0. Overview
1) Site
- The experiment centre has close to ten computer rooms and more than ten laboratories. Each computer room holds nearly a hundred student machines; each laboratory holds between a dozen and several dozen networked devices.
- The experiment centre has one teachers' office.
- The experiment centre has one central equipment room, which houses the core network devices and the servers.
- Besides the wired network, the centre also runs a wireless LAN. The APs are configured and managed through an AC, which sits in the central equipment room.
2) Design requirements
- For teaching reasons every laboratory/computer room is its own broadcast domain, and the wired and wireless networks inside one room belong to the same broadcast domain.
- Centralised, remote configuration management of every network device and server in the centre.
- A network-wide operations monitoring system giving centralised, remote, visual monitoring of every network device and server.
- A network-wide authentication system: every computer room/laboratory must authenticate before entering the centre network. The accounts used for authentication are chosen by the students themselves.
3) Services
- DHCP: a DHCP server inside the centre manages IP addresses for the whole network.
- NTP: an NTP server inside the centre keeps every device's clock in sync.
- DNS: a DNS server inside the centre resolves names for the centre's internal network.
- FTP: an FTP server inside the centre. Some rooms/laboratories may reach it; the other rooms may not. Users in one designated campus-network segment (100.64.201.0/24) may also reach it.
4) Campus-network access
- Addressing: besides internal communication, the centre network must connect to the campus network. On application, the university network centre assigned the experiment centre the address block 100.64.200.1/26.
- Access method: the centre connects to the campus network through NAT. In addition, the administrators want each computer room's network (private addresses) translated to a different, fixed external address rather than everything many-to-one: for example, all hosts in room 1 appear as 100.64.200.10 on the campus network, all hosts in room 2 as 100.64.200.11, all hosts in room 3 as 100.64.200.12, and so on.
- Access policy: the office may always reach the campus network; computer rooms and laboratories may reach it only during working hours. (Note that authentication must succeed before campus-network access is granted.)
1. Network planning
1) Topology design


2) Device selection
| Device | Model | Interface cards |
| Firewall | USG6000V | |
| Border router | AR2220 | 2*4GEW-T |
| Server router | AR2220 | 1*4GEW-T, 1*24GE |
| Classroom router | AR2240 | 1*4GEW-T, 2*24GE |
| Routing switch (layer 3) | S5700 | |
| Switch (layer 2) | S3700 | |
| AC | AC6605 | |
| AP | AP3030 | |



3) Device naming
The prefix gives the area: A is the border, B the server area, C-n the classrooms (computer rooms and laboratories numbered together), T the office.
| Role | Name |
| Border router | A-R |
| Server router | B-R |
| Server firewall | B-FW |
| Server routing switch | B-RS |
| Classroom router | C-R |
| Room 1 firewall | C-1-FW |
| Room 1 routing switch | C-1-RS |
| Room 1 switch 1 | C-1-SW-1 |
| Room 1 switch 2 | C-1-SW-2 |
| Room 1 AP | C-1-AP |
| Laboratory 1 firewall | C-2-FW |
| Office firewall | T-FW |
| Office routing switch | T-RS |
| Office AP | T-AP |
4) Interfaces, IP addresses and VLANs
All classrooms (computer rooms, laboratories, office)
| Room | Subnet | VLAN ID | Gateway | SW-1 management interface | SW-2 management interface |
| C-1 (room 1) | 192.168.0.0/24 | 10 | C-1-RS Vlanif 10, 192.168.0.1 | C-1-SW-1 Vlanif 10, 192.168.0.200 | C-1-SW-2 Vlanif 10, 192.168.0.201 |
| C-2 (laboratory 1) | 192.168.1.0/24 | 10 | C-2-RS Vlanif 10, 192.168.1.1 | C-2-SW-1 Vlanif 10, 192.168.1.200 | C-2-SW-2 Vlanif 10, 192.168.1.201 |
Classroom WLAN (AP management segments)
| Segment | Subnet | VLAN ID | Gateway |
| C-1-RS ~ C-1-AP-X | 10.0.10.0/29 | 2000 | C-1-RS Vlanif 2000, 10.0.10.1 |
| C-2-RS ~ C-2-AP-X | 10.0.10.8/29 | 2000 | C-2-RS Vlanif 2000, 10.0.10.9 |
These /29s carry only AP management and CAPWAP traffic. Wireless clients are placed in VLAN 10 by the VAP (direct forwarding), so they share the room's broadcast domain with the wired hosts, as required.
Classroom uplinks to the network preparation room, C-R ~ C-X-RS
Every room's uplink passes through that room's own firewall, so all of a room's traffic crosses a policy enforcement point.
| Interface | Address | Mode |
| C-R GE8/0/0 | Vlanif 100, 10.0.0.1/30 | access, VLAN 100 |
| C-1-FW GE1/0/0 | 10.0.0.2/30 | routed |
| C-1-FW GE1/0/1 | 10.0.100.1/30 | routed |
| C-1-RS GE0/0/24 | Vlanif 100, 10.0.100.2/30 | access, VLAN 100 |
| C-1-FW LoopBack 0 | 10.0.255.1/32 | management |
| C-R GE8/0/1 | Vlanif 101, 10.0.0.5/30 | access, VLAN 101 |
| C-2-FW GE1/0/0 | 10.0.0.6/30 | routed |
| C-2-FW GE1/0/1 | 10.0.100.5/30 | routed |
| C-2-RS GE0/0/24 | Vlanif 100, 10.0.100.6/30 | access, VLAN 100 |
| C-2-FW LoopBack 0 | 10.0.255.2/32 | management |
Core router interconnect
10.1.0.0/24, one /30 per router-to-router link.
The links between A-R, B-R and C-R form OSPF area 0; the server side behind B-R is area 2; the classroom side behind C-R is area 1.
| C-R GE6/0/0 | B-R GE6/0/0 |
| 10.1.0.1/30 | 10.1.0.2/30 |
| B-R GE6/0/1 | A-R GE6/0/0 |
| 10.1.0.5/30 | 10.1.0.6/30 |
| A-R GE6/0/1 | C-R GE6/0/1 |
| 10.1.0.9/30 | 10.1.0.10/30 |
Server area uplink to the core router
| Interface | Address | Mode |
| B-R GE5/0/0 | Vlanif 200, 10.0.1.1/30 | access, VLAN 200 |
| B-FW GE1/0/0 | 10.0.1.2/30 | routed |
| B-FW GE1/0/1 | 10.0.200.1/30 | routed |
| B-RS GE0/0/24 | Vlanif 200, 10.0.200.2/30 | access, VLAN 200 |
| B-FW LoopBack 0 | 10.0.254.1/32 | management |
Server routing switch ~ servers
One VLAN and one /24 per server, with the gateway on B-RS:
| Server | Address | Gateway (on B-RS) | B-RS port |
| FTP | 172.16.0.10/24 | Vlanif 1000, 172.16.0.1/24 | GE0/0/1 |
| DHCP | 172.16.1.10/24 | Vlanif 1001, 172.16.1.1/24 | GE0/0/2 |
| DNS | 172.16.2.10/24 | Vlanif 1002, 172.16.2.1/24 | GE0/0/3 |
| NTP | 172.16.3.10/24 | Vlanif 1003, 172.16.3.1/24 | GE0/0/4 |
| Management | 172.16.4.10/24 | Vlanif 1004, 172.16.4.1/24 | GE0/0/5 |
| SNMP (Cacti) | 172.16.5.10/24 | Vlanif 1005, 172.16.5.1/24 | GE0/0/6 |
| RADIUS | 172.16.6.10/24 | Vlanif 1006, 172.16.6.1/24 | GE0/0/7 |
| AC | 172.16.50.10/24 | Vlanif 2000, 172.16.50.1/24 | GE0/0/23 |
Giving each server its own VLAN means inter-server traffic is routed by B-RS and can be filtered there, instead of being switched freely inside one shared VLAN. The B-RS side of the AC's VLAN 2000 (Vlanif 2000 and GE0/0/23) does not appear in the transcripts below; it follows the same pattern as the other server VLANs.
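The tables above are easy to get wrong by hand (the same /30 host address on both ends of a link, an address reused on a second device). The following is an added example, not part of the original page: it encodes the corrected plan as data and lints it with the standard library only. The `PLAN` list is constructed from the tables above.

```python
"""Lint the address plan: point-to-point /30s, duplicates and overlaps.

Added example, not part of the original page. Every address must be unique, no
address may be a network or broadcast address, every /30 link must have exactly
two endpoints on two different devices, and no two subnets may overlap.
"""
import ipaddress
from collections import defaultdict

# Constructed from the plan tables above: (device, interface, address/prefix).
PLAN = [
    # core router interconnect, one /30 per link
    ("C-R", "GE6/0/0", "10.1.0.1/30"), ("B-R", "GE6/0/0", "10.1.0.2/30"),
    ("B-R", "GE6/0/1", "10.1.0.5/30"), ("A-R", "GE6/0/0", "10.1.0.6/30"),
    ("A-R", "GE6/0/1", "10.1.0.9/30"), ("C-R", "GE6/0/1", "10.1.0.10/30"),
    # C-R -> C-1-FW -> C-1-RS
    ("C-R", "Vlanif100", "10.0.0.1/30"), ("C-1-FW", "GE1/0/0", "10.0.0.2/30"),
    ("C-1-FW", "GE1/0/1", "10.0.100.1/30"), ("C-1-RS", "Vlanif100", "10.0.100.2/30"),
    ("C-1-FW", "LoopBack0", "10.0.255.1/32"),
    # C-R -> C-2-FW -> C-2-RS
    ("C-R", "Vlanif101", "10.0.0.5/30"), ("C-2-FW", "GE1/0/0", "10.0.0.6/30"),
    ("C-2-FW", "GE1/0/1", "10.0.100.5/30"), ("C-2-RS", "Vlanif100", "10.0.100.6/30"),
    ("C-2-FW", "LoopBack0", "10.0.255.2/32"),
    # B-R -> B-FW -> B-RS
    ("B-R", "Vlanif200", "10.0.1.1/30"), ("B-FW", "GE1/0/0", "10.0.1.2/30"),
    ("B-FW", "GE1/0/1", "10.0.200.1/30"), ("B-RS", "Vlanif200", "10.0.200.2/30"),
    ("B-FW", "LoopBack0", "10.0.254.1/32"),
    # classroom LANs and AP management segments
    ("C-1-RS", "Vlanif10", "192.168.0.1/24"), ("C-1-SW-1", "Vlanif10", "192.168.0.200/24"),
    ("C-1-SW-2", "Vlanif10", "192.168.0.201/24"), ("C-1-RS", "Vlanif2000", "10.0.10.1/29"),
    ("C-2-RS", "Vlanif10", "192.168.1.1/24"), ("C-2-SW-1", "Vlanif10", "192.168.1.200/24"),
    ("C-2-RS", "Vlanif2000", "10.0.10.9/29"),
]


def lint(plan):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    owner = {}                    # address -> "device interface"
    members = defaultdict(list)   # subnet -> [(device, interface, address)]
    for dev, ifname, cidr in plan:
        iface = ipaddress.ip_interface(cidr)
        ip, net = iface.ip, iface.network
        where = f"{dev} {ifname}"
        if ip in owner:
            problems.append(f"duplicate address {ip}: {owner[ip]} and {where}")
        owner[ip] = where
        if net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
            problems.append(f"{where}: {ip} is the network/broadcast address of {net}")
        members[net].append((dev, ifname, ip))
    # a /30 link must have exactly two distinct endpoints on two distinct devices
    for net, ends in members.items():
        if net.prefixlen == 30:
            devs = {d for d, _, _ in ends}
            ips = {a for _, _, a in ends}
            if len(ends) != 2 or len(devs) != 2 or len(ips) != 2:
                problems.append(f"{net}: expected two endpoints on two devices, got {ends}")
    # no two distinct subnets may overlap
    nets = sorted(members)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"overlapping subnets {a} and {b}")
    return problems


def with_typo(plan, dev, ifname, cidr):
    """Copy of the plan with one interface's address replaced, to show what lint catches."""
    return [(d, i, cidr if (d, i) == (dev, ifname) else c) for d, i, c in plan]


if __name__ == "__main__":
    print("plan:", lint(PLAN) or "OK")
    # the slip in the uncorrected core-link table: 10.1.0.2/30 typed on both ends
    for p in lint(with_typo(PLAN, "C-R", "GE6/0/0", "10.1.0.2/30")):
        print("typo:", p)
```

Running it on the corrected plan reports nothing; re-introducing either of the original table slips (10.1.0.2/30 on both ends of the C-R/B-R link, or 10.0.0.2/30 on C-1-RS as well as C-1-FW) produces a duplicate-address finding plus a broken /30.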
2. Simulation
1) Basic network-wide connectivity
1. Configure a computer room / laboratory, taking room 1 as the example

Configure the layer-2 switch C-1-SW-1
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname C-1-SW-1
//create the management interface (Vlanif 10, in the room's VLAN)
[C-1-SW-1]vlan 10
[C-1-SW-1-vlan10]quit
[C-1-SW-1]interface Vlanif 10
[C-1-SW-1-Vlanif10]ip address 192.168.0.200 24
[C-1-SW-1-Vlanif10]quit
[C-1-SW-1]interface GigabitEthernet 0/0/1
[C-1-SW-1-GigabitEthernet0/0/1]port link-type access
[C-1-SW-1-GigabitEthernet0/0/1]port default vlan 10
[C-1-SW-1-GigabitEthernet0/0/1]quit
//default route so the management interface is reachable from other subnets
[C-1-SW-1]ip route-static 0.0.0.0 0 192.168.0.1
Configure the routing switch C-1-RS
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname C-1-RS
[C-1-RS]vlan 10
[C-1-RS-vlan10]quit
[C-1-RS]interface Vlanif 10
[C-1-RS-Vlanif10]ip address 192.168.0.1 24
[C-1-RS-Vlanif10]quit
[C-1-RS]vlan 100
[C-1-RS-vlan100]quit
[C-1-RS]interface Vlanif 100
[C-1-RS-Vlanif100]ip address 10.0.100.2 30
[C-1-RS-Vlanif100]quit
[C-1-RS]interface GigabitEthernet 0/0/1
[C-1-RS-GigabitEthernet0/0/1]port link-type access
[C-1-RS-GigabitEthernet0/0/1]port default vlan 10
[C-1-RS-GigabitEthernet0/0/1]quit
[C-1-RS]interface GigabitEthernet 0/0/24
[C-1-RS-GigabitEthernet0/0/24]port link-type access
[C-1-RS-GigabitEthernet0/0/24]port default vlan 100
[C-1-RS-GigabitEthernet0/0/24]quit
//advertise the room subnet and the firewall link in OSPF area 1
[C-1-RS]ospf 1
[C-1-RS-ospf-1]area 1
[C-1-RS-ospf-1-area-0.0.0.1]network 192.168.0.0 0.0.0.255
[C-1-RS-ospf-1-area-0.0.0.1]network 10.0.100.0 0.0.0.3
[C-1-RS-ospf-1-area-0.0.0.1]quit
[C-1-RS-ospf-1]quit
Configure the firewall C-1-FW
The firewall's default account is admin with password Admin@123; the password must be changed at first login.
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info-center enable
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]sysname C-1-FW
[C-1-FW]interface GigabitEthernet 1/0/0
[C-1-FW-GigabitEthernet1/0/0]ip address 10.0.0.2 30
//permit every management service (ping, SSH, HTTPS, ...) on this interface; it faces the core, so outside a lab restrict this to the management subnet or use the loopback
[C-1-FW-GigabitEthernet1/0/0]service-manage all permit
[C-1-FW-GigabitEthernet1/0/0]quit
[C-1-FW]interface GigabitEthernet 1/0/1
[C-1-FW-GigabitEthernet1/0/1]ip address 10.0.100.1 30
[C-1-FW-GigabitEthernet1/0/1]quit
[C-1-FW]ospf 1
[C-1-FW-ospf-1]area 1
[C-1-FW-ospf-1-area-0.0.0.1]network 10.0.0.0 0.0.0.3
[C-1-FW-ospf-1-area-0.0.0.1]network 10.0.100.0 0.0.0.3
[C-1-FW-ospf-1-area-0.0.0.1]quit
//zones plus a permit-all policy so the room can reach everything for now; section 3 below tightens it
[C-1-FW]firewall zone trust
[C-1-FW-zone-trust]add interface GigabitEthernet 1/0/1
[C-1-FW-zone-trust]quit
[C-1-FW]firewall zone untrust
[C-1-FW-zone-untrust]add interface GigabitEthernet 1/0/0
[C-1-FW-zone-untrust]quit
[C-1-FW]security-policy
[C-1-FW-policy-security]rule name allow-any
[C-1-FW-policy-security-rule-allow-any]source-address any
[C-1-FW-policy-security-rule-allow-any]destination-address any
[C-1-FW-policy-security-rule-allow-any]service any
[C-1-FW-policy-security-rule-allow-any]action permit
[C-1-FW-policy-security-rule-allow-any]quit
[C-1-FW-policy-security]quit
//loopback used as the device's management address and as its RADIUS client address
[C-1-FW]interface LoopBack 0
[C-1-FW-LoopBack0]ip address 10.0.255.1 32
[C-1-FW-LoopBack0]quit
2. Configure the routers

C-R
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname C-R
[C-R]vlan 100
[C-R-vlan100]quit
[C-R]interface Vlanif 100
[C-R-Vlanif100]ip address 10.0.0.1 30
[C-R-Vlanif100]quit
[C-R]interface GigabitEthernet 8/0/0
[C-R-GigabitEthernet8/0/0]port link-type access
[C-R-GigabitEthernet8/0/0]port default vlan 100
[C-R-GigabitEthernet8/0/0]quit
[C-R]interface GigabitEthernet 6/0/0
[C-R-GigabitEthernet6/0/0]ip address 10.1.0.1 30
[C-R-GigabitEthernet6/0/0]quit
[C-R]interface GigabitEthernet 6/0/1
[C-R-GigabitEthernet6/0/1]ip address 10.1.0.10 30
[C-R-GigabitEthernet6/0/1]quit
[C-R]ospf 1
[C-R-ospf-1]area 0
[C-R-ospf-1-area-0.0.0.0]network 10.1.0.10 0.0.0.3
[C-R-ospf-1-area-0.0.0.0]network 10.1.0.1 0.0.0.3
[C-R-ospf-1-area-0.0.0.0]quit
[C-R-ospf-1]area 1
[C-R-ospf-1-area-0.0.0.1]network 10.0.0.0 0.0.0.255
[C-R-ospf-1-area-0.0.0.1]quit
[C-R-ospf-1]quit
//make the firewall's management loopback reachable: static route towards the firewall
[C-R]ip route-static 10.0.255.1 32 10.0.0.2
//the static route is not redistributed, so C-R advertises a default route and the rest of the network reaches 10.0.255.x through it;
//A-R advertises a default as well (section 2), so from B-R the path to the loopbacks is not guaranteed. Redistributing the static
//route into OSPF on C-R, or advertising LoopBack 0 in OSPF on the firewall itself, would be the cleaner fix
[C-R]ospf 1
[C-R-ospf-1]default-route-advertise always
[C-R-ospf-1]quit
B-R
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname B-R
[B-R]interface GigabitEthernet 6/0/0
[B-R-GigabitEthernet6/0/0]ip address 10.1.0.2 30
[B-R-GigabitEthernet6/0/0]quit
[B-R]interface GigabitEthernet 6/0/1
[B-R-GigabitEthernet6/0/1]ip address 10.1.0.5 30
[B-R-GigabitEthernet6/0/1]quit
[B-R]vlan 200
[B-R-vlan200]quit
[B-R]interface Vlanif 200
[B-R-Vlanif200]ip address 10.0.1.1 30
[B-R-Vlanif200]quit
[B-R]interface GigabitEthernet 5/0/0
[B-R-GigabitEthernet5/0/0]port link-type access
//an access port carries a single untagged VLAN; "port trunk allow-pass" does not apply to it
[B-R-GigabitEthernet5/0/0]port default vlan 200
[B-R-GigabitEthernet5/0/0]quit
[B-R]ospf 1
[B-R-ospf-1]area 0
[B-R-ospf-1-area-0.0.0.0]network 10.1.0.5 0.0.0.3
[B-R-ospf-1-area-0.0.0.0]network 10.1.0.2 0.0.0.3
[B-R-ospf-1-area-0.0.0.0]quit
[B-R-ospf-1]area 2
[B-R-ospf-1-area-0.0.0.2]network 10.0.1.1 0.0.0.3
[B-R-ospf-1-area-0.0.0.2]quit
[B-R-ospf-1]quit
A-R
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname A-R
[A-R]interface GigabitEthernet 6/0/0
[A-R-GigabitEthernet6/0/0]ip address 10.1.0.6 30
[A-R-GigabitEthernet6/0/0]quit
[A-R]interface GigabitEthernet 6/0/1
[A-R-GigabitEthernet6/0/1]ip address 10.1.0.9 30
[A-R-GigabitEthernet6/0/1]quit
[A-R]ospf 1
[A-R-ospf-1]area 0
[A-R-ospf-1-area-0.0.0.0]network 10.1.0.6 0.0.0.3
[A-R-ospf-1-area-0.0.0.0]network 10.1.0.9 0.0.0.3
3. Configure the network preparation room (server area)

B-FW
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info-center enable
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]sysname B-FW
[B-FW]interface GigabitEthernet 1/0/0
[B-FW-GigabitEthernet1/0/0]ip address 10.0.1.2 30
[B-FW-GigabitEthernet1/0/0]service-manage all permit
[B-FW-GigabitEthernet1/0/0]quit
[B-FW]interface GigabitEthernet 1/0/1
[B-FW-GigabitEthernet1/0/1]ip address 10.0.200.1 30
[B-FW-GigabitEthernet1/0/1]service-manage all permit
[B-FW-GigabitEthernet1/0/1]quit
//the rest of B-FW mirrors C-1-FW and is needed before the server area is reachable: OSPF area 2 on both links,
//GE1/0/1 in zone trust and GE1/0/0 in zone untrust, LoopBack 0 as 10.0.254.1/32, and the same allow-any
//security policy (section 3 later removes and re-creates that rule on B-FW)
Routing switch B-RS
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname B-RS
[B-RS]vlan 200
[B-RS-vlan200]quit
[B-RS]interface Vlanif 200
[B-RS-Vlanif200]ip address 10.0.200.2 30
[B-RS-Vlanif200]quit
[B-RS]interface GigabitEthernet 0/0/24
[B-RS-GigabitEthernet0/0/24]port link-type access
[B-RS-GigabitEthernet0/0/24]port default vlan 200
[B-RS-GigabitEthernet0/0/24]quit
//create the server VLANs
[B-RS]vlan batch 1000 to 1050
//FTP server port
[B-RS]interface Vlanif 1000
[B-RS-Vlanif1000]ip address 172.16.0.1 24
[B-RS-Vlanif1000]quit
[B-RS]interface GigabitEthernet 0/0/1
[B-RS-GigabitEthernet0/0/1]port link-type access
[B-RS-GigabitEthernet0/0/1]port default vlan 1000
[B-RS-GigabitEthernet0/0/1]quit
[B-RS]ospf 1
[B-RS-ospf-1]area 2
[B-RS-ospf-1-area-0.0.0.2]network 172.16.0.0 0.0.255.255
[B-RS-ospf-1-area-0.0.0.2]network 10.0.200.0 0.0.0.3
[B-RS-ospf-1-area-0.0.0.2]quit
[B-RS-ospf-1]quit
AC
<AC6605>system-view
Enter system view, return user view with Ctrl+Z.
[AC6605]undo info-center enable
Info: Information center is disabled.
[AC6605]sysname AC
[AC]vlan 2000
[AC-vlan2000]quit
[AC]interface Vlanif 2000
[AC-Vlanif2000]ip address 172.16.50.10 24
[AC-Vlanif2000]quit
[AC]interface GigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1]port link-type access
[AC-GigabitEthernet0/0/1]port default vlan 2000
[AC-GigabitEthernet0/0/1]quit
[AC]capwap source interface Vlanif 2000
[AC]ip route-static 0.0.0.0 0 172.16.50.1
Build the FTP server with the eNSP built-in Server device

Choose a folder and start the FTP server
4. Configure the wireless LAN
C-1-RS
[C-1-RS]dhcp enable
//AP-facing port: AP management VLAN 2000 untagged (pvid), client VLAN 10 tagged
[C-1-RS]interface GigabitEthernet 0/0/23
[C-1-RS-GigabitEthernet0/0/23]port link-type trunk
[C-1-RS-GigabitEthernet0/0/23]port trunk pvid vlan 2000
[C-1-RS-GigabitEthernet0/0/23]port trunk allow-pass vlan 10 2000
[C-1-RS-GigabitEthernet0/0/23]quit
[C-1-RS]vlan 2000
[C-1-RS-vlan2000]quit
[C-1-RS]interface Vlanif 2000
[C-1-RS-Vlanif2000]ip address 10.0.10.1 29
//the AC hands out the AP management addresses (pool below), so relay to it
[C-1-RS-Vlanif2000]dhcp select relay
[C-1-RS-Vlanif2000]dhcp relay server-ip 172.16.50.10
[C-1-RS-Vlanif2000]quit
[C-1-RS]ospf 1
[C-1-RS-ospf-1]area 1
[C-1-RS-ospf-1-area-0.0.0.1]network 10.0.10.0 0.0.0.7
[C-1-RS-ospf-1-area-0.0.0.1]quit
[C-1-RS-ospf-1]quit
AC
[AC]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
//DHCP pool for room 1's APs; option 43 sub-option 2 tells the AP the AC's address for CAPWAP discovery
[AC]ip pool pool-C-1
[AC-ip-pool-pool-C-1]network 10.0.10.0 mask 29
[AC-ip-pool-pool-C-1]gateway-list 10.0.10.1
[AC-ip-pool-pool-C-1]option 43 sub-option 2 ip-address 172.16.50.10
[AC-ip-pool-pool-C-1]quit
[AC]interface Vlanif 2000
[AC-Vlanif2000]dhcp select global
[AC-Vlanif2000]quit
[AC]wlan
[AC-wlan-view]regulatory-domain-profile name domain-cfg
[AC-wlan-regulate-domain-domain-cfg]country-code cn
Info: The current country code is same with the input country code.
[AC-wlan-regulate-domain-domain-cfg]quit
[AC-wlan-view]ap auth-mode mac-auth
[AC-wlan-view]ap-group name ap-group-cfg
Info: This operation may take a few seconds. Please wait for a moment.done.
[AC-wlan-ap-group-ap-group-cfg]regulatory-domain-profile domain-cfg
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group-cfg]quit
//add C-1-AP-1 (admitted by MAC address, per "ap auth-mode mac-auth" above)
[AC-wlan-view]ap-id 1 ap-mac 00e0-fc97-0dc0
[AC-wlan-ap-1]ap-name C-1-AP-1
[AC-wlan-ap-1]ap-group ap-group-cfg
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-1]quit
//one shared PSK per room; per-user authentication happens at the room firewall (section 3.5)
[AC-wlan-view]security-profile name sec-cfg
[AC-wlan-sec-prof-sec-cfg]security wpa-wpa2 psk pass-phrase abcd1111 aes
[AC-wlan-sec-prof-sec-cfg]quit
[AC-wlan-view]ssid-profile name ssid-cfg-1
[AC-wlan-ssid-prof-ssid-cfg-1]ssid wifi-2.4G
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-ssid-cfg-1]quit
[AC-wlan-view]ssid-profile name ssid-cfg-2
[AC-wlan-ssid-prof-ssid-cfg-2]ssid wifi-5G
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-ssid-prof-ssid-cfg-2]quit
[AC-wlan-view]vap-profile name vap-cfg-1
[AC-wlan-vap-prof-vap-cfg-1]forward-mode direct-forward
[AC-wlan-vap-prof-vap-cfg-1]service-vlan vlan-id 10
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-vap-cfg-1]security-profile sec-cfg
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-vap-cfg-1]ssid-profile ssid-cfg-1
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-view]vap-profile name vap-cfg-2
[AC-wlan-vap-prof-vap-cfg-2]forward-mode direct-forward
[AC-wlan-vap-prof-vap-cfg-2]service-vlan vlan-id 10
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-vap-cfg-2]security-profile sec-cfg
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-vap-cfg-2]ssid-profile ssid-cfg-2
Info: This operation may take a few seconds, please wait.done.
[AC-wlan-vap-prof-vap-cfg-2]quit
[AC-wlan-view]ap-group name ap-group-cfg
[AC-wlan-ap-group-ap-group-cfg]vap-profile vap-cfg-1 wlan 1 radio 0
Info: This operation may take a few seconds, please wait...done.
[AC-wlan-ap-group-ap-group-cfg]vap-profile vap-cfg-2 wlan 1 radio 1
Info: This operation may take a few seconds, please wait...done.
[AC-wlan-ap-group-ap-group-cfg]quit
2) Connecting to the external network through NAT
1. Simulating the campus network

A router stands in for the campus network: add router Z-R (model AR1220) with a 4GEW-T interface card.
Connect Z-R GE2/0/0 to A-R GE4/0/0.
Z-R
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname Z-R
[Z-R]interface GigabitEthernet 2/0/0
[Z-R-GigabitEthernet2/0/0]ip address 100.64.200.1 26
[Z-R-GigabitEthernet2/0/0]quit
A-R
[A-R]interface GigabitEthernet 4/0/0
[A-R-GigabitEthernet4/0/0]ip address 100.64.200.2 26
[A-R-GigabitEthernet4/0/0]quit
//all server-area traffic leaves as 100.64.200.5
[A-R]nat address-group 1 100.64.200.5 100.64.200.5
[A-R]acl 2000
[A-R-acl-basic-2000]rule permit source 172.16.0.0 0.0.255.255
[A-R-acl-basic-2000]quit
//all room 1 traffic leaves as 100.64.200.10
[A-R]nat address-group 2 100.64.200.10 100.64.200.10
[A-R]acl 2001
[A-R-acl-basic-2001]rule permit source 192.168.0.0 0.0.0.255
[A-R-acl-basic-2001]quit
[A-R]interface GigabitEthernet 4/0/0
//no "no-pat" here: no-pat binds one global address to one inside host, so a single-address group would
//serve only one host of the room at a time; port translation is what lets the whole room share .10
[A-R-GigabitEthernet4/0/0]nat outbound 2000 address-group 1
[A-R-GigabitEthernet4/0/0]nat outbound 2001 address-group 2
[A-R-GigabitEthernet4/0/0]quit
//default route towards the campus network, advertised into OSPF
[A-R]ip route-static 0.0.0.0 0 100.64.200.1
[A-R]ospf 1
[A-R-ospf-1]default-route-advertise always
[A-R-ospf-1]quit
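To see why the per-room translation needs port translation, here is an added example (not the page's or Huawei's code) that models how a router applies `nat outbound <acl> address-group <n>` on the campus-facing interface: the first basic-ACL rule whose wildcard matches the source selects the address group, and the mode decides whether ports are rewritten. The rule table is constructed from A-R's ACLs and address groups above (including the lab 1 entry added later in section 2.4); the starting port number 10240 is an arbitrary assumption.

```python
"""Outbound NAT on A-R: one fixed global address per room, PAT versus NO-PAT.

Added example, not the page's or Huawei's code. Models first-match ACL selection
of an address group and the two translation modes.
"""
import ipaddress


def wildcard_match(ip, base, wildcard):
    """Basic-ACL semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    ip, base, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return (ip & ~wc) == (base & ~wc)


# A-R's rules, in ACL-number order: (source, wildcard, address group)  [constructed from the page]
A_R_RULES = [
    ("172.16.0.0",  "0.0.255.255", ["100.64.200.5"]),   # acl 2000 -> address-group 1 (servers)
    ("192.168.0.0", "0.0.0.255",   ["100.64.200.10"]),  # acl 2001 -> address-group 2 (room 1)
    ("192.168.1.0", "0.0.0.255",   ["100.64.200.11"]),  # acl 2002 -> address-group 3 (lab 1)
]


class NatOutbound:
    def __init__(self, rules, mode):
        assert mode in ("pat", "no-pat")
        self.rules, self.mode = rules, mode
        self.bindings = {}    # no-pat: inside ip -> global ip, held while the host has sessions
        self.sessions = {}    # pat: (inside ip, port) -> (global ip, port)
        self.next_port = {}   # pat: global ip -> next port to hand out (assumed allocator)

    def translate(self, src_ip, src_port):
        """Return (global ip, port) for an outbound flow, or None if the router must drop it."""
        for base, wc, pool in self.rules:
            if not wildcard_match(src_ip, base, wc):
                continue
            if self.mode == "no-pat":
                # one global address per inside host, port left unchanged
                if src_ip not in self.bindings:
                    free = [g for g in pool if g not in self.bindings.values()]
                    if not free:
                        return None          # pool exhausted: packet dropped
                    self.bindings[src_ip] = free[0]
                return self.bindings[src_ip], src_port
            key = (src_ip, src_port)
            if key not in self.sessions:
                g = pool[0]                  # every group on this page holds a single address
                port = self.next_port.get(g, 10240)
                self.next_port[g] = port + 1
                self.sessions[key] = (g, port)
            return self.sessions[key]
        return src_ip, src_port              # no ACL matched: forwarded untranslated


if __name__ == "__main__":
    no_pat = NatOutbound(A_R_RULES, "no-pat")
    print(no_pat.translate("192.168.0.10", 40000))   # ('100.64.200.10', 40000)
    print(no_pat.translate("192.168.0.11", 40001))   # None: a second room-1 host cannot get out
    pat = NatOutbound(A_R_RULES, "pat")
    print(pat.translate("192.168.0.10", 40000), pat.translate("192.168.0.11", 40000))
```

With `no-pat` the second host of room 1 gets nothing because the only address in the group is already bound; with port translation both hosts share 100.64.200.10 on different ports, which is what the requirement describes. Traffic that matches no ACL (the AP management segments, for example) is forwarded with its private source address, so the campus side should never see such packets unless an ACL is missing.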
2. Connecting eNSP to the public Internet (optional)
Because a live uplink tends to make eNSP unstable, this part is optional.

Create a Cloud device (named Bridge) and bind it to the host's wired NIC. Here that NIC sits in 192.168.0.0/24 with gateway 192.168.0.1; connect Z-R GE2/0/3 to Bridge. Note that this host LAN uses the same prefix as room 1 (192.168.0.0/24); room 1 hosts treat it as local and will never reach it, so pick a different room prefix if that matters.

Z-R
[Z-R]interface GigabitEthernet 2/0/3
[Z-R-GigabitEthernet2/0/3]ip address 192.168.0.50 24
[Z-R-GigabitEthernet2/0/3]quit
[Z-R]ip route-static 0.0.0.0 0 192.168.0.1
[Z-R]acl 2000
[Z-R-acl-basic-2000]rule permit source 100.64.200.0 0.0.0.63
[Z-R-acl-basic-2000]quit
[Z-R]interface GigabitEthernet 2/0/0
[Z-R-GigabitEthernet2/0/0]nat outbound 2000
[Z-R-GigabitEthernet2/0/0]quit
3) Simulating the servers with VMware Workstation and CentOS Stream 9
1. Create the template VM
VMware Workstation is now free for personal use.
CentOS Stream 9 installation image
Unless a step says otherwise, accept the defaults.








At the end of the wizard, customise the hardware and point the CD/DVD drive at the downloaded ISO image


Power on. A minimal install is recommended


Also tick "Allow" as shown in the screenshot

After the installation finishes, boot the VM and run:
dnf update
dnf install nano epel-release
//install nano and epel-release for later convenience
poweroff
//shut down
After shutdown, take a snapshot as shown

2. Build the DHCP server
Clone from the template


Boot the clone once cloning completes
dnf install dhcp-server
//install the DHCP server package
poweroff
Open the Virtual Network Editor and create a new adapter as shown (host-only, with VMware's own DHCP service for that VMnet switched off so it does not compete with dhcpd)

Then change the IP of the Windows VMnet10 adapter

Open the DHCP VM's settings and switch its adapter to VMnet10

Boot, and use nmtui to set the static address 172.16.1.10/24 with gateway 172.16.1.1

Reboot to apply the settings
firewall-cmd --permanent --zone=public --add-port=67/udp
systemctl restart firewalld
//allow DHCP through the host firewall
systemctl enable dhcpd
//start the DHCP service at boot
nano /etc/dhcp/dhcpd.conf
//edit the file as follows
default-lease-time 600;
max-lease-time 7200;
option domain-name-servers 172.16.2.10;
option ntp-servers 172.16.3.10;
# the server's own subnet: no range, but the stanza must exist so dhcpd serves on that interface
subnet 172.16.1.0 netmask 255.255.255.0 {
}
# room 1: requests arrive through the relay on C-1-RS (giaddr 192.168.0.1), which selects this subnet;
# .200 and .201 are the switches' management addresses, so the range stops at .199
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.2 192.168.0.199;
  option routers 192.168.0.1;
}
In eNSP create a Cloud device, bind it to VMnet10 as shown, and connect it to B-RS

Configure B-RS
[B-RS]interface Vlanif 1001
[B-RS-Vlanif1001]ip address 172.16.1.1 24
[B-RS-Vlanif1001]quit
[B-RS]interface GigabitEthernet 0/0/2
[B-RS-GigabitEthernet0/0/2]port link-type access
[B-RS-GigabitEthernet0/0/2]port default vlan 1001
[B-RS-GigabitEthernet0/0/2]quit
Configure C-1-RS: relay room 1's DHCP requests to the server
[C-1-RS]interface Vlanif 10
[C-1-RS-Vlanif10]dhcp select relay
[C-1-RS-Vlanif10]dhcp relay server-ip 172.16.1.10
[C-1-RS-Vlanif10]quit
3. Build the DNS server
Clone a DNS VM and boot it
dnf install bind
//install the BIND package
systemctl start named
systemctl enable named
poweroff
In eNSP create a Cloud device bound to VMnet11
Add the interface on B-RS
[B-RS]interface Vlanif 1002
[B-RS-Vlanif1002]ip address 172.16.2.1 24
[B-RS-Vlanif1002]quit
[B-RS]interface GigabitEthernet 0/0/3
[B-RS-GigabitEthernet0/0/3]port link-type access
[B-RS-GigabitEthernet0/0/3]port default vlan 1002
[B-RS-GigabitEthernet0/0/3]quit
Set the host's VMnet11 adapter to 172.16.2.20/24; on the DNS VM switch the adapter to VMnet11 and set the static address 172.16.2.10/24 with gateway 172.16.2.1
firewall-cmd --zone=public --add-port=53/udp --permanent
firewall-cmd --zone=public --add-port=53/tcp --permanent
systemctl restart firewalld
//open DNS on the host firewall
setenforce 0
//put SELinux in permissive mode for now (this reverts at reboot; with the zone file under /var/named the default policy also works)
nano /etc/named.conf
//change the two entries listen-on port 53 { 127.0.0.1; } and allow-query { localhost; } to { any; }; recursion stays on, which is acceptable only because the server is reachable from inside the centre alone

nano /etc/named.rfc1912.zones
Append a zone at the end of the file
zone "domain.com" IN {
type master;
file "domain.com.zone";
allow-update { none; };
};
nano /var/named/domain.com.zone
$TTL 1D
@ IN SOA ns.domain.com. root.domain.com. (
0 ;serial
1D ;refresh
1H ;retry
1W ;expire
3H) ;minimum
@ IN NS ns.domain.com.
ns IN A 172.16.2.10
ftp IN A 172.16.0.10
named-checkconf /etc/named.conf
named-checkzone domain.com /var/named/domain.com.zone
//zone domain.com/IN: loaded serial 0
//OK
systemctl restart named
4. Build the NTP server
Clone an NTP VM and boot it
dnf install chrony
systemctl start chronyd
systemctl enable chronyd
poweroff
In eNSP create a Cloud device bound to VMnet12
Add the interface on B-RS
[B-RS]interface Vlanif 1003
[B-RS-Vlanif1003]ip address 172.16.3.1 24
[B-RS-Vlanif1003]quit
[B-RS]interface GigabitEthernet 0/0/4
[B-RS-GigabitEthernet0/0/4]port link-type access
[B-RS-GigabitEthernet0/0/4]port default vlan 1003
[B-RS-GigabitEthernet0/0/4]quit
Set the host's VMnet12 adapter to 172.16.3.20/24; on the NTP VM switch the adapter to VMnet12 and set the static address 172.16.3.10/24 with gateway 172.16.3.1
nano /etc/chrony.conf
//comment out "pool 2.centos.pool.ntp.org iburst"
//add "server pool.ntp.org iburst" (upstream; it only synchronises when the optional Internet uplink is up, and an unsynchronised chronyd refuses to serve clients unless a "local stratum 10" line is added)
//add "allow 0.0.0.0/0" (serve everyone; tighter is to list the lab's own prefixes, 10.0.0.0/8, 172.16.0.0/16 and 192.168.0.0/16)
//the time-based firewall policy in section 3 and every log timestamp depend on this server

timedatectl set-ntp true
systemctl restart chronyd
firewall-cmd --zone=public --add-port=123/udp --permanent
systemctl restart firewalld
Configure the NTP client on the Linux hosts
Taking DNS as the example
nano /etc/chrony.conf
//comment out the pool line and add "server 172.16.3.10 iburst", as shown

systemctl restart chronyd
Configure the NTP client on the routers
Taking A-R as the example
[A-R]ntp-service unicast-server 172.16.3.10
[A-R]ntp-service enable
Configure the NTP client on the routing switches
Taking B-RS as the example
[B-RS]ntp-service unicast-server 172.16.3.10
[B-RS]undo ntp-service disable
Configure the NTP client on the layer-2 switches
Taking C-1-SW-1 as the example
[C-1-SW-1]ntp-service unicast-server 172.16.3.10
[C-1-SW-1]undo ntp-service disable
5. Connect the management machine
Create a Windows VM with PuTTY installed (other SSH clients are not recommended here: current OpenSSH releases reject the short RSA host keys and legacy algorithms these simulated devices offer) and attach its adapter to VMnet13
Set the host's VMnet13 adapter to 172.16.4.20/24; give the Windows VM the static address 172.16.4.10/24 with gateway 172.16.4.1
Add the interface on B-RS
[B-RS]interface Vlanif 1004
[B-RS-Vlanif1004]ip address 172.16.4.1 24
[B-RS-Vlanif1004]quit
[B-RS]interface GigabitEthernet 0/0/5
[B-RS-GigabitEthernet0/0/5]port link-type access
[B-RS-GigabitEthernet0/0/5]port default vlan 1004
[B-RS-GigabitEthernet0/0/5]quit
Configure SSH on the layer-2 switches
Taking C-1-SW-1 as the example
[C-1-SW-1]stelnet server enable
Info: Succeeded in starting the Stelnet server.
//only the management subnet may open VTY sessions
[C-1-SW-1]acl 2000
[C-1-SW-1-acl-basic-2000]rule permit source 172.16.4.0 0.0.0.255
[C-1-SW-1-acl-basic-2000]quit
[C-1-SW-1]user-interface vty 0 4
[C-1-SW-1-ui-vty0-4]authentication-mode aaa
[C-1-SW-1-ui-vty0-4]protocol inbound ssh
[C-1-SW-1-ui-vty0-4]acl 2000 inbound
[C-1-SW-1-ui-vty0-4]idle-timeout 3
[C-1-SW-1-ui-vty0-4]quit
[C-1-SW-1]ssh user user_ssh
Info: Succeeded in adding a new SSH user.
[C-1-SW-1]ssh user user_ssh authentication-type password
[C-1-SW-1]ssh user user_ssh service-type stelnet
//enter at least 1024 at the prompt (2048 preferred); the transcript below took the 512-bit default, which current SSH clients refuse
[C-1-SW-1]rsa local-key-pair create
The key name will be: C-1-SW-1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
..++++++++++++
......++++++++++++
........++++++++
..++++++++
[C-1-SW-1]aaa
[C-1-SW-1-aaa]local-user user_ssh password cipher abc@123
Info: Add a new user.
[C-1-SW-1-aaa]local-user user_ssh privilege level 15
[C-1-SW-1-aaa]local-user user_ssh service-type ssh
[C-1-SW-1-aaa]quit
Configure SSH on the routers
Taking B-R as the example
[B-R]stelnet server enable
[B-R]acl 2000
[B-R-acl-basic-2000]rule permit source 172.16.4.0 0.0.0.255
[B-R-acl-basic-2000]quit
[B-R]user-interface vty 0 4
[B-R-ui-vty0-4]authentication-mode aaa
[B-R-ui-vty0-4]protocol inbound ssh
[B-R-ui-vty0-4]acl 2000 inbound
[B-R-ui-vty0-4]idle-timeout 3
[B-R-ui-vty0-4]quit
[B-R]aaa
[B-R-aaa]local-user user_ssh password cipher abc@123
Info: Add a new user.
[B-R-aaa]local-user user_ssh privilege level 15
[B-R-aaa]local-user user_ssh service-type ssh
[B-R-aaa]quit
[B-R]rsa local-key-pair create
The key name will be: Host
% RSA keys defined for Host already exist.
Confirm to replace them? (y/n)[n]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
..........................++++++++++++
................++++++++++++
..................++++++++
.............++++++++
Configure SSH on the routing switches
Taking B-RS as the example
[B-RS]stelnet server enable
Info: Succeeded in starting the Stelnet server.
[B-RS]acl 2000
[B-RS-acl-basic-2000]rule permit source 172.16.4.0 0.0.0.255
[B-RS-acl-basic-2000]quit
[B-RS]user-interface vty 0 4
[B-RS-ui-vty0-4]authentication-mode aaa
[B-RS-ui-vty0-4]protocol inbound ssh
[B-RS-ui-vty0-4]acl 2000 inbound
[B-RS-ui-vty0-4]idle-timeout 3
[B-RS-ui-vty0-4]quit
[B-RS]ssh user user_ssh
Info: Succeeded in adding a new SSH user.
[B-RS]ssh user user_ssh authentication-type password
[B-RS]ssh user user_ssh service-type stelnet
[B-RS]rsa local-key-pair create
The key name will be: B-RS_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
...........++++++++++++
....++++++++++++
...........................++++++++
............++++++++
[B-RS]aaa
[B-RS-aaa]local-user user_ssh password cipher abc@123
Info: Add a new user.
[B-RS-aaa]local-user user_ssh privilege level 15
[B-RS-aaa]local-user user_ssh service-type ssh
[B-RS-aaa]quit
6. Network-wide SNMP collection with Cacti
Clone an SNMP VM and boot it
In eNSP create a Cloud device bound to VMnet14
Add the interface on B-RS
[B-RS]interface Vlanif 1005
[B-RS-Vlanif1005]ip address 172.16.5.1 24
[B-RS-Vlanif1005]quit
[B-RS]interface GigabitEthernet 0/0/6
[B-RS-GigabitEthernet0/0/6]port link-type access
[B-RS-GigabitEthernet0/0/6]port default vlan 1005
[B-RS-GigabitEthernet0/0/6]quit
Create the Cacti host; configure SNMP on the Linux hosts and the network devices; collect the data in Cacti. Use a non-default read-only community (or SNMPv3) and restrict it with an ACL to 172.16.5.0/24, as was done for SSH above.
See:
Experiment 7 – Cacti network-wide monitoring (based on Huawei eNSP & VMware Workstation Pro)
Note that the Cacti VM ends up on the VMnet14 adapter, with IP 172.16.5.10/24 and gateway 172.16.5.1
7. Build the RADIUS server and implement unified authentication
Clone a RADIUS VM and boot it
dnf install freeradius freeradius-utils
systemctl start radiusd
//if it fails to start, generate the default EAP certificates and try again:
//cd /etc/raddb/certs
//make
systemctl status radiusd
firewall-cmd --zone=public --add-port=1645/udp --permanent
firewall-cmd --zone=public --add-port=1646/udp --permanent
firewall-cmd --zone=public --add-port=1812/udp --permanent
firewall-cmd --zone=public --add-port=1813/udp --permanent
systemctl restart firewalld
//1812/1813 are the standard authentication/accounting ports; 1645/1646 are the legacy ones some NAS implementations still use
nano /etc/raddb/clients.conf
//register the NAS C-1-FW: requests must come from 10.0.255.1 (the firewall's loopback) and carry this secret, otherwise FreeRADIUS silently drops them
client C-1-FW {
ipaddr = 10.0.255.1
secret = secret2551
proto = *
}
nano /etc/raddb/mods-config/files/authorize
//add users (cleartext passwords in the flat users file are fine for a lab; production would use a backend such as LDAP or SQL)
stuuser1 Cleartext-Password := "abcd@1234"
teauser1 Cleartext-Password := "abcd@4321"
In eNSP create a Cloud device bound to VMnet15
Add the interface on B-RS
[B-RS]interface Vlanif 1006
[B-RS-Vlanif1006]ip address 172.16.6.1 24
[B-RS-Vlanif1006]quit
[B-RS]interface GigabitEthernet 0/0/7
[B-RS-GigabitEthernet0/0/7]port link-type access
[B-RS-GigabitEthernet0/0/7]port default vlan 1006
[B-RS-GigabitEthernet0/0/7]quit
Set the host's VMnet15 adapter to 172.16.6.20/24; on the RADIUS VM switch the adapter to VMnet15 and set the static address 172.16.6.10/24 with gateway 172.16.6.1
From the management machine, browse to 10.0.0.2 (the web UI of C-1-FW)
Enter the user name and password

Create a RADIUS server object as shown

Add the server and test connectivity
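The connectivity test above succeeds only when the firewall sources its requests from the address in `clients.conf` and both sides hold the same secret. The following added example (not the page's code, and not FreeRADIUS or Huawei code) carries out an RFC 2865 PAP exchange between a NAS and a server in-process: it shows how the shared secret hides the User-Password attribute and authenticates the server's reply, and what the NAS observes when the secret or client address is wrong. The client and user tables are constructed from the `clients.conf` and `authorize` entries above; the in-process server matches the NAS by its NAS-IP-Address attribute as a stand-in for the UDP source address FreeRADIUS actually checks.

```python
"""RADIUS PAP exchange between a NAS (the room firewall) and the RADIUS server.

Added example, not from the page. Standard library only; both sides run in-process,
so there is no network I/O.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def pap_encode(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with an MD5 chain keyed by the secret."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def pap_decode(cipher, secret, authenticator):
    pw, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        pw += bytes(a ^ b for a, b in zip(cipher[i:i + 16], _md5(secret, prev)))
        prev = cipher[i:i + 16]
    return pw.rstrip(b"\x00").decode(errors="replace")


def _attrs(pairs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        out[t] = data[i + 2:i + l]
        i += l
    return out


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """NAS side: Code(1) Identifier(1) Length(2) RequestAuthenticator(16) attributes."""
    ra = authenticator or os.urandom(16)
    attrs = _attrs([(USER_NAME, username.encode()),
                    (USER_PASSWORD, pap_encode(password, secret, ra)),
                    (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def radius_server(packet, clients, users):
    """Server side: find the client's secret, decode the password, check it, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    ra, attrs = packet[4:20], _parse_attrs(packet[20:length])
    nas_ip = ".".join(str(b) for b in attrs[NAS_IP_ADDRESS])
    secret = clients.get(nas_ip)
    if secret is None:
        return None                      # unknown client: dropped without a reply
    user = attrs[USER_NAME].decode()
    reply = ACCESS_ACCEPT if users.get(user) == pap_decode(attrs[USER_PASSWORD], secret, ra) else ACCESS_REJECT
    header = struct.pack("!BBH", reply, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here
    return header + _md5(header, ra, secret)


def nas_check_reply(reply, request, secret):
    """NAS side: reject replies whose Response Authenticator was not made with our secret."""
    if reply is None:
        return "timeout"
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    if _md5(header, request[4:20], attrs, secret) != resp_auth:
        return "forged-or-wrong-secret"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[reply[0]]


def authenticate(username, password, nas_ip, nas_secret, clients, users):
    req = build_access_request(7, username, password, nas_secret, nas_ip)
    return nas_check_reply(radius_server(req, clients, users), req, nas_secret)


# constructed from the clients.conf and authorize entries above
CLIENTS = {"10.0.255.1": b"secret2551"}
USERS = {"stuuser1": "abcd@1234", "teauser1": "abcd@4321"}

if __name__ == "__main__":
    print(authenticate("stuuser1", "abcd@1234", "10.0.255.1", b"secret2551", CLIENTS, USERS))
    print(authenticate("stuuser1", "abcd@1234", "10.0.255.1", b"typo", CLIENTS, USERS))
    print(authenticate("stuuser1", "abcd@1234", "10.0.255.2", b"secret2551", CLIENTS, USERS))
```

A mismatched secret does not produce an error message: the server decodes garbage, answers Access-Reject, and the NAS in turn cannot validate the Response Authenticator, which is why "test connectivity" on the firewall is the right first step. A NAS whose source address is not in `clients.conf` simply sees a timeout. The password protection is only an MD5 keystream keyed by the secret, so the secret's strength and the isolation of the RADIUS VLAN are what actually protect student credentials in transit.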


4) Extensibility
1. Add a second switch, C-1-SW-2, to C-1
C-1-RS
[C-1-RS]interface GigabitEthernet 0/0/2
[C-1-RS-GigabitEthernet0/0/2]port link-type access
[C-1-RS-GigabitEthernet0/0/2]port default vlan 10
[C-1-RS-GigabitEthernet0/0/2]quit
C-1-SW-2
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname C-1-SW-2
[C-1-SW-2]vlan 10
[C-1-SW-2-vlan10]quit
[C-1-SW-2]interface Vlanif 10
[C-1-SW-2-Vlanif10]ip address 192.168.0.201 24
[C-1-SW-2-Vlanif10]quit
[C-1-SW-2]interface GigabitEthernet 0/0/1
[C-1-SW-2-GigabitEthernet0/0/1]port link-type access
[C-1-SW-2-GigabitEthernet0/0/1]port default vlan 10
[C-1-SW-2-GigabitEthernet0/0/1]quit
[C-1-SW-2]ip route-static 0.0.0.0 0 192.168.0.1
2. Add C-2 (laboratory 1)

C-R
[C-R]vlan 101
[C-R-vlan101]quit
[C-R]interface Vlanif 101
[C-R-Vlanif101]ip address 10.0.0.5 30
[C-R-Vlanif101]quit
[C-R]interface GigabitEthernet 8/0/1
[C-R-GigabitEthernet8/0/1]port link-type access
[C-R-GigabitEthernet8/0/1]port default vlan 101
[C-R-GigabitEthernet8/0/1]quit
//static route to C-2-FW's loopback; the default-route advertisement is already in place from room 1, repeating it is harmless
[C-R]ip route-static 10.0.255.2 32 10.0.0.6
[C-R]ospf 1
[C-R-ospf-1]default-route-advertise always
[C-R-ospf-1]quit
C-2-FW
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info-center enable
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]sysname C-2-FW
[C-2-FW]interface GigabitEthernet 1/0/0
[C-2-FW-GigabitEthernet1/0/0]ip address 10.0.0.6 30
[C-2-FW-GigabitEthernet1/0/0]service-manage all permit
[C-2-FW-GigabitEthernet1/0/0]quit
[C-2-FW]interface GigabitEthernet 1/0/1
[C-2-FW-GigabitEthernet1/0/1]ip address 10.0.100.5 30
[C-2-FW-GigabitEthernet1/0/1]quit
[C-2-FW]ospf 1
[C-2-FW-ospf-1]area 1
[C-2-FW-ospf-1-area-0.0.0.1]network 10.0.0.6 0.0.0.3
[C-2-FW-ospf-1-area-0.0.0.1]network 10.0.100.5 0.0.0.3
[C-2-FW-ospf-1-area-0.0.0.1]quit
[C-2-FW]firewall zone trust
[C-2-FW-zone-trust]add interface GigabitEthernet 1/0/1
[C-2-FW-zone-trust]quit
[C-2-FW]firewall zone untrust
[C-2-FW-zone-untrust]add interface GigabitEthernet 1/0/0
[C-2-FW-zone-untrust]quit
[C-2-FW]security-policy
[C-2-FW-policy-security]rule name allow-any
[C-2-FW-policy-security-rule-allow-any]source-address any
[C-2-FW-policy-security-rule-allow-any]destination-address any
[C-2-FW-policy-security-rule-allow-any]service any
[C-2-FW-policy-security-rule-allow-any]action permit
[C-2-FW-policy-security-rule-allow-any]quit
[C-2-FW-policy-security]quit
[C-2-FW]interface LoopBack 0
[C-2-FW-LoopBack0]ip address 10.0.255.2 32
[C-2-FW-LoopBack0]quit
C-2-RS
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname C-2-RS
[C-2-RS]vlan 10
[C-2-RS-vlan10]quit
[C-2-RS]interface Vlanif 10
[C-2-RS-Vlanif10]ip address 192.168.1.1 24
[C-2-RS-Vlanif10]quit
[C-2-RS]vlan 100
[C-2-RS-vlan100]quit
[C-2-RS]interface Vlanif 100
[C-2-RS-Vlanif100]ip address 10.0.100.6 30
[C-2-RS-Vlanif100]quit
[C-2-RS]interface GigabitEthernet 0/0/1
[C-2-RS-GigabitEthernet0/0/1]port link-type access
[C-2-RS-GigabitEthernet0/0/1]port default vlan 10
[C-2-RS-GigabitEthernet0/0/1]quit
[C-2-RS]interface GigabitEthernet 0/0/24
[C-2-RS-GigabitEthernet0/0/24]port link-type access
[C-2-RS-GigabitEthernet0/0/24]port default vlan 100
[C-2-RS-GigabitEthernet0/0/24]quit
[C-2-RS]ospf 1
[C-2-RS-ospf-1]area 1
[C-2-RS-ospf-1-area-0.0.0.1]network 192.168.1.0 0.0.0.255
[C-2-RS-ospf-1-area-0.0.0.1]network 10.0.100.6 0.0.0.3
[C-2-RS-ospf-1-area-0.0.0.1]quit
[C-2-RS-ospf-1]quit
//WLAN
[C-2-RS]dhcp enable
[C-2-RS]interface GigabitEthernet 0/0/23
[C-2-RS-GigabitEthernet0/0/23]port link-type trunk
[C-2-RS-GigabitEthernet0/0/23]port trunk pvid vlan 2000
[C-2-RS-GigabitEthernet0/0/23]port trunk allow-pass vlan 10 2000
[C-2-RS-GigabitEthernet0/0/23]quit
[C-2-RS]vlan 2000
[C-2-RS-vlan2000]quit
[C-2-RS]interface Vlanif 2000
[C-2-RS-Vlanif2000]ip address 10.0.10.9 29
[C-2-RS-Vlanif2000]dhcp select relay
[C-2-RS-Vlanif2000]dhcp relay server-ip 172.16.50.10
[C-2-RS-Vlanif2000]quit
[C-2-RS]ospf 1
[C-2-RS-ospf-1]area 1
[C-2-RS-ospf-1-area-0.0.0.1]network 10.0.10.9 0.0.0.7
[C-2-RS-ospf-1-area-0.0.0.1]quit
[C-2-RS-ospf-1]quit
//DHCP
[C-2-RS]interface Vlanif 10
[C-2-RS-Vlanif10]dhcp select relay
[C-2-RS-Vlanif10]dhcp relay server-ip 172.16.1.10
[C-2-RS-Vlanif10]quit
C-2-SW-1
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname C-2-SW-1
[C-2-SW-1]vlan 10
[C-2-SW-1-vlan10]quit
[C-2-SW-1]interface Vlanif 10
//SW-1 takes .200 as in the plan; .201 is reserved for C-2-SW-2
[C-2-SW-1-Vlanif10]ip address 192.168.1.200 24
[C-2-SW-1-Vlanif10]quit
[C-2-SW-1]interface GigabitEthernet 0/0/1
[C-2-SW-1-GigabitEthernet0/0/1]port link-type access
[C-2-SW-1-GigabitEthernet0/0/1]port default vlan 10
[C-2-SW-1-GigabitEthernet0/0/1]quit
[C-2-SW-1]ip route-static 0.0.0.0 0 192.168.1.1
AC
[AC]ip pool pool-C-2
[AC-ip-pool-pool-C-2]network 10.0.10.8 mask 29
[AC-ip-pool-pool-C-2]gateway-list 10.0.10.9
[AC-ip-pool-pool-C-2]option 43 sub-option 2 ip-address 172.16.50.10
[AC-ip-pool-pool-C-2]quit
[AC-wlan-view]ap-id 2 ap-mac 00E0-FC43-7760
[AC-wlan-ap-2]ap-name C-2-AP-1
[AC-wlan-ap-2]ap-group ap-group-cfg
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC-wlan-ap-2]quit
A-R (NAT)
//all laboratory 1 traffic leaves as 100.64.200.11; again without "no-pat", so the whole room can share the address
[A-R]nat address-group 3 100.64.200.11 100.64.200.11
[A-R]acl 2002
[A-R-acl-basic-2002]rule permit source 192.168.1.0 0.0.0.255
[A-R-acl-basic-2002]quit
[A-R]interface GigabitEthernet 4/0/0
[A-R-GigabitEthernet4/0/0]nat outbound 2002 address-group 3
[A-R-GigabitEthernet4/0/0]quit
On the DHCP server
nano /etc/dhcp/dhcpd.conf
//add the following pool (stop at .199 so the switches' management addresses .200/.201 stay free, as for room 1)
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.2 192.168.1.199;
  option routers 192.168.1.1;
}
On the RADIUS server
nano /etc/raddb/clients.conf
//register C-2-FW; each NAS gets its own secret, so a secret leaked from one firewall does not let an attacker impersonate the others
client C-2-FW {
ipaddr = 10.0.255.2
secret = secret2552
proto = *
}
3. Add the office

Adjust the IP plan and build it the same way as C-2 (its firewall T-FW keeps campus access at all hours, see section 3).
3. Firewall policy
1) Publish the FTP service to the external network
On A-R, map the external address 100.64.200.50 to the internal FTP server 172.16.0.10. This static mapping exposes every port of the server to the whole campus network, while the requirement only asks for FTP from 100.64.201.0/24; a tighter version maps just the FTP ports (a protocol-specific nat server entry) and filters the inbound source with an ACL on GE4/0/0.
[A-R]interface GigabitEthernet 4/0/0
[A-R-GigabitEthernet4/0/0]nat server global 100.64.200.50 inside 172.16.0.10
[A-R-GigabitEthernet4/0/0]quit
2) Block inbound SSH into the server network
B-FW
Rule order matters: USG security policies are matched top-down in creation order, so allow-any is removed, the deny rule is created, and allow-any is re-created beneath it. Only untrust (core side) to trust (server VLANs) is affected: the management machine in 172.16.4.0/24 can still SSH outwards to the network devices, while SSH from the classrooms into the servers is dropped.
[B-FW]security-policy
[B-FW-policy-security]undo rule name allow-any
[B-FW-policy-security]rule name no-ssh-inbound
[B-FW-policy-security-rule-no-ssh-inbound]source-zone untrust
[B-FW-policy-security-rule-no-ssh-inbound]destination-zone trust
[B-FW-policy-security-rule-no-ssh-inbound]service ssh
[B-FW-policy-security-rule-no-ssh-inbound]action deny
[B-FW-policy-security-rule-no-ssh-inbound]quit
[B-FW]security-policy
[B-FW-policy-security]rule name allow-any
[B-FW-policy-security-rule-allow-any]source-address any
[B-FW-policy-security-rule-allow-any]destination-address any
[B-FW-policy-security-rule-allow-any]service any
[B-FW-policy-security-rule-allow-any]action permit
[B-FW-policy-security-rule-allow-any]quit
[B-FW-policy-security]quit
3) Controlling Internet access hours
Open the management page of the room firewall C-X-FW
Log in, go to the screen shown, and click "New security policy"

Create an address group

Fill in the server address range (the 172.16.0.0/16 block used for the servers), so that DHCP, DNS, NTP, RADIUS and management keep working outside working hours

After saving, move this policy to the top of the list

Edit the allow-any policy and set its time range to worktime
The time range is evaluated against the firewall's own clock, which is one more reason the NTP service matters. The office firewall T-FW keeps its allow-any without a time range, since the office may always reach the campus network.
4) Block C-2 from reaching the FTP server
Open the management page of C-2-FW
Create the security policy deny-ftp
Create an address object holding the FTP server's address (172.16.0.10) and use it as the destination

Set the action to deny

Finally move the policy above allow-any; a permit rule sitting above it would match first and the deny would never fire
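Sections 3.2 to 3.4 all rely on first-match evaluation, and 3.3 on the firewall's clock. The following added example (not the page's or Huawei's code) models those three rule sets and evaluates sample flows through them, including a rule placed below allow-any that therefore never fires. The bounds of the worktime range (Monday to Friday, 08:00 to 18:00) and the two sample timestamps are assumptions; the page does not state them.

```python
"""First-match evaluation of zone/address/service/time security policies.

Added example, not the page's or Huawei's code. The default action when no rule
matches is deny, as on the firewalls described above.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    src: str = "any"            # CIDR or "any"
    dst: str = "any"
    service: str = "any"        # "ssh", "ftp", ... or "any"
    time_range: str = None      # None = always


# assumed definition of the page's "worktime" range: weekdays Mon..Fri, 08:00 <= t < 18:00
TIME_RANGES = {"worktime": (range(0, 5), 8, 18)}


def _in_time_range(name, when):
    if name is None:
        return True
    days, start, end = TIME_RANGES[name]
    return when.weekday() in days and start <= when.hour < end


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def evaluate(rules, *, src_zone, dst_zone, src, dst, service, when):
    """Return (action, rule name) of the first matching rule, or ("deny", "default")."""
    for r in rules:
        if (r.src_zone in ("any", src_zone) and r.dst_zone in ("any", dst_zone)
                and _addr_match(r.src, src) and _addr_match(r.dst, dst)
                and r.service in ("any", service) and _in_time_range(r.time_range, when)):
            return r.action, r.name
    return "deny", "default"


# B-FW, section 3.2: the deny rule is created first, allow-any re-created beneath it
B_FW = [Rule("no-ssh-inbound", "deny", src_zone="untrust", dst_zone="trust", service="ssh"),
        Rule("allow-any", "permit")]

# room firewall, section 3.3: servers reachable at all hours, everything else only during worktime
ROOM_FW = [Rule("allow-servers", "permit", dst="172.16.0.0/16"),
           Rule("allow-any", "permit", time_range="worktime")]

# C-2-FW, section 3.4: deny-ftp moved above the room rules
C2_FW = [Rule("deny-ftp", "deny", dst="172.16.0.10/32", service="ftp")] + ROOM_FW

# constructed sample timestamps: a Wednesday afternoon and the same evening
WORK = datetime(2024, 5, 15, 14, 0)
NIGHT = datetime(2024, 5, 15, 22, 0)

if __name__ == "__main__":
    flow = dict(src_zone="trust", dst_zone="untrust", src="192.168.0.10", dst="100.64.201.5", service="http")
    print(evaluate(ROOM_FW, when=WORK, **flow), evaluate(ROOM_FW, when=NIGHT, **flow))
    print(evaluate(C2_FW, src_zone="trust", dst_zone="untrust", src="192.168.1.10",
                   dst="172.16.0.10", service="ftp", when=WORK))
```

Putting deny-ftp after the room rules instead (`ROOM_FW + [C2_FW[0]]`) lets allow-servers match FTP to 172.16.0.10 first, which is exactly the mistake the "move the priority up" step in section 3.4 prevents; and because the worktime check reads the firewall's clock, a firewall that has drifted or lost NTP will open or close campus access at the wrong times.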

5) Network access authentication
Taking C-1 as the example, log in to C-1-FW, find the location shown and switch the authentication server to the RADIUS server set up above

Create a user group


Create the user stuuser and put it in the stu user group

Then create the authentication policy

Create an address group with the users' IP range (192.168.0.0/24) as the source, so that every host in room 1 has to authenticate before the firewall forwards its traffic




4. Verifying the services
1. FTP
2. DHCP
3. DNS
4. NTP
5. Management
6. Cacti
End of document
Author: ftc. Published under CC BY-SA 4.0: reproduction with attribution to the original author is allowed, and adaptations must be shared under the same terms.
