dangquangminh
11-05-2008, 06:04 PM
Lab 3: VLAN Trunking on the ASA 5500
1. Topology:
- Cable the devices as in the diagram.
(Internet)—WAN-Router---ASA----Switch2960---PC (vlan 10)
- Connect the WAN router to the VnPro LAN and configure it to obtain its IP address from that LAN.
- Configure NAT on the WAN router.
2. Configuration requirements:
- Configure NAT overload and a default route on the WAN router.
- Configure the WAN router to use DNS server 203.162.4.190.
- Configure the outside interface of the ASA with subnet 192.168.1.0/24.
- Create VLANs 10, 20 and 30 on the 2960 switch and make its uplink to the ASA a trunk.
- Configure trunking (802.1Q subinterfaces) on the ASA.
- Connect PC1 to VLAN 10 with IP address 10.10.10.10/24 and default gateway 10.10.10.1. Add a router that will later connect to the branch site; name it ToBranch and assign 10.40.10.10/24 to its F0/0. Configure OSPF on ToBranch so that it can ping PC1. (In the configuration captured below this router is named BRANCH, sits in VLAN 30 as 10.30.30.2 on F0/0, and uses 10.40.40.1/24 on F0/1.)
- Configure OSPF between the WAN router, the ASA and the ToBranch router.
- Configure a DHCP server on the ASA and set the PC to obtain its IP address automatically, so that it receives a lease from the ASA.
3. Verification
- Make sure the PC can reach the website vnpro.org.
- Make sure the PC can ping the ToBranch router.
- Make sure the ASA can ping the 10.40.10.10/24 subnet.
4. Steps:
Configuration on the ASA 5510
ASA# show run
:
ASA Version 7.2(2)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.10
vlan 10
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1.20
vlan 20
nameif inside2
security-level 90
ip address 10.20.20.1 255.255.255.0
!
interface Ethernet0/1.30
vlan 30
nameif inside3
security-level 80
ip address 10.30.30.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list aclout extended permit icmp any any
access-list aclout extended permit icmp any any echo
access-list aclout extended permit icmp any any echo-reply
access-list aclout extended permit ip any any
access-list aclout extended permit tcp any any
access-list aclin extended permit icmp any any
access-list aclin extended permit icmp any any echo-reply
access-list aclin extended permit tcp any any
access-list aclin extended permit ip any any
pager lines 24
mtu inside 1500
mtu inside2 1500
mtu inside3 1500
mtu outside 1500
access-group aclin in interface inside
access-group aclin in interface inside2
access-group aclin in interface inside3
access-group aclout in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
router ospf 1
network 10.10.10.0 255.255.255.0 area 0
network 10.20.20.0 255.255.255.0 area 0
network 10.30.30.0 255.255.255.0 area 0
network 192.168.1.0 255.255.255.0 area 0
log-adj-changes
!
timeout xlate 3:00:00
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.10.3-10.10.10.254 inside
dhcpd dns 203.162.4.190 interface inside
dhcpd enable inside
!
dhcpd address 10.20.20.3-10.20.20.254 inside2
dhcpd dns 203.162.4.190 interface inside2
dhcpd enable inside2
!
dhcpd address 10.30.30.3-10.30.30.254 inside3
dhcpd dns 203.162.4.190 interface inside3
dhcpd enable inside3
!
prompt hostname context
Cryptochecksum:02bfb4982d7ab8efc2699f506a258d2c
: end
Check the ACLs on the ASA
ASA# show run access-list
access-list aclout extended permit icmp any any
access-list aclout extended permit icmp any any echo
access-list aclout extended permit icmp any any echo-reply
access-list aclout extended permit ip any any
access-list aclout extended permit tcp any any
access-list aclin extended permit icmp any any
access-list aclin extended permit icmp any any echo-reply
access-list aclin extended permit tcp any any
access-list aclin extended permit ip any any
ASA# show run access-group
access-group aclin in interface inside
access-group aclin in interface inside2
access-group aclin in interface inside3
access-group aclout in interface outside
Configuration of the branch router (BRANCH).
BRANCH#show run
!
Current configuration : 799 bytes
!
version 12.4
hostname BRANCH
!
interface FastEthernet0/0
description Connect to VLAN 30
ip address 10.30.30.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description connect to another branch router
ip address 10.40.40.1 255.255.255.0
no keepalive
no shut
!
router ospf 1
log-adjacency-changes
network 10.30.30.0 0.0.0.255 area 0
network 10.40.40.0 0.0.0.255 area 0
!
ip http server
!
end
Check the routing table on the BRANCH router
BRANCH#show ip route
Gateway of last resort is 10.30.30.1 to network 0.0.0.0
10.0.0.0/24 is subnetted, 4 subnets
C 10.40.40.0 is directly connected, FastEthernet0/1
C 10.30.30.0 is directly connected, FastEthernet0/0
O 10.20.20.0 [110/11] via 10.30.30.1, 00:02:01, FastEthernet0/0
O 10.10.10.0 [110/11] via 10.30.30.1, 00:02:01, FastEthernet0/0
O 192.168.1.0/24 [110/11] via 10.30.30.1, 00:02:01, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.30.30.1, 00:02:01, FastEthernet0/0
Configuration on the Catalyst 2960 switch
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/1, Gi0/2
10 VLAN0010 active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
20 VLAN0020 active Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15
30 VLAN0030 active Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
Switch#show run
!
Current configuration : 2435 bytes
!
version 12.2
!
hostname Switch
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/9
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/13
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/14
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/15
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/16
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/17
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/18
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/19
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/20
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/21
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/22
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/23
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/24
switchport mode trunk
!
Check the trunk ports on the switch.
Switch#show interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/24 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/24 1-4094
Port Vlans allowed and active in management domain
Fa0/24 1,10,20,30
Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1,10,20,30
Configuration of the WAN router
WAN#show run
!
version 12.4
!
hostname WAN
!
ip name-server 203.162.4.190
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router ospf 1
log-adjacency-changes
network 192.168.1.0 0.0.0.255 area 0
default-information originate
!
ip route 0.0.0.0 0.0.0.0 10.215.219.254
!
!
ip http server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit any
!
end
WAN#show ip route
Gateway of last resort is 10.215.219.254 to network 0.0.0.0
10.0.0.0/24 is subnetted, 5 subnets
C 10.215.219.0 is directly connected, FastEthernet0/0
O 10.40.40.0 [110/12] via 192.168.1.2, 00:01:06, FastEthernet0/1
O 10.30.30.0 [110/11] via 192.168.1.2, 00:01:06, FastEthernet0/1
O 10.20.20.0 [110/11] via 192.168.1.2, 00:01:06, FastEthernet0/1
O 10.10.10.0 [110/11] via 192.168.1.2, 00:01:06, FastEthernet0/1
C 192.168.1.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 10.215.219.254
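Two things in the captures above deserve a second look before this design leaves the lab. First, `aclout` permits `ip any any` and `tcp any any` inbound on the security-level 0 interface, so the ASA forwards anything arriving from the WAN side into all three VLANs; only the ICMP entries are actually needed for the ping tests, because the ASA does not track ICMP statefully unless `inspect icmp` is enabled, and return traffic for TCP/UDP sessions started from inside is already allowed by the stateful inspection. Second, Fa0/24 on the 2960 trunks every VLAN (1-4094) with native VLAN 1 and DTP still running. The script below is an added example, not part of the lab or of any VnPro material: it parses a trimmed copy of the lab's own `show run` output (embedded as constructed input) and reports those weak settings. The remediation commands it suggests (`switchport trunk allowed vlan 10,20,30`, `switchport trunk native vlan <id>`, `switchport nonegotiate`) are standard IOS commands; the VLAN id 999 in the usage note is an assumed unused VLAN.

```python
import re
from dataclasses import dataclass

# Constructed input: trimmed from the lab's own `show run` output above.
ASA_CONFIG = """\
interface Ethernet0/1.10
 nameif inside
 security-level 100
!
interface Ethernet0/2
 nameif outside
 security-level 0
!
access-list aclout extended permit icmp any any echo-reply
access-list aclout extended permit ip any any
access-list aclout extended permit tcp any any
access-list aclin extended permit tcp any any
access-list aclin extended permit ip any any
access-group aclin in interface inside
access-group aclout in interface outside
"""
SWITCH_CONFIG = "interface FastEthernet0/24\n switchport mode trunk\n!\n"


@dataclass(frozen=True)
class Finding:
    severity: str  # HIGH, MEDIUM or INFO
    device: str
    subject: str
    message: str


def _stanzas(config):
    """Yield (interface name, stripped body lines) for each interface block."""
    name, body = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            if name:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif line == "!" or not line:
            if name:
                yield name, body
            name, body = None, []
        elif name:
            body.append(line)
    if name:
        yield name, body


def audit_asa(config):
    """Flag blanket permits, scored by the security level of the interface they guard."""
    level_of = {}  # nameif -> security-level
    for _iface, body in _stanzas(config):
        nameif = next((l.split()[1] for l in body if l.startswith("nameif ")), None)
        level = next((int(l.split()[1]) for l in body if l.startswith("security-level ")), None)
        if nameif is not None and level is not None:
            level_of[nameif] = level
    aces = {}  # acl name -> [(protocol, source, destination)]
    for m in re.finditer(r"^access-list (\S+) extended permit (\S+) (\S+) (\S+)", config, re.M):
        aces.setdefault(m.group(1), []).append(m.group(2, 3, 4))
    findings = []
    for m in re.finditer(r"^access-group (\S+) (in|out) interface (\S+)", config, re.M):
        acl, direction, nameif = m.groups()
        for proto, src, dst in aces.get(acl, []):
            if proto not in ("ip", "tcp", "udp") or (src, dst) != ("any", "any"):
                continue  # ICMP-only or scoped entries are not blanket permits
            if direction == "in" and level_of.get(nameif) == 0:
                findings.append(Finding("HIGH", "ASA", f"{acl}@{nameif}",
                    f"permit {proto} any any inbound on security-level 0: outside hosts "
                    "can initiate connections to every inside subnet"))
            else:
                findings.append(Finding("INFO", "ASA", f"{acl}@{nameif}",
                    f"permit {proto} any any adds nothing to the default higher-to-lower "
                    "policy; narrow it if inter-VLAN traffic should be limited"))
    return findings


def audit_switch(config):
    """Flag trunks that carry every VLAN, keep native VLAN 1, or still negotiate DTP."""
    findings = []
    for iface, body in _stanzas(config):
        if "switchport mode trunk" not in body:
            continue
        missing = lambda prefix: not any(l.startswith(prefix) for l in body)
        if missing("switchport trunk allowed vlan"):
            findings.append(Finding("MEDIUM", "Switch", iface,
                "trunk carries VLANs 1-4094; add 'switchport trunk allowed vlan 10,20,30'"))
        if missing("switchport trunk native vlan"):
            findings.append(Finding("MEDIUM", "Switch", iface,
                "native VLAN is the default 1; add 'switchport trunk native vlan <unused id>'"))
        if missing("switchport nonegotiate"):
            findings.append(Finding("INFO", "Switch", iface,
                "DTP still runs on a static trunk; add 'switchport nonegotiate'"))
    return findings


if __name__ == "__main__":
    for f in audit_asa(ASA_CONFIG) + audit_switch(SWITCH_CONFIG):
        print(f.severity, f.device, f.subject, f.message)
```

Run as-is it reports two HIGH findings for `aclout@outside`, two INFO findings for `aclin@inside`, and three findings for FastEthernet0/24. Feeding it a Fa0/24 stanza that adds `switchport trunk allowed vlan 10,20,30`, `switchport trunk native vlan 999` and `switchport nonegotiate` returns no switch findings, and an outside ACL reduced to the ICMP entries the lab really needs returns no ASA findings. The ACE parser deliberately looks only at the protocol/source/destination triplet, so entries such as `permit icmp any any echo-reply` are parsed but not treated as blanket permits.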