H3C simulator basic networking comprehensive lab
Requirements:
1. For server security, the servers and the PCs must not be on the same network segment;
2. Sales department PCs must not access the finance and technical department servers;
3. PCs of the three departments must not access each other;
4. To prevent network viruses, finance department PCs must not access each other;
5. Staff of each department can access TCP port 80 (the business port) of their own department's server;
6. So that the technical department can maintain the servers, it can access remote-management ports such as 22 and 3389 on the servers;
7. All company staff reach the Internet through the public IP 125.88.56.33/24 assigned by China Telecom (gateway 125.88.56.1);
8. When the Telecom line fails, traffic automatically switches to the China Mobile line 222.12.12.12/24 (gateway 222.12.12.1);
9. For ease of management, all PCs obtain their IP addresses automatically; servers are configured manually;
10. The links between the access layer and the core layer need redundancy;
11. The sales department server must provide web service to public-network users;
12. The internal network segment assigned to this bureau by the provincial department is 10.10.111.0/24.
You are the company's network engineer: assign IP addresses to each department and to the servers, and implement the requirements above.
Network topology
Layer 2 communication
Subnet planning
Department 1: VLAN 10, gateway 10.10.111.1, subnet 10.10.111.0/27
Department 2: VLAN 20, gateway 10.10.111.33, subnet 10.10.111.32/27
Department 3: VLAN 30, gateway 10.10.111.65, subnet 10.10.111.64/27
Servers 1-3: VLAN 200, gateway 10.10.111.129, subnet 10.10.111.128/27
Egress router
Internal gateway: 10.10.111.97, subnet 10.10.111.96/27
Mobile WAN: IP 222.12.12.12/24, gateway 222.12.12.1
Telecom WAN: IP 125.88.56.33/24, gateway 125.88.56.1
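As an added example (not part of the original writeup), the following Python script derives the /27 plan above from 10.10.111.0/24: for each VLAN it computes the network address, the first usable address (used as the gateway, as the plan does), the host range left for DHCP, and the wildcard mask that the OSPF network and ACL rule commands need. The VLAN roles are the ones in the plan; the assumption that the VLANs take consecutive blocks in the listed order is mine. It also checks whether an address is assignable at all, which catches the common mistake of putting a block's network address on an interface.

```python
"""Subnet plan for the lab, as an added example (not part of the original writeup).

Carves 10.10.111.0/24 into /27 blocks, one per VLAN, in the order the plan
lists them, and derives the values the H3C commands need: the interface
(gateway) address, the wildcard mask for OSPF 'network' and ACL rules, and
the host range left for DHCP. VLAN roles follow the plan; the block order is assumed.
"""
import ipaddress

# Assumed: VLANs take consecutive /27 blocks in this order, as in the plan.
VLAN_PLAN = [
    (10, "department 1"),
    (20, "department 2"),
    (30, "department 3"),
    (100, "core-to-router link"),
    (200, "servers 1-3"),
]


def plan(base: str = "10.10.111.0/24", prefix: int = 27) -> dict:
    """Map each VLAN to its block and the addresses derived from it."""
    blocks = ipaddress.ip_network(base).subnets(new_prefix=prefix)
    result = {}
    for (vlan, role), net in zip(VLAN_PLAN, blocks):
        hosts = list(net.hosts())            # usable addresses, excluding network and broadcast
        result[vlan] = {
            "role": role,
            "network": str(net.network_address),
            "prefix": net.prefixlen,
            "gateway": str(hosts[0]),        # first usable address, as the plan does
            "wildcard": str(net.hostmask),   # inverse mask used by OSPF and ACL commands
            "first_host": str(hosts[1]),     # DHCP range starts after the gateway
            "last_host": str(hosts[-1]),
            "broadcast": str(net.broadcast_address),
        }
    return result


def is_assignable(addr: str, network: str) -> bool:
    """True only for a usable host address: network and broadcast addresses are rejected."""
    net = ipaddress.ip_network(network, strict=False)
    ip = ipaddress.ip_address(addr)
    return ip in net and ip not in (net.network_address, net.broadcast_address)


def ospf_network_commands(p: dict) -> list:
    """The 'network <address> <wildcard>' lines an OSPF area would carry for these blocks."""
    return [f"network {v['network']} {v['wildcard']}" for v in p.values()]


if __name__ == "__main__":
    for vlan, v in plan().items():
        print(f"vlan {vlan:<4} {v['network']}/{v['prefix']}  gateway {v['gateway']}  "
              f"dhcp {v['first_host']}-{v['last_host']}  wildcard {v['wildcard']}")
    print("10.10.111.32 assignable in 10.10.111.32/27?",
          is_assignable("10.10.111.32", "10.10.111.32/27"))
```

Running it prints one line per VLAN; the wildcard 0.0.0.31 it derives for every /27 is the value used by all the OSPF network statements below, and the gateway column is what each Vlan-interface must carry.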
VLAN interface IP configuration
Core switch
[H3C]vlan 10
[H3C]int Vlan-interface 10
[H3C-Vlan-interface10]ip address 10.10.111.1 27
[H3C]vlan 20
[H3C]int Vlan-interface 20
# gateway address from the subnet plan; 10.10.111.32 is the network address of the block and cannot be assigned to an interface
[H3C-Vlan-interface20]ip address 10.10.111.33 27
[H3C]vlan 30
[H3C]int Vlan-interface 30
[H3C-Vlan-interface30]ip address 10.10.111.65 27
[H3C]vlan 100
[H3C]int Vlan-interface 100
# assumed: the plan gives 10.10.111.97 to the router, so the core takes another host address of 10.10.111.96/27
[H3C-Vlan-interface100]ip address 10.10.111.98 27
Access switch 4
[H3C]vlan 200
[H3C]int Vlan-interface 200
# gateway address from the subnet plan; the servers' default route points at it
[H3C-Vlan-interface200]ip address 10.10.111.129 27
Link aggregation and VLAN assignment
Core switch uplink port (to the egress router)
port link-type access
port access vlan 100
Core switch to access switch 1 uplink
[H3C]int Bridge-Aggregation 1
[H3C-Bridge-Aggregation1]quit
[H3C]int g 1/0/2
[H3C-GigabitEthernet1/0/2]port link-aggregation group 1
[H3C]int g 1/0/3
[H3C-GigabitEthernet1/0/3]port link-aggregation group 1
[H3C]int Bridge-Aggregation 1
[H3C-Bridge-Aggregation1]port link-type trunk
[H3C-Bridge-Aggregation1]port trunk permit vlan 10 20 30
Core switch to access switch 2 uplink
[H3C]int Bridge-Aggregation 2
[H3C-Bridge-Aggregation2]quit
[H3C]int g 1/0/4
[H3C-GigabitEthernet1/0/4]port link-aggregation group 2
[H3C]int g 1/0/5
[H3C-GigabitEthernet1/0/5]port link-aggregation group 2
[H3C]int Bridge-Aggregation 2
[H3C-Bridge-Aggregation2]port link-type trunk
[H3C-Bridge-Aggregation2]port trunk permit vlan 10 20 30
Access switch 4 downlink ports 0/0/1 to 0/0/3
port link-type access
port access vlan 200
Access switch 3 uplink port
[H3C-GigabitEthernet1/0/3]port link-type trunk
[H3C-GigabitEthernet1/0/3]port trunk permit vlan 10 20 30
Access switches 1-3 downlink ports
port link-type access
port access vlan 10
# access switch 1 uses vlan 10, access switch 2 vlan 20, access switch 3 vlan 30
Layer 3 communication
OSPF dynamic routing
Core switch
[H3C]ospf 1
[H3C-ospf-1]area 0
[H3C-ospf-1-area-0.0.0.0]network 10.10.111.0 0.0.0.31
[H3C-ospf-1-area-0.0.0.0]network 10.10.111.32 0.0.0.31
[H3C-ospf-1-area-0.0.0.0]network 10.10.111.64 0.0.0.31
[H3C-ospf-1-area-0.0.0.0]network 10.10.111.96 0.0.0.31
Access switch 4
[H3C]ospf 1
[H3C-ospf-1]area 0
[H3C-ospf-1-area-0.0.0.0]network 10.10.111.128 0.0.0.31
Egress router
[H3C]ospf 1
[H3C-ospf-1]area 0
[H3C-ospf-1-area-0.0.0.0]network 10.10.111.96 0.0.0.31
[H3C]ip route-static 0.0.0.0 0 125.88.56.1
# the Mobile route gets a worse preference (the default is 60) so it is used only when the Telecom route disappears; two equal routes would load-share instead of failing over
[H3C]ip route-static 0.0.0.0 0 222.12.12.1 preference 70
[H3C]ospf 1
[H3C-ospf-1]default-route-advertise
Servers 1-3
[H3C]ip route-static 0.0.0.0 0 10.10.111.129
DHCP automatic address assignment
Core switch
[H3C]dhcp enable
[H3C]dhcp server ip-pool 10
[H3C-dhcp-pool-10]gateway-list 10.10.111.1
[H3C-dhcp-pool-10]network 10.10.111.0 27
[H3C-dhcp-pool-10]expired day 1
[H3C]int Vlan-interface 10
[H3C-Vlan-interface10]dhcp server apply ip-pool 10
[H3C]dhcp server ip-pool 20
[H3C-dhcp-pool-20]gateway-list 10.10.111.33
[H3C-dhcp-pool-20]network 10.10.111.32 27
[H3C-dhcp-pool-20]expired day 1
[H3C]int Vlan-interface 20
[H3C-Vlan-interface20]dhcp server apply ip-pool 20
[H3C]dhcp server ip-pool 30
[H3C-dhcp-pool-30]gateway-list 10.10.111.65
[H3C-dhcp-pool-30]network 10.10.111.64 27
[H3C-dhcp-pool-30]expired day 1
[H3C]int Vlan-interface 30
[H3C-Vlan-interface30]dhcp server apply ip-pool 30
ACL access control
# the source of each ACL is the subnet of the access switch whose core uplink it filters; a rule with another department's subnet as source would never match that traffic
Department 1 ACL
[H3C]acl advanced 3100
[H3C-acl-ipv4-adv-3100]rule deny ip source 10.10.111.0 0.0.0.31 destination 10.10.111.131 0.0.0.0
[H3C-acl-ipv4-adv-3100]rule deny ip source 10.10.111.0 0.0.0.31 destination 10.10.111.132 0.0.0.0
[H3C-acl-ipv4-adv-3100]rule deny ip source 10.10.111.0 0.0.0.31 destination 10.10.111.32 0.0.0.31
[H3C-acl-ipv4-adv-3100]rule deny ip source 10.10.111.0 0.0.0.31 destination 10.10.111.64 0.0.0.31
[H3C]int g 1/0/2
[H3C-GigabitEthernet1/0/2]packet-filter 3100 inbound
[H3C]int g 1/0/3
[H3C-GigabitEthernet1/0/3]packet-filter 3100 inbound
Department 2 ACL
[H3C]acl advanced 3200
[H3C-acl-ipv4-adv-3200]rule deny ip source 10.10.111.32 0.0.0.31 destination 10.10.111.130 0.0.0.0
[H3C-acl-ipv4-adv-3200]rule deny ip source 10.10.111.32 0.0.0.31 destination 10.10.111.132 0.0.0.0
[H3C-acl-ipv4-adv-3200]rule deny ip source 10.10.111.32 0.0.0.31 destination 10.10.111.64 0.0.0.31
# the last rule matches VLAN 20 traffic addressed to its own subnet; it only takes effect for frames that cross the core
[H3C-acl-ipv4-adv-3200]rule deny ip source 10.10.111.32 0.0.0.31 destination 10.10.111.32 0.0.0.31
[H3C]int g 1/0/4
[H3C-GigabitEthernet1/0/4]packet-filter 3200 inbound
[H3C]int g 1/0/5
[H3C-GigabitEthernet1/0/5]packet-filter 3200 inbound
Department 3 ACL
[H3C]acl advanced 3300
[H3C-acl-ipv4-adv-3300]rule deny ip source 10.10.111.64 0.0.0.31 destination 10.10.111.130 0.0.0.0
[H3C-acl-ipv4-adv-3300]rule deny ip source 10.10.111.64 0.0.0.31 destination 10.10.111.131 0.0.0.0
[H3C]int g 1/0/6
[H3C-GigabitEthernet1/0/6]packet-filter 3300 inbound
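The ACLs above are the only place the requirement list is enforced, so it is worth checking them offline before loading them into the simulator. The following Python script is an added example, not part of the original writeup: it models H3C advanced ACL semantics (rules tried in configuration order, first match wins, packet-filter permits anything no rule matches), applies each ACL where the writeup applies it (inbound on the core ports facing that department's access switch), and walks through requirements 2, 3, 5 and 6. Its assumptions are mine: each ACL's source is its own department's subnet, department 1 is sales (its ACL is the one that denies the other two servers), the server VLAN's uplink carries no filter, and the PC addresses are constructed.

```python
"""Offline check of the three department ACLs against the lab's requirement list.

Added example, not part of the original writeup. Models H3C advanced ACL
semantics (rules tried in order, first match wins, packet-filter permits
anything no rule matches). Assumptions: each ACL's source is its own
department's subnet, department 1 is sales, and servers are not filtered.
"""
import ipaddress
from dataclasses import dataclass
from itertools import permutations
from typing import Optional


def h3c_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """H3C 'address wildcard' notation -> IPv4Network (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w & (w + 1)) != 0:
        raise ValueError("non-contiguous wildcard masks are not modelled")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, "tcp" only TCP
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # destination port, for tcp rules


def deny_ip(src, src_wc, dst, dst_wc) -> Rule:
    return Rule("deny", "ip", h3c_net(src, src_wc), h3c_net(dst, dst_wc))


DEPT_NET = {1: h3c_net("10.10.111.0", "0.0.0.31"),
            2: h3c_net("10.10.111.32", "0.0.0.31"),
            3: h3c_net("10.10.111.64", "0.0.0.31")}
SERVER = {1: "10.10.111.130", 2: "10.10.111.131", 3: "10.10.111.132"}

# ACLs 3100, 3200 and 3300 from the writeup, keyed on their own department's subnet.
ACL = {
    1: [deny_ip("10.10.111.0", "0.0.0.31", "10.10.111.131", "0.0.0.0"),
        deny_ip("10.10.111.0", "0.0.0.31", "10.10.111.132", "0.0.0.0"),
        deny_ip("10.10.111.0", "0.0.0.31", "10.10.111.32", "0.0.0.31"),
        deny_ip("10.10.111.0", "0.0.0.31", "10.10.111.64", "0.0.0.31")],
    2: [deny_ip("10.10.111.32", "0.0.0.31", "10.10.111.130", "0.0.0.0"),
        deny_ip("10.10.111.32", "0.0.0.31", "10.10.111.132", "0.0.0.0"),
        deny_ip("10.10.111.32", "0.0.0.31", "10.10.111.64", "0.0.0.31"),
        deny_ip("10.10.111.32", "0.0.0.31", "10.10.111.32", "0.0.0.31")],
    3: [deny_ip("10.10.111.64", "0.0.0.31", "10.10.111.130", "0.0.0.0"),
        deny_ip("10.10.111.64", "0.0.0.31", "10.10.111.131", "0.0.0.0")],
}


def evaluate(rules, src, dst, proto="ip", dport=None) -> str:
    """First matching rule decides; an unmatched packet is permitted."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "permit"


def ingress_acl(ip):
    """ACL on the core port where traffic from this address enters; none for servers."""
    ip = ipaddress.ip_address(ip)
    for dept, n in DEPT_NET.items():
        if ip in n:
            return ACL[dept]
    return []


def session_allowed(client, server, proto="ip", dport=None) -> bool:
    """Stateless filters see both directions: the request must pass the client's
    ingress ACL and the reply must pass the server's ingress ACL."""
    forward = evaluate(ingress_acl(client), client, server, proto, dport)
    reply = evaluate(ingress_acl(server), server, client, proto)
    return forward == "permit" and reply == "permit"


def sample_host(dept) -> str:
    """A constructed PC address inside the department's subnet."""
    return str(list(DEPT_NET[dept].hosts())[5])


def check_policy() -> dict:
    sales = 1
    return {
        # requirement 2: sales must not reach the other departments' servers
        "sales_blocked_from_other_servers": all(
            not session_allowed(sample_host(sales), SERVER[d]) for d in (2, 3)),
        # requirement 3: PCs of different departments must not reach each other
        "departments_isolated": all(
            not session_allowed(sample_host(a), sample_host(b))
            for a, b in permutations(DEPT_NET, 2)),
        # requirement 5: each department reaches its own server on TCP 80
        "own_server_web_ok": all(
            session_allowed(sample_host(d), SERVER[d], "tcp", 80) for d in DEPT_NET),
        # requirement 6: departments that can reach TCP 22 on every server
        "depts_with_ssh_to_all_servers": [
            d for d in DEPT_NET
            if all(session_allowed(sample_host(d), s, "tcp", 22) for s in SERVER.values())],
    }


if __name__ == "__main__":
    for name, value in check_policy().items():
        print(f"{name}: {value}")
```

Two things the output makes visible. Department isolation holds for department 2 and 3 only because the reply is dropped by ACL 3100 or 3200 on the way back, not because their own ACL blocks the request; a forward-direction deny toward 10.10.111.0/27 in 3200 and 3300 would make the rule set symmetric. And the last key is empty: whichever department is the technical one, no rule lets it reach port 22 on all three servers, because every ACL denies whole servers with `deny ip`; requirement 6 needs port-specific `permit tcp` rules for the technical department ordered ahead of those denies.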
NAT address translation
Egress router
[H3C]acl advanced 3000
[H3C-acl-ipv4-adv-3000]rule permit ip source 10.10.111.0 0.0.0.255
[H3C]nat address-group 10
[H3C-address-group-10]address 125.88.56.33 125.88.56.33
[H3C]int g0/0
[H3C-GigabitEthernet0/0]nat outbound 3000 address-group 10
[H3C]nat address-group 20
[H3C-address-group-20]address 222.12.12.12 222.12.12.12
[H3C]int g0/1
[H3C-GigabitEthernet0/1]nat outbound 3000 address-group 20
Port mapping
Egress router
# the global address must be the router's own public address on this link; 222.12.12.1 is the carrier's gateway
[H3C-GigabitEthernet0/1]nat server protocol tcp global 222.12.12.12 8080 inside 10.10.111.130 80
Telnet remote login
[H3C-GigabitEthernet0/0]ip address 192.168.10.2 255.255.255.0
[H3C]user-interface vty 0 1
[H3C-line-vty0-1]user-role level-3
[H3C-line-vty0-1]authentication-mode scheme
[H3C]local-user ygf
[H3C-luser-manage-ygf]password simple 130377
[H3C-luser-manage-ygf]service-type telnet
# Telnet carries the login in cleartext; the SSH equivalents are "ssh server enable" and "service-type ssh" on the user
[H3C]telnet server enable