最近通过某个平台接的单子,最后Kali做的测试没有公开可以私聊给教程。
下面是规划与配置
1.vlan方面:推荐一个vlan下的所有主机为一个子网网段
连接电脑和http客户端的接口配置为access接口
交换机与交换机或路由器连接的接口配置为trunk接口---也可以配置为access接口但是为了扩展性,trunk接口更佳,允许vlan10到vlan100通过
对汇聚层交换配置对应的vlanif的ip地址
两个汇聚层交换机间配置eth-trunk,模式采用静态lacp
配置代码:
交换机1
sys
sys sw1
vlan 10
quit
int g0/0/3
port link-type access
port defult vlan 10
int g0/0/4
port link-type access
port defult vlan 10
int g0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 100
int g0/0/2
port link-type trunk
port trunk allow-pass vlan 10 to 100
交换机2:
sys
sys sw2
vlan batch 20 30
int g0/0/3
port link-type access
port defult vlan 30
int g0/0/4
port link-type access
port defult vlan 20
int g0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 100
int g0/0/2
port link-type trunk
port trunk allow-pass vlan 10 to 100
交换机3:
sys
sys sw3
vlan batch 40 50
int g0/0/5
port link-type access
port defult vlan 40
int g0/0/3
port link-type access
port defult vlan 50
int g0/0/4
port link-type access
port defult vlan 50
int g0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 100
int g0/0/2
port link-type trunk
port trunk allow-pass vlan 10 to 100
交换机4:
sys
sys sw4
vlan 60
quit
int g0/0/3
port link-type access
port defult vlan 60
int g0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 100
int g0/0/2
port link-type trunk
port trunk allow-pass vlan 10 to 100
交换机5
sys
sys sw5
vlan batch 10 20 30 91 92
int eth-trunk 1
mode lacp
quit
int g0/0/2
eth-trunk 1
int g0/0/6
eth-trunk 1
quit
lacp priority 100 //将优先级配置为100,使改侧成为主动端
int g0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 100
int g0/0/3
port link-type trunk
port trunk allow-pass vlan 10 to 100
int eth-trunk 1
port link-type trunk
port trunk allow-pass vlan 10 to 100
int g0/0/4
port link-type access
port defult vlan 91
int g0/0/5
port link-type access
port defult vlan 92
int vlanif 10
ip address 172.22.10.100 24
int vlanif 20
ip address 172.22.20.100 24
int vlanif 30
ip address 172.22.30.100 24
int vlanif 91
ip address 172.22.1.1 24
int vlanif 92
ip address 172.22.2.1 24
交换机6:
sys
sys sw6
vlan batch 10 20 30 93 94
int eth-trunk 1
mode lacp
quit
int g0/0/2
eth-trunk 1
int g0/0/6
eth-trunk 1
quit
int g0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 100
int g0/0/3
port link-type trunk
port trunk allow-pass vlan 10 to 100
int eth-trunk 1
port link-type trunk
port trunk allow-pass vlan 10 to 100
int g0/0/4
port link-type access
port defult vlan 93
int g0/0/5
port link-type access
port defult vlan 94
int vlanif 10
ip address 172.22.10.200 24
int vlanif 20
ip address 172.22.20.200 24
int vlanif 30
ip address 172.22.30.200 24
int vlanif 93
ip address 172.22.3.1 24
int vlanif 94
ip address 172.22.4.1 24
交换机7:
sys
sys sw7
vlan batch 40 50 60 95 96
int eth-trunk 1
mode lacp
quit
int g0/0/1
eth-trunk 1
int g0/0/7
eth-trunk 1
quit
lacp priority 100 //将优先级配置为100,使改侧成为主动端
int g0/0/2
port link-type trunk
port trunk allow-pass vlan 10 to 100
int g0/0/3
