Lab requirements:
① The enterprise internal network is divided into multiple VLANs to shrink the broadcast domains and improve network stability
② User gateways are configured on the core switch
③ All users obtain their IP addresses automatically
④ NAT is configured at the exit
⑤ At the enterprise exit, port 80 of the internal server is mapped outward so that external users can reach it
⑥ The finance server must not be reachable by (vlan 30) employees, and the user 192.168.10.200 is forbidden from accessing the external network
⑦ All devices can be remotely managed by telnet from any location
Simulated external network environment (R2)
```
sysname R2
#
interface GigabitEthernet0/0/0
 ip address 12.1.1.6 255.255.255.248
#
interface GigabitEthernet0/0/1
 ip address 7.7.7.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
# simulated external web site address
interface LoopBack1
 ip address 9.9.9.9 255.255.255.0
#
return
```
R1 (border router)
```
sysname R1
#
acl number 2000
 rule 5 permit source 192.168.0.0 0.0.255.255
acl number 2001
 rule 5 deny source 192.168.10.200 0
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user test password cipher 123
 local-user test privilege level 3
 local-user test service-type telnet
 local-user admin password simple admin
 local-user admin service-type http
#
interface GigabitEthernet0/0/0
 ip address 192.168.254.2 255.255.255.0
 traffic-filter inbound acl 2001
#
interface GigabitEthernet0/0/1
 ip address 12.1.1.1 255.255.255.248
 nat server protocol tcp global 12.1.1.2 www inside 192.168.200.10 www
 nat outbound 2000
#
interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.6
ip route-static 192.168.0.0 255.255.0.0 192.168.254.1
#
return
```
CORE (core switch)
```
sysname CORE
#
undo info-center enable
#
vlan batch 10 30 200 800 999
#
dhcp enable
#
acl number 3000
 rule 5 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0
#
ip pool vlan30
 gateway-list 192.168.30.1
 network 192.168.30.0 mask 255.255.255.0
 excluded-ip-address 192.168.30.2 192.168.30.100
 static-bind ip-address 192.168.30.254 mac-address 5489-98ad-2b38
 dns-list 114.114.114.114 61.147.37.1
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user test password cipher 123
 local-user test privilege level 3
 local-user test service-type telnet
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif10
 description PC
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 192.168.10.2 192.168.10.100
 dhcp server dns-list 114.114.114.114 61.147.37.1
#
interface Vlanif30
 description PC
 ip address 192.168.30.1 255.255.255.0
 dhcp select global
#
interface Vlanif200
 description server
 ip address 192.168.200.1 255.255.255.0
#
interface Vlanif800
 description CORE_G0/0/3-R1_G0/0/0
 ip address 192.168.254.1 255.255.255.0
#
interface Vlanif999
 description manager
 ip address 192.168.255.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 description CORE_G0/0/1-SW1_G0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 30 999
#
interface GigabitEthernet0/0/2
 description CORE_G0/0/2-SW2_G0/0/1
 port link-type trunk
 port trunk allow-pass vlan 200 999
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 800
#
ip route-static 0.0.0.0 0.0.0.0 192.168.254.2
#
traffic-filter vlan 200 outbound acl 3000
#
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
#
return
```
SW1 (aggregation)
```
sysname SW1
#
undo info-center enable
#
vlan batch 10 30 999
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user test password cipher 123
 local-user test privilege level 3
 local-user test service-type telnet
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif999
 ip address 192.168.255.2 255.255.255.0
#
interface Ethernet0/0/1
 description PC
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/2
 description PC
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/3
 description PC
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/1
 description SW1_G0/0/1-CORE_G0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 30 999
#
ip route-static 0.0.0.0 0.0.0.0 192.168.255.1
#
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
#
return
```
SW2 (aggregation)
```
sysname sw2
#
undo info-center enable
#
vlan batch 200 999
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user test password cipher 123
 local-user test privilege level 3
 local-user test service-type telnet
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif999
 ip address 192.168.255.3 255.255.255.0
#
interface Ethernet0/0/2
 description WEB
 port link-type access
 port default vlan 200
#
interface Ethernet0/0/3
 description CAIWU
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/1
 description SW2_G0/0/1-CORE_G0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200 999
#
ip route-static 0.0.0.0 0.0.0.0 192.168.255.1
#
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
#
return
```
PC (simulated PC)
```
sysname PC
#
dhcp enable
#
interface GigabitEthernet0/0/3
 description PC_net
 ip address dhcp-alloc
#
return
```
Command explanation
```
# outbound (forward-path) route
ip route-static 0.0.0.0 0.0.0.0 192.168.254.2
# return-path route
ip route-static 192.168.0.0 16 192.168.254.1
# create ACL 2000
acl 2000
# permit source addresses in the 192.168.0.0 range
rule permit source 192.168.0.0 0.0.255.255
int g0/0/1
# the exit NAT translation references ACL 2000
nat outbound 2000
# apply the ACL to the VLAN from the global view; this works in complex network environments
traffic-filter vlan 200 outbound acl 3000
# enter AAA authentication
aaa
# create the test account with privilege level 3 and password 123
local-user test privilege level 3 password cipher 123
# the test account's service type is telnet
local-user test service-type telnet
# enter the vty 0 4 virtual lines
user-interface vty 0 4
# authentication mode is AAA
authentication-mode aaa
```
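The three ACLs in this lab (2000 and 2001 on R1, 3000 on CORE) all rely on Huawei wildcard-mask matching, where a wildcard bit of 0 must match and a bit of 1 is ignored, and on the fact that what happens to an unmatched packet depends on where the ACL is referenced: `traffic-filter` lets unmatched packets through, while `nat outbound` simply leaves them untranslated. The following Python script is an added example, not part of the lab writeup, that transcribes the three rule tables from the configurations above and checks requirements ④ and ⑥ against a few constructed hosts before anything is pushed to the devices. The function names, the sample host addresses and the `no-nat` label are assumptions of this example.

```python
"""Added example: wildcard-mask ACL evaluator for the lab's ACL 2000/2001/3000.
The rule tables are transcribed from the page's R1 and CORE configurations;
the packets fed to them are constructed for this example."""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")  # all-ones wildcard: matches every address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard semantics: bits where the wildcard is 0 must equal the base,
    bits where it is 1 are ignored. '192.168.200.20 0' is therefore one host and
    '192.168.0.0 0.0.255.255' the whole 192.168.0.0/16 range."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: tuple = ANY   # (base, wildcard)
    dst: tuple = ANY   # (base, wildcard)


def evaluate(rules, src: str, dst: str, default: str) -> str:
    """First matching rule wins; the caller supplies the unmatched-packet default
    because it differs between traffic-filter (permit) and nat outbound (no NAT)."""
    for r in rules:
        if wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst):
            return r.action
    return default


# Rule tables transcribed from the page ('0' as a wildcard means 0.0.0.0).
ACL_2000 = [Rule("permit", src=("192.168.0.0", "0.0.255.255"))]   # R1: nat outbound 2000
ACL_2001 = [Rule("deny", src=("192.168.10.200", "0.0.0.0"))]        # R1: traffic-filter inbound on G0/0/0
ACL_3000 = [Rule("deny", src=("192.168.30.0", "0.0.0.255"),
                 dst=("192.168.200.20", "0.0.0.0"))]                 # CORE: traffic-filter vlan 200 outbound


def nat_action(src: str) -> str:
    """'permit' means the source is translated to R1's G0/0/1 address; 'no-nat'
    (a label chosen for this example) means the packet leaves untranslated."""
    return evaluate(ACL_2000, src, "9.9.9.9", default="no-nat")


def internet_reachable(src: str, dst: str = "9.9.9.9") -> bool:
    """Requirement 6, second half: an internal host heading for the simulated
    Internet address 9.9.9.9 on R2 hits the inbound filter on R1 G0/0/0 first,
    then needs a NAT translation on G0/0/1 to get a reply back."""
    if evaluate(ACL_2001, src, dst, default="permit") == "deny":
        return False
    return nat_action(src) == "permit"


def finance_reachable(src: str, finance_server: str = "192.168.200.20") -> bool:
    """Requirement 6, first half: ACL 3000 is applied outbound on VLAN 200, which
    every packet to the finance server must cross."""
    return evaluate(ACL_3000, src, finance_server, default="permit") == "permit"


if __name__ == "__main__":
    # Constructed sample hosts: a VLAN 10 user, the blocked VLAN 10 host, a VLAN 30 user.
    for host in ("192.168.10.55", "192.168.10.200", "192.168.30.77"):
        print(f"{host:16} internet={internet_reachable(host)!s:5} "
              f"finance={finance_reachable(host)}")
```

Running the script shows the VLAN 10 user reaching both the Internet and the finance server, 192.168.10.200 reaching only the finance server, and the VLAN 30 user reaching only the Internet, which is exactly requirement ⑥. Changing the wildcard of ACL 3000's destination from `0` to `0.0.0.255` makes the same check show the web server 192.168.200.10 blocked for VLAN 30 as well, a quick way to see how a too-wide wildcard over-filters.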