Foreword
Hello everyone, I'm Mr. Lin. Network engineering case: the switch configuration for a school computer room project. Let's take a look at which knowledge points are involved!
Body
1. School project configuration case
The computer department of a school has been given the task of computer-based marking for the municipal high school entrance examination. The Municipal Education Bureau requires the school to provide 400 computers for the teachers who mark the papers, and at the same time 4 high-performance servers that all 400 client computers can access. The school's 400 computers are distributed across 7 computer rooms, which make up 4 IP network segments.
1. Requirements: for security, computers in the 4 network segments must not be able to access each other, but every computer must be able to access the 4 servers. Figure 13-7 shows the network topology. After investigation, these requirements can be met by configuring a Layer 3 switch.
2. The specific configuration and IP address allocation scheme are as follows:
Assumptions:
Computer rooms 1 and 2 are connected to ports F0/1 and F0/2 of the Layer 3 switch respectively;
computer rooms 3 and 4 are connected to ports F0/6 and F0/7 of the Layer 3 switch respectively;
computer rooms 5 and 6 are connected to ports F0/11 and F0/12 of the Layer 3 switch respectively;
computer room 7 is connected to port F0/16 of the Layer 3 switch;
the servers are connected to port F0/21 of the Layer 3 switch.
IP address allocation for each computer room:
Computer rooms 1 and 2: IP 192.168.7.x/24, gateway 192.168.7.254
Computer rooms 3 and 4: IP 192.168.8.x/24, gateway 192.168.8.254
Computer rooms 5 and 6: IP 192.168.10.x/24, gateway 192.168.10.254
Computer room 7: IP 192.168.11.x/24, gateway 192.168.11.254
Servers: IP 192.168.12.x/24, gateway 192.168.12.254
3. Network topology diagram.
4. Configure a Layer 3 switch.
This example uses a Cisco Layer 3 switch; the specific configuration commands are as follows. Repeated commands are not commented a second time.
1. Create five VLANs
switch>
switch>en  enter privileged mode
switch#conf t  enter global configuration mode
switch(config)#hostname 3560  change the hostname to 3560
3560(config)#vlan 10  create VLAN 10
3560(config-vlan)#vlan 20  create VLAN 20
3560(config-vlan)#vlan 30
3560(config-vlan)#vlan 40
3560(config-vlan)#vlan 50
3560(config-vlan)#exit
2. Assign the port to the corresponding VLAN
3560(config)#int range f0/1-5  enter ports 1-5
3560(config-if-range)#switchport mode access  set the ports to access mode
3560(config-if-range)#switchport access vlan 10  add ports 1-5 to VLAN 10
3560(config-if-range)#exit
3560(config)#int range f0/6-10  enter ports 6-10; the remaining commands are the same as above
3560(config-if-range)#switchport mode access
3560(config-if-range)#switchport access vlan 20
3560(config-if-range)#exit
3560(config)#int range f0/11-15
3560(config-if-range)#switchport mode access
3560(config-if-range)#switchport access vlan 30
3560(config-if-range)#exit
3560(config)#int range f0/16-20
3560(config-if-range)#switchport mode access
3560(config-if-range)#switchport access vlan 40
3560(config-if-range)#exit
3560(config)#int range f0/21-22
3560(config-if-range)#switchport mode access
3560(config-if-range)#switchport access vlan 50
3560(config-if-range)#exit
Enable routing on the Layer 3 switch so that the VLANs can reach each other.
3560(config)#no ip domain-lookup  stop the switch from trying to resolve unknown strings (mistyped commands) as hostnames
3560(config)#ip routing  enable IP routing
3. Configure IP addresses for each VLAN
3560(config)#int vlan 10  enter the VLAN 10 interface
3560(config-if)#ip add 192.168.7.254 255.255.255.0  assign the IP address and subnet mask to VLAN 10
3560(config-if)#no shut  bring the interface up
3560(config-if)#exit
3560(config)#int vlan 20
3560(config-if)#ip add 192.168.8.254 255.255.255.0
3560(config-if)#no shut
3560(config-if)#exit
3560(config)#int vlan 30
3560(config-if)#ip add 192.168.10.254 255.255.255.0
3560(config-if)#no shut
3560(config-if)#exit
3560(config)#int vlan 40
3560(config-if)#ip add 192.168.11.254 255.255.255.0
3560(config-if)#no shut
3560(config-if)#exit
3560(config)#int vlan 50
3560(config-if)#ip add 192.168.12.254 255.255.255.0
3560(config-if)#no shut
3560(config-if)#exit
4. Create an Access Control List (ACL).
Many readers may ask what an access control list is for, so let's first understand its function.
An access control list is a list of rules applied to a router interface that tells the router which packets may pass and which must be dropped.
Deny network 192.168.7.0/24 access to the three other client ranges (192.168.8.0/24, 192.168.10.0/24, 192.168.11.0/24), while allowing any other traffic:
3560(config)#access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255
3560(config)#access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
3560(config)#access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.11.0 0.0.0.255
3560(config)#access-list 101 permit ip any any
Deny network 192.168.8.0/24 access to the three other client ranges (192.168.7.0/24, 192.168.10.0/24, 192.168.11.0/24), while allowing any other traffic:
3560(config)#access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
3560(config)#access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.10.0 0.0.0.255
3560(config)#access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.11.0 0.0.0.255
3560(config)#access-list 102 permit ip any any
Deny network 192.168.10.0/24 access to the three other client ranges (192.168.7.0/24, 192.168.8.0/24, 192.168.11.0/24), while allowing any other traffic:
3560(config)#access-list 103 deny ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
3560(config)#access-list 103 deny ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
3560(config)#access-list 103 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
3560(config)#access-list 103 permit ip any any
Deny network 192.168.11.0/24 access to the three other client ranges (192.168.7.0/24, 192.168.8.0/24, 192.168.10.0/24), while allowing any other traffic:
3560(config)#access-list 104 deny ip 192.168.11.0 0.0.0.255 192.168.7.0 0.0.0.255
3560(config)#access-list 104 deny ip 192.168.11.0 0.0.0.255 192.168.8.0 0.0.0.255
3560(config)#access-list 104 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
3560(config)#access-list 104 permit ip any any
5. Apply the ACL to the corresponding VLAN
3560(config)#int vlan 10
3560(config-if)#ip access-group 101 in
3560(config-if)#exit
That is, traffic entering from VLAN 10 is filtered by list 101.
3560(config)#int vlan 20
3560(config-if)#ip access-group 102 in
3560(config-if)#exit
That is, traffic entering from VLAN 20 is filtered by list 102.
3560(config)#int vlan 30
3560(config-if)#ip access-group 103 in
3560(config-if)#exit
That is, traffic entering from VLAN 30 is filtered by list 103.
3560(config)#int vlan 40
3560(config-if)#ip access-group 104 in
3560(config-if)#exit
That is, traffic entering from VLAN 40 is filtered by list 104.
3560(config)#end
3560#wr  save the configuration file
5. Verification test.
1. Computers in computer rooms 1 and 2 cannot ping computers in the other client network segments, but can ping the servers in the 192.168.12.0 segment;
2. Computers in computer rooms 3 and 4 cannot ping computers in the other client network segments, but can ping the servers in the 192.168.12.0 segment;
3. Computers in computer rooms 5 and 6 cannot ping computers in the other client network segments, but can ping the servers in the 192.168.12.0 segment;
4. Computers in computer room 7 cannot ping computers in the other client network segments, but can ping the servers in the 192.168.12.0 segment.
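As an added example (not part of the original post), the script below models sections 4 and 5: it generates the four extended ACLs from the page's VLAN table using Cisco wildcard masks, evaluates them with first-match semantics and the implicit deny, and checks the ping matrix from the verification test. It also goes slightly beyond the page by showing what the ACLs say about two hosts in the same VLAN.

```python
import ipaddress

# Constructed from the page's addressing plan: client VLAN -> subnet.
CLIENT_VLANS = {10: "192.168.7.0/24", 20: "192.168.8.0/24",
                30: "192.168.10.0/24", 40: "192.168.11.0/24"}

def wildcard(net):
    """Cisco wildcard mask: the bitwise inverse of the subnet mask."""
    return str(ipaddress.ip_network(net).hostmask)

def build_acls():
    """Extended ACLs 101..104, one per client VLAN, as the page writes them:
    deny this subnet to each other client subnet, then permit ip any any."""
    acls = {}
    for i, (vlan, src) in enumerate(CLIENT_VLANS.items()):
        num, s_net = 101 + i, src.split("/")[0]
        lines = [f"access-list {num} deny ip {s_net} {wildcard(src)} "
                 f"{o.split('/')[0]} {wildcard(o)}"
                 for o in CLIENT_VLANS.values() if o != src]
        lines.append(f"access-list {num} permit ip any any")
        acls[vlan] = lines
    return acls

def _match(addr, base, wc):
    """ACL address match: every bit where the wildcard is 0 must equal base."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wc))
    return (a & ~w) == (b & ~w)

def _addr_spec(tokens):
    """Parse 'any' or 'A.B.C.D W.X.Y.Z'; return (base, wildcard, consumed)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", 1
    return tokens[0], tokens[1], 2

def evaluate(acl_lines, src, dst):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for line in acl_lines:
        f = line.split()            # access-list N action ip SRC... DST...
        s_base, s_wc, n = _addr_spec(f[4:])
        d_base, d_wc, _ = _addr_spec(f[4 + n:])
        if _match(src, s_base, s_wc) and _match(dst, d_base, d_wc):
            return f[2] == "permit"
    return False

def can_reach(acls, src, dst):
    """Apply the ACL bound 'in' on the SVI of the VLAN that src belongs to."""
    for vlan, net in CLIENT_VLANS.items():
        if ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return evaluate(acls[vlan], src, dst)
    return True                     # server VLAN 50: no ACL applied on the page
```

Note that the ACL permits two hosts of the same subnet (for example rooms 1 and 2, which share VLAN 10) to reach each other; such traffic is switched at Layer 2 and never passes the SVI, so the requirement is enforced only between segments.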