Memo for a hospital project

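【Equipment list】
Router ×1
Core switch ×1
Access switches ×25
【Requirements】
The whole network must be able to communicate with the medical insurance system
【Rough configuration】
Router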
access-list 3198 deny tcp any any eq 135
access-list 3198 deny tcp any any eq 445
access-list 3198 permit ip any any
access-list 3199 deny icmp any any echo
access-list 3199 deny tcp any any eq 135
access-list 3199 deny tcp any any eq 445
access-list 3199 permit ip any any
access-list 99 permit any
dialer-list 1 protocol ip permit
interface FastEthernet 0/0
ip nat inside
ip access-group 3198 in
no ip redirects
no ip mask-reply
no ip proxy-arp
ip address 192.168.0.1 255.255.255.0
arp gratuitous-send interval 1 5
arp trust-monitor enable
!
interface FastEthernet 1/0
ip nat outside
ip access-group 3199 in
no ip redirects
no ip mask-reply
no ip proxy-arp
ip address 222.222.222.222 255.255.255.252
no arp trust-monitor enable
duplex auto
speed auto
!
interface FastEthernet 1/1
no arp trust-monitor enable
duplex auto
speed auto
shutdown
!
interface Null 0
!
!
ip nat pool nbr_setup_build_pool prefix-length 24
address 222.222.222.222 222.222.222.222 match interface FastEthernet 1/0
!
ip nat inside source list 99 pool nbr_setup_build_pool
ip nat application qq 1024
ip nat translation per-ip 0.0.0.0 1000
ip nat translation udp-timeout 150
ip nat translation icmp-timeout 30
ip nat translation tcp-timeout 600
ip nat translation finrst-timeout 20
ip nat translation dns-timeout 30
arp attacker-detect enable
security anti-wan-attack level high
security anti-lan-attack drop
security deny wan-ping
!
ip route 0.0.0.0 0.0.0.0 FastEthernet 1/0 222.222.222.223    default route to the gateway
ip route 192.168.0.0 255.255.0.0 192.168.0.2     route to the internal network
Core switch
Create N VLANs
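An added example, not part of the original memo: a small first-match evaluator that replays constructed sample packets against the router's ACLs 3198 (inbound on the inside interface) and 3199 (inbound on the outside interface) to confirm what they actually filter. The parser handles only the "any any" rule forms used on this page, and the names ROUTER_ACLS, parse and evaluate are hypothetical.

```python
import re

# ACL entries copied verbatim from the router configuration on this page.
ROUTER_ACLS = """\
access-list 3198 deny tcp any any eq 135
access-list 3198 deny tcp any any eq 445
access-list 3198 permit ip any any
access-list 3199 deny icmp any any echo
access-list 3199 deny tcp any any eq 135
access-list 3199 deny tcp any any eq 445
access-list 3199 permit ip any any
"""

# Assumption of this sketch: only "any any" rules with an optional
# destination port ("eq N") or the ICMP type keyword "echo" are parsed.
RULE = re.compile(
    r"access-list (\d+) (permit|deny) (ip|tcp|udp|icmp) any any(?: eq (\d+)| (echo))?$")

def parse(text):
    """Return {acl_number: [(action, proto, dst_port, icmp_type), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            num, action, proto, port, icmp = m.groups()
            entry = (action, proto, int(port) if port else None, icmp)
            acls.setdefault(int(num), []).append(entry)
    return acls

def evaluate(rules, proto, dst_port=None, icmp_type=None):
    """First matching entry wins; IOS-style ACLs end with an implicit deny."""
    for action, r_proto, r_port, r_icmp in rules:
        if (r_proto in ("ip", proto) and r_port in (None, dst_port)
                and r_icmp in (None, icmp_type)):
            return action
    return "deny"

ACLS = parse(ROUTER_ACLS)

if __name__ == "__main__":
    # Constructed sample packets: (description, acl, proto, dst_port, icmp_type)
    samples = [
        ("LAN host to TCP 445", 3198, "tcp", 445, None),
        ("LAN host to TCP 443", 3198, "tcp", 443, None),
        ("WAN echo request", 3199, "icmp", None, "echo"),
        ("WAN echo reply", 3199, "icmp", None, "echo-reply"),
        ("WAN to UDP 445", 3199, "udp", 445, None),
    ]
    for desc, acl, proto, port, icmp in samples:
        print(f"{desc:20} ACL {acl}: {evaluate(ACLS[acl], proto, port, icmp)}")
```

The run shows that both lists filter only TCP 135 and 445 plus, on the outside interface, ICMP echo requests; echo replies and every other protocol or port fall through to the final permit ip any any.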
vlan 100
!
…………………..
!
vlan 121
!
interface GigabitEthernet 2/1
switchport mode trunk                       
!
…………………                                                         (many more interfaces configured as trunks omitted)
interface GigabitEthernet 3/23
no switchport
no ip proxy-arp
ip address 192.168.0.2 255.255.255.0                 routed (Layer 3) port connected to the router's inside interface
!
interface GigabitEthernet 3/24                             
switchport access vlan 1000 
!
interface VLAN 100
no ip proxy-arp
ip address 192.168.100.1 255.255.255.0
!
………..                                                                 (many more VLAN interface addresses omitted)
!
interface Mgmt 0                 management port
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1 permanent       default route to the router's inside interface
Access switch
vlan 101            create the VLAN
name 101

vlan 100            create the management VLAN
name management

int vlan 100        management VLAN address
ip add 192.168.100.2 255.255.255.0

ip def 192.168.1.1         default gateway for users

int ran g 0/1 - 22          assign the ports to the VLAN
sw acc vlan 101

int ran g 0/23 - 24        uplink ports configured as trunks
sw mo tr