial1/0

ip address 172.16.0.1 255.255.255.0

ip nat outside

ip virtual-reassembly

serial restart-delay 0

interface Serial1/1

no ip address

shutdown

serial restart-delay 0

interface Serial1/2

no ip address

shutdown

serial restart-delay 0

interface Serial1/3

no ip address

shutdown

serial restart-delay 0

ip http server

ip route 192.168.0.0 255.255.0.0 192.168.0.2

ip nat inside source list 101 interface Serial1/0 overload !

access-list 101 permit ip 192.168.0.0 0.0.255.255 any !

control-plane

line con 0

line aux 0

line vty 0 4

End

sw1#show run

Building configuration...

Current configuration : 1284 bytes

version 12.4

service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption

hostname sw1

boot-start-marker

boot-end-marker

no aaa new-model

memory-size iomem 5

ip cef

interface FastEthernet1/0

interface FastEthernet1/1

no switchport

ip address 192.168.0.2 255.255.255.0 !

interface FastEthernet1/2

interface FastEthernet1/3

switchport access vlan 10

vlan-id dot1q 10

exit-vlan-config

interface FastEthernet1/4

switchport access vlan 20

interface FastEthernet1/5

interface FastEthernet1/6

interface FastEthernet1/7

interface FastEthernet1/8

interface FastEthernet1/9

interface FastEthernet1/10

interface FastEthernet1/11

interface FastEthernet1/12

interface FastEthernet1/13

interface FastEthernet1/14

interface FastEthernet1/15

interface Vlan1

no ip address

interface Vlan10

ip address 192.168.10.1 255.255.255.0

ip access-group 101 in

interface Vlan20

ip address 192.168.20.1 255.255.255.0

no ip http server

ip route 0.0.0.0 0.0.0.0 192.168.0.1

access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 access-list 101 permit ip any any

control-plane

line con 0

line aux 0

line vty 0 4

End

pc1#show run

Building configuration...

Current configuration : 385 bytes

version 12.2

service timestamps debug uptime service timestamps log uptime

no service password-encryption

hostname pc1

ip subnet-zero

no ip routing

interface FastEthernet0/0

ip address 192.168.10.10 255.255.255.0 no ip route-cache

speed 100

full-duplex

ip default-gateway 192.168.10.1

ip classless

ip http server

line con 0

line aux 0

line vty 0 4

End

pc2#show run

Building configuration...

Current configuration : 385 bytes

version 12.2

service timestamps debug uptime service timestamps log uptime

no service password-encryption

hostname pc2

ip subnet-zero

no ip routing

interface FastEthernet0/0

ip address 192.168.20.10 255.255.255.0 no ip route-cache

speed 100

full-duplex

ip default-gateway 192.168.20.1

ip classless

ip http server

line con 0

line aux 0

line vty 0 4

End

三层交换机配置多VLAN和DHCP服务器实例（转）

2008-07-18 12:04

因为公司的网络升级需要划分VLAN，多VLAN下所有的客户端要使用DHCP来自动分配IP地址。其实DHCP服务器我们使用多的是Windows的DHCP，Linux下的DHCP服务。但是3550本身也是可以担当DHCP服务器的。经过简单配置测试通过。详细配置过程作为日后参考。

VLAN划分及地址分配：

一台3550EMI交换机，划分7个vlan10、vlan20、vlan30、vlan40、vlan50、vlan60、vlan2。vlan2为服务器所在网络，vlan10、vlan20、vlan30、vlan40、vlan50、vlan60为客户机所在vlan，IP地址段和vlan的对应关系如下：

vlan2、 192.168.251.0 255.255.255.0 网关 192.168.251.1

vlan10、192.168.10.0 255.255.255.0 网关 192.168.10.1

vlan20、192.168.20.0 255.255.255.0 网关 192.168.20.254

vlan30、192.168.30.0 255.255.255.0 网关 192.168.30.254

vlan40、192.168.40.0 255.255.255.0 网关 192.168.40.254

vlan50、192.168.50.0 255.255.255.0 网关 192.168.50.254

vlan60、192.168.60.0 255.255.255.0 网关 192.168.60.254

/*注意：这里在规划的时候各vlan的网关IP就是将来划分vlan是个vlan的接口IP地址*/。

端口1-4默认划到VLAN1（保留备用），端口5-6划分到VLAN60,端口7-8划分到VLAN50，端口9-10划分到VLAN40,端口11-12划分到VLAN30，端口13-14划分到VLAN20,端口15-16划分到VLAN10，端口17-24划分到VLAN2。

