2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The network architecture is as follows:
1 Network architecture scheme design
1.1 Scenario description
The corporate network consists of a core layer and an access layer; the core layer is the backbone of the network.
Different departments use different VLANs.
Publish the servers in vlan154 to the extranet and make VM1 accessible.
Enable the vlan155 network segment to access the public network.
The management VLAN is vlan100.
Enhance the security of the network with ACLs.
1.2 IP address planning
Vlan154: 172.16.154.0/24 Gateway: 172.16.154.254
Vlan155: 172.16.155.0/24 Gateway: 172.16.155.254
Vlan100: 172.16.100.0/24 Gateway: 172.16.100.254
2 Scheme implementation
Create the VLANs and configure VTP synchronization; the operations on sw1 and sw2 are identical:
SW_R(config)#hostname sw_r
Sw_r(config)#ip routing
Sw_r(config)#vlan 100
Sw_r(config-vlan)#vlan 154
Sw_r(config-vlan)#vlan 155
Sw_r#show vlan-switch
VLAN Name Status Ports
1 default active Fa1/0, Fa1/1, Fa1/2, Fa1/3
Fa1/4, Fa1/5, Fa1/6, Fa1/7
Fa1/8, Fa1/9, Fa1/10, Fa1/11
Fa1/12, Fa1/13, Fa1/14, Fa1/15
100 VLAN0100 active
154 VLAN0154 active
155 VLAN0155 active
Sw_r(config)#int range f1/1 , f1/3
Sw_r(config-if-range)#sw mode trunk
Sw_r(config)#vtp domain cisco
Sw_r(config)#vtp password cisco
Sw_r(config)#vtp mode server
Sw_r(config)#vtp pruning
Sw1(config)#hostname sw1
Sw1(config)#int f1/1
Sw1(config-if)#sw mo tr
Sw1(config)#vtp domain cisco
Sw1(config)#vtp password cisco
Sw1(config)#vtp mode client
Sw1#show vlan-switch
VLAN Name Status Ports
1 default active Fa1/0, Fa1/2, Fa1/3, Fa1/4
Fa1/5, Fa1/6, Fa1/7, Fa1/8
Fa1/9, Fa1/10, Fa1/11, Fa1/12
Fa1/13, Fa1/14, Fa1/15
100 VLAN0100 active
154 VLAN0154 active
155 VLAN0155 active
Sw1(config)#int range f1/2 - 10
Sw1(config-if-range)#sw mo access
Sw1(config-if-range)#sw ac vlan 154
Sw1(config)#int range f1/11 - 15
Sw1(config-if-range)#sw mo access
Sw1(config-if-range)#sw ac vlan 155
Sw1#show vlan-switch
VLAN Name Status Ports
1 default active Fa1/0
100 VLAN0100 active
154 VLAN0154 active Fa1/2, Fa1/3, Fa1/4, Fa1/5
Fa1/6, Fa1/7, Fa1/8, Fa1/9
Fa1/10
155 VLAN0155 active Fa1/11, Fa1/12, Fa1/13, Fa1/14
Fa1/15
Sw1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa1/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa1/1 1-1005
Configure the IP address:
Sw_r(config)#int f1/4
Sw_r(config-if)#no switchport
Sw_r(config-if)#ip add 192.168.1.1 255.255.255.252
Sw_r(config-if)#no sh
Sw_r(config)#int vlan 100
Sw_r(config-if)#ip add 172.16.100.254 255.255.255.0
Sw_r(config-if)#no sh
Sw_r(config-if)#int vlan 154
Sw_r(config-if)#ip add 172.16.154.254 255.255.255.0
Sw_r(config-if)#no sh
Sw_r(config-if)#int vlan 155
Sw_r(config-if)#ip add 172.16.155.254 255.255.255.0
Sw_r(config-if)#no sh
Sw_r#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset up down
FastEthernet1/1 unassigned YES unset up up
FastEthernet1/2 unassigned YES unset up down
FastEthernet1/3 unassigned YES unset up up
FastEthernet1/4 192.168.1.1 YES manual up up
FastEthernet1/5 unassigned YES unset up down
FastEthernet1/6 unassigned YES unset up down
FastEthernet1/7 unassigned YES unset up down
FastEthernet1/8 unassigned YES unset up down
FastEthernet1/9 unassigned YES unset up down
FastEthernet1/10 unassigned YES unset up down
FastEthernet1/11 unassigned YES unset up down
FastEthernet1/12 unassigned YES unset up down
FastEthernet1/13 unassigned YES unset up down
FastEthernet1/14 unassigned YES unset up down
FastEthernet1/15 unassigned YES unset up down
Vlan1 unassigned YES unset up up
Vlan100 172.16.100.254 YES manual up up
Vlan154 172.16.154.254 YES manual up up
Vlan155 172.16.155.254 YES manual up up
ROUTER(config)#hostname router
Router(config)#int f0/0
Router(config-if)#ip add 192.168.1.2 255.255.255.252
Router(config-if)#no sh
Router(config-if)#int f1/0
Router(config-if)#ip add 10.1.1.1 255.255.255.252
Router(config-if)#no sh
Router(config-if)#end
Router#show ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.2 YES manual up up
FastEthernet1/0 10.1.1.1 YES manual up up
FastEthernet2/0 unassigned YES unset administratively down down
Router#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/64 ms
Sw1(config-if)#int vlan 100
Sw1(config-if)#ip add 172.16.100.1 255.255.255.0
Sw1(config-if)#no sh
Sw1(config)#ip default-gateway 172.16.100.254
Sw1#show ip int vlan 100
Vlan100 is up, line protocol is up
Internet address is 172.16.100.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
...
Sw1#ping 172.16.100.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.254, timeout is 2 seconds:
!
Sw3(config)#int vlan 100
Sw3(config-if)#ip add 172.16.100.3 255.255.255.0
Sw3(config-if)#no sh
Sw3(config)#ip default-gateway 172.16.100.254
Sw3#sh ip int vlan 100
Vlan100 is up, line protocol is up
Internet address is 172.16.100.3/24
Broadcast address is 255.255.255.255
Address determined by setup command
...
Sw3#ping 172.16.100.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.254, timeout is 2 seconds:
.!
Internet(config)#hostname Internet
Internet(config)#int f0/0
Internet(config-if)#ip add 10.1.1.2 255.255.255.252
Internet(config-if)#no sh
Internet(config-if)#int f1/0
Internet(config-if)#ip add 10.1.1.5 255.255.255.252
Internet(config-if)#no sh
Internet#sh ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.2 YES manual up up
FastEthernet1/0 10.1.1.5 YES manual up up
Internet#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/34/48 ms
R8(config)#hostname R8
R8(config)#int f0/0
R8(config-if)#ip add 10.1.1.6 255.255.255.252
R8(config-if)#no sh
R8(config-if)#int f1/0
R8(config-if)#ip add 192.168.60.254 255.255.255.0
R8(config-if)#no sh
Configure routing:
Sw_r(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
Router(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
Router(config)#ip route 172.16.100.0 255.255.255.0 192.168.1.1
Router(config)#ip route 172.16.154.0 255.255.255.0 192.168.1.1
Router(config)#ip route 172.16.155.0 255.255.255.0 192.168.1.1
R8(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.5
Configure DHCP services on the core switch
Sw_r(config)#ip dhcp pool vlan154
Sw_r(dhcp-config)#network 172.16.154.0 255.255.255.0
Sw_r(dhcp-config)#default-router 172.16.154.254
Sw_r(dhcp-config)#dns-server 202.96.134.33 202.96.134.133
Sw_r(config)#ip dhcp excluded-address 172.16.154.254
Sw_r(config)#ip dhcp pool vlan155
Sw_r(dhcp-config)#network 172.16.155.0 255.255.255.0
Sw_r(dhcp-config)#dns-server 202.96.134.33 202.96.134.133
Sw_r(dhcp-config)#default-router 172.16.155.254
Sw_r(config)#ip dhcp excluded-address 172.16.155.254
A host in vlan155 obtains its IP address:
R6(config)#int f0/0
R6(config-if)#ip add dhcp
R6#sh ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.155.1 YES DHCP up up
FastEthernet0/1 unassigned YES unset administratively down down
Configure NAT to allow vlan155 to access the public network:
ROUTER(config)#access-list 1 permit 172.16.155.0 0.0.0.255
ROUTER(config)#ip nat inside source list 1 interface f1/0 overload
ROUTER(config)#int f1/0
ROUTER(config-if)#ip nat outside
ROUTER(config)#int f0/0
ROUTER(config-if)#ip nat inside
R6#ping 10.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/68/128 ms
View NAT statistics:
ROUTER#sh ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces:
FastEthernet1/0
Inside interfaces:
FastEthernet0/0
Hits: 54 Misses: 6
CEF Translated packets: 60, CEF Punted packets: 0
Expired translations: 4
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface FastEthernet1/0 refcount 2
Appl doors: 0
Normal doors: 0
Queued Packets: 0
View the current NAT translation entries. Dynamic entries appear only while packets are being translated; if no packets are being translated, only static NAT entries are displayed.
ROUTER#sh ip nat translations
Pro  Inside global    Inside local      Outside local    Outside global
icmp 10.1.1.1:20      172.16.155.1:20   10.1.1.6:20      10.1.1.6:20
icmp 10.1.1.1:21      172.16.155.1:21   10.1.1.6:21      10.1.1.6:21
icmp 10.1.1.1:22      172.16.155.1:22   10.1.1.6:22      10.1.1.6:22
Monitor NAT:
ROUTER#sh ip nat translations verbose
Pro  Inside global    Inside local      Outside local    Outside global
icmp 10.1.1.1:24      172.16.155.1:24   10.1.1.6:24      10.1.1.6:24
Create 00:00:03, use 00:00:03 timeout:60000, left 00:00:56, Map-Id (In): 1
Flags:
Extended, use_count: 0, entry-id: 17, lc_entries: 0
Publish the Web server to the public network:
ROUTER(config)#ip nat inside source static tcp 172.16.154.1 80 10.1.1.1 80 extendable
View static NAT entries:
ROUTER#sh ip nat translations
Pro  Inside global    Inside local      Outside local    Outside global
tcp  10.1.1.1:80      172.16.154.1:80
Open port 80 on the Web server
Access on the client:
Configure telnet remote management:
ROUTER(config)#line vty 0 4
ROUTER(config-line)#password cisco
ROUTER(config-line)#login
ROUTER(config)#enable secret cisco
Configure SSH remote management:
Sw1(config)#ip domain-name cisco.com
Sw1(config)#username best password best1
Sw1(config)#crypto key generate rsa general-keys modulus 1024
Sw1(config)#ip ssh version 2
Sw1(config)#line vty 0 4
Sw1(config-line)#login local
Sw1(config-line)#transport input ssh   (only allow SSH login)
Login methods:
From a Cisco network device: ssh -l best 192.168.1.1
From Xshell: ssh 172.16.100.254
Configure the console login password:
Sw1(config)#line console 0
Sw1(config-line)#password cisco
Sw1(config-line)#login
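The telnet, SSH and console settings above, tightened into one management-plane configuration that also applies the scenario's "ACL" goal to the vty lines. This is an added example, not configuration from the original article; the ACL name MGMT-ONLY, the timeout and retry values and the passphrase placeholders are assumptions, while 172.16.100.0/24 is the management VLAN from section 1.2.

```cisco
! Added example (not from the original article).
! Assumed names/values: MGMT-ONLY, timeouts, retries, <...> placeholders.

! Only the management VLAN (vlan100, 172.16.100.0/24) may open a vty session;
! every other source is denied and logged.
ip access-list standard MGMT-ONLY
 permit 172.16.100.0 0.0.0.255
 deny   any log

! Replace the clear-text "username best password best1" entry with a
! hashed secret, and use a non-default enable secret.
no username best
username best secret <passphrase-placeholder>
enable secret <different-passphrase-placeholder>

! SSHv2 with a 2048-bit host key instead of the 1024-bit key used above.
ip domain-name cisco.com
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3

! vty lines: SSH only (no telnet), per-user local login, source-restricted,
! idle sessions dropped after 5 minutes.
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
 exec-timeout 5 0

! Console: per-user login and idle timeout instead of a shared line password.
line console 0
 login local
 exec-timeout 5 0

! Obscure any remaining line passwords in the stored configuration.
service password-encryption
```

After applying it, `show ip ssh` confirms that SSH version 2 is enabled and `show access-lists MGMT-ONLY` shows match counters for permitted and denied management sources.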