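Background: The figure below simulates the network topology of a school. At the access layer the school network uses an S5130 access switch, on which the office network VLAN 2 and the student network VLAN 4 are defined. VLAN 2 and VLAN 4 connect to router A through the aggregation-layer switch E328B. E328B also carries VLAN 3, which holds a network management host, networkadmin = 192.168.30.12/24. Once routers A and B have learned routes through a routing protocol, the office network can reach the web server behind router B. To prevent hosts in the student network from accessing the important W
Note: This lab involves configuring network devices. If you do not have the relevant knowledge and skills, do not attempt it, to avoid irreversible damage.
- Restore the devices to their initial state. Run the following commands on each device: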
reset saved-configuration
reboot
- Create the VLANs and add interfaces. Run the following commands on the S5130:
system-view
vlan batch 2 4
interface gigabitethernet 0/0/10 to 0/0/15
port link-type access
port default vlan 2
interface gigabitethernet 0/0/16 to 0/0/20
port link-type access
port default vlan 4
Run the following commands on the E328B:
system-view
vlan batch 2 3 4
interface gigabitethernet 0/0/10 to 0/0/12
port link-type access
port default vlan 3
- Configure redundant links and spanning tree. Run the following commands on the S5130:
system-view
stp mode rstp
interface gigabitethernet 0/0/5
port link-type trunk
port trunk allow-pass vlan all
interface gigabitethernet 0/0/6
port link-type trunk
port trunk allow-pass vlan all
Run the following commands on the E328B:
system-view
stp mode rstp
interface gigabitethernet 0/0/5
port link-type trunk
port trunk allow-pass vlan all
interface gigabitethernet 0/0/6
port link-type trunk
port trunk allow-pass vlan all
- Interconnect E328B and RA. Run the following commands on the E328B:
system-view
interface vlanif 3
ip address 192.168.30.1 24
interface gigabitethernet 0/0/5
port link-type trunk
port trunk allow-pass vlan all
interface gigabitethernet 0/0/6
port link-type trunk
port trunk allow-pass vlan all
interface gigabitethernet 0/0/0
ip address 202.99.1.2 30
vrrp vrid 1 virtual-ip 202.99.1.1
Run the following commands on RA:
system-view
interface gigabitethernet 0/0/0
ip address 192.168.10.1 24
interface serial 0/0
ip address 202.99.1.1 30
- Inter-VLAN connectivity. Run the following commands on the E328B:
system-view
interface vlanif 2
ip address 192.168.20.1 24
interface vlanif 4
ip address 192.168.40.1 24
interface gigabitethernet 0/0/5
port link-type trunk
port trunk allow-pass vlan all
interface gigabitethernet 0/0/6
port link-type trunk
port trunk allow-pass vlan all
- Configure the PPPoE link. Run the following commands on RA:
system-view
interface serial 0/0
ppp chap user test
ppp chap password test123
Run the following commands on RB:
system-view
interface serial 0/0
ppp chap user test
ppp chap password test123
- Configure static routes. Run the following commands on RA:
system-view
ip route-static 0.0.0.0 0.0.0.0 202.99.1.2
Run the following commands on RB:
system-view
ip route-static 0.0.0.0 0.0.0.0 192.168.50.1
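- Configure the access list. The rule matches on a destination address, so it needs an advanced ACL (3000-3999) rather than a basic one (2000-2999), which matches on source only. Run the following commands on RA:
system-view
acl number 3000
rule 5 deny ip source 192.168.40.0 0.0.0.255 destination 65.154.12.8 0.0.0.0
rule 10 permit ip source any destination any
interface gigabitethernet 0/0/0
ip address 192.168.10.1 24
packet-filter 3000 inbound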
- Configure NAT. Run the following commands on RA:
system-view
nat enable
acl number 2001
rule 5 permit source 192.168.30.0 0.0.0.255
interface vlanif 3
nat outbound 2001 interface serial 0/0
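- Configure port mapping. The TCP port match needs an advanced ACL, numbered separately from the access list of the earlier step. Run the following commands on RA:
system-view
nat server protocol tcp global current-interface 80 inside 192.168.30.12 80
acl number 3001
rule 5 permit tcp source any destination 202.99.1.1 0 destination-port eq 80
interface serial 0/0
packet-filter 3001 inbound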
- Port security measures. Run the following commands on the S5130:
system-view
interface vlanif 2
mac-address learning disable
port-security enable
port-security max-mac-num 1
- Display the configuration results. Run the following commands on each device:
display current-configuration
display interface brief
display vlan
display stp
display ip routing-table
display acl all
display nat session all
display port-security
- Export the configuration file. Run the following command on each device:
save
Then back up the file to a secure location.
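
The access-list step relies on wildcard-mask matching and first-match ordering. The sketch below is an added example, not part of the original page: it evaluates the page's two rules offline and flags rules that an earlier rule makes unreachable. The host addresses, the MISORDERED variant, the lowest-rule-ID-first order and the `default="permit"` action for unmatched packets are assumptions made for the illustration.

```python
import ipaddress

def _field(tok, key):
    """(address, wildcard) as ints for the 'source' or 'destination' clause."""
    i = tok.index(key)
    if tok[i + 1] == "any":
        return (0, 0xFFFFFFFF)  # wildcard of all ones: every bit ignored
    return tuple(int(ipaddress.IPv4Address(x)) for x in tok[i + 1:i + 3])

def parse_acl(text):
    """Parse 'rule N permit|deny ip source .. destination ..' lines, sorted by rule ID."""
    rules = []
    for tok in (line.split() for line in text.splitlines()):
        if tok[:1] == ["rule"]:
            rules.append((int(tok[1]), tok[2], _field(tok, "source"), _field(tok, "destination")))
    return sorted(rules)  # assumption: config match order, lowest rule ID first

def _hit(field, ip):
    care = ~field[1] & 0xFFFFFFFF  # bits the wildcard mask does NOT ignore
    return (int(ipaddress.IPv4Address(ip)) & care) == (field[0] & care)

def evaluate(rules, src, dst, default="permit"):
    """First matching rule decides; 'default' (an assumption) applies when none match."""
    for rid, action, s, d in rules:
        if _hit(s, src) and _hit(d, dst):
            return action, rid
    return default, None

def _covers(a, b):
    """True if clause a matches every address that clause b matches."""
    care = ~a[1] & 0xFFFFFFFF
    return (b[1] & care) == 0 and (a[0] & care) == (b[0] & care)

def shadowed(rules):
    """IDs of rules that can never match because one earlier rule covers them."""
    return [rid for i, (rid, _, s, d) in enumerate(rules)
            if any(_covers(ps, s) and _covers(pd, d) for _, _, ps, pd in rules[:i])]

# The two rules from the access-list step of the page.
PAGE_ACL = ("rule 5 deny ip source 192.168.40.0 0.0.0.255 destination 65.154.12.8 0.0.0.0\n"
            "rule 10 permit ip source any destination any\n")
# Constructed variant: the same deny entered with a higher ID than the permit-any.
MISORDERED = ("rule 10 permit ip source any destination any\n"
              "rule 15 deny ip source 192.168.40.0 0.0.0.255 destination 65.154.12.8 0.0.0.0\n")

if __name__ == "__main__":
    for acl in (PAGE_ACL, MISORDERED):
        print(evaluate(parse_acl(acl), "192.168.40.23", "65.154.12.8"), shadowed(parse_acl(acl)))
```

In the misordered variant the student host is permitted by rule 10 and rule 15 is reported as shadowed, which is the condition to look for in the `display acl all` output.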