Network Engineer--Network Planning and Design Case Study (8)

Case number one:

The networking scheme of a campus is shown in the following figure, and the data planning is shown in the following table. The analysis is performed according to the following chart:

Case study one:

Take Switch3 as an example to configure an access-layer switch, and add the following command snippets:

<HUAWEI>(1)

[HUAWEI]sysname Switch3

[Switch3]vlan batch(2)

[Switch3]interface GigabitEthernet 0/0/3

[Switch3-GigabitEthernet 0/0/3]port link-type(3)

[Switch3-GigabitEthernet 0/0/3]port trunk allow-pass vlan 10 20

[Switch3-GigabitEthernet 0/0/3]quit

[Switch3]interface GigabitEthernet 0/0/1

[Switch3-GigabitEthernet 0/0/1]port link-type (4)

[Switch3-GigabitEthernet 0/0/1]port default vlan 10

[Switch3-GigabitEthernet 0/0/1]quit

[Switch3]stp bpdu-protection

Answer: (1) system-view

Analysis: According to the context, this is the most basic command. The function of the statement is to enter the switch system view from the user view, or write sys

(2)10 20 

Analysis: The function of the vlan batch command is to create VLANs in batches. According to the meaning of the question, it is configured on Switch3. According to the data planning table, Switch3 contains two VLANs, namely VLAN10 and VLAN20, so fill in 10 20 here.

(3)trunk

Analysis: According to the command [Switch3-GigabitEthernet 0/0/3]port trunk allow-pass vlan 10 20, it can be judged that the port link type is trunk

(4)access

Analysis: Combined with the command [Switch3-GigabitEthernet 0/0/1]port default vlan 10, it can be determined that the interface link type is access, because VLAN 10 is the host terminal computer, and the connection between the host and the switch is of the access type

Case study two:

Take Switch1 as an example to configure a core-layer switch, create a VLAN that communicates with the access switch, backup device, and egress router, and add the following commands:

<HUAWEI>system-view

[HUAWEI]sysname Switch1

[Switch1]vlan batch (5)

[Switch1]interface GigabitEthernet0/0/1

[Switch1-GigabitEthernet0/0/1]port link-type trunk

[Switch1-GigabitEthernet0/0/1]port trunk allow-pass (6)

[Switch1-GigabitEthernet0/0/1]quit

[Switch1]interface Vlanif 10

[Switch1-Vlanif10]ip address 192.168.10.1 24

[Switch1-Vlanif10]quit

[Switch1]interface Vlanif 20

[Switch1-Vlanif20]ip address 192.168.20.1 24

[Switch1-Vlanif20]quit

[Switch1]interface GigabitEthernet0/0/7

[Switch1-GigabitEthernet0/0/7]port link-type trunk

[Switch1-GigabitEthernet0/0/7]port trunk allow-pass vlan10

[Switch1-GigabitEthernet0/0/7]quit

[Switch1]interface Vlanif 100

[Switch1-Vlanif100]ip address (7)

[Switch1-Vlanif100]quit

[Switch1]interface GigabitEthernet0/0/5

[Switch1-GigabitEthernet0/0/5]port link-type access

[Switch1-GigabitEthernet0/0/5]port default vlan300

[Switch1-GigabitEthernet0/0/5]quit

[Switch1]interface Vlanif 300

[Switch1-Vlanif300]ip address (8)

[Switch1-Vlanif300]quit

Answer: (5) 10 20 30 100 300

Analysis: vlan batch is a command to create vlans in batches. According to the data planning table, the vlans of Switch1 are vlan10, vlan20, vlan30, vlan100, and vlan300; just create the vlans shown in the following table.

