2025-01-19 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
Blog catalogue
The topology diagram
1. Demand analysis
2. Start the configuration
3. Verify
The topology diagram is as follows:
1. Demand analysis:
1) PC1 and PC2 can ping the web server 172.16.1.100 in the dmz zone.
2) PC1 and PC2 can ping 202.96.3.1; this requires Easy-IP NAT on the firewall.
3) The host 202.96.2.1 uses HTTP to reach 202.96.1.50, the address at which the dmz web server is published to the untrust zone.
2. Start the configuration:
Configure the IP address and gateway on the intranet PCs.
The SW1 configuration is as follows:
[S1] vlan batch 10 30 40                            # create VLANs 10, 30 and 40 in one command
[S1] int vlan 10                                    # enter Vlanif 10
[S1-Vlanif10] ip add 192.168.10.254 24              # configure the IP address
[S1-Vlanif10] undo shutdown                         # enable the interface
[S1-Vlanif10] int vlan 30                           # enter Vlanif 30
[S1-Vlanif30] ip add 192.168.30.1 24                # configure the IP address
[S1-Vlanif30] undo shutdown                         # enable the interface
[S1-Vlanif30] quit                                  # repeated commands below are not commented again
[S1] int vlan 40
[S1-Vlanif40] ip add 192.168.40.1 24
[S1-Vlanif40] undo shutdown
[S1-Vlanif40] quit
[S1] int eth0/0/1                                   # enter the interface
[S1-Ethernet0/0/1] port link-type trunk             # configure as a trunk link
[S1-Ethernet0/0/1] port trunk allow-pass vlan all   # allow all VLANs on the trunk
[S1-Ethernet0/0/1] quit
[S1] int Ethernet0/0/4                              # enter the interface
[S1-Ethernet0/0/4] port link-type access            # configure as an access link
[S1-Ethernet0/0/4] port default vlan 40             # put the interface in VLAN 40
[S1-Ethernet0/0/4] quit
[S1] int Eth-Trunk 1                                # create link aggregation group 1
[S1-Eth-Trunk1] quit
[S1] int eth0/0/2                                   # enter the interface
[S1-Ethernet0/0/2] eth-trunk 1                      # add the interface to Eth-Trunk 1
[S1-Ethernet0/0/2] quit
[S1] int eth0/0/3                                   # enter the interface
[S1-Ethernet0/0/3] eth-trunk 1                      # add the interface to Eth-Trunk 1
[S1-Ethernet0/0/3] quit
[S1] int Eth-Trunk1                                 # enter the aggregation interface
[S1-Eth-Trunk1] port link-type trunk                # configure as a trunk link
[S1-Eth-Trunk1] port trunk allow-pass vlan all      # allow all VLANs on the trunk
[S1-Eth-Trunk1] quit
[S1] rip 1                                          # configure RIP process 1
[S1-rip-1] version 2                                # RIP version 2
[S1-rip-1] network 192.168.10.0                     # advertise the directly connected network
[S1-rip-1] network 192.168.30.0                     # advertise the directly connected network
[S1-rip-1] network 192.168.40.0                     # advertise the directly connected network
[S1-rip-1] quit
[S1] bgp 300                                        # configure BGP with AS number 300
[S1-bgp] peer 192.168.40.2 as-number 200            # establish the eBGP neighbor R1 (AS 200)
[S1-bgp] peer 192.168.30.2 as-number 300            # establish the iBGP neighbor S2 (AS 300)
[S1-bgp] peer 192.168.30.2 next-hop-local           # set this switch as next hop for routes sent to S2, so S2 can reach them
[S1-bgp] quit
The SW2 configuration is as follows: (for related notes, please refer to SW1)
[S2] vlan batch 20 30 50
[S2] int vlan 20
[S2-Vlanif20] ip add 192.168.20.254 24
[S2-Vlanif20] undo shutdown
[S2-Vlanif20] quit
[S2] int vlan 30
[S2-Vlanif30] ip add 192.168.30.2 24
[S2-Vlanif30] undo shutdown
[S2-Vlanif30] quit
[S2] int vlan 50
[S2-Vlanif50] ip add 192.168.50.1 24
[S2-Vlanif50] undo shutdown
[S2-Vlanif50] quit
[S2] int eth0/0/1
[S2-Ethernet0/0/1] port link-type trunk
[S2-Ethernet0/0/1] port trunk allow-pass vlan all
[S2-Ethernet0/0/1] quit
[S2] int eth0/0/4
[S2-Ethernet0/0/4] port link-type access
[S2-Ethernet0/0/4] port default vlan 50
[S2-Ethernet0/0/4] quit
[S2] int Eth-Trunk1
[S2-Eth-Trunk1] quit
[S2] int eth0/0/2
[S2-Ethernet0/0/2] eth-trunk 1
[S2-Ethernet0/0/2] quit
[S2] int eth0/0/3
[S2-Ethernet0/0/3] eth-trunk 1
[S2-Ethernet0/0/3] quit
[S2] int Eth-Trunk1
[S2-Eth-Trunk1] port link-type trunk
[S2-Eth-Trunk1] port trunk allow-pass vlan all
[S2-Eth-Trunk1] quit
[S2] rip 1
[S2-rip-1] version 2
[S2-rip-1] network 192.168.20.0
[S2-rip-1] network 192.168.30.0
[S2-rip-1] network 192.168.50.0
[S2-rip-1] quit
[S2] bgp 300
[S2-bgp] peer 192.168.50.2 as-number 200
[S2-bgp] peer 192.168.30.1 as-number 300
[S2-bgp] peer 192.168.30.1 next-hop-local
[S2-bgp] network 192.168.10.0
[S2-bgp] network 192.168.20.0
[S2-bgp] quit
The SW3 configuration is as follows:
[S3] int eth0/0/3
[S3-Ethernet0/0/3] port link-type trunk
[S3-Ethernet0/0/3] port trunk allow-pass vlan all
[S3-Ethernet0/0/3] quit
[S3] int eth0/0/4
[S3-Ethernet0/0/4] port link-type trunk
[S3-Ethernet0/0/4] port trunk allow-pass vlan all
[S3-Ethernet0/0/4] quit
[S3] vlan batch 10 20 30
[S3] int eth0/0/1
[S3-Ethernet0/0/1] port link-type access
[S3-Ethernet0/0/1] port default vlan 10
[S3-Ethernet0/0/1] quit
[S3] int eth0/0/2
[S3-Ethernet0/0/2] port link-type access
[S3-Ethernet0/0/2] port default vlan 20
[S3-Ethernet0/0/2] quit
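The three switch configurations above all use `port trunk allow-pass vlan all`, which carries every VLAN across each trunk and the Eth-Trunk, whereas an access port without `port default vlan` silently stays in VLAN 1. Both are worth catching before a configuration goes live. The script below is an added example, not code from the article: it parses configuration text in the article's one-prompt-per-command style into per-interface settings and reports trunks that allow all VLANs and access ports left in VLAN 1. The sample configuration is constructed from excerpts of S1 and S3; the Eth-Trunk1 line is deliberately changed to a pruned VLAN list to show the form that passes the check.

```python
import re

# Constructed sample in the article's prompt-per-command style (excerpts modelled on S1 and S3).
# Eth-Trunk1 is shown with a pruned VLAN list, which is the form the audit accepts.
SAMPLE_CONFIG = """
[S1] int eth0/0/1
[S1-Ethernet0/0/1] port link-type trunk
[S1-Ethernet0/0/1] port trunk allow-pass vlan all   # allow all VLANs
[S1-Ethernet0/0/1] quit
[S1] int Ethernet0/0/4
[S1-Ethernet0/0/4] port link-type access
[S1-Ethernet0/0/4] port default vlan 40
[S1-Ethernet0/0/4] quit
[S1] int eth0/0/2
[S1-Ethernet0/0/2] eth-trunk 1
[S1-Ethernet0/0/2] quit
[S1] int eth0/0/3
[S1-Ethernet0/0/3] eth-trunk 1
[S1-Ethernet0/0/3] quit
[S1] int Eth-Trunk1
[S1-Eth-Trunk1] port link-type trunk
[S1-Eth-Trunk1] port trunk allow-pass vlan 10 30 40
[S1-Eth-Trunk1] quit
[S3] int eth0/0/1
[S3-Ethernet0/0/1] port link-type access
[S3-Ethernet0/0/1] quit
"""

# "[S1-Ethernet0/0/1] port link-type trunk" -> dev=S1, ctx=Ethernet0/0/1, cmd=port link-type trunk
PROMPT_RE = re.compile(r"^\[(?P<dev>[A-Za-z0-9]+)(?:-(?P<ctx>[^\]]+))?\]\s*(?P<cmd>.*)$")
IFACE_PREFIXES = ("Ethernet", "GigabitEthernet", "Eth-Trunk")


def parse_interfaces(text):
    """Collect per-interface settings keyed by (device, interface) from prompt-style lines."""
    ifaces = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop trailing comments
        m = PROMPT_RE.match(line)
        if not m or not m.group("ctx") or not m.group("ctx").startswith(IFACE_PREFIXES):
            continue                                  # system view, Vlanif, rip, bgp: not interfaces
        cfg = ifaces.setdefault((m.group("dev"), m.group("ctx")), {})
        words = m.group("cmd").split()
        if words[:2] == ["port", "link-type"]:
            cfg["link_type"] = words[2]
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            cfg["allowed_vlans"] = words[4:]          # ["all"] or a list of VLAN ids
        elif words[:3] == ["port", "default", "vlan"]:
            cfg["access_vlan"] = words[3]
        elif words[:1] == ["eth-trunk"]:
            cfg["member_of"] = words[1]
    return ifaces


def audit(ifaces):
    """Return (device, interface, message) findings for over-permissive or incomplete ports."""
    findings = []
    for (dev, name), cfg in ifaces.items():
        if cfg.get("link_type") == "trunk" and cfg.get("allowed_vlans") == ["all"]:
            findings.append((dev, name, "trunk allows all VLANs; restrict allow-pass to the VLANs it must carry"))
        if cfg.get("link_type") == "access" and "access_vlan" not in cfg:
            findings.append((dev, name, "access port has no default vlan, so it stays in VLAN 1"))
    return findings


if __name__ == "__main__":
    for dev, name, msg in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{dev} {name}: {msg}")
```

Run it on a saved session transcript to get one finding per offending port; the parser ignores everything outside interface views, so RIP, BGP and Vlanif lines do not need to be stripped first.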
R1 is configured as follows:
[R1] int g0/0/0
[R1-GigabitEthernet0/0/0] ip add 192.168.40.2 24
[R1-GigabitEthernet0/0/0] int g0/0/1
[R1-GigabitEthernet0/0/1] ip add 192.168.50.2 24
[R1-GigabitEthernet0/0/1] int g0/0/2
[R1-GigabitEthernet0/0/2] ip add 192.168.60.1 24
[R1-GigabitEthernet0/0/2] int loo0
[R1-LoopBack0] ip add 1.1.1.1 32
[R1-LoopBack0] quit
[R1] ospf 1 router-id 1.1.1.1                              # OSPF process 1 with router ID 1.1.1.1
[R1-ospf-1] area 0                                         # backbone area 0
[R1-ospf-1-area-0.0.0.0] network 192.168.60.0 0.0.0.255   # advertise the directly connected network
[R1-ospf-1-area-0.0.0.0] quit
[R1-ospf-1] quit
[R1] bgp 200
[R1-bgp] router-id 1.1.1.1
[R1-bgp] peer 192.168.40.1 as-number 300
[R1-bgp] peer 192.168.50.1 as-number 300
[R1-bgp] peer 192.168.60.2 as-number 200
[R1-bgp] peer 192.168.60.2 next-hop-local
[R1-bgp] quit
R2 is configured as follows:
[R2] int g0/0/0
[R2-GigabitEthernet0/0/0] ip add 192.168.60.2 24
[R2-GigabitEthernet0/0/0] int g0/0/1
[R2-GigabitEthernet0/0/1] ip add 192.168.70.1 24
[R2-GigabitEthernet0/0/1] int loo0
[R2-LoopBack0] ip add 2.2.2.2 32
[R2-LoopBack0] quit
[R2] ospf 1 router-id 2.2.2.2
[R2-ospf-1] area 0
[R2-ospf-1-area-0.0.0.0] network 192.168.60.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0] quit
[R2-ospf-1] quit
[R2] bgp 200
[R2-bgp] router-id 2.2.2.2
[R2-bgp] peer 192.168.60.1 as-number 200
[R2-bgp] peer 192.168.70.2 as-number 100
[R2-bgp] peer 192.168.60.1 next-hop-local
[R2-bgp] quit
R3 is configured as follows:
[R3] int g0/0/0
[R3-GigabitEthernet0/0/0] ip add 192.168.70.2 24
[R3-GigabitEthernet0/0/0] int g0/0/1
[R3-GigabitEthernet0/0/1] ip add 192.168.80.1 24
[R3-GigabitEthernet0/0/1] int loo0
[R3-LoopBack0] ip add 3.3.3.3 32
[R3-LoopBack0] quit
[R3] bgp 100
[R3-bgp] router-id 3.3.3.3
[R3-bgp] peer 192.168.70.1 as-number 200
[R3-bgp] peer 192.168.80.2 as-number 100
[R3-bgp] peer 192.168.80.2 next-hop-local
[R3-bgp] peer 192.168.90.2 as-number 100
[R3-bgp] peer 192.168.90.2 next-hop-local
[R3-bgp] quit
[R3] rip 1
[R3-rip-1] version 2
[R3-rip-1] network 192.168.80.0
[R3-rip-1] quit
R4 is configured as follows:
[R4] int g0/0/0
[R4-GigabitEthernet0/0/0] ip add 192.168.80.2 24
[R4-GigabitEthernet0/0/0] int g0/0/1
[R4-GigabitEthernet0/0/1] ip add 192.168.90.1 24
[R4-GigabitEthernet0/0/1] int loo0
[R4-LoopBack0] ip add 4.4.4.4 32
[R4-LoopBack0] quit
[R4] bgp 100
[R4-bgp] router-id 4.4.4.4
[R4-bgp] peer 192.168.80.1 as-number 100
[R4-bgp] peer 192.168.90.2 as-number 100
[R4-bgp] quit
[R4] rip 1
[R4-rip-1] version 2
[R4-rip-1] network 192.168.80.0
[R4-rip-1] network 192.168.90.0
[R4-rip-1] quit
The FW1 configuration is as follows:
[FW1] int g0/0/0
[FW1-GigabitEthernet0/0/0] ip add 192.168.90.2 24
[FW1-GigabitEthernet0/0/0] int g1/0/0
[FW1-GigabitEthernet1/0/0] ip add 172.16.1.254 24
[FW1-GigabitEthernet1/0/0] int g1/0/1
[FW1-GigabitEthernet1/0/1] ip add 202.96.1.10 24
[FW1-GigabitEthernet1/0/1] quit
[FW1] bgp 100
[FW1-bgp] router-id 100.100.100.100
[FW1-bgp] peer 192.168.90.1 as-number 100
[FW1-bgp] peer 192.168.80.1 as-number 100
[FW1-bgp] peer 192.168.80.1 next-hop-local
[FW1-bgp] network 0.0.0.0
[FW1-bgp] quit
[FW1] rip 1
[FW1-rip-1] version 2
[FW1-rip-1] network 192.168.90.0
[FW1-rip-1] network 172.16.0.0
[FW1-rip-1] quit
[FW1] security-policy                                        # configure the security policy
[FW1-policy-security] rule name local                        # rule named local
[FW1-policy-security-rule-local] source-zone local           # source zone: local (the firewall itself)
[FW1-policy-security-rule-local] destination-zone trust      # destination zone: trust
[FW1-policy-security-rule-local] destination-zone dmz        # destination zone: dmz
[FW1-policy-security-rule-local] action permit               # permit the matching traffic
[FW1-policy-security-rule-local] quit
[FW1-policy-security] quit
[FW1] security-policy                                        # security policy
[FW1-policy-security] rule name trust_untrust                # rule named trust_untrust
[FW1-policy-security-rule-trust_untrust] source-zone trust   # source zone: trust
[FW1-policy-security-rule-trust_untrust] destination-zone untrust   # destination zone: untrust
[FW1-policy-security-rule-trust_untrust] action permit       # permit the matching traffic
[FW1-policy-security-rule-trust_untrust] quit
[FW1-policy-security] quit
[FW1] security-policy                                        # security policy
[FW1-policy-security] rule name trust_dmz                    # rule named trust_dmz
[FW1-policy-security-rule-trust_dmz] source-zone trust       # source zone: trust
[FW1-policy-security-rule-trust_dmz] destination-zone dmz    # destination zone: dmz
[FW1-policy-security-rule-trust_dmz] action permit           # permit the matching traffic
[FW1-policy-security-rule-trust_dmz] quit
[FW1-policy-security] quit
[FW1] security-policy                                        # security policy
[FW1-policy-security] rule name untrust_to_dmz               # rule named untrust_to_dmz
[FW1-policy-security-rule-untrust_to_dmz] source-zone untrust       # source zone: untrust
[FW1-policy-security-rule-untrust_to_dmz] destination-zone dmz      # destination zone: dmz
[FW1-policy-security-rule-untrust_to_dmz] service http       # match only the HTTP service; other protocols from untrust fall to the default deny
[FW1-policy-security-rule-untrust_to_dmz] action permit      # permit the matching traffic
[FW1-policy-security-rule-untrust_to_dmz] quit
[FW1-policy-security] quit
[FW1] nat-policy                                             # configure the NAT policy
[FW1-policy-nat] rule name natpolicy                         # NAT rule named natpolicy
[FW1-policy-nat-rule-natpolicy] source-zone trust            # source zone of the traffic to translate
[FW1-policy-nat-rule-natpolicy] destination-zone untrust     # destination zone of the traffic to translate
[FW1-policy-nat-rule-natpolicy] action nat easy-ip           # translate the source address to the outbound interface address (Easy-IP)
[FW1-policy-nat-rule-natpolicy] quit
[FW1-policy-nat] quit
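The FW1 configuration combines three mechanisms whose order matters: the security policy is evaluated top to bottom with an implicit deny at the end, `service http` narrows the untrust-to-dmz rule to one protocol, and the Easy-IP NAT rule rewrites the source of permitted trust-to-untrust traffic to the outbound interface address 202.96.1.10. The Python model below is an added example, not code from the article or from Huawei, and it replays that logic for the three requirements plus a flow the policy must reject. It assumes zone membership derived from the topology's subnets (the article shows no `firewall zone ... add interface` commands), an assumed server mapping of 202.96.1.50 to 172.16.1.100 (which the article's FW1 configuration does not show), and a simple incrementing port allocator for the NAPT table.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import count

# Zone membership is an assumption: the article shows no `firewall zone ... add interface`
# commands, so the zones are derived here from the subnets of its topology.
ZONES = {
    "trust":   [ipaddress.ip_network("192.168.0.0/16")],   # campus side, reached via FW1 g0/0/0
    "dmz":     [ipaddress.ip_network("172.16.1.0/24")],    # FW1 g1/0/0
    "untrust": [ipaddress.ip_network("202.96.0.0/16")],    # FW1 g1/0/1 and R5
}
# Assumed server mapping for the published address; the article's FW1 config does not show it.
NAT_SERVER = {"202.96.1.50": "172.16.1.100"}
UNTRUST_IF_IP = "202.96.1.10"            # outbound interface address that Easy-IP translates to


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    services: set = field(default_factory=lambda: {"any"})
    action: str = "permit"


# Security policy rules in the order the article configures them; no match means the default deny.
SECURITY_POLICY = [
    Rule("local", {"local"}, {"trust", "dmz"}),
    Rule("trust_untrust", {"trust"}, {"untrust"}),
    Rule("trust_dmz", {"trust"}, {"dmz"}),
    Rule("untrust_to_dmz", {"untrust"}, {"dmz"}, services={"http"}),
]
NAT_POLICY = [("trust", "untrust", "easy-ip")]   # the article's natpolicy rule


def zone_of(ip):
    """Map an address to its zone, or None when it belongs to no configured zone."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return None


class EasyIpTable:
    """Minimal NAPT table: each new flow gets a fresh port on the interface address
    (for ICMP the identifier plays the role of the port; modelled as a port here)."""

    def __init__(self, global_ip, first_port=10240):
        self.global_ip = global_ip
        self._ports = count(first_port)          # assumed allocator: simple increasing ports
        self.sessions = {}                       # (global_ip, global_port) -> (inside_ip, inside_port)

    def translate(self, inside_ip, inside_port):
        key = (self.global_ip, next(self._ports))
        self.sessions[key] = (inside_ip, inside_port)
        return key


NAT_TABLE = EasyIpTable(UNTRUST_IF_IP)


def evaluate(src_ip, dst_ip, service, src_port=40000, nat=NAT_TABLE):
    """Describe how FW1 handles the first packet of one flow."""
    # 1. Destination NAT (server mapping) is resolved before the policy lookup,
    #    so the policy is matched against the real DMZ address and zone.
    real_dst = NAT_SERVER.get(dst_ip, dst_ip)
    src_zone, dst_zone = zone_of(src_ip), zone_of(real_dst)
    result = {"src_zone": src_zone, "dst_zone": dst_zone, "src": (src_ip, src_port),
              "dst": real_dst, "rule": None, "action": "deny"}
    if src_zone is None or dst_zone is None:
        return result
    # 2. First matching security rule wins; nothing matched means the implicit deny.
    for rule in SECURITY_POLICY:
        if (src_zone in rule.src_zones and dst_zone in rule.dst_zones
                and ("any" in rule.services or service in rule.services)):
            result["rule"], result["action"] = rule.name, rule.action
            break
    if result["action"] != "permit":
        return result
    # 3. Source NAT applies only to permitted traffic that matches the NAT policy.
    for nat_src, nat_dst, kind in NAT_POLICY:
        if (src_zone, dst_zone, kind) == (nat_src, nat_dst, "easy-ip"):
            result["src"] = nat.translate(src_ip, src_port)
    return result


if __name__ == "__main__":
    for flow in [("192.168.10.1", "172.16.1.100", "icmp"),   # requirement 1
                 ("192.168.20.1", "202.96.3.1", "icmp"),     # requirement 2
                 ("202.96.2.1", "202.96.1.50", "http"),      # requirement 3
                 ("202.96.2.1", "202.96.1.50", "ssh")]:      # must hit the default deny
        print(flow, "->", evaluate(*flow))
```

The fourth flow is the check a reviewer wants: with `service http` on the untrust_to_dmz rule, any other protocol aimed at the published address finds no rule and is dropped, and untrust-to-trust traffic is dropped for the same reason. Removing `service http` would widen the published server to every protocol, which the model makes visible immediately.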
R5 is configured as follows:
[R5] int g0/0/0
[R5-GigabitEthernet0/0/0] ip add 202.96.1.11 24
[R5-GigabitEthernet0/0/0] int g0/0/1
[R5-GigabitEthernet0/0/1] ip add 202.96.2.254 24
[R5-GigabitEthernet0/0/1] int g0/0/2
[R5-GigabitEthernet0/0/2] ip add 202.96.3.254 24
[R5-GigabitEthernet0/0/2] quit
Configure the IP addresses of the external server and PCs.
So far, all the configurations have been completed, and the three requirements of the experiment have been met, and then the verification begins.
3. Verify:
1) PC1 and PC2 can ping the server 172.16.1.100 in the dmz zone
2) PC1 and PC2 can ping 202.96.3.1 through Easy-IP NAT
3) The host 202.96.2.1 uses HTTP to reach 202.96.1.50, the address at which the dmz web server is published to the untrust zone. Note that the FW1 configuration shown above contains only the Easy-IP source NAT rule; since 202.96.1.50 is not an interface address of the firewall, a mapping of that published address to the web server 172.16.1.100 (on Huawei USG firewalls a NAT server mapping) must also exist on FW1 for this test to succeed.
Create a test web page on the WEB server