[Computer Network] End-of-term course design ENSP network comprehensive experiment (with engineering documents)

Table of contents

foreword

Early preparation

Networking requirements

start networking

branch 1

Branch 2

Core switch configuration

Realize the construction of internal server

acl_deny partial user and server exit

Configure egress firewall

(Amendment) Firewall implements Internet access restrictions

dhcp assigns ip

epilogue

---

foreword

This time, the network planning course is designed as the experimental part of an engineering college course in Henan. There is no way that the course is too rushed and there is no networking experiment in the middle, so it may be difficult for novices to start.

Fortunately, two years ago, I was exposed to this kind of networking operation (Cisco was still popular at the time). And then successfully obtained the computer technology and software professional technical qualification (level) examination network engineer certificate. Since it is also past the peak of knowledge, the operation commands of many switches and routers are not very clear. I also consulted various materials and spent an afternoon finally completing this networking experiment.

Early preparation

Software Wireshark-win64-3.0.0.exe packet capture software can assist experiments and analyze the packet sending process

WinPcap_4_1_3.exe small patch can be installed when ensp cannot be opened

VirtualBox-5.2.22-126460-Win.exe Installing a virtual network card can realize the connection between the virtual machine and the ensp, and importing the firewall package is also used

eNSP V100R003C00 Setup.exe The most important Huawei emulator contains a large number of Huawei devices

When the usg firewall package in the vfw_usg.vdi.vdi simulator tries to open the firewall, it will prompt you to import the package, find this import

 I won’t elaborate on the installation of the previous software.

Answer a few common questions for novices
1. The download order of the software does not matter
2. The incompatible version of VirtualBox is too high or cannot be opened! You can change the version (contact me on QQ)
3. Do not type commands directly when you come up, because it is the user page, system first enters the system setting page
4. Save it under the user page and save>save (be sure to save otherwise, all previous efforts will be wasted, open the file again and restart all devices) No configuration)
5. The page pops up log messages from time to time, how to make it not appear undo in en
? 6. Mine is different from yours, and the interface port is not displayed! enter settings

Networking requirements

A company has a headquarters and two branches. It has applied for the public network IP address of 22.22.22.0/27 and gateway 22.22.22.1. The headquarters has about 10 internal servers, 5 financial servers, 100 employees, and 20 Financial personnel; Branch 1 has 150 employees and 5 financial personnel; Branch 2 has 200 employees and 8 financial personnel.
Requirements:
1. The computers used by employees and financial personnel of the headquarters, branch 1 and branch 2 have independent broadcast domains, and internal servers and financial servers also have independent broadcast domains.
2. Employees' computers can access the Internet, but financial personnel's computers, internal servers and financial servers cannot access the Internet.
3. The computers used by employees and financial personnel can all access the internal server and financial server, and can access each other. According to the overall topology diagram given below, plan and design a company's network, and give the specific configuration in the ENSP simulator.

Refer to the ip plan in the document

 Note that the VLAN of the firewall does not need to be configured with a VLAN, whether it is an internal port or an external port.
We replaced vlan50 with 120, vlan60 with 220, and the uplink firewall of the headquarters with vlan50, keeping the vlans on both sides consistent.
It is also possible to follow the division on the table. I changed this for a clearer thinking.

start networking

We are going to build up the equipment little by little starting from the demand in this way

branch 1

 The financial clinet is configured with an IP of 192.168.110.2 (1 for the gateway) (here the gateway is wrongly configured from 119 to 110)

 Employee pc1 configures 192.168.100.2 (1 for the gateway)

GE0/0/1 of 1_5700 configures interface vlan110 with an address of 192.168.110.1/24

The GE0/0/2 configuration interface vlan100 address of 1_5700 is 192.168.100.1/24

GE0/0/3 of 1_5700 configures interface vlan120 with an address of 10.10.10.1/30

1_5700 To configure the default static route to achieve connectivity with the headquarters branch network

1_5700 configuration command reference

vlan batch 110 100 120 //创建多个vlan 并配置ip地址

int vlanif 100 ip address 192.168.100.1 24

int vlanif 110 ip address 192.168.110.1 24

int vlanif 120 ip address 10.10.10.1 30

//Enter the interface configuration

int g 0/0/1
port link-type access
port default vlan 110

int g 0/0/2 port
link-type access
port default vlan 100

int g 0/0/3
port link-type access
​​​​​​​port default vlan 120

 //Configure a static default route

ip route-static 0.0.0.0 0.0.0.0 10.10.10.2

 After this set of commands is configured, Client1 and pc1 can communicate with each other, both of which can access their own gateways and have default routes to route to unknown network segments (test later)

Branch 2

In fact, the configuration of branch 2 is the same as the configuration of branch 1.