port link-type trunk
port trunk allow-pass vlan 10 to 100
int eth-trunk 1
port link-type trunk
port trunk allow-pass vlan 10 to 100
int g0/0/4
port link-type access
port default vlan 95
int g0/0/5
port link-type access
port default vlan 96
int vlanif 40
ip address 172.22.40.100 24
int vlanif 50
ip address 172.22.50.100 24
int vlanif 60
ip address 172.22.60.100 24
int vlanif 95
ip address 172.22.5.1 24
int vlanif 96
ip address 172.22.6.1 24
交换机8:
sys
sys sw8
vlan batch 40 50 60 97 98
int eth-trunk 1
mode lacp
quit
int g0/0/1
eth-trunk 1
int g0/0/6
eth-trunk 1
quit
int g0/0/2
port link-type trunk
port trunk allow-pass vlan 10 to 100
int g0/0/3
port link-type trunk
port trunk allow-pass vlan 10 to 100
int eth-trunk 1
port link-type trunk
port trunk allow-pass vlan 10 to 100
int g0/0/4
port link-type access
port default vlan 97
int g0/0/5
port link-type access
port default vlan 98
int vlanif 40
ip address 172.22.40.200 24
int vlanif 50
ip address 172.22.50.200 24
int vlanif 60
ip address 172.22.60.200 24
int vlanif 97
ip address 172.22.7.1 24
int vlanif 98
ip address 172.22.8.1 24
路由器1:---IP地址配置
sys
sys r1
int g5/0/3
ip address 172.22.1.2 24
int g0/0/1
ip address 172.22.3.2 24
int g0/0/2
ip address 172.22.5.2 24
int g0/0/0
ip address 172.22.7.2 24
int g5/0/0
ip address 172.22.9.1 24
int g5/0/1
ip address 115.200.60.1 24
int g5/0/2
ip address 172.22.70.1 24
int loop 1
ip address 1.1.1.1 32 //用于组播和测试
路由器2:---IP地址配置
sys
sys r2
int g0/0/0
ip address 172.22.2.2 24
int g0/0/1
ip address 172.22.4.2 24
int g0/0/2
ip address 172.22.6.2 24
int g2/0/0
ip address 172.22.8.2 24
int g2/0/1
ip address 172.22.9.2 24
int g2/0/2
ip address 223.104.244.1 24
int g2/0/3
ip address 172.22.80.1 24
int loop 1
ip address 2.2.2.2 32 //用于组播
2.dhcp方面:在汇聚层交换机上配置dhcp用于给接入层的主机分配地址---http客户端可能得自己设置地址不能dhcp自动获得,因此在配置dhcp地址池的时候应预先保留一部分的地址空间
交换机5:
sys
dhcp enable
ip pool forvlan10
gateway-list 172.22.10.254
network 172.22.10.0 mask 24
lease day 1
excluded-ip-address 172.22.10.100 172.22.10.253
ip pool forvlan20
gateway-list 172.22.20.254
network 172.22.20.0 mask 24
lease day 1
excluded-ip-address 172.22.20.100 172.22.20.253
ip pool forvlan30
gateway-list 172.22.30.254
network 172.22.30.0 mask 24
lease day 1
excluded-ip-address 172.22.30.100 172.22.30.253
interface vlanif 10
dhcp select global
interface vlanif 20
dhcp select global
interface vlanif 30
dhcp select global
交换机6:
sys
dhcp enable
ip pool forvlan10
gateway-list 172.22.10.254
network 172.22.10.0 mask 24
lease day 1
excluded-ip-address 172.22.10.1 172.22.10.100
excluded-ip-address 172.22.10.200 172.22.10.253
ip pool forvlan20
gateway-list 172.22.20.254
network 172.22.20.0 mask 24
lease day 1
excluded-ip-address 172.22.20.1 172.22.20.100
excluded-ip-address 172.22.20.200 172.22.20.253
ip pool forvlan30
gateway-list 172.22.30.254
network 172.22.30.0 mask 24
lease day 1
excluded-ip-address 172.22.30.1 172.22.30.100
