Tags: client other protocol ace gateway int basic allow relay
The backbone topology of an enterprise network is shown in the figure below:
The enterprise network requirements are as follows:
Lab requirements:
1. R1 is the enterprise's internal device; R2 belongs to the ISP's network.
2. The enterprise internal network runs MSTP to provide reliability and load balancing.
3. PC1 and PC2 obtain IP addresses automatically and can ping each other.
4. R1 acts as the enterprise DHCP server.
5. The enterprise internal network runs OSPF and NAT so that the internal and external networks can reach each other.
6. The network where Client1 resides may access all services on Server1, but only the FTP service on Server2.
7. The network where Client2 resides may access only the www service on Server1 and Server2.
8. The enterprise network devices can be managed remotely from R2.
Step 1: basic network configuration
SW1 basic configuration
sysname SW1
vlan batch 10 20 30 100
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan all
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan all
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
interface Vlanif100
ip address 192.168.100.2 255.255.255.0
SW2 basic configuration
sysname SW2
vlan batch 10 20 30
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan all
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan all
interface Ethernet0/0/3
port link-type access
port default vlan 10
interface Ethernet0/0/4
port link-type access
port default vlan 20
SW3 basic configuration
sysname SW3
vlan batch 10 20 30
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan all
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan all
interface Ethernet0/0/3
port link-type access
port default vlan 20
interface Ethernet0/0/4
port link-type access
port default vlan 10
R1 configuration
sysname R1
interface g0/0/1
ip address 100.1.1.2 24
interface g0/0/0
ip address 192.168.100.1 24
interface g0/0/2
ip address 192.168.30.254 24
R2 configuration
sysname R2
interface g0/0/0
ip address 100.1.1.1 24
interface g0/0/1
ip address 200.1.1.254 24
Step 2: STP configuration
STP (MSTP) configuration
SW1 configuration:
stp region-configuration
region-name ntd
instance 10 vlan 10
instance 20 vlan 20
active region-configuration
quit
stp instance 10 priority 8192
stp instance 20 priority 8192
SW2 configuration:
stp region-configuration
region-name ntd
instance 10 vlan 10
instance 20 vlan 20
active region-configuration
quit
stp instance 10 priority 4096
SW3 configuration:
stp region-configuration
region-name ntd
instance 10 vlan 10
instance 20 vlan 20
active region-configuration
quit
stp instance 20 priority 4096
Step 3: OSPF configuration
SW1 configuration
ospf 1
area 0.0.0.0
network 192.168.100.0 0.0.0.255
area 0.0.0.10
network 192.168.10.0 0.0.0.255
area 0.0.0.20
network 192.168.20.0 0.0.0.255
R1 configuration
ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
ospf 1
default-route-advertise always
area 0.0.0.0
network 192.168.100.0 0.0.0.255
area 0.0.0.30
network 192.168.30.0 0.0.0.255
stub no-summary
Step 4: DHCP configuration and testing
DHCP configuration
R1 configuration
dhcp enable
ip pool p1
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
lease day 7 hour 0 minute 0
dns-list 8.8.8.8
ip pool p2
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
lease day 7 hour 0 minute 0
dns-list 8.8.8.8
interface GigabitEthernet0/0/0
dhcp select global
quit
SW1 configuration
dhcp enable
interface Vlanif10
dhcp select relay
dhcp relay server-ip 192.168.100.1
interface Vlanif20
dhcp select relay
dhcp relay server-ip 192.168.100.1
quit
The test result is shown in the figure below:
Step 5: NAT and ACL configuration and testing
Configured on the enterprise edge router R1.
First, the internal ACL: it allows Client1 to access only the FTP service on Server2 and Client2 to access only the www service on Server2. The ACL is configured as follows:
acl number 3000
rule 10 permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.1 0 destination-port eq ftp
rule 15 permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.1 0 destination-port eq ftp-data
rule 20 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.1 0
rule 30 permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.30.1 0 destination-port eq www
rule 40 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.1 0
interface GigabitEthernet0/0/2
traffic-filter outbound acl 3000
As the figure below shows, Client1 can access the FTP service on Server2 but not the WWW service:
As the figure below shows, Client2 can access the www service on Server2 but not the FTP service:
Next, the external ACL: it allows Client1 to access all services on Server1 and Client2 to access only the www service on Server2. The ACL is configured as follows:
External ACL configuration
acl number 3001
rule 10 permit tcp source 192.168.20.0 0.0.0.255 destination 200.1.1.1 0 destination-port eq www
rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 200.1.1.1 0
rule 30 permit ip
quit
interface GigabitEthernet0/0/1
nat outbound 3001
As the figure below shows, Client2 can access the www service on Server1 but not the FTP service, while the other devices in the internal network are unaffected:
With this, the enterprise network configuration and verification are complete.
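To verify that ACL 3000 and ACL 3001 above actually express requirements 6 and 7 before binding them to an interface, the following added example (not part of the original post, and not VRP code) parses the rule lines exactly as they appear on this page and evaluates constructed sample flows against them. Rules are matched in ascending rule-number order, first match wins, as on VRP. The host addresses, the mapping of the keywords ftp, ftp-data and www to TCP ports 21, 20 and 80, and the "no-match" outcome are assumptions of this example: how a device treats a flow that matches no rule depends on where the ACL is bound (traffic-filter passes it; nat outbound simply leaves it untranslated), so the evaluator reports it separately instead of deciding.

```python
"""Evaluator for the Huawei-style advanced ACL rules shown on this page.

Added example: parses the ACL 3000 / 3001 rule lines, evaluates constructed
flows in rule-number order and returns permit / deny / no-match.
"""
import ipaddress
import re

# Assumption: VRP service keywords resolve to the standard TCP ports.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80}

RULE_RE = re.compile(
    r"rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<src_wc>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dst_wc>\S+))?"
    r"(?:\s+destination-port\s+eq\s+(?P<dport>\S+))?\s*$"
)

# The page's two ACLs, copied verbatim (line wraps joined).
ACL_TEXT = """
acl number 3000
rule 10 permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.1 0 destination-port eq ftp
rule 15 permit tcp source 192.168.10.0 0.0.0.255 destination 192.168.30.1 0 destination-port eq ftp-data
rule 20 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.1 0
rule 30 permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.30.1 0 destination-port eq www
rule 40 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.1 0
acl number 3001
rule 10 permit tcp source 192.168.20.0 0.0.0.255 destination 200.1.1.1 0 destination-port eq www
rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 200.1.1.1 0
rule 30 permit ip
"""


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a 1 bit means 'don't care'; plain '0' means exact host."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(text):
    """Return {acl_number: [rule dicts]} with each list sorted by rule number."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"acl number (\d+)", line)
        if m:
            current = int(m.group(1))
            acls[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            rule = m.groupdict()
            rule["num"] = int(rule["num"])
            if rule["dport"] is not None:
                rule["dport"] = PORT_NAMES.get(rule["dport"]) or int(rule["dport"])
            acls[current].append(rule)
    for rules in acls.values():
        rules.sort(key=lambda r: r["num"])
    return acls


def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins; returns (outcome, rule_number) or ('no-match', None)."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:   # 'ip' covers every protocol
            continue
        if r["src"] and not wildcard_match(src, r["src"], r["src_wc"]):
            continue
        if r["dst"] and not wildcard_match(dst, r["dst"], r["dst_wc"]):
            continue
        if r["dport"] is not None and dport != r["dport"]:
            continue
        return r["action"], r["num"]
    return "no-match", None


ACLS = parse_acl(ACL_TEXT)


def check_policy():
    """Evaluate constructed flows for requirements 6 and 7; returns {flow: outcome}."""
    c1, c2 = "192.168.10.10", "192.168.20.10"        # constructed client addresses
    srv2, srv1 = "192.168.30.1", "200.1.1.1"          # Server2 / Server1 from the page
    flows = {
        "c1_ftp_srv2": evaluate(ACLS[3000], "tcp", c1, srv2, 21),
        "c1_www_srv2": evaluate(ACLS[3000], "tcp", c1, srv2, 80),
        "c2_www_srv2": evaluate(ACLS[3000], "tcp", c2, srv2, 80),
        "c2_ftp_srv2": evaluate(ACLS[3000], "tcp", c2, srv2, 21),
        "c1_ftp_srv1": evaluate(ACLS[3001], "tcp", c1, srv1, 21),
        "c2_www_srv1": evaluate(ACLS[3001], "tcp", c2, srv1, 80),
        "c2_ftp_srv1": evaluate(ACLS[3001], "tcp", c2, srv1, 21),
        # Traffic that hits neither ACL's address pairs (e.g. Client1 pinging a host in VLAN 20).
        "c1_icmp_vlan20": evaluate(ACLS[3000], "icmp", c1, "192.168.20.10"),
    }
    return {name: outcome for name, (outcome, _) in flows.items()}


if __name__ == "__main__":
    for name, outcome in check_policy().items():
        print(f"{name:16s} {outcome}")
```

The final flow is the one to watch: it matches no rule in ACL 3000, so under traffic-filter it would pass, whereas the same outcome under an ACL bound with nat outbound would mean the packet leaves without translation. The explicit deny rules 20 and 40 in ACL 3000 and rule 20 in ACL 3001 are what make the policy hold regardless of that default.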
Original article: https://blog.51cto.com/11806823/2444493