DHCP服务器实现功能:

各VLAN保留200-254的IP地址不分配置，VLAN2保留251.1到251.10以及251.101到251.254。

安全要求:

VLAN允许互相访问,但都可以访问服务器所在的VLAN 2,默认访问控制列表的规则是接受所有包. 基本配置命令如下：

Switch>en

Switch#hostname gpcn-core

gpcn-core#ip address 192.168.252.254 255.255.255.0

/*注意：此处配置IP地址主要是我们在远程可以对交换机进行管理以完成下面的配置，当然根据个人的使用习惯也可以用单机使用Consle线缆通过超级终端来配置*/

关键配置命令及步骤如下：

第一步：创建VLAN：

gpcn-core>en

gpcn-core#Vlan Database

gpcn-core(Vlan)>Vlan 2 Name servers

gpcn-core(Vlan)>Vlan 10 Name Clent_Unit

gpcn-core(vlan)>Vlan 20 Name Server_Unit

gpcn-core(Vlan)>Vlan 30 Name QA_Unit

gpcn-core(vlan)>Vlan 40 Name HR_Department

gpcn-core(Vlan)>Vlan 50 Name AP&Guest

gpcn-core(vlan)>Vlan 60 Name OM_Department

第二步：设置VLAN IP地址：

gpcn-core#Config T

gpcn-core(Config)>Int Vlan 2

gpcn-core(Config-vlan)Ip Address 192.168.251.1 255.255.255.0

gpcn-core(Config-vlan)No Shut

gpcn-core(Config-vlan)>Int Vlan 10

gpcn-core(Config-vlan)Ip Address 192.168.10.254 255.255.255.0

gpcn-core(Config-vlan)No Shut

gpcn-core(Config-vlan)>Int Vlan 20

gpcn-core(Config-vlan)Ip Address 192.168.20.254 255.255.255.0

gpcn-core(Config-vlan)No Shut

gpcn-core(Config-vlan)>Int Vlan 30

gpcn-core(Config-vlan)Ip Address 192.168.30.254 255.255.255.0

gpcn-core(Config-vlan)No Shut

gpcn-core(Config-vlan)>Int Vlan 40

gpcn-core(Config-vlan)Ip Address 192.168.40.254 255.255.255.0

gpcn-core(Config-vlan)No Shut

gpcn-core(Config-vlan)>Int Vlan 50

gpcn-core(Config-vlan)Ip Address 192.168.50.254 255.255.255.0

gpcn-core(Config-vlan)No Shut

gpcn-core(Config-vlan)>Int Vlan 60

gpcn-core(Config-vlan)Ip Address 192.168.60.254 255.255.255.0

gpcn-core(Config-vlan)No Shut

gpcn-core(Config-vlan)Exit

/*注意：由于此时没有将端口分配置到各VLAN，所以各VLAN会DOWN掉，待将端口分配到各VLAN后，VLAN会起来*/

第三步：设置端口全局参数

gpcn-core(Config)Interface Range Fa 0/1 - 24

gpcn-core(Config-if-range)Switchport Mode Access

gpcn-core(Config-if-range)Spanning-tree Portfast

/*注意：Spanning-tree Portfast是针对端口连接的设备类型为PC客户端的，如果端口级联的是交换机可以不做设置*/

第四步：将端口添加到对应的各VLAN中，下面的端口范围之间有空格

/*将端口17-24添加到VLAN2*/

gpcn-core(Config)Interface Range Fa 0/17 - 25

gpcn-core(Config-if-range)Switchport Access Vlan 2

/*将端口15-16添加到VLAN 10*/

gpcn-core(Config)Interface Range Fa 0/15 - 16

gpcn-core(Config-if-range)Switchport Access Vlan 10

/*下面依次配置*/

gpcn-core(Config)Interface Range Fa 0/13 - 14

gpcn-core(Config-if-range)Switchport Access Vlan 20

gpcn-core(Config)Interface Range Fa 0/11 - 12

gpcn-core(Config-if-range)Switchport Access Vlan 30

gpcn-core(Config)Interface Range Fa 0/9 - 10

gpcn-core(Config-if-range)Switchport Access Vlan 40

gpcn-core(Config)Interface Range Fa 0/7 - 8

