案例三 校园网案例分析
Telnet 服务器10.1.1.4/24www 服务器10.1.1.5/24中心路由器e0/23SWB(L2)e0/1e0/24e0/3e0/210.1.1.1/24e0202.39.2.1/24e1e0/1SWA(L2)e0/23e0/2e0/24PC1外部特定主机202.39.2.3/24PC210.1.1.2/2410.1.1.3/24
说明:
该图为某校园网拓扑图。中心路由器连接学校的核心交换机SWB,SWA和SWB之间进行端口汇聚以增加上行带宽;为了实现资源共享,学校拥有Telnet服务器和www服务器,内部网络可以完全访问学校服务器,公网用户可以访问学校www服务器,但不能访问Telnet服务器,只有外部特定主机可以访问。学校通过中心路由器做NAT上公网。
注意:服务器若用路由器代替,需要做静态路由。
配置参考:
SWA的配置
[H3C]sysname swa
[swa]link-aggregation group 1 mode manual [swa]interface ethernet 0/1 [swa-e0/1]speed 100 [swa-e0/1]duplex full
[swa-e0/1]port link-aggregation group 1 [swa]interface ethernet 0/2 [swa-e0/2]speed 100 [swa-e0/2]duplex full
[swa-e0/2]port link-aggregation group 1
46
SWB的配置
[H3C]sysname swb
[swb]link-aggregation group 1 mode manual [swb]interface ethernet 0/1 [swb-e0/1]speed 100 [swb-e0/1]duplex full
[swb-e0/1]port link-aggregation group 1 [swb]interface ethernet 0/2 [swb-e0/2]speed 100 [swb-e0/2]duplex full
[swb-e0/2]port link-aggregation group 1
中心路由器配置
[H3C]firewall enable [H3C]acl number 3000
[H3C-acl-adv-3000]rule permit tcp source 202.39.2.3 0 destination 10.1.1.4 0 destination-port eq 23
[H3C-acl-adv-3000]rule permit tcp source any destination 10.1.1.5 0 destination-port eq 80 [H3C-acl-adv-3000]rule deny tcp source any destination 10.1.1.4 0 destination-port eq 23 [H3C]acl number 3001
[H3C-acl-adv-3001]rule permit ip source 10.1.1.0 0.0.0.255 destination any [H3C-acl-adv-3001]rule deny ip source any destination any [H3C-Ethernet0/1]firewall packet-filter 3000 inbound [H3C-Ethernet0/1]nat outbound 3001
[H3C-Ethernet0/1]nat server protocol tcp global 202.39.2.1 inside 10.1.1.4 telnet [H3C-Ethernet0/11nat server protocol tcp global 202.39.2.1 inside 10.1.1.5 www
47