Edualk12/homelab-network
GitHub: Edualk12/homelab-network
A personal network lab for network configuration and security practice.
Stars: 0 | Forks: 0
# **Homelab Network**
My homelab network was built so that I could learn networking and get hands-on experience with how different network devices interact with each other. Building the lab myself gives me much more control over, and a far better understanding of, how data moves between the different components and what it is used for.
## Network Topology

## Hardware
### Network Devices
| Device | Model | Role |
|------|------|------|
| Router | Cisco ISR4321 | Inter-VLAN routing, DHCP server, NAT |
| Firewall (in progress) | MikroTik (in progress) | Edge firewall |
| Switch | EnGenius EWS7928P | Managed switching |
| Wireless access point | EnGenius EWS300AP | Wi-Fi |
### Servers / Computers
| Device | CPU | RAM | Storage | OS / Role |
|------|-----|-----|---------|------|
| HP Thin Client T530 | AMD Embedded G-Series GX-215JJ | 4GB | 256GB | Ubuntu Server (runs Pi-hole 24/7, primary DNS server) |
| Dell OptiPlex 3050 Micro | Intel Core i5-8500T | 16GB | 256GB | Proxmox VE (test environment) |
## VLAN Design
| VLAN ID | Name | Subnet | Connected devices |
|---------|------|--------|------------------|
| 10 | klaude | 192.168.1.0/24 | Klaude PC, HP thin client |
| 20 | kamange | 192.168.2.0/24 | Kamange PC, guest PC |
| 30 | others | 192.168.3.0/24 | EnGenius AP, Wi-Fi |
## Configuration
### Cisco ISR4321
For the router I used the "router on a stick" approach for inter-VLAN routing, and added a password for entering privileged EXEC mode as an extra layer of security.
```
! KlaudeRouter - Cisco ISR4321
! Last modified: Jun 2 2026
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname KlaudeRouter
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret
!
no aaa new-model
!
ip domain name KlaudeRouter
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.4.1
!
ip dhcp pool VLAN10
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.69 8.8.8.8
domain-name klaudeVlan10
default-router 192.168.1.1
lease infinite
!
ip dhcp pool VLAN20
network 192.168.2.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.2.1
domain-name klaudeVlan20
lease infinite
!
ip dhcp pool VLAN30
network 192.168.3.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.3.1
domain-name klaudeVlan30
lease infinite
!
ip dhcp pool DEFAULTVLAN
network 192.168.4.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.4.1
domain-name klaudeDefaultVlan
lease infinite
!
subscriber templating
multilink bundle-name authenticated
!
license udi pid ISR4321/K9 sn
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username secret
!
redundancy
mode none
!
interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1.1
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1.2
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1.3
encapsulation dot1Q 30
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1.4
encapsulation dot1Q 1 native
ip address 192.168.4.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
!
ip ssh version 2
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
!
control-plane
!
line con 0
login local
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 30 0
login local
transport input ssh
line vty 5 97
exec-timeout 30 0
login local
transport input ssh
!
end
```
### EnGenius EWS7928P
I configured the switch over a serial-to-USB adapter, using the PuTTY terminal to reach the switch's console. Port gi1 is configured as the trunk (hybrid) port that connects to the Cisco router, and the other ports are assigned to their VLANs, as shown in the configuration below.
```
! Firmware: v1.05.45-c1.8.57
!
ipv6 state autoconfig
username "admin" secret encrypted
username "klaude" secret encrypted
vlan 1
name "default"
vlan 10
name "klaude"
vlan 20
name "Kamange"
vlan 30
name "others"
spanning-tree mst configuration
name ""
!
snmp community private rw
snmp community public ro
snmp engineid
!
no ip telnet
ip ssh
!
interface gi1
switchport mode hybrid
switchport hybrid allowed vlan add 10,20,30 tagged
! Trunk port to Cisco ISR4321 - carries all VLANs tagged
!
interface gi3
switchport mode hybrid
switchport hybrid pvid 10
switchport hybrid allowed vlan add 10 untagged
! Access port - VLAN 10
!
interface gi5
switchport mode hybrid
switchport hybrid pvid 30
switchport hybrid allowed vlan add 30 untagged
switchport hybrid allowed vlan remove 1
! Access port - VLAN 30, removed from default VLAN
!
interface gi7
switchport mode hybrid
switchport hybrid pvid 10
switchport hybrid allowed vlan add 10 untagged
switchport hybrid allowed vlan remove 1
! Access port - VLAN 10
!
interface gi19
switchport mode hybrid
switchport hybrid pvid 20
switchport hybrid allowed vlan add 20 untagged
switchport hybrid allowed vlan remove 1
! Access port - VLAN 20
!
interface gi21
switchport mode hybrid
switchport hybrid pvid 10
switchport hybrid allowed vlan add 10 untagged
switchport hybrid allowed vlan remove 1
! Access port - VLAN 10
!
interface gi25
switchport mode hybrid
speed auto duplex full
!
interface gi26
switchport mode hybrid
speed auto duplex full
!
interface gi27
switchport mode hybrid
speed auto duplex full
!
interface gi28
switchport mode hybrid
speed auto duplex full
!
```
## How It Works
### Traffic Flow
Traffic from the ISP modem enters the Cisco ISR4321 router on interface G0/0/0 and is delivered to the internal network through G0/0/1.
### VLAN Routing
The Cisco ISR4321 routes every VLAN over a single physical interface (GigabitEthernet0/0/1) using dot1Q subinterfaces:
```
!
interface GigabitEthernet0/0/1.1
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1.2
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1.3
encapsulation dot1Q 30
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1.4
encapsulation dot1Q 1 native
ip address 192.168.4.1 255.255.255.0
ip nat inside
!
```
### Switching
The EnGenius EWS7928P connects to the Cisco router through gi1, a tagged trunk that carries VLANs 10, 20 and 30. Access ports are assigned per VLAN:
- gi3, gi7, gi21 → VLAN 10 (primary)
- gi19 → VLAN 20
- gi5 → VLAN 30 (guest)
### DHCP
Each VLAN has its own DHCP pool on the Cisco router.
The Cisco router's interface addresses are excluded from the pools.
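As an added example (not code from the original repository), the following Python script parses an EnGenius hybrid-port configuration and cross-checks it against the port-to-VLAN mapping above: every VLAN used as a PVID on an access port must be carried tagged on the trunk (assumed here to be gi1), each access port's PVID must be an untagged member, access ports must actually have been removed from VLAN 1, and the management hardening from the switch config (`no ip telnet`, `ip ssh`) must be present. It assumes, as the `remove 1` lines in the config imply, that a hybrid port starts out with PVID 1 and untagged membership in VLAN 1. The sample config is a constructed, trimmed copy of the page's switch config; run against it, the check reports gi3, which has no `remove 1` line, as still a member of VLAN 1. The function names are my own.

```python
import re

# Constructed sample: a trimmed copy of the EWS7928P config on this page
# (the uplink gi1 and three access ports; gi3 has no 'remove 1' line).
SAMPLE_SWITCH_CONFIG = """
vlan 10
name "klaude"
vlan 20
name "Kamange"
vlan 30
name "others"
!
no ip telnet
ip ssh
!
interface gi1
switchport mode hybrid
switchport hybrid allowed vlan add 10,20,30 tagged
!
interface gi3
switchport mode hybrid
switchport hybrid pvid 10
switchport hybrid allowed vlan add 10 untagged
!
interface gi5
switchport mode hybrid
switchport hybrid pvid 30
switchport hybrid allowed vlan add 30 untagged
switchport hybrid allowed vlan remove 1
!
interface gi19
switchport mode hybrid
switchport hybrid pvid 20
switchport hybrid allowed vlan add 20 untagged
switchport hybrid allowed vlan remove 1
!
"""


def vlan_set(spec):
    """Expand an EnGenius VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_ports(text):
    """Return {port: {'pvid', 'tagged', 'untagged'}} for every interface block.
    Assumption: a hybrid port starts with PVID 1 and untagged membership in VLAN 1,
    which is why the page's config removes VLAN 1 from access ports explicitly."""
    ports, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = ports.setdefault(m.group(1), {"pvid": 1, "tagged": set(), "untagged": {1}})
        elif line == "!" or not line:          # a bare '!' ends the interface block
            cur = None
        elif cur is None:
            continue
        elif m := re.match(r"switchport hybrid pvid (\d+)", line):
            cur["pvid"] = int(m.group(1))
        elif m := re.match(r"switchport hybrid allowed vlan add (\S+) (tagged|untagged)", line):
            cur[m.group(2)] |= vlan_set(m.group(1))
        elif m := re.match(r"switchport hybrid allowed vlan remove (\S+)", line):
            cur["tagged"] -= vlan_set(m.group(1))
            cur["untagged"] -= vlan_set(m.group(1))
    return ports


def audit_switch(text, trunk="gi1"):
    """Findings about trunk coverage, PVID membership, leftover VLAN 1 and management access."""
    ports, findings = parse_ports(text), []
    if not (re.search(r"^no ip telnet$", text, re.M) and re.search(r"^ip ssh$", text, re.M)):
        findings.append("management: Telnet not disabled or SSH not enabled")
    # access ports = every non-trunk port whose PVID was moved off VLAN 1
    access = {n: p for n, p in ports.items() if n != trunk and p["pvid"] != 1}
    missing = {p["pvid"] for p in access.values()} - ports.get(trunk, {"tagged": set()})["tagged"]
    if missing:
        findings.append(f"{trunk}: VLANs {sorted(missing)} used on access ports but not tagged on the trunk")
    for name, p in sorted(access.items()):
        if p["pvid"] not in p["untagged"]:
            findings.append(f"{name}: PVID {p['pvid']} is not an untagged member")
        if 1 in p["untagged"] or 1 in p["tagged"]:
            findings.append(f"{name}: still a member of VLAN 1 alongside VLAN {p['pvid']}")
    return findings


if __name__ == "__main__":
    for finding in audit_switch(SAMPLE_SWITCH_CONFIG) or ["OK: switch port/VLAN layout is consistent"]:
        print(finding)
```

Because the script models membership rather than matching lines, it also catches a trunk that forgot one VLAN (drop `20` from the gi1 `add` line and gi1 is reported) and a port whose PVID was changed without adding that VLAN untagged.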
```
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.4.1
!
```
The DHCP pool for each VLAN; only VLAN 10 uses the Pi-hole PC as its primary DNS server.
```
ip dhcp pool VLAN10
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.69 8.8.8.8
domain-name klaudeVlan10
default-router 192.168.1.1
lease infinite
!
ip dhcp pool VLAN20
network 192.168.2.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.2.1
domain-name klaudeVlan20
lease infinite
!
ip dhcp pool VLAN30
network 192.168.3.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.3.1
domain-name klaudeVlan30
lease infinite
!
ip dhcp pool DEFAULTVLAN
network 192.168.4.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.4.1
domain-name klaudeDefaultVlan
lease infinite
!
```
### DNS
The HP thin client, connected on VLAN 10, runs Pi-hole at 192.168.1.69, which is used as the primary DNS.
The Cisco ISR4321 also acts as the secondary/fallback DNS in case the HP thin client goes down.
### NAT
All four subnets are NATed out of GigabitEthernet0/0/0 using PAT (overload) on the Cisco router.
### Security
The Cisco ISR4321 router itself serves as the firewall, and Pi-hole (ad blocker and DNS server) is used for filtering.
## What I Learned
- Router on a stick for VLANs using dot1Q subinterfaces
- How different vendors handle configuration (Cisco, EnGenius)
- Inter-VLAN routing and a DHCP pool per VLAN
- The importance of excluding the gateway IP address from DHCP
- Improving security by enabling SSH and disabling Telnet on all devices
- How Pi-hole integrates as the primary DNS per VLAN
- Cisco IOS-XE software licensing limits
## What I Want to Improve (In Progress)
- Add the MikroTik as the edge firewall
- Implement inter-VLAN ACLs to isolate guest traffic
- Move routing to the MikroTik to get around the 50 Mbps limit
- Add Zabbix SNMP monitoring for all devices
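As an added example (not code from the original repository), here is a Python check that ties the VLAN routing, DHCP and NAT sections above together. It parses a constructed, trimmed copy of the KlaudeRouter config from this page (three of the four VLANs; the dns-server, domain-name and lease lines dropped) and verifies that every DHCP pool's `default-router` is the address of a dot1Q subinterface in the same subnet, that that address is excluded from the pool, that the subinterface carries `ip nat inside`, and that the pool's subnet is matched by the ACL referenced in the `ip nat inside source list ... overload` statement. Only the standard library is used; the function and sample names are my own.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the KlaudeRouter config on this page
# (body lines are unindented, exactly as they appear on the page).
SAMPLE_CONFIG = """
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.4.1
!
ip dhcp pool VLAN10
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool VLAN30
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
ip dhcp pool DEFAULTVLAN
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
!
interface GigabitEthernet0/0/1.1
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1.3
encapsulation dot1Q 30
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1.4
encapsulation dot1Q 1 native
ip address 192.168.4.1 255.255.255.0
ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
!
"""


def sections(text, prefix):
    """Map every block whose header starts with `prefix` to its body lines ('!' ends a block)."""
    out, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(prefix + " "):
            name = line[len(prefix) + 1:]
            out[name] = []
        elif line == "!" or not line:
            name = None
        elif name is not None:
            out[name].append(line)
    return out


def audit(text):
    """Return findings (empty list = consistent) for the DHCP/subinterface/NAT relationships."""
    findings, gateways = [], {}   # gateway IP -> (interface, ip_interface, has 'ip nat inside')
    for ifname, body in sections(text, "interface").items():
        vlan, addr, nat = None, None, False
        for line in body:
            if m := re.match(r"encapsulation dot1Q (\d+)", line):
                vlan = int(m.group(1))
            elif m := re.match(r"ip address (\S+) (\S+)$", line):
                addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            elif line == "ip nat inside":
                nat = True
        if vlan is not None and addr is not None:
            gateways[addr.ip] = (ifname, addr, nat)
    excluded = {ipaddress.ip_address(a) for a in re.findall(r"^ip dhcp excluded-address (\S+)", text, re.M)}
    nat_stmt = re.search(r"^ip nat inside source list (\S+) interface \S+ overload", text, re.M)
    permitted = []
    if nat_stmt:   # ip_network() accepts the ACL's wildcard mask as a host mask
        for net, wild in re.findall(rf"^access-list {nat_stmt.group(1)} permit (\S+) (\S+)", text, re.M):
            permitted.append(ipaddress.ip_network(f"{net}/{wild}"))
    else:
        findings.append("nat: no 'ip nat inside source list ... overload' statement")
    for pool, body in sections(text, "ip dhcp pool").items():
        net = gw = None
        for line in body:
            if m := re.match(r"network (\S+) (\S+)", line):
                net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            elif m := re.match(r"default-router (\S+)", line):
                gw = ipaddress.ip_address(m.group(1))
        if net is None or gw is None:
            findings.append(f"{pool}: missing network or default-router")
            continue
        if gw not in excluded:
            findings.append(f"{pool}: gateway {gw} not excluded from the pool")
        if gw not in gateways:
            findings.append(f"{pool}: no dot1Q subinterface owns gateway {gw}")
        else:
            ifname, addr, nat = gateways[gw]
            if addr.network != net:
                findings.append(f"{pool}: network {net} differs from {ifname} ({addr.network})")
            if not nat:
                findings.append(f"{pool}: {ifname} lacks 'ip nat inside'")
        if not any(net.subnet_of(p) for p in permitted):
            findings.append(f"{pool}: {net} not matched by NAT ACL")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["OK: DHCP pools, subinterfaces and NAT ACL agree"]:
        print(finding)
```

Run as-is it reports nothing; delete one `ip dhcp excluded-address` line, one ACL entry, or change a subinterface mask and the corresponding pool is named in the output, which is the kind of drift that is easy to introduce when a fifth VLAN is added later.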