中小型企业网络规划及实施方案

switchport mode trunk no shutdown exit interface aggregateport 1 //创建聚合接口AGI switchport mode access switchport mode trunk //配置AG模式为trunk exit interface range fa 0/1-2 //进入接口0/1和0/2 port-group 1 //配置接口0/1和0/2属于AGI exit spanning-tree //开启生成树协议 spanning-tree mode rstp //指定生成树协议的类型为RSTP interface vlan 40 //配置SVI ip address 172.16.40.1 255.255.255.0 no shutdown exit interface vlan 50 ip address 172.16.50.1 255.255.255.0 no shutdown exit interface vlan 60 ip address 172.16.60.1 255.255.255.0 no shutdown exit interface fa 0/24 no switchport ip address 20.2.2.2 255.255.255.0 no shutdown exit

interface fa 0/6 no switchport ip address 192.168.1.1 255.255.255.0 no shutdown exit ip route 0.0.0.0 0.0.0.0 20.2.2.1 inter range fa 0/5-23 //进入一组端口的配置模式 switchport mode access switchport port-security //配置交换机的端口安全功能 switchport port-security maximum 4 //设置最大允许连接数量为4 switchport port-security violation shutdown //配置安全违例的处理方式为shutdown exit inter vlan 10 standby 2 priority 200 //配置优先级 standby 2 ip 172.16.10.254 //配置vrrp组和虚拟路由器的IP地址 inter vlan 20 standby 2 priority 160 //配置优先级 standby 2 ip 172.16.20.254 //配置vrrp组和虚拟路由器的IP地址 inter vlan 30 standby 2 priority 120 //配置优先级 standby 2 ip 172.16.30.254 //配置vrrp组和虚拟路由器的IP地址 Exit access-list 101 permit tcp 172.16.10.0 0.0.0.255 172.16.70.0 0.0.0.255 eq ftp //允许172.16.10.0网段访问172.16.70.0网段上TCP协议的FTP服务器 access-list 101 deny tcp any 172.16.70.0 0.0.0.255 eq ftp //拒绝任何主机访问172.16.70.0网段上TCP协议的FTP服务器 access-list 101 permit tcp any 172.16.70.0 0.0.0.255 eq www //允许任何主机访问172.16.70.0网段上TCP协议的FTP服务器

access-list 101 permit ip any any interface fa0/6 //把编号为101的扩展访问控制列表应用到fa0/6端口 ip access-group 101 out exit config t Hostname r1 interface fa 0/0 //在特权模式下进入F0/0口 ip address 10.1.1.1 255.255.255.0 //给F0/0配置IP地址 no shutdown exit interface fa 0/1 ip address 20.2.2.1 255.255.255.0 no shutdown exit interface se 0/1/0 //在特权模式下进入S0/1/0口 R1（注：此代ip address 172.16.1.1 255.255.255.0 //给S0/1/0配置IP地址 码在特权模clock rate 64000 //设置时钟同步 式下输入） no shutdown exit router rip //创建RIP路由进程 version 2 //启动RIP版本2进程 network 10.0.0.0 //发布自己所关联的网络 network 20.0.0.0 //发布自己所关联的网络 network 172.16.1.0 //发布自己所关联的网络 ip route 0.0.0.0 0.0.0.0 10.1.1.2 //配置一条到达IP为10.1.1.2的认路由 ip route 0.0.0.0 0.0.0.0 20.2.2.2 //配置一条到达IP为20.2.2.2的默认路由 ip route 0.0.0.0 0.0.0.0 172.16.1.2 username R2 password 0 123 //以对方的主机名作为用户名,密码为123 interface s0/1/0

encapsulation ppp //把该接口封装为PPP协议 ppp authentication pap // PPP启用PAP方式认证 config t Hostname r2 interface se 0/1/0 //在特权模式下进入S0/1/0口 ip address 100.1.1.1 255.255.255.0 //给S0/1/0配置IP地址 clock rate 64000 no shutdown exit interface se 0/0/0 ip address 172.16.1.2 255.255.255.0 no shutdown exit crypto isakmp policy 10 // ipsec第一阶段，定义ISAKMP策略 R2（注：此代encryption 3des //加密方法使用3des 码在特权模hash md5 //散列算法使用md5 式下输入） authentication pre-share //认证方法使用预共享密钥 crypto isakmp key hx address 200.1.1.2 //将ISAKMP预共享密钥和对等体关联，预共享密钥为“hx”。 crypto ipsec transform-set tim esp-3des esp-md5-hmac //设置ipsec转换(交换)集。 access-list 101 permit ip 172.16.1.0 0.0.0.255 202.100.10.0 0.0.0.255 //创建感兴趣数据流 crypto map tom 10 ipsec-isakmp //ipsec第二阶段,设置加密图 match address 101 set peer 200.1.1.2 //加载感兴趣流 set transform-set tim //设置对等体地址 interface se 0/1/0 crypto map tom //在接口上应用加密图 router rip //创建RIP路由进程