Network design: simulating a small enterprise network
Topology diagram
Notes
- With the configuration below the whole network is reachable end to end. If you need to restrict traffic, configure ACLs on three devices: the HQ router, the branch router and the firewall.
- The steps below are in logical order; after configuring each major section in sequence you can test it. This article does not cover the detailed configuration of the end hosts at the network edge, which you can set up as you see fit.
Tip: the only place an ACL is set below is the firewall. For ease of testing, a single ACL that permits all inbound and outbound traffic is configured; in practice different ACLs should be set according to requirements.
A question of my own: can the following be achieved on the firewall using ACLs alone?
- HQ can freely access the branch
- The branch cannot access HQ
Note: excluding NAT and any other devices. With only a single 5506 firewall, is it possible to achieve the above with ACLs alone? If you know, please leave a comment. Thanks 🙏
Configuration
HQ: access and distribution layers
```
-------------------------------------------------------------------------------
# Switch: 总部-汇聚1 (HQ distribution switch 1)
########################################
enable
configure terminal

# Create VLANs
vlan 10
vlan 20
vlan 30
vlan 40
exit

# Configure SVIs and first-hop redundancy (the `standby` commands configure HSRP)
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 standby 10 ip 192.168.10.252
 standby 10 priority 120
 standby 10 preempt
 standby 10 track fastEthernet0/1
 standby 10 track fastEthernet0/2
exit
interface vlan 20
 ip address 192.168.20.1 255.255.255.0
 standby 20 ip 192.168.20.252
 standby 20 priority 120
 standby 20 preempt
 standby 20 track fastEthernet0/1
 standby 20 track fastEthernet0/2
exit
interface vlan 30
 ip address 192.168.30.1 255.255.255.0
 standby 30 ip 192.168.30.252
 standby 30 priority 110
 standby 30 preempt
 standby 30 track fastEthernet0/1
 standby 30 track fastEthernet0/2
exit
interface vlan 40
 ip address 192.168.40.1 255.255.255.0
 standby 40 ip 192.168.40.252
 standby 40 priority 110
 standby 40 preempt
 standby 40 track fastEthernet0/1
 standby 40 track fastEthernet0/2
exit

# Uplinks (routed ports towards the core switches)
interface fastEthernet0/1
 no switchport
 ip address 192.168.2.2 255.255.255.0
 no shutdown
exit
interface fastEthernet0/2
 no switchport
 ip address 192.168.4.2 255.255.255.0
 no shutdown
exit
ip routing

# Spanning tree (STP)
spanning-tree mode pvst
spanning-tree vlan 10,20 root primary
spanning-tree vlan 30,40 root secondary

# Downlinks (trunks towards the access switches)
interface range fastEthernet0/3-6
 switchport trunk encapsulation dot1q
 switchport mode trunk
-------------------------------------------------------------------------------
# Switch: 总部-汇聚2 (HQ distribution switch 2)
# Mirror of 汇聚1: HSRP priorities and STP root roles are swapped so that
# VLANs 10/20 prefer 汇聚1 and VLANs 30/40 prefer 汇聚2.
########################################
enable
configure terminal
vlan 10
vlan 20
vlan 30
vlan 40
exit
interface vlan 10
 ip address 192.168.10.2 255.255.255.0
 standby 10 ip 192.168.10.252
 standby 10 priority 110
 standby 10 preempt
 standby 10 track fastEthernet0/1
 standby 10 track fastEthernet0/2
exit
interface vlan 20
 ip address 192.168.20.2 255.255.255.0
 standby 20 ip 192.168.20.252
 standby 20 priority 110
 standby 20 preempt
 standby 20 track fastEthernet0/1
 standby 20 track fastEthernet0/2
exit
interface vlan 30
 ip address 192.168.30.2 255.255.255.0
 standby 30 ip 192.168.30.252
 standby 30 priority 120
 standby 30 preempt
 standby 30 track fastEthernet0/1
 standby 30 track fastEthernet0/2
exit
interface vlan 40
 ip address 192.168.40.2 255.255.255.0
 standby 40 ip 192.168.40.252
 standby 40 priority 120
 standby 40 preempt
 standby 40 track fastEthernet0/1
 standby 40 track fastEthernet0/2
exit
interface fastEthernet0/1
 no switchport
 ip address 192.168.3.2 255.255.255.0
 no shutdown
exit
interface fastEthernet0/2
 no switchport
 ip address 192.168.5.2 255.255.255.0
 no shutdown
exit
ip routing
spanning-tree mode pvst
spanning-tree vlan 10,20 root secondary
spanning-tree vlan 30,40 root primary
interface range fastEthernet0/3-6
 switchport trunk encapsulation dot1q
 switchport mode trunk
-------------------------------------------------------------------------------
# Switch: 总部-接入1 (HQ access switch 1)
########################################
enable
configure terminal

# Create VLANs
vlan 10
vlan 20
vlan 30
vlan 40
exit

# Uplinks (trunks to both distribution switches)
interface range fastEthernet0/1-2
 switchport mode trunk
exit

# Downlinks (access ports for end hosts)
interface range fastEthernet0/3-4
 switchport mode access
 switchport access vlan 10
exit
-------------------------------------------------------------------------------
# Switch: 总部-接入2 (HQ access switch 2)
########################################
enable
configure terminal
vlan 10
vlan 20
vlan 30
vlan 40
exit
interface range fastEthernet0/1-2
 switchport mode trunk
exit
interface range fastEthernet0/3-5
 switchport mode access
 switchport access vlan 20
-------------------------------------------------------------------------------
# Switch: 总部-接入3 (HQ access switch 3)
########################################
enable
configure terminal
vlan 10
vlan 20
vlan 30
vlan 40
exit
interface range fastEthernet0/1-2
 switchport mode trunk
exit
interface range fastEthernet0/3-4
 switchport mode access
 switchport access vlan 30
-------------------------------------------------------------------------------
# Switch: 总部-接入4 (HQ access switch 4)
########################################
enable
configure terminal
vlan 10
vlan 20
vlan 30
vlan 40
exit
interface range fastEthernet0/1-2
 switchport mode trunk
exit
interface range fastEthernet0/3-4
 switchport mode access
 switchport access vlan 40
```
HQ: core layer
```
-------------------------------------------------------------------------------
# Switch: 总部-核心1 (HQ core switch 1)
########################################
enable
configure terminal

# Uplink (routed port towards the firewall)
interface fastEthernet0/1
 no switchport
 ip address 192.168.254.2 255.255.255.0
 no shutdown
exit

# Downlinks (routed ports towards the distribution switches)
interface fastEthernet0/4
 no switchport
 ip address 192.168.2.1 255.255.255.0
 no shutdown
exit
interface fastEthernet0/5
 no switchport
 ip address 192.168.3.1 255.255.255.0
 no shutdown
exit
ip routing

# EtherChannel between the two core switches
interface port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
exit
interface range fastEthernet0/2-3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
exit
-------------------------------------------------------------------------------
# Switch: 总部-核心2 (HQ core switch 2)
########################################
enable
configure terminal
interface fastEthernet0/1
 no switchport
 ip address 192.168.253.2 255.255.255.0
 no shutdown
exit
interface fastEthernet0/4
 no switchport
 ip address 192.168.4.1 255.255.255.0
 no shutdown
exit
interface fastEthernet0/5
 no switchport
 ip address 192.168.5.1 255.255.255.0
 no shutdown
exit
ip routing
interface port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
exit
interface range fastEthernet0/2-3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
exit
-------------------------------------------------------------------------------
# Firewall (ASA 5506-X)
########################################
enable
configure terminal

# Outside interface (towards the HQ router), lowest security level
interface gigabitEthernet1/1
 ip address 192.168.1.2 255.255.255.0
 no shutdown
 security-level 0
 nameif outcore
exit

# Inside interfaces (towards the two core switches), highest security level
interface gigabitEthernet1/2
 ip address 192.168.254.1 255.255.255.0
 security-level 100
 nameif incore-1
 no shutdown
exit
interface gigabitEthernet1/3
 ip address 192.168.253.1 255.255.255.0
 security-level 100
 nameif incore-2
 no shutdown
exit
-------------------------------------------------------------------------------
# Router: 总部 (HQ router)
########################################
enable
configure terminal

# HQ network (towards the firewall)
interface fastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
exit

# External network (towards the Internet router)
interface serial0/3/0
 ip address 10.16.0.2 255.255.0.0
 clock rate 64000
 no shutdown
exit

# Branch network (towards the branch router)
interface serial0/3/1
 ip address 172.16.0.1 255.255.255.0
 clock rate 64000
 no shutdown
exit
-------------------------------------------------------------------------------
# Switch: 总部-汇聚1 (HQ distribution switch 1)
########################################
enable
configure terminal

# OSPF routing: advertise the four VLAN subnets and both uplinks
router ospf 10
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
 network 192.168.40.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.4.0 0.0.0.255 area 0
-------------------------------------------------------------------------------
# Switch: 总部-汇聚2 (HQ distribution switch 2)
########################################
enable
configure terminal
router ospf 20
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
 network 192.168.40.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
 network 192.168.5.0 0.0.0.255 area 0
-------------------------------------------------------------------------------
# Switch: 总部-核心1 (HQ core switch 1)
########################################
enable
configure terminal
router ospf 30
 network 192.168.254.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
-------------------------------------------------------------------------------
# Switch: 总部-核心2 (HQ core switch 2)
########################################
enable
configure terminal
router ospf 40
 network 192.168.253.0 0.0.0.255 area 0
 network 192.168.4.0 0.0.0.255 area 0
 network 192.168.5.0 0.0.0.255 area 0
-------------------------------------------------------------------------------
# Firewall (ASA 5506-X)
########################################
enable
configure terminal

# OSPF on the ASA takes a normal subnet mask, not an IOS wildcard mask
router ospf 50
 network 192.168.1.0 255.255.255.0 area 0
 network 192.168.253.0 255.255.255.0 area 0
 network 192.168.254.0 255.255.255.0 area 0
exit

# Firewall ACL: for testing, permit all traffic in both directions on every interface.
# The ASA syntax is `access-group <acl> in|out interface <nameif>`.
access-list fx extended permit ip any any
access-group fx in interface incore-1
access-group fx out interface incore-1
access-group fx in interface incore-2
access-group fx out interface incore-2
access-group fx in interface outcore
access-group fx out interface outcore
-------------------------------------------------------------------------------
# Router: 总部 (HQ router)
########################################
enable
configure terminal
router ospf 60
 network 10.16.0.0 0.0.255.255 area 0
 network 172.16.0.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
```
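An added audit example (not from the original post): this Python snippet parses IOS-style configuration like the switch and router sections above and reports any routed interface whose subnet is not covered by an OSPF `network` statement, the most common reason a segment stays unreachable after following the steps. The sample configuration is constructed from the 总部-汇聚1 addresses on this page with the VLAN 20 network statement deliberately removed; the ASA's mask syntax is outside its scope.

```python
import ipaddress
import re

# Constructed sample in IOS syntax, using 总部-汇聚1 addresses from this page
# but with the VLAN 20 network statement deliberately left out.
SAMPLE_CONFIG = """
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
interface vlan 20
 ip address 192.168.20.1 255.255.255.0
interface fastEthernet0/1
 no switchport
 ip address 192.168.2.2 255.255.255.0
router ospf 10
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
"""

IFACE_RE = re.compile(r"^\s*interface\s+(\S+(?:\s+\d+)?)", re.I)
ADDR_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)", re.I)
NET_RE = re.compile(r"^\s*network\s+(\S+)\s+(\S+)\s+area\s+(\S+)", re.I)

def parse_config(text):
    """Return ({interface: ip}, [(network, wildcard, area)]) from IOS text.
    Only IOS wildcard syntax is handled; the ASA uses normal masks instead."""
    ifaces, networks, current = {}, [], None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif (m := ADDR_RE.match(line)) and current:
            ifaces[current] = m.group(1)
        elif m := NET_RE.match(line):
            networks.append((m.group(1), m.group(2), m.group(3)))
    return ifaces, networks

def wildcard_match(ip, net, wildcard):
    """IOS wildcard semantics: 0 bits must match, 1 bits are ignored."""
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    mask = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(ip) & mask) == (to_int(net) & mask)

def unadvertised_interfaces(text):
    """Interfaces whose address no network statement covers (OSPF will not
    run on them, so their subnet is never advertised)."""
    ifaces, networks = parse_config(text)
    return sorted(name for name, ip in ifaces.items()
                  if not any(wildcard_match(ip, n, w) for n, w, _ in networks))
```

Feed it the text of each IOS device above; an empty result for every device means all routed segments are advertised into area 0.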
Branch
```
-------------------------------------------------------------------------------
# Switch: 分部-核心1 (branch core switch 1)
########################################
enable
configure terminal
vlan 10
vlan 20
exit

# SVIs with HSRP (single switch here, so the virtual IP is the host gateway)
interface vlan 10
 ip address 192.200.10.1 255.255.255.0
 standby 10 ip 192.200.10.252
 standby 10 preempt
 standby 10 track fastEthernet0/1
exit
interface vlan 20
 ip address 192.200.20.1 255.255.255.0
 standby 20 ip 192.200.20.252
 standby 20 preempt
 standby 20 track fastEthernet0/1
exit

# Uplink (routed port towards the branch router)
interface fastEthernet0/1
 no switchport
 ip address 192.200.1.2 255.255.255.0
 no shutdown
exit
ip routing

# Downlinks (trunks towards the access switches)
interface range fastEthernet0/2-3
 switchport trunk encapsulation dot1q
 switchport mode trunk
exit
spanning-tree mode pvst
spanning-tree vlan 10,20 root primary

# OSPF routing
router ospf 100
 network 192.200.1.0 0.0.0.255 area 0
 network 192.200.10.0 0.0.0.255 area 0
 network 192.200.20.0 0.0.0.255 area 0
exit
-------------------------------------------------------------------------------
# Switch: 分部-接入1 (branch access switch 1)
########################################
enable
configure terminal
vlan 10
vlan 20
vlan 30
vlan 40
exit
interface fastEthernet0/1
 switchport mode trunk
exit
interface range fastEthernet0/2-3
 switchport mode access
 switchport access vlan 10
exit
-------------------------------------------------------------------------------
# Switch: 分部-接入2 (branch access switch 2)
########################################
enable
configure terminal
vlan 10
vlan 20
vlan 30
vlan 40
exit
interface range fastEthernet0/1
 switchport mode trunk
exit
interface range fastEthernet0/2-3
 switchport mode access
 switchport access vlan 20
exit
-------------------------------------------------------------------------------
# Router: 分部 (branch router)
########################################
enable
configure terminal

# Branch LAN (towards the branch core switch)
interface fastEthernet0/1
 ip address 192.200.1.1 255.255.255.0
 no shutdown
exit

# WAN link to the HQ router (DTE side; the HQ end provides the clock)
interface serial0/3/0
 ip address 172.16.0.2 255.255.255.0
 no shutdown
exit
router ospf 70
 network 172.16.0.0 0.0.0.255 area 0
 network 192.200.1.0 0.0.0.255 area 0
exit
```
Internet simulation
```
-------------------------------------------------------------------------------
# Router: 外网 (Internet router)
########################################
enable
configure terminal

# Simulated external network
interface fastEthernet0/1
 ip address 10.128.0.1 255.255.0.0
 no shutdown
exit

# Link to the HQ router
interface serial0/3/1
 ip address 10.16.0.1 255.255.0.0
 no shutdown
exit

# OSPF routing
router ospf 80
 network 10.16.0.0 0.0.255.255 area 0
 network 10.128.0.0 0.0.255.255 area 0
exit
```
HQ router NAT
```
-------------------------------------------------------------------------------
# Router: 总部 (HQ router)
########################################
enable
configure terminal

# Default route towards the Internet router, redistributed into OSPF
ip route 0.0.0.0 0.0.0.0 10.16.0.1
router ospf 60
 default-information originate
exit

# NAT: inside is the HQ LAN side, outside is both serial links.
# Because serial0/3/1 (the branch link) is also marked outside, HQ-to-branch
# traffic matching access-list 1 is translated to the pool as well.
interface range fastEthernet0/0-1
 ip nat inside
exit
interface serial0/3/0
 ip nat outside
exit
interface serial0/3/1
 ip nat outside
exit

# Dynamic NAT without `overload`: each inside host holds one pool address,
# so this pool supports at most eight concurrent translations.
ip nat pool CORE 10.16.0.3 10.16.0.10 netmask 255.255.0.0
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 pool CORE
```
Closing remarks
References
- The configuration is based on https://www.bilibili.com/video/BV1kY411w73v/?spm_id_from=333.337.search-card.all.click&vd_source=224405daab1cdb2262d4c944257f2f31
- Material on the 5506-X firewall is scarce; this is Cisco's official documentation: https://www.cisco.com/c/zh_cn/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html
- ACL reference: https://www.cnblogs.com/romin/p/15680566.html
Firewall inside and outside interface directions
The firewall's default rules for traffic passing through it are:
- High security level to low security level: allowed
- Low security level to high security level: denied
- Once an ACL is applied, it takes precedence over the default rules
Assume the inside zone has security level 100 and the outside zone has security level 0.
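An added example (not the author's or Cisco's code) that models the three default rules above for this page's interfaces (`incore-1`/`incore-2` at level 100, `outcore` at level 0) and its `fx` ACL, considering the inbound ACL on the ingress interface only. It places the page's binding of `fx` to every interface next to a constructed alternative that leaves `outcore` without an inbound ACL, so the decision for a new connection can be compared in each direction.

```python
import ipaddress

# Security levels from this page's firewall config (constructed model, not ASA code).
LEVELS = {"incore-1": 100, "incore-2": 100, "outcore": 0}

# ACL entries are (action, protocol, source, destination); "any" or a CIDR.
# `fx` is the page's own permit-everything ACL.
ACLS = {"fx": [("permit", "ip", "any", "any")]}

# As on the page: fx bound inbound on every interface.
PAGE_BINDINGS = {"incore-1": "fx", "incore-2": "fx", "outcore": "fx"}
# Constructed alternative: no inbound ACL on outcore, so the security-level
# default (low -> high denied) again applies to traffic arriving from outside.
STRICT_BINDINGS = {"incore-1": "fx", "incore-2": "fx"}

def _matches(field, addr):
    return field == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(field)

def acl_permits(entries, pkt):
    """First matching entry decides; an ASA ACL ends with an implicit deny."""
    for action, proto, src, dst in entries:
        if proto in ("ip", pkt["proto"]) and _matches(src, pkt["src"]) \
                and _matches(dst, pkt["dst"]):
            return action == "permit"
    return False

def new_connection_permitted(pkt, bindings, acls=ACLS):
    """Decision for the first packet of a connection entering on pkt['in_if'].
    An inbound ACL on the ingress interface overrides the security-level rule;
    without one, only higher -> lower level is allowed (equal levels are denied
    unless same-security-traffic is enabled). Replies for established
    connections are matched by the connection table, not by this logic."""
    acl = bindings.get(pkt["in_if"])
    if acl is not None:
        return acl_permits(acls[acl], pkt)
    return LEVELS[pkt["in_if"]] > LEVELS[pkt["out_if"]]

# Constructed flows: a branch host reaching an HQ VLAN 10 host, and the reverse.
BRANCH_TO_HQ = {"in_if": "outcore", "out_if": "incore-1", "proto": "tcp",
                "src": "192.200.10.10", "dst": "192.168.10.10"}
HQ_TO_BRANCH = {"in_if": "incore-1", "out_if": "outcore", "proto": "tcp",
                "src": "192.168.10.10", "dst": "192.200.10.10"}
```

With the page's bindings both directions are permitted; with the strict bindings HQ-to-branch is still permitted by the security-level default while branch-to-HQ new connections are denied.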