excluded-ip-address 172.22.30.200 172.22.30.253
interface vlanif 10
dhcp select global
interface vlanif 20
dhcp select global
interface vlanif 30
dhcp select global
交换机7:
sys
dhcp enable
ip pool forvlan40
gateway-list 172.22.40.254
network 172.22.40.0 mask 24
lease day 1
excluded-ip-address 172.22.40.100 172.22.40.253
ip pool forvlan50
gateway-list 172.22.50.254
network 172.22.50.0 mask 24
lease day 1
excluded-ip-address 172.22.50.100 172.22.50.253
ip pool forvlan60
gateway-list 172.22.60.254
network 172.22.60.0 mask 24
lease day 1
excluded-ip-address 172.22.60.100 172.22.60.253
interface vlanif 40
dhcp select global
interface vlanif 50
dhcp select global
interface vlanif 60
dhcp select global
交换机8:
sys
dhcp enable
ip pool forvlan40
gateway-list 172.22.40.254
network 172.22.40.0 mask 24
lease day 1
excluded-ip-address 172.22.40.1 172.22.40.100
excluded-ip-address 172.22.40.200 172.22.40.253
ip pool forvlan50
gateway-list 172.22.50.254
network 172.22.50.0 mask 24
lease day 1
excluded-ip-address 172.22.50.1 172.22.50.100
excluded-ip-address 172.22.50.200 172.22.50.253
ip pool forvlan60
gateway-list 172.22.60.254
network 172.22.60.0 mask 24
lease day 1
excluded-ip-address 172.22.60.1 172.22.60.100
excluded-ip-address 172.22.60.200 172.22.60.253
interface vlanif 40
dhcp select global
interface vlanif 50
dhcp select global
interface vlanif 60
dhcp select global
至此各个vlan的主机ping 172.22.x.100和 172.22.x.200 都能ping通
3.mstp方面:接入层和汇聚层的交换机配置mstp协议,实现不同vlan对应的mstp实例的根桥不同以实现负载分担和主备备份-----注意:对于一个vlan来说mstp的根桥和vrrp的主交换机应该一致
交换机5:
sys
stp region-configuration
region-name campusnet1
revision-level 1
instance 1 vlan 10
instance 2 vlan 20
instance 3 vlan 30
active region- configuration
stp instance 1 root primary
stp instance 2 root secondary
stp instance 3 root secondary
交换机6:
sys
stp region-configuration
region-name campusnet1
revision-level 1
instance 1 vlan 10
instance 2 vlan 20
instance 3 vlan 30
active region-configuration
quit
stp instance 1 root secondary
stp instance 2 root primary
stp instance 3 root primary
交换机1:
sys
stp region-configuration
region-name campusnet1
revision-level 1
instance 1 vlan 10
active region-configuration
交换机2:
sys
stp region-configuration
region-name campusnet1
revision-level 1
instance 2 vlan 20
instance 3 vlan 30
active region-configuration
交换机7:
sys
stp region-configuration
region-name campusnet2
revision-level 1
instance 1 vlan 40
instance 2 vlan 50
instance 3 vlan 60
active region-configuration
stp instance 2 root primary
stp instance 1 root secondary
stp instance 3 root secondary
交换机8:
sys
stp region-configuration
region-name campusnet2
revision-level 1
instance 1 vlan 40
instance 2 vlan 50
instance 3 vlan 60
active region-configuration
quit
stp instance 2 root secondary
stp instance 1 root primary
stp instance 3 root primary
交换机3:
sys
stp region-configuration
region-name campusnet2
revision-level 1
instance 1 vlan 40
instance 2 vlan 50
