2024-09-03 15:53:12 +08:00


Project Practice - Intranet Optimization

[Topology diagram: image-20240903154304067]

  • Requirements
    • Every department uses gateway redundancy to improve gateway stability and resilience
    • There are many redundant links between the switches; loops must be prevented while link utilisation is improved, and hosts in each department must use the optimal forwarding path when reaching other hosts
    • VLAN 30 hosts obtain IP addresses by talking to the DHCP server through SW6, so SW6 is also a DHCP relay

1. IP, VLAN, Routing

  • PC

  • SW1

    [SW1]vlan 10
    [SW1-vlan10]quit
    [SW1]int g0/0/1
    [SW1-GigabitEthernet0/0/1]port link-type access 
    [SW1-GigabitEthernet0/0/1]port default vlan 10
    [SW1-GigabitEthernet0/0/1]quit
    [SW1]port-group group-member g0/0/2 g0/0/3
    [SW1-port-group]port link-type trunk
    [SW1-port-group]port trunk allow-pass vlan all
    
  • SW2

    [SW2]vlan 20
    [SW2-vlan20]quit
    [SW2]int g0/0/1
    [SW2-GigabitEthernet0/0/1]port link-type access
    [SW2-GigabitEthernet0/0/1]port default vlan 20
    [SW2-GigabitEthernet0/0/1]quit
    [SW2]port-group group-member g0/0/2 g0/0/3
    [SW2-port-group]port link-type trunk
    [SW2-port-group]port trunk allow-pass vlan all
    
  • SW3

    [SW3]vlan 30
    [SW3-vlan30]quit
    [SW3]int g0/0/1
    [SW3-GigabitEthernet0/0/1]port link-type access
    [SW3-GigabitEthernet0/0/1]port default vlan 30
    [SW3-GigabitEthernet0/0/1]quit
    [SW3]port-group group-member g0/0/2 g0/0/3
    [SW3-port-group]port link-type trunk
    [SW3-port-group]port trunk allow-pass vlan all
    
  • SW5

    [SW5]vlan batch 10 20 30 50
    [SW5]port-group group-member g0/0/1 to g0/0/3 g0/0/6
    [SW5-port-group]port link-type trunk
    [SW5-port-group]port trunk allow-pass vlan all
    [SW5-port-group]quit
    [SW5]int g0/0/5
    [SW5-GigabitEthernet0/0/5]port link-type access
    [SW5-GigabitEthernet0/0/5]port default vlan 50
    [SW5-GigabitEthernet0/0/5]quit
    [SW5]int Vlanif 50
    [SW5-Vlanif50]ip add 192.168.50.251 24
    [SW5-Vlanif50]int Vlanif 10
    [SW5-Vlanif10]ip add 192.168.10.251 24
    [SW5-Vlanif10]int Vlanif 20
    [SW5-Vlanif20]ip add 192.168.20.251 24
    [SW5-Vlanif20]int Vlanif 30
    [SW5-Vlanif30]ip add 192.168.30.251 24
    
  • SW6

    [SW6]vlan batch 10 20 30 50
    [SW6]port-group group-member g0/0/1 to g0/0/3 g0/0/6
    [SW6-port-group]port link-type trunk
    [SW6-port-group]port trunk allow-pass vlan all
    [SW6-port-group]quit
    [SW6]int Vlanif 10
    [SW6-Vlanif10]ip add 192.168.10.252 24
    [SW6-Vlanif10]int Vlanif 20
    [SW6-Vlanif20]ip add 192.168.20.252 24
    [SW6-Vlanif20]int Vlanif 30
    [SW6-Vlanif30]ip add 192.168.30.252 24
    [SW6-Vlanif30]int Vlanif 50
    [SW6-Vlanif50]ip add 192.168.50.252 24
    
  • AR3 - DHCP

    [AR3-DHCP]int g0/0/0
    [AR3-DHCP-GigabitEthernet0/0/0]ip add 192.168.50.1 24
    [AR3-DHCP-GigabitEthernet0/0/0]quit
    [AR3-DHCP]ip route-static 0.0.0.0 0 192.168.50.251
    

2. VRRP

  • SW5

    [SW5]int Vlanif 10
    [SW5-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
    [SW5-Vlanif10]vrrp vrid 10 priority 130
    [SW5-Vlanif10]quit
    [SW5]int Vlanif 20
    [SW5-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
    [SW5-Vlanif20]vrrp vrid 20 priority 130
    [SW5-Vlanif20]quit
    [SW5]int Vlanif 30
    [SW5-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
    
  • SW6

    [SW6]int Vlanif 10
    [SW6-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
    [SW6-Vlanif10]int Vlanif 20
    [SW6-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
    [SW6-Vlanif20]int Vlanif 30
    [SW6-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
    [SW6-Vlanif30]vrrp vrid 30 priority 130
    

3. MSTP

  • SW1/SW2/SW3/SW5/SW6: identical MSTP region configuration on every switch

    [SW1]stp region-configuration
    [SW1-mst-region]region-name ntd2407
    [SW1-mst-region]instance 5 vlan 50
    [SW1-mst-region]instance 10 vlan 10
    [SW1-mst-region]instance 20 vlan 20
    [SW1-mst-region]instance 30 vlan 30
    [SW1-mst-region]active region-configuration
    
  • HX_SW5 is the primary root for instances 10 and 20

    [SW5]stp instance 5 priority 8192
    [SW5]stp instance 10 priority 4096
    [SW5]stp instance 20 priority 4096
    [SW5]stp instance 30 priority 8192
    
  • HX_SW6 is the primary root for instances 30 and 5

    [SW6]stp instance 5 priority 4096
    [SW6]stp instance 10 priority 8192
    [SW6]stp instance 20 priority 8192
    [SW6]stp instance 30 priority 4096
    
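The optimal-path requirement is met only when, for each VLAN, the VRRP master (highest VRRP priority) is the same switch as the MSTP root of the instance carrying that VLAN; otherwise traffic from the access switch crosses a blocked-port detour to reach the gateway. The following script is an added example, not part of the original notes: it parses the page's own VRRP and MSTP lines (embedded as a constructed sample) and reports any VLAN whose VRRP master and MSTP root differ. The instance-to-VLAN map and the regexes on the `[SWx-Vlanif]` prompt format are assumptions matching the transcripts above.

```python
import re
from collections import defaultdict

# Constructed sample: the VRRP and MSTP priority lines entered on SW5 and SW6.
SAMPLE = """
[SW5-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW5-Vlanif10]vrrp vrid 10 priority 130
[SW5-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW5-Vlanif20]vrrp vrid 20 priority 130
[SW5-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW6-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW6-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW6-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW6-Vlanif30]vrrp vrid 30 priority 130
[SW5]stp instance 10 priority 4096
[SW5]stp instance 20 priority 4096
[SW5]stp instance 30 priority 8192
[SW6]stp instance 10 priority 8192
[SW6]stp instance 20 priority 8192
[SW6]stp instance 30 priority 4096
"""
# Instance -> VLANs from the shared region configuration (instance 5 / VLAN 50 has no VRRP group).
INSTANCE_VLANS = {10: [10], 20: [20], 30: [30]}
VRRP_IP = re.compile(r"^\[(\w+)-Vlanif(\d+)\]vrrp vrid \d+ virtual-ip ")
VRRP_PRIO = re.compile(r"^\[(\w+)-Vlanif(\d+)\]vrrp vrid \d+ priority (\d+)")
STP_PRIO = re.compile(r"^\[(\w+)\]stp instance (\d+) priority (\d+)")

def parse(text):
    """Return ({vlan: {switch: vrrp_priority}}, {instance: {switch: stp_priority}})."""
    vrrp, stp = defaultdict(dict), defaultdict(dict)
    for line in text.splitlines():
        if m := VRRP_IP.match(line):
            vrrp[int(m[2])].setdefault(m[1], 100)   # VRRP default priority is 100
        elif m := VRRP_PRIO.match(line):
            vrrp[int(m[2])][m[1]] = int(m[3])
        elif m := STP_PRIO.match(line):
            stp[int(m[2])][m[1]] = int(m[3])
    return vrrp, stp

def check_alignment(text, instance_vlans):
    """For each VLAN return (vrrp_master, mstp_root, aligned)."""
    vrrp, stp = parse(text)
    vlan_inst = {v: i for i, vs in instance_vlans.items() for v in vs}
    report = {}
    for vlan, prios in sorted(vrrp.items()):
        master = max(prios, key=prios.get)                    # highest VRRP priority wins
        roots = stp.get(vlan_inst.get(vlan), {})
        root = min(roots, key=roots.get) if roots else None   # lowest STP priority wins
        report[vlan] = (master, root, master == root)
    return report
```

Running `check_alignment(SAMPLE, INSTANCE_VLANS)` on the page's values reports SW5 for VLANs 10 and 20 and SW6 for VLAN 30 on both sides; changing one priority line (for instance leaving SW6 at 8192 for instance 30) makes VLAN 30 show a mismatch.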

4. DHCP

  • AR3 - DHCP

    [AR3-DHCP]dhcp enable 
    [AR3-DHCP]ip pool vlan10
    [AR3-DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
    [AR3-DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
    [AR3-DHCP-ip-pool-vlan10]dns-list 8.8.8.8
    [AR3-DHCP-ip-pool-vlan10]quit
    [AR3-DHCP]ip pool vlan20
    [AR3-DHCP-ip-pool-vlan20]network 192.168.20.0 mask 24
    [AR3-DHCP-ip-pool-vlan20]gateway-list 192.168.20.254
    [AR3-DHCP-ip-pool-vlan20]dns-list 8.8.8.8
    [AR3-DHCP-ip-pool-vlan20]quit
    [AR3-DHCP]ip pool vlan30
    [AR3-DHCP-ip-pool-vlan30]network 192.168.30.0 mask 24
    [AR3-DHCP-ip-pool-vlan30]gateway-list 192.168.30.254
    [AR3-DHCP-ip-pool-vlan30]dns-list 8.8.8.8
    [AR3-DHCP-ip-pool-vlan30]quit
    [AR3-DHCP]int g0/0/0
    [AR3-DHCP-GigabitEthernet0/0/0]dhcp select global
    
  • SW5 - DHCP relay

    [SW5]dhcp enable
    [SW5]int Vlanif 10
    [SW5-Vlanif10]dhcp select relay
    [SW5-Vlanif10]dhcp relay server-ip 192.168.50.1
    [SW5-Vlanif10]int Vlanif 20
    [SW5-Vlanif20]dhcp select relay
    [SW5-Vlanif20]dhcp relay server-ip 192.168.50.1
    [SW5-Vlanif20]int Vlanif 30
    [SW5-Vlanif30]dhcp select relay
    [SW5-Vlanif30]dhcp relay server-ip 192.168.50.1
    
  • SW6 - DHCP relay

    [SW6]dhcp enable
    [SW6]int Vlanif 10
    [SW6-Vlanif10]dhcp select relay
    [SW6-Vlanif10]dhcp relay server-ip 192.168.50.1
    [SW6-Vlanif10]int Vlanif 20
    [SW6-Vlanif20]dhcp select relay
    [SW6-Vlanif20]dhcp relay server-ip 192.168.50.1
    [SW6-Vlanif20]int Vlanif 30
    [SW6-Vlanif30]dhcp select relay
    [SW6-Vlanif30]dhcp relay server-ip 192.168.50.1
    

5. Verification

  • All PCs obtain an IP address via DHCP
  • All PCs can reach one another