(6)VLAN 10 20

Analysis: Switch is connected to Switch3 through trunk link port GigabitEthernet0/0/1. The vlans of department A and department B under Switch3 are respectively: vlan10 and vlan20, that is, the GigabitEthernet0/0/1 port of Switch1 can pass through vlan10 and vlan20

(7) 172.16.10.1 24 or 172.16.10.1 255.255.255.0

Analysis: The command [Switch1-Vlanif100]ip address is used to configure an IP address for vlan100. According to the data planning table, the address of vlanif is 172.16.10.1/24, so fill in 172.16.10.1 24 here, note: 172.16.10.1 24 and 172.16. 10.1/24 means the same thing, that is, 24 is used in the configuration state, and /24 is used in the calculation and writing state. For example, it is 172.16.10.1 24 in the vlanif interface view, and the calculated route aggregation can be written in the format of 192.168.1.129 /24, 192.168.1.133/24

① VLAN if interface and VLAN port define
VLAN port: it is a physical port. Usually, we configure access VLAN 10 so that the physical interface belongs to VLAN 10.
VLAN if: The interface VLAN is a logical port. Usually, this interface address is used as the gateway for users under the VLAN, such as interface VLAN 10 IP add 192.168.10.254 255.255.255.0

② The difference between VLAN if interface and VLAN port:

(1) VLAN port: It is a physical port. Usually, we configure access VLAN 10 to make a physical interface belong to VLAN 10

(2) VLAN if: The interface VLAN is a logical port. Typically, this interface address is used as the gateway for users in the VLAN.

③ What is the difference between a VLAN if interface and a VLAN port?
VLAN means virtual local area network. By default, switch ports belong to a group (VLAN). When you want to divide switch ports into multiple groups, you need to establish multiple VLANs and associate the port with the corresponding VLAN, in short, a port is a member of a VLAN.

④ What is the relationship between VLAN and VLANIF?
Its full name is a virtual local area network (VLAN). Its function is to divide hosts connected to the same switch into smaller logical network segments, thereby reducing the number of broadcasts. Communication between different VLANs is not possible, so broadcasts are limited to VLANs of hosts requiring the same service. Even if they are connected to the same switch, different VLANs will not receive ARP broadcast requests! If they need to communicate with each other, they can only use routers or layer 3 switches

⑤ What does VLANif mean? what's the effect? Under what circumstances is it used?
A Vlanif interface is a VLAN-based Layer 3 logical interface that can be configured with an IP address. After VLAN division, users in the same VLAN can communicate with each other, but users in different VLANs cannot communicate directly. In order to realize the communication between VLANs, you can configure the logical Layer 3 interface vlaif interface.

(8) 172.16.30.1 24 or 172.16.30.1 255.255.255.0

Analysis: In the same way as above, the IP address can be obtained by querying the data planning table

Case study three:

If static routes are configured to implement network communication, supplement the command snippets configured on Switch1 and Router:

[Swith1]ip route-static (9)

[Swith1]ip route-static  0.0.0.0  0.0.0.0 172.16.30.2 preference 70

[Router]ip route-static  (10)

[Router]ip route-static 192.168.10.0 255.255.255.0 172.16.10.1

[Router]ip route-static 192.168.10.0 255.255.255.0 172.16.20.1 preference 70

[Router]ip route-static 192.168.20.0 255.255.255.0 172.16.10.1

[Router]ip route-static 192.168.20.0 255.255.255.0 172.16.20.1 preference 70

Answer: (9) 0.0.0.0 0.0.0.0 172.16.10.2 

Resolution: The next hop of Switch1 is the GE0/0/1 interface of the Router, and the IP address of the internal network interface of the GE0/0/1 interface is

172.16.10.2 /24

The ip route-static command is used to configure static routes. The command format is as follows:

ip route-static 0.0.0.0  0.0.0.0  172.16.10.2 

(1) The first 0.0.0.0 represents the destination network to be reached

(2) The second 0.0.0.0 represents the subnet mask of the destination network to be reached

(3) 172.16.10.2 The IP address of the next hop, that is, the port address of the adjacent router

(4) Priority of routing: the smaller the value, the greater the priority

① Direct route default priority: 0

② OSPF default priority: 10

③ Static route default priority: 60

④ RIP default priority: 100

⑤ BGP default priority: 255

(10)0.0.0.0  0.0.0.0 202.101.111.1

Analysis: According to the data planning table, a default route needs to be configured at the router egress to forward intranet traffic to the Internet. The data planning table shows that the router's public network gateway address is 202.101.111.1/30, and the next hop is 202.101.111.1

=============================Boundary line====================== =============

Case 2:

The following figure shows the networking scheme between an enterprise branch and the headquarters. The enterprise branch network planning is shown in the following table:

Networking instructions for enterprise branches and headquarters:

1. The enterprise branch uses dual links to access the Internet. The ADSL wired link is used as the main Internet interface of the enterprise branch, and the 3G/LTE Cellular wireless link is used as the backup Internet interface of the enterprise branch.

