基于三层交换机的MSTP+VRRP+NAT的部署实例

 拓扑如下所示：

ISP代表运营商 GW为出口路由器 LSW1、LSW2为核心层交换机、LSW3为接入层交换机

配置思路：

LSW3：

1. 3、4口配置access vlan10、vlan20
2. 配置MSTP域、stp的vlan映射并**
3. G0/0/1和G0/0/2配置为trunk,放行vlan10,20

LSW1：

1. 创建svi接口(vlanif10,20,100)。其中vlanif100(192.168.30.2)用于与上联路由器的G0/0/0接口通信。
2. LSW1与G0/0/2和G0/0/3 与LSW2的G0/0/2、G0/0/3创建链路聚合Eth-trunk 1，聚合链路配置为trunk 放行vlan10,20
3. G0/0/1同样配置为trunk,放行vlan10,20
4. 分别进入vlanif10,20配置vrrp（注意修改优先级和监控上联链路）
5. 用ip-prefix匹配vlanif10和20的子网，再用route-policy引入到ospf中

LSW2：同LSW1

GW：

1. 将接口宣告进ospf，并下发一条到ISP的默认路由
2. 用ACL匹配PC1和PC2的流量，在出接口做NAT

上配置！

######LSW3
[LSW3]display current-configuration 
#
sysname LSW3
#
vlan batch 10 20
#
stp region-configuration
 region-name MSTP
 instance 10 vlan 10
 instance 20 vlan 20
 active region-configuration
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
 stp edged-port enable
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
 stp edged-port enable
#
port-group 1
 group-member GigabitEthernet0/0/3
 group-member GigabitEthernet0/0/4
#
port-group 2
 group-member GigabitEthernet0/0/1
 group-member GigabitEthernet0/0/2
#
return

######LSW2
[LSW2]display current-configuration 
#
sysname LSW2
#
vlan batch 10 20 100
#
stp instance 10 priority 8192
stp instance 20 priority 4096
#
stp region-configuration
 region-name MSTP
 instance 10 vlan 10
 instance 20 vlan 20
 active region-configuration
#
interface Vlanif1
#
interface Vlanif10
 ip address 192.168.10.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.254
#
interface Vlanif20
 ip address 192.168.20.2 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.20.254
 vrrp vrid 2 priority 150
 vrrp vrid 2 track interface GigabitEthernet0/0/4 reduced 60
#
interface Vlanif100
 ip address 192.168.40.2 255.255.255.0
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface GigabitEthernet0/0/3
 eth-trunk 1
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 100
#
ospf 1
 import-route direct route-policy POLICY
 area 0.0.0.0
  network 192.168.40.0 0.0.0.255
#
route-policy POLICY permit node 10
 if-match ip-prefix vlan10
 apply cost 20
#
route-policy POLICY permit node 20
 if-match ip-prefix vlan20
 apply cost 10
#
ip ip-prefix vlan10 index 10 permit 192.168.10.0 24
ip ip-prefix vlan20 index 10 permit 192.168.20.0 24
#
return

###LSW1
<LSW1>display current-configuration 
#
sysname LSW1
#
vlan batch 10 20 100
#
stp mode stp
stp instance 10 priority 4096
stp instance 20 priority 8192
#
stp region-configuration
 region-name MSTP
 instance 10 vlan 10
 instance 20 vlan 20
 active region-configuration
interface Vlanif1
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.254
 vrrp vrid 1 priority 150
 vrrp vrid 1 track interface GigabitEthernet0/0/4 reduced 60
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.20.254
#
interface Vlanif100
 ip address 192.168.30.2 255.255.255.0
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface GigabitEthernet0/0/3
 eth-trunk 1
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 100
#
ospf 1
 import-route direct route-policy POLICY
 area 0.0.0.0
  network 192.168.30.0 0.0.0.255
#
route-policy POLICY permit node 10
 if-match ip-prefix vlan10
 apply cost 10
#
route-policy POLICY permit node 20
 if-match ip-prefix vlan20
 apply cost 20
#
ip ip-prefix vlan10 index 10 permit 192.168.10.0 24
ip ip-prefix vlan20 index 10 permit 192.168.20.0 24
#
return

###gw
[gw]display current-configuration 
#
 sysname gw
#
acl number 2000  
 rule 10 permit source 192.168.10.0 0.0.0.255 
 rule 20 permit source 192.168.20.0 0.0.0.255 
#
interface GigabitEthernet0/0/0
 ip address 192.168.30.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 192.168.40.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 58.30.0.1 255.255.255.240 
 nat outbound 2000
#
interface NULL0
#
ospf 1 
 default-route-advertise always
 area 0.0.0.0 
  network 192.168.30.0 0.0.0.255 
  network 192.168.40.0 0.0.0.255 
#
ip route-static 0.0.0.0 0.0.0.0 58.30.0.2
return

文章参考@谢公子