
12.19 Q&A Analysis

Overview

A small-to-medium enterprise has four departments: Marketing, Administration, R&D and Engineering. Plan the IP addresses and VLANs so that the whole enterprise network is interconnected. Marketing, Administration and Engineering must be able to reach the external network (using OSPF), while R&D must not (enforced with an access control list). To make the network reliable, configure MSTP together with multiple VRRP backup groups, achieving load balancing and removing single points of failure. On the exit router, configure NAT so that internal hosts reach the external network using the inside global addresses provided by the ISP, improving the overall security of the network.
2. Configuration requirements
(1) The four departments are in different subnets and different VLANs, with communication between VLANs;
(2) LSW1 and LSW2 are access switches, LSW3 and LSW4 are core switches, and R1 is the exit router;
(3) Marketing and R&D belong to MSTP instance 1; the VRRP master is LSW3 and the backup is LSW4;
(4) Administration and Engineering belong to MSTP instance 2; the VRRP master is LSW4 and the backup is LSW3;
(5) The inside global address range assigned to the enterprise by the ISP is the 1.1.1.0 network;
(6) The external server is on the 200.0.0.0/24 network;
(7) Plan the interconnect addresses between the core switches and the router sensibly;
(8) Access control requirement: R&D cannot access the external network.
The enterprise network topology is shown in Figure 1:
Q&A from CSDN @weixin_44257060

Lab topology

Lab configuration

1. Create the VLANs and assign the interfaces

Links between switches are trunk ports; links from a switch to a router or an end device are access ports. VLAN 11 carries the links to the router.

vlan batch 10 20 30 40 11

port link-type trunk

port trunk allow-pass vlan 10 20 30 40 11

2. Configure MSTP

stp region-configuration

instance 1 vlan 10 30
instance 2 vlan 20 40

region-name HHH
revision-level 1

active region-configuration

The region configuration is identical on all four switches. The root settings below are LSW4's (root for instance 2, which carries Administration and Engineering); LSW3 uses the reverse, root primary for instance 1 and root secondary for instance 2, so that the MSTP root of each instance is the same switch as its VRRP master.

stp instance 2 root primary
stp instance 1 root secondary

3. Configure the IP addresses

Server address

4. Configure the VRRP groups

The commands below are LSW4's side (priority 120 and uplink tracking on VRIDs 20 and 40, which belong to MSTP instance 2); LSW3 mirrors them with priority 120 and tracking on VRIDs 10 and 30 instead. The VRRP default priority is 100, so when the tracked uplink to the router fails the master drops to 80 and the backup, still at 100, takes over.

int vlan 10

vrrp vrid 10 virtual-ip 172.16.10.254

int vlan 20

vrrp vrid 20 virtual-ip 172.16.20.254

vrrp vrid 20 priority 120

vrrp vrid 20 track interface g0/0/1 reduced 40

int vlan 30

vrrp vrid 30 virtual-ip 172.16.30.254

int vlan 40

vrrp vrid 40 virtual-ip 172.16.40.254

vrrp vrid 40 priority 120

vrrp vrid 40 track interface g0/0/1 reduced 40
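To check that the priority and tracking values above actually give the intended split (instance 1 VRIDs mastered by LSW3, instance 2 by LSW4) and that a failed uplink really hands the group to the other switch, here is an added Python simulation of the VRRP election. It is not part of the original post or of any Huawei tooling; it assumes the page's values (default priority 100, priority 120 on the preferred switch, GigabitEthernet0/0/1 tracked with reduced 40, real addresses .10 on SW3 and .20 on SW4) and the standard VRRP tie-break of higher interface address winning.

```python
"""Simulate the VRRP master election used on LSW3/LSW4 in this lab (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

DEFAULT_PRIORITY = 100           # VRRP default when no 'vrrp vrid N priority' is set
UPLINK = "GigabitEthernet0/0/1"  # port each core switch uses towards AR1 (from the page)


@dataclass
class Member:
    """One core switch's configuration for a single VRID."""
    switch: str
    ip: str                               # real Vlanif address, used as tie-breaker
    priority: int = DEFAULT_PRIORITY
    track_interface: Optional[str] = None
    reduced: int = 0

    def effective_priority(self, down_links: Dict[str, Set[str]]) -> int:
        """Priority after 'track interface X reduced Y' is applied (never below 1)."""
        if self.track_interface and self.track_interface in down_links.get(self.switch, set()):
            return max(1, self.priority - self.reduced)
        return self.priority


def elect_master(members: List[Member], down_links: Optional[Dict[str, Set[str]]] = None) -> str:
    """Highest effective priority wins; on a tie the higher interface IP wins."""
    down = down_links or {}

    def key(m: Member):
        return (m.effective_priority(down), tuple(int(o) for o in m.ip.split(".")))

    return max(members, key=key).switch


def build_lab() -> Dict[int, List[Member]]:
    """VRIDs 10/30 prefer SW3, 20/40 prefer SW4: priority 120, uplink tracked, reduced 40."""
    groups: Dict[int, List[Member]] = {}
    for vrid, preferred in ((10, "SW3"), (20, "SW4"), (30, "SW3"), (40, "SW4")):
        groups[vrid] = []
        for switch, host in (("SW3", 10), ("SW4", 20)):
            ip = f"172.16.{vrid}.{host}"       # constructed from the page's addressing
            if switch == preferred:
                groups[vrid].append(Member(switch, ip, 120, UPLINK, 40))
            else:
                groups[vrid].append(Member(switch, ip))
    return groups


def masters(down_links: Optional[Dict[str, Set[str]]] = None) -> Dict[int, str]:
    """Master switch per VRID, given which interfaces are down on which switch."""
    return {vrid: elect_master(ms, down_links) for vrid, ms in build_lab().items()}


# MSTP instance -> (VLANs, root bridge), as configured on SW3/SW4 in the full configs.
MSTP_ROOTS = {1: ({10, 30}, "SW3"), 2: ({20, 40}, "SW4")}


def aligned_with_mstp(result: Dict[int, str]) -> bool:
    """True when every VRRP master is also the MSTP root of the instance holding that VLAN,
    so gateway traffic follows the STP-active path instead of crossing the inter-switch link."""
    for vrid, master in result.items():
        root = next(r for vlans, r in MSTP_ROOTS.values() if vrid in vlans)
        if root != master:
            return False
    return True


def min_reduction_for_failover(master_priority: int, backup_priority: int) -> int:
    """Smallest 'reduced' value that lets the backup take over when the tracked link fails."""
    return master_priority - backup_priority + 1


if __name__ == "__main__":
    print("all links up:   ", masters())
    print("SW3 uplink down:", masters({"SW3": {UPLINK}}))
    print("minimum reduced:", min_reduction_for_failover(120, DEFAULT_PRIORITY))
```

The last function makes the caveat explicit: with a master at 120 and a backup at 100, any reduced value of 20 or less would leave the master at 100 or above and no failover would occur; the page's 40 clears that threshold comfortably.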

5. Configure OSPF

The switches can ping the server.

OSPF neighbours are established.

The PCs can now ping the server.

6. ACL restricting R&D from reaching the 200.0.0.0 network

rule 5 deny ip source 172.16.30.0 0.0.0.255 destination 200.0.0.0 0.0.0.255

The rule lives in advanced ACL 3001 on AR1 and is applied with traffic-filter inbound acl 3001 on both interfaces that face the core switches (GigabitEthernet0/0/0 and GigabitEthernet0/0/1), so it still takes effect after a VRRP failover moves R&D traffic onto the other core switch. Packets that match no rule are permitted by traffic-filter, which is why the other departments keep their external access. Once the filter is applied under the interfaces, R&D can no longer reach the 200.0.0.0 network.
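To reason about what the single deny rule does and does not block before applying it, here is an added Python model of the wildcard-mask matching, the rule-order plus implicit-permit behaviour of traffic-filter, and the interface placement shown in the AR1 configuration. It is not code from the original post or from Huawei; the interface names, the ACL number and the rule text are copied from the page, while the sample flows are constructed.

```python
"""Evaluate the page's advanced ACL and its traffic-filter placement offline (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask test: every bit that is 0 in the wildcard must be identical."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    number: int
    action: str        # "permit" or "deny"
    protocol: str      # "ip" matches any protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str, protocol: str) -> bool:
        return (self.protocol in ("ip", protocol)
                and wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def parse_rule(line: str) -> Rule:
    """Parse 'rule N action proto source A WC destination B WC' (the form used on this page)."""
    t = line.split()
    if len(t) != 10 or t[0] != "rule" or t[4] != "source" or t[7] != "destination":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(int(t[1]), t[2], t[3], t[5], t[6], t[8], t[9])


def evaluate(rules: List[Rule], src: str, dst: str, protocol: str = "ip") -> Tuple[str, Optional[int]]:
    """Rules are tried in ascending number; traffic-filter lets a packet that matches
    no rule through, so the implicit default is permit."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(src, dst, protocol):
            return r.action, r.number
    return "permit", None


# Constructed to mirror AR1 on this page: ACL 3001 with its single deny rule,
# applied inbound on the two interfaces that face the core switches.
ACL_3001 = [parse_rule("rule 5 deny ip source 172.16.30.0 0.0.0.255 destination 200.0.0.0 0.0.0.255")]
INBOUND_FILTERS: Dict[str, List[Rule]] = {
    "GigabitEthernet0/0/0": ACL_3001,
    "GigabitEthernet0/0/1": ACL_3001,
}


def forward(ingress: str, src: str, dst: str, protocol: str = "ip") -> str:
    """Return 'drop' or 'forward' for a packet entering AR1 on `ingress`."""
    acl = INBOUND_FILTERS.get(ingress)
    if acl is None:
        return "forward"          # no traffic-filter on that interface
    action, _ = evaluate(acl, src, dst, protocol)
    return "drop" if action == "deny" else "forward"


if __name__ == "__main__":
    for iface, s, d in [
        ("GigabitEthernet0/0/0", "172.16.30.5", "200.0.0.10"),   # R&D via LSW3 path
        ("GigabitEthernet0/0/1", "172.16.30.5", "200.0.0.10"),   # R&D after VRRP failover
        ("GigabitEthernet0/0/0", "172.16.10.5", "200.0.0.10"),   # Marketing, not matched
        ("GigabitEthernet0/0/0", "172.16.30.5", "172.16.10.5"),  # R&D to another department
    ]:
        print(f"{iface} {s} -> {d}: {forward(iface, s, d)}")
```

The same flow from R&D is dropped whichever core switch it enters through, while Marketing and R&D-to-internal traffic fall through to the implicit permit; if the filter were attached to only one of the two router interfaces, a VRRP failover would silently bypass the restriction.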

Full configurations

SW1


[SW1]dis current-configuration 
#
sysname SW1
#
vlan batch 10 to 11 20 30 40
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name HHH
 revision-level 1
 instance 1 vlan 10 30
 instance 2 vlan 20 40
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return

SW2

[SW2]dis current-configuration 
#
sysname SW2
#
vlan batch 10 to 11 20 30 40
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name HHH
 revision-level 1
 instance 1 vlan 10 30
 instance 2 vlan 20 40
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 40
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return

SW3

[SW3]dis current-configuration 
#
sysname SW3
#
vlan batch 10 to 11 20 30 40
#
stp instance 1 root primary
stp instance 2 root secondary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name HHH
 revision-level 1
 instance 1 vlan 10 30
 instance 2 vlan 20 40
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 172.16.10.10 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.10.254
 vrrp vrid 10 priority 120
 vrrp vrid 10 track interface GigabitEthernet0/0/1 reduced 40
#
interface Vlanif11
 ip address 1.1.1.1 255.255.255.252
#
interface Vlanif20
 ip address 172.16.20.10 255.255.255.0
 vrrp vrid 20 virtual-ip 172.16.20.254
#
interface Vlanif30
 ip address 172.16.30.10 255.255.255.0
 vrrp vrid 30 virtual-ip 172.16.30.254
 vrrp vrid 30 priority 120
 vrrp vrid 30 track interface GigabitEthernet0/0/1 reduced 40
#
interface Vlanif40
 ip address 172.16.40.10 255.255.255.0
 vrrp vrid 40 virtual-ip 172.16.40.254
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 11
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/22
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 0.0.0.0 255.255.255.255
#
user-interface con 0
user-interface vty 0 4
#
return

SW4

[SW4]dis current-configuration 
#
sysname SW4
#
vlan batch 10 to 11 20 30 40
#
stp instance 1 root secondary
stp instance 2 root primary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name HHH
 revision-level 1
 instance 1 vlan 10 30
 instance 2 vlan 20 40
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 172.16.10.20 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.10.254
#
interface Vlanif11
 ip address 1.1.1.6 255.255.255.252
#
interface Vlanif20
 ip address 172.16.20.20 255.255.255.0
 vrrp vrid 20 virtual-ip 172.16.20.254
 vrrp vrid 20 priority 120
 vrrp vrid 20 track interface GigabitEthernet0/0/1 reduced 40
#
interface Vlanif30
 ip address 172.16.30.20 255.255.255.0
 vrrp vrid 30 virtual-ip 172.16.30.254
#
interface Vlanif40
 ip address 172.16.40.20 255.255.255.0
 vrrp vrid 40 virtual-ip 172.16.40.254
 vrrp vrid 40 priority 120
 vrrp vrid 40 track interface GigabitEthernet0/0/1 reduced 40
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 11
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/22
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 0.0.0.0 255.255.255.255
#
user-interface con 0
user-interface vty 0 4
#
return

AR1

[AR1]dis current-configuration 
[V200R003C00]
#
 sysname AR1
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
acl number 2001  
#
acl number 3001  
 rule 5 deny ip source 172.16.30.0 0.0.0.255 destination 200.0.0.0 0.0.0.255 
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 1.1.1.2 255.255.255.252 
 traffic-filter inbound acl 3001
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.5 255.255.255.252 
 traffic-filter inbound acl 3001
#
interface GigabitEthernet0/0/2
 ip address 200.0.0.1 255.255.255.252 
#
interface NULL0
#
ospf 1 
 area 0.0.0.0 
  network 0.0.0.0 255.255.255.255 
  network 1.1.1.0 0.0.0.255 
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

AR2

[AR2]dis current-configuration 
[V200R003C00]
#
 sysname AR2
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 200.0.0.254 255.255.255.0 
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
 ip address 200.0.0.2 255.255.255.252 
#
interface NULL0
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
