Topology 2 (Solution)

1. Requirements
   A. Complete the network configuration by referring to the given file (토폴로지 2.pka).

2. Tasks
   A. Description
      - The current topology already contains every setting needed for communication.
      - However, because of security concerns, it will now be reconfigured under the conditions given below.
      - The goal is to separate all four networks and assign IP addresses automatically.
        * The router, the server and every PC still carry their previous network settings.
        * DNS and web services are already configured on the server.

   B. Device initialization
      - Reset the router's configuration, then continue with the following tasks.
      - The IP settings of every PC, including the server, must later be changed to match the conditions given below.

      Router#erase startup-config
      Erasing the nvram filesystem will remove all configuration files Continue? [confirm] [Enter]
      [OK]
      Erase of nvram: complete
      %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
      Router#reload
      Proceed with reload? [confirm] [Enter]
      ############## <omitted>
      Continue with configuration dialog? [yes/no]: no
      Router>

   C. System settings
      1) Hostname
         - Change the hostname of the router and the switches to match the Display Name in the topology.

         Switch(config)#hostname S1
         S1(config)#
         (The router is already named Router, so it does not need to be renamed.)
         Switch(config)#hostname S2
         S2(config)#

      2) Passwords
         - Set the password for entering privileged mode on R1, S1 and S2 to PassWorD.
         - R1's password must be encrypted with MD5; S1 and S2 store theirs unencrypted, in plain text.

         Router(config)#enable secret PassWorD
         S1(config)#enable password PassWorD
         S2(config)#enable password PassWorD
      3) History and console settings
         - Set the router's console password to PassWorD and allow console login.
         - The console password must be stored encrypted.
         - Set the history size to 20 for console sessions on router R1.

         Router(config)#line con 0
         Router(config-line)#password PassWorD
         Router(config-line)#login
         Router(config-line)#history size 20
         Router(config-line)#exit
         Router(config)#service password-encryption

      4) DNS lookup
         - Configure S1 so that a mistyped command does not hang the device while it waits on a DNS query.

         S1(config)#no ip domain-lookup

   D. IP settings
      1) Basic IP settings
         - Set every PC except the server to DHCP.
         - Configure an IP address and default gateway on S1's vlan 10 and S2's vlan 30.

         Network name (VLAN ID)   Network          Host (port)         IP address
         Server_net  (VLAN 10)    110.192.0.0/13   Router (fa0/0.10)   110.192.0.1
                                                   Server              110.192.0.2 (already set)
         Manage_net  (VLAN 20)    110.200.0.0/13   Router (fa0/0.20)   110.200.0.1
                                                   PC0                 DHCP (110.200.0.11 ~ 110.200.0.20)
                                                   S1                  110.200.0.2
         Student_net (VLAN 30)    110.208.0.0/13   Router (fa0/1.30)   110.208.0.1
                                                   PC1                 DHCP (110.208.0.11 ~ 110.208.0.20)
                                                   S2                  110.208.0.2
         Teacher_net (VLAN 40)    110.216.0.0/13   Router (fa0/1.40)   110.216.0.1
                                                   PC2                 DHCP (110.216.0.11 ~ 110.216.0.20)

         <Server> <PC0> <PC1> <PC2>  (screenshots of each host's IP settings; not reproduced here)

         S1(config)#int vlan 10
         S1(config-if)#ip add 110.200.0.2 255.248.0.0
         S1(config-if)#no shut
         S1(config-if)#exit
         S1(config)#ip default-gateway 110.200.0.1

         S2(config)#int vlan 30
         S2(config-if)#ip add 110.208.0.2 255.248.0.0
         S2(config-if)#no shut
         S2(config-if)#exit
         S2(config)#ip default-gateway 110.208.0.1
         S2(config)#
   E. VLAN settings
      1) Create the VLANs on S1 and S2 according to the table.

         Device   VLAN name (ID)          Ports
         S1       Server_net  (VLAN 10)   Fa 0/1 - 0/10
                  Manage_net  (VLAN 20)   Fa 0/11 - 0/20
         S2       Student_net (VLAN 30)   Fa 0/1 - 0/10
                  Teacher_net (VLAN 40)   Fa 0/11 - 0/20

      2) When creating each VLAN, give it the same name as in the table above.
      3) Port assignment: assign the ports to the VLANs according to the table above.

         S1(config)#vlan 10
         S1(config-vlan)#name Server_net
         S1(config-vlan)#vlan 20
         S1(config-vlan)#name Manage_net
         S1(config-vlan)#exit

         S2(config)#vlan 30
         S2(config-vlan)#name Student_net
         S2(config-vlan)#vlan 40
         S2(config-vlan)#name Teacher_net
         S2(config-vlan)#exit

         S1(config)#int range fa0/1 - fa0/10
         S1(config-if-range)#switchport mode access
         S1(config-if-range)#switchport access vlan 10
         S1(config-if-range)#int range fa0/11 - fa0/20
         S1(config-if-range)#switchport mode access
         S1(config-if-range)#switchport access vlan 20

         S2(config)#int range fa0/1 - fa0/10
         S2(config-if-range)#switchport mode access
         S2(config-if-range)#switchport access vlan 30
         S2(config-if-range)#int range fa0/11 - fa0/20
         S2(config-if-range)#switchport mode access
         S2(config-if-range)#switchport access vlan 40

         Verify the VLAN numbers, names and member ports:

         S1(config-if-range)#do sh vlan
         VLAN Name                             Status    Ports
         ---- -------------------------------- --------- -------------------------------
         1    default                          active    Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                         Gig1/1, Gig1/2
         10   Server_net                       active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                         Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                         Fa0/9, Fa0/10
         20   Manage_net                       active    Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                         Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                         Fa0/19, Fa0/20

         S2(config-if-range)#do sh vlan
         VLAN Name                             Status    Ports
         ---- -------------------------------- --------- -------------------------------
         1    default                          active    Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                         Gig1/1, Gig1/2
         30   Student_net                      active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                         Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                         Fa0/9, Fa0/10
         40   Teacher_net                      active    Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                         Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                         Fa0/19, Fa0/20
   F. Router settings
      1) Inter-VLAN routing
         - Configure subinterfaces on the router's Fa0/0 and Fa0/1.
         - Use each network's VLAN ID as its subinterface number.
         - Apply the IEEE 802.1Q protocol to each subinterface so the VLANs can communicate.
         - Configure the IP addresses according to the table in D. IP settings --> 1) Basic IP settings.
         - Configure the S1 and S2 ports connected to the router so that traffic for all VLANs is carried.

         Router(config)#int fa0/0
         Router(config-if)#no shut
         Router(config-if)#int fa0/0.10
         Router(config-subif)#encapsulation dot1q 10
         Router(config-subif)#ip add 110.192.0.1 255.248.0.0
         Router(config-subif)#int fa0/0.20
         Router(config-subif)#en do 20
         Router(config-subif)#ip add 110.200.0.1 255.248.0.0

         <S1 trunking>
         S1(config)#int fa0/23
         S1(config-if)#switchport mode trunk

         Router(config-subif)#int fa0/1
         Router(config-if)#no shut
         Router(config-if)#int fa0/1.30
         Router(config-subif)#en do 30
         Router(config-subif)#ip add 110.208.0.1 255.248.0.0
         Router(config-subif)#int fa0/1.40
         Router(config-subif)#en do 40
         Router(config-subif)#ip add 110.216.0.1 255.248.0.0

         <S2 trunking>
         S2(config)#int fa0/24
         S2(config-if)#sw mo tr

      The /13 subnet mask only looks unfamiliar; it is not a hard problem.
      /29? You have done that often enough: 255.255.255.248, right?
      /13 => 11111111.11111000.00000000.00000000 => 255.248.0.0

      Tip. What is the usable range of 100.192.0.0/13?
      Since the subnet mask ends in the second octet, write only the 192 of the network address in binary:
      100.11000000.0.0 => the first 13 bits (100.11000) are fixed by the /13 mask; the remaining bits vary.
      100.11000000.0.0 ~ 100.11000111.255.255 => 100.192.0.0 ~ 100.199.255.255
      (excluding the first and last address) => 100.192.0.1 ~ 100.199.255.254
      2) DHCP settings
         - Every PC except the server must obtain its IP address automatically.
         - Configure DHCP so that each PC is assigned an address automatically, according to the table in D. IP settings --> 1) Basic IP settings.
         - Use the VLAN's name as the name of its DHCP pool.
         - The gateway must be the address of the corresponding router subinterface.
         - The DNS address must be the server's address.

         Router(config)#ip dhcp pool Manage_net
         Router(dhcp-config)#network 110.200.0.0 255.248.0.0
         Router(dhcp-config)#default-router 110.200.0.1
         Router(dhcp-config)#dns-server 110.192.0.2
         Router(dhcp-config)#ex
         Router(config)#ip dhcp excluded-address 110.200.0.1 110.200.0.10
         Router(config)#ip dhcp excluded-address 110.200.0.21 110.200.255.255

         Router(config)#ip dhcp pool Student_net
         Router(dhcp-config)#network 110.208.0.0 255.248.0.0
         Router(dhcp-config)#default-router 110.208.0.1
         Router(dhcp-config)#dns-server 110.192.0.2
         Router(dhcp-config)#ex
         Router(config)#ip dhcp excluded-address 110.208.0.1 110.208.0.10
         Router(config)#ip dhcp excluded-address 110.208.0.21 110.208.255.255

         Router(config)#ip dhcp pool Teacher_net
         Router(dhcp-config)#ne 110.216.0.0 255.248.0.0
         Router(dhcp-config)#defa 110.216.0.1
         Router(dhcp-config)#dns 110.192.0.2
         Router(dhcp-config)#ex
         Router(config)#ip dhcp ex 110.216.0.1 110.216.0.10
         Router(config)#ip dhcp ex 110.216.0.21 110.216.255.255
   G. Security settings
      1) Configure the student network and the teacher network so that they cannot exchange data with each other.
         - ACL 10: keep students from reaching the teacher network
         - ACL 20: keep teachers from reaching the student network

      An ACL (access-list) basically watches the traffic at a router port and, when a list entry matches the source IP, either discards or forwards it.

      1 Router(config)#access-list 10 deny 110.208.0.0 0.7.255.255
      2 Router(config)#access-list 10 permit any
      3 Router(config)#int fa0/1.40
      4 Router(config-subif)#ip access-group 10 out
        Router(config-subif)#ex

      1  Create list number 10 and, when traffic arrives whose source is 110.208.0.0 (the student network), deny it.
      2  Permit traffic coming from any other source.
      3  Enter the gateway interface of the teacher network.
      4  Apply ACL 10 so that traffic leaving toward the teacher network (out) is filtered.

      Line 2 is required because once an ACL is applied, anything that matches no entry is also denied. Line 1 denies the student network; without line 2, traffic from the server network and the management network would be denied as well.

      Below is the reverse: traffic whose source is the teacher network is filtered so that it cannot enter the student network.

      Router(config)#access-list 20 deny 110.216.0.0 0.7.255.255
      Router(config)#access-list 20 permit any
      Router(config)#int fa0/1.30
      Router(config-subif)#ip access-group 20 out
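The following is an added example, not part of the original solution and written in Python rather than IOS: it reproduces the /13 subnet arithmetic from the tip in F. and the standard ACL evaluation described in G., including the implicit deny that makes line 2 necessary. The addresses are taken from the page's table; the ACL entries are exactly ACL 10 as shown above.

```python
"""Added example: the lab's /13 subnet math and IOS-style ACL evaluation."""
from typing import List, Tuple

def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def mask_and_wildcard(prefix: int) -> Tuple[str, str]:
    """/13 -> ('255.248.0.0', '0.7.255.255'): the ACL wildcard is the mask inverted."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return int_to_ip(mask), int_to_ip(~mask & 0xFFFFFFFF)

def usable_range(network: str, prefix: int) -> Tuple[str, str]:
    """First and last assignable host, as worked in the page's 100.192.0.0/13 tip."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    net = ip_to_int(network) & mask
    broadcast = net | (~mask & 0xFFFFFFFF)
    return int_to_ip(net + 1), int_to_ip(broadcast - 1)

def wildcard_match(src: str, base: str, wildcard: str) -> bool:
    """IOS semantics: a 1 bit in the wildcard means 'do not care' for that bit."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(src) & care) == (ip_to_int(base) & care)

def acl_decision(acl: List[Tuple[str, str, str]], src: str) -> str:
    """Evaluate (action, base, wildcard) entries top-down; no match falls through
    to the implicit deny that ends every IOS ACL."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # implicit deny

# ACL 10 exactly as on the page; 'permit any' is 0.0.0.0 with wildcard 255.255.255.255.
ACL_10 = [("deny", "110.208.0.0", "0.7.255.255"),
          ("permit", "0.0.0.0", "255.255.255.255")]
ACL_10_WITHOUT_PERMIT = ACL_10[:1]  # the omission the text warns about

if __name__ == "__main__":
    print(mask_and_wildcard(13), usable_range("100.192.0.0", 13))
    # PC1 (student), Server, PC0 (manage) as sources heading out fa0/1.40
    for src in ("110.208.0.11", "110.192.0.2", "110.200.0.11"):
        print(src, acl_decision(ACL_10, src), acl_decision(ACL_10_WITHOUT_PERMIT, src))
```

Run stand-alone, the last column shows that without line 2 the server and management hosts are denied along with the students.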
Router#sh run
Building configuration...

Current configuration : 1748 bytes
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
hostname Router
enable secret 5 $1$mERr$cHnlzIx/l0soOPRkFdpUI0
ip dhcp excluded-address 110.200.0.1 110.200.0.10
ip dhcp excluded-address 110.200.0.21 110.200.255.255
ip dhcp excluded-address 110.208.0.1 110.208.0.10
ip dhcp excluded-address 110.208.0.21 110.208.255.255
ip dhcp excluded-address 110.216.0.1 110.216.0.10
ip dhcp excluded-address 110.216.0.21 110.216.255.255
ip dhcp pool Manage_net
 network 110.200.0.0 255.248.0.0
 default-router 110.200.0.1
 dns-server 110.192.0.2
ip dhcp pool Student_net
 network 110.208.0.0 255.248.0.0
 default-router 110.208.0.1
 dns-server 110.192.0.2
ip dhcp pool Teacher_net
 network 110.216.0.0 255.248.0.0
 default-router 110.216.0.1
 dns-server 110.192.0.2
spanning-tree mode pvst
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
interface FastEthernet0/0.10
 encapsulation dot1q 10
 ip address 110.192.0.1 255.248.0.0
interface FastEthernet0/0.20
 encapsulation dot1q 20
 ip address 110.200.0.1 255.248.0.0
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
interface FastEthernet0/1.30
 encapsulation dot1q 30
 ip address 110.208.0.1 255.248.0.0
 ip access-group 20 out
interface FastEthernet0/1.40
 encapsulation dot1q 40
 ip address 110.216.0.1 255.248.0.0
 ip access-group 10 out
interface Vlan1
 no ip address
 shutdown
ip classless
access-list 10 deny 110.208.0.0 0.7.255.255
access-list 10 permit any
access-list 20 deny 110.216.0.0 0.7.255.255
access-list 20 permit any
line con 0
 history size 20
 password 7 08114D5D1A2E0A0536
line vty 0 4
end
S1#sh run
Building configuration...

Current configuration : 2207 bytes
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname S1
enable password PassWorD
no ip domain-lookup
spanning-tree mode pvst
interface FastEthernet0/1
interface FastEthernet0/2
interface FastEthernet0/3
interface FastEthernet0/4
interface FastEthernet0/5
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
 switchport mode trunk
interface FastEthernet0/24
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
 no ip address
 shutdown
interface Vlan10
 ip address 110.200.0.2 255.248.0.0
ip default-gateway 110.200.0.1
line con 0
line vty 0 4
line vty 5 15
end

S2#sh run
Building configuration...

Current configuration : 2187 bytes
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname S2
enable password PassWorD
spanning-tree mode pvst
interface FastEthernet0/1
interface FastEthernet0/2
interface FastEthernet0/3
interface FastEthernet0/4
interface FastEthernet0/5
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface FastEthernet0/9
interface FastEthernet0/10
interface FastEthernet0/11
interface FastEthernet0/12
interface FastEthernet0/13
interface FastEthernet0/14
interface FastEthernet0/15
interface FastEthernet0/16
interface FastEthernet0/17
interface FastEthernet0/18
interface FastEthernet0/19
interface FastEthernet0/20
interface FastEthernet0/21
interface FastEthernet0/22
interface FastEthernet0/23
interface FastEthernet0/24
 switchport mode trunk
interface GigabitEthernet1/1
interface GigabitEthernet1/2
interface Vlan1
 no ip address
 shutdown
interface Vlan30
 ip address 110.208.0.2 255.248.0.0
ip default-gateway 110.208.0.1
line con 0
line vty 0 4
line vty 5 15
end