This solution was built around the following devices.
§ Cisco ASA 5506X
§ Cisco 2901 ISR
§ Cisco Catalyst 4321
Configure the interface mapping of EX-FW as follows.

Network Adapter ID | ASAv Interface ID
---|---
Network Adapter 1 | Management 0/0
Network Adapter 2 | GigabitEthernet 0/0
Network Adapter 3 | GigabitEthernet 0/1
Network Adapter 4 | GigabitEthernet 0/2
Network Adapter 5 | GigabitEthernet 0/3
Network Adapter 6 | GigabitEthernet 0/4
Network Adapter 7 | GigabitEthernet 0/5
Network Adapter 8 | GigabitEthernet 0/6
Network Adapter 9 | GigabitEthernet 0/7
Network Adapter 10 | GigabitEthernet 0/8
Configure the interface mapping of EX-R as follows.

Network Adapter ID | Interface ID
---|---
Network Adapter 1 | GigabitEthernet1
Network Adapter 2 | GigabitEthernet2
Network Adapter 3 | GigabitEthernet3
1) Basic Configuration
Change the hostname of every device and host to the name shown on the topology.
All devices except the ASAs
conf t
enable password korea2021##
service password-encryption
clock timezone KST 9 0
EX-FW, CENT-FW
conf t
enable password korea2021##
clock timezone KST 9 0
2) L2 Configuration
WORK-SW1
conf t
int range fa0/21,fa0/22
channel-group 1 mode desirable
int port-channel 1
sw m t
sw trunk allowed vlan 10,20,100
exit
int range fa0/24
sw m t
sw trunk allowed vlan 10,20
sw trunk native vlan 10
exit
vlan 10
name WORK-CLIENT
vlan 20
name WORK-VOICE
vlan 100
name CENT
exit
int fa0/1
sw m ac
sw ac vlan 20
exit
vtp ve 2
vtp domain SKILLS2021
vtp password korea2021##
vtp mode server
spanning-tree portfast edge default
WORK-SW2
conf t
int range fa0/21,fa0/22
channel-group 1 mode auto
exit
int port-channel 1
sw m t
sw trunk allowed vlan 10,20,100
exit
vtp ve 2
vtp domain SKILLS2021
vtp password korea2021##
vtp mode client
int fa0/3
sw m ac
sw ac vlan 10
exit
int range fa0/1-2
sw m ac
sw ac vlan 100
exit
int range fa0/24
sw m ac
sw ac vlan 100
exit
spanning-tree portfast edge default
ip dhcp snooping
ip dhcp snooping vlan 100
no ip dhcp snooping information option
int fa0/24
ip dhcp snooping trust
3) L3 Configuration
ISP
#vim /etc/network/interfaces
#systemctl restart networking
CENT-SRV
#vim /etc/network/interfaces
#systemctl restart networking
REMOTE
※ Run ncpa.cpl
WORK-SW1, WORK-SW2
conf t
sdm prefer dual-ipv4-and-ipv6 default
do wr
do reload
WORK-SW1
conf t
int vlan 10
no shut
ipv6 add 2001:10:101:2::10/64
ipv6 enable
exit
ipv6 route ::/0 2001:10:101:2::1
WORK-SW2
conf t
int vlan 100
no shut
ip add 172.16.0.10 255.255.255.0
ipv6 add 2001:10:202:2::10/64
ipv6 enable
exit
ip default-gateway 172.16.0.254
ipv6 route ::/0 2001:10:202:2::FFFF
CENT-FW
conf t
no object network obj_any
policy-map global_policy
class inspection_default
inspect icmp
exit
exit
same-security-traffic permit inter-interface
int gig1/1
no shut
nameif INSIDE
security-level 100
ip add 172.16.0.254 255.255.255.0
ipv6 enable
ipv6 add 2001:10:202:2::FFFF/64
exit
int gig1/8
no shut
nameif OUTSIDE
security-level 0
ip add 10.1.0.1 255.255.255.252
ipv6 enable
ipv6 add 2001:10:202:1::1/64
exit
access-list OUT-TO-IN extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
access-list OUT-TO-IN extended permit ip 2001::/16 2001::/16
access-group OUT-TO-IN in interface OUTSIDE
WORK-R
conf t
ipv6 unicast-routing
int gig0/0/0
no shut
exit
int gig0/0/0.10
en dot1q 10 native
ipv6 enable
ipv6 add 2001:10:101:2::1/64
exit
int gig0/0/0.20
en dot1q 20
ip add 192.168.0.254 255.255.255.0
int gig0/0/1
no shut
ip add 203.230.10.1 255.255.255.252
exit
int lo 0
ip add 1.1.1.1 255.255.255.0
EX-R
conf t
int gig1
no shut
ip add 140.30.2.2 255.255.255.252
int gig2
no shut
ip add 203.230.10.2 255.255.255.252
int gig3
no shut
ip add 107.58.65.2 255.255.255.252
CENT-R
conf t
ipv6 unicast-routing
int gig0/0/0
no shut
ip add 10.1.0.2 255.255.255.252
ipv6 enable
ipv6 add 2001:10:202:1::FFFF/64
exit
int gig0/0/1
no shut
ip add 107.58.65.1 255.255.255.252
exit
int lo 0
ip add 1.1.2.2 255.255.255.0
EX-FW
conf t
policy-map global_policy
class inspection_default
inspect icmp
exit
exit
same-security-traffic permit inter-interface
int gig0/8
no shut
nameif OUTSIDE
security-level 0
ip add 140.30.2.1 255.255.255.252
exit
int gig0/0
no shut
nameif INSIDE
security-level 100
ip add 110.240.50.254 255.255.255.0
exit
access-list OUT-TO-IN extended permit icmp 9.9.9.0 255.255.255.0 110.240.50.0 255.255.255.0
access-list OUT-TO-IN extended permit icmp host 107.58.65.1 110.240.50.0 255.255.255.0
access-group OUT-TO-IN in interface OUTSIDE
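As an added example (not part of the original post), the following Python script parses the two OUT-TO-IN access-lists above (CENT-FW and EX-FW) and evaluates them first-match, the way the ASA does, so you can check which flows reach the INSIDE side before the implicit deny. It handles the `host`, address-plus-mask and IPv6 prefix operand forms used on this page; the ACL lines are copied from the page, and the test addresses are constructed.

```python
import ipaddress

# Constructed copies of the two OUT-TO-IN ACLs from the page (CENT-FW and EX-FW).
CENT_FW_ACL = """
access-list OUT-TO-IN extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
access-list OUT-TO-IN extended permit ip 2001::/16 2001::/16
"""
EX_FW_ACL = """
access-list OUT-TO-IN extended permit icmp 9.9.9.0 255.255.255.0 110.240.50.0 255.255.255.0
access-list OUT-TO-IN extended permit icmp host 107.58.65.1 110.240.50.0 255.255.255.0
"""

def _endpoint(tokens, i):
    """Parse one ASA address operand at tokens[i]; return (network_or_None, next_index)."""
    tok = tokens[i]
    if tok in ("any", "any4", "any6"):
        return None, i + 1                                  # None matches every address
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2   # single host -> /32 or /128
    if "/" in tok:                                          # IPv6 prefix form: 2001::/16
        return ipaddress.ip_network(tok, strict=False), i + 1
    # IPv4 form: address followed by a subnet mask (10.0.0.0 255.0.0.0)
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Turn 'access-list NAME extended ACTION PROTO SRC DST' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue                          # skip blanks, remarks, other ACL syntax
        name, action, proto = t[1], t[3], t[4]
        src, i = _endpoint(t, 5)
        dst, _ = _endpoint(t, i)
        rules.append((name, action, proto, src, dst))
    return rules

def _match(net, addr):
    return net is None or (addr.version == net.version and addr in net)

def evaluate(rules, name, proto, src, dst):
    """First-match evaluation of ACL `name`; the ASA appends an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rname, action, rproto, rsrc, rdst in rules:
        if rname != name or rproto not in ("ip", proto):
            continue                          # 'ip' on the ASA matches any IP protocol
        if _match(rsrc, s) and _match(rdst, d):
            return action
    return "deny"
```

Running `evaluate(parse_acl(EX_FW_ACL), "OUT-TO-IN", "tcp", "107.58.65.1", "110.240.50.1")` returns `deny`, since EX-FW only opens ICMP; note also that the CENT-FW IPv6 rule admits any traffic between any two 2001::/16 addresses, far wider than the two /64s in the topology.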