大型企业网络案例.docx

有线网络结构设计背景1.1总介绍中国平安网络，由一个总公司网络、一个分公司网络和一个对外服务区组成。其中总公司网络和分公司网络在不同的地区，总公司和分公司都有公司内部的访问的数据中心（DMZ区）；对外服务区被托管在中国电信。路由器ISP模拟运营商中国电信。2.1总公司1）Router1作为边界路由也是核心层路由器；sw1、sw2是核心层交换机；sw3、sw4是汇聚层交换机，其中SW3分别连接了总公司部门1，总公司部门2和总公司部门3；SW4分别连接了总公司部门4，总公司部门5，总公司部门6，总公司Server以及无线路由器1。2）总公司Server只能为公司内部提供服务，不对外提供服务。部门1,2,3,6均可访问内网Web，Ftp和DNS服务器，部门4只可以访问内网FTP其他的都不可以访问， 部门5可以访问内网Web 3.1分公司Router9是出口路由器，其中sw5、sw4 是核心交换机，实现冗余架构；sw6、sw7是汇聚层交换机;其中SW6下面连接了部门1和部门2；SW7连接了部门3，部门4，Server 2以及无线路由器2。内网ACL配置：部门1，2，4可以访问内网中的Web和Ftp服务器，部门3只可以访问内网的ftp服务器。4.1中国电信企业总公司网络的出口路由器router1和分公司网络的出口路由器都与ISP相连接，其中 router1和ISP之间使用了ppp广域网协议，启用了chap的认真方式实现与互联网相连；R9使用帧中继技术与ISP相连。该企业的对外访问服务器托管到中国电信运营商。二、拓扑结构总体拓扑：总公司拓扑：分公司拓扑：ISP外网即帧中继：三、知识点1.静态路由 2.RIP 3.单区域OSPF 4.EIGRP 5.EIGRP非等价负载均衡 6.ppp封装（chap）7.帧中继 8.ACL访问控制 9.NAT地址转换 10.STP的配置 11.VLAN间的路由 12 EIGRP手动汇总 13.路由重分布 14.默认路由 15.Telnet 16.双链路冗余的备份 17.DHCP的使用四、主要功能部门1,2,3,6均可访问内网Web，Ftp和DNS服务器。部门4只可以访问内网FTP其他的都不可以访问。部门5可以访问内网Web和Ftp但不可以访问DNS。部门1，2,4可以访问外网Web以及公司总部的Web，Ftp服务器。部门3只可以访问公司总部的Ftp服务器。五、 主要配置清单分公司Switch7配置： (Switch#show running-config Building configuration.Current configuration : 2096 bytes!version 12.2no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname Switch!ip dhcp excluded-address 192.168.5.254ip dhcp excluded-address 192.168.7.254ip dhcp excluded-address 192.168.8.254ip dhcp excluded-address 192.168.6.254!ip dhcp pool vlan7network 192.168.7.0 255.255.255.0default-router 192.168.7.254dns-server 192.168.8.100ip dhcp pool vlan8network 192.168.8.0 255.255.255.0default-router 192.168.8.254dns-server 192.168.8.100!ip routing!spanning-tree mode pvst!interface FastEthernet0/1!interface FastEthernet0/2switchport access vlan 100switchport mode access!interface FastEthernet0/3!interface FastEthernet0/4!interface FastEthernet0/5switchport access vlan 7switchport mode access!interface FastEthernet0/6switchport access vlan 8switchport mode access!interface FastEthernet0/7!interface FastEthernet0/8!interface FastEthernet0/9!interface FastEthernet0/10!interface FastEthernet0/11!interface FastEthernet0/12!interface FastEthernet0/13!interface FastEthernet0/14!interface FastEthernet0/15!interface FastEthernet0/16!interface FastEthernet0/17!interface FastEthernet0/18!interface FastEthernet0/19!interface FastEthernet0/20!interface FastEthernet0/21!interface FastEthernet0/22!interface FastEthernet0/23!interface FastEthernet0/24!interface GigabitEthernet0/1!interface GigabitEthernet0/2!interface Vlan1no ip addressshutdown!interface Vlan7ip address 192.168.7.254 255.255.255.0!interface Vlan8ip address 192.168.8.254 255.255.255.0!interface Vlan100ip address 123.123.2.1 255.255.255.0!router eigrp 1distance eigrp 90 150redistribute ospf 1 metric 1000 100 255 1 1500 auto-summary!router ospf 1log-adjacency-changesnetwork 192.168.6.0 0.0.0.255 area 0network 192.168.7.0 0.0.0.255 area 0network 192.168.8.0 0.0.0.255 area 0!ip classless!ip flow-export version 9!line con 0!line aux 0!line vty 0 4login!end总公司sw4Switch#show runBuilding configuration.Current configuration : 2816 bytes!version 12.2no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname Switch!ip dhcp excluded-address 192.168.4.254ip dhcp excluded-address 192.168.5.254ip dhcp excluded-address 192.168.6.254ip dhcp excluded-address 192.168.7.254!ip dhcp pool vlan5network 192.168.5.0 255.255.255.0default-router 192.168.5.254dns-server 192.168.7.100ip dhcp pool vlan6network 192.168.6.0 255.255.255.0default-router 192.168.6.254dns-server 192.168.7.100ip dhcp pool vlan7network 192.168.7.0 255.255.255.0default-router 192.168.7.254dns-server 192.168.7.100!ip routing!spanning-tree mode pvst!interface FastEthernet0/1no switchportip address 192.168.11.2 255.255.255.0duplex