Case name:
"Network redesign of a large hotel"
Technology scope:
VLAN ACL, ARP ACL
Technology keywords:
access control list
Case description:
The hotel has 22 floors. The floors that contain office facilities use Cisco 2950 switches; the remaining floors (guest rooms only) use unmanaged TP-Link switches. Each guest room has a set-top box, through which guests use VOD and browse the Internet.

Solution approach:
Because the hotel environment consists of four parts, four VLANs were created: VLAN 10 for the hotel management system, VLAN 20 for the finance system, VLAN 30 for the office system and VLAN 70 for the VOD system. The hotel management server is 192.168.10.199, the finance server 192.168.20.254 and the VOD server 192.168.70.254; the gateways are 192.168.10.1, 192.168.20.1, 192.168.30.1 and 192.168.70.1 respectively. The requirements are that only VLAN 30 may reach the Internet, that some VLAN 30 PCs (manager level) may reach the hotel management server, the finance server and the VOD server, and that PCs in the other VLANs may not reach each other. Finally, IP-to-MAC binding is applied to every PC outside VLAN 70 so that unauthorized computers cannot join the network.
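The IP/MAC binding in the last sentence is implemented on the core switch with one arp access-list per VLAN and Dynamic ARP Inspection, and the page only shows one example entry per list. The script below is an added example (not part of the original case) that builds those lists from a host inventory: it normalises MAC addresses from the notations people actually hand over (colon, dash, Cisco dotted, bare hex), rejects an IP that is not in its VLAN's subnet, refuses duplicate IPs or MACs, and emits the arp access-list stanzas plus the DAI filter lines. The inventory rows, the VLAN-to-subnet table and the owner names are constructed for illustration; only the two bindings 192.168.30.9/001a.928f.3d6e and 192.168.20.9/0011.D867.F6DC come from the page. The static keyword on the filter lines is my choice, so the ACL stays authoritative even if DHCP snooping is enabled later.

```python
import csv
import io
import ipaddress
import re

# Constructed inventory. The first two rows copy the example bindings from the page's
# arp access-lists; the remaining rows are invented to exercise the validation paths.
INVENTORY_CSV = """vlan,ip,mac,owner
30,192.168.30.9,00:1A:92:8F:3D:6E,manager-pc
20,192.168.20.9,0011.D867.F6DC,finance-pc
30,192.168.30.10,00-1a-92-8f-3d-70,office-pc
30,192.168.30.10,001a928f3d71,duplicate-ip
10,192.168.30.11,001a.928f.3d72,wrong-vlan
"""

# Subnets as on the page: one /24 per VLAN with the gateway at .1 (VLAN 70 is not bound).
VLAN_SUBNETS = {
    10: ipaddress.ip_network("192.168.10.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
    30: ipaddress.ip_network("192.168.30.0/24"),
}


def cisco_mac(mac):
    """Normalise any common MAC notation to the IOS dotted-hex form (001a.928f.3d6e)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def load_bindings(csv_text):
    """Parse and validate the inventory.

    Returns (bindings, problems): bindings is a list of (vlan, ip, mac, owner) that
    passed every check, problems is a list of human-readable rejections. A rejected
    row is never silently fixed, because a wrong binding blocks a legitimate host.
    """
    bindings, problems = [], []
    seen_ip, seen_mac = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        vlan, owner = int(row["vlan"]), row["owner"]
        ip = ipaddress.ip_address(row["ip"])
        try:
            mac = cisco_mac(row["mac"])
        except ValueError as exc:
            problems.append(f"{owner}: {exc}")
            continue
        if vlan not in VLAN_SUBNETS or ip not in VLAN_SUBNETS[vlan]:
            problems.append(f"{owner}: {ip} is not in the subnet of VLAN {vlan}")
            continue
        if ip in seen_ip:
            problems.append(f"{owner}: duplicate IP {ip} (already used by {seen_ip[ip]})")
            continue
        if mac in seen_mac:
            problems.append(f"{owner}: duplicate MAC {mac} (already used by {seen_mac[mac]})")
            continue
        seen_ip[ip], seen_mac[mac] = owner, owner
        bindings.append((vlan, ip, mac, owner))
    return bindings, problems


def render_arp_acls(bindings):
    """Emit one 'arp access-list vN' per VLAN and the DAI commands that attach them."""
    by_vlan = {}
    for vlan, ip, mac, owner in bindings:
        by_vlan.setdefault(vlan, []).append(f" permit ip host {ip} mac host {mac}")
    lines = []
    for vlan in sorted(by_vlan):
        lines.append(f"arp access-list v{vlan}")
        lines.extend(by_vlan[vlan])
        lines.append("!")
    for vlan in sorted(by_vlan):
        # 'static': an ARP packet not matched here is dropped outright instead of being
        # compared against the DHCP snooping binding table (assumption: desired here).
        lines.append(f"ip arp inspection filter v{vlan} vlan {vlan} static")
    lines.append("ip arp inspection vlan " + ",".join(str(v) for v in sorted(by_vlan)))
    return "\n".join(lines)


if __name__ == "__main__":
    good, bad = load_bindings(INVENTORY_CSV)
    for problem in bad:
        print("REJECTED:", problem)
    print(render_arp_acls(good))
```

Paste the output into the 3750 and confirm with show ip arp inspection vlan 30 that the filter is attached; show ip arp inspection statistics vlan 30 then shows the drop counter climbing whenever an unlisted host sends ARP.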
Configuration: core (configuration on the 3750)
3750#show run
Building configuration...

Current configuration : 5519 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3750
!
enable password mb
!
no aaa new-model
switch 1 provision ws-c3750-48ts
vtp mode transparent
ip subnet-zero
ip routing
no ip domain-lookup
ip dhcp excluded-address 192.168.70.1
ip dhcp excluded-address 192.168.70.254
!
ip dhcp pool vlan70
   network 192.168.70.0 255.255.255.0
   default-router 192.168.70.1
   dns-server 202.106.196.115
   lease 3
!
ip arp inspection vlan 10,20,30
ip arp inspection filter v10 vlan 10
ip arp inspection filter v20 vlan 20
ip arp inspection filter v30 vlan 30
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10,20,30,70
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
 description connect 17floor 2950
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet1/0/8
 description connect 21floor 2950
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
 description connect 12floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
 description connect 15floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/16
 description connect 16floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/17
 description connect 17floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/18
 description connect 18floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/19
 description connect 19floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/20
 description connect 20floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/21
 description connect 21floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface FastEthernet1/0/25
!
interface FastEthernet1/0/26
!
interface FastEthernet1/0/27
!
interface FastEthernet1/0/28
!
interface FastEthernet1/0/29
!
interface FastEthernet1/0/30
!
interface FastEthernet1/0/31
!
interface FastEthernet1/0/32
!
interface FastEthernet1/0/33
!
interface FastEthernet1/0/34
!
interface FastEthernet1/0/35
!
interface FastEthernet1/0/36
!
interface FastEthernet1/0/37
!
interface FastEthernet1/0/38
!
interface FastEthernet1/0/39
!
interface FastEthernet1/0/40
!
interface FastEthernet1/0/41
!
interface FastEthernet1/0/42
!
interface FastEthernet1/0/43
!
interface FastEthernet1/0/44
!
interface FastEthernet1/0/45
!
interface FastEthernet1/0/46
!
interface FastEthernet1/0/47
!
interface FastEthernet1/0/48
 description connect fanghuoqiang
 no switchport
 ip address 172.16.10.5 255.255.255.0
!
interface GigabitEthernet1/0/1
 description connect 6floor 2950G
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description connect 9floor 2950G
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description connect 10floor 2950G
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 description connect 11floor 2950G
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group v10_in in
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group v20_in in
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group v30_in in
!
interface Vlan70
 ip address 192.168.70.1 255.255.255.0
 ip access-group v70_in in
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.10.1
ip http server
!
ip access-list extended v10_in
 permit ip host 192.168.10.199 host 192.168.30.2
 permit ip host 192.168.10.199 host 192.168.30.3
 permit ip host 192.168.10.199 host 192.168.30.4
 permit ip host 192.168.10.199 host 192.168.30.5
 permit ip host 192.168.10.199 host 192.168.30.6
 permit ip host 192.168.10.199 host 192.168.30.7
 permit ip host 192.168.10.199 host 192.168.30.8
 permit ip host 192.168.10.199 host 192.168.30.9
 permit ip host 192.168.10.199 host 192.168.30.10
 permit ip host 192.168.10.199 host 192.168.30.11
 permit ip host 192.168.10.199 host 192.168.30.12
 permit ip host 192.168.10.199 host 192.168.30.13
 permit ip host 192.168.10.199 host 192.168.30.14
 permit ip host 192.168.10.199 host 192.168.30.15
 permit ip any host 192.168.30.254
ip access-list extended v20_in
 permit ip host 192.168.20.254 host 192.168.30.2
 permit ip host 192.168.20.254 host 192.168.30.3
 permit ip host 192.168.20.254 host 192.168.30.4
 permit ip host 192.168.20.254 host 192.168.30.5
 permit ip host 192.168.20.254 host 192.168.30.15
 permit ip any host 192.168.30.254
ip access-list extended v30_in
 permit ip host 192.168.30.254 any
 permit ip host 192.168.30.2 host 192.168.10.199
 permit ip host 192.168.30.3 host 192.168.10.199
 permit ip host 192.168.30.4 host 192.168.10.199
 permit ip host 192.168.30.5 host 192.168.10.199
 permit ip host 192.168.30.6 host 192.168.10.199
 permit ip host 192.168.30.7 host 192.168.10.199
 permit ip host 192.168.30.8 host 192.168.10.199
 permit ip host 192.168.30.9 host 192.168.10.199
 permit ip host 192.168.30.10 host 192.168.10.199
 permit ip host 192.168.30.11 host 192.168.10.199
 permit ip host 192.168.30.12 host 192.168.10.199
 permit ip host 192.168.30.13 host 192.168.10.199
 permit ip host 192.168.30.14 host 192.168.10.199
 permit ip host 192.168.30.15 host 192.168.10.199
 permit ip host 192.168.30.2 host 192.168.20.254
 permit ip host 192.168.30.3 host 192.168.20.254
 permit ip host 192.168.30.4 host 192.168.20.254
 permit ip host 192.168.30.5 host 192.168.20.254
 permit ip host 192.168.30.15 host 192.168.20.254
!
!
ip access-list extended v70_in
 deny ip any any
!
(the following are the ARP access lists; only one example entry is written per list, the full lists are not reproduced)
arp access-list v30
 permit ip host 192.168.30.9 mac host 001a.928f.3d6e
 . .
arp access-list v20
 permit ip host 192.168.20.9 mac host 0011.D867.F6DC
 . . . .
!
control-plane
!
!
line con 0
line vty 0 4
 password mb
 login
line vty 5 15
 no login
!
end

3750#

Notes on the configuration:
In the listing as originally published, the SVIs applied lists named vlan10_in, vlan20_out, vlan30_out and vlan70_out, while the lists actually defined are v10_in, v20_in, v30_in and v70_in (and v30_in was declared with the misspelling "ip access-lsit"). IOS does not reject an ip access-group that names an undefined list; it simply passes all packets, so none of the inter-VLAN filtering described above was in force. The references in the listing have been corrected to the defined names. After loading the configuration, check with show ip interface Vlan30 that the inbound list is reported and with show ip access-lists that every list has its entries and that the match counters move.

These lists are stateless, so each direction has to be permitted on its own side: the v30_in entries that let a manager PC reach 192.168.10.199 only work because v10_in lets 192.168.10.199 answer those same PCs. No entry lets a manager PC reach 192.168.70.254, and v70_in drops everything that leaves VLAN 70, so the access to the VOD server listed in the requirements is not provided by these lists (VOD traffic between the set-top boxes and the server stays inside VLAN 70 and is never routed, so it is unaffected). Only 192.168.30.254 may reach arbitrary destinations; the other VLAN 30 PCs reach the Internet only if that host proxies for them (the case does not say what it is), and the same host is reachable from every machine in VLAN 10 and VLAN 20, which makes it the single pivot between the segments. Also verify that VLAN 70 clients still obtain leases from the 3750's DHCP pool, because an inbound deny-all on the SVI also applies to packets addressed to the switch itself. Fa1/0/48 (fanghuoqiang, i.e. the firewall) is a routed port, and 172.16.10.1 is the default route out.

Dynamic ARP Inspection is enabled on VLANs 10, 20 and 30 with the ARP ACLs as filter and without DHCP snooping, so an ARP packet whose sender IP/MAC pair is not listed has no binding table to fall back on and is dropped; add the static keyword to the ip arp inspection filter commands if the lists should stay authoritative even after DHCP snooping is enabled later. The 2950 access switches cannot run DAI themselves, so the 3750's trunk ports must stay untrusted (the default), and every host in those VLANs, the two servers included, needs an entry or its ARP is discarded. DAI inspects only ARP: a host that learns or hard-codes the gateway's MAC address can still send IP frames, so a real IP/MAC lock needs IP Source Guard in addition (ip verify source on the access ports together with ip source binding entries) on switches that support it. Check with show ip arp inspection vlan 30 and show ip arp inspection statistics vlan 30; the drop counters rise when an unlisted host tries to ARP.

On the management plane, line vty 5 15 has no login, so once five Telnet sessions are open the next connection gets a CLI prompt without any password; ip http server is on, the enable password is the plaintext "mb" and service password-encryption is off. Put login and a password (or aaa new-model) on all sixteen vty lines, use enable secret instead of enable password, restrict transport input to ssh, and turn ip http server off unless it is needed.
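The two things most worth checking in an ACL set like this are whether every ip access-group actually points at a defined list, and whether the flows in the requirement matrix are permitted or denied as intended. The script below is an added example (not part of the original case) that parses the entry forms used on this page (permit/deny ip with host, any or address-plus-wildcard terms) from an IOS-style listing, reports dangling references, and evaluates a flow entering a given SVI with first-match semantics and the implicit deny. The embedded configuration is a constructed excerpt that deliberately keeps the naming mismatch of the page's original listing (vlan10_in applied, v10_in defined) so the dangling-reference check has something to find; the function names are mine.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt modelled on the page's 3750 listing. Vlan10 applies "vlan10_in",
# which is never defined, exactly as in the original listing; Vlan30 is correct.
SAMPLE_CONFIG = """
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group vlan10_in in
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group v30_in in
!
ip access-list extended v10_in
 permit ip host 192.168.10.199 host 192.168.30.2
 permit ip any host 192.168.30.254
ip access-list extended v30_in
 permit ip host 192.168.30.254 any
 permit ip host 192.168.30.2 host 192.168.10.199
 permit ip host 192.168.30.2 host 192.168.20.254
!
ip access-list extended v70_in
 deny ip any any
"""


def _take_addr(toks):
    """Consume one IOS address term: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    wildcard = int(ipaddress.ip_address(toks[1]))
    prefix = 32 - bin(wildcard).count("1")      # contiguous wildcard masks only
    return ipaddress.ip_network(f"{toks[0]}/{prefix}", strict=False), toks[2:]


def parse_config(text):
    """Return (acls, applied).

    acls maps list name -> [(action, src_net, dst_net)] in listing order;
    applied maps interface name -> (list name, direction).
    """
    acls, applied = defaultdict(list), {}
    current_acl = current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current_acl, current_if = m.group(1), None
            acls.setdefault(current_acl, [])   # a list with no entries is still defined
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current_if, current_acl = m.group(1), None
            continue
        m = re.match(r"ip access-group (\S+) (in|out)", line)
        if m and current_if:
            applied[current_if] = (m.group(1), m.group(2))
            continue
        m = re.match(r"(permit|deny) ip (.+)", line)
        if m and current_acl:
            toks = m.group(2).split()
            src, toks = _take_addr(toks)
            dst, toks = _take_addr(toks)
            acls[current_acl].append((m.group(1), src, dst))
    return dict(acls), applied


def dangling_references(acls, applied):
    """Interfaces whose ip access-group names a list that is never defined.
    IOS passes all traffic through such a reference, so each one is a silent hole."""
    return {intf: name for intf, (name, _) in applied.items() if name not in acls}


def evaluate(acls, name, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acls.get(name, []):
        if s in src_net and d in dst_net:
            return action
    return "deny"


def check_flow(acls, applied, ingress_if, src, dst):
    """Decision for a packet entering ingress_if, reproducing the IOS behaviour that
    an SVI with no list, or with a reference to an undefined list, permits everything."""
    if ingress_if not in applied:
        return "permit"
    name, _ = applied[ingress_if]
    if name not in acls:
        return "permit"
    return evaluate(acls, name, src, dst)


if __name__ == "__main__":
    acls, applied = parse_config(SAMPLE_CONFIG)
    print("dangling references:", dangling_references(acls, applied))
    print("Vlan10 192.168.10.50 -> 192.168.30.9:",
          check_flow(acls, applied, "Vlan10", "192.168.10.50", "192.168.30.9"))
    print("Vlan30 192.168.30.3 -> 192.168.10.199:",
          check_flow(acls, applied, "Vlan30", "192.168.30.3", "192.168.10.199"))
```

Run it against the real show run output instead of the embedded excerpt and feed it the flows from the requirement matrix (each manager PC to each server, a non-manager PC to each server, a VLAN 10 host to a VLAN 20 host); the first flow in the demonstration is the one the original naming mistake let through.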