Cyber_Security_Notes/B. 第二阶段/拓扑练习/0903_项目实战B - 内网优化.md

2024-09-03 15:53:00 +08:00
# Hands-on Project - Intranet Optimization
![image-20240903155919145](https://picgo-noriu.oss-cn-beijing.aliyuncs.com/Images/image-20240903155919145.png)
- **Requirements**
  - Every department uses gateway redundancy to enhance gateway stability and redundancy
  - There are many redundant links between the switches; loops must be prevented and link utilization improved, and hosts in each department must use the optimal forwarding path when reaching other hosts
  - VLAN 30 hosts communicate with the DHCP server through SW6 to obtain IP addresses, so SW6 is also a DHCP relay
### 1. IP, VLAN, Routing
- **PC**
- **SW1**
```
[SW1]vlan 10
[SW1-vlan10]quit
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 10
[SW1-GigabitEthernet0/0/1]quit
[SW1]port-group group-member g0/0/2 g0/0/3
[SW1-port-group]port link-type trunk
[SW1-port-group]port trunk allow-pass vlan all
```
- **SW2**
```
[SW2]vlan 20
[SW2-vlan20]quit
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access
[SW2-GigabitEthernet0/0/1]port default vlan 20
[SW2-GigabitEthernet0/0/1]quit
[SW2]port-group group-member g0/0/2 g0/0/3
[SW2-port-group]port link-type trunk
[SW2-port-group]port trunk allow-pass vlan all
```
- **SW3**
```
[SW3]vlan 30
[SW3-vlan30]quit
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]quit
[SW3]port-group group-member g0/0/2 g0/0/3
[SW3-port-group]port link-type trunk
[SW3-port-group]port trunk allow-pass vlan all
```
- **SW5**
```
[SW5]vlan batch 10 20 30 50
[SW5]port-group group-member g0/0/1 to g0/0/3 g0/0/6
[SW5-port-group]port link-type trunk
[SW5-port-group]port trunk allow-pass vlan all
[SW5-port-group]quit
[SW5]int g0/0/5
[SW5-GigabitEthernet0/0/5]port link-type access
[SW5-GigabitEthernet0/0/5]port default vlan 50
[SW5-GigabitEthernet0/0/5]quit
[SW5]int Vlanif 50
[SW5-Vlanif50]ip add 192.168.50.251 24
[SW5-Vlanif50]int Vlanif 10
[SW5-Vlanif10]ip add 192.168.10.251 24
[SW5-Vlanif10]int Vlanif 20
[SW5-Vlanif20]ip add 192.168.20.251 24
[SW5-Vlanif20]int Vlanif 30
[SW5-Vlanif30]ip add 192.168.30.251 24
```
- **SW6**
```
[SW6]vlan batch 10 20 30 50
[SW6]port-group group-member g0/0/1 to g0/0/3 g0/0/6
[SW6-port-group]port link-type trunk
[SW6-port-group]port trunk allow-pass vlan all
[SW6-port-group]quit
[SW6]int Vlanif 10
[SW6-Vlanif10]ip add 192.168.10.252 24
[SW6-Vlanif10]int Vlanif 20
[SW6-Vlanif20]ip add 192.168.20.252 24
[SW6-Vlanif20]int Vlanif 30
[SW6-Vlanif30]ip add 192.168.30.252 24
[SW6-Vlanif30]int Vlanif 50
[SW6-Vlanif50]ip add 192.168.50.252 24
```
- **AR3 - DHCP**
```
[AR3-DHCP]int g0/0/0
[AR3-DHCP-GigabitEthernet0/0/0]ip add 192.168.50.1 24
[AR3-DHCP-GigabitEthernet0/0/0]quit
[AR3-DHCP]ip route-static 0.0.0.0 0 192.168.50.251
```
### 2. VRRP
- **SW5**
```
[SW5]int Vlanif 10
[SW5-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW5-Vlanif10]vrrp vrid 10 priority 130
[SW5-Vlanif10]quit
[SW5]int Vlanif 20
[SW5-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW5-Vlanif20]vrrp vrid 20 priority 130
[SW5-Vlanif20]quit
[SW5]int Vlanif 30
[SW5-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
```
- **SW6**
```
[SW6]int Vlanif 10
[SW6-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW6-Vlanif10]int Vlanif 20
[SW6-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW6-Vlanif20]int Vlanif 30
[SW6-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW6-Vlanif30]vrrp vrid 30 priority 130
```
### 3. MSTP
- **Configure MSTP identically on SW1/SW2/SW3/SW5/SW6**
```
[SW1]stp region-configuration
[SW1-mst-region]region-name ntd2407
[SW1-mst-region]instance 5 vlan 50
[SW1-mst-region]instance 10 vlan 10
[SW1-mst-region]instance 20 vlan 20
[SW1-mst-region]instance 30 vlan 30
[SW1-mst-region]active region-configuration
```
- **HX_SW5 is the primary root for instances 10 and 20**
```
[SW5]stp instance 5 priority 8192
[SW5]stp instance 10 priority 4096
[SW5]stp instance 20 priority 4096
[SW5]stp instance 30 priority 8192
```
- **HX_SW6 is the primary root for instances 30 and 5**
```
[SW6]stp instance 5 priority 4096
[SW6]stp instance 10 priority 8192
[SW6]stp instance 20 priority 8192
[SW6]stp instance 30 priority 4096
```
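The VRRP and MSTP sections above only work as intended when, for each VLAN, the switch that wins the VRRP election is also the root of the MSTP instance carrying that VLAN; otherwise a host's frames cross to the other core switch before reaching the gateway, which is exactly the suboptimal path the requirements rule out. The following Python check is an added example for these notes, not configuration or code from the lab: it parses the SW5/SW6 lines from sections 2 and 3 (SW6's priorities follow the heading's intent, root for instances 5 and 30) and reports the VRRP master and MSTP root per VLAN. Assumptions: Huawei defaults of VRRP priority 100 and bridge priority 32768, and the instance-to-VLAN mapping from the shared region configuration.

```python
"""VRRP master vs. MSTP root alignment check (added example, not lab code)."""
import re

VRRP_DEFAULT_PRIORITY = 100    # Huawei default when `vrrp vrid N priority` is absent
STP_DEFAULT_PRIORITY = 32768   # Huawei default per-instance bridge priority

# Copied from the notes' SW5 and SW6 snippets (VRRP section + MSTP priorities).
CONFIGS = {
    "SW5": """
[SW5-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW5-Vlanif10]vrrp vrid 10 priority 130
[SW5-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW5-Vlanif20]vrrp vrid 20 priority 130
[SW5-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW5]stp instance 5 priority 8192
[SW5]stp instance 10 priority 4096
[SW5]stp instance 20 priority 4096
[SW5]stp instance 30 priority 8192
""",
    "SW6": """
[SW6-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW6-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW6-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW6-Vlanif30]vrrp vrid 30 priority 130
[SW6]stp instance 5 priority 4096
[SW6]stp instance 10 priority 8192
[SW6]stp instance 20 priority 8192
[SW6]stp instance 30 priority 4096
""",
}

# instance -> VLAN, from the `stp region-configuration` block shared by all switches
INSTANCE_VLANS = {5: 50, 10: 10, 20: 20, 30: 30}

VRRP_RE = re.compile(r"^\[\w+-Vlanif(\d+)\]vrrp vrid \d+ (virtual-ip \S+|priority (\d+))$")
STP_RE = re.compile(r"^\[\w+\]stp instance (\d+) priority (\d+)$")


def parse(config):
    """Return ({vlan: vrrp_priority}, {instance: bridge_priority}) for one switch."""
    vrrp, stp = {}, {}
    for line in config.strip().splitlines():
        m = VRRP_RE.match(line)
        if m:
            vlan = int(m.group(1))
            vrrp.setdefault(vlan, VRRP_DEFAULT_PRIORITY)   # the virtual-ip line creates the group
            if m.group(3):                                 # explicit priority overrides the default
                vrrp[vlan] = int(m.group(3))
            continue
        m = STP_RE.match(line)
        if m:
            stp[int(m.group(1))] = int(m.group(2))
    return vrrp, stp


def _unique_extreme(scores, pick):
    """Name holding the winning score, or None when the winner is not unique
    (a real tie falls to interface IP / bridge MAC, which this check does not model)."""
    if not scores:
        return None
    best = pick(scores.values())
    winners = [name for name, score in scores.items() if score == best]
    return winners[0] if len(winners) == 1 else None


def vrrp_master(parsed, vlan):
    """Highest VRRP priority among the switches that run VRRP on this VLAN."""
    return _unique_extreme({sw: v[vlan] for sw, (v, _) in parsed.items() if vlan in v}, max)


def stp_root(parsed, instance):
    """Lowest bridge priority; switches without an explicit value use the default."""
    return _unique_extreme(
        {sw: s.get(instance, STP_DEFAULT_PRIORITY) for sw, (_, s) in parsed.items()}, min)


def audit(configs, instance_vlans):
    """Map VLAN -> (vrrp_master, stp_root, status)."""
    parsed = {sw: parse(cfg) for sw, cfg in configs.items()}
    result = {}
    for instance, vlan in instance_vlans.items():
        master, root = vrrp_master(parsed, vlan), stp_root(parsed, instance)
        if master is None:
            runs_vrrp = any(vlan in v for v, _ in parsed.values())
            status = "vrrp-tie" if runs_vrrp else "no-vrrp"
        elif root is None:
            status = "stp-tie"
        else:
            status = "aligned" if master == root else "misaligned"
        result[vlan] = (master, root, status)
    return result


if __name__ == "__main__":
    for vlan, (master, root, status) in sorted(audit(CONFIGS, INSTANCE_VLANS).items()):
        print(f"VLAN {vlan:>2}: VRRP master={master} MSTP root={root} -> {status}")
```

For the notes' configuration, VLANs 10 and 20 report SW5/SW5 and VLAN 30 reports SW6/SW6, all `aligned`. VLAN 50 reports `no-vrrp`: the notes configure no VRRP group on Vlanif 50, and AR3's default route points at SW5's real address 192.168.50.251, so the server VLAN's gateway has no redundancy. Deleting SW6's `stp instance 30 priority 4096` line turns the VLAN 30 row into `misaligned`, because SW5's 8192 then beats SW6's default 32768 while SW6 still wins the VRRP election; a single dropped line is enough to put every VLAN 30 host on the long path, which is why this check belongs in a pre-change review.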
### 4. DHCP
- **AR3 - DHCP**
```
[AR3-DHCP]dhcp enable
[AR3-DHCP]ip pool vlan10
[AR3-DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
[AR3-DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[AR3-DHCP-ip-pool-vlan10]dns-list 8.8.8.8
[AR3-DHCP-ip-pool-vlan10]quit
[AR3-DHCP]ip pool vlan20
[AR3-DHCP-ip-pool-vlan20]network 192.168.20.0 mask 24
[AR3-DHCP-ip-pool-vlan20]gateway-list 192.168.20.254
[AR3-DHCP-ip-pool-vlan20]dns-list 8.8.8.8
[AR3-DHCP-ip-pool-vlan20]quit
[AR3-DHCP]ip pool vlan30
[AR3-DHCP-ip-pool-vlan30]network 192.168.30.0 mask 24
[AR3-DHCP-ip-pool-vlan30]gateway-list 192.168.30.254
[AR3-DHCP-ip-pool-vlan30]dns-list 8.8.8.8
[AR3-DHCP-ip-pool-vlan30]quit
[AR3-DHCP]int g0/0/0
[AR3-DHCP-GigabitEthernet0/0/0]dhcp select global
```
- **SW5 - DHCP relay**
```
[SW5]dhcp enable
[SW5]int Vlanif 10
[SW5-Vlanif10]dhcp select relay
[SW5-Vlanif10]dhcp relay server-ip 192.168.50.1
[SW5-Vlanif10]int Vlanif 20
[SW5-Vlanif20]dhcp select relay
[SW5-Vlanif20]dhcp relay server-ip 192.168.50.1
[SW5-Vlanif20]int Vlanif 30
[SW5-Vlanif30]dhcp select relay
[SW5-Vlanif30]dhcp relay server-ip 192.168.50.1
```
- **SW6 - DHCP relay**
```
[SW6]dhcp enable
[SW6]int Vlanif 10
[SW6-Vlanif10]dhcp select relay
[SW6-Vlanif10]dhcp relay server-ip 192.168.50.1
[SW6-Vlanif10]int Vlanif 20
[SW6-Vlanif20]dhcp select relay
[SW6-Vlanif20]dhcp relay server-ip 192.168.50.1
[SW6-Vlanif20]int Vlanif 30
[SW6-Vlanif30]dhcp select relay
[SW6-Vlanif30]dhcp relay server-ip 192.168.50.1
```
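When SW5 or SW6 relays a client's DISCOVER, it sets giaddr to the address of the Vlanif the request arrived on (192.168.10.251 or .252 for VLAN 10) and unicasts it to `dhcp relay server-ip 192.168.50.1`. With `dhcp select global` on AR3, the server chooses the pool whose `network` contains giaddr, so the pool, not the relay, decides which gateway the client learns. The script below is an added example (not AR3's or the switches' own code) that models this selection with Python's `ipaddress` module over the pool lines copied from the AR3 section, and audits two things worth confirming before blaming the relay: every pool's `gateway-list` is the VRRP virtual IP rather than a core switch's real address, and every relay address maps to exactly one pool. `WEAK_POOL_VLAN10` is a constructed variant showing the first mistake; the relay addresses and VIPs are the ones configured in the notes.

```python
"""DHCP pool selection for relayed requests (added example, not lab code)."""
import ipaddress
import re

# Copied from the notes' AR3 pool configuration, prompt format kept as shown.
AR3_POOLS = """
[AR3-DHCP]ip pool vlan10
[AR3-DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
[AR3-DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[AR3-DHCP-ip-pool-vlan10]dns-list 8.8.8.8
[AR3-DHCP]ip pool vlan20
[AR3-DHCP-ip-pool-vlan20]network 192.168.20.0 mask 24
[AR3-DHCP-ip-pool-vlan20]gateway-list 192.168.20.254
[AR3-DHCP-ip-pool-vlan20]dns-list 8.8.8.8
[AR3-DHCP]ip pool vlan30
[AR3-DHCP-ip-pool-vlan30]network 192.168.30.0 mask 24
[AR3-DHCP-ip-pool-vlan30]gateway-list 192.168.30.254
[AR3-DHCP-ip-pool-vlan30]dns-list 8.8.8.8
"""

# Constructed weak variant: gateway-list points at SW5's real Vlanif address
# instead of the VRRP virtual IP, so VLAN 10 clients lose their gateway if SW5 fails.
WEAK_POOL_VLAN10 = AR3_POOLS.replace("gateway-list 192.168.10.254", "gateway-list 192.168.10.251")

# From the notes: VRRP VIP per VLAN, and each core switch's Vlanif (relay) addresses.
VRRP_VIP = {10: "192.168.10.254", 20: "192.168.20.254", 30: "192.168.30.254"}
RELAY_ADDRS = {
    "SW5": ["192.168.10.251", "192.168.20.251", "192.168.30.251"],
    "SW6": ["192.168.10.252", "192.168.20.252", "192.168.30.252"],
}

POOL_LINE_RE = re.compile(r"^\[AR3-DHCP-ip-pool-([^\]]+)\](network|gateway-list|dns-list) (.+)$")


def parse_pools(text):
    """Return {pool_name: {"network": IPv4Network, "gateway": IPv4Address, "dns": [...]}}."""
    pools = {}
    for line in text.strip().splitlines():
        m = POOL_LINE_RE.match(line.strip())
        if not m:
            continue                       # `ip pool` / `quit` lines carry no data we need
        name, key, value = m.groups()
        pool = pools.setdefault(name, {"network": None, "gateway": None, "dns": []})
        if key == "network":
            net, _, mask = value.split()   # "192.168.10.0 mask 24"; dotted masks also parse
            pool["network"] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        elif key == "gateway-list":
            pool["gateway"] = ipaddress.ip_address(value)
        else:
            pool["dns"].append(ipaddress.ip_address(value))
    return pools


def select_pool(pools, giaddr):
    """Server-side rule for a relayed request: the pool whose network contains giaddr
    (the relay's Vlanif address). Returns (None, None) if zero or several pools match."""
    gi = ipaddress.ip_address(giaddr)
    hits = [(n, p) for n, p in pools.items() if p["network"] is not None and gi in p["network"]]
    return hits[0] if len(hits) == 1 else (None, None)


def build_offer(pools, giaddr):
    """Options a client behind the relay would receive; None if no pool serves it."""
    name, pool = select_pool(pools, giaddr)
    if pool is None:
        return None
    return {"pool": name, "router": str(pool["gateway"]), "dns": [str(d) for d in pool["dns"]]}


def audit(pools, vips, relay_addrs):
    """Return problem strings; an empty list means pools, VIPs and relays agree."""
    problems = []
    for vlan, vip in vips.items():
        name, pool = select_pool(pools, vip)
        if pool is None:
            problems.append(f"VLAN {vlan}: no single pool covers VIP {vip}")
        elif pool["gateway"] is None or str(pool["gateway"]) != vip:
            problems.append(f"{name}: gateway-list {pool['gateway']} is not the VRRP VIP {vip}")
    for sw, addrs in relay_addrs.items():
        for addr in addrs:
            if select_pool(pools, addr)[0] is None:
                problems.append(f"{sw}: relay address {addr} matches no pool")
    return problems


if __name__ == "__main__":
    pools = parse_pools(AR3_POOLS)
    for gi in ("192.168.10.251", "192.168.30.252", "192.168.50.1"):
        print(gi, "->", build_offer(pools, gi))
    print("audit:", audit(pools, VRRP_VIP, RELAY_ADDRS) or "OK")
    print("weak :", audit(parse_pools(WEAK_POOL_VLAN10), VRRP_VIP, RELAY_ADDRS))
```

Requests relayed by either core for the same VLAN land in the same pool, so it does not matter whether SW5 or SW6 forwards a given DISCOVER; both relays answer with the VIP as router. A giaddr of 192.168.50.1 matches no pool, which is the symptom seen when a relay interface's subnet has no pool on the server. The weak variant is reported as `vlan10: gateway-list 192.168.10.251 is not the VRRP VIP 192.168.10.254`: clients would still get addresses, but their default gateway would disappear with SW5 even though VRRP is configured.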
### 5. Verification
- All PCs can obtain IP addresses via DHCP
- All PCs can reach one another