Contents
Purpose and significance:
Basic principles:
Solution design
Appendix 1: Network topology diagram
Appendix 2: IPv4 address plan
Solution implementation
1 (VLAN):
2 (omitted)
3 (OSPF)
4 (Link aggregation)
5 (DHCP)
6 (Access security)
7 (ACL access control security)
8 (FW)
Interface services:
Zone division:
Security policy:
NAT policy:
Security protection:
Result verification and presentation:
1 (VLAN)
2 (omitted)
3 (OSPF)
4 (Link aggregation)
5 (DHCP)
6 (User access security)
7 (Access control)
8 (FW)
Appendix 2: IPv4 address plan

| Device | Interface | IPv4 address |
| --- | --- | --- |
| CK | G1/0/0 | 10.0.0.1/30 |
| CK | G1/0/1 | 11.0.0.1/30 |
| CK | G1/0/2 | 22.0.0.1/30 |
| CK | Eth-Trunk 1 | 20.0.0.1/30 |
| YD | G0/0/0 | 11.0.0.2/30 |
| LT | G0/0/0 | 22.0.0.2/30 |
| HX | G1/0/0 | 10.0.0.2/30 |
| HX | G1/0/1 | 10.0.11.1/30 |
| HX | G1/0/2 | 10.0.12.1/30 |
| HX | G1/0/3 | 10.0.13.1/30 |
| SW1 | SVI 200 (G0/0/1) | 10.0.11.2/30 |
| SW1 | SVI 10 (XS1) | 192.168.10.254/24 |
| SW1 | SVI 20 (XS2) | 192.168.20.254/24 |
| SW2 | SVI 200 (G0/0/1) | 10.0.12.2/30 |
| SW2 | SVI 30 (RS1) | 192.168.30.254/24 |
| SW2 | SVI 40 (RS2) | 192.168.40.254/24 |
| SW3 | SVI 200 (G0/0/1) | 10.0.13.2/30 |
| SW3 | SVI 50 (JS1) | 192.168.50.254/24 |
| SW3 | SVI 60 (JS2) | 192.168.60.254/24 |
| SW4 | Eth-Trunk 1 | 20.0.0.2/30 |
| SW4 | SVI 100 (Server) | 192.168.100.254/24 |
| DNS | E0/0/0 | 192.168.100.1/24 |
| WEB | E0/0/0 | 192.168.100.2/24 |
Solution implementation

1 (VLAN):

SW1:
```
vlan 10
vlan 20
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20
```

SW2:
```
vlan 30
vlan 40
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 40
```

SW3:
```
vlan 50
vlan 60
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 50
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 60
```

SW4:
```
vlan 100
#
interface GE1/0/3
 shutdown
 port default vlan 100
#
interface GE1/0/4
 shutdown
 port default vlan 100
#
interface Eth-Trunk1
 mode lacp-static
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
```
3 (OSPF)

CK:
```
ospf 100
 default-route-advertise always
 area 0.0.0.0
  network 10.0.0.1 0.0.0.0
  network 20.0.0.1 0.0.0.0
#
interface GigabitEthernet1/0/0
 ospf network-type p2p
#
interface Eth-Trunk1
 ospf network-type p2p
```

HX:
```
ospf 100
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 10.0.0.2 0.0.0.0
  network 10.0.11.1 0.0.0.0
  network 10.0.12.1 0.0.0.0
  network 10.0.13.1 0.0.0.0
#
interface GE1/0/0
 ospf network-type p2p
#
interface GE1/0/1
 ospf network-type p2p
#
interface GE1/0/2
 ospf network-type p2p
#
interface GE1/0/3
 ospf network-type p2p
```

SW1:
```
ospf 100
 area 0.0.0.0
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 10.0.11.2 0.0.0.0
#
interface Vlanif200
 ospf network-type p2p
```

SW2:
```
ospf 100
 area 0.0.0.0
  network 192.168.30.0 0.0.0.255
  network 192.168.40.0 0.0.0.255
  network 10.0.12.2 0.0.0.0
#
interface Vlanif200
 ospf network-type p2p
```

SW3:
```
ospf 100
 area 0.0.0.0
  network 192.168.50.0 0.0.0.255
  network 192.168.60.0 0.0.0.255
  network 10.0.13.2 0.0.0.0
#
interface Vlanif200
 ospf network-type p2p
```

SW4:
```
ospf 100
 area 0.0.0.0
  network 20.0.0.2 0.0.0.0
  network 192.168.100.0 0.0.0.255
#
interface Eth-Trunk1
 ospf network-type p2p
```
4 (Link aggregation)

CK:
```
interface Eth-Trunk1
 mode lacp-static
 load-balance src-dst-ip
#
interface GigabitEthernet1/0/3
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/4
 undo shutdown
 eth-trunk 1
```

SW4:
```
interface Eth-Trunk1
 mode lacp-static
 load-balance src-dst-ip
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/2
 undo shutdown
 eth-trunk 1
```
5 (DHCP)

HX:
```
dhcp enable
#
ip pool XS1
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 dns-list 192.168.100.1
#
ip pool XS2
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 dns-list 192.168.100.1
#
ip pool RS1
 gateway-list 192.168.30.254
 network 192.168.30.0 mask 255.255.255.0
 dns-list 192.168.100.1
#
ip pool RS2
 gateway-list 192.168.40.254
 network 192.168.40.0 mask 255.255.255.0
 dns-list 192.168.100.1
#
ip pool JS1
 gateway-list 192.168.50.254
 network 192.168.50.0 mask 255.255.255.0
 dns-list 192.168.100.1
#
ip pool JS2
 gateway-list 192.168.60.254
 network 192.168.60.0 mask 255.255.255.0
 dns-list 192.168.100.1
```

SW1:
```
dhcp enable
#
interface Vlanif10
 dhcp select relay
 dhcp relay server-ip 1.1.1.1
#
interface Vlanif20
 dhcp select relay
 dhcp relay server-ip 1.1.1.1
```

SW2:
```
dhcp enable
#
interface Vlanif30
 dhcp select relay
 dhcp relay server-ip 1.1.1.1
#
interface Vlanif40
 dhcp select relay
 dhcp relay server-ip 1.1.1.1
```

SW3:
```
dhcp enable
#
interface Vlanif50
 dhcp select relay
 dhcp relay server-ip 1.1.1.1
#
interface Vlanif60
 dhcp select relay
 dhcp relay server-ip 1.1.1.1
```
6 (Access security)

SW1:
```
dhcp snooping enable
#
interface GigabitEthernet0/0/1
 dhcp snooping enable
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 arp anti-attack check user-bind enable
 ip source check user-bind enable
#
interface GigabitEthernet0/0/3
 arp anti-attack check user-bind enable
 ip source check user-bind enable
```

SW2:
```
dhcp snooping enable
#
interface GigabitEthernet0/0/1
 dhcp snooping enable
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 arp anti-attack check user-bind enable
 ip source check user-bind enable
#
interface GigabitEthernet0/0/3
 arp anti-attack check user-bind enable
 ip source check user-bind enable
```

SW3:
```
dhcp snooping enable
#
interface GigabitEthernet0/0/1
 dhcp snooping enable
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 arp anti-attack check user-bind enable
 ip source check user-bind enable
#
interface GigabitEthernet0/0/3
 arp anti-attack check user-bind enable
 ip source check user-bind enable
```
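The access-security configuration above combines three mechanisms: DHCP snooping accepts DHCP server replies only on the trusted uplink and builds a binding table from the leases it sees, while IP source guard and ARP anti-attack (DAI) on the access ports drop IP and ARP packets whose source does not appear in that table. The following simulation of SW1 (an added illustration, not the switch's code; port-to-VLAN mapping and MAC addresses are constructed) shows why a rogue DHCP server on an access port is blocked and why a host with a manually configured address, as in the verification step below, gets no connectivity.

```python
from dataclasses import dataclass, field

# Constructed simulation of SW1's access-security configuration from this lab
# (an added illustration, not the switch's own code). G0/0/1 is the DHCP
# snooping trusted uplink toward HX; G0/0/2 (VLAN 10) and G0/0/3 (VLAN 20) are
# untrusted access ports carrying "ip source check user-bind enable" and
# "arp anti-attack check user-bind enable". Bindings are learned only when a
# DHCP ACK for a pending client request arrives on the trusted port.
TRUSTED = {"GigabitEthernet0/0/1"}
PORT_VLAN = {"GigabitEthernet0/0/2": 10, "GigabitEthernet0/0/3": 20}

@dataclass
class SnoopingSwitch:
    pending: dict = field(default_factory=dict)   # client mac -> access port
    bindings: dict = field(default_factory=dict)  # client mac -> (ip, vlan, port)

    def dhcp_discover(self, in_port, client_mac):
        """Client request on an access port; remembered so the ACK can be bound."""
        self.pending[client_mac] = in_port
        return "forwarded"  # relayed toward HX by the Vlanif relay

    def dhcp_ack(self, in_port, client_mac, yiaddr):
        """Server reply. Only the trusted uplink may deliver DHCP server messages,
        which blocks a rogue DHCP server plugged into an access port."""
        if in_port not in TRUSTED:
            return "dropped: DHCP server message on untrusted port"
        port = self.pending.pop(client_mac, None)
        if port is None:
            return "forwarded"  # no request seen here, nothing to bind
        self.bindings[client_mac] = (yiaddr, PORT_VLAN[port], port)
        return "forwarded, binding learned"

    def user_packet(self, in_port, src_mac, src_ip, kind="ip"):
        """IP (IPSG) or ARP (DAI) packet from a user port, checked against the
        binding table: a manually configured address has no entry and is dropped."""
        if in_port in TRUSTED:
            return "forwarded"  # the checks are not configured on the uplink
        bound = self.bindings.get(src_mac)
        if bound is None or bound[0] != src_ip or bound[2] != in_port:
            check = "DAI" if kind == "arp" else "IPSG"
            return f"dropped by {check}: no matching binding"
        return "forwarded"
```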
7 (ACL access control security)

SW1:
```
acl number 3000
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
 rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
 rule 15 permit ip
#
interface GigabitEthernet0/0/1
 traffic-filter outbound acl 3000
```
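ACL 3000 is evaluated rule by rule in ascending order with wildcard masks, and it is bound outbound on G0/0/1 only, so it inspects traffic leaving SW1 toward HX and nothing else. The evaluator below (an added illustration, not code from the lab; the sample addresses are constructed) reproduces that matching logic and shows which flows the sales VLANs 10 and 20 lose, which they keep, and which traffic never reaches the filter at all.

```python
import ipaddress

# Constructed model of SW1's "acl number 3000" from this lab; an added
# illustration, not code from the lab or the switch. Huawei advanced ACL rules
# carry wildcard masks (0 bits must match, 1 bits are ignored); a bare
# "permit ip" has no source/destination and matches every packet. Rules are
# evaluated in ascending rule-id order and the first match decides.
ACL_3000 = [
    (5, "deny", "192.168.10.0 0.0.0.255", "192.168.100.0 0.0.0.255"),
    (10, "deny", "192.168.20.0 0.0.0.255", "192.168.100.0 0.0.0.255"),
    (15, "permit", None, None),
]
# Where the ACL is bound: "traffic-filter outbound acl 3000" on the uplink to HX.
FILTER_INTERFACE = "GigabitEthernet0/0/1"

def wildcard_match(addr, spec):
    """True if addr matches a 'network wildcard' pair; None means any address."""
    if spec is None:
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    keep = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF  # bits that must match
    return (a & keep) == (n & keep)

def evaluate(acl, src, dst):
    """(rule_id, action) of the first matching rule. traffic-filter forwards
    packets that match no rule, so the fallback is permit; rule 15 makes that
    explicit in this lab."""
    for rule_id, action, s_spec, d_spec in acl:
        if wildcard_match(src, s_spec) and wildcard_match(dst, d_spec):
            return rule_id, action
    return None, "permit"

def sw1_forwards(src, dst, out_interface):
    """Does SW1 forward this packet? Only packets leaving G0/0/1 are filtered;
    traffic between VLAN 10 and VLAN 20 via the SVIs, and replies arriving
    from HX on G0/0/1 (inbound), never hit ACL 3000."""
    if out_interface != FILTER_INTERFACE:
        return True
    return evaluate(ACL_3000, src, dst)[1] == "permit"
```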
8 (FW)

Interface services:

CK:
```
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.1 255.255.255.252
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 11.0.0.1 255.255.255.252
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 22.0.0.1 255.255.255.252
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface Eth-Trunk1
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
```
Zone division:

CK:
```
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1
```
Security policy:

FW:
```
security-policy
 rule name trust_dmz
  source-zone trust
  destination-zone dmz
  action permit
 rule name trust_untrust
  source-zone trust
  destination-zone untrust
  action permit
```
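The zone division and security policy above only permit flows that originate in trust; everything else, including anything the DMZ servers initiate toward untrust, falls to the firewall's implicit deny, while replies to permitted flows pass because the firewall is stateful. The model below (an added illustration, not the firewall's code) derives each address's zone from the zone membership of the interface it is reached through; the routes it uses are an assumption based on the lab's address plan, including a default route toward YD on G1/0/1.

```python
import ipaddress

# Constructed model of CK's zones and security policy from this lab (an added
# illustration, not the firewall's code). Zone membership comes from the "Zone
# division" section; which interface a destination sits behind is derived from
# the lab's address plan. ASSUMPTION: the default route points to YD on G1/0/1.
ZONES = {
    "GigabitEthernet0/0/0": "trust", "GigabitEthernet1/0/0": "trust",
    "GigabitEthernet1/0/1": "untrust", "GigabitEthernet1/0/2": "untrust",
    "Eth-Trunk1": "dmz",
}
ROUTES = [  # (prefix, egress interface); longest prefix wins
    ("192.168.0.0/24", "GigabitEthernet0/0/0"),
    ("192.168.100.0/24", "Eth-Trunk1"),
    ("192.168.0.0/16", "GigabitEthernet1/0/0"),  # campus VLANs behind HX
    ("0.0.0.0/0", "GigabitEthernet1/0/1"),
]
POLICY = [  # (rule name, source-zone, destination-zone, action); first match wins
    ("trust_dmz", "trust", "dmz", "permit"),
    ("trust_untrust", "trust", "untrust", "permit"),
]

def zone_of(addr):
    """Zone an address is reached through, by longest-prefix match on ROUTES."""
    ip = ipaddress.IPv4Address(addr)
    hits = [(ipaddress.IPv4Network(p), i) for p, i in ROUTES
            if ip in ipaddress.IPv4Network(p)]
    return ZONES[max(hits, key=lambda h: h[0].prefixlen)[1]]

class Firewall:
    def __init__(self):
        self.sessions = set()  # (src, dst) flows already permitted

    def packet(self, src, dst):
        """Stateful check: a flow with a session passes in both directions; a
        new flow is matched against the inter-zone policy in order, and a flow
        that matches no rule hits the implicit default rule, which denies."""
        if (src, dst) in self.sessions or (dst, src) in self.sessions:
            return "permit (session)"
        sz, dz = zone_of(src), zone_of(dst)
        for name, s, d, action in POLICY:
            if s == sz and d == dz:
                if action == "permit":
                    self.sessions.add((src, dst))
                return f"{action} ({name})"
        return "deny (default)"
```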
Result verification and presentation:

Display VLAN information
Display the routing table and OSPF neighbors
Display aggregated (Eth-Trunk) interface information
Check whether users have obtained IP addresses
Display DHCP snooping details
A user with a manually configured IP address cannot reach the network
Display the ACL configuration
Use ping to verify that the sales department cannot reach the server (before-and-after comparison)
Display the firewall zones
Display the firewall security policy
Use ping to verify the security-policy configuration
Use ping to verify the NAT policy and capture packets to confirm that translation succeeded