H3C simulator: beginner comprehensive network lab

Network planning

Department 1: Sales
Department 2: Finance
Department 3: Technology

Subnetting
Department 1: VLAN 10, gateway 10.10.111.1, subnet 10.10.111.0/27
Department 2: VLAN 20, gateway 10.10.111.33, subnet 10.10.111.32/27
Department 3: VLAN 30, gateway 10.10.111.65, subnet 10.10.111.64/27
Servers 1-3: VLAN 200, gateway 10.10.111.129, subnet 10.10.111.128/27
Exit router
Inside interface: 10.10.111.97, subnet 10.10.111.96/27 (VLAN 100 on the core switch, whose own interface is 10.10.111.98)
China Mobile line: IP 222.12.12.12/24, gateway 222.12.12.1
China Telecom line: IP 125.88.56.33/24, gateway 125.88.56.1

Requirements

1. For server security, server IPs and PCs must not share a subnet;
2. Each department may only access its own server, e.g. PCs in department 1 (sales) must not reach the finance or technology servers;
3. PCs of the three departments must not reach one another;
4. To contain network worms, finance-department PCs must not reach one another (port isolation);
5. Staff of each department can reach their own department's server on the business port TCP 80;
6. The technology department, to maintain the servers, can reach the servers' remote-administration ports such as 22 and 3389;
7. Everyone in the company reaches the internet through the public IP assigned by China Telecom, 125.88.56.33/24 (gateway 125.88.56.1);
8. When the Telecom line fails, traffic automatically switches to the China Mobile line, 222.12.12.12/24 (gateway 222.12.12.1);
9. For ease of management all PCs obtain addresses automatically; servers are addressed manually;
10. The links from the access layer to the core layer must be redundant;
11. The sales department's server provides web service to public users;
12. The internal address block assigned to this office by the provincial bureau is 10.10.111.0/24.
You are the company's network engineer: assign addresses to each department and the servers and meet all of the requirements above.
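Added example (Python, not part of the original lab): a check of the address plan above against requirements 1 and 12, which also derives the inverse masks that the OSPF and ACL statements later in this lab use and the address range each department's DHCP pool can hand out. The plan entries are taken from the lab; the VLAN 100 entry comes from the core switch and router configuration further down; the function names are mine.

```python
import ipaddress

# The plan as stated in the lab, VLAN -> (gateway, prefix). VLAN 100 is the
# core-to-router link (the core's own interface is .98, the router's .97).
PLAN = {
    10:  ("10.10.111.1",   "10.10.111.0/27"),    # sales PCs
    20:  ("10.10.111.33",  "10.10.111.32/27"),   # finance PCs
    30:  ("10.10.111.65",  "10.10.111.64/27"),   # technology PCs
    100: ("10.10.111.97",  "10.10.111.96/27"),   # core <-> exit router
    200: ("10.10.111.129", "10.10.111.128/27"),  # servers
}
SITE = ipaddress.ip_network("10.10.111.0/24")   # requirement 12
PC_VLANS = (10, 20, 30)                          # the VLANs that get DHCP pools


def check_plan(plan=PLAN, site=SITE):
    """Problems with the plan; an empty list means it is consistent.

    Checks: every prefix fits inside the assigned /24, every gateway is a usable
    host of its own prefix, and no two prefixes overlap (requirement 1 is the
    server/PC case of that last check)."""
    problems, nets = [], {}
    for vlan, (gw, cidr) in plan.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(site):
            problems.append(f"vlan {vlan}: {net} is outside {site}")
        if ipaddress.ip_address(gw) not in net.hosts():
            problems.append(f"vlan {vlan}: gateway {gw} is not a usable host in {net}")
        nets[vlan] = net
    vlans = sorted(nets)
    for i, a in enumerate(vlans):
        for b in vlans[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"vlan {a} and vlan {b} overlap")
    return problems


def wildcard(cidr):
    """Network address and inverse mask as OSPF and ACL rules want them,
    e.g. '10.10.111.0/27' -> ('10.10.111.0', '0.0.0.31')."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.hostmask)


def ospf_networks(plan=PLAN):
    """One OSPF `network` statement per VLAN interface on the core switch."""
    return [f"network {addr} {mask}"
            for addr, mask in (wildcard(c) for _, c in plan.values())]


def dhcp_range(vlan, plan=PLAN):
    """First and last address a pool for this VLAN can hand out, and how many,
    with the gateway excluded."""
    gw, cidr = plan[vlan]
    hosts = [h for h in ipaddress.ip_network(cidr).hosts() if str(h) != gw]
    return str(hosts[0]), str(hosts[-1]), len(hosts)


if __name__ == "__main__":
    print(check_plan() or "plan OK")
    print("\n".join(ospf_networks()))
    for v in PC_VLANS:
        print("vlan", v, "DHCP range:", dhcp_range(v))
```

Run it once before typing the configuration: an overlap or a gateway outside its own prefix shows up here as a one-line message instead of as an OSPF adjacency that never forms or a DHCP pool that hands out the gateway's address.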

Topology

(topology diagram not reproduced here)

Configuration

Layer 2 connectivity

Core switch
[H3C]vlan 10
[H3C]int Vlan-interface 10
[H3C-Vlan-interface10]ip address 10.10.111.1 27
[H3C]vlan 20
[H3C]int Vlan-interface 20
[H3C-Vlan-interface20]ip address 10.10.111.33 27
[H3C]vlan 30
[H3C]int Vlan-interface 30
[H3C-Vlan-interface30]ip address 10.10.111.65 27
[H3C]vlan 100
[H3C]int Vlan-interface 100
[H3C-Vlan-interface100]ip address 10.10.111.98 27
[H3C]vlan 200
[H3C]int Vlan-interface 200
[H3C-Vlan-interface200]ip address 10.10.111.129 27

Link aggregation and VLAN assignment
Core switch uplink to the exit router
[H3C]interface GigabitEthernet1/0/1
[H3C-GigabitEthernet1/0/1]port link-type access
[H3C-GigabitEthernet1/0/1]port access vlan 100

Core switch to access switch 1 (aggregated uplink, requirement 10)
[H3C]int Bridge-Aggregation 1
[H3C-Bridge-Aggregation1]quit
[H3C]int g 1/0/2
[H3C-GigabitEthernet1/0/2]port link-aggregation group 1
[H3C]int g 1/0/3
[H3C-GigabitEthernet1/0/3]port link-aggregation group 1
[H3C]int Bridge-Aggregation 1
[H3C-Bridge-Aggregation1]port link-type trunk
[H3C-Bridge-Aggregation1]port trunk permit vlan 10 20 30
Core switch to access switch 2 (aggregated uplink)
[H3C]int Bridge-Aggregation 2
[H3C-Bridge-Aggregation2]quit
[H3C]int g 1/0/4
[H3C-GigabitEthernet1/0/4]port link-aggregation group 2
[H3C]int g 1/0/5
[H3C-GigabitEthernet1/0/5]port link-aggregation group 2
[H3C]int Bridge-Aggregation 2
[H3C-Bridge-Aggregation2]port link-type trunk
[H3C-Bridge-Aggregation2]port trunk permit vlan 10 20 30
The access-switch end of each aggregated link needs the same treatment: a Bridge-Aggregation with its two member ports, trunked for the same VLANs. Two independent trunk ports on the access switch do not pair with the core's aggregation group, and the second link is then a parallel path rather than a redundant member of one logical link.

Access switch 4 downlinks (servers)
[H3C]interface range gi1/0/2 to gi1/0/4
[H3C-if-range]port link-type access
[H3C-if-range]port access vlan 200

Access switch 3 uplinks
vlan 30
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1 10 20 30

interface GigabitEthernet1/0/2
port link-type access
port access vlan 30

[H3C-GigabitEthernet1/0/3]port link-type trunk
[H3C-GigabitEthernet1/0/3]port trunk permit vlan 10 20 30
A trunk only needs the VLANs the switch actually carries; permitting VLAN 1 on the uplink, as on GigabitEthernet1/0/1 above, adds nothing here.
Access switches 1-3 downlinks (one access port per PC, in VLAN 10, 20 or 30 according to the department)
port link-type access
port access vlan 10    (or 20 / 30 for the finance and technology switches)

Layer 3 connectivity

OSPF dynamic routing
Core switch (all five VLAN interfaces are announced; the only neighbour that forms is the exit router on the 10.10.111.96/27 link)
[H3C]ospf 1
[H3C-ospf-1]area 0
[H3C-ospf-1-area-0.0.0.0]network 10.10.111.0 0.0.0.31
[H3C-ospf-1-area-0.0.0.0]network 10.10.111.32 0.0.0.31
[H3C-ospf-1-area-0.0.0.0]network 10.10.111.64 0.0.0.31
[H3C-ospf-1-area-0.0.0.0]network 10.10.111.96 0.0.0.31
[H3C-ospf-1-area-0.0.0.0]network 10.10.111.128 0.0.0.31
The department and server VLAN interfaces only need to be announced, not to send hellos: a `silent-interface` entry for each of them in the OSPF view keeps a PC or server from ever becoming an OSPF neighbour of the core.
Access switch 4 (server switch, layer 2 only; the servers' gateway is Vlan-interface 200 on the core)
vlan 200
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1 200

interface GigabitEthernet1/0/2
port access vlan 200

interface GigabitEthernet1/0/3
port access vlan 200

interface GigabitEthernet1/0/4
port access vlan 200

Exit router
[H3C]ip route-static 0.0.0.0 0 125.88.56.1
[H3C]ip route-static 0.0.0.0 0 222.12.12.1
[H3C]ospf 1
[H3C-ospf-1]area 0
[H3C-ospf-1-area-0.0.0.0]network 10.10.111.96 0.0.0.31
[H3C-ospf-1-area-0.0.0.0]quit
[H3C-ospf-1]default-route-advertise
On requirement 8: two static default routes with the same (default) preference are both installed and load-share, which is not primary/backup behaviour. For the Mobile line to be used only when Telecom fails, the route via 222.12.12.1 needs a higher preference value than the Telecom route (the `preference` keyword of `ip route-static`). Since a failed ISP does not always take the physical interface down, withdrawal of the Telecom route should also be tied to reachability of 125.88.56.1 (NQA with Track) rather than to link state alone.
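As an added example (Python, not from the lab): a model of how the router chooses between the two default routes above, under the rule that static routes of equal preference are all installed and load-share, while a route with a higher preference value is used only when every better route is gone. The interface names g0/0 and g0/1, the preference value 70 and the `gateway_alive` flag (standing in for an NQA/Track probe) are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    next_hop: str
    interface: str
    preference: int = 60   # Comware default preference for static routes


def active_next_hops(routes, link_up, gateway_alive=None):
    """Next hops the router actually forwards to.

    A static route stays usable while its outgoing interface is up. Only when the
    route is tied to a reachability probe (NQA + Track) does a dead ISP gateway
    with the link still up withdraw it; `gateway_alive` models such a probe and
    is assumed True for any gateway it does not mention. Among the usable
    routes, the lowest preference value wins; more than one survivor means
    equal-cost load sharing, not primary/backup.
    """
    gateway_alive = gateway_alive or {}
    usable = [r for r in routes
              if link_up.get(r.interface, False) and gateway_alive.get(r.next_hop, True)]
    if not usable:
        return []
    best = min(r.preference for r in usable)
    return [r.next_hop for r in usable if r.preference == best]


# As written in the lab: two default routes, both with the default preference.
PAGE_ROUTES = [StaticRoute("125.88.56.1", "g0/0"),
               StaticRoute("222.12.12.1", "g0/1")]
# Backup style (assumed values): the Mobile route carries a worse preference.
BACKUP_ROUTES = [StaticRoute("125.88.56.1", "g0/0"),
                 StaticRoute("222.12.12.1", "g0/1", preference=70)]

BOTH_UP = {"g0/0": True, "g0/1": True}

if __name__ == "__main__":
    print("lab config, both links up:       ", active_next_hops(PAGE_ROUTES, BOTH_UP))
    print("backup config, both links up:    ", active_next_hops(BACKUP_ROUTES, BOTH_UP))
    print("backup, Telecom link down:       ",
          active_next_hops(BACKUP_ROUTES, {"g0/0": False, "g0/1": True}))
    print("backup, Telecom gw dead, no probe:", active_next_hops(BACKUP_ROUTES, BOTH_UP))
    print("backup, Telecom gw dead, probed:  ",
          active_next_hops(BACKUP_ROUTES, BOTH_UP, {"125.88.56.1": False}))
```

The fourth case is the one that bites in practice: with the Telecom interface up but its gateway unreachable and no probe attached, the router keeps sending everything to 125.88.56.1 and the Mobile route never takes over.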

Servers 1-3 (static addressing, requirement 9)

[H3C]ip route-static 0.0.0.0 0 10.10.111.129
The servers are configured from the [H3C] prompt in this lab, so the default gateway is entered as a static default route toward the VLAN 200 interface of the core; on a real host it is simply the gateway field of the static IP configuration.

DHCP automatic addressing
Core switch
[H3C]dhcp enable
[H3C]dhcp server ip-pool 10
[H3C-dhcp-pool-10]gateway-list 10.10.111.1
[H3C-dhcp-pool-10]network 10.10.111.0 27
[H3C-dhcp-pool-10]expired day 1
[H3C]int Vlan-interface 10
[H3C-Vlan-interface10]dhcp server apply ip-pool 10
[H3C]dhcp server ip-pool 20
[H3C-dhcp-pool-20]gateway-list 10.10.111.33
[H3C-dhcp-pool-20]network 10.10.111.32 27
[H3C-dhcp-pool-20]expired day 1
[H3C]int Vlan-interface 20
[H3C-Vlan-interface20]dhcp server apply ip-pool 20
[H3C]dhcp server ip-pool 30
[H3C-dhcp-pool-30]gateway-list 10.10.111.65
[H3C-dhcp-pool-30]network 10.10.111.64 27
[H3C-dhcp-pool-30]expired day 1
[H3C]int Vlan-interface 30
[H3C-Vlan-interface30]dhcp server apply ip-pool 30
Servers keep static addresses (requirement 9), so VLAN 200 gets no pool. Nothing here stops a PC from answering DHCP requests in its own VLAN; on real hardware, DHCP snooping on the access switches with only the uplinks trusted closes that gap.

Packet filters (ACLs) on the core switch
Each department's ACL is applied inbound on that department's VLAN interface, so it sees every packet the department's PCs send to another subnet and nothing they exchange within their own VLAN (which is why requirement 4 needs port isolation instead). A packet that matches no rule is permitted, the packet-filter default; the deny-only ACLs below rely on that default for own-server and internet traffic.
Department 1 (sales) ACL
[H3C]acl advanced 3100
[H3C-acl-ipv4-adv-3100]rule deny ip source 10.10.111.0 0.0.0.31 destination 10.10.111.131 0.0.0.0
[H3C-acl-ipv4-adv-3100]rule deny ip source 10.10.111.0 0.0.0.31 destination 10.10.111.132 0.0.0.0
[H3C-acl-ipv4-adv-3100]rule deny ip source 10.10.111.0 0.0.0.31 destination 10.10.111.32 0.0.0.31
[H3C-acl-ipv4-adv-3100]rule deny ip source 10.10.111.0 0.0.0.31 destination 10.10.111.64 0.0.0.31
[H3C]interface Vlan-interface 10
[H3C-Vlan-interface10]packet-filter 3100 inbound

Department 2 (finance) ACL
[H3C]acl advanced 3200
[H3C-acl-ipv4-adv-3200]rule deny ip source 10.10.111.32 0.0.0.31 destination 10.10.111.130 0.0.0.0
[H3C-acl-ipv4-adv-3200]rule deny ip source 10.10.111.32 0.0.0.31 destination 10.10.111.132 0.0.0.0
[H3C-acl-ipv4-adv-3200]rule deny ip source 10.10.111.32 0.0.0.31 destination 10.10.111.0 0.0.0.31
[H3C-acl-ipv4-adv-3200]rule deny ip source 10.10.111.32 0.0.0.31 destination 10.10.111.64 0.0.0.31
[H3C]interface Vlan-interface 20
[H3C-Vlan-interface20]packet-filter 3200 inbound

Department 3 (technology) ACL
[H3C]acl advanced 3300
[H3C-acl-ipv4-adv-3300]rule deny ip source 10.10.111.64 0.0.0.31 destination 10.10.111.130 0.0.0.0
[H3C-acl-ipv4-adv-3300]rule deny ip source 10.10.111.64 0.0.0.31 destination 10.10.111.131 0.0.0.0
[H3C-acl-ipv4-adv-3300]rule deny ip source 10.10.111.64 0.0.0.31 destination 10.10.111.0 0.0.0.31
[H3C-acl-ipv4-adv-3300]rule deny ip source 10.10.111.64 0.0.0.31 destination 10.10.111.32 0.0.0.31
[H3C]interface Vlan-interface 30
[H3C-Vlan-interface30]packet-filter 3300 inbound

The server-to-department mapping implied by these denies is sales 10.10.111.130, finance 10.10.111.131, technology 10.10.111.132. Because only the other departments' servers are denied, each department still reaches every port of its own server, not just TCP 80 (requirement 5); to restrict it to port 80, permit tcp to the department's own server with destination-port eq 80 first and then deny ip to the whole 10.10.111.128/27 block.

A second version of ACL 3300, in running-configuration form, adds explicit permits for the technology department's maintenance ports (requirement 6):
acl advanced 3300
rule 1 permit tcp source 10.10.111.64 0.0.0.31 destination 10.10.111.130 0 destination-port eq 22
rule 2 permit tcp source 10.10.111.64 0.0.0.31 destination 10.10.111.130 0 destination-port eq www
rule 4 permit tcp source 10.10.111.64 0.0.0.31 destination 10.10.111.130 0 destination-port eq 3389
rule 5 deny ip source 10.10.111.64 0.0.0.31 destination 10.10.111.131 0
rule 10 deny ip source 10.10.111.64 0.0.0.31 destination 10.10.111.0 0.0.0.31
rule 15 deny ip source 10.10.111.64 0.0.0.31 destination 10.10.111.32 0.0.0.31
As written, the three permits only name 10.10.111.130 and no later rule denies .130 or .132, so with the default permit the technology PCs still reach every port of both servers and the permit rules change nothing. A permit only has an effect when a broader deny follows it: permit 22 and 3389 to 10.10.111.128/27, permit 80 to the department's own server, then deny ip to 10.10.111.128/27.
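Added example (Python, not part of the lab): a first-match evaluator with the packet-filter semantics described above (first matching rule decides, no match means permit), used to check the lab's ACL 3100 and second ACL 3300 against the flows the requirements name, next to tightened versions of both. The `Rule`, `FLOWS` and `report` names are mine; the two `*_TIGHT` ACLs are hypothetical rewrites, not configuration from the lab; 203.0.113.10 and 10.10.111.40 are constructed addresses standing in for an internet host and a finance PC.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol) or "tcp"
    src: str                     # source prefix or host
    dst: str                     # destination prefix or host
    dport: Optional[int] = None  # TCP destination port, None = any


# Addresses from the lab plan. Which server belongs to which department is read
# off the lab's deny rules: sales .130, finance .131, technology .132.
SALES, FIN, TECH = "10.10.111.0/27", "10.10.111.32/27", "10.10.111.64/27"
SRV_SALES, SRV_FIN, SRV_TECH = "10.10.111.130", "10.10.111.131", "10.10.111.132"
SERVERS = "10.10.111.128/27"


def matches(rule, src, dst, proto, dport):
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(acl, src, dst, proto="tcp", dport=None):
    """packet-filter semantics: the first matching rule decides; no match means permit."""
    for rule in acl:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "permit"


# ACL 3100 as written in the lab: deny-only.
ACL_3100_PAGE = [
    Rule("deny", "ip", SALES, SRV_FIN),
    Rule("deny", "ip", SALES, SRV_TECH),
    Rule("deny", "ip", SALES, FIN),
    Rule("deny", "ip", SALES, TECH),
]
# The lab's second ACL 3300: permits for .130, then denies that never cover .130 or .132.
ACL_3300_PAGE = [
    Rule("permit", "tcp", TECH, SRV_SALES, 22),
    Rule("permit", "tcp", TECH, SRV_SALES, 80),
    Rule("permit", "tcp", TECH, SRV_SALES, 3389),
    Rule("deny", "ip", TECH, SRV_FIN),
    Rule("deny", "ip", TECH, SALES),
    Rule("deny", "ip", TECH, FIN),
]
# Tightened versions (hypothetical, not from the lab): permit exactly what the
# requirements name, then deny the rest of the server block.
ACL_3100_TIGHT = [
    Rule("permit", "tcp", SALES, SRV_SALES, 80),  # requirement 5
    Rule("deny", "ip", SALES, SERVERS),           # requirement 2
    Rule("deny", "ip", SALES, FIN),               # requirement 3
    Rule("deny", "ip", SALES, TECH),
]
ACL_3300_TIGHT = [
    Rule("permit", "tcp", TECH, SERVERS, 22),     # requirement 6
    Rule("permit", "tcp", TECH, SERVERS, 3389),
    Rule("permit", "tcp", TECH, SRV_TECH, 80),    # requirement 5
    Rule("deny", "ip", TECH, SERVERS),            # requirement 2
    Rule("deny", "ip", TECH, SALES),              # requirement 3
    Rule("deny", "ip", TECH, FIN),
]

# Flows the requirement list talks about; 203.0.113.10 stands in for the internet.
FLOWS = {
    "sales-srv:80":  (SRV_SALES, "tcp", 80),
    "sales-srv:22":  (SRV_SALES, "tcp", 22),
    "fin-srv:80":    (SRV_FIN, "tcp", 80),
    "tech-srv:80":   (SRV_TECH, "tcp", 80),
    "tech-srv:3389": (SRV_TECH, "tcp", 3389),
    "fin-pc:icmp":   ("10.10.111.40", "icmp", None),
    "internet:443":  ("203.0.113.10", "tcp", 443),
}


def report(acl, pc):
    """Decision for each flow when the PC at `pc` sends it through `acl`."""
    return {name: evaluate(acl, pc, dst, proto, port)
            for name, (dst, proto, port) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl, pc in [("3100 as on page", ACL_3100_PAGE, "10.10.111.5"),
                           ("3100 tightened", ACL_3100_TIGHT, "10.10.111.5"),
                           ("3300 as on page", ACL_3300_PAGE, "10.10.111.70"),
                           ("3300 tightened", ACL_3300_TIGHT, "10.10.111.70")]:
        print(label, report(acl, pc))
```

The two "as on page" reports show the gaps described above: sales reaches port 22 of its own server, and technology reaches port 80 of 10.10.111.132 although no rule mentions that host. The tightened ACLs keep the department-to-department and internet decisions unchanged and only narrow the server block.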

NAT
Exit router
[H3C]acl advanced 3000
[H3C-acl-ipv4-adv-3000]rule permit ip source 10.10.111.0 0.0.0.255
[H3C]nat address-group 10
[H3C-address-group-10]address 125.88.56.33 125.88.56.33
[H3C]int g0/0
[H3C-GigabitEthernet0/0]nat outbound 3000 address-group 10
[H3C]nat address-group 20
[H3C-address-group-20]address 222.12.12.12 222.12.12.12
[H3C]int g0/1
[H3C-GigabitEthernet0/1]nat outbound 3000 address-group 20
ACL 3000 selects the inside sources that get translated; it covers exactly the 10.10.111.0/24 block of requirement 12, so any other source arriving on the inside interface would be forwarded with its private address untouched.

Port mapping (requirement 11)

Exit router, on the interface that carries the Mobile address (numbered g0/2 in this excerpt and g0/1 in the NAT section above; use whichever the topology actually assigns):
interface GigabitEthernet0/2
ip address 222.12.12.12 255.255.255.0
nat outbound 3000 (or: nat outbound 3000 address-group 20; the form without an address group translates to the interface's own address)
nat server protocol icmp global 222.12.12.11 inside 10.10.111.130
nat server protocol tcp global 222.12.12.12 8080 inside 10.10.111.130 80
The TCP mapping publishes the sales web server as 222.12.12.12:8080; the ICMP mapping uses a second global address, 222.12.12.11, for pinging the server from outside. Nothing on the core filters traffic coming from the internet toward VLAN 200 (the department ACLs sit on VLAN 10/20/30 inbound), so these two mappings are the only control over what outside users can reach on 10.10.111.130; keep them this narrow.

Remote login

Telnet access to the core switch
[H3C]telnet server enable
[H3C]local-user lgb
[H3C-luser-manage-lgb]password simple 123456
[H3C-luser-manage-lgb]service-type telnet
[H3C]user-interface vty 0 4
[H3C-line-vty0-4]user-role level-3
[H3C-line-vty0-4]authentication-mode scheme
Two caveats for anything beyond the simulator. Telnet carries the username and password in cleartext to a core switch whose VLAN interfaces every department can reach, so on real hardware an SSH server with `service-type ssh` on the local user replaces it, and "123456" is a placeholder, not a password. With `authentication-mode scheme` the logged-in user's role comes from the local-user account (`authorization-attribute user-role`), while the `user-role` set on the line applies to none and password authentication.

Port isolation

Port isolation on access switch 2 (requirement 4: finance PCs must not reach each other). Ports placed in the same isolation group are isolated from one another at layer 2; ports in different groups, or in no group, still communicate. In the configuration below GigabitEthernet1/0/3 is alone in group 1, so it is isolated from nothing, and only 1/0/4 and 1/0/5 are isolated from each other. To meet the requirement, every finance access port on the switch goes into a single group, with the uplink left out of it.
port-isolate group 1
port-isolate group 2

interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 20
combo enable fiber
port-isolate enable group 1

interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 20
combo enable fiber
port-isolate enable group 2

interface GigabitEthernet1/0/5
port access vlan 20
port-isolate enable group 2

H3C Cloud Lab does not implement port isolation, so in the simulator PC_3 and PC_4, and PC_5 and PC_6, still ping each other whatever the configuration says. On a physical switch, confirm the membership with `display port-isolate group`, then ping between two finance PCs on the same switch: the ping must fail while both PCs still reach their gateway through the uplink.
