Noriu/Cyber_Security_Notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
bd14913d82
Cyber_Security_Notes/B. 第二阶段/拓扑练习/0903_项目实战B - 内网优化.md
Noriu fed6023ddf 2024年9月3日 17:49:10
2024-09-03 17:49:13 +08:00

5.9 KiB
Raw Blame History

项目实战 - 内网优化

image-20240903155919145

  • 需求
    • 所有部门中都使用了网关冗余技术,为了增强网关稳定性和冗余性
    • 交换机之间存在很多冗余链路,必须防止环路的发生,并且能够提高链路的利用率,要求每个部门的主机访问其他主机时,使用的都是最优的转发路径
    • VLAN30的主机通过SW6与DHCP服务器通信获取IP地址所以SW6也是DHCP中继

一、IP、VLAN、Routing

  • PC

  • SW1

    [SW1]vlan 10
[SW1-vlan10]quit
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access 
[SW1-GigabitEthernet0/0/1]port default vlan 10
[SW1-GigabitEthernet0/0/1]quit
[SW1]port-group group-member g0/0/2 g0/0/3
[SW1-port-group]port link-type trunk
[SW1-port-group]port trunk allow-pass vlan all

  • SW2

    [SW2]vlan 20
[SW2-vlan20]quit
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access
[SW2-GigabitEthernet0/0/1]port default vlan 20
[SW2-GigabitEthernet0/0/1]quit
[SW2]port-group group-member g0/0/2 g0/0/3
[SW2-port-group]port link-type trunk
[SW2-port-group]port trunk allow-pass vlan all

  • SW3

    [SW3]vlan 30
[SW3-vlan30]quit
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]quit
[SW3]port-group group-member g0/0/2 g0/0/3
[SW3-port-group]port link-type trunk
[SW3-port-group]port trunk allow-pass vlan all

  • SW5

    [SW5]vlan batch 10 20 30 50
[SW5]port-group group-member g0/0/1 to g0/0/3 g0/0/6	
[SW5-port-group]port link-type trunk
[SW5-port-group]port trunk allow-pass vlan all
[SW5-port-group]quit
[SW5]int g0/0/5
[SW5-GigabitEthernet0/0/5]port link-type access
[SW5-GigabitEthernet0/0/5]port default vlan 50
[SW5-GigabitEthernet0/0/5]quit
[SW5]int Vlanif 50
[SW5-Vlanif50]ip add 192.168.50.251 24
[SW5-Vlanif50]int Vlanif 10
[SW5-Vlanif10]ip add 192.168.10.251 24
[SW5-Vlanif10]int Vlanif 20
[SW5-Vlanif20]ip add 192.168.20.251 24
[SW5-Vlanif20]int Vlanif 30
[SW5-Vlanif30]ip add 192.168.30.251 24

  • SW6

    [SW6]vlan batch 10 20 30 50
[SW6]port-group group-member g0/0/1 to g0/0/3 g0/0/6
[SW6-port-group]port link-type trunk
[SW6-port-group]port trunk allow-pass vlan all
[SW6-port-group]quit
[SW6]int Vlanif 10
[SW6-Vlanif10]ip add 192.168.10.252 24
[SW6-Vlanif10]int Vlanif 20
[SW6-Vlanif20]ip add 192.168.20.252 24
[SW6-Vlanif20]int Vlanif 30
[SW6-Vlanif30]ip add 192.168.30.252 24
[SW6-Vlanif30]int Vlanif 50
[SW6-Vlanif50]ip add 192.168.50.252 24

  • AR3 - DHCP

    [AR3-DHCP]int g0/0/0
[AR3-DHCP-GigabitEthernet0/0/0]ip add 192.168.50.1 24
[AR3-DHCP-GigabitEthernet0/0/0]quit
[AR3-DHCP]ip route-static 0.0.0.0 0 192.168.50.251

