最近找到一个小企业网的拓扑,就来练练手。先上拓扑:
![](https://i-blog.csdnimg.cn/blog_migrate/b9696d8ecb978a107c449cb11f2a1663.jpeg)
以下为核心交换机(三层交换机,各部门 VLAN 的网关 SVI 与部门间的 ACL 都配置在这台设备上)的配置。注意原文把同一份 show run 输出粘贴了两遍,第二份与第一份逐行相同:
Switch#show run
Building configuration...
Building configuration...
Current configuration : 3354 bytes
!
version 12.2
! Log and debug timestamps are turned off, so any syslog/console message
! this device produces carries no time reference -- useless for incident
! reconstruction. No `logging host` or NTP source appears in this listing
! either; enable `service timestamps log datetime msec` before relying on
! the logs for anything.
no service timestamps log datetime msec
no service timestamps debug datetime msec
! Passwords would be stored in clear text -- but note that NO password,
! `enable secret` or `username` appears anywhere in this configuration,
! which matters for the line section at the bottom.
no service password-encryption
!
hostname Switch
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
!
!
!
!
! Fa0/1: routed port (no switchport) on 192.168.1.0/24; 192.168.1.2 is the
! next hop of the default route configured under `ip route` below. No ACL
! is applied here, so all filtering happens on Fa0/9 and on the SVIs.
interface FastEthernet0/1
no switchport
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
! Fa0/2: the only access port in the listing. It is in VLAN 17 -- the one
! subnet every department ACL below permits traffic FROM, and the only SVI
! with no ACL at all. A host on this port reaches every department VLAN.
interface FastEthernet0/2
switchport access vlan 17
!
! Fa0/3-Fa0/8: 802.1Q trunks (presumably to the access switches -- the
! topology image is not reproduced here). They carry every VLAN (no
! `switchport trunk allowed vlan`), keep native VLAN 1, and still send DTP
! frames; add `switchport nonegotiate` and prune the allowed-VLAN list.
interface FastEthernet0/3
switchport mode trunk
!
interface FastEthernet0/4
switchport mode trunk
!
interface FastEthernet0/5
switchport mode trunk
!
interface FastEthernet0/6
switchport mode trunk
!
interface FastEthernet0/7
switchport mode trunk
!
interface FastEthernet0/8
switchport mode trunk
!
! Fa0/9: second routed port, 192.168.100.0/24. ACL 101 (see below) is
! applied inbound, i.e. to packets arriving FROM that segment.
interface FastEthernet0/9
no switchport
ip address 192.168.100.1 255.255.255.0
ip access-group 101 in
duplex auto
speed auto
!
! Fa0/10-Fa0/24 and Gi0/1-0/2 carry no configuration at all, so they run
! with IOS defaults (VLAN 1, DTP negotiation enabled). Anything plugged into
! one of them can try to negotiate a trunk. Every port without a host should
! be `shutdown` and moved to an unused access VLAN.
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
! SVIs. VLAN 1 is administratively down (good); VLAN 9 exists but has no
! address -- its purpose is not visible in this listing.
interface Vlan1
no ip address
shutdown
!
interface Vlan9
no ip address
!
! Department gateways 192.168.11.1-192.168.17.1. Watch the ACL direction:
! `out` filters packets leaving the switch TOWARD that VLAN's hosts; `in`
! filters packets those hosts send into the switch. Only VLAN 13 (caiwu)
! is filtered inbound; VLAN 17 is not filtered at all.
interface Vlan11
ip address 192.168.11.1 255.255.255.0
ip access-group renshi out
!
interface Vlan12
ip address 192.168.12.1 255.255.255.0
ip access-group xingzheng out
!
interface Vlan13
ip address 192.168.13.1 255.255.255.0
ip access-group caiwu in
!
interface Vlan14
ip address 192.168.14.1 255.255.255.0
ip access-group yinxiao out
!
interface Vlan15
ip address 192.168.15.1 255.255.255.0
ip access-group shichang out
!
interface Vlan16
ip address 192.168.16.1 255.255.255.0
ip access-group jishu out
!
interface Vlan17
ip address 192.168.17.1 255.255.255.0
!
ip classless
! Default route: anything not destined for a connected subnet is forwarded
! to 192.168.1.2 via Fa0/1.
