
二层架构网络学习笔记


二层架构网络学习笔记

实验要求:

① 企业内网划分多个vlan ,减少广播域大小,提高网络稳定性
② 用户的网关配置在核心交换机
③ 所有用户均为自动获取ip地址
④ 出口配置NAT
⑤ 在企业出口将内网服务器(192.168.200.10)的80端口映射到公网地址 12.1.1.2,允许外网用户访问(仅映射 TCP/80,服务器其余端口不对外暴露)
⑥ 企业财务服务器(192.168.200.20)不允许 vlan 30 的员工访问;并禁止 192.168.10.200 的用户访问外网。
⑦ 所有设备,在任何位置都可以telnet远程管理(注意:telnet 为明文协议,仅适合实验环境;生产环境应改用 SSH/stelnet,并在 vty 下绑定 ACL 限制管理来源地址)
模拟外网环境
 sysname R2
#
# Simulated ISP / Internet router. G0/0/0 is on the 12.1.1.0/29 link facing R1.
# No route to 192.168.0.0/16 is configured here, and none is needed: R1 translates
# every internal source (acl 2000) before the traffic reaches this link.
#
interface GigabitEthernet0/0/0
 ip address 12.1.1.6 255.255.255.248 
#
interface GigabitEthernet0/0/1
 ip address 7.7.7.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
#
# Simulated public web site address (a loopback stands in for an external host).
interface LoopBack1
 ip address 9.9.9.9 255.255.255.0 
#
return
R1(出口路由)
 sysname R1
#
# Edge / NAT router. G0/0/0 faces CORE (192.168.254.0/24), G0/0/1 is the WAN link.
#
# acl 2000: sources eligible for outbound NAT -- all of 192.168.0.0/16, which also
# covers the transit subnet 192.168.254.0/24 and the management subnet 192.168.255.0/24.
acl number 2000  
 rule 5 permit source 192.168.0.0 0.0.255.255 
# acl 2001: blocks host 192.168.10.200 (requirement 6). Used with traffic-filter,
# where unmatched packets are permitted, so only this one host is dropped.
# NOTE(review): the match is on the IP address only. 192.168.10.200 lies inside the
# DHCP-assignable range of Vlanif10 (only .2-.100 are excluded), so the block holds
# only while the host keeps that address; a DHCP static bind or a MAC-based rule on
# the access switch would make it harder to sidestep.
acl number 2001  
 rule 5 deny source 192.168.10.200 0 
 #
# Local management accounts. NOTE(review): 'test' is a privilege-level-3 (full admin)
# account with password 123, and 'admin'/'admin' is stored with 'simple', i.e. in
# cleartext in the config. Acceptable for a lab; on real equipment use strong
# passwords and 'cipher' / 'irreversible-cipher'. No 'user-interface vty' block
# appears in this listing, so the telnet access required by item 7 is not shown
# as configured on R1 -- confirm on the device.
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user test password cipher 123
 local-user test privilege level 3
 local-user test service-type telnet
 local-user admin password simple admin
 local-user admin service-type http
#
# LAN side. 'traffic-filter inbound acl 2001' drops everything arriving from
# 192.168.10.200, which also keeps that host from reaching R1 itself (e.g. telnet).
interface GigabitEthernet0/0/0
 ip address 192.168.254.2 255.255.255.0 
 traffic-filter inbound acl 2001
#
# WAN side. 'nat server' publishes internal 192.168.200.10:80 as 12.1.1.2:80
# (requirement 5); only TCP/80 is mapped. 'nat outbound 2000' is the source NAT
# for the internal range (requirement 4). NOTE(review): no inbound filter protects
# this interface, so any management service listening on R1 (telnet/http) would be
# reachable from 12.1.1.0/29 unless the vty lines are restricted by ACL.
interface GigabitEthernet0/0/1
 ip address 12.1.1.1 255.255.255.248 
 nat server protocol tcp global 12.1.1.2 www inside 192.168.200.10 www
 nat outbound 2000
#
interface GigabitEthernet0/0/2
#
# Default route toward the simulated Internet (R2), and the return route for the
# whole internal range pointing at CORE's Vlanif800.
ip route-static 0.0.0.0 0.0.0.0 12.1.1.6
ip route-static 192.168.0.0 255.255.0.0 192.168.254.1
#
return
CORE(核心交换机)
sysname CORE
#
# Layer-3 core switch: hosts every user gateway (requirement 2), the DHCP service
# (requirement 3) and the VLAN-30 -> finance-server filter (requirement 6).
#
# NOTE(review): this switches the information center off, so CORE produces no
# syslog / log-buffer output. Keep logging enabled on production devices -- it is
# the main evidence source for troubleshooting and incident response.
undo info-center enable
#
# VLAN plan: 10 and 30 = user VLANs, 200 = servers, 800 = transit link to R1,
# 999 = in-band management.
vlan batch 10 30 200 800 999
#
dhcp enable
#
# acl 3000 (advanced): VLAN 30 subnet -> finance server 192.168.200.20, applied
# below with 'traffic-filter vlan 200 outbound'. NOTE(review): it matches on the
# source IP only, so a VLAN-30 host forging a source address is not stopped, and
# it only covers traffic routed through CORE. An inbound filter on Vlanif30 would
# drop the traffic earlier, before it crosses the core.
acl number 3000  
 rule 5 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.200.20 0 
#
# Global DHCP pool for VLAN 30 (Vlanif30 uses 'dhcp select global'). Addresses
# .2-.100 are held back for static use and .254 is pinned to one MAC address.
ip pool vlan30
 gateway-list 192.168.30.1 
 network 192.168.30.0 mask 255.255.255.0 
 excluded-ip-address 192.168.30.2 192.168.30.100 
 static-bind ip-address 192.168.30.254 mac-address 5489-98ad-2b38 
 dns-list 114.114.114.114 61.147.37.1 
#
# Local management accounts (identical on every device in this lab).
# NOTE(review): 'test'/123 at privilege level 3 and 'admin'/'admin' stored as
# 'simple' (cleartext) are lab credentials only; use strong, per-device passwords
# and an irreversible cipher in production.
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user test password cipher 123
 local-user test privilege level 3
 local-user test service-type telnet
 local-user admin password simple admin
 local-user admin service-type http
#
# Vlanif10 is the VLAN 10 gateway and hands out addresses itself
# ('dhcp select interface'), excluding .2-.100.
interface Vlanif10
 description PC
 ip address 192.168.10.1 255.255.255.0 
 dhcp select interface
 dhcp server excluded-ip-address 192.168.10.2 192.168.10.100 
 dhcp server dns-list 114.114.114.114 61.147.37.1 
