实验拓扑图：

实验要求：

1,内网IP地址使用172.16.0.0/16分配

2,SW1和SW2之间互为备份

3,VRRP/STP/VLAN/Eth-trunk均使用

4,所有PC均通过DHCP获取IP地址

5,ISP只能配置IP地址

6,所有电脑可以正常访问ISP路由器环回

实验步骤：

步骤1：基础IP配置

目标：为所有设备接口分配IP地址，确保基础连通性。

R1配置：

[R1] interface GigabitEthernet0/0/0

[R1-GigabitEthernet0/0/0] ip address 12.0.0.1 255.255.255.0  # 连接ISP的接口

[R1-GigabitEthernet0/0/0] quit

[R1] interface GigabitEthernet0/0/1

[R1-GigabitEthernet0/0/1] ip address 172.16.0.130 255.255.255.192  # 连接SW1的VLAN10

[R1-GigabitEthernet0/0/1] quit

[R1] interface GigabitEthernet0/0/2

[R1-GigabitEthernet0/0/2] ip address 172.16.0.194 255.255.255.192  # 连接SW2的VLAN20

[R1-GigabitEthernet0/0/2] quit

ISP路由器配置：

[ISP] interface GigabitEthernet0/0/0

[ISP-GigabitEthernet0/0/0] ip address 12.0.0.2 255.255.255.0

[ISP-GigabitEthernet0/0/0] quit

[ISP] interface LoopBack0

[ISP-LoopBack0] ip address 2.2.2.2 255.255.255.255  # 环回接口

[ISP-LoopBack0] quit

步骤2：配置Eth-Trunk（SW1与SW2互联）

目标：通过Eth-Trunk增加带宽和冗余。

SW1配置：

[SW1] interface Eth-Trunk0

[SW1-Eth-Trunk0] mode lacp  # LACP模式

[SW1-Eth-Trunk0] port link-type trunk

[SW1-Eth-Trunk0] port trunk allow-pass vlan 2 3 10 20  # 允许VLAN2、3、10、20通过

[SW1-Eth-Trunk0] quit

# 将GE0/0/1和GE0/0/2加入Eth-Trunk0

[SW1] interface GigabitEthernet0/0/1

[SW1-GigabitEthernet0/0/1] eth-trunk 0

[SW1-GigabitEthernet0/0/1] quit

[SW1] interface GigabitEthernet0/0/2

[SW1-GigabitEthernet0/0/2] eth-trunk 0

[SW1-GigabitEthernet0/0/2] quit

SW2配置：

[SW2] interface Eth-Trunk0

[SW2-Eth-Trunk0] mode lacp

[SW2-Eth-Trunk0] port link-type trunk

[SW2-Eth-Trunk0] port trunk allow-pass vlan 2 3 10 20

[SW2-Eth-Trunk0] quit

# 将GE0/0/1和GE0/0/2加入Eth-Trunk0

[SW2] interface GigabitEthernet0/0/1

[SW2-GigabitEthernet0/0/1] eth-trunk 0

[SW2-GigabitEthernet0/0/1] quit

[SW2] interface GigabitEthernet0/0/2

[SW2-GigabitEthernet0/0/2] eth-trunk 0

[SW2-GigabitEthernet0/0/2] quit

步骤3：配置VLAN与接口

目标：划分VLAN，配置Access/Trunk端口。

SW3和SW4（二层交换机）配置

[SW3] vlan batch 2 3  # 创建VLAN2和VLAN3

# PC接入端口配置（Access模式）

[SW3] interface GigabitEthernet0/0/1

[SW3-GigabitEthernet0/0/1] port link-type access

[SW3-GigabitEthernet0/0/1] port default vlan 2  # PC1属于VLAN2

[SW3-GigabitEthernet0/0/1] quit

[SW3] interface GigabitEthernet0/0/2