gpcn-core(Config-if-range)Switchport Access Vlan 50

gpcn-core(Config)Interface Range Fa 0/5 - 6

gpcn-core(Config-if-range)Switchport Access Vlan 60

gpcn-core(Config-if-range)Exit

/*经过这一步后，各VLAN会起来*/

第五步配置3550作为DHCP服务器

/*VLAN 2可用地址池和相应参数的配置,有几个VLAN要设几个地址池*/ gpcn-core(Config)Ip Dhcp Pool vlan2

/*设置可分配的子网*/

gpcn-core(Config-pool)Network 192.168.251.0 255.255.255.0

/*设置DNS服务器*/

gpcn-core(Config-pool)Dns-server 210.22.70.3 202.96.209.133

/*设置该子网的网关*/

gpcn-core(Config-pool)Default-router 192.168.251.254

/*配置VLAN 10所用的地址池和相应参数*/

gpcn-core(Config)Ip Dhcp Pool vlan10

gpcn-core(Config-pool)Network 192.168.10.0 255.255.255.0

gpcn-core(Config-pool)Dns-server 210.22.70.3 202.96.209.133 gpcn-core(Config-pool)Default-router 192.168.10.254

/*下面依次配置*/

gpcn-core(Config)Ip Dhcp Pool vlan20

gpcn-core(Config-pool)Network 192.168.20.0 255.255.255.0

gpcn-core(Config-pool)Dns-server 210.22.70.3 202.96.209.133 gpcn-core(Config-pool)Default-router 192.168.20.254

gpcn-core(Config)Ip Dhcp Pool vlan20

gpcn-core(Config-pool)Network 192.168.20.0 255.255.255.0

gpcn-core(Config-pool)Dns-server 210.22.70.3 202.96.209.133 gpcn-core(Config-pool)Default-router 192.168.20.254

gpcn-core(Config)Ip Dhcp Pool vlan30

gpcn-core(Config-pool)Network 192.168.30.0 255.255.255.0

gpcn-core(Config-pool)Dns-server 210.22.70.3 202.96.209.133 gpcn-core(Config-pool)Default-router 192.168.30.254

gpcn-core(Config)Ip Dhcp Pool vlan40

gpcn-core(Config-pool)Network 192.168.40.0 255.255.255.0

gpcn-core(Config-pool)Dns-server 210.22.70.3 202.96.209.133 gpcn-core(Config-pool)Default-router 192.168.40.254

gpcn-core(Config)Ip Dhcp Pool vlan50

gpcn-core(Config-pool)Network 192.168.50.0 255.255.255.0

gpcn-core(Config-pool)Dns-server 210.22.70.3 202.96.209.133

gpcn-core(Config-pool)Default-router 192.168.50.254

gpcn-core(Config)Ip Dhcp Pool vlan60

gpcn-core(Config-pool)Network 192.168.60.0 255.255.255.0

gpcn-core(Config-pool)Dns-server 210.22.70.3 202.96.209.133

gpcn-core(Config-pool)Default-router 192.168.60.254

第六步:设置DHCP保留不分配的地址

gpcn-core(Config)ip dhcp excluded-address 192.168.10.200 192.168.10.254 gpcn-core(Config)ip dhcp excluded-address 192.168.20.200 192.168.20.254 gpcn-core(Config)ip dhcp excluded-address 192.168.30.200 192.168.30.254 gpcn-core(Config)ip dhcp excluded-address 192.168.40.200 192.168.40.254 gpcn-core(Config)ip dhcp excluded-address 192.168.50.200 192.168.50.254 gpcn-core(Config)ip dhcp excluded-address 192.168.60.200 192.168.60.254 gpcn-core(Config)ip dhcp excluded-address 192.168.251.101