active region-configuration
交换机4:
sys
stp region-configuration
region-name campusnet2
revision-level 1
instance 3 vlan 60
active region-configuration
4.vrrp方面:对汇聚层和核心层的交换机路由器配置vrrp协议,实现不同vlan的主备备份和负载分担-----注意:对于一个vlan来说mstp的根桥和vrrp的主交换机应该一致
交换机5:
sys
int vlanif 10
vrrp vrid 1 virtual-ip 172.22.10.254
vrrp vrid 1 priority 110
vrrp vrid 1 preempt-mode timer delay 3
vrrp vrid 1 authentication-mode md5 campus
int vlanif 20
vrrp vrid 2 virtual-ip 172.22.20.254
vrrp vrid 2 priority 90
vrrp vrid 2 preempt-mode timer delay 3
vrrp vrid 2 authentication-mode md5 campus
int vlanif 30
vrrp vrid 3 virtual-ip 172.22.30.254
vrrp vrid 3 priority 90
vrrp vrid 3 preempt-mode timer delay 3
vrrp vrid 3 authentication-mode md5 campus
交换机6:
sys
int vlanif 10
vrrp vrid 1 virtual-ip 172.22.10.254
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 3
vrrp vrid 1 authentication-mode md5 campus
int vlanif 20
vrrp vrid 2 virtual-ip 172.22.20.254
vrrp vrid 2 priority 110
vrrp vrid 2 preempt-mode timer delay 3
vrrp vrid 2 authentication-mode md5 campus
int vlanif 30
vrrp vrid 3 virtual-ip 172.22.30.254
vrrp vrid 3 priority 110
vrrp vrid 3 preempt-mode timer delay 3
vrrp vrid 3 authentication-mode md5 campus
交换机7:
sys
int vlanif 40
vrrp vrid 1 virtual-ip 172.22.40.254
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 3
vrrp vrid 1 authentication-mode md5 campus
int vlanif 50
vrrp vrid 2 virtual-ip 172.22.50.254
vrrp vrid 2 priority 110
vrrp vrid 2 preempt-mode timer delay 3
vrrp vrid 2 authentication-mode md5 campus
int vlanif 60
vrrp vrid 3 virtual-ip 172.22.60.254
vrrp vrid 3 priority 90
vrrp vrid 3 preempt-mode timer delay 3
vrrp vrid 3 authentication-mode md5 campus
交换机8:
sys
int vlanif 40
vrrp vrid 1 virtual-ip 172.22.40.254
vrrp vrid 1 priority 110
vrrp vrid 1 preempt-mode timer delay 3
vrrp vrid 1 authentication-mode md5 campus
int vlanif 50
vrrp vrid 2 virtual-ip 172.22.50.254
vrrp vrid 2 priority 90
vrrp vrid 2 preempt-mode timer delay 3
vrrp vrid 2 authentication-mode md5 campus
int vlanif 60
vrrp vrid 3 virtual-ip 172.22.60.254
vrrp vrid 3 priority 110
vrrp vrid 3 preempt-mode timer delay 3
vrrp vrid 3 authentication-mode md5 campus
5.nat方面:在核心层交换机的出口流量处配置nat映射,acl设置成对内网已知的网段允许nat映射
路由器1和路由器2:
sys
acl 2999
rule 5 permit source 0.0.0.0 0.0.255.255
quit
int g5/0/1 | int g2/0/2
nat out bound 2999
quit
6.ospf方面:
交换机5:
sys
ospf 1
area 0
network 172.22.10.100 0.0.0.255
network 172.22.20.100 0.0.0.255
network 172.22.30.100 0.0.0.255
network 172.22.1.1 0.0.0.255
network 172.22.2.1 0.0.0.255
交换机6:
sys
ospf 1
area 0
network 172.22.10.200 0.0.0.255
network 172.22.20.200 0.0.0.255
network 172.22.30.200 0.0.0.255
network 172.22.3.1 0.0.0.255
network 172.22.4.1 0.0.0.255
交换机7:
sys
ospf 1
area 0
network 172.22.40.100 0.0.0.255
network 172.22.50.100 0.0.0.255
network 172.22.60.100 0.0.0.255
network 172.22.5.1 0.0.0.255
network 172.22.6.1 0.0.0.255
交换机8:
sys
ospf 1
area 0
