Network Engineer--Network Planning and Design Case Study (7)

Case 1: The networking scheme of an enterprise is shown in the figure below, and the network interface plan is shown in the table below. Both internal employees and external guests of the company can access the enterprise network through the wireless network. The SSID of the wireless network for internal employees is Employee, and the SSID for guests is Visitor.

Case study one:

The NAT function is configured on the firewall for public and private network address translation. At the same time, a security policy is configured that places the area where the internal end users are located in the Trust zone and the external network in the Untrust zone, to protect the enterprise internal network from attacks from the external network. Fill in the blanks in the table:

Note: local represents the firewall's local zone; srcip represents the source IP.

Answer: (1) 200.1.1.1/32

Analysis: According to the network interface planning table, this should be the IP address of interface GE1/0/0 of the firewall, that is, 200.1.1.1/32.

(2)local

Analysis: The adjacent entry is untrust_local, from which it can be inferred that local should be filled in here; the two entries are opposite directions of the same pair.

(3)any

Analysis: NAT is performed on the firewall; before translation the destination is arbitrary and the service is also arbitrary, so any should be filled in.

Case study two:

In a point-to-point environment, to configure an IPSec VPN tunnel, you need to specify the peer address and the authentication method.

Analysis: (1) To configure a point-to-point IPSec VPN tunnel on the firewall, you need to configure the peer address so that the peer is reachable by route.

(2) Configure shared-key authentication so that the two ends authenticate each other securely.

(3) VPN (Virtual Private Network) concept: a technology that builds a private network over a public network by means of tunneling.

(4) Application of VPN:

① Remote office: People who are on business trips can access the company's internal LAN resources through VPN technology.

② Remote networking: Group companies and subsidiaries in different regions access each other's local area network resources.

③ Over the wall: cross-border access to external resources.

(5) VPN common protocols:

① IPSec protocol (with authentication and encryption functions, can be used with other tunnel protocols, high security)

② GRE protocol (can establish multipoint tunnels; generally used together with IPSec to improve security)

③ SSL VPN (easy and safe to use)

(6) Currently popular VPN technologies: SSL VPN, IPSec VPN, GRE+IPSec VPN

① SSL VPN: used for the remote office type; the client logs in through a browser by entering an account and password on a web page and then accesses internal resources directly. However, the LAN side needs a dedicated SSL VPN gateway device.

② IPSec VPN: also used for the remote office type. The client must support IPSec (Windows generally does) and a dedicated VPN connection must be established; operation is more complicated, and the LAN side needs to purchase a dedicated gateway device or router.

③ GRE+IPSec VPN: used for interconnection between local area networks; a dedicated gateway device or router can be used.

Case study three:

Configure an ACL on Switch1 to prohibit guests from accessing the internal network, and complete the following blank items in the Switch1 data planning table:

Answer: (6) 104

Analysis: The question states that guests are prohibited from accessing the internal network. The guest VLAN is 104, so the VLAN where the guests are located, 104, should be filled in here.

(7)192.168.104.0/0.0.0.255

Analysis: The guest network address is 192.168.104.0, so the source IP is 192.168.104.0/0.0.0.255; the mask here is the inverse (wildcard) mask, not a subnet mask.

(8) Discard

Analysis: The question states that guests are prohibited from accessing the internal network, so the action is Discard, because the destination addresses are all internal network addresses.

Case study four:

The WLAN service is deployed on the AP controller, direct forwarding is used, the AP goes online across Layer 3, and the authentication method is a pre-shared key for wireless users. GE0/0/2 on Switch1 is connected to the AP controller; the interface type is access mode, and the VLAN is VLAN 10.

Analysis: (1) The differences between ACCESS mode and TRUNK mode: the connected objects are different, the data processing methods are different, and the functions are different.

① Connection objects are different

TRUNK mode: allows multiple VLANs to pass through and can receive and send packets of multiple VLANs; generally used for interfaces between switches.

ACCESS mode: allows multiple VLANs to pass through and can receive and send packets of multiple VLANs; can be used for the connection between switches and also to connect user computers.

② Data sending methods are different

When receiving data, ACCESS mode and TRUNK mode process it the same way, but when sending data, ACCESS mode allows packets of multiple VLANs to be sent untagged, while TRUNK mode only allows packets of the default VLAN to be sent untagged. Hybrid and trunk cannot coexist on the same switch.

③ Different functions

TRUNK mode is mainly used for interconnection between switches, so that different VLANs on switches share lines.

ACCESS mode: mainly realizes high isolation wavelength division and multiplexing.

(2) According to the network interface planning table, the VLAN to which the AP controller belongs is VLAN 10.


Case 2:

The network topology of a unit is shown in the following figure:

Case study one:

1. Based on the above network topology diagram, complete the content of the SwitchA service data planning table (as shown in the following figure):

2. According to the ACL policy in the table below, the business department cannot access the (5) network segment.

Answer: (1) GE2/0/3

Analysis: According to the network topology, the management machine and switch SwitchA are connected through interface GE2/0/3, so GE2/0/3 is filled in here.

(2)0.0.0.0/0

Analysis: According to the network topology above, the default route goes from SwitchA to AR2200, so 0.0.0.0/0 is filled in here.

This means that traffic to any network is sent to the next hop 10.103.1.2. A route whose network address and subnet mask are both zero is the default route; it is the extreme case of route summarization, and the default route has the lowest priority when matching.

(3)10.103.1.2

Analysis: According to the network topology above, the default route goes from SwitchA to AR2200, and the next hop should be the router's GE6/0/0 interface so that intranet services can reach the extranet; 10.103.1.2 is filled in here.

(4) GE2/0/3

Analysis: According to the ACL policy in the figure, all data flows from the source address to the destination address are rejected. The destination address 10.104.1.1/24 is exactly the IP of the management machine, so data flows from the business and administration departments to the management machine are rejected; that is, business and administration cannot access the management machine. The interface the policy is applied to is the egress on SwitchA toward the management machine, namely interface GE2/0/3.

(5)10.104.1.0/24

Analysis: The network segment that the business department cannot access is the network address of the management machine, 10.104.1.0/24, not the IP address of VLAN 202; the VLAN's own IP address should not be filled in here.
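The two ACL answers above (case 1 study three: guest segment 192.168.104.0 with wildcard 0.0.0.255 discarded toward the internal network; case 2 study one: traffic to the management segment 10.104.1.0/24 rejected) both rely on wildcard-mask matching, which is the inverse of subnet-mask matching. The following is an added example, not code from the original page, that evaluates such rules over constructed flows; the internal range 192.168.0.0/16 and the intra-guest permit rule are assumptions, since the page does not give them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


def prefix_to_wildcard(prefix_len: int) -> str:
    """Subnet prefix /n -> wildcard (inverse) mask, e.g. 24 -> 0.0.0.255."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~subnet_mask & 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care (opposite of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Rule:
    action: str   # "deny" (shown as Discard in the case table) or "permit"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def evaluate(acl: List[Rule], src: str, dst: str) -> str:
    """Rules are checked in order; the first match wins. No match -> permit."""
    for r in acl:
        if wildcard_match(src, r.src, r.src_wc) and wildcard_match(dst, r.dst, r.dst_wc):
            return r.action
    return "permit"


ANY = ("0.0.0.0", "255.255.255.255")   # every bit is "don't care"

# Case 1, study three: guests in VLAN 104 may talk to each other (assumed) but
# must not reach the internal network (assumed to be 192.168.0.0/16).
GUEST_ACL = [
    Rule("permit", "192.168.104.0", "0.0.0.255", "192.168.104.0", "0.0.0.255"),
    Rule("deny", "192.168.104.0", prefix_to_wildcard(24),
         "192.168.0.0", prefix_to_wildcard(16)),
]

# Case 2, study one: any source toward the management segment 10.104.1.0/24 is rejected.
MGMT_ACL = [Rule("deny", *ANY, "10.104.1.0", "0.0.0.255")]
```

Traffic from a guest to the Internet is not matched by either rule and therefore falls through to the default permit, which is the behaviour the case asks for.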

Case study two:

According to the diagram above, in order to protect the internal network and implement packet filtering, a firewall device should be deployed at location A, working in transparent mode.

Analysis: The device that protects the network and directly implements packet filtering between the internal and external networks is the firewall. A firewall has three modes:

① Route mode: The firewall interface has an IP address

② Transparent mode: the firewall interface has no IP address

③ Mixed mode: Some interfaces of the firewall have IP addresses, and some interfaces do not have IP addresses

In this question, the router AR2200 already performs routing, so the firewall does not need to take on the routing function and only needs to be configured in transparent mode.

Case study three:

According to the company's network topology above, the company uses two links to access the Internet; ISP2 is a PPPoE link, and part of the configuration of router AR2200 is as follows:

detect-group 1

detect-list 1 ip address 142.1.1.1

timer loop 5

ip route-static 0.0.0.0  0.0.0.0 Dialer 0 preference 100

ip route-static 0.0.0.0  0.0.0.0 142.1.1.1 preference 60 detect-group 1

From the above configuration, users can access the Internet through ISP1 by default.

The network functions implemented by this configuration fragment: detection group 1 is configured with a detection period of 5 seconds; two default routes serve as redundant link backups, one leaving through the dial-up interface to reach ISP2 and the other with its next hop in ISP1, which is used by default to access the Internet.

Analysis: (1) The command detect-group 1 creates dial detection group 1; detect-list 1 ip address 142.1.1.1 is dial detection list 1 (the probed address); timer loop 5 sets the dial detection cycle to 5 seconds; Dialer 0 is the dial-up interface, from which we can see that this is a PPPoE dial-up connection, so ISP2 is the PPPoE link.

(2) The command ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 100 sends internal network traffic to the external network through Dialer 0, with preference 100.

(3) The command ip route-static 0.0.0.0 0.0.0.0 142.1.1.1 preference 60 detect-group 1 sends internal network traffic to the external network through next hop 142.1.1.1, with preference 60. The smaller the preference value, the higher the priority, so users reach the external network through ISP1 by default.

(4) The function of this configuration snippet: detection group 1 is configured with a detection period of 5 seconds; two default routes serve as redundant link backups, one leaving through the dial-up interface to reach ISP2 and the other with its next hop in ISP1, which is used by default to access the Internet.
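To make the selection logic of the two default routes concrete, here is an added example, not code from the original page or from the vendor: a small simulation of the router's choice. It assumes that a lower preference value wins, that a route bound to a detect-group is withdrawn while probes to its detect-list address fail, and that the probe results are supplied as constructed input.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    out: str                          # next hop address or outbound interface
    preference: int                   # lower value = higher priority
    detect_group: Optional[int] = None


@dataclass
class DetectGroup:
    targets: List[str]                # the detect-list addresses
    timer_loop: int                   # probe period in seconds (5 in the case)
    results: Dict[str, bool] = field(default_factory=dict)  # simulated probes

    def up(self) -> bool:
        """The group is healthy only if every probed target answered."""
        return all(self.results.get(t, False) for t in self.targets)


def active_routes(routes: List[StaticRoute], groups: Dict[int, DetectGroup]) -> List[StaticRoute]:
    """Drop any route whose detect-group currently reports failure."""
    return [r for r in routes if r.detect_group is None or groups[r.detect_group].up()]


def select_default(routes: List[StaticRoute], groups: Dict[int, DetectGroup]) -> Optional[str]:
    """Among the installed candidates, pick the lowest preference value."""
    candidates = active_routes(routes, groups)
    if not candidates:
        return None
    return min(candidates, key=lambda r: r.preference).out


# The two default routes from the configuration fragment above.
ROUTES = [
    StaticRoute("Dialer 0", 100),                  # ISP2, PPPoE dial-up
    StaticRoute("142.1.1.1", 60, detect_group=1),  # ISP1, tracked by detect-group 1
]


def simulate(isp1_reachable: bool) -> Optional[str]:
    """Return the exit used when the probe to 142.1.1.1 does or does not succeed."""
    groups = {1: DetectGroup(["142.1.1.1"], 5, {"142.1.1.1": isp1_reachable})}
    return select_default(ROUTES, groups)


if __name__ == "__main__":
    print(simulate(True))    # ISP1 is the default exit while probes succeed
    print(simulate(False))   # failover to Dialer 0 (ISP2) once probes fail
```

Without the detect-group, the preference-60 route would stay installed even when ISP1's next hop is unreachable, and the backup via Dialer 0 would never be used.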


Origin blog.csdn.net/mailtolaozhao/article/details/124077056