某大饭店的网络改造

案例名称:
   《某大饭店网络改造》
技术范围:
    Vlan acl、Arp acl
技术关键词:
    访问控制列表
案例描述:
    此饭店为22层楼,其中一些有办公平台的楼层使用cisco2950系统交换机,其它楼层(即只有客房)使用傻瓜式TP-Link交换机,且客房里有机顶盒,客人通过机顶盒可以使用VOD和上网冲浪。
解决思路:
     由于饭店环境由四部分组成,所以划分了四个vlan, 分别为vlan10为饭店的酒管系,vlan20为饭店的财务系统,vlan30饭店的办公系统,vlan70为VOD系统。酒管系统的服务器为192.168.10.199,财务系统的服务器为192.168.20.254,VOD的服务器为192.168.70.254,网关分别为10.1,20.1,30.1,70.1;并且只要求vlan30可以访问外网,vlan30的部分PC(经理级别的)可以访问酒管服务器、财务服务器和VOD服务器;其它vlan之间的PC不允许访问。最后把除vlan70以外的所有pc进行IP和MAC绑定,以阻止非法电脑进入网内。

配 置:核心(3750上的配置)
 

3750#show run
Building configuration...
 
Current configuration : 5519 bytes
 
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3750
!
enable password mb
!
no aaa new-model
switch 1 provision ws-c3750-48ts
vtp mode transparent
ip subnet-zero
ip routing      (启用三层功能)
no ip domain-lookup
ip dhcp excluded-address 192.168.70.1 (从dhcp地址池中排除网关的IP地址)
ip dhcp excluded-address 192.168.70.254(从dhcp地址池中排除服务器的IP地址)

!
ip dhcp pool vlan70  (为Vlan70创建一个dhcp地址池并指定网关和DNS)
network 192.168.70.0 255.255.255.0
   default-router 192.168.70.1
   dns-server 202.106.196.115
   lease 3   (IP地址的租期,lease 天数,小时数)
!
ip arp inspection vlan 10,20,30  (为Vlan10,20和30启用动态ARP检测)
ip arp inspection filter v10 vlan  10    (把arp访问控制列V10表应用在Vlan10上)  
ip arp inspection filter v20 vlan  20    (把arp访问控制列V10表应用在Vlan20上)
ip arp inspection filter v30 vlan  30    (把arp访问控制列V10表应用在Vlan30上)
!
!
!
no file verify auto  
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending   
!
vlan 10,20,30,70 (创建Vlan)
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
 
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
 description connect 17floor 2950
 switchport trunk encapsulation dot1q(封装trunk链路)
 switchport mode trunk
!
interface FastEthernet1/0/8
 description connect 21floor 2950
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
 description connect 12floor
 switchport access vlan 70    (把此端口指给vlan70)
 switchport mode access
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
 description connect 15floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/16
 description connect 16floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/17
 description connect 17floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/18
 description connect 18floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/19
 description connect 19floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/20
 description connect 20floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/21
 description connect 21floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
...
...
...
...
...
!
interface FastEthernet1/0/47
!
interface FastEthernet1/0/48
 description connect fanghuoqiang
 no switchport
 ip address 172.16.10.5 255.255.255.0
!
interface GigabitEthernet1/0/1
 description connect 6floor 2950G
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description connect 9floor 2950G
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description connect 10floor 2950G
switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 description connect 11floor 2950G
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0(vlan1的管理IP地址)
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0(Vlan10的网关)
 ip access-group vlan10_in in(把vlan10_in的访问控制列表应用在vlan10 的入方向上)
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0(Vlan20的网关)
 ip access-group vlan20_in in(把vlan20_in的访问控制列表应用在vlan20 的入方向上)
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0(Vlan30的网关)
 ip access-group vlan30_in in
!
interface Vlan70
 ip address 192.168.70.1 255.255.255.0(Vlan70的网关)
 ip access-group vlan70_in in
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.10.1
ip http server
!
ip access-list extended v10_in(建立允许vlan30的部分主机访问10.199的服务器的访问控制列表)
permit ip host 192.168.10.199 host 192.168.30.2
permit ip host 192.168.10.199 host 192.168.30.3
permit ip host 192.168.10.199 host 192.168.30.4
permit ip host 192.168.10.199 host 192.168.30.5
permit ip host 192.168.10.199 host 192.168.30.6
permit ip host 192.168.10.199 host 192.168.30.7
permit ip host 192.168.10.199 host 192.168.30.8
permit ip host 192.168.10.199 host 192.168.30.9
permit ip host 192.168.10.199 host 192.168.30.10
permit ip host 192.168.10.199 host 192.168.30.11
permit ip host 192.168.10.199 host 192.168.30.12
permit ip host 192.168.10.199 host 192.168.30.13
permit ip host 192.168.10.199 host 192.168.30.14
permit ip host 192.168.10.199 host 192.168.30.15
permit ip any host 192.168.30.254
    
 
 
ip access-list extended v20_in(建立允许vlan30的部分主机访问20.254的服务器的访问控制列表)

permit ip host 192.168.20.254 host 192.168.30.2
permit ip host 192.168.20.254 host 192.168.30.3
permit ip host 192.168.20.254 host 192.168.30.4
permit ip host 192.168.20.254 host 192.168.30.5
permit ip host 192.168.20.254 host 192.168.30.15
permit ip any host 192.168.30.254
 
ip access-lsit extended v30_in(由于VAcl的访问是双向的,所以在vlan30的方向上也要做相应的acl)
permit ip host 192.168.30.254 any
permit ip host 192.168.30.2 host 192.168.10.199
permit ip host 192.168.30.3 host 192.168.10.199
permit ip host 192.168.30.4 host 192.168.10.199
permit ip host 192.168.30.5 host 192.168.10.199
permit ip host 192.168.30.6 host 192.168.10.199
permit ip host 192.168.30.7 host 192.168.10.199
permit ip host 192.168.30.8 host 192.168.10.199
permit ip host 192.168.30.9 host 192.168.10.199
permit ip host 192.168.30.10 host 192.168.10.199
permit ip host 192.168.30.11 host 192.168.10.199
permit ip host 192.168.30.12 host 192.168.10.199
permit ip host 192.168.30.13 host 192.168.10.199
permit ip host 192.168.30.14 host 192.168.10.199
permit ip host 192.168.30.15 host 192.168.10.199
permit ip host 192.168.30.2 host 192.168.20.254
permit ip host 192.168.30.3 host 192.168.20.254
permit ip host 192.168.30.4 host 192.168.20.254
permit ip host 192.168.30.5 host 192.168.20.254
permit ip host 192.168.30.15 host 192.168.20.254
!
!
ip access-list extended v70_in
deny ip any any
!
arp access-list v30 (此部分为arp访问控制列表,只写了一个例字,没有写全)
 permit ip host 192.168.30.9 mac host 001a.928f.3d6e
 .
 .
arp access-list v20 (vlan20的arp访问控制列表)
 permit ip host 192.168.20.9 mac host 0011.D867.F6DC
 .
 .
 .
 .
!
control-plane
!
!
line con 0
line vty 0 4
 password mb
 login
line vty 5 15
no login
!
end
 
3750#

你可能感兴趣的:(网络,ARP,休闲,51CTO博客出书,访问列表)