Network Retrofit Plan for a Star-Rated Hotel.docx
- Document ID: 23569337
- Uploaded: 2023-05-18
- Format: DOCX
- Pages: 10
- Size: 113.42 KB
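Network Retrofit Plan for a Star-Rated Hotel
This article was published by the Hotel IT Forum (酒店it论坛). Keep this notice when reposting; otherwise liability will be pursued.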
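Technical scope:
VLAN ACL, ARP ACL
Technical keywords:
Access control lists
Case description:
The hotel has 22 floors. Floors that have office workstations use Cisco 2950 series switches; the other floors (guest rooms only) use unmanaged TP-Link switches. Each guest room has a set-top box through which guests can use VOD and browse the Internet.
Approach:
The hotel environment consists of four parts, so four VLANs were created: vlan10 for the hotel management system, vlan20 for the finance system, vlan30 for the office system, and vlan70 for the VOD system.
The hotel management server is 192.168.10.199, the finance server is 192.168.20.254, and the VOD server is 192.168.70.254; the gateways are 10.1, 20.1, 30.1 and 70.1 respectively. Only vlan30 is required to reach the Internet, and some vlan30 PCs (manager level) may access the hotel management server, the finance server and the VOD server; PCs in the other VLANs are not allowed to access one another.
Finally, every PC except those in vlan70 is bound by IP and MAC address, to keep unauthorized computers off the network.
Configuration:
Core (configuration on the 3750)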
3750#show run
Building configuration...
Current configuration : 5519 bytes
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3750
!
enable password mb
!
no aaa new-model
switch 1 provision ws-c3750-48ts
vtp mode transparent
ip subnet-zero
ip routing (enable Layer 3 routing)
no ip domain-lookup
ip dhcp excluded-address 192.168.70.1 (exclude the gateway's IP address from the DHCP pool)
ip dhcp excluded-address 192.168.70.254 (exclude the server's IP address from the DHCP pool)
!
ip dhcp pool vlan70 (create a DHCP pool for Vlan70 and specify the gateway and DNS)
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.1
 dns-server 202.106.196.115
 lease 3 (IP address lease time: lease days, hours)
!
ip arp inspection vlan 10,20,30 (enable dynamic ARP inspection for Vlan10, 20 and 30)
ip arp inspection filter v10 vlan 10 (apply ARP access list v10 to Vlan10)
ip arp inspection filter v20 vlan 20 (apply ARP access list v20 to Vlan20)
ip arp inspection filter v30 vlan 30 (apply ARP access list v30 to Vlan30)
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10,20,30,70 (create the VLANs)
!
interface FastEthernet1/0/1
!
interface FastEthernet1/0/2
!
interface FastEthernet1/0/3
!
interface FastEthernet1/0/4
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
 description connect17floor2950
 switchport trunk encapsulation dot1q (set the trunk link encapsulation)
 switchport mode trunk
!
interface FastEthernet1/0/8
 description connect21floor2950
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet1/0/9
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
 description connect12floor
 switchport access vlan 70 (assign this port to vlan70)
 switchport mode access
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
 description connect15floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/16
 description connect16floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/17
 description connect17floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/18
 description connect18floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/19
 description connect19floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/20
 description connect20floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/21
 description connect21floor
 switchport access vlan 70
 switchport mode access
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
...
...
...
...
...
!
interface FastEthernet1/0/47
!
interface FastEthernet1/0/48
 description connectfanghuoqiang
 no switchport
 ip address 172.16.10.5 255.255.255.0
!
interface GigabitEthernet1/0/1
 description connect6floor2950G
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description connect9floor2950G
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description connect10floor2950G
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 description connect11floor2950G
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0 (management IP address of vlan1)
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0 (gateway of Vlan10)
 ip access-group v10_in in (apply access list v10_in inbound on vlan10)
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0 (gateway of Vlan20)
 ip access-group v20_in in (apply access list v20_in inbound on vlan20)
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0 (gateway of Vlan30)
 ip access-group v30_in in
!
interface Vlan70
 ip address 192.168.70.1 255.255.255.0 (gateway of Vlan70)
 ip access-group v70_in in
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.10.1
ip http server
!
ip access-list extended v10_in (access list that lets selected vlan30 hosts reach the server at 10.199)
 permit ip host 192.168.10.199 host 192.168.30.2
 permit ip host 192.168.10.199 host 192.168.30.3
 permit ip host 192.168.10.199 host 192.168.30.4
 permit ip host 192.168.10.199 host 192.168.30.5
 permit ip host 192.168.10.199 host 192.168.30.6
 permit ip host 192.168.10.199 host 192.168.30.7
 permit ip host 192.168.10.199 host 192.168.30.8
 permit ip host 192.168.10.199 host 192.168.30.9
 permit ip host 192.168.10.199 host 192.168.30.10
 permit ip host 192.168.10.199 host 192.168.30.11
 permit ip host 192.168.10.199 host 192.168.30.12
 permit ip host 192.168.10.199 host 192.168.30.13
 permit ip host 192.168.10.199 host 192.168.30.14
 permit ip host 192.168.10.199 host 192.168.30.15
 permit ip any host 192.168.30.254
ip access-list extended v20_in (access list that lets selected vlan30 hosts reach the server at 20.254)
 permit ip host 192.168.20.254 host 192.168.30.2
 permit ip host 192.168.20.254 host 192.168.30.3
 permit ip host 192.168.20.254 host 192.168.30.4
 permit ip host 192.168.20.254 host 192.168.30.5
 permit ip host 192.168.20.254 host 192.168.30.15
 permit ip any host 192.168.30.254
ip access-list extended v30_in (because VLAN ACL access is two-way, a matching ACL is also needed in the vlan30 direction)
 permit ip host 192.168.30.254 any
 permit ip host 192.168.30.2 host 192.168.10.199
 permit ip host 192.168.30.3 host 192.168.10.199
 permit ip host 192.168.30.4 host 192.168.10.199
 permit ip host 192.168.30.5 host 192.168.10.199
 permit ip host 192.168.30.6 host 192.168.10.199
 permit ip host 192.168.30.7 host 192.168.10.199
 permit ip host 192.168.30.8 host 192.168.10.199
 permit ip host 192.168.30.9 host 192.168.10.199
 permit ip host 192.168.30.10 host 192.168.10.199
 permit ip host 192.168.30.11 host 192.168.10.199
 permit ip host 192.168.30.12 host 192.168.10.199
 permit ip host 192.168.30.13 host 192.168.10.199
 permit ip host 192.168.30.14 host 192.168.10.199
 permit ip host 192.168.30.15 host 192.168.10.199
 permit ip host 192.168.30.2 host 192.168.20.254
 permit ip host 192.168.30.3 host 192.168.20.254
 permit ip host 192.168.30.4 host 192.168.20.254
 permit ip host 192.168.30.5 host 192.168.20.254
 permit ip host 192.168.30.15 host 192.168.20.254
!
!
ip access-list extended v70_in
 deny ip any any
!
arp access-list v30 (this part is the ARP access list; only one example entry is shown, the list is not complete)
 permit ip host 192.168.30.9 mac host 001a.928f.3d6e
.
.
arp access-list v20 (ARP access list for vlan20)
 permit ip host 192.168.20.9 mac host 0011.D867.F6DC
.
.
.
.
!
control-plane
!
!
line con 0
line vty 0 4
 password mb
 login
line vty 5 15
 no login
!
end
3750#
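The design above depends on every name used by `ip access-group` and `ip arp inspection filter` resolving to a defined list: IOS treats an `ip access-group` that names an undefined ACL as if no ACL were applied, so a misspelled name silently removes the VLAN isolation. The following check is an added example, not part of the original article; the sample configuration is constructed, and the script assumes plain running-config text with comma-separated VLAN lists (no ranges).

```python
import re

# Constructed sample in the style of the 3750 configuration (not the page's full config).
SAMPLE = """\
ip arp inspection vlan 10,20,30
ip arp inspection filter v10 vlan 10
ip arp inspection filter v20 vlan 20
interface Vlan10
 ip access-group vlan10_in in
interface Vlan20
 ip access-group v20_in in
ip access-list extended v10_in
 permit ip host 192.168.10.199 host 192.168.30.2
ip access-list extended v20_in
 permit ip host 192.168.20.254 host 192.168.30.2
arp access-list v20
 permit ip host 192.168.20.9 mac host 0011.d867.f6dc
"""

def audit(config):
    """Return sorted findings about ACL references that do not resolve."""
    ip_acls, arp_acls, findings = set(), set(), []
    dai_vlans, filtered_vlans = set(), set()
    lines = [line.strip() for line in config.splitlines()]
    for line in lines:  # first pass: collect ACL definitions
        if m := re.match(r"ip access-list (?:extended|standard) (\S+)", line):
            ip_acls.add(m.group(1))
        elif m := re.match(r"arp access-list (\S+)", line):
            arp_acls.add(m.group(1))
    iface = None
    for line in lines:  # second pass: resolve every reference
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip access-group (\S+) (in|out)", line):
            if m.group(1) not in ip_acls:
                findings.append(f"{iface}: access-group {m.group(1)} is not defined")
        elif m := re.match(r"ip arp inspection filter (\S+) vlan (\d+)", line):
            filtered_vlans.add(int(m.group(2)))
            if m.group(1) not in arp_acls:
                findings.append(f"vlan {m.group(2)}: ARP ACL {m.group(1)} is not defined")
        elif m := re.match(r"ip arp inspection vlan ([\d,]+)$", line):
            dai_vlans.update(int(v) for v in m.group(1).split(","))
    for v in sorted(dai_vlans - filtered_vlans):
        findings.append(f"vlan {v}: DAI enabled but no ARP ACL filter applied")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
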