ENSP模拟搭建典型中小型企业网架构

小型公司网络

网络拓扑图

规划 vlan

销售 vlan 10
市场 vlan 20
产品 vlan 30
服务器 vlan 40
DMZ vlan 50
老板位 vlan 88

配置vlan

SW3

[SW3]vlan 10    //创建vlan
[SW3-vlan10]description xiaoshou  //描述[SW3-vlan10]vlan 20    
[SW3-vlan20]description shicahng  [SW3-vlan20]vlan 30    
[SW3-vlan30]description chanpin[SW3-vlan30]vlan 88
[SW3-vlan88]description BOSS[SW3-vlan88]vlan 40    
[SW3-vlan40] description Server[SW3-vlan40]vlan 50    
[SW3-vlan50]description DMZ

SW1

[SW1]vlan 10    //创建vlan
[SW1-vlan10]description xiaoshou  //描述[SW1-vlan10]vlan 20    
[SW1-vlan20]description shicahng  [SW1-vlan20]vlan 30    
[SW1-vlan30]description chanpin

SW2

[SW2]vlan 10    //创建vlan
[SW2-vlan10]description xiaoshou  //描述[SW2-vlan10]vlan 20    
[SW2-vlan20]description shicahng  [SW2-vlan20]vlan 30    
[SW2-vlan30]description chanpin

为接口划分vlan

SW1

[SW1]int e 0/0/1
[SW1-Ethernet0/0/1]port link acc
[SW1-Ethernet0/0/1]port default vlan 10     //销售部[SW1-Ethernet0/0/1]int e0/0/2
[SW1-Ethernet0/0/2]por lin acc
[SW1-Ethernet0/0/2]port def vlan 20    		//市场部[SW1-Ethernet0/0/2]int e0/0/3
[SW1-Ethernet0/0/3]port lin acc
[SW1-Ethernet0/0/3]port def vlan 30   //产品部

SW2

[SW2]int e 0/0/1
[SW2-Ethernet0/0/1]por lin acc
[SW2-Ethernet0/0/1]por de vlan 10				//销售部[SW2-Ethernet0/0/1]int e 0/0/02
[SW2-Ethernet0/0/2]por lin acc
[SW2-Ethernet0/0/2]por def vla 20				//市场部[SW2-Ethernet0/0/2]int e 0/0/3
[SW2-Ethernet0/0/3]por lin ac
[SW2-Ethernet0/0/3]por def vla 30				//产品部[SW2-Ethernet0/0/3]int e 0/0/4
[SW2-Ethernet0/0/4]por lin acc
[SW2-Ethernet0/0/4]por de vla 88				//BOSS

SW3

SW3-GigabitEthernet0/0/2]int g0/0/3
[SW3-GigabitEthernet0/0/3]por lin acc
[SW3-GigabitEthernet0/0/3]por def vlan 50   	//DMZ[SW3-GigabitEthernet0/0/3]int g 0/0/4
[SW3-GigabitEthernet0/0/4]por lin ac
[SW3-GigabitEthernet0/0/4]por de vlan 40			//Server

配置其他接口类型

SW3

[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]por lin tru
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30    //允许SW1的流量通行[SW3-GigabitEthernet0/0/1]int g 0/0/2
[SW3-GigabitEthernet0/0/2]port link trun
[SW3-GigabitEthernet0/0/2]port trun all vlan 10 20 30 88				//允许SW2的流量通行[SW3-GigabitEthernet0/0/2]int g0/0/3
[SW3-GigabitEthernet0/0/3]por lin acc
[SW3-GigabitEthernet0/0/3]por def vlan 50[SW3-GigabitEthernet0/0/3]int g 0/0/4
[SW3-GigabitEthernet0/0/4]por lin ac
[SW3-GigabitEthernet0/0/4]por de vlan 40

SW1

[SW1]int g 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk 
[SW1-GigabitEthernet0/0/1]port trunk all vlan 10 20 30

SW2

[SW2]int g 0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]por trun all vlan 10 20 30 88

规划IP地址

vlan10 ---- 192.168.10.0/24 
vlan20 ---- 192.168.20.0/24
vlan30 ---- 192.168.30.0/24
vlan40 ---- 192.168.40.0/24
vlan50 ---- 192.168.50.0/24
vlan88 ---- 192.168.88.0/24svi相当于给每个vlan配置一个逻辑ip
ip基本上都是做vlan的网关