 Financial clinet2 is configured with an IP of 192.168.210.2 (1 for the gateway)

Employee pc2 configuration 192.168.200.2 (1 for the gateway)

GE0/0/1 of 2_5700 configures interface vlan210 with an address of 192.168.210.1/24

GE0/0/2 of 2_5700 configures interface vlan200 with an address of 192.168.200.1/24

GE0/0/3 of 2_5700 configures interface vlan220 with an address of 10.10.10.5/30

2_5700 To configure the default static route to achieve connectivity with the headquarters branch network

2_5700 configuration command reference

vlan batch 210 200 220 //创建多个vlan 并配置ip地址

int vlanif 200 
ip address 192.168.200.1 24

int vlanif 210 
ip address 192.168.210.1 24

int vlanif 220 
ip address 10.10.10.5 30

//Enter the interface configuration

int g 0/0/1
port link-type access
port default vlan 210

int g 0/0/2
port link-type access
port default vlan 200

int g 0/0/3
port link-type access
port default vlan 220

//Configure a static default route

ip route-static 0.0.0.0 0.0.0.0 10.10.10.6

headquarters

 Note that the headquarters is different. The switch in the headquarters is 3700, and there is no reference uplink address, so we can configure it in this way so that g0/0/3 of the core switch becomes the gateway interface of pc3 client3. Ethernet0/0/1 is configured as a trunk port

Financial clinet3 is configured with an IP of 192.168.40.2 (1 for the gateway)

Employee pc3 configuration 192.168.30.2 (1 for the gateway)

Headquarters Switch_3700 Configuration Reference

vlan batch 30 40

interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30 40

interface Ethernet0/0/2
port link-type access
port default vlan 40

interface Ethernet0/0/3
port link-type access
port default vlan 30 

Next configure their gateways 

Core switch configuration

We need to configure the g 0/0/3 interface of the core switch as the gateway of the headquarters pc3

Do you still remember the uplink address (next hop) of the branch office?

We need to configure g 0/0/1 g 0/0/2 as vlan120:10.10.10.2 and vlan220:10.10.10.6 respectively

vlan batch 30 40 120 220 50

int vlanif 30
ip address 192.168.30.1 24

int vlanif 40
ip address 192.168.40.1 24

int vlanif 120
ip address 10.10.10.2 30

int vlanif 220
ip address 10.10.10.6 30

int vlanif 50 (出接口)
ip address 10.10.10.10 30

interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30 40

int g 0/0/1
port link-type access
port default vlan 120

int g 0/0/2
port link-type access
port default vlan 220

int g 0/0/6
port link-type access
​​​​​​​port default vlan 50

After this configuration, pc3 can communicate with clien3

But can branch pc1 connect to branch pc2? This is not possible because the core switch has no routing yet. Let’s configure static routing this time. Of course, dynamic routing can be configured, but I don’t want to look through the information again.

Routing configuration of the core switch (add a default route at the end)

ip route-static 192.168.100.0 255.255.255.0 10.10.10.1
ip route-static 192.168.110.0 255.255.255.0 10.10.10.1
ip route-static 192.168.200.0 255.255.255.0 10.10.10.5
ip route-static 192.168.210.0 255.255.255.0 10.10.10.5
​​​​​​​ip route-static 0.0.0.0 0.0.0.0 10.10.10.9

After this route is configured, the connection between the headquarters and the branch can be realized theoretically.

