12.19问答解析
概述
某中小型企业有四个部门,分别是市场部、行政部、研发部和工程部,请合理规划IP地址和VLAN,实现企业内部能够互联互通,同时要求市场部、行政部和工程部能够访问外网环境(要求使用OSPF协议),研发部不能访问外网环境(通过访问控制列表实现)。为了保证网络的可靠性,配置MSTP+VRRP多备份组,实现负载均衡,解决单点故障问题。同时在出口路由器上实现NAT地址转换,使企业内部主机使用ISP提供的内部全局地址访问外网环境,提高网络整体的安全性。
2、配置要求
(1)四个部门分别在不同网段、不同 VLAN,实现VLAN间通信;
(2) LSW1和LSW2为接入交换机,LSW3和LSW4为核心交换机,R1为出口路由器;
(3)市场部和研发部属于MSTP实例1, VRRP主路由器为LSW3,备份路由器为LSW4;
(4)行政部和工程部属于MSTP实例2, VRRP主路由器为LSW4,备份路由器为LSW3;
(5)ISP分配给该企业的内部全局地址为1.1.1.0网段;
(6)外网服务器IP地址为200.0.0.0/24网段;
(7)合理规划核心交换机和路由器之间的互联地址;
(8)访问控制要求:研发部不能访问外网。
企业网络拓扑结构如图1所示:
问答来自CSDN @weixin_44257060
实验拓扑
实验配置
1.创建vlan并划分相关接口
交换机之间采用trunk,交换机和路由或终端设备使用access
vlan b 10 20 30 40 11(vlan11用于与路由器相接)
p l t
p t a v 10 20 30 40 11
2.配置MSTP
stp region-configuration
instance 1 vlan 10 30
instance 2 vlan 20 40
region-name HHH
revision-level 1
active region-configuration
stp instance 2 root primary
stp instance 1 root secondary
3.配置相关IP地址
服务器地址
4.设置vrrp组
int vlan 10
vrrp vrid 10 virtual-ip 172.16.10.254
int vlan 20
vrrp vrid 20 virtual-ip 172.16.20.254
vrrp vrid 20 priority 120
vrrp vrid 20 track interface g0/0/1 reduced 40
int vlan 30
vrrp vrid 30 virtual-ip 172.16.30.254
int vlan 40
vrrp vrid 40 virtual-ip 172.16.40.254
vrrp vrid 40 priority 120
vrrp vrid 40 track interface g0/0/1 reduced 40
5.配置ospf
交换机可ping通服务器
有邻居建立
此时pc可ping通服务器
6.ACL限制研发部访问200.0.0.0网段
rule 5 deny ip source 172.16.30.0 0.0.0.255 destination 200.0.0.0 0.0.0.255
限制研发部访问,接口下调用研发部无法访问200.0.0.0网段
全局配置
SW1
[SW1]dis current-configuration
#
sysname SW1
#
vlan batch 10 to 11 20 30 40
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
region-name HHH
revision-level 1
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
SW2
[SW2]dis current-configuration
#
sysname SW2
#
vlan batch 10 to 11 20 30 40
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
region-name HHH
revision-level 1
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
SW3
[SW3]dis current-configuration
#
sysname SW3
#
vlan batch 10 to 11 20 30 40
#
stp instance 1 root primary
stp instance 2 root secondary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
region-name HHH
revision-level 1
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 172.16.10.10 255.255.255.0
vrrp vrid 10 virtual-ip 172.16.10.254
vrrp vrid 10 priority 120
vrrp vrid 10 track interface GigabitEthernet0/0/1 reduced 40
#
interface Vlanif11
ip address 1.1.1.1 255.255.255.252
#
interface Vlanif20
ip address 172.16.20.10 255.255.255.0
vrrp vrid 20 virtual-ip 172.16.20.254
#
interface Vlanif30
ip address 172.16.30.10 255.255.255.0
vrrp vrid 30 virtual-ip 172.16.30.254
vrrp vrid 30 priority 120
vrrp vrid 30 track interface GigabitEthernet0/0/1 reduced 40
#
interface Vlanif40
ip address 172.16.40.10 255.255.255.0
vrrp vrid 40 virtual-ip 172.16.40.254
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 11
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
port link-type trunk
port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/22
port link-type trunk
port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 10 to 11 20 30 40
#
interface NULL0
#
ospf 1
area 0.0.0.0
network 0.0.0.0 255.255.255.255
#
user-interface con 0
user-interface vty 0 4
#
return
SW4
[SW4]dis current-configuration
#
sysname SW4
#
vlan batch 10 to 11 20 30 40
#
stp instance 1 root secondary
stp instance 2 root primary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
region-name HHH
revision-level 1
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 172.16.10.20 255.255.255.0
vrrp vrid 10 virtual-ip 172.16.10.254
#
interface Vlanif11
ip address 1.1.1.6 255.255.255.252
#
interface Vlanif20
ip address 172.16.20.20 255.255.255.0
vrrp vrid 20 virtual-ip 172.16.20.254
vrrp vrid 20 priority 120
vrrp vrid 20 track interface GigabitEthernet0/0/1 reduced 40
#
interface Vlanif30
ip address 172.16.30.20 255.255.255.0
vrrp vrid 30 virtual-ip 172.16.30.254
#
interface Vlanif40
ip address 172.16.40.20 255.255.255.0
vrrp vrid 40 virtual-ip 172.16.40.254
vrrp vrid 40 priority 120
vrrp vrid 40 track interface GigabitEthernet0/0/1 reduced 40
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 11
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
port link-type trunk
port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/22
port link-type trunk
port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 10 to 11 20 30 40
#
interface NULL0
#
ospf 1
area 0.0.0.0
network 0.0.0.0 255.255.255.255
#
user-interface con 0
user-interface vty 0 4
#
return
AR1
[AR1]dis current-configuration
[V200R003C00]
#
sysname AR1
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
acl number 2001
#
acl number 3001
rule 5 deny ip source 172.16.30.0 0.0.0.255 destination 200.0.0.0 0.0.0.255
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 1.1.1.2 255.255.255.252
traffic-filter inbound acl 3001
#
interface GigabitEthernet0/0/1
ip address 1.1.1.5 255.255.255.252
traffic-filter inbound acl 3001
#
interface GigabitEthernet0/0/2
ip address 200.0.0.1 255.255.255.252
#
interface NULL0
#
ospf 1
area 0.0.0.0
network 0.0.0.0 255.255.255.255
network 1.1.1.0 0.0.0.255
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
AR2
[AR2]dis current-configuration
[V200R003C00]
#
sysname AR2
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 200.0.0.254 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
ip address 200.0.0.2 255.255.255.252
#
interface NULL0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return