#
# Vlanif30 is the VLAN 30 gateway; leases come from the global pool 'vlan30'.
interface Vlanif30
 description PC
 ip address 192.168.30.1 255.255.255.0 
 dhcp select global
#
# Server VLAN gateway (web server 192.168.200.10, finance server 192.168.200.20).
interface Vlanif200
 description server
 ip address 192.168.200.1 255.255.255.0 
#
# Routed transit to R1 (R1 is 192.168.254.2).
interface Vlanif800
 description CORE_G0/0/3-R1_G0/0/0
 ip address 192.168.254.1 255.255.255.0 
#
# Management interface; SW1 (.2) and SW2 (.3) use this address as their gateway.
interface Vlanif999
 description manager
 ip address 192.168.255.1 255.255.255.0 
#
# Uplinks to the access switches; each trunk carries only the VLANs that switch
# needs plus management VLAN 999. NOTE(review): VLAN 1 is not explicitly removed
# from the trunks (no 'undo port trunk allow-pass vlan 1'), so the default VLAN is
# presumably still carried -- confirm on the device.
interface GigabitEthernet0/0/1
 description CORE_G0/0/1-SW1_G0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 30 999
#
interface GigabitEthernet0/0/2
 description CORE_G0/0/2-SW2_G0/0/1
 port link-type trunk
 port trunk allow-pass vlan 200 999
#
# Access port into transit VLAN 800 toward R1.
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 800
#
# Default route to R1. The user/server subnets are directly connected, so R1 only
# needs its single 192.168.0.0/16 return route.
ip route-static 0.0.0.0 0.0.0.0 192.168.254.2
#
# Filter traffic leaving CORE into VLAN 200 (toward the servers) with acl 3000.
traffic-filter vlan 200 outbound acl 3000
#
# Remote management with the AAA local accounts (requirement 7). NOTE(review): no
# ACL is bound to the vty lines, so any reachable host may attempt to log in, and
# the protocol is telnet (cleartext). Restrict the vty lines to the management
# subnet and prefer SSH (stelnet) where the platform supports it.
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
#
return 
SW1(汇聚)
sysname SW1
#
# Access switch for the user VLANs (10 and 30). Layer 2 only: its single IP is the
# management address on VLAN 999.
#
# NOTE(review): disables the information center, so SW1 keeps no logs. Leave
# logging on outside a lab.
undo info-center enable
#
vlan batch 10 30 999
#
# Local management accounts, same as on CORE. NOTE(review): 'test'/123 at privilege
# level 3 and 'admin'/'admin' in cleartext ('simple') are lab-only credentials.
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user test password cipher 123
 local-user test privilege level 3
 local-user test service-type telnet
 local-user admin password simple admin
 local-user admin service-type http
#
# Management address; gateway is CORE's Vlanif999 (see the default route below).
interface Vlanif999
 ip address 192.168.255.2 255.255.255.0 
#
# User access ports. NOTE(review): no DHCP snooping or port security is configured
# on these ports, so a rogue DHCP server or a host changing its MAC/IP in VLAN 10
# or 30 is not prevented at the access layer; the 192.168.10.200 block on R1 relies
# on that host keeping its address.
interface Ethernet0/0/1
 description PC
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/2
 description PC
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/3
 description PC
 port link-type access
 port default vlan 30
#
# Uplink to CORE carrying the two user VLANs and the management VLAN.
interface GigabitEthernet0/0/1
 description SW1_G0/0/1-CORE_G0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 30 999
#
# Management-plane default route via CORE's Vlanif999.
ip route-static 0.0.0.0 0.0.0.0 192.168.255.1
#
# Telnet management through AAA (requirement 7). NOTE(review): no ACL on the vty
# lines; restrict them to the management subnet and prefer SSH in production.
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
#
return 
SW2(汇聚)
sysname sw2
#
# Access switch for the server VLAN (200). Layer 2 only; management on VLAN 999.
#
# NOTE(review): disables the information center, so sw2 keeps no logs. Leave
# logging on outside a lab.
undo info-center enable
#
vlan batch 200 999
#
# Local management accounts, same as on CORE. NOTE(review): 'test'/123 at privilege
# level 3 and 'admin'/'admin' in cleartext ('simple') are lab-only credentials.
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user test password cipher 123
 local-user test privilege level 3
 local-user test service-type telnet
 local-user admin password simple admin
 local-user admin service-type http
#
# Management address; gateway is CORE's Vlanif999.
interface Vlanif999
 ip address 192.168.255.3 255.255.255.0 
#
# Server ports. The web server published by R1's 'nat server' is 192.168.200.10 and
# the finance server filtered by CORE's acl 3000 is 192.168.200.20 -- presumably
# WEB and CAIWU respectively; confirm the host addresses. NOTE(review): both sit in
# the same VLAN, and acl 3000 is applied only at CORE, so traffic between the
# Internet-exposed web server and the finance server never crosses a filter. If the
# web server is compromised it can reach the finance server directly at layer 2;
# a separate VLAN (or port isolation) for the finance server would close that path.
interface Ethernet0/0/2
 description WEB
 port link-type access
 port default vlan 200
#
interface Ethernet0/0/3
 description CAIWU
 port link-type access
 port default vlan 200
#
# Uplink to CORE carrying the server VLAN and the management VLAN.
interface GigabitEthernet0/0/1
 description SW2_G0/0/1-CORE_G0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200 999
#
# Management-plane default route via CORE's Vlanif999.
ip route-static 0.0.0.0 0.0.0.0 192.168.255.1
#
# Telnet management through AAA (requirement 7). NOTE(review): no ACL on the vty
# lines; restrict them to the management subnet and prefer SSH in production.
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
#
return 