2. Specify Router1 as the enterprise egress gateway, and Router1 will assign IP addresses to intranet users of the enterprise

3. Configure a default route on the Router so that the intranet traffic of the enterprise branch can access the Internet through xDSL and 3G/LTE Cellular wireless links

4. The 3G/LTE Cellular wireless link between the enterprise branch and the headquarters adopts encrypted transmission

Case study one:

According to the networking scheme, configure the Internet interface card for the enterprise branch Router1, which should be configured in (1) and  (2) boards.

Answer (1) xDSL

Analysis: As shown in the figure above, Router1 has two links to connect to the Internet: one is connected to DSLAM, which is an xDSL device at the central office, so xDSL should be filled in

(2)3G/LTE

Analysis: As in the above question, Router1 has two links to connect to the Internet: the other one is connected to 3G/LTE, which is a wireless 3G line, so 3G/LTE should be filled in

Case study two:

The command snippet for configuring the DHCP service on Router1 is as follows. Please complete the relevant content:

[Huawei]dhcp enable

[Huawei]interface vlanif 123

[Huawei-vlanif123]dhcp select global   //(3)

[Huawei-vlanif123]quit 

[Huawei] ip (4) lan

[Huawei-ip-pool-lan]gateway-list (5)

[Huawei-ip-pool-lan]network 192.168.100.0 mask 24

[Huawei-ip-pool-lan]quit

Answer: (3) DHCP enables global address pool

Analysis: The command dhcp select global means that DHCP enables the global address pool, just remember the knowledge points

(4)pool

Resolution: To configure a DHCP address pool, you should fill in the pool, or you can also judge according to the next command [Huawei-ip-pool-lan]. [Huawei]ip pool lan means to create an IP address pool on the router.

(5)192.168.100.1 

Analysis: Configure the gateway of the address pool. According to the figure below, we know that the gateway address is 192.168.100.1. [Huawei-ip-pool-lan] network 192.168.100.0 mask 24 means adding an IP address network segment to the IP address pool.

Case study three:

The commands for configuring uplink interfaces on the Router are as follows. Please complete the relevant content:

#Configure NAT address translation

[Huawei]acl number 3002

[Huawei-acl-adv-3002]rule 5 permit ip source 192.168.100.0 0.0.0.255

[Huawei-acl-adv-3002]quit

[Huawei]interface virtual-template 10      //(6)

[Huawei-virtual-template 10]ip address ppp-negotiate

[Huawei-virtual-template 10]nat outbound (7)

[Huawei-virtual-template 10]quit

#Configure the ATM interface

[Huawei]interface atm 1/0/0

[Huawei-Atm 1/0/0]pvc voip 1/35

[Huawei-atm-pvc-Atm1/0/0-1/35-voip]map ppp virtual-template 10

[Huawei-atm-pvc-Atm1/0/0-1/35-voip]quit

[Huawei-Atm 1/0/0]standby interface cellular 0/0/0    //(8)

[Huawei-Atm 1/0/0]quit

#Configure APN and network connection mode

[Huawei]apn profile 3gprofile

[Huawei-apn-profile-3gprofile]apn wcdma

[Huawei-apn-profile-3gprofile]quit

[Huawei]interface cellular 0/0/0

[Huawei-cellular 0/0/0]mode wcdma (9)

[Huawei-cellular 0/0/0]dialer enable-circular

[Huawei-cellular 0/0/0]apn-profile(10)