Realize the construction of internal server

We have two servers connected to the core switch for http and ftp, which can be accessed by internal employees

 So configure the core switch again

vlan batch 10 20
int vlanif 10
ip address 192.168.10.1 24
int vlanif 20
ip address 192.168.20.1 24

int g 0/0/4
port link-type access
port default vlan 10

int g 0/0/5
port link-type access
port default vlan 20

After this configuration is completed, all employees of the internal http and internal ftp can access it (because it is directly connected to the core switch)

acl_deny partial user and server exit

To enable employees' computers to access the Internet, financial personnel's computers, internal servers, and financial servers cannot access the Internet. We can configure the core switch acl so that these hosts cannot go out of the g 0/0/6 interface

acl number 2001
rule 5 deny source 192.168.110.0 0.0.0.255
rule 10 deny source 192.168.40.0 0.0.0.255
rule 15 deny source 192.168.210.0 0.0.0.255
rule 20 deny source 192.168.20.0 0.0.0.255
rule 25 deny source 192.168.10.0 0.0.0.255

interface GigabitEthernet0/0/6
​​​​​​​traffic-filter outbound acl 2001

Configure egress firewall

The g 0/0/6 interface of the core switch has been configured (10.10.10.10/30) and the default route will be sent to 10.10.10.9

We use pc5 to simulate Internet users. Users who choose any intranet host only need to ping pc5 to complete the experiment.

Configure two interfaces

interface GigabitEthernet1/0/0
undo shutdown
ip address 10.10.10.9 255.255.255.252
service-manage ping permit

interface GigabitEthernet1/0/1
undo shutdown
ip address 22.22.22.2 255.255.255.224
service-manage ping permit

Increase trust and untrust

firewall zone trust
add int g1/0/0
​​​​​​​firewall zone untrust
add int g1/0/1

Allow trust and untrust to communicate

security-policy
rule name internet
source-zone trust
destination-zone untrust
action permit

Implement port conversion for Internet access

nat-policy
rule name internet
source-zone trust
destination-zone untrust
action nat easy-ip

Provide routing for users with access to the Internet

ip route-static 192.168.30.0 255.255.255.0 10.10.10.10
ip route-static 192.168.100.0 255.255.255.0 10.10.10.10
​​​​​​​ip route-static 192.168.200.0 255.255.255.0 10.10.10.10

Now ordinary users on the intranet can access the Internet but users who cannot actively access the intranet from the Internet can be seen in the figure below to do NAT port conversion

( Fix ) Firewall realizes Internet access restriction

Didn't the acl_deny server export export before! In fact, you can also use this method of firewall, the final purpose of both is the same. It seems that this is the configuration in the task book. If you have configured acl, it does not matter. You can cancel the configuration again.
Enter the g6 port of the core switch to cancel the acl filter.
 

int g 0/0/6
undo ​​​​​​​traffic-filter outbound acl 2001
dis this (查看当前接口下配置)

Enter the firewall policy and match the network segment that can access the Internet as the source network segment, so that the user's Internet access server cannot access the Internet.

security-policy
  rule name internet
  source-zone trust
  destination-zone untrust
  source-address 192.168.30.0 24
  source-address 192.168.100.0 24
  source-address 192.168.200.0 24
  action permit

nat-policy
  rule name internet
  source-zone trust
  destination-zone untrust
  source-address 192.168.30.0 24
  source-address 192.168.100.0 24
  source-address 192.168.200.0 24
  action nat easy-ip

Finally, add a default route to the firewall (before I also considered that I have already entered the public network and should not use dynamic routing, but in fact it has not yet fully entered the public network or configure the next hop address)

ip route-static 0.0.0.0 0.0.0.0 22.22.22.1

dhcp assigns ip

Previously, our internal PCs were manually configured. Next, we use dhcp distribution. To realize this function, we need to configure dhcp on the gateway interface of each network segment. The command is very simple to find the gateway.

Let me take pc1 as an example. The gateway of pc1 is configured under vlan100 in g0/0/2 of branch 1_5700, so we enter vlan100

 Configured and tested with pc1

 It can be seen that the ip address has been successfully obtained, and it is 192.168.100.254

epilogue

The complexity of the network is much more than this practice is also a fast and effective method. Due to my limited knowledge level, it is inevitable that I will be stupid in configuration. If you have any better configuration methods or ideas, welcome to communicate

Finally, attach this project file as a reference study. (filtering with the core switch acl has not changed)
Files shared through Baidu Netdisk: ensp networking course...
Link: https://pan.baidu.com/s/1WIWXh5hdAXScZReCiuT5wg?pwd=9uwn 
Extraction code: 9uwn

Command dis cu to see all configurations of the device!

Friends, please give me more likes, follow and favorites!