Cyber_Security_Notes/B. 第二阶段/拓扑练习/0903_项目实战B - 内网优化.md
2024-09-03 17:49:13 +08:00


# Hands-on Project - Intranet Optimization
![image-20240903155919145](https://picgo-noriu.oss-cn-beijing.aliyuncs.com/Images/image-20240903155919145.png)
- **Requirements**
- Every department uses gateway redundancy to improve gateway stability and resilience
- There are many redundant links between the switches; loops must be prevented while link utilization is improved, and hosts in each department must use the optimal forwarding path when reaching hosts in other departments
- VLAN 30 hosts obtain their IP addresses by talking to the DHCP server through SW6, so SW6 must also act as a DHCP relay
### 1. IP, VLAN, Routing
- **PC**
- **SW1**
```
[SW1]vlan 10
[SW1-vlan10]quit
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 10
[SW1-GigabitEthernet0/0/1]quit
[SW1]port-group group-member g0/0/2 g0/0/3
[SW1-port-group]port link-type trunk
[SW1-port-group]port trunk allow-pass vlan all
```
- **SW2**
```
[SW2]vlan 20
[SW2-vlan20]quit
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access
[SW2-GigabitEthernet0/0/1]port default vlan 20
[SW2-GigabitEthernet0/0/1]quit
[SW2]port-group group-member g0/0/2 g0/0/3
[SW2-port-group]port link-type trunk
[SW2-port-group]port trunk allow-pass vlan all
```
- **SW3**
```
[SW3]vlan 30
[SW3-vlan30]quit
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]quit
[SW3]port-group group-member g0/0/2 g0/0/3
[SW3-port-group]port link-type trunk
[SW3-port-group]port trunk allow-pass vlan all
```
- **SW5**
```
[SW5]vlan batch 10 20 30 50
[SW5]port-group group-member g0/0/1 to g0/0/3 g0/0/6
[SW5-port-group]port link-type trunk
[SW5-port-group]port trunk allow-pass vlan all
[SW5-port-group]quit
[SW5]int g0/0/5
[SW5-GigabitEthernet0/0/5]port link-type access
[SW5-GigabitEthernet0/0/5]port default vlan 50
[SW5-GigabitEthernet0/0/5]quit
[SW5]int Vlanif 50
[SW5-Vlanif50]ip add 192.168.50.251 24
[SW5-Vlanif50]int Vlanif 10
[SW5-Vlanif10]ip add 192.168.10.251 24
[SW5-Vlanif10]int Vlanif 20
[SW5-Vlanif20]ip add 192.168.20.251 24
[SW5-Vlanif20]int Vlanif 30
[SW5-Vlanif30]ip add 192.168.30.251 24
```
- **SW6**
```
[SW6]vlan batch 10 20 30 50
[SW6]port-group group-member g0/0/1 to g0/0/3 g0/0/6
[SW6-port-group]port link-type trunk
[SW6-port-group]port trunk allow-pass vlan all
[SW6-port-group]quit
[SW6]int Vlanif 10
[SW6-Vlanif10]ip add 192.168.10.252 24
[SW6-Vlanif10]int Vlanif 20
[SW6-Vlanif20]ip add 192.168.20.252 24
[SW6-Vlanif20]int Vlanif 30
[SW6-Vlanif30]ip add 192.168.30.252 24
[SW6-Vlanif30]int Vlanif 50
[SW6-Vlanif50]ip add 192.168.50.252 24
```
- **AR3 - DHCP**
```
[AR3-DHCP]int g0/0/0
[AR3-DHCP-GigabitEthernet0/0/0]ip add 192.168.50.1 24
[AR3-DHCP-GigabitEthernet0/0/0]quit
[AR3-DHCP]ip route-static 0.0.0.0 0 192.168.50.251
```
### 2. VRRP
- **SW5**
```
[SW5]int Vlanif 10
[SW5-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW5-Vlanif10]vrrp vrid 10 priority 130
[SW5-Vlanif10]quit
[SW5]int Vlanif 20
[SW5-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW5-Vlanif20]vrrp vrid 20 priority 130
[SW5-Vlanif20]quit
[SW5]int Vlanif 30
[SW5-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
```
- **SW6**
```
[SW6]int Vlanif 10
[SW6-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW6-Vlanif10]int Vlanif 20
[SW6-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW6-Vlanif20]int Vlanif 30
[SW6-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW6-Vlanif30]vrrp vrid 30 priority 130
```
### 3. MSTP
- **Configure the same MSTP region on SW1/SW2/SW3/SW5/SW6**
```
[SW1]stp region-configuration
[SW1-mst-region]region-name ntd2407
[SW1-mst-region]instance 5 vlan 50
[SW1-mst-region]instance 10 vlan 10
[SW1-mst-region]instance 20 vlan 20
[SW1-mst-region]instance 30 vlan 30
[SW1-mst-region]active region-configuration
```
- **HX_SW5 is the primary root for instances 10 and 20**
```
[SW5]stp instance 5 priority 8192
[SW5]stp instance 10 priority 4096
[SW5]stp instance 20 priority 4096
[SW5]stp instance 30 priority 8192
```
- **HX_SW6 is the primary root for instances 30 and 5**
```
[SW6]stp instance 5 priority 4096
[SW6]stp instance 10 priority 8192
[SW6]stp instance 20 priority 8192
[SW6]stp instance 30 priority 4096
```
### 4. DHCP
- **AR3 - DHCP**
```
[AR3-DHCP]dhcp enable
[AR3-DHCP]ip pool vlan10
[AR3-DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
[AR3-DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[AR3-DHCP-ip-pool-vlan10]dns-list 8.8.8.8
[AR3-DHCP-ip-pool-vlan10]quit
[AR3-DHCP]ip pool vlan20
[AR3-DHCP-ip-pool-vlan20]network 192.168.20.0 mask 24
[AR3-DHCP-ip-pool-vlan20]gateway-list 192.168.20.254
[AR3-DHCP-ip-pool-vlan20]dns-list 8.8.8.8
[AR3-DHCP-ip-pool-vlan20]quit
[AR3-DHCP]ip pool vlan30
[AR3-DHCP-ip-pool-vlan30]network 192.168.30.0 mask 24
[AR3-DHCP-ip-pool-vlan30]gateway-list 192.168.30.254
[AR3-DHCP-ip-pool-vlan30]dns-list 8.8.8.8
[AR3-DHCP-ip-pool-vlan30]quit
[AR3-DHCP]int g0/0/0
[AR3-DHCP-GigabitEthernet0/0/0]dhcp select global
```
- **SW5 - DHCP relay**
```
[SW5]dhcp enable
[SW5]int Vlanif 10
[SW5-Vlanif10]dhcp select relay
[SW5-Vlanif10]dhcp relay server-ip 192.168.50.1
[SW5-Vlanif10]int Vlanif 20
[SW5-Vlanif20]dhcp select relay
[SW5-Vlanif20]dhcp relay server-ip 192.168.50.1
[SW5-Vlanif20]int Vlanif 30
[SW5-Vlanif30]dhcp select relay
[SW5-Vlanif30]dhcp relay server-ip 192.168.50.1
```
- **SW6 - DHCP relay**
```
[SW6]dhcp enable
[SW6]int Vlanif 10
[SW6-Vlanif10]dhcp select relay
[SW6-Vlanif10]dhcp relay server-ip 192.168.50.1
[SW6-Vlanif10]int Vlanif 20
[SW6-Vlanif20]dhcp select relay
[SW6-Vlanif20]dhcp relay server-ip 192.168.50.1
[SW6-Vlanif20]int Vlanif 30
[SW6-Vlanif30]dhcp select relay
[SW6-Vlanif30]dhcp relay server-ip 192.168.50.1
```
### 5. Verification
- All PCs can obtain an IP address via DHCP
- All PCs can reach each other
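The optimal-path requirement depends on the VRRP master and the MSTP root bridge being the same switch for every VLAN (SW5 for VLANs 10/20, SW6 for VLAN 30); if they drift apart, traffic crosses the inter-switch link twice. The following is an added example, not part of the original notes: a Python audit that parses VRP-style prompt lines and reports VLANs whose VRRP master differs from the MSTP root. It assumes hyphen-free device names and takes the instance-to-VLAN mapping from the `mst-region` lines; the config excerpt is constructed from this page's SW5/SW6 lines.

```python
import re

# Constructed excerpt of the page's SW5/SW6 VRRP and MSTP lines (not the full config).
CONFIG = """\
[SW5-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW5-Vlanif10]vrrp vrid 10 priority 130
[SW5-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW5-Vlanif20]vrrp vrid 20 priority 130
[SW5-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW6-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW6-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW6-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW6-Vlanif30]vrrp vrid 30 priority 130
[SW1-mst-region]instance 10 vlan 10
[SW1-mst-region]instance 20 vlan 20
[SW1-mst-region]instance 30 vlan 30
[SW5]stp instance 10 priority 4096
[SW5]stp instance 20 priority 4096
[SW5]stp instance 30 priority 8192
[SW6]stp instance 10 priority 8192
[SW6]stp instance 20 priority 8192
[SW6]stp instance 30 priority 4096
"""
# VRP prompt is [device] or [device-context]; assumes device names contain no hyphen.
PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<ctx>[^\]]+))?\](?P<cmd>.+)$")

def audit(config):
    """Map each VRRP VLAN to (VRRP master = highest priority, MSTP root = lowest)."""
    vrrp, stp, inst2vlan = {}, {}, {}
    for line in config.splitlines():
        m = PROMPT.match(line.strip())
        if not m: continue
        dev, ctx, cmd = m["dev"], m["ctx"] or "", m["cmd"].split()
        if cmd[:2] == ["vrrp", "vrid"] and ctx.startswith("Vlanif"):
            key = (int(ctx[6:]), dev)
            vrrp.setdefault(key, 100)  # VRRP default priority is 100
            if cmd[3] == "priority":
                vrrp[key] = int(cmd[4])
        elif cmd[:2] == ["stp", "instance"] and cmd[3] == "priority":
            stp[(int(cmd[2]), dev)] = int(cmd[4])
        elif ctx == "mst-region" and cmd[0] == "instance" and cmd[2] == "vlan":
            inst2vlan[int(cmd[1])] = int(cmd[3])
    result = {}
    for vlan in sorted({v for v, _ in vrrp}):
        master = max((p, d) for (v, d), p in vrrp.items() if v == vlan)[1]
        insts = {i for i, v in inst2vlan.items() if v == vlan}
        roots = [(p, d) for (i, d), p in stp.items() if i in insts]
        result[vlan] = (master, min(roots)[1] if roots else None)
    return result
def misaligned(config):
    """VLANs whose VRRP master is not the MSTP root: their traffic takes a detour."""
    return [v for v, (m, r) in audit(config).items() if m != r]
```

Priority ties are not resolved here (real VRRP prefers the higher interface IP, STP the lower bridge MAC), so a tie should be treated as a finding in itself.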