Bind the APN template

[Huawei-cellular 0/0/0]shutdown

[Huawei-cellular 0/0/0]undo shutdown

[Huawei-cellular 0/0/0]quit

#Configure the polling DCC dial-up connection

[Huawei]dialer-rule

[Huawei-dialer-rule]dialer-rule 1 ip permit

[Huawei-dialer-rule]quit

[Huawei]interface cellular 0/0/0

[Huawei-cellular 0/0/0]link-protocol ppp

[Huawei-cellular 0/0/0]ip address ppp-negotiate

[Huawei-cellular 0/0/0]dialer-group 1

[Huawei-cellular 0/0/0]dialer timer idle (11)

[Huawei-cellular 0/0/0]dialer number *99#

[Huawei-cellular 0/0/0]nat outbound 3002

[Huawei-cellular 0/0/0]quit

Answer: (6) Create a virtual interface template 10

Analysis: The command interface virtual-template 10 is to create a virtual interface template 10

(7)3002

Analysis: The command nat outbound 3002 means that the NAT translation direction is outbound in the egress direction, which matches the intranet traffic ACL, and 3002 should be filled in.

(8) Configure the 3G interface as the backup interface

Analysis: The command standby interface cellular 0/0/0 means to set the standby interface as CE0/0/0, configure the 3G interface as the backup interface, and the default priority is 0

(9)wcdma-only

Analysis: The command mode wcdma wcdma-only means to configure the connection mode of the 3G modem. According to the upgrade, it should be wcdma-only.

(10)3gprofile

Analysis: The command [Huawei]apn profile 3gprofile means to create an APN template 3gprofile, so 3gprofile should be filled in here

(11)100

Analysis: The meaning of the command dialer timer idle is the idle time of dialing. According to the dialing mode promotion information shown in the above figure, it should be filled in 100.

 

Case study four:

On the basis of the existing networking scheme, in order to ensure the security of data transmission between the branch and the headquarters, configure the (12) protocol to realize the end-to-end (13)

Answer: (12) IPSec

Analysis: In order to ensure the security of data transmission between the branch and the headquarters, the IPSec protocol should be configured at the network layer.

(1) IPSec definition: IPSec (Internet Protocol Security) is an industry standard network security protocol that provides transparent security services for IP network communications, protects TCP/IP communications from eavesdropping and tampering, and can effectively resist network attacks while maintaining easy access. usability.

(2) IPSec has two basic goals: 1) to protect the security of IP data packets; 2) to provide protection measures against network attacks.

(3) IPSec is based on an end-to-end security model, which encrypts the passing communication data, and only the sender and receiver master the data encryption and decryption method. Other routers in the network responsible for forwarding do not need to support IPSec.

(4) Basic principle of IPSec: Before two IPSec computers exchange data, they must establish a certain agreement. This agreement is called "Security Association (SA)", which means that both parties need to share information on how to protect and exchange information. Security settings are agreed and keys are securely exchanged for connection use. IKE provides a method for two computers to establish a Security Association (SA).

  ① IKE (Internet Key Exchange Protocol) Internet Key Exchange Protocol:

  Mainly responsible for the centralized management of SA (Security Associations) and the generation and management of keys

    ② SA (Security Associations) security associations:

  Defines how computers communicate using security services (such as encryption) and is a one-way logical connection. The content includes which IPSec protocol (AH or ESP), operating mode (transmission mode or tunnel mode), authentication algorithm, encryption algorithm, encryption key, key lifetime, and anti-replay window are used, thus determining what and how to protect protection and who will protect

(5) IPSec negotiation process

  IKE uses a two-phase ISAKMP (Internet Security Association and Key Management Protocol)

(13) Data encryption process

Analysis: The IPSec protocol of the network layer can realize end-to-end secure authentication and encrypted transmission

===============================Demarcation Line==================== =================

Case three:

Read the following instructions, answer the questions and fill in the answers on the answer sheet:

The network topology is shown in the following figure, the network interface planning table is shown in the following figure, the VLAN planning table is shown in the following figure, and the network requirements are as follows:

1. The switch SwitchA acts as a gateway for wired terminals and also acts as a DHCP server to assign IP addresses to wireless terminals and wired terminals. At the same time, configure ACL to control the access rights of different users, and control the camera (camera area) to only communicate with the DMZ area server. Wireless guests are prohibited from accessing the business server area and employee wired network

2. The interface of each access switch is added to the VLAN, and the traffic is forwarded at Layer 2

3. Configure the NAT function on the egress firewall for public and private network address translation, configure security policies, and control Internet access.

