Two-Tier Network Architecture: Comprehensive Lab Configuration

1. Lab requirements

1. Divide the enterprise intranet into multiple VLANs to shrink the broadcast domains and improve network stability.
2. Configure the user gateways on the core switch.
3. All users obtain their IP addresses automatically.
4. Configure NAT at the egress.
5. At the enterprise egress, map port 80 of the internal server outward so that it can be reached from the Internet.
6. Users in VLAN 30 must not be able to reach the finance server, and 192.168.10.200 must not be able to reach the Internet.
7. Every device can be managed remotely over telnet from any location.
8. Configure VLAN pruning to further reduce the scope of broadcasts and improve network stability.

2. VLAN assignment

LSW1:
vlan batch 10 30 999 # 999 is the management VLAN, the others are business VLANs
int e0/0/1
port link-type access
port default vlan 10
int e0/0/2
port link-type access
port default vlan 30
int e0/0/3
port link-type trunk
port trunk allow-pass vlan all

LSW2:
vlan batch 200 999
port-group group-member e0/0/1 to e0/0/2
port link-type access
port default vlan 200
int e0/0/3
port link-type trunk
port trunk allow-pass vlan all

LSW3:
vlan batch 10 30 200 800 999
port-group group-member gi0/0/1 to gi0/0/2
port link-type trunk
port trunk allow-pass vlan all
int gi0/0/3
port link-type access
port default vlan 800

Access mode is configured on the ports between a switch and a PC; access ports carry no VLAN tag.
Trunk mode is configured on the ports between switches; trunk ports can carry VLAN tags.

3. Gateways on the core switch

LSW3:
int vlanif 10
ip add 192.168.10.1 24
int vlanif 30
ip add 192.168.30.1 24
int vlanif 200
ip add 192.168.200.1 24
int vlanif 800
ip add 192.168.168.1 24

Note: a VLANIF (SVI) interface comes UP only when there is an access port belonging to that VLAN, or a trunk port that allows that VLAN's frames to pass.

4. Automatic address assignment (DHCP)

LSW3:
dhcp enable # enable the DHCP service
ip pool a # create address pool a
gateway-list 192.168.10.1
dns-list 114.114.114.114
network 192.168.10.0 mask 24
ip pool b
gateway-list 192.168.30.1
dns-list 114.114.114.114
network 192.168.30.0 mask 24
int vlanif 10 # assign addresses from the global pool on the VLANIF interface
dhcp select global
int vlanif 30
dhcp select global

5. Egress NAT configuration

Configure the forward and return routes
LSW3:
ip route-static 0.0.0.0 0 192.168.168.2
AR1:
[Huawei]int gi0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.168.2 24
[Huawei-GigabitEthernet0/0/0]int gi0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 190.168.168.1 24
[Huawei-GigabitEthernet0/0/1]q
[Huawei]ip route-static 0.0.0.0 0 190.168.168.6
[Huawei]ip route-static 192.168.0.0 16 192.168.168.1

[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 permit source 192.168.0.0 0.0.255.255 # added: nat outbound translates only traffic matched by a permit rule; 192.168.0.0/16 is the intranet range routed on AR1
[Huawei-acl-basic-2000]int gi0/0/1
[Huawei-GigabitEthernet0/0/1]nat outbound 2000

6. Internal port mapping

Purpose: lets external hosts reach the internal server while keeping the server itself protected.
AR1:
[Huawei]int gi0/0/1
[Huawei-GigabitEthernet0/0/1]nat server protocol tcp global 190.168.168.2 80 inside 192.168.200.10 80

Clients must use the mapped public address to reach the internal server.

7. ACL configuration

1. Use an advanced ACL to block a source from reaching a destination
LSW3:
Block VLAN 30 users from reaching the finance server
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule 5 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0
[Huawei-acl-adv-3000]q
Apply the ACL globally (per VLAN)
[Huawei]traffic-filter vlan 200 outbound acl 3000

Block 192.168.10.200 from reaching the Internet
Note: the ACL must be applied in the inbound direction to take effect; after NAT translation the source IP to be denied is no longer present in the packet.
AR1:
[Huawei]acl 2001
[Huawei-acl-basic-2001]rule 10 deny source 192.168.10.200 0
[Huawei-acl-basic-2001]int gi0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-filter inbound acl 2001
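Added example (Python, not part of the original lab and not Huawei's code): a small evaluator for the page's two ACLs using Huawei wildcard-mask semantics, which also shows why ACL 2001 has to sit inbound on gi0/0/0 by evaluating the same packet before and after NAT. The external address 8.8.8.8 is a constructed sample; the rules mirror the ones on the page and 190.168.168.1 is AR1's gi0/0/1 address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard mask: a 0 bit must equal the base, a 1 bit is don't-care.
    So 0.0.0.255 matches a /24 and 0.0.0.0 (written as '0' on the page) matches one host."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                            # "permit" or "deny"
    src: Tuple[str, str]                   # (base address, wildcard)
    dst: Optional[Tuple[str, str]] = None  # only advanced ACLs (3000-3999) match a destination


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; traffic-filter permits packets that match no rule."""
    for r in rules:
        if wildcard_match(src, *r.src) and (r.dst is None or wildcard_match(dst, *r.dst)):
            return r.action
    return "permit"


# ACL 3000 on LSW3: rule 5 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0
ACL_3000 = [Rule("deny", ("192.168.30.0", "0.0.0.255"), ("192.168.200.20", "0.0.0.0"))]
# ACL 2001 on AR1: rule 10 deny source 192.168.10.200 0
ACL_2001 = [Rule("deny", ("192.168.10.200", "0.0.0.0"))]


def nat_placement_check(acl: List[Rule], inside_host: str, nat_public: str, internet_host: str) -> dict:
    """Evaluate the ACL at both possible attachment points: inbound on gi0/0/0 the packet still
    carries its private source; outbound on gi0/0/1 NAT has already rewritten it to the public address."""
    return {
        "inbound_before_nat": evaluate(acl, inside_host, internet_host),
        "outbound_after_nat": evaluate(acl, nat_public, internet_host),
    }


if __name__ == "__main__":
    print(evaluate(ACL_3000, "192.168.30.55", "192.168.200.20"))  # deny
    print(evaluate(ACL_3000, "192.168.10.55", "192.168.200.20"))  # permit
    # 8.8.8.8 is a constructed external destination
    print(nat_placement_check(ACL_2001, "192.168.10.200", "190.168.168.1", "8.8.8.8"))
```

The last line shows the page's caveat directly: the same host is denied before translation and permitted after it, so an outbound filter on the NAT interface would never match.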

8. Telnet remote management of all devices

Notes:
1. Management traffic and business traffic should normally be kept separate, so that an attack on the business traffic does not also take management access down with it.
2. The access-layer switches need a default route pointing to the core switch, because they must send return packets to the core and need a route to reach it.
LSW3:
[Huawei]int vlanif 999
[Huawei-Vlanif999]ip add 192.168.254.3 24
[Huawei-Vlanif999]q

Create an AAA user and set its service type
[Huawei]aaa
[Huawei-aaa]local-user aa privilege level 3 password cipher 123
Info: Add a new user.
[Huawei-aaa]local-user aa service-type telnet
[Huawei-aaa]q
Set the authentication mode
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa

LSW2:
[Huawei]int vlanif 999
[Huawei-Vlanif999]ip add 192.168.254.2 24
[Huawei-Vlanif999]q
Set the default route
[Huawei]ip route-static 0.0.0.0 0 192.168.254.3

[Huawei]aaa
[Huawei-aaa]local-user aa privilege level 3 password cipher 123
Info: Add a new user.
[Huawei-aaa]local-user aa service-type telnet
[Huawei-aaa]q
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa

LSW1:
[Huawei]int vlanif 999
[Huawei-Vlanif999]ip add 192.168.254.1 24
[Huawei-Vlanif999]q
[Huawei]ip route-static 0.0.0.0 0 192.168.254.3

[Huawei]aaa
[Huawei-aaa]local-user aa privilege level 3 password cipher 123
Info: Add a new user.
[Huawei-aaa]local-user aa service-type telnet
[Huawei-aaa]q
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa

AR1:
[Huawei]aaa
[Huawei-aaa]local-user aa privilege level 3 password cipher 123
Info: Add a new user.
[Huawei-aaa]local-user aa service-type telnet
[Huawei-aaa]q
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa

The PCs in the emulator do not support telnet, so a router can stand in for a PC.
Router obtaining its address automatically:
dhcp enable
int e0/0/0
ip add dhcp-alloc # obtain the IP address and gateway automatically
Then run telnet from the <> (user) view

9. VLAN pruning configuration

Purpose: prevents VLANs that are not needed on a trunk link from being sent across it; pruning further improves network stability.
LSW3:
[Huawei]int gi0/0/1
[Huawei-GigabitEthernet0/0/1]undo port trunk allow-pass vlan all
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 30 999
[Huawei-GigabitEthernet0/0/1]int gi0/0/2
[Huawei-GigabitEthernet0/0/2]undo port trunk allow-pass vlan all
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 200 999

LSW2:
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]undo port trunk allow-pass vlan all
[Huawei-Ethernet0/0/3]port trunk allow-pass vlan 200 999

LSW1:
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]undo port trunk allow-pass vlan all
[Huawei-Ethernet0/0/3]port trunk allow-pass vlan 10 30 999