配置SVI

SVI(switch virtual interface)相当于给每个vlan配置一个逻辑ip
ip基本上都是做vlan的网关
SW3

[SW3]int vlan 10
[SW3-Vlanif10]ip add 192.168.10.254 24[SW3-Vlanif10]int vlan 20
[SW3-Vlanif20]ip add 192.168.20.254 24[SW3-Vlanif20]int vlan 30
[SW3-Vlanif30]ip add 192.168.30.254 24[SW3-Vlanif30]int vlan 40
[SW3-Vlanif40]ip add 192.168.40.254 24[SW3-Vlanif40]int vlanif 50
[SW3-Vlanif50]ip add 192.168.50.254 24[SW3-Vlanif50]int vlan 88
[SW3-Vlanif88]ip add 192.168.88.254 24

配置DHCP

三层交换机集成了二层交换功能与三层路由功能，同时支持DHCP服务为客户端分配IP地址
xiaoshou shichang chanpin
配置DHCP为这三个vlan 提供服务
设置租约为7天
SW3

[SW3]dhcp enable
[SW3]ip pool xiaoshou							//创建地址池名
[SW3-ip-pool-xiaoshou]gateway-list 192.168.10.254          //设置默认网关
[SW3-ip-pool-xiaoshou]network 192.168.10.0 mask 255.255.255.0     //设置地址池
[SW3-ip-pool-xiaoshou]dns-list 8.8.8.8									//设置默认DNS服务器
[SW3-ip-pool-xiaoshou]lease day 7								//租约设置7 天[SW3-ip-pool-xiaoshou]ip pool shichang
[SW3-ip-pool-shichang]gateway-list 192.168.20.254
[SW3-ip-pool-shichang]network 192.168.10.0 mask 255.255.255.0
[SW3-ip-pool-shichang]dns-list 8.8.8.8
[SW3-ip-pool-shichang]lease day 7[SW3-ip-pool-shichang]ip pool chanpin
[SW3-ip-pool-chanpin]gateway-list 192.168.30.254
[SW3-ip-pool-chanpin]network 192.168.30.0 mask 255.255.255.0
[SW3-ip-pool-chanpin]dns 8.8.8.8
[SW3-ip-pool-chanpin]lease day 7[SW3]int vlan 10
[SW3-Vlanif10]dhcp select global 
//可以使用global、或者之间选择接口 interface[SW3-Vlanif10]int vlan 20
[SW3-Vlanif20]dhcp select global [SW3-Vlanif20]int vlan 30
[SW3-Vlanif30]dhcp select global 

给老板设置静态IP，888，发发发

给主机设置DHCP动态获取地址就ok了

查看分配的IP地址


尝试销售PC1ping市场PC2

尝试BOSS ping 销售PC1

到这里内网已经全部可以ping通了

防火墙配置接口

FW

[FW]int g 0/0/0
[FW-GigabitEthernet0/0/0]ip add 192.168.50.1 24[FW]int g 0/0/1
[FW-GigabitEthernet0/0/1]ip add 202.1.1.1 24

防火墙划分接口安全区域

FW

[FW]firewall zone trust 
[FW-zone-trust]add interface GigabitEthernet 0/0/0[FW]firewall zone untrust 
[FW-zone-untrust]add interface g 0/0/1

• GE0/0/0：接内网，属于 trust，安全级别高（85）
• GE0/0/1：接外网，属于 untrust，安全级别低（5）

配置防火墙安全策略

FW

[FW]policy interzone trust untrust outbound      
//旧版使用`policy interzone` 命令；新版本推荐使用 `security-policy`
//`trust untrust`指 从 `trust` 区域 → `untrust` 区域
//`outbound`流量方向为“出站”（即内网访问外网）
[FW-policy-interzone-trust-untrust-outbound]policy 1   //策略编号1，编号越小，优先级越高
[FW-policy-interzone-trust-untrust-outbound-1]action permit    //匹配规则就放行
[FW-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 mask 16    //来自这个网段的ip全部放行

允许来自 trust 区域的特定内网用户（192.168.0.0/16）访问 untrust 区域（互联网），方向为 出站（outbound）

配置NAT

FW

[FW]nat-policy interzone trust untrust outbound 
[FW-nat-policy-interzone-trust-untrust-outbound]policy 1  		//策略编号1，编号越小，优先级越高
[FW-nat-policy-interzone-trust-untrust-outbound-1]action source-nat 				//源地址转换，内网ip转为公网ip[FW-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 mask 16  //指定源IP
[FW-nat-policy-interzone-trust-untrust-outbound-1]easy-ip GigabitEthernet 0/0/1

easy-ip

• 一种 简化版的 NAT 方式
• 使用外网接口的 IP 地址本身作为转换后的公网 IP

配置路由

# SW3
[SW3]ip route-static 0.0.0.0 0.0.0.0 192.168.50.1   //配置默认路由
# FW
[FW]ip route-static 192.168.0.0 255.255.0.0 192.168.50.254    //配置回程路由

尝试使用销售部PC1 访问 untrust 区域