12.19 Q&A Analysis

news/2024/12/24 1:58:19 Tags: network protocols, networking, information and communication, servers, operations and maintenance

Overview

A small to medium-sized enterprise has four departments: Marketing, Administration, R&D and Engineering. Plan the IP addressing and VLANs so that the whole intranet is interconnected. Marketing, Administration and Engineering must be able to reach the external network (OSPF is required), while R&D must not (enforced with an access control list). For reliability, configure MSTP together with multiple VRRP backup groups to share load and remove single points of failure. On the egress router, configure NAT so that internal hosts reach the external network using the inside global addresses provided by the ISP, improving overall network security.
2. Configuration requirements
(1) The four departments are each in a different subnet and a different VLAN, with inter-VLAN communication;
(2) LSW1 and LSW2 are access switches, LSW3 and LSW4 are core switches, and R1 is the egress router;
(3) Marketing and R&D belong to MSTP instance 1; the VRRP master is LSW3 and the backup is LSW4;
(4) Administration and Engineering belong to MSTP instance 2; the VRRP master is LSW4 and the backup is LSW3;
(5) The inside global address block the ISP assigns to the enterprise is the 1.1.1.0 subnet;
(6) The external server's IP address is in the 200.0.0.0/24 subnet;
(7) Plan the interconnect addresses between the core switches and the router sensibly;
(8) Access control requirement: R&D cannot access the external network.
The enterprise network topology is shown in Figure 1:
Question from CSDN @weixin_44257060

Lab topology (Figure 1)

Lab configuration

1. Create the VLANs and assign the interfaces

Use trunk links between switches, and access links between a switch and a router or end device.

vlan batch 10 20 30 40 11
(VLAN 11 is used for the links to the router.)

port link-type trunk
port trunk allow-pass vlan 10 20 30 40 11

2. Configure MSTP

The region configuration is identical on all four switches:

stp region-configuration
instance 1 vlan 10 30
instance 2 vlan 20 40
region-name HHH
revision-level 1
active region-configuration

Root selection, shown here for LSW4 (LSW3 uses the reverse: instance 1 primary, instance 2 secondary, matching the VRRP masters in the requirements):

stp instance 2 root primary
stp instance 1 root secondary

3. Configure the IP addresses

The addresses are those in the full configurations below: VLAN 10/20/30/40 use 172.16.10.0/24 to 172.16.40.0/24 with .254 as the VRRP virtual gateway, the LSW3-AR1 link uses 1.1.1.0/30, the LSW4-AR1 link uses 1.1.1.4/30, and the AR1-AR2 link uses 200.0.0.0/30 with the server subnet 200.0.0.0/24 behind AR2.

Server addresses (screenshot not reproduced)

4. Set up the VRRP groups

The commands below are those entered on LSW4; LSW3 mirrors them, with priority 120 and uplink tracking on VLAN 10 and VLAN 30 instead (see the full configurations below).

interface Vlanif 10
vrrp vrid 10 virtual-ip 172.16.10.254

interface Vlanif 20
vrrp vrid 20 virtual-ip 172.16.20.254
vrrp vrid 20 priority 120
vrrp vrid 20 track interface GigabitEthernet 0/0/1 reduced 40

interface Vlanif 30
vrrp vrid 30 virtual-ip 172.16.30.254

interface Vlanif 40
vrrp vrid 40 virtual-ip 172.16.40.254
vrrp vrid 40 priority 120
vrrp vrid 40 track interface GigabitEthernet 0/0/1 reduced 40
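To see how the four groups above fail over, here is an added Python model (not part of the original post) of the VRRP master election, using the priorities and the track ... reduced 40 settings from the LSW3/LSW4 configurations on this page. The uplink up/down scenarios and the mismatch check against the MSTP roots are constructed for this example.

```python
# Added example (not from the original post): VRRP master election for the
# page's four backup groups. Highest effective priority wins, ties go to the
# higher interface IP, and "track interface G0/0/1 reduced 40" subtracts 40
# while that uplink is down. Values come from the SW3/SW4 configurations;
# the uplink up/down scenarios are constructed for this demo.
TRACK_REDUCE = 40  # "reduced 40" in the vrrp track command

# vrid -> switch -> (interface IP, priority, tracks G0/0/1?); 100 = VRRP default
VRRP_CONFIG = {
    10: {"SW3": ("172.16.10.10", 120, True),  "SW4": ("172.16.10.20", 100, False)},
    20: {"SW3": ("172.16.20.10", 100, False), "SW4": ("172.16.20.20", 120, True)},
    30: {"SW3": ("172.16.30.10", 120, True),  "SW4": ("172.16.30.20", 100, False)},
    40: {"SW3": ("172.16.40.10", 100, False), "SW4": ("172.16.40.20", 120, True)},
}
# MSTP roots ("stp instance N root primary") and the instance/VLAN mapping
MSTP_ROOT = {1: "SW3", 2: "SW4"}
INSTANCE_OF_VLAN = {10: 1, 30: 1, 20: 2, 40: 2}


def effective_priority(vrid, switch, uplink_up=None):
    """Configured priority minus the track penalty while the uplink is down."""
    _, prio, tracks = VRRP_CONFIG[vrid][switch]
    if tracks and not (uplink_up or {}).get(switch, True):
        prio -= TRACK_REDUCE
    return prio


def elect_master(vrid, uplink_up=None):
    """Switch that becomes master; uplink_up maps switch -> G0/0/1 is up."""
    def rank(sw):
        ip = tuple(int(o) for o in VRRP_CONFIG[vrid][sw][0].split("."))
        return (effective_priority(vrid, sw, uplink_up), ip)
    return max(VRRP_CONFIG[vrid], key=rank)


def masters(uplink_up=None):
    return {vrid: elect_master(vrid, uplink_up) for vrid in VRRP_CONFIG}


def vrrp_mstp_mismatches(uplink_up=None):
    """VLANs whose gateway (VRRP master) is no longer the MSTP root of their
    instance: traffic then takes an extra hop over the inter-core trunk."""
    return sorted(v for v, m in masters(uplink_up).items()
                  if MSTP_ROOT[INSTANCE_OF_VLAN[v]] != m)


if __name__ == "__main__":
    for scenario in (None, {"SW3": False}, {"SW4": False}):
        print(scenario, masters(scenario), vrrp_mstp_mismatches(scenario))
```

With all uplinks up, each VLAN's gateway sits on its MSTP root; once LSW3's uplink fails, VLAN 10 and 30 move to LSW4 while their spanning-tree root stays on LSW3.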

5. Configure OSPF

The OSPF configuration itself appears in the full configurations below (ospf 1 with network 0.0.0.0 255.255.255.255 in area 0.0.0.0 on LSW3, LSW4 and AR1). The verification screenshots (not reproduced here) showed:

The switches can ping the server.

OSPF neighbours are established.

The PCs can now ping the server.

6. ACL to block R&D from reaching the 200.0.0.0 subnet

rule 5 deny ip source 172.16.30.0 0.0.0.255 destination 200.0.0.0 0.0.0.255

This rule belongs to acl number 3001 on AR1 and is applied with traffic-filter inbound acl 3001 on AR1's GigabitEthernet0/0/0 and GigabitEthernet0/0/1 (the links from the two core switches), so R&D hosts cannot reach the 200.0.0.0 subnet whichever core switch is forwarding their traffic.
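To check what the rule above actually covers, here is an added Python evaluator (not part of the original post) for Huawei-style advanced ACL rules with wildcard masks, run against acl 3001 as shown in the AR1 configuration on this page. The sample hosts are constructed for this example.

```python
# Added example (not from the original post): evaluate Huawei-style advanced
# ACL rules with wildcard masks against sample flows. A VRP traffic-filter
# forwards packets that match no rule, so the single deny rule of acl 3001
# blocks only R&D (172.16.30.0/24) towards the 200.0.0.0/24 server subnet.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # omitted source/destination means any


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Wildcard mask: a 1 bit means 'don't care', so 0.0.0.255 covers a /24."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_rule(line):
    """Parse 'rule N deny|permit <proto> [source A W] [destination B W]'."""
    t = line.split()
    rule = {"id": int(t[1]), "action": t[2], "proto": t[3]}
    i = 4
    while i + 2 < len(t):
        if t[i] in ("source", "destination"):
            rule[t[i]] = (t[i + 1], t[i + 2])
            i += 3
        else:
            i += 1
    return rule


def evaluate(acl_lines, src, dst, proto="ip"):
    """(action, rule id) of the first match in ascending rule-id order, or
    ('permit', None) when nothing matches, as a VRP traffic-filter does."""
    rules = [parse_rule(ln) for ln in acl_lines if ln.strip().startswith("rule ")]
    for r in sorted(rules, key=lambda r: r["id"]):
        if r["proto"] not in ("ip", proto):
            continue  # an 'ip' rule covers every protocol
        if (wildcard_match(src, *r.get("source", ANY))
                and wildcard_match(dst, *r.get("destination", ANY))):
            return r["action"], r["id"]
    return "permit", None


ACL_3001 = [  # acl 3001 exactly as shown in the AR1 configuration on this page
    "acl number 3001",
    " rule 5 deny ip source 172.16.30.0 0.0.0.255 destination 200.0.0.0 0.0.0.255",
]

if __name__ == "__main__":
    for flow in (("172.16.30.7", "200.0.0.10"), ("172.16.30.7", "1.1.1.2")):
        print(flow, evaluate(ACL_3001, *flow))
```

The 1.1.1.2 check shows that the rule as written blocks only the 200.0.0.0/24 server subnet, not every external destination.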

Full configurations

(As captured, these dumps cover the VLANs, MSTP, VRRP, OSPF and acl 3001. AR1 contains no NAT statements, so the NAT requirement from the overview is not present in them, and the switches keep the default admin account with a plaintext password in "local-user admin password simple admin".)

SW1


[SW1]dis current-configuration 
#
sysname SW1
#
vlan batch 10 to 11 20 30 40
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name HHH
 revision-level 1
 instance 1 vlan 10 30
 instance 2 vlan 20 40
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return

SW2

[SW2]dis current-configuration 
#
sysname SW2
#
vlan batch 10 to 11 20 30 40
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name HHH
 revision-level 1
 instance 1 vlan 10 30
 instance 2 vlan 20 40
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 40
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return

SW3

[SW3]dis current-configuration 
#
sysname SW3
#
vlan batch 10 to 11 20 30 40
#
stp instance 1 root primary
stp instance 2 root secondary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name HHH
 revision-level 1
 instance 1 vlan 10 30
 instance 2 vlan 20 40
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 172.16.10.10 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.10.254
 vrrp vrid 10 priority 120
 vrrp vrid 10 track interface GigabitEthernet0/0/1 reduced 40
#
interface Vlanif11
 ip address 1.1.1.1 255.255.255.252
#
interface Vlanif20
 ip address 172.16.20.10 255.255.255.0
 vrrp vrid 20 virtual-ip 172.16.20.254
#
interface Vlanif30
 ip address 172.16.30.10 255.255.255.0
 vrrp vrid 30 virtual-ip 172.16.30.254
 vrrp vrid 30 priority 120
 vrrp vrid 30 track interface GigabitEthernet0/0/1 reduced 40
#
interface Vlanif40
 ip address 172.16.40.10 255.255.255.0
 vrrp vrid 40 virtual-ip 172.16.40.254
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 11
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/22
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 0.0.0.0 255.255.255.255
#
user-interface con 0
user-interface vty 0 4
#
return

SW4

[SW4]dis current-configuration 
#
sysname SW4
#
vlan batch 10 to 11 20 30 40
#
stp instance 1 root secondary
stp instance 2 root primary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name HHH
 revision-level 1
 instance 1 vlan 10 30
 instance 2 vlan 20 40
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 172.16.10.20 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.10.254
#
interface Vlanif11
 ip address 1.1.1.6 255.255.255.252
#
interface Vlanif20
 ip address 172.16.20.20 255.255.255.0
 vrrp vrid 20 virtual-ip 172.16.20.254
 vrrp vrid 20 priority 120
 vrrp vrid 20 track interface GigabitEthernet0/0/1 reduced 40
#
interface Vlanif30
 ip address 172.16.30.20 255.255.255.0
 vrrp vrid 30 virtual-ip 172.16.30.254
#
interface Vlanif40
 ip address 172.16.40.20 255.255.255.0
 vrrp vrid 40 virtual-ip 172.16.40.254
 vrrp vrid 40 priority 120
 vrrp vrid 40 track interface GigabitEthernet0/0/1 reduced 40
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 11
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/22
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 10 to 11 20 30 40
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 0.0.0.0 255.255.255.255
#
user-interface con 0
user-interface vty 0 4
#
return

AR1

[AR1]dis current-configuration 
[V200R003C00]
#
 sysname AR1
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
acl number 2001  
#
acl number 3001  
 rule 5 deny ip source 172.16.30.0 0.0.0.255 destination 200.0.0.0 0.0.0.255 
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 1.1.1.2 255.255.255.252 
 traffic-filter inbound acl 3001
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.5 255.255.255.252 
 traffic-filter inbound acl 3001
#
interface GigabitEthernet0/0/2
 ip address 200.0.0.1 255.255.255.252 
#
interface NULL0
#
ospf 1 
 area 0.0.0.0 
  network 0.0.0.0 255.255.255.255 
  network 1.1.1.0 0.0.0.255 
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

AR2

[AR2]dis current-configuration 
[V200R003C00]
#
 sysname AR2
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 200.0.0.254 255.255.255.0 
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
 ip address 200.0.0.2 255.255.255.252 
#
interface NULL0
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return


http://www.niftyadmin.cn/n/5797212.html