network 172.22.40.200 0.0.0.255
network 172.22.50.200 0.0.0.255
network 172.22.60.200 0.0.0.255
network 172.22.7.1 0.0.0.255
network 172.22.8.1 0.0.0.255
路由器1:
sys
ospf 1
area 0
network 172.22.1.2 0.0.0.255
network 172.22.3.2 0.0.0.255
network 172.22.5.2 0.0.0.255
network 172.22.7.2 0.0.0.255
network 1.1.1.1 0.0.0.0
network 172.22.9.1 0.0.0.255
network 115.200.60.1 0.0.0.255
network 172.22.70.1 0.0.0.255
路由器2:
sys
ospf 1
area 0
network 172.22.2.2 0.0.0.255
network 172.22.4.2 0.0.0.255
network 172.22.6.2 0.0.0.255
network 172.22.8.2 0.0.0.255
network 2.2.2.2 0.0.0.0
network 172.22.9.2 0.0.0.255
network 223.104.244.1 0.0.0.255
network 172.22.80.1 0.0.0.255
至此各个主机ping 1.1.1.1 ;2.2.2.2;115.200.60.2;223.104.244.2都能ping通
7 igmp和pim方面:
交换机5:
sys
multicast routing-enable
int vlanif 10
pim sm
int vlanif 20
pim sm
int vlanif 30
pim sm
int vlanif 91
pim sm
int vlanif 92
pim sm
quit
int vlanif 10
igmp enable
igmp version 2
int vlanif 20
igmp enable
igmp version 2
int vlanif 30
igmp enable
igmp version 2
pim
static-rp 1.1.1.1
交换机6:
sys
multicast routing-enable
int vlanif 10
pim sm
int vlanif 20
pim sm
int vlanif 30
pim sm
int vlanif 93
pim sm
int vlanif 94
pim sm
quit
int vlanif 10
igmp enable
igmp version 2
int vlanif 20
igmp enable
igmp version 2
int vlanif 30
igmp enable
igmp version 2
pim
static-rp 1.1.1.1
交换机7:
sys
multicast routing-enable
int vlanif 40
pim sm
int vlanif 50
pim sm
int vlanif 60
pim sm
int vlanif 95
pim sm
int vlanif 96
pim sm
quit
int vlanif 40
igmp enable
igmp version 2
int vlanif 50
igmp enable
igmp version 2
int vlanif 60
igmp enable
igmp version 2
pim
static-rp 1.1.1.1
交换机8:
sys
multicast routing-enable
int vlanif 40
pim sm
int vlanif 50
pim sm
int vlanif 60
pim sm
int vlanif 97
pim sm
int vlanif 98
pim sm
quit
int vlanif 40
igmp enable
igmp version 2
int vlanif 50
igmp enable
igmp version 2
int vlanif 60
igmp enable
igmp version 2
pim
static-rp 1.1.1.1
路由器1:
sys
multicast routing-enable
int g5/0/3
pim sm
int g0/0/1
pim sm
int g0/0/2
pim sm
int g0/0/0
pim sm
int g5/0/0
pim sm
int loopback 1
pim sm
int g5/0/1
pim sm
int g5/0/2
pim sm
quit
pim
static-rp 1.1.1.1
c-bsr priority 3
c-bsr loopback 1
c-rp priority 1
c-rp loopback 1
quit
路由器1:
sys
multicast routing-enable
int g0/0/0
pim sm
int g0/0/1
pim sm
int g0/0/2
pim sm
int g2/0/0
pim sm
int g2/0/3
pim sm
int loopback 1
pim sm
int g2/0/2
pim sm
int g2/0/1
pim sm
quit
pim
static-rp 1.1.1.1
c-rp priority 3
c-rp loopback 1
quit
至此,各个主机都能收到组播源的数据
8.bfd方面:bfd协议用于辅助vrrp和(ospf协议)实现快速切换主备,以减少流量的丢失提高网络健壮性
交换机5:
sys
bfd
bfd 1
bfd 1 bind peer-ip 172.22.1.2 source-ip 172.22.1.1
discriminator local 11
discriminator remote 21
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
bfd 2
bfd 2 bind peer-ip 172.22.2.2 source-ip 172.22.2.1
discriminator local 12
discriminator remote 22
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
int vlanif 10
vrrp vrid 1 track bfd-session 10 reduced 10
vrrp vrid 1 track bfd-session 11 reduced 10
