Cyber_Security_Notes/B. 第二阶段/拓扑练习/0903_项目实战C - 内外网互联.md
2024-09-03 17:59:02 +08:00


Project Practice - Internal/External Network Interconnection

[Topology diagram: image-20240903154304067]

  • Requirements

    • SW5 connects to the egress device R1 through Vlanif15
    • SW6 connects to the egress device R1 through Vlanif16
    • Configure routes on SW5/SW6 and on the egress device R1 so that SW5/SW6 and R1 can reach each other
    • The company's egress device R1 connects to the external network; the company leases the public segment 100.1.1.0/29
    • Internal hosts need to reach the external network, so configure a default route on R1 with the public gateway as next hop
    • Use an ACL to define which departments and subnets are allowed to access the external network
    • Deploy address-pool NAT or Easy IP so that internal hosts can access the external network
    • Configure VRRP uplink tracking
  • The configuration builds on 0903_实战项目B - 内网优化.md

1. IP & VLAN & Routing

  • AR1

    [AR1]int g0/0/0
    [AR1-GigabitEthernet0/0/0]ip add 192.168.15.1 24
    [AR1-GigabitEthernet0/0/0]int g0/0/1
    [AR1-GigabitEthernet0/0/1]ip add 192.168.16.1 24
    [AR1-GigabitEthernet0/0/1]int g0/0/2
    [AR1-GigabitEthernet0/0/2]ip add 100.1.1.1 29
    
  • AR2

    [AR2]int g0/0/0
    [AR2-GigabitEthernet0/0/0]ip add 100.1.1.2 29
    [AR2-GigabitEthernet0/0/0]int g0/0/1
    [AR2-GigabitEthernet0/0/1]ip add 200.1.1.254 24
    
  • SW5

    [SW5]vlan batch 15 16
    [SW5]int Vlanif 15
    [SW5-Vlanif15]ip add 192.168.15.5 24
    [SW5-Vlanif15]quit
    [SW5]int g0/0/4
    [SW5-GigabitEthernet0/0/4]port link-type access
    [SW5-GigabitEthernet0/0/4]port default vlan 15
    [SW5-GigabitEthernet0/0/4]quit
    [SW5]ip route-static 0.0.0.0 0 192.168.15.1
    
  • SW6

    [SW6]vlan batch 15 16
    [SW6]int Vlanif 16
    [SW6-Vlanif16]ip add 192.168.16.6 24
    [SW6-Vlanif16]quit
    [SW6]int g0/0/4
    [SW6-GigabitEthernet0/0/4]port link-type access
    [SW6-GigabitEthernet0/0/4]port default vlan 16
    [SW6-GigabitEthernet0/0/4]quit
    [SW6]ip route-static 0.0.0.0 0 192.168.16.1
    
  • AR1

    [AR1]ip route-static 192.168.10.0 24 192.168.15.5
    [AR1]ip route-static 192.168.10.0 24 192.168.16.6 preference 100
    [AR1]ip route-static 192.168.20.0 24 192.168.15.5
    [AR1]ip route-static 192.168.20.0 24 192.168.16.6 preference 100
    [AR1]ip route-static 192.168.30.0 24 192.168.16.6
    [AR1]ip route-static 192.168.30.0 24 192.168.15.5 preference 100
    [AR1]ip route-static 0.0.0.0 0 100.1.1.2
    

2. NAT

  • AR1

    [AR1]nat address-group 1 100.1.1.3 100.1.1.5
    [AR1]acl 2000
    [AR1-acl-basic-2000]rule 10 permit source 192.168.10.0 0.0.0.255
    [AR1-acl-basic-2000]rule 20 permit source 192.168.20.0 0.0.0.255
    [AR1-acl-basic-2000]rule 30 permit source 192.168.30.0 0.0.0.255
    [AR1-acl-basic-2000]quit
    [AR1]int g0/0/2
    [AR1-GigabitEthernet0/0/2]nat outbound 2000 address-group 1
    
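The NAT step above has two parts a practitioner should be able to reason about before committing it: which sources basic ACL 2000 actually selects (Huawei wildcards are inverse masks, so `0.0.0.255` means "ignore the last octet"), and whether the addresses in `nat address-group 1` are all usable hosts of the leased /29 that do not collide with the link addresses `100.1.1.1` and `100.1.1.2`. The following Python model is an added example, not code from the notes; the rule ids, subnets, pool range and public prefix are taken from the page, and the internal host addresses fed to it are constructed.

```python
"""Model the NAT outbound decision on AR1 (added example, not from the notes).

basic ACL 2000 selects which internal sources are translated; address-group 1
supplies the public addresses. Values below are the ones configured on the page.
"""
import ipaddress

# (rule id, action, source, wildcard) as configured under [AR1-acl-basic-2000].
# A wildcard is an inverse mask: 0 bits must match, 1 bits are "don't care".
ACL_2000 = [
    (10, "permit", "192.168.10.0", "0.0.0.255"),
    (20, "permit", "192.168.20.0", "0.0.0.255"),
    (30, "permit", "192.168.30.0", "0.0.0.255"),
]

# nat address-group 1 100.1.1.3 100.1.1.5, inside the leased 100.1.1.0/29
POOL_START, POOL_END = "100.1.1.3", "100.1.1.5"
PUBLIC_NET = ipaddress.ip_network("100.1.1.0/29")
# Already assigned on the link (AR1 g0/0/2 and AR2 g0/0/0), so not pool candidates
LINK_ADDRESSES = {"100.1.1.1", "100.1.1.2"}


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Huawei-style match: compare only the bits where the wildcard is 0."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    mask = ~w & 0xFFFFFFFF
    return (a & mask) == (r & mask)


def acl_action(rules, src: str) -> str:
    """Rules are evaluated in ascending rule-id order; the first hit wins.
    A source that matches no rule is treated as not selected ("deny")."""
    for _, action, rule_addr, wildcard in sorted(rules):
        if wildcard_match(src, rule_addr, wildcard):
            return action
    return "deny"


def nat_decision(src: str) -> str:
    """What AR1's 'nat outbound 2000 address-group 1' does with a packet
    from src leaving g0/0/2: translate it, or forward it untranslated."""
    if acl_action(ACL_2000, src) == "permit":
        return f"translate, source from pool {POOL_START}-{POOL_END}"
    return "forward untranslated"


def pool_addresses(start: str, end: str):
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return [ipaddress.IPv4Address(i) for i in range(int(s), int(e) + 1)]


def pool_problems(start: str, end: str, net, reserved) -> list:
    """Pre-commit checks: every pool address must be a usable host of the
    leased prefix (not network/broadcast) and must not reuse a link address."""
    problems = []
    usable = set(net.hosts())
    for a in pool_addresses(start, end):
        if a not in usable:
            problems.append(f"{a} is not a usable host in {net}")
        if str(a) in reserved:
            problems.append(f"{a} collides with an interface address")
    return problems


if __name__ == "__main__":
    # Constructed sample hosts: two from permitted VLANs, one transit address
    for host in ("192.168.10.23", "192.168.30.7", "192.168.15.5"):
        print(host, "->", nat_decision(host))
    print("pool problems:", pool_problems(POOL_START, POOL_END, PUBLIC_NET, LINK_ADDRESSES))
```

Note that the transit address 192.168.15.5 (SW5's Vlanif15) is deliberately not translated: only the three user subnets are selected, which is exactly the "which departments may reach the Internet" control the requirements ask for. The `pool_problems` check is what catches a pool written as `100.1.1.1 100.1.1.7`, which would overlap the link addresses and include the broadcast address of the /29.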

3. VRRP uplink interface monitoring

  • HX - SW5

    [SW5]int Vlanif 10
    [SW5-Vlanif10]vrrp vrid 10 track int g0/0/4 reduced 50
    [SW5-Vlanif10]int vlan 20
    [SW5-Vlanif20]vrrp vrid 20 track int g0/0/4 reduced 50
    
  • HX - SW6

    [SW6]int Vlanif 30
    [SW6-Vlanif30]vrrp vrid 30 track int g0/0/4 reduced 50
    
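The `track interface ... reduced 50` commands above only produce a failover if the decrement is larger than the priority gap between master and backup. The VRRP priorities themselves were set in the previous lab file and are not shown on this page, so the simulation below assumes SW5 runs vrid 10 with priority 120 and SW6 with the default 100 (assumptions, not values from the notes); it is an added example, not the notes' own configuration. It shows the election with the uplink g0/0/4 up and down, and a check that the chosen `reduced` value is actually large enough.

```python
"""Simulate VRRP uplink tracking as configured on SW5/SW6 (added example).

'vrrp vrid N track interface g0/0/4 reduced 50' lowers the running priority
by 50 while g0/0/4 is down. Base priorities (120 / 100) are assumptions: the
page does not show them. The 'reduced 50' value is from the page.
"""
import ipaddress
from dataclasses import dataclass

REDUCED = 50  # from the page


@dataclass
class VrrpMember:
    name: str
    vlanif_ip: str      # constructed address on the VRRP VLAN
    priority: int       # configured priority (assumption)
    uplink_up: bool = True   # state of the tracked interface g0/0/4
    reduced: int = REDUCED

    def effective_priority(self) -> int:
        """Running priority: decremented while the tracked interface is down,
        never below 1 (255 is reserved for the address owner)."""
        if self.uplink_up:
            return self.priority
        return max(1, self.priority - self.reduced)


def elect_master(members) -> str:
    """Highest effective priority wins; a tie goes to the higher interface IP."""
    best = max(
        members,
        key=lambda m: (m.effective_priority(), int(ipaddress.IPv4Address(m.vlanif_ip))),
    )
    return best.name


def failover_guaranteed(primary: VrrpMember, backup: VrrpMember) -> bool:
    """The decrement must drop the primary strictly below the backup;
    otherwise an uplink failure on the master leaves traffic black-holed."""
    return primary.priority - primary.reduced < backup.priority


def vrid10_master(sw5_uplink_up: bool) -> str:
    """Election for vrid 10 (VLAN 10, master intended on SW5) with the given
    state of SW5's g0/0/4. Addresses are constructed, priorities assumed."""
    sw5 = VrrpMember("SW5", "192.168.10.252", 120, uplink_up=sw5_uplink_up)
    sw6 = VrrpMember("SW6", "192.168.10.253", 100)
    return elect_master([sw5, sw6])


if __name__ == "__main__":
    print("g0/0/4 up   ->", vrid10_master(True))
    print("g0/0/4 down ->", vrid10_master(False))
    primary = VrrpMember("SW5", "192.168.10.252", 120)
    backup = VrrpMember("SW6", "192.168.10.253", 100)
    print("reduced 50 sufficient:", failover_guaranteed(primary, backup))
    primary.reduced = 10
    print("reduced 10 sufficient:", failover_guaranteed(primary, backup))
```

With these values the master of vrid 10 moves from SW5 to SW6 when SW5's g0/0/4 goes down (120 - 50 = 70 < 100), which is the behaviour the uplink tracking is meant to deliver: hosts in VLAN 10/20 keep a gateway whose path to R1 is still alive instead of being sent to a switch whose uplink is gone. The same arithmetic applies to vrid 30 on SW6 with the roles reversed. A `reduced` value smaller than the priority gap (for example 10 with a 120/100 pair) passes the commit but never triggers failover, so checking it belongs in the pre-change review.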

4. Test

  • PC1 PING Server1

    PC1>ping 200.1.1.1
    
    Ping 200.1.1.1: 32 data bytes, Press Ctrl_C to break
    From 200.1.1.1: bytes=32 seq=1 ttl=252 time=79 ms
    From 200.1.1.1: bytes=32 seq=2 ttl=252 time=78 ms
    From 200.1.1.1: bytes=32 seq=3 ttl=252 time=78 ms
    From 200.1.1.1: bytes=32 seq=4 ttl=252 time=78 ms
    From 200.1.1.1: bytes=32 seq=5 ttl=252 time=62 ms
    
    --- 200.1.1.1 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 62/75/79 ms