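[Device list]
Router × 1
Core switch × 1
Access switch × 25
[Requirements]
The whole network must be able to reach the medical insurance system.
[Rough configuration]
Router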
access-list 3198 deny tcp any any eq 135
access-list 3198 deny tcp any any eq 445
access-list 3198 permit ip any any
access-list 3199 deny icmp any any echo
access-list 3199 deny tcp any any eq 135
access-list 3199 deny tcp any any eq 445
access-list 3199 permit ip any any
access-list 99 permit any
dialer-list 1 protocol ip permit
interface FastEthernet 0/0
ip nat inside
ip access-group 3198 in
no ip redirects
no ip mask-reply
no ip proxy-arp
ip address 192.168.0.1 255.255.255.0
arp gratuitous-send interval 1 5
arp trust-monitor enable
!
interface FastEthernet 1/0
ip nat outside
ip access-group 3199 in
no ip redirects
no ip mask-reply
no ip proxy-arp
ip address 222.222.222.222 255.255.255.252
no arp trust-monitor enable
duplex auto
speed auto
!
interface FastEthernet 1/1
no arp trust-monitor enable
duplex auto
speed auto
shutdown
!
interface Null 0
!
!
ip nat pool nbr_setup_build_pool prefix-length 24
address 222.222.222.222 222.222.222.222 match interface FastEthernet 1/0
!
ip nat inside source list 99 pool nbr_setup_build_pool
ip nat application qq 1024
ip nat translation per-ip 0.0.0.0 1000
ip nat translation udp-timeout 150
ip nat translation icmp-timeout 30
ip nat translation tcp-timeout 600
ip nat translation finrst-timeout 20
ip nat translation dns-timeout 30
arp attacker-detect enable
security anti-wan-attack level high
security anti-lan-attack drop
security deny wan-ping
!
! Default route to the gateway
ip route 0.0.0.0 0.0.0.0 FastEthernet 1/0 222.222.222.223
! Route to the internal network
ip route 192.168.0.0 255.255.0.0 192.168.0.2
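An added example, not part of the original notes: a small first-match evaluator for the two router ACLs above, to confirm what access-list 3198 (inbound on FastEthernet 0/0) and access-list 3199 (inbound on FastEthernet 1/0) actually drop. It assumes first-match evaluation with an implicit deny at the end, handles only the "any any" entry forms used on this page, and the sample packets are constructed.

```python
# ACL entries copied verbatim from the router configuration above.
ACL_TEXT = """\
access-list 3198 deny tcp any any eq 135
access-list 3198 deny tcp any any eq 445
access-list 3198 permit ip any any
access-list 3199 deny icmp any any echo
access-list 3199 deny tcp any any eq 135
access-list 3199 deny tcp any any eq 445
access-list 3199 permit ip any any
"""

def parse_acls(text):
    """Return {acl_id: [(action, proto, qualifier), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        acl_id, action, proto, src, dst = tok[1:6]
        if (src, dst) != ("any", "any"):
            raise ValueError("only 'any any' entries are handled: " + line)
        rest = tok[6:]
        if rest[:1] == ["eq"]:
            qual = ("port", int(rest[1]))   # TCP/UDP destination port
        elif rest:
            qual = ("icmp", rest[0])        # ICMP message name, e.g. echo
        else:
            qual = None                     # no qualifier: whole protocol
        acls.setdefault(acl_id, []).append((action, proto, qual))
    return acls

def evaluate(acls, acl_id, proto, dport=None, icmp_type=None):
    """Return the action of the first matching entry (implicit deny at the end)."""
    for action, rule_proto, qual in acls[acl_id]:
        if rule_proto not in ("ip", proto):
            continue
        if qual in (None, ("port", dport), ("icmp", icmp_type)):
            return action
    return "deny"

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    # Constructed sample packets: (ACL, protocol, destination port, ICMP type)
    for acl_id, proto, dport, icmp in [("3198", "tcp", 445, None), ("3198", "tcp", 139, None),
                                       ("3198", "icmp", None, "echo"), ("3199", "icmp", None, "echo"),
                                       ("3199", "icmp", None, "echo-reply"), ("3199", "udp", 445, None)]:
        print(acl_id, proto, dport or icmp, "->", evaluate(acls, acl_id, proto, dport, icmp))
```

TCP 139 and UDP 445 fall through to the final permit entry, because both lists name only TCP 135 and TCP 445.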
Core switch
Create N VLANs
vlan 100
!
…………………..
!
vlan 121
!
interface GigabitEthernet 2/1
switchport mode trunk                       
!
…………………    (many more interfaces set to trunk mode omitted)
interface GigabitEthernet 3/23
no switchport
no ip proxy-arp
! Layer 3 (routed) interface connected to the router's internal interface
ip address 192.168.0.2 255.255.255.0
!
interface GigabitEthernet 3/24                             
switchport access vlan 1000 
!
interface VLAN 100
no ip proxy-arp
ip address 192.168.100.1 255.255.255.0
!
………..    (many more addresses assigned to VLAN interfaces omitted)
!
! Management port
interface Mgmt 0
duplex auto
speed auto
!
! Default route to the router's internal interface
ip route 0.0.0.0 0.0.0.0 192.168.0.1 permanent
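Access switch
! Create the VLAN
vlan 101
name 101

! Create the management VLAN
vlan 100
name management

! Management VLAN address
int vlan 100
ip add 192.168.100.2 255.255.255.0

! User default gateway
ip def 192.168.1.1

! Assign the interfaces to the VLAN
int ran g 0/1-22
sw acc vlan 101

! Set the uplink ports to trunk mode
int ran g 0/23-24
sw mo tr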