VLAN配置
建6个VLAN
conf t
vlan 100-105
show vlan
配置服务器的vlan地址
int vlan 100
ip add 192.168.80.254 255.255.255.0
no shut
配置各个小组的
vlan VLAN 101
int vlan 101
ip add 172.20.101.254 255.255.255.0
VLAN 102
int vlan 102
ip add 172.20.102.254 255.255.255.0
VLAN 103
int vlan 103
ip add 172.20.103.254 255.255.255.0
VLAN 104
int vlan 104
ip add 172.20.104.254 255.255.255.0
VLAN 105
int vlan 105
ip add 172.20.105.254 255.255.255.0
end
conf t
配置网口为access
int e1/0/1-20
switch mo access exit
给每个vlan划分3个网口
VLAN 101
int e1/0/1-3
sw access vlan 101
VLAN 102
int e1/0/4-6
sw access vlan 102
VLAN 103
int e1/0/7-9
sw access vlan 103
VLAN 104
int e1/0/10-12
sw access vlan 104
VLAN 105
int e1/0/13-15
sw access vlan 105
划分2个管理口
int e1/0/19-20
sw access vlan 100
划分4个数据口为trunk
int e1/0/21-24
sw mo trunk
sw trunk allowed vlan all
ACL配置
ip access-list extended HZ101
permit udp any-source any-destination d-port range 67 68
从设备靶机能获取到主设备上的DHCP
deny ip any-source host-destination 172.20.101.253
拒绝选手访问到253的dhcp地址
permit ip 172.20.101.0 0.0.0.255 172.20.101.0 0.0.0.255
前半个小时能访问自己的靶机
permit ip 172.20.0.0 0.0.255.255 172.20.0.0 0.0.255.255
半个小时后大家能互相访问各自的靶机
permit tcp any-source host-destination 192.168.80.1 d-port 80
只能访问服务器80端口
permit tcp any-source host-destination 192.168.80.1 d-port range 8000 9000
让虚拟机VNC的端口可以访问
deny ip any-source any-destination 拒绝所有
exit
firewall enable
开启防火墙
vacl ip access-group HZ101 in vlan 101
应用到vlan
网友评论