[SW3-GigabitEthernet0/0/2] port link-type access

[SW3-GigabitEthernet0/0/2] port default vlan 3  # PC2属于VLAN3

[SW3-GigabitEthernet0/0/2] quit

# 上联口配置Trunk（与SW1/SW2互联）

[SW3] interface GigabitEthernet0/0/3

[SW3-GigabitEthernet0/0/3] port link-type trunk

[SW3-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 3  # 允许VLAN2和VLAN3通过

[SW3-GigabitEthernet0/0/3] quit

# SW4的配置（与SW3对称）

[SW4] vlan batch 2 3

[SW4] interface GigabitEthernet0/0/1

[SW4-GigabitEthernet0/0/1] port link-type access

[SW4-GigabitEthernet0/0/1] port default vlan 2  # PC3属于VLAN2

[SW4-GigabitEthernet0/0/1] quit

[SW4] interface GigabitEthernet0/0/2

[SW4-GigabitEthernet0/0/2] port link-type access

[SW4-GigabitEthernet0/0/2] port default vlan 3  # PC4属于VLAN3

[SW4-GigabitEthernet0/0/2] quit

[SW4] interface GigabitEthernet0/0/3

[SW4-GigabitEthernet0/0/3] port link-type trunk

[SW4-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 3

[SW4-GigabitEthernet0/0/3] quit

SW1和SW2（三层交换机）配置

[SW1] vlan batch 2 3 10 20  # 创建VLAN2、3、10、20

# 上联R1的接口（Access模式）

[SW1] interface GigabitEthernet0/0/5

[SW1-GigabitEthernet0/0/5] port link-type access

[SW1-GigabitEthernet0/0/5] port default vlan 10  # 属于VLAN10

[SW1-GigabitEthernet0/0/5] quit

# 连接到SW3/SW4的接口配置Trunk

[SW1] interface GigabitEthernet0/0/3

[SW1-GigabitEthernet0/0/3] port link-type trunk

[SW1-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 3  # 允许VLAN2和VLAN3通过

[SW1-GigabitEthernet0/0/3] quit

# SW2的配置（与SW1对称）

[SW2] vlan batch 2 3 10 20

[SW2] interface GigabitEthernet0/0/5

[SW2-GigabitEthernet0/0/5] port link-type access

[SW2-GigabitEthernet0/0/5] port default vlan 20  # 属于VLAN20

[SW2-GigabitEthernet0/0/5] quit

[SW2] interface GigabitEthernet0/0/3

[SW2-GigabitEthernet0/0/3] port link-type trunk

[SW2-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 3

[SW2-GigabitEthernet0/0/3] quit

步骤4：配置VRRP（网关冗余）

目标：SW1为主设备，SW2为备设备，实现网关高可用。

SW1配置（主设备）：

# VLAN2的VRRP配置

[SW1] interface Vlanif2

[SW1-Vlanif2] ip address 172.16.0.1 255.255.255.192

[SW1-Vlanif2] vrrp vrid 1 virtual-ip 172.16.0.62  # 虚拟IP

[SW1-Vlanif2] vrrp vrid 1 priority 120  # 主设备优先级高（默认100）

[SW1-Vlanif2] vrrp vrid 1 track interface GigabitEthernet0/0/5 reduced 30  # 跟踪上联R1的接口

