Cyber_Security_Notes/B. 第二阶段/拓扑练习/0903_项目实战C - 内外网互联.md
2024-09-03 17:49:13 +08:00


# Project Practice - Internal/External Network Interconnection
![image-20240903154304067](https://picgo-noriu.oss-cn-beijing.aliyuncs.com/Images/image-20240903154304067.png)
- **Requirements**
- SW5 connects to the egress device R1 (AR1 in the configuration below) through Vlanif 15
- SW6 connects to the egress device R1 through Vlanif 16
- Configure routes on SW5/SW6 and on R1 so that SW5/SW6 and R1 can reach each other
- The company's egress device R1 connects to the public segment 100.1.1.0/29 leased from the upstream provider
- Internal hosts need Internet access, so configure a default route on R1 whose next hop is the public gateway
- Use an ACL to define which departments and subnets are allowed to reach the Internet
- Deploy address-pool NAT or Easy-IP so that internal hosts can reach the Internet
- Configure VRRP uplink tracking
- The configuration builds on `0903_实战项目B - 内网优化.md`
### 1. IP & VLAN & Routing
- **AR1**
```
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 192.168.15.1 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 192.168.16.1 24
[AR1-GigabitEthernet0/0/1]int g0/0/2
[AR1-GigabitEthernet0/0/2]ip add 100.1.1.1 29
```
- **AR2**
```
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 100.1.1.2 29
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 200.1.1.254 24
```
- **SW5**
```
[SW5]vlan batch 15 16
[SW5]int Vlanif 15
[SW5-Vlanif15]ip add 192.168.15.5 24
[SW5-Vlanif15]quit
[SW5]int g0/0/4
[SW5-GigabitEthernet0/0/4]port link-type access
[SW5-GigabitEthernet0/0/4]port default vlan 15
[SW5-GigabitEthernet0/0/4]quit
[SW5]ip route-static 0.0.0.0 0 192.168.15.1
```
- **SW6**
```
[SW6]vlan batch 15 16
[SW6]int Vlanif 16
[SW6-Vlanif16]ip add 192.168.16.6 24
[SW6-Vlanif16]quit
[SW6]int g0/0/4
[SW6-GigabitEthernet0/0/4]port link-type access
[SW6-GigabitEthernet0/0/4]port default vlan 16
[SW6-GigabitEthernet0/0/4]quit
[SW6]ip route-static 0.0.0.0 0 192.168.16.1
```
- **AR1**
```
[AR1]ip route-static 192.168.10.0 24 192.168.15.5
[AR1]ip route-static 192.168.10.0 24 192.168.16.6 preference 100
[AR1]ip route-static 192.168.20.0 24 192.168.15.5
[AR1]ip route-static 192.168.20.0 24 192.168.16.6 preference 100
[AR1]ip route-static 192.168.30.0 24 192.168.16.6
[AR1]ip route-static 192.168.30.0 24 192.168.15.5 preference 100
[AR1]ip route-static 0.0.0.0 0 100.1.1.2
```
### 2. NAT
- **AR1**
```
[AR1]nat address-group 1 100.1.1.3 100.1.1.5
[AR1]acl 2000
[AR1-acl-basic-2000]rule 10 permit source 192.168.10.0 0.0.0.255
[AR1-acl-basic-2000]rule 20 permit source 192.168.20.0 0.0.0.255
[AR1-acl-basic-2000]rule 30 permit source 192.168.30.0 0.0.0.255
[AR1-acl-basic-2000]quit
[AR1]int g0/0/2
[AR1-GigabitEthernet0/0/2]nat outbound 2000 address-group 1
```
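The pool 100.1.1.3 to 100.1.1.5 sits inside the leased 100.1.1.0/29 (usable hosts .1 to .6) and does not collide with AR1 (.1) or AR2 (.2). The ACL is a basic ACL, so it matches on source address only, rules are evaluated in rule-id order and anything that matches no rule hits the implicit deny. The Python model below, added here and not part of the original notes, implements that wildcard matching and a simplified address-pool PAT with a session table for the return direction. Pool-address and port selection (round-robin, ports from 1024 upward) are assumptions; VRP picks the pool address by hashing the source.

```python
"""Outbound NAT on AR1 modelled in Python (added example, not part of the
original notes): basic-ACL wildcard matching with the implicit deny, and
address-pool PAT with a session table. Pool-address and port selection
(round-robin, ports from 1024 up) are simplifying assumptions."""
import ipaddress


def wildcard_match(address, base, wildcard):
    """VRP wildcard mask: a 0 bit must equal the base, a 1 bit is don't-care."""
    a = int(ipaddress.ip_address(address))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


# acl 2000 from the configuration above: (rule id, action, source, wildcard).
ACL_2000 = [
    (10, "permit", "192.168.10.0", "0.0.0.255"),
    (20, "permit", "192.168.20.0", "0.0.0.255"),
    (30, "permit", "192.168.30.0", "0.0.0.255"),
]


def acl_permits(acl, source):
    """Rules are evaluated in rule-id order; the first match decides, and a
    packet matching no rule hits the implicit deny at the end of the ACL."""
    for _, action, base, wildcard in sorted(acl, key=lambda rule: rule[0]):
        if wildcard_match(source, base, wildcard):
            return action == "permit"
    return False


def address_pool(first, last):
    """Expand 'nat address-group 1 100.1.1.3 100.1.1.5' into its addresses."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


class NatOutbound:
    """nat outbound <acl> address-group <n>: translate permitted sources to a
    pool address plus a fresh port and keep a session so replies can return."""

    def __init__(self, acl, pool, first_port=1024):
        self.acl = acl
        self.pool = pool
        self.next_port = first_port  # assumption: sequential port allocation
        self.pool_index = 0          # assumption: round-robin pool selection
        # (public ip, public port) -> (private ip, private port, peer ip, peer port)
        self.sessions = {}

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Outbound packet: return the new (src_ip, src_port), or None when the
        ACL denies the source, in which case no translation takes place."""
        if not acl_permits(self.acl, src_ip):
            return None
        public_ip = self.pool[self.pool_index % len(self.pool)]
        self.pool_index += 1
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(public_ip, public_port)] = (src_ip, src_port, dst_ip, dst_port)
        return public_ip, public_port

    def untranslate(self, dst_ip, dst_port, src_ip, src_port):
        """Inbound packet to a pool address: restore the private destination
        only for an existing session with the same peer; unsolicited inbound
        traffic, or a different peer hitting the port, is dropped."""
        session = self.sessions.get((dst_ip, dst_port))
        if session is None or session[2:] != (src_ip, src_port):
            return None
        return session[0], session[1]


if __name__ == "__main__":
    nat = NatOutbound(ACL_2000, address_pool("100.1.1.3", "100.1.1.5"))
    print(nat.translate("192.168.10.10", 40000, "200.1.1.1", 80))  # permitted
    print(nat.translate("192.168.40.10", 40000, "200.1.1.1", 80))  # implicit deny
    print(nat.untranslate("100.1.1.3", 1024, "200.1.1.1", 80))     # reply to session
```

Two practical points follow from the model. A source the ACL denies is simply not translated; the router still routes the packet, so it leaves g0/0/2 with its private source and is discarded upstream. If the requirement is to block those departments rather than just leave them untranslated, filter them explicitly on the outbound interface as well. For the Easy-IP variant the requirements mention, apply `nat outbound 2000` on g0/0/2 without the `address-group` keyword; the interface address 100.1.1.1 is then used as the single public address.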
### 3. VRRP uplink interface tracking
With `track interface ... reduced 50`, the master's VRRP priority drops by 50 as soon as its uplink to AR1 goes down, so the backup takes over the virtual gateway. Without this, the switch would stay master while its Vlanif 15 or 16 (whose only member port is g0/0/4) goes down and its default route is withdrawn, black-holing all outbound traffic from the VLAN. The reduction must be larger than the priority gap between master and backup configured in the project B file, otherwise the switchover never happens.
- **HX (core) - SW5**
```
[SW5]int vlan 10
[SW5-Vlanif10]vrrp vrid 10 track int g0/0/4 reduced 50
[SW5-Vlanif10]int vlan 20
[SW5-Vlanif20]vrrp vrid 20 track int g0/0/4 reduced 50
```
- **HX (core) - SW6**
```
[SW6]int Vlanif 30
[SW6-Vlanif30]vrrp vrid 30 track int g0/0/4 reduced 50
```
### 4. Testing
- **PC1 pings Server1** (ttl=252 corresponds to three routed hops between the server and PC1, the core switch, AR1 and AR2, if the server starts at 255; the replies only reach PC1 because AR1 holds a NAT session for the translated source)
```
PC1>ping 200.1.1.1
Ping 200.1.1.1: 32 data bytes, Press Ctrl_C to break
From 200.1.1.1: bytes=32 seq=1 ttl=252 time=79 ms
From 200.1.1.1: bytes=32 seq=2 ttl=252 time=78 ms
From 200.1.1.1: bytes=32 seq=3 ttl=252 time=78 ms
From 200.1.1.1: bytes=32 seq=4 ttl=252 time=78 ms
From 200.1.1.1: bytes=32 seq=5 ttl=252 time=62 ms
--- 200.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/75/79 ms
```