星级酒店的网络改造方案

本文由酒店it论坛发布，转载请保留此声明,否则追究责任星级酒店的网络改造方案技术范围：Vlanacl、Arpacl技术关键词：访问控制列表案例描述：此饭店为22层楼，其中一些有办公平台的楼层使用cisco2950系统交换机，其它楼层(即只有客房)使用傻瓜式TP-Link交换机，且客房里有机顶盒，客人通过机顶盒可以使用VOD和上网冲浪。解决思路：由于饭店环境由四部分组成,所以划分了四个vlan，分别为vlan10为饭店的酒管系，vlan20为饭店的财务系统，vlan30饭店的办公系统，vlan70为VOD系统。酒管系统的服务器为192.168.10.199，财务系统的服务器为192.168.20.254，VOD的服务器为192.168.70.254，网关分别为10.1,20.1,30.1,70.1;并且只要求vlan30可以访问外网，vlan30的部分PC（经理级别的）可以访问酒管服务器、财务服务器和VOD服务器；其它vlan之间的PC不允许访问。最后把除vlan70以外的所有pc进行IP和MAC绑定，以阻止非法电脑进入网内。配置:核心（3750上的配置）3750#showrunBuildingconfiguration...Currentconfiguration:5519bytesversion12.2noservicepadservicetimestampsdebuguptimeservicetimestampsloguptimenoservicepassword-encryption!hostname3750!enablepasswordmb!noaaanew-modelswitch1provisionws-c3750-48tsvtpmodetransparentipsubnet-zeroiprouting(启用三层功能)noipdomain-lookupipdhcpexcluded-address192.168.70.1(从dhcp地址池中排除网关的IP地址)ipdhcpexcluded-address192.168.70.254(从dhcp地址池中排除服务器的IP地址)!ipdhcppoolvlan70(为Vlan70创建一个dhcp地址池并指定网关和DNS)network192.168.70.0255.255.255.0default-router192.168.70.1dns-server202.106.196.115lease3(IP地址的租期,lease天数,小时数)!iparpinspectionvlan10,20,30(为Vlan10,20和30启用动态ARP检测)iparpinspectionfilterv10vlan10(把arp访问控制列V10表应用在Vlan10上)iparpinspectionfilterv20vlan20(把arp访问控制列V10表应用在Vlan20上)iparpinspectionfilterv30vlan30(把arp访问控制列V10表应用在Vlan30上)!!!nofileverifyautospanning-treemodepvstspanning-treeextendsystem-id!vlaninternalallocationpolicyascending!vlan10,20,30,70(创建Vlan)!interfaceFastEthernet1/0/1!interfaceFastEthernet1/0/2interfaceFastEthernet1/0/3!interfaceFastEthernet1/0/4!interfaceFastEthernet1/0/5!interfaceFastEthernet1/0/6!interfaceFastEthernet1/0/7descriptionconnect17floor2950switchporttrunkencapsulationdot1q(封装trunk链路)switchportmodetrunk!interfaceFastEthernet1/0/8descriptionconnect21floor2950switchporttrunkencapsulationdot1qswitchportmodetrunk!interfaceFastEthernet1/0/9!interfaceFastEthernet1/0/10!interfaceFastEthernet1/0/11!interfaceFastEthernet1/0/12descriptionconnect12floorswitchportaccessvlan70(把此端口指给vlan70)switchportmodeaccess!interfaceFastEthernet1/0/13!interfaceFastEthernet1/0/14!interfaceFastEthernet1/0/15descriptionconnect15floorswitchportaccessvlan70switchportmodeaccess!interfaceFastEthernet1/0/16descriptionconnect16floorswitchportaccessvlan70switchportmodeaccess!interfaceFastEthernet1/0/17descriptionconnect17floorswitchportaccessvlan70switchportmodeaccess!interfaceFastEthernet1/0/18descriptionconnect18floorswitchportaccessvlan70switchportmodeaccess!interfaceFastEthernet1/0/19descriptionconnect19floorswitchportaccessvlan70switchportmodeaccess!interfaceFastEthernet1/0/20descriptionconnect20floorswitchportaccessvlan70switchportmodeaccess!interfaceFastEthernet1/0/21descriptionconnect21floorswitchportaccessvlan70switchportmodeaccess!interfaceFastEthernet1/0/22!interfaceFastEthernet1/0/23!...............!interfaceFastEthernet1/0/47!interfaceFastEthernet1/0/48descriptionconnectfanghuoqiangnoswitchportipaddress172.16.10.5255.255.255.0!interfaceGigabitEthernet1/0/1descriptionconnect6floor2950Gswitchporttrunkencapsulationdot1qswitchportmodetrunk!interfaceGigabitEthernet1/0/2descriptionconnect9floor2950Gswitchporttrunkencapsulationdot1qswitchportmodetrunk!interfaceGigabitEthernet1/0/3descriptionconnect10floor2950Gswitchporttrunkencapsulationdot1qswitchportmodetrunk!interfaceGigabitEthernet1/0/4descriptionconnect11floor2950Gswitchporttrunkencapsulationdot1qswitchportmodetrunk!interfaceVlan1ipaddress192.168.1.2255.255.255.0(vlan1的管理IP地址)!interfaceVlan10ipaddress192.168.10.1255.255.255.0(Vlan10的网关)ipaccess-groupvlan10_inin(把vlan10_in的访问控制列表应用在vlan10的入方向上)!interfaceVlan20ipaddress192.168.20.1255.255.255.0(Vlan20的网关)ipaccess-groupvlan20_inin(把vlan20_in的访问控制列表应用在vlan20的入方向上)!interfaceVlan30ipaddress192.168.30.1255.255.255.0(Vlan30的网关)ipaccess-groupvlan30_inin!interfaceVlan70ipaddress192.168.70.1255.255.255.0(Vlan70的网关)ipaccess-groupvlan70_inin!ipclasslessiproute0.0.0.00.0.0.0172.16.10.1iphttpserver!ipaccess-listextendedv10_in(建立允许vlan30的部分主机访问10.199的服务器的访问控制列表)permitiphost192.168.10.199host192.168.30.2permitiphost192.168.10.199host192.168.30.3permitiphost192.168.10.199host192.168.30.4permitiphost192.168.10.199host192.168.30.5permitiphost192.168.10.199host192.168.30.6permitiphost192.168.10.199host192.168.30.7permitiphost192.168.10.199host192.168.30.8permitiphost192.168.10.199host192.168.30.9permitiphost192.168.10.199host192.168.30.10permitiphost192.168.10.199host192.168.30.11permitiphost192.168.10.199host192.168.30.12permitiphost192.168.10.199host192.168.30.13permitiphost192.168.10.199host192.168.30.14permitiphost192.168.10.199host192.168.30.15permitipanyhost192.168.30.254ipaccess-listextendedv20_in(建立允许vlan30的部分主机访问20.254的服务器的访问控制列表)permitiphost192.168.20.254host192.168.30.2permitiphost192.168.20.254host192.168.30.3permitiphost192.168.20.254host192.168.30.4permitiphost192.168.20.254host192.168.30.5permitiphost192.168.20.254host192.168.30.15permitipanyhost192.168.30.254ipaccess-lsitextendedv30_in(由于VAcl的访问是双向的,所以在vlan30的方向上也要做相应的acl)permitiphost192.168.30.254anypermit