This article is excerpted from 智能改变世界; it will be removed on request.
A four-storey community hospital project is nearing completion. The owner has two dedicated lines, one to the medical-insurance network and one to the government-affairs network, plus a China Telecom broadband line for internet access. The project uses H3C network equipment throughout. Internal PCs and other terminals reach the outside through a single core router, and each department must be able to reach only its designated egress network (while internal PCs must still be able to talk to each other). In addition, the surveillance NVR host must reach the internet and also the government-affairs network, because headquarters pulls the camera feeds back over the government network onto a video wall for central management. The topology is shown in the diagram below.
A quick analysis of the topology: floors 1-3 use the insurance network and sit in VLAN 10; half of floor 4 uses the internet and sits in VLAN 20, the other half uses the government network and sits in VLAN 30; all cameras are in VLAN 40. The NVR has two links to the core switch (one in VLAN 40, the other in VLAN 30), and the core switch has two links to the core router, one of which is dedicated to surveillance and also carries VLAN 30 government-network traffic.
The configuration commands are as follows:
I. Core router configuration
system-view
[H3C]sysname HX-Route
[HX-Route]interface LoopBack 0
[HX-Route-LoopBack0]ip address 10.0.0.1 30  # simulates the medical-insurance network
[HX-Route]interface LoopBack 1
[HX-Route-LoopBack1]ip address 20.0.0.1 30  # simulates the internet
[HX-Route]interface LoopBack 2
[HX-Route-LoopBack2]ip address 30.0.0.1 30  # simulates the government-affairs network
[HX-Route]interface GigabitEthernet 0/1.1
[HX-Route-GigabitEthernet0/1.1]ip address 192.168.100.1 30  # medical insurance
[HX-Route-GigabitEthernet0/1.1]vlan-type dot1q vid 100  # sub-interface dot1q encapsulation, carries VLAN 100
[HX-Route]interface GigabitEthernet 0/1.2
[HX-Route-GigabitEthernet0/1.2]ip address 192.168.110.1 30  # internet
[HX-Route-GigabitEthernet0/1.2]vlan-type dot1q vid 110
[HX-Route]interface GigabitEthernet 0/2.1
[HX-Route-GigabitEthernet0/2.1]ip address 192.168.120.1 30  # government affairs
[HX-Route-GigabitEthernet0/2.1]vlan-type dot1q vid 120
[HX-Route]interface GigabitEthernet 0/2.2
[HX-Route-GigabitEthernet0/2.2]ip address 192.168.130.1 30  # surveillance
[HX-Route-GigabitEthernet0/2.2]vlan-type dot1q vid 130
# Static routes to the client subnets
[HX-Route]ip route-static 192.168.10.0 255.255.255.0 192.168.100.2
[HX-Route]ip route-static 192.168.20.0 255.255.255.0 192.168.110.2
[HX-Route]ip route-static 192.168.30.0 255.255.255.0 192.168.120.2
[HX-Route]ip route-static 192.168.40.0 255.255.255.0 192.168.130.2
II. Core switch configuration
system-view
[H3C]sysname HX-SW
[HX-SW]vlan 100
[HX-SW-vlan100]int vlan 100
[HX-SW-Vlan-interface100]ip address 192.168.100.2 30
[HX-SW]vlan 110
[HX-SW-vlan110]int vlan 110
[HX-SW-Vlan-interface110]ip address 192.168.110.2 30
[HX-SW]vlan 120
[HX-SW-vlan120]int vlan 120
[HX-SW-Vlan-interface120]ip address 192.168.120.2 30
[HX-SW]vlan 130
[HX-SW-vlan130]int vlan 130
[HX-SW-Vlan-interface130]ip address 192.168.130.2 30
[HX-SW]interface GigabitEthernet 1/0/1
[HX-SW-GigabitEthernet1/0/1]port link-type trunk
[HX-SW-GigabitEthernet1/0/1]port trunk permit vlan all
[HX-SW]interface GigabitEthernet 1/0/2
[HX-SW-GigabitEthernet1/0/2]port link-type trunk
[HX-SW-GigabitEthernet1/0/2]port trunk permit vlan all
[HX-SW]vlan 10
[HX-SW-vlan10]port GigabitEthernet 1/0/3
[HX-SW-vlan10]int vlan 10
[HX-SW-Vlan-interface10]ip address 192.168.10.1 24
[HX-SW]vlan 20
[HX-SW-vlan20]port GigabitEthernet 1/0/4
[HX-SW-vlan20]int vlan 20
[HX-SW-Vlan-interface20]ip address 192.168.20.1 24
[HX-SW]vlan 30
[HX-SW-vlan30]port GigabitEthernet 1/0/5
[HX-SW-vlan30]int vlan 30
[HX-SW-Vlan-interface30]ip address 192.168.30.1 24
[HX-SW]vlan 40
[HX-SW-vlan40]port GigabitEthernet 1/0/6
[HX-SW-vlan40]int vlan 40
[HX-SW-Vlan-interface40]ip address 192.168.40.1 24
# Egress static routes
[HX-SW]ip route-static 0.0.0.0 0 192.168.110.1
[HX-SW]ip route-static 10.0.0.0 24 192.168.100.1
[HX-SW]ip route-static 30.0.0.0 24 192.168.120.1
# ACL rules: only VLAN 10 (the insurance segment) may reach the insurance network
[HX-SW]acl advanced 3000
[HX-SW-acl-ipv4-adv-3000]rule permit ip source 10.0.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[HX-SW-acl-ipv4-adv-3000]rule deny ip
# ACL rules: only the VLAN 20 segment may reach the internet
[HX-SW]acl advanced 3001
[HX-SW-acl-ipv4-adv-3001]rule deny ip source 10.0.0.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[HX-SW-acl-ipv4-adv-3001]rule deny ip source 30.0.0.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
# ACL rules: only VLAN 30 (the government segment) may reach the government network
[HX-SW]acl advanced 3002
[HX-SW-acl-ipv4-adv-3002]rule permit ip source 30.0.0.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[HX-SW-acl-ipv4-adv-3002]rule deny ip
# ACL rules: only VLAN 40 (the surveillance segment) may reach the internet
[HX-SW]acl advanced 3003
[HX-SW-acl-ipv4-adv-3003]rule deny ip source 10.0.0.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
[HX-SW-acl-ipv4-adv-3003]rule deny ip source 30.0.0.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
# Apply the ACL on the VLAN 100 interface
[HX-SW]interface Vlan-interface 100
[HX-SW-Vlan-interface100]packet-filter 3000 inbound
# Apply the ACL on the VLAN 110 interface
[HX-SW]interface Vlan-interface 110
[HX-SW-Vlan-interface110]packet-filter 3001 inbound
# Apply the ACL on the VLAN 120 interface
[HX-SW]interface Vlan-interface 120
[HX-SW-Vlan-interface120]packet-filter 3002 inbound
# Apply the ACL on the VLAN 130 interface
[HX-SW]interface Vlan-interface 130
[HX-SW-Vlan-interface130]packet-filter 3003 inbound
The configuration is now complete. Verify it as follows:
1. PC3 ping 10.0.0.1: reachable
2. PC3 ping 20.0.0.1: unreachable
3. PC3 ping 30.0.0.1: unreachable
4. Internal subnets can reach each other
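The packet-filters are applied inbound on the transit VLAN interfaces, so they act on replies coming back from the router: whether a ping succeeds depends on which transit VLAN the router's static route sends the reply into and what that interface's ACL decides. The following Python model is an added example, not part of the original article; it reproduces that decision using the page's own routes and ACL rules with H3C wildcard-mask matching, and the PC3 address 192.168.10.10 (a host in VLAN 10) is a constructed value.

```python
# Offline model of the switch's return-path ACLs (added example, not the
# article's own tooling). Routes and ACL rules are copied from the page.
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """H3C ACL wildcard semantics: bit 1 = don't care, bit 0 = must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

ANY = ("0.0.0.0", "255.255.255.255")   # "rule deny ip" with no source/destination
# Rules as (action, src, src-wildcard, dst, dst-wildcard), in the order entered.
ACLS = {
    3000: [("permit", "10.0.0.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
           ("deny", *ANY, *ANY)],
    3001: [("deny", "10.0.0.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
           ("deny", "30.0.0.0", "0.0.0.255", "192.168.20.0", "0.0.0.255")],
    3002: [("permit", "30.0.0.0", "0.0.0.255", "192.168.30.0", "0.0.0.255"),
           ("deny", *ANY, *ANY)],
    3003: [("deny", "10.0.0.0", "0.0.0.255", "192.168.40.0", "0.0.0.255"),
           ("deny", "30.0.0.0", "0.0.0.255", "192.168.40.0", "0.0.0.255")],
}

def acl_action(acl_id: int, src: str, dst: str) -> str:
    """First matching rule wins. Comware's packet-filter permits a packet that
    matches no rule unless 'packet-filter default deny' is configured, which is
    why ACLs 3001 and 3003 consist of deny rules only."""
    for action, s, sw, d, dw in ACLS[acl_id]:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "permit"

# The router's static route for each client subnet picks the transit VLAN the
# reply enters; that VLAN interface carries the listed ACL inbound.
ROUTER_ROUTES = {"192.168.10.0/24": 3000,   # via 192.168.100.2 -> Vlan-interface 100
                 "192.168.20.0/24": 3001,   # via 192.168.110.2 -> Vlan-interface 110
                 "192.168.30.0/24": 3002,   # via 192.168.120.2 -> Vlan-interface 120
                 "192.168.40.0/24": 3003}   # via 192.168.130.2 -> Vlan-interface 130

def reply_allowed(client_ip: str, service_ip: str) -> bool:
    """Is the reply from service_ip to client_ip admitted by the switch?"""
    for subnet, acl_id in ROUTER_ROUTES.items():
        if ipaddress.ip_address(client_ip) in ipaddress.ip_network(subnet):
            return acl_action(acl_id, service_ip, client_ip) == "permit"
    return False   # no router route back to this client at all

def expected_results() -> dict:
    """The three PC3 checks from the article; PC3 = 192.168.10.10 (constructed)."""
    pc3 = "192.168.10.10"
    return {svc: reply_allowed(pc3, svc) for svc in ("10.0.0.1", "20.0.0.1", "30.0.0.1")}
```

Running expected_results() gives True only for 10.0.0.1, matching checks 1-3 above; reply_allowed("192.168.20.5", "20.0.0.1") shows the VLAN 20 internet path is open because no rule in ACL 3001 matches it.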