192.168.251.254

gpcn-core(Config)ip dhcp excluded-address 192.168.251.1 192.168.251.10

第七步:启用路由

/*路由启用后,各VLAN间主机可互相访问*/

gpcn-core(Config)Ip Routing

gpcn-core(Config-vlan)ip access-group 103 out

gpcn-core(Config-vlan)Int Vlan 4

gpcn-core(Config-vlan)ip access-group 104 out

第八步：设置路由

gpcn-core(Config)ip route 0.0.0.0 0.0.0.0 192.168.251.254

第八步：结束并保存配置

gpcn-core(Config-vlan)End45

gpcn-core#Copy Run Start

2008.12.26简单的实现功能自己测试的实验也成功，拓扑如下：

实验目的：1．路由器1841上做NAT静态转换。

2．交换机3550上做vlan10、20，也不连个网段互不访问

3．交换机3550 上做DHCP服务器，且PC2,PC3转却自动获得个VLAN的IP地址成功且带DNS地址和网关。

配置如下：

路由器1841

Building configuration...

Current configuration : 578 bytes

version 12.4

no service password-encryption

hostname Router

ip ssh version 1

interface FastEthernet0/0

ip address 192.168.0.1 255.255.255.0

ip nat inside

duplex auto

speed auto

interface FastEthernet0/1

ip address 172.16.0.1 255.255.255.0

ip nat outside

duplex auto

speed auto

interface Vlan1

no ip address

shutdown

ip nat inside source list 101 interface FastEthernet0/1 overload ip classless

ip route 192.168.0.0 255.255.0.0 192.168.0.2

access-list 101 permit ip 192.168.0.0 0.0.255.255 any

line con 0

line vty 0 4

End

交换机3550上配置：

Building configuration...

Current configuration : 2650 bytes

version 12.2

no service password-encryption

hostname Switch

ip routing

ip ssh version 1

port-channel load-balance src-mac

interface FastEthernet0/1

no switchport

ip address 192.168.0.2 255.255.255.0 duplex auto

speed auto

interface FastEthernet0/2

interface FastEthernet0/3 switchport access vlan 10

interface FastEthernet0/4 switchport access vlan 20

interface FastEthernet0/5 switchport access vlan 10 switchport mode access

interface FastEthernet0/6 switchport access vlan 10 switchport mode access

interface FastEthernet0/7 switchport access vlan 10

interface FastEthernet0/8 switchport access vlan 10 switchport mode access !

interface FastEthernet0/9 switchport access vlan 10 switchport mode access !

interface FastEthernet0/10 switchport access vlan 10 switchport mode access !

interface FastEthernet0/11 switchport access vlan 10 switchport mode access !

interface FastEthernet0/12 switchport access vlan 10 switchport mode access !

interface FastEthernet0/13 switchport access vlan 10 switchport mode access !

interface FastEthernet0/14 switchport access vlan 10 switchport mode access !

interface FastEthernet0/15 switchport access vlan 10 switchport mode access !

interface FastEthernet0/16 switchport access vlan 20 switchport mode access !

interface FastEthernet0/17 switchport access vlan 20 switchport mode access !

interface FastEthernet0/18 switchport access vlan 20

interface FastEthernet0/19 switchport access vlan 20 switchport mode access

interface FastEthernet0/20 switchport access vlan 20 switchport mode access

interface FastEthernet0/21 switchport access vlan 20 switchport mode access

interface FastEthernet0/22 switchport access vlan 20 switchport mode access

interface FastEthernet0/23 switchport access vlan 20 switchport mode access

interface FastEthernet0/24 switchport access vlan 20 switchport mode access

interface GigabitEthernet0/1

interface GigabitEthernet0/2

interface Vlan1

no ip address

shutdown

interface Vlan10

ip address 192.168.10.1 255.255.255.0 ip access-group 101 in

interface Vlan20

ip address 192.168.20.1 255.255.255.0 !

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.0.1

access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 access-list 101 permit ip any any

ip dhcp pool vlan2

network 192.168.10.0 255.255.255.0

default-router 192.168.10.1

dns-server 222.88.88.88

ip dhcp pool vlan20

network 192.168.20.0 255.255.255.0

default-router 192.168.20.1

dns-server 222.88.88.88

line con 0

line vty 0 4

End