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
!
! ACL 101 -- inbound on Fa0/9 (traffic from 192.168.100.0/24).
! 192.168.0.0 0.0.31.255 is 192.168.0.0-192.168.31.255: it covers the
! department VLANs and the 192.168.1.0/24 uplink, but not 192.168.100.0/24.
! Entry 2 (`permit ip any any`) matches everything entry 1 did not, so
! entry 3 is unreachable: every host on the segment except .3 is admitted
! into the internal /19. If the intent was ".4 only", drop entry 2 (the
! implicit deny then applies) or move it after entry 3. The list matches
! on source IP only; nothing in this listing prevents another host on the
! segment from using the .4 address.
access-list 101 deny ip host 192.168.100.3 192.168.0.0 0.0.31.255
access-list 101 permit ip any any
access-list 101 permit ip host 192.168.100.4 192.168.0.0 0.0.31.255
! caiwu -- inbound on Vlan13 (finance). Finance hosts may send only to
! VLAN 17; the explicit `deny ip any any` drops everything else, including
! replies to 192.168.100.4, so the management host that the other VLAN
! ACLs permit gets no answer from finance. Because Vlan13 has no `out`
! ACL, packets from any other VLAN (or from Fa0/1 / Fa0/9, as far as
! ACL 101 allows) still reach finance hosts one way; only the return path
! is cut. These ACLs are stateless: that stops TCP sessions from
! completing but not one-way UDP or ICMP.
ip access-list extended caiwu
permit ip 192.168.13.0 0.0.0.255 192.168.17.0 0.0.0.255
deny ip any any
! renshi -- outbound on Vlan11 (packets heading to 192.168.11.0/24).
! The `deny` entry matches only packets SOURCED from 192.168.11.0/24
! leaving through the Vlan11 SVI, which for routed inter-VLAN traffic
! never happens (it would be a hairpin back into the same subnet), so
! the entry is effectively dead. Isolation actually comes from the
! implicit deny at the end of the list -- which also drops every packet
! from 192.168.1.0/24 and from anywhere beyond the default route, i.e.
! all return traffic from the uplink. If VLAN 11 is supposed to reach the
! outside, add a return-path permit such as
! `permit tcp any 192.168.11.0 0.0.0.255 established`, or move the policy
! inbound on Vlan11 with destination-based deny entries.
ip access-list extended renshi
permit ip 192.168.17.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.31.255
permit ip host 192.168.100.4 192.168.11.0 0.0.0.255
! xingzheng / yinxiao / shichang / jishu -- outbound on Vlan12/14/15/16.
! Same pattern as renshi (only the entry order differs; no entry shadows
! another here, so the order is harmless): a dead `deny`, isolation via
! the implicit deny, and no return path from the uplink.
ip access-list extended xingzheng
permit ip 192.168.17.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip host 192.168.100.4 192.168.12.0 0.0.0.255
deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.31.255
ip access-list extended yinxiao
permit ip 192.168.17.0 0.0.0.255 192.168.14.0 0.0.0.255
permit ip host 192.168.100.4 192.168.14.0 0.0.0.255
deny ip 192.168.14.0 0.0.0.255 192.168.0.0 0.0.31.255
ip access-list extended shichang
permit ip 192.168.17.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip host 192.168.100.4 192.168.15.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.31.255
ip access-list extended jishu
permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
permit ip host 192.168.100.4 192.168.16.0 0.0.0.255
deny ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.31.255
!
!
!
!
!
!
!