For example, the camera traffic does not need to access the external network, but can communicate with the server in the DMZ area. Configure NATServer to make the web server in the DMZ area open to public network access.

Case study one:

The data plan of the firewall is shown in the following table, which is supplemented completely:

Remarks: Firewall area description: Firewall GE1/0/2 interface is connected to the DMZ area, firewall GE1/0/1 interface is connected to the non-secure area, firewall GE1/0/0 interface is connected to the secure area, and srcip indicates the intranet area

Answer: (1) 10.106.1.1/24

Analysis: According to the question "Controlling the camera (camera area) can only communicate with the DMZ area server", according to the network topology diagram, we know that there is only a web server in the DMZ area, so fill in the ip address of the web server here, and look up the table to get 10.106. 1.1/24, you can also see that the destination address is the address of dmz according to the untrust_dmz context

(2) any (or 0.0.0.0/0)

Resolution: trust accesses the UNtrust zone, that is, the internal network zone accesses the external network zone, the source address is the internal network address srcip, and the destination address is all addresses on the external network, that is, any or 0.0.0.0/0

Case study two:

Fill in the blank items in the data planning table of SwitchA in the following table:

Answer: (3) 10.101.1.0 0.0.0.255

Analysis: According to the text prompting that wireless visitors are prohibited from accessing the service server and employee wired network, it is inferred in conjunction with the second line that the destination IP is the ip address of the service vlan108, so here the source ip fills in the ip address of the wireless visitor vlan101: 10.101.1.0 0.0 .0.255

(4)10.103.1.0 0.0.0.255

Analysis: According to the text prompting that wireless guests are prohibited from accessing the service server and employee wired network", it is inferred from the first line that the source IP is the ip address of the wireless guest vlan101, so here the destination IP fills in the ip address of the employee's wired VLAN 103: 10.103.1.0 0.0.0.255

(5) Allowed

Analysis: According to the meaning of the question, "Control the camera (camera area) can only exchange access with the DMZ area server, other access is prohibited", where 10.104.1.0 is the ip of the camera service vlan, and 10.106.1.0 is the firewall port GE1/0/2 according to the lookup table , the web server is connected to port GE1/0/2, so fill in the permission here

(6)10.104.1.0 0.0.0.255

Analysis: According to the meaning of the title, "Control the camera (camera area) can only communicate with the DMZ area server, other access is prohibited" and the subsequent processing actions are discarded, the ip address of the camera service vlan104 should be filled in here.

Case study three:

Supplement the data planning table of the router, as shown in the following figure:

Answer: (7) 10.101.1.0 24

Resolution: According to the description part of the router data planning table, access the route of the guest wireless terminal, where the destination address should be the network address of the guest vlan, that is, 10.101.1.0 24

(8)10.104.1.0 24

Resolution: According to the description part of the router data planning table, access the route of the camera, where the destination address should be the network address of the camera area vlan, that is, 10.101.1.0 24

(9)10.107.1.2

Resolution: Fill in the default route of SwitchA here, and the next hop here is the GE1/0/0 interface of the firewall. Looking at the network interface planning table, the ip address of the GE1/0/0 interface of the firewall is 10.107.1.2/24, so Fill in 10.107.1.2 here

(10)10.100.1.1

Resolution: Fill in the default route of the AC controller here. The AC controller is connected to the GE0/0/8 interface of SwitchA. The next hop here should fill in the IP address of the GE0/0/8 interface of SwitchA, which belongs to the vlan The ip address is 10.100.1.1/24, so fill in 10.100.1.1 here (why not with /24, see the context of the routing table)

Guess you like

Origin blog.csdn.net/mailtolaozhao/article/details/124100137