交换机6:
sys
bfd
bfd 3
bfd 3 bind peer-ip 172.22.3.2 source-ip 172.22.3.1
discriminator local 13
discriminator remote 23
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
bfd 4
bfd 4 bind peer-ip 172.22.4.2 source-ip 172.22.4.1
discriminator local 14
discriminator remote 24
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
int vlanif 20
vrrp vrid 2 track bfd-session 13 reduced 10
vrrp vrid 2 track bfd-session 14 reduced 10
int vlanif 30
vrrp vrid 3 track bfd-session 13 reduced 10
vrrp vrid 3 track bfd-session 14 reduced 10
交换机7:
sys
bfd
quit
bfd 5
bfd 5 bind peer-ip 172.22.5.2 source-ip 172.22.5.1
discriminator local 15
discriminator remote 25
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
bfd 6
bfd 6 bind peer-ip 172.22.6.2 source-ip 172.22.6.1
discriminator local 16
discriminator remote 26
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
int vlanif 50
vrrp vrid 2 track bfd-session 15 reduced 10
vrrp vrid 2 track bfd-session 16 reduced 10
交换机8:
sys
bfd
quit
bfd 7
bfd 7 bind peer-ip 172.22.7.2 source-ip 172.22.7.1
discriminator local 17
discriminator remote 27
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
bfd 8
bfd 8 bind peer-ip 172.22.8.2 source-ip 172.22.8.1
discriminator local 18
discriminator remote 28
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
int vlanif 40
vrrp vrid 1 track bfd-session 17 reduced 10
vrrp vrid 1 track bfd-session 18 reduced 10
int vlanif 60
vrrp vrid 3 track bfd-session 17 reduced 10
vrrp vrid 3 track bfd-session 18 reduced 10
路由器1:
sys
bfd
quit
bfd 1
bfd 1 bind peer-ip 172.22.1.1 source-ip 172.22.1.2
discriminator local 21
discriminator remote 11
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
bfd 3
bfd 3 bind peer-ip 172.22.3.1 source-ip 172.22.3.2
discriminator local 23
discriminator remote 13
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
bfd 5
bfd 5 bind peer-ip 172.22.5.1 source-ip 172.22.5.2
discriminator local 25
discriminator remote 15
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
bfd 7
bfd 7 bind peer-ip 172.22.7.1 source-ip 172.22.7.2
discriminator local 27
discriminator remote 17
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
路由器2:
sys
bfd
quit
bfd 2
bfd 2 bind peer-ip 172.22.2.1 source-ip 172.22.2.2
discriminator local 22
discriminator remote 12
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
bfd 4
bfd 4 bind peer-ip 172.22.4.1 source-ip 172.22.4.2
discriminator local 24
discriminator remote 14
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
bfd 6
bfd 6 bind peer-ip 172.22.6.1 source-ip 172.22.6.2
discriminator local 26
discriminator remote 16
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
bfd 8
bfd 8 bind peer-ip 172.22.8.1 source-ip 172.22.8.2
discriminator local 28
discriminator remote 18
detect-multiplier 3
min-tx-interval 100
min-rx-interval 100
commit
quit
display vrrp brief
display vrrp 1