! Console: `exec-timeout 0 0` means a session never expires, and with no
! `enable secret` in this configuration the console goes to privileged
! EXEC without any credential. VTY 0-4 has `login` but no `password` and
! no `login local`/AAA, so IOS will refuse remote sessions ("Password
! required, but none set") -- remote access is effectively off, not
! secured. Before exposing the VTYs: set an enable secret, a finite
! exec-timeout, local users or AAA, and `transport input ssh`.
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
!
!
!
end
!
! Verbatim second copy of the running configuration that already appears
! above (starting at the first `version 12.2` line, directly under
! `Current configuration : 3354 bytes`). It is a paste artifact of the
! original post and adds nothing; read the first copy instead.
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
!
!
!
!
interface FastEthernet0/1
no switchport
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/2
switchport access vlan 17
!
interface FastEthernet0/3
switchport mode trunk
!
interface FastEthernet0/4
switchport mode trunk
!
interface FastEthernet0/5
switchport mode trunk
!
interface FastEthernet0/6
switchport mode trunk
!
interface FastEthernet0/7
switchport mode trunk
!
interface FastEthernet0/8
switchport mode trunk
!
interface FastEthernet0/9
no switchport
ip address 192.168.100.1 255.255.255.0
ip access-group 101 in
duplex auto
speed auto
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan9
no ip address
!
interface Vlan11
ip address 192.168.11.1 255.255.255.0
ip access-group renshi out
!
interface Vlan12
ip address 192.168.12.1 255.255.255.0
ip access-group xingzheng out
!
interface Vlan13
ip address 192.168.13.1 255.255.255.0
ip access-group caiwu in
!
interface Vlan14
ip address 192.168.14.1 255.255.255.0
ip access-group yinxiao out
!
interface Vlan15
ip address 192.168.15.1 255.255.255.0
ip access-group shichang out
!
interface Vlan16
ip address 192.168.16.1 255.255.255.0
ip access-group jishu out
!
interface Vlan17
ip address 192.168.17.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
!
access-list 101 deny ip host 192.168.100.3 192.168.0.0 0.0.31.255
access-list 101 permit ip any any
access-list 101 permit ip host 192.168.100.4 192.168.0.0 0.0.31.255
ip access-list extended caiwu
permit ip 192.168.13.0 0.0.0.255 192.168.17.0 0.0.0.255
deny ip any any
ip access-list extended renshi
permit ip 192.168.17.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.31.255
permit ip host 192.168.100.4 192.168.11.0 0.0.0.255
ip access-list extended xingzheng
permit ip 192.168.17.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip host 192.168.100.4 192.168.12.0 0.0.0.255
deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.31.255
ip access-list extended yinxiao
permit ip 192.168.17.0 0.0.0.255 192.168.14.0 0.0.0.255
permit ip host 192.168.100.4 192.168.14.0 0.0.0.255
deny ip 192.168.14.0 0.0.0.255 192.168.0.0 0.0.31.255
ip access-list extended shichang
permit ip 192.168.17.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip host 192.168.100.4 192.168.15.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.31.255
ip access-list extended jishu
permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
permit ip host 192.168.100.4 192.168.16.0 0.0.0.255
deny ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.31.255
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
!
!
!
end
感觉把 ACL 下放到接入层的二层交换机上可能会更好,但有些懒,就没有配。。呵呵。(补充:Cisco 二层交换机上的端口 ACL 一般只支持入方向,而上面这份配置的问题主要不在 ACL 放在哪一层,而在方向和条目顺序——例如 ACL 101 第三条被前面的 `permit ip any any` 完全遮蔽,各部门 out 方向 ACL 里以本 VLAN 为源的 deny 条目对跨 VLAN 流量永远匹配不到,真正起隔离作用的是末尾的隐含 deny,它同时也把从上联口回来的流量一并丢掉;另外 caiwu 只做了 in 方向,其他 VLAN 的单向流量仍能到达财务主机。接入层更值得做的是关闭未用端口、给 trunk 加 `switchport nonegotiate` 并限制允许通过的 VLAN。)
转载于:https://blog.51cto.com/hai123/264355