二、VRRP

  • SW5

    [SW5]int Vlanif 10
[SW5-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW5-Vlanif10]vrrp vrid 10 priority 130
[SW5-Vlanif10]quit
[SW5]int Vlanif 20
[SW5-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW5-Vlanif20]vrrp vrid 20 priority 130
[SW5-Vlanif20]quit
[SW5]int Vlanif 30
[SW5-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254

  • SW6

    [SW6]int Vlanif 10
[SW6-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW6-Vlanif10]int Vlanif 20
[SW6-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW6-Vlanif20]int Vlanif 30
[SW6-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW6-Vlanif30]vrrp vrid 30 priority 130

三、MSTP

  • SW1/SW2/SW3/SW5/SW6 统一配置MSTP

    [SW1]stp region-configuration
[SW1-mst-region]region-name ntd2407
[SW1-mst-region]instance 5 vlan 50
[SW1-mst-region]instance 10 vlan 10
[SW1-mst-region]instance 20 vlan 20
[SW1-mst-region]instance 30 vlan 30
[SW1-mst-region]active region-configuration

  • HX_SW5是实例10和实例20的主根

    [SW5]stp instance 5 priority 8192
[SW5]stp instance 10 priority 4096
[SW5]stp instance 20 priority 4096
[SW5]stp instance 30 priority 8192

  • HX_SW6是实例30和实例5的主根

    [SW5]stp instance 5 priority 8192
[SW6]stp instance 10 priority 8192
[SW6]stp instance 20 priority 8192
[SW6]stp instance 30 priority 4096

四、DHCP

  • AR3 - DHCP

    [AR3-DHCP]dhcp enable 
[AR3-DHCP]ip pool vlan10
[AR3-DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
[AR3-DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[AR3-DHCP-ip-pool-vlan10]dns-list 8.8.8.8
[AR3-DHCP-ip-pool-vlan10]quit
[AR3-DHCP]ip pool vlan20
[AR3-DHCP-ip-pool-vlan20]network 192.168.20.0 mask 24
[AR3-DHCP-ip-pool-vlan20]gateway-list 192.168.20.254
[AR3-DHCP-ip-pool-vlan20]dns-list 8.8.8.8
[AR3-DHCP-ip-pool-vlan20]quit
[AR3-DHCP]ip pool vlan30
[AR3-DHCP-ip-pool-vlan30]network 192.168.30.0 mask 24
[AR3-DHCP-ip-pool-vlan30]gateway-list 192.168.30.254
[AR3-DHCP-ip-pool-vlan30]dns-list 8.8.8.8
[AR3-DHCP-ip-pool-vlan30]quit
[AR3-DHCP]int g0/0/0
[AR3-DHCP-GigabitEthernet0/0/1]dhcp select global

  • SW5 - DHCP中继

    [SW5]dhcp enable
[SW5]int Vlanif 10
[SW5-Vlanif10]dhcp select relay
[SW5-Vlanif10]dhcp relay server-ip 192.168.50.1
[SW5-Vlanif10]int Vlanif 20
[SW5-Vlanif20]dhcp select relay
[SW5-Vlanif20]dhcp relay server-ip 192.168.50.1
[SW5-Vlanif20]int Vlanif 30
[SW5-Vlanif30]dhcp select relay
[SW5-Vlanif30]dhcp relay server-ip 192.168.50.1

  • SW6 - DHCP中继

    [SW6]dhcp enable
[SW6]int Vlanif 10
[SW6-Vlanif10]dhcp select relay
[SW6-Vlanif10]dhcp relay server-ip 192.168.50.1
[SW6-Vlanif10]int Vlanif 20
[SW6-Vlanif20]dhcp select relay
[SW6-Vlanif20]dhcp relay server-ip 192.168.50.1
[SW6-Vlanif20]int Vlanif 30
[SW6-Vlanif30]dhcp select relay
[SW6-Vlanif30]dhcp relay server-ip 192.168.50.1

五、验证

  • 所有PC都可以通过dhcp获取IP地址
  • 所有PC都可以互联互通