9.端口镜像/防火墙方面:在核心层路由器连接防火墙侧配置端口镜像,使其通过流量同时复制到防火墙,用于入侵检测或者攻击分析
路由器1:
sys
observe-port interface GigabitEthernet 5/0/2
int g5/0/3
mirror to observe-port both
int g0/0/1
mirror to observe-port both
int g0/0/2
mirror to observe-port both
int g0/0/0
mirror to observe-port both
int g5/0/0
mirror to observe-port both
int g5/0/1
mirror to observe-port both
路由器2:
sys
observe-port interface GigabitEthernet 2/0/3
int g0/0/0
mirror to observe-port both
int g0/0/1
mirror to observe-port both
int g0/0/2
mirror to observe-port both
int g2/0/0
mirror to observe-port both
int g2/0/2
mirror to observe-port both
int g2/0/1
mirror to observe-port both
10.配置kali虚拟机到目标网络
配置VMware中的虚拟网卡(此配置为172.22.30.x网段),并将其连接到交换机上(注意交换机要配置端口类型为access;并确保无ip地址冲突—真机的ip地址; kali虚拟机从交换机的dhcp服务器上获取ip地址)
kali注意要先nat联网下载Dsniff套装工具集,之后再连接到ensp虚拟环境(切记不要在nat模式下使用macof)
macof的攻击指令 sudo macof
交换机2:(实际是在所有上下行接口配置,此处演示需要只在一个接口配置)
sys
int g0/0/5
port-security enable
port-security protect-action shutdown
port-security max-mac-num 50
port-security aging-time 1000
arp anti-attack entry-check fixed-all enable
arp gratuitous-arp send enable
arp gratuitous-arp send interval 1
(启用ip报文转发模式:echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward)
arp欺骗的指令:sudo arpspoof -i eth0 -t 172.22.30.199 172.22.30.254
arp –d:清理arp表
arp –a 查看arp表
第一条配置arp固化,实验中没法显示(将本来接入的正常主机替换为攻击的kali机再发送arp欺骗时,可能可以显示效果)
第二第三条,配置免费arp并设置时间间隔为0.5s,只能在一定程度上抵抗已经接入的“可信”主机
还可以配置dhcp snooping,并在其基础上配置动态arp检测,以在新主机接入时就防范于未然
还可以直接在主机上指定静态arp来预防
11.端口安全和密钥方面:vrrp中使用了md5认证,交换机2配置了端口安全用于限制mac地址最大学习数量,交换机2.5.6配置了免费arp和arp固话用于预防arp欺骗,telnet远程认证配置了aaa认证,nat配置了对应的acl
12.主机侧的http
学习到的:
1~~~导入已有的包需要设置tomcat环境,配置项目结构
2~~~leaflet的access_token已经过期,需要自己去Account | Mapbox注册账号并替换
3~~~leaflet的地图库似乎更新了,需要更换参数和导入方式
注意:要开启mysql服务
ensp虚拟环境的任意http客户端通过该网址获取内容:http://223.104.244.33:8888/Idea_war_exploded/index.html (主机记得关闭防火墙,否则ping不通)
13.telnet配置交换机和路由器
路由器1、2和交换机5-8:
sys
aaa
local-user campaus privilege level 15
local-user campaus password cipher campaus
quit
user-interface vty 0 4
authentication-mode aaa
quit
ctrl+]退出telnet界面
13.ftp:在外网服务器上直接开启ftp服务即可
14.dns:
交换机5,6:
sys
ip pool forvlan10
dns-list 223.104.244.2
ip pool forvlan20
dns-list 223.104.244.2
ip pool forvlan30
dns-list 223.104.244.2
交换机7,8:
sys
ip pool forvlan40
dns-list 223.104.244.2
ip pool forvlan50
dns-list 223.104.244.2
ip pool forvlan60
dns-list 223.104.244.2
15.m0n0wall防火墙:于172.22.70.x网段处配置了m0n0wall防火墙,可用于如流量控制,流量监控的作用
16.wireshark 统计---捕获文件属性,协议分级
snmp-agent
snmp-agent community read campaus
snmp-agent community read campaus1
snmp-agent sys-info version all
snmp-agent target-host trap-hostname zjut address 223.104.244.33 udp-port 162 trap-paramsname zjut
snmp-agent trap enable
开启步骤:主机联网并关闭防火墙(kali虚拟机端的云可能需要手动undo shutdown下)--->开启kali虚拟机和windows虚拟机(windows 7为snmp用)
有待改进的地方:
内网ospf可以划分多个区域,将核心层至出口路由器组成区域0,核心层和汇聚层间的路由器/三层交换机组成区域x
snmp-网管系统;dhcp安全àipsg(防止用户私自修改ip或防止非法用户使用静态ip地址私自接入)和dai(新开个端口接入设备模拟arp和dhcp攻击),mac地址防漂移