[SW1-Vlanif2] quit

# VLAN3的VRRP配置

[SW1] interface Vlanif3

[SW1-Vlanif3] ip address 172.16.0.65 255.255.255.192

[SW1-Vlanif3] vrrp vrid 2 virtual-ip 172.16.0.126

[SW1-Vlanif3] vrrp vrid 2 priority 120

[SW1-Vlanif3] quit

SW2配置（备设备）：

# VLAN2的VRRP配置

[SW2] interface Vlanif2

[SW2-Vlanif2] ip address 172.16.0.2 255.255.255.192

[SW2-Vlanif2] vrrp vrid 1 virtual-ip 172.16.0.62  # 虚拟IP需与SW1一致

[SW2-Vlanif2] vrrp vrid 1 priority 100  # 备设备优先级低

[SW2-Vlanif2] quit

# VLAN3的VRRP配置

[SW2] interface Vlanif3

[SW2-Vlanif3] ip address 172.16.0.66 255.255.255.192

[SW2-Vlanif3] vrrp vrid 2 virtual-ip 172.16.0.126

[SW2-Vlanif3] vrrp vrid 2 priority 100

[SW2-Vlanif3] quit

步骤5：配置DHCP服务器

目标：PC通过DHCP获取IP，网关为VRRP虚拟IP。

SW1配置：

# 启用DHCP

[SW1] dhcp enable

# VLAN2的DHCP作用域

[SW1] ip pool VLAN2

[SW1-ip-pool-VLAN2] network 172.16.0.0 mask 255.255.255.192

[SW1-ip-pool-VLAN2] gateway-list 172.16.0.62  # VRRP虚拟IP

[SW1-ip-pool-VLAN2] dns-list 8.8.8.8

[SW1-ip-pool-VLAN2] quit

# VLAN3的DHCP作用域

[SW1] ip pool VLAN3

[SW1-ip-pool-VLAN3] network 172.16.0.64 mask 255.255.255.192

[SW1-ip-pool-VLAN3] gateway-list 172.16.0.126

[SW1-ip-pool-VLAN3] dns-list 8.8.8.8

[SW1-ip-pool-VLAN3] quit

# 绑定VLANIF接口

[SW1] interface Vlanif2

[SW1-Vlanif2] dhcp select global

[SW1-Vlanif2] quit

[SW1] interface Vlanif3

[SW1-Vlanif3] dhcp select global

[SW1-Vlanif3] quit

步骤6：配置STP（生成树协议）

1. SW1（三层交换机）配置

[SW1] stp enable          # 全局启用STP

[SW1] stp mode mstp       # 配置为MSTP模式

[SW1] stp region-configuration  # 进入MST区域配置

[SW1-mst-region] region-name MST_DOMAIN  # 设置MST域名称

[SW1-mst-region] instance 1 vlan 2      # 将VLAN2映射到实例1

[SW1-mst-region] instance 2 vlan 3      # 将VLAN3映射到实例2

[SW1-mst-region] active region-configuration  # 激活配置

[SW1-mst-region] quit

# 指定SW1为VLAN2（实例1）的根桥，SW2为VLAN3（实例2）的根桥

[SW1] stp instance 1 root primary  # 实例1（VLAN2）的根桥

[SW1] stp instance 2 root secondary  # 实例2（VLAN3）的非根桥

2. SW2（三层交换机）配置

[SW2] stp enable

[SW2] stp mode mstp

[SW2] stp region-configuration

[SW2-mst-region] region-name MST_DOMAIN

[SW2-mst-region] instance 1 vlan 2

[SW2-mst-region] instance 2 vlan 3

[SW2-mst-region] active region-configuration

[SW2-mst-region] quit

# 指定SW2为VLAN3（实例2）的根桥，SW1为VLAN2（实例1）的根桥

[SW2] stp instance 1 root secondary  # 实例1（VLAN2）的非根桥

[SW2] stp instance 2 root primary    # 实例2（VLAN3）的根桥

3. SW3（二层交换机）配置

[SW3] stp enable

[SW3] stp mode mstp

[SW3] stp region-configuration

[SW3-mst-region] region-name MST_DOMAIN

[SW3-mst-region] instance 1 vlan 2

[SW3-mst-region] instance 2 vlan 3

[SW3-mst-region] active region-configuration

[SW3-mst-region] quit

4. SW4（二层交换机）配置

[SW4] stp enable

[SW4] stp mode mstp

[SW4] stp region-configuration

[SW4-mst-region] region-name MST_DOMAIN

[SW4-mst-region] instance 1 vlan 2

[SW4-mst-region] instance 2 vlan 3

[SW4-mst-region] active region-configuration

[SW4-mst-region] quit

步骤7：路由器R1配置（内外网通信）

目标：实现内网访问ISP环回地址和外网。

R1配置：

# 1. 静态路由到ISP的环回地址（2.2.2.2）

[R1] ip route-static 2.2.2.2 255.255.255.255 12.0.0.2  # 通过ISP路由器的接口

# 2. 配置NAT（内网网段为172.16.0.0/16）

[R1] acl number 2000

[R1-acl-adv-2000] rule 5 permit source 172.16.0.0 0.0.255.255

[R1-acl-adv-2000] quit

[R1] interface GigabitEthernet0/0/0  # 连接ISP的接口

[R1-GigabitEthernet0/0/0] nat outbound 2000  # 启用NAT

[R1-GigabitEthernet0/0/0] quit

# 3. 配置OSPF（与SW1/SW2互通）

[R1] ospf 1 router-id 1.1.1.1  # 设置Router ID

[R1-ospf-1] area 0.0.0.0

[R1-ospf-1-area-0.0.0.0] network 172.16.0.0 0.0.255.255  # 宣告内网网段

[R1-ospf-1-area-0.0.0.0] network 12.0.0.0 0.0.0.255      # 宣告连接ISP的网段

[R1-ospf-1-area-0.0.0.0] quit

验证配置

PC地址

 

 

同一VLAN间可以通信

不同vlan间也能通信

关闭SW1的VLAN2接口，SW2自动接管虚拟IP，PC仍能正常访问网络。

 

内外网测试