二层架构网络学习笔记

实验要求:

① 企业内网划分多个vlan ,减小广播域大小,提升网络稳定性
② 用户的网关配置在核心交换机
③ 全部用户均为自动获取ip地址
④ 出口配置NAT
⑤ 在企业出口将内网服务器的80端口映射出去,容许外网用户访问
⑥ 企业财务服务器不容许 VLAN 30 的员工访问;并禁止 192.168.10.200 的用户访问外网。
⑦ 全部设备,在任何位置均可以 telnet 远程管理(注意:Telnet 为明文协议,口令和会话内容都可被抓包;生产环境应改用 STelnet/SSH,并在 VTY 上用 ACL 限制允许的管理源地址)
模拟外网环境
# R2 stands in for the Internet side of the lab: it is R1's upstream next hop
# (12.1.1.6, see R1's default route) and hosts a loopback that plays the role
# of an external web site.
sysname R2
#
# Link towards R1 G0/0/1 (12.1.1.1/29).
interface GigabitEthernet0/0/0
 ip address 12.1.1.6 255.255.255.248 
#
interface GigabitEthernet0/0/1
 ip address 7.7.7.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
#
# Simulated external web site address.
interface LoopBack1
 ip address 9.9.9.9 255.255.255.0 
#
return
R1(出口路由)
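# R1: Internet edge router. Provides outbound NAT for the whole 192.168.0.0/16
# internal space, a static TCP/80 mapping for the internal web server, and the
# per-host Internet block required by item 6.
sysname R1
#
# ACL 2000: sources eligible for outbound NAT (all internal addresses).
acl number 2000
 rule 5 permit source 192.168.0.0 0.0.255.255
# ACL 2001: item 6 -- 192.168.10.200 gets no Internet access. It is applied
# inbound on the LAN-facing interface, so it matches every packet from that
# host that reaches R1 (in this topology that is Internet-bound traffic and
# traffic addressed to R1 itself), not only web traffic.
acl number 2001
 rule 5 deny source 192.168.10.200 0
# ACL 2999: management-plane filter for the VTY lines -- Telnet only from
# internal addresses. The explicit final deny keeps the result independent of
# the platform's default action for sources that match no rule.
acl number 2999
 rule 5 permit source 192.168.0.0 0.0.255.255
 rule 10 deny
#
# Local accounts. 'password cipher' keeps the secret out of the running
# configuration in clear text; the original listing used 'simple' for the
# admin user, which stores it in the clear. The lab values (123 / admin) and
# privilege level 3 (full administrative rights) must be replaced before any
# real use. HTTP management is not required by the lab -- remove the admin
# user entirely if web management is unused.
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user test password cipher 123
 local-user test privilege level 3
 local-user test service-type telnet
 local-user admin password cipher admin
 local-user admin service-type http
#
# Inside interface, towards CORE Vlanif800 (192.168.254.1).
interface GigabitEthernet0/0/0
 ip address 192.168.254.2 255.255.255.0
 traffic-filter inbound acl 2001
#
# Outside interface. There is no inbound filter here: the only service reachable
# from outside is the nat server mapping, which publishes 192.168.200.10:80 to
# the Internet. Note that the finance server (192.168.200.20) shares VLAN 200
# with that web server, so a compromised web server reaches it at Layer 2 with
# no ACL in the path -- a dedicated server VLAN would close that gap.
interface GigabitEthernet0/0/1
 ip address 12.1.1.1 255.255.255.248
 nat server protocol tcp global 12.1.1.2 www inside 192.168.200.10 www
 nat outbound 2000
#
interface GigabitEthernet0/0/2
#
# Default route to the simulated Internet (R2); return route for all internal
# space back to CORE.
ip route-static 0.0.0.0 0.0.0.0 12.1.1.6
ip route-static 192.168.0.0 255.255.0.0 192.168.254.1
#
# Item 7 (Telnet management) was not actually configured on R1 in the original
# listing -- the AAA users existed but no user-interface vty block did, so the
# account could not be used for login. Added here with AAA login, the source
# restriction from ACL 2999 and a 5-minute idle timeout. Console access is left
# unauthenticated, which is acceptable only while the lab is physically
# controlled. Telnet is clear text; prefer STelnet (SSH) outside the lab.
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
 acl 2999 inbound
 idle-timeout 5 0
#
return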
CORE(核心交换机)
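# CORE: Layer-3 core switch. Holds every user gateway (Vlanif10/30/200), the
# DHCP service, the finance-server ACL and the gateway of management VLAN 999.
sysname CORE
#
# Disables the information center, i.e. all log output (console, buffer,
# syslog). Convenient in a lab to silence the console, but it also removes the
# audit trail for logins and configuration changes -- re-enable it and point
# it at a syslog host in production.
undo info-center enable
#
vlan batch 10 30 200 800 999
#
dhcp enable
#
# ACL 3000: item 6 -- VLAN 30 users may not reach the finance server. It is
# applied outbound on VLAN 200 (traffic-filter below) and only filters routed
# traffic sourced from 192.168.30.0/24. The web server (192.168.200.10, which
# R1 publishes to the Internet) sits in the same VLAN as the finance server and
# is NOT covered by this rule -- a separate server VLAN would be needed.
acl number 3000
 rule 5 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0
# ACL 2999: management-plane filter for the VTY lines -- Telnet only from
# internal addresses. The explicit final deny keeps the result independent of
# the platform's default action for sources that match no rule.
acl number 2999
 rule 5 permit source 192.168.0.0 0.0.255.255
 rule 10 deny
#
# Global DHCP pool for VLAN 30 (Vlanif30 uses 'dhcp select global').
# .2-.100 are held back for static assignment; .254 is pinned to one MAC.
ip pool vlan30
 gateway-list 192.168.30.1
 network 192.168.30.0 mask 255.255.255.0
 excluded-ip-address 192.168.30.2 192.168.30.100
 static-bind ip-address 192.168.30.254 mac-address 5489-98ad-2b38
 dns-list 114.114.114.114 61.147.37.1
#
# Local accounts. 'password cipher' replaces the clear-text 'simple' form used
# for the admin user in the original listing. The lab values (123 / admin) and
# privilege level 3 must be replaced before real use; the http user is not
# required by the lab -- remove it if web management is unused.
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user test password cipher 123
 local-user test privilege level 3
 local-user test service-type telnet
 local-user admin password cipher admin
 local-user admin service-type http
#
# VLAN 10 gateway; DHCP is served from the interface's own subnet.
interface Vlanif10
 description PC
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 192.168.10.2 192.168.10.100
 dhcp server dns-list 114.114.114.114 61.147.37.1
#
# VLAN 30 gateway; DHCP is served from the global pool 'vlan30'.
interface Vlanif30
 description PC
 ip address 192.168.30.1 255.255.255.0
 dhcp select global
#
# Server VLAN gateway (web 192.168.200.10, finance 192.168.200.20).
interface Vlanif200
 description server
 ip address 192.168.200.1 255.255.255.0
#
# Transit link to R1 G0/0/0 (192.168.254.2).
interface Vlanif800
 description CORE_G0/0/3-R1_G0/0/0
 ip address 192.168.254.1 255.255.255.0
#
# Management VLAN; SW1 and SW2 default-route to this address.
interface Vlanif999
 description manager
 ip address 192.168.255.1 255.255.255.0
#
# Uplinks to the access switches. Only the listed VLANs are added; VLAN 1 is
# still passed on VRP trunks by default unless removed explicitly.
interface GigabitEthernet0/0/1
 description CORE_G0/0/1-SW1_G0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 30 999
#
interface GigabitEthernet0/0/2
 description CORE_G0/0/2-SW2_G0/0/1
 port link-type trunk
 port trunk allow-pass vlan 200 999
#
# Access port towards R1, in transit VLAN 800.
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 800
#
# Default route to the edge router.
ip route-static 0.0.0.0 0.0.0.0 192.168.254.2
#
# VLAN-based ACL application: filters traffic leaving the switch on VLAN 200
# regardless of which physical port the servers hang off.
traffic-filter vlan 200 outbound acl 3000
#
# Console access is unauthenticated -- acceptable only while the lab is
# physically controlled. VTY: AAA login, source-restricted by ACL 2999,
# 5-minute idle timeout. Telnet is clear text; prefer STelnet (SSH) outside
# the lab.
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
 acl 2999 inbound
 idle-timeout 5 0
#
return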
SW1(汇聚)
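# SW1: access switch for user VLANs 10 and 30. Managed in-band through
# Vlanif999 (management VLAN) with a default route to CORE.
sysname SW1
#
# Disables the information center (all log output) -- lab convenience only;
# re-enable in production so login and port events are recorded.
undo info-center enable
#
vlan batch 10 30 999
#
# ACL 2999: Telnet to this switch only from internal addresses; the explicit
# final deny keeps the result independent of the platform's default action for
# sources that match no rule.
acl number 2999
 rule 5 permit source 192.168.0.0 0.0.255.255
 rule 10 deny
#
# Local accounts -- same lab values as the other devices. 'cipher' replaces the
# clear-text 'simple' form; replace 123/admin before real use and drop the
# http user if web management is not needed.
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user test password cipher 123
 local-user test privilege level 3
 local-user test service-type telnet
 local-user admin password cipher admin
 local-user admin service-type http
#
# Management address on VLAN 999.
interface Vlanif999
 ip address 192.168.255.2 255.255.255.0
#
# User-facing access ports. These are the untrusted edge: nothing in this lab
# stops a rogue DHCP server or a spoofed gateway on them, so dhcp snooping /
# port-security would be the next hardening step in a real deployment.
interface Ethernet0/0/1
 description PC
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/2
 description PC
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/3
 description PC
 port link-type access
 port default vlan 30
#
# Uplink to CORE. VLAN 1 is still passed by default on VRP trunks unless
# removed explicitly.
interface GigabitEthernet0/0/1
 description SW1_G0/0/1-CORE_G0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 30 999
#
# Management traffic only: route everything to the CORE management address.
ip route-static 0.0.0.0 0.0.0.0 192.168.255.1
#
# Console unauthenticated (lab only). VTY: AAA login, source-restricted,
# 5-minute idle timeout. Telnet is clear text; prefer STelnet (SSH).
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
 acl 2999 inbound
 idle-timeout 5 0
#
return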
SW2(汇聚)
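# SW2: access switch for the server VLAN 200 (web and finance servers).
# Managed in-band through Vlanif999 with a default route to CORE.
sysname sw2
#
# Disables the information center (all log output) -- lab convenience only;
# re-enable in production so login and port events are recorded.
undo info-center enable
#
vlan batch 200 999
#
# ACL 2999: Telnet to this switch only from internal addresses; the explicit
# final deny keeps the result independent of the platform's default action for
# sources that match no rule.
acl number 2999
 rule 5 permit source 192.168.0.0 0.0.255.255
 rule 10 deny
#
# Local accounts -- same lab values as the other devices. 'cipher' replaces the
# clear-text 'simple' form; replace 123/admin before real use and drop the
# http user if web management is not needed.
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user test password cipher 123
 local-user test privilege level 3
 local-user test service-type telnet
 local-user admin password cipher admin
 local-user admin service-type http
#
# Management address on VLAN 999.
interface Vlanif999
 ip address 192.168.255.3 255.255.255.0
#
# Both servers share VLAN 200. The web server is published to the Internet by
# R1 (TCP/80), so it and the finance server are one Layer-2 hop apart with no
# filter between them; CORE's ACL 3000 only blocks routed traffic from VLAN 30.
# A dedicated VLAN for the finance server would separate them.
interface Ethernet0/0/2
 description WEB
 port link-type access
 port default vlan 200
#
interface Ethernet0/0/3
 description CAIWU
 port link-type access
 port default vlan 200
#
# Uplink to CORE. VLAN 1 is still passed by default on VRP trunks unless
# removed explicitly.
interface GigabitEthernet0/0/1
 description SW2_G0/0/1-CORE_G0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200 999
#
# Management traffic only: route everything to the CORE management address.
ip route-static 0.0.0.0 0.0.0.0 192.168.255.1
#
# Console unauthenticated (lab only). VTY: AAA login, source-restricted,
# 5-minute idle timeout. Telnet is clear text; prefer STelnet (SSH).
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
 acl 2999 inbound
 idle-timeout 5 0
#
return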
PC(模拟PC端)
# PC: a device used as a stand-in for an end host. It obtains its address over
# DHCP (the DHCP service in this lab runs on CORE); which subnet it lands in
# depends on the access VLAN of the port it is plugged into.
sysname PC
#
dhcp enable
#
# DHCP client on the port facing the access switch.
interface GigabitEthernet0/0/3
 description PC_net
 ip address dhcp-alloc
#
return

命令解释

#出包路由(核心交换机 CORE 的默认路由,下一跳为出口路由 R1 的内网接口)
ip route-static 0.0.0.0 0.0.0.0 192.168.254.2    
#回包路由
ip route-static 192.168.0.0 16 192.168.254.1    
#建立acl2000
acl 2000    
#容许源地址是192.168.0.0网段的地址
rule permit source 192.168.0.0 0.0.255.255    
int g0/0/1
#出口nat转换引用acl2000
nat outbound 2000    
#在系统视图下基于 VLAN 调用 ACL(traffic-filter vlan),对该 VLAN 的出方向流量生效,不依赖具体物理端口,适用于服务器端口分散的复杂网络环境
traffic-filter vlan 200 outbound acl 3000    
#进入aaa认证
aaa    
#建立测试帐户 test,权限为 level 3(最高管理权限),密码为 123(实验用弱口令;生产环境必须使用强口令,并用 cipher 方式存储,避免 simple 明文)
local-user test privilege level 3 password cipher 123    
#test帐户的服务类型为 telnet
local-user test service-type telnet    
#进入vty 0 4 虚拟路线
user-interface vty 0 4    
#认证模式为aaa
authentication-mode aaa