命令解释

[CORE]ip route-static 0.0.0.0 0.0.0.0 192.168.254.2    #出包路由:核心交换机的默认路由,所有去往外网的流量交给 R1 的 G0/0/0(192.168.254.2)
[R1]ip route-static 0.0.0.0 0.0.0.0 12.1.1.6    #出包路由:R1 的默认路由指向模拟外网路由器 R2(12.1.1.6),与上面配置中的一致;192.168.254.2 是 R1 自己的接口地址,不能作为下一跳
[R1]ip route-static 192.168.0.0 16 192.168.254.1    #回包路由:把整个内网网段 192.168.0.0/16 指回核心交换机的 Vlanif800(192.168.254.1)
[R1]acl 2000    #创建acl2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255    #允许源地址属于 192.168.0.0/16 的地址(即全部内网网段,也包含管理网段)
[R1-acl-basic-2000]int g0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000    #出口nat转换引用acl2000
[CORE]traffic-filter vlan 200 outbound acl 3000    #在系统视图下基于 VLAN 调用 ACL,对从核心交换机进入 VLAN 200(服务器网段)方向的流量进行过滤;在接口较多的复杂网络中比逐个接口调用更方便
[SW1]aaa    #进入aaa认证
[SW1-aaa]local-user test privilege level 3 password cipher 123    #创建测试账户 test,权限为 level 3(最高权限),密码为 123(仅实验环境使用;生产环境应使用强口令,并避免 password simple 明文存储)
[SW1-aaa]local-user test service-type telnet    #test账户的服务类型为 telnet

[SW1]user-interface vty 0 4    #进入vty 0 4 虚拟路线
[SW1-ui-vty0-4]authentication-mode aaa    #认证模式为 aaa,使用上面创建的本地账户登录;实际部署建议在此处再用 acl 限制允许登录的源地址
