Table of contents
Realize the construction of internal server
acl_deny partial user and server exit
(Amendment) Firewall implements Internet access restrictions
Foreword
This network planning course is the experimental part of an engineering college course in Henan. Unfortunately the course is too rushed and has no networking experiment in the middle, so novices may find it hard to get started.
Fortunately, two years ago I was exposed to this kind of networking operation (Cisco was still popular at the time), and then passed the Computer Technology and Software Professional Technical Qualification (Level) Examination, obtaining the Network Engineer certificate. Since that knowledge is past its peak, I am no longer very clear on the commands of many switches and routers. I also consulted various materials and spent an afternoon finally completing this networking experiment.
Preparation
Wireshark-win64-3.0.0.exe: packet capture software that assists the experiment and lets you analyse the packet flow
WinPcap_4_1_3.exe: a small patch to install when eNSP cannot be opened
VirtualBox-5.2.22-126460-Win.exe: installs the virtual network card that connects the virtual machine and eNSP; it is also used when importing the firewall package
eNSP V100R003C00 Setup.exe: the most important one, the Huawei emulator, which contains a large number of Huawei devices
vfw_usg.vdi.vdi: the USG firewall package for the simulator; when you try to open the firewall it prompts you to import the package, and this is the file to import
I won't elaborate on installing the software above.
A few common questions for novices
1. The order in which you download and install the software does not matter.
2. VirtualBox version incompatible, too new, or cannot be opened? Change the VirtualBox version (contact me on QQ).
3. Do not type configuration commands as soon as you open the console: it starts in the user view. Enter system (system-view) first to get into the system view.
4. Save in the user view with save and confirm. Be sure to save; otherwise all your work is lost, and when you open the file again and restart the devices there will be no configuration.
5. Log messages pop up on the console from time to time. To stop them, enter undo in en (short for undo info-center enable).
6. My device looks different from yours and the interface ports are not displayed! Open the device settings and add the interface cards there.
Networking requirements
A company has a headquarters and two branches. It has applied for the public network address block 22.22.22.0/27 with gateway 22.22.22.1. The headquarters has about 10 internal servers, 5 financial servers, 100 employees and 20 financial personnel; branch 1 has 150 employees and 5 financial personnel; branch 2 has 200 employees and 8 financial personnel.
Requirements:
1. The computers used by employees and financial personnel of the headquarters, branch 1 and branch 2 have independent broadcast domains, and internal servers and financial servers also have independent broadcast domains.
2. Employees' computers can access the Internet, but financial personnel's computers, internal servers and financial servers cannot access the Internet.
3. The computers used by employees and financial personnel can all access the internal servers and financial servers, and can access each other.
According to the overall topology diagram given below, plan and design the company's network and give the specific configuration in the eNSP simulator.
Refer to the IP plan in the task document.
Note that the firewall interfaces, internal or external, do not need VLANs.
We replaced vlan50 with vlan120 and vlan60 with vlan220, and used vlan50 for the headquarters' uplink to the firewall, keeping the VLANs consistent on both sides of each link.
You can also follow the division in the table; I changed it for clearer thinking.
Start networking
We build up the devices step by step, starting from the requirements.
Branch 1
Financial client1 is configured with IP 192.168.110.2 (gateway .1). (Here the gateway was wrongly configured; change 119 to 110.)
Employee pc1 is configured with 192.168.100.2 (gateway .1)
GE0/0/1 of 1_5700 configures interface vlan110 with an address of 192.168.110.1/24
The GE0/0/2 configuration interface vlan100 address of 1_5700 is 192.168.100.1/24
GE0/0/3 of 1_5700 configures interface vlan120 with an address of 10.10.10.1/30
1_5700 configures a default static route to achieve connectivity with the headquarters and branch networks
1_5700 configuration command reference
vlan batch 110 100 120 //create the VLANs, then give each vlanif its IP address
int vlanif 100
ip address 192.168.100.1 24
int vlanif 110
ip address 192.168.110.1 24
int vlanif 120
ip address 10.10.10.1 30
//Enter the interface configuration
int g 0/0/1
port link-type access
port default vlan 110
int g 0/0/2
port link-type access
port default vlan 100
int g 0/0/3
port link-type access
port default vlan 120
//Configure a static default route
ip route-static 0.0.0.0 0.0.0.0 10.10.10.2
After these commands are configured, client1 and pc1 can communicate with each other: both can reach their own gateway and have a default route toward unknown network segments (tested later)
Branch 2
In fact, the configuration of branch 2 is the same as the configuration of branch 1.
Financial client2 is configured with IP 192.168.210.2 (gateway .1)
Employee pc2 is configured with 192.168.200.2 (gateway .1)
GE0/0/1 of 2_5700 configures interface vlan210 with an address of 192.168.210.1/24
GE0/0/2 of 2_5700 configures interface vlan200 with an address of 192.168.200.1/24
GE0/0/3 of 2_5700 configures interface vlan220 with an address of 10.10.10.5/30
2_5700 configures a default static route to achieve connectivity with the headquarters and branch networks
2_5700 configuration command reference
vlan batch 210 200 220 //create the VLANs, then give each vlanif its IP address
int vlanif 200
ip address 192.168.200.1 24
int vlanif 210
ip address 192.168.210.1 24
int vlanif 220
ip address 10.10.10.5 30
//Enter the interface configuration
int g 0/0/1
port link-type access
port default vlan 210
int g 0/0/2
port link-type access
port default vlan 200
int g 0/0/3
port link-type access
port default vlan 220
//Configure a static default route
ip route-static 0.0.0.0 0.0.0.0 10.10.10.6
Headquarters
Note that the headquarters is different: its switch is a 3700 and there is no reference uplink address, so we configure it so that g0/0/3 of the core switch becomes the gateway interface for pc3 and client3, and Ethernet0/0/1 of the 3700 is configured as a trunk port.
Financial client3 is configured with IP 192.168.40.2 (gateway .1)
Employee pc3 is configured with 192.168.30.2 (gateway .1)
Headquarters Switch_3700 Configuration Reference
vlan batch 30 40
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30 40
interface Ethernet0/0/2
port link-type access
port default vlan 40
interface Ethernet0/0/3
port link-type access
port default vlan 30
Next configure their gateways
Core switch configuration
We need to configure the g 0/0/3 interface of the core switch as the gateway for the headquarters' pc3 and client3.
Do you still remember the branches' uplink addresses (next hops)?
We need to configure g 0/0/1 and g 0/0/2 as vlan120 (10.10.10.2) and vlan220 (10.10.10.6) respectively
vlan batch 30 40 120 220 50
int vlanif 30
ip address 192.168.30.1 24
int vlanif 40
ip address 192.168.40.1 24
int vlanif 120
ip address 10.10.10.2 30
int vlanif 220
ip address 10.10.10.6 30
int vlanif 50 (uplink interface to the firewall)
ip address 10.10.10.10 30
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30 40
int g 0/0/1
port link-type access
port default vlan 120
int g 0/0/2
port link-type access
port default vlan 220
int g 0/0/6
port link-type access
port default vlan 50
After this configuration, pc3 can communicate with client3
But can branch pc1 reach branch pc2? Not yet, because the core switch has no routes. Let's configure static routes this time. Of course dynamic routing could be configured, but I don't want to look through the material again.
Routing configuration of the core switch (a default route is added at the end)
ip route-static 192.168.100.0 255.255.255.0 10.10.10.1
ip route-static 192.168.110.0 255.255.255.0 10.10.10.1
ip route-static 192.168.200.0 255.255.255.0 10.10.10.5
ip route-static 192.168.210.0 255.255.255.0 10.10.10.5
ip route-static 0.0.0.0 0.0.0.0 10.10.10.9
After these routes are configured, connectivity between the headquarters and the branches should work in theory.
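As an added example (not part of the original post), the static-route design can be checked offline before testing with ping. The script below transcribes the connected subnets and static routes of the two branch switches, the core switch and the firewall (its routes are configured further down in the post) and performs a longest-prefix-match lookup per device to trace a packet hop by hop. The device labels "core" and "firewall" are my own; the ISP gateway 22.22.22.1 is from the task.

```python
import ipaddress

# Routing tables transcribed from this post's configs: each device's connected
# interface addresses plus its static routes as (prefix, next hop).
DEVICES = {
    "1_5700": (["192.168.100.1/24", "192.168.110.1/24", "10.10.10.1/30"],
               [("0.0.0.0/0", "10.10.10.2")]),
    "2_5700": (["192.168.200.1/24", "192.168.210.1/24", "10.10.10.5/30"],
               [("0.0.0.0/0", "10.10.10.6")]),
    "core": (["192.168.30.1/24", "192.168.40.1/24", "192.168.10.1/24", "192.168.20.1/24",
              "10.10.10.2/30", "10.10.10.6/30", "10.10.10.10/30"],
             [("192.168.100.0/24", "10.10.10.1"), ("192.168.110.0/24", "10.10.10.1"),
              ("192.168.200.0/24", "10.10.10.5"), ("192.168.210.0/24", "10.10.10.5"),
              ("0.0.0.0/0", "10.10.10.9")]),
    "firewall": (["10.10.10.9/30", "22.22.22.2/27"],
                 [("192.168.30.0/24", "10.10.10.10"), ("192.168.100.0/24", "10.10.10.10"),
                  ("192.168.200.0/24", "10.10.10.10"), ("0.0.0.0/0", "22.22.22.1")]),
}

def lookup(device, dst):
    """Longest-prefix match. Returns ("connected", subnet) or ("via", next_hop)."""
    dst = ipaddress.ip_address(dst)
    connected, static = DEVICES[device]
    candidates = [(ipaddress.ip_interface(c).network, "connected", None) for c in connected]
    candidates += [(ipaddress.ip_network(p), "via", nh) for p, nh in static]
    matches = [c for c in candidates if dst in c[0]]
    if not matches:
        return ("unreachable", None)
    net, kind, nh = max(matches, key=lambda c: c[0].prefixlen)
    return (kind, str(net) if kind == "connected" else nh)

def owner(ip):  # the device holding this address on a connected interface, else None
    ip = ipaddress.ip_address(ip)
    for name, (connected, _) in DEVICES.items():
        if any(ipaddress.ip_interface(c).ip == ip for c in connected):
            return name
    return None

def trace(start, dst, max_hops=8):
    """Follow the forwarding decision device by device until delivery, exit or a loop."""
    path, device = [start], start
    for _ in range(max_hops):
        kind, target = lookup(device, dst)
        if kind != "via":
            return path, kind
        device = owner(target)
        if device is None:  # next hop is not a lab device, e.g. the ISP gateway 22.22.22.1
            return path, "exits via " + target
        path.append(device)
    return path, "loop"
```

Note that the firewall holds return routes only for the three employee segments, so a lookup there for a financial address falls to the default route toward the ISP.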
Realize the construction of internal server
Two servers, one for HTTP and one for FTP, are connected to the core switch and can be accessed by internal employees.
So configure the core switch again:
vlan batch 10 20
int vlanif 10
ip address 192.168.10.1 24
int vlanif 20
ip address 192.168.20.1 24
int g 0/0/4
port link-type access
port default vlan 10
int g 0/0/5
port link-type access
port default vlan 20
After this configuration, all employees can access the internal HTTP and FTP servers (because the servers are directly connected to the core switch)
acl_deny partial user and server exit
Employees' computers must be able to access the Internet, while financial personnel's computers, internal servers and financial servers must not. We can configure an ACL on the core switch so that traffic from these hosts cannot leave through the g 0/0/6 interface (with traffic-filter, packets that match no ACL rule are permitted, so only the listed segments are blocked)
acl number 2001
rule 5 deny source 192.168.110.0 0.0.0.255
rule 10 deny source 192.168.40.0 0.0.0.255
rule 15 deny source 192.168.210.0 0.0.0.255
rule 20 deny source 192.168.20.0 0.0.0.255
rule 25 deny source 192.168.10.0 0.0.0.255
interface GigabitEthernet0/0/6
traffic-filter outbound acl 2001
Configure the egress firewall
The g 0/0/6 interface of the core switch has been configured (10.10.10.10/30) and its default route points to 10.10.10.9
We use pc5 to simulate an Internet user. Pick any intranet host and ping pc5 to complete the test.
Configure the two interfaces
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.10.10.9 255.255.255.252
service-manage ping permit
interface GigabitEthernet1/0/1
undo shutdown
ip address 22.22.22.2 255.255.255.224
service-manage ping permit
Add the interfaces to the trust and untrust zones
firewall zone trust
add int g1/0/0
firewall zone untrust
add int g1/0/1
Allow trust to reach untrust
security-policy
rule name internet
source-zone trust
destination-zone untrust
action permit
Implement address and port translation (easy-ip NAT) for Internet access
nat-policy
rule name internet
source-zone trust
destination-zone untrust
action nat easy-ip
Provide return routes for the users allowed onto the Internet
ip route-static 192.168.30.0 255.255.255.0 10.10.10.10
ip route-static 192.168.100.0 255.255.255.0 10.10.10.10
ip route-static 192.168.200.0 255.255.255.0 10.10.10.10
Now ordinary intranet users can access the Internet, but Internet users cannot initiate connections into the intranet; the figure below shows the NAT address and port translation.
(Amendment) Firewall implements Internet access restrictions
Earlier we used an ACL on the core switch to deny the financial segments and servers an exit. The firewall can be used for this as well; both achieve the same goal. This seems to be the configuration intended by the task book. If you have already configured the ACL, it does not matter; you can undo it.
Enter the g0/0/6 port of the core switch and remove the ACL filter.
int g 0/0/6
undo traffic-filter outbound acl 2001
dis this //view the configuration under the current interface
In the firewall policy, match only the segments allowed to access the Internet as source addresses, so that the financial users' and servers' segments cannot access the Internet (they match no rule and fall to the firewall's default deny policy).
security-policy
rule name internet
source-zone trust
destination-zone untrust
source-address 192.168.30.0 24
source-address 192.168.100.0 24
source-address 192.168.200.0 24
action permit
nat-policy
rule name internet
source-zone trust
destination-zone untrust
source-address 192.168.30.0 24
source-address 192.168.100.0 24
source-address 192.168.200.0 24
action nat easy-ip
Finally, add a default route on the firewall (earlier I thought that, having already reached the public network, I should not need routing here, but in fact it has not yet fully entered the public network, so we still configure the next-hop address)
ip route-static 0.0.0.0 0.0.0.0 22.22.22.1
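The two filtering methods above (the core-switch ACL with traffic-filter, and the firewall security policy with a source-address list) can be compared offline. The script below is an added example, not part of the original post: it implements Huawei wildcard-mask matching and the first-match, default-permit semantics of traffic-filter for acl 2001, and the default-deny semantics of the firewall policy, then checks both against a host in every segment of this post's IP plan. It also goes beyond the post by showing where the two differ: a segment not named in either config is permitted by the ACL but denied by the firewall policy. The segment labels in SEGMENTS are my own.

```python
import ipaddress

def wildcard_match(ip, base, wildcard):
    """Huawei-style wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    ip, base, wc = (int(ipaddress.ip_address(x)) for x in (ip, base, wildcard))
    return (ip & ~wc) == (base & ~wc)

# acl number 2001 on the core switch, applied with traffic-filter outbound on g 0/0/6.
ACL_2001 = [
    (5, "deny", "192.168.110.0", "0.0.0.255"),
    (10, "deny", "192.168.40.0", "0.0.0.255"),
    (15, "deny", "192.168.210.0", "0.0.0.255"),
    (20, "deny", "192.168.20.0", "0.0.0.255"),
    (25, "deny", "192.168.10.0", "0.0.0.255"),
]

def acl_allows(src):
    """traffic-filter semantics: the first matching rule decides; no match means permit."""
    for _num, action, base, wc in sorted(ACL_2001):
        if wildcard_match(src, base, wc):
            return action == "permit"
    return True

# Firewall security-policy rule 'internet' (trust -> untrust) with its source-address list;
# anything it does not match falls through to the USG default policy, which denies.
POLICY_SOURCES = ["192.168.30.0/24", "192.168.100.0/24", "192.168.200.0/24"]

def policy_allows(src):
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in POLICY_SOURCES)

# The segments of this post's IP plan (labels constructed here, subnets from the vlanif configs).
SEGMENTS = {
    "hq_staff": "192.168.30.0/24", "hq_finance": "192.168.40.0/24",
    "internal_srv": "192.168.10.0/24", "finance_srv": "192.168.20.0/24",
    "b1_staff": "192.168.100.0/24", "b1_finance": "192.168.110.0/24",
    "b2_staff": "192.168.200.0/24", "b2_finance": "192.168.210.0/24",
}

def compare(segments=SEGMENTS):
    """For the .2 host of each segment, return {name: (acl_allows, policy_allows)}."""
    out = {}
    for name, cidr in segments.items():
        host = str(ipaddress.ip_network(cidr)[2])
        out[name] = (acl_allows(host), policy_allows(host))
    return out

def same_decisions(segments=SEGMENTS):
    """True when both filtering methods agree for every segment given."""
    return all(a == p for a, p in compare(segments).values())
```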
DHCP assigns IPs
Previously our internal PCs were configured manually. Next we use DHCP. To do this, configure DHCP on the gateway interface of each network segment; the commands are simple, you just need to find the gateway interface.
Take pc1 as an example. pc1's gateway is configured under vlanif 100 (g0/0/2 of branch switch 1_5700), so we enter vlanif 100.
Configured and tested with pc1:
We can see that the IP address was successfully obtained: 192.168.100.254
Epilogue
Real networks are far more complex than this, but this practice is also a fast and effective method. Due to my limited knowledge, there are inevitably clumsy parts in the configuration. If you have better configuration methods or ideas, you are welcome to get in touch.
Finally, the project file is attached as a reference (in it the ACL filtering on the core switch is still in place).
Files shared through Baidu Netdisk: ensp networking course...
Link: https://pan.baidu.com/s/1WIWXh5hdAXScZReCiuT5wg?pwd=9uwn
Extraction code: 9uwn
Use dis cu (display current-configuration) to see all of a device's configuration!
Friends, please like, follow and favourite!