autospeed auto!interface FastEthernet0/2!interface FastEthernet0/3!interface FastEthernet0/4!interface FastEthernet0/5switchport access vlan 5switchport mode access!interface FastEthernet0/6switchport access vlan 6switchport mode access!interface FastEthernet0/7switchport access vlan 7switchport mode access!interface FastEthernet0/8!interface FastEthernet0/9!interface FastEthernet0/10!interface FastEthernet0/11!interface FastEthernet0/12!interface FastEthernet0/13!interface FastEthernet0/14!interface FastEthernet0/15!interface FastEthernet0/16!interface FastEthernet0/17!interface FastEthernet0/18!interface FastEthernet0/19!interface FastEthernet0/20!interface FastEthernet0/21!interface FastEthernet0/22!interface FastEthernet0/23!interface FastEthernet0/24no switchportip address 192.168.1.2 255.255.255.0duplex autospeed auto!interface GigabitEthernet0/1!interface GigabitEthernet0/2!interface Vlan1no ip addressshutdown!interface Vlan5ip address 192.168.5.254 255.255.255.0!interface Vlan6ip address 192.168.6.254 255.255.255.0!interface Vlan7ip address 192.168.7.254 255.255.255.0ip access-group 100 out!router ripversion 2network 192.168.1.0network 192.168.5.0network 192.168.6.0network 192.168.7.0network 192.168.11.0!ip classless!ip flow-export version 9!access-list 100 permit tcp any host 192.168.7.100 eq wwwaccess-list 100 permit tcp any host 192.168.7.100 eq ftpaccess-list 100 permit udp 192.168.2.0 0.0.0.255 host 192.168.7.100 eq domainaccess-list 100 permit udp 192.168.3.0 0.0.0.255 host 192.168.7.100 eq domainaccess-list 100 permit udp 192.168.4.0 0.0.0.255 host 192.168.7.100 eq domainaccess-list 100 permit udp 192.168.7.0 0.0.0.255 host 192.168.7.100 eq domainaccess-list 100 deny tcp any host 192.168.7.100access-list 100 deny udp any host 192.168.7.100access-list 100 permit ip any any!line con 0!line aux 0!line vty 0 4login!end总公司SW3Switch#show runBuilding configuration.Current configuration : 1791 bytes!version 12.2no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname Switch!ip routing!spanning-tree mode pvst!interface FastEthernet0/1no switchportip address 192.168.10.2 255.255.255.0duplex autospeed auto!interface FastEthernet0/2switchport access vlan 2switchport mode access!interface FastEthernet0/3switchport access vlan 3switchport mode access!interface FastEthernet0/4switchport access vlan 4switchport mode access!interface FastEthernet0/5!interface FastEthernet0/6!interface FastEthernet0/7!interface FastEthernet0/8!interface FastEthernet0/9!interface FastEthernet0/10!interface FastEthernet0/11!interface FastEthernet0/12!interface FastEthernet0/13!interface FastEthernet0/14!interface FastEthernet0/15!interface FastEthernet0/16!interface FastEthernet0/17!interface FastEthernet0/18!interface FastEthernet0/19!interface FastEthernet0/20!interface FastEthernet0/21!interface FastEthernet0/22!interface FastEthernet0/23!interface FastEthernet0/24no switchportip address 192.168.1.1 255.255.255.0duplex autospeed auto!interface GigabitEthernet0/1!interface GigabitEthernet0/2!interface Vlan1no ip addressshutdown!interface Vlan2ip address 192.168.2.254 255.255.255.0!interface Vlan3ip address 192.168.3.254 255.255.255.0!interface Vlan4ip address 192.168.4.254 255.255.255.0!router ripversion 2network 192.168.1.0network 192.168.2.0network 192.168.3.0network 192.168.4.0network 192.168.5.0network 192.168.6.0network 192.168.10.0!ip classless!ip flow-export version 9!line con 0!line aux 0!line vty 0 4login!end总公司R1R1#show runBuilding configuration.Current configuration : 1575 bytes!version 12.4no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname R1!no ip cefno ipv6 cef!username ISP password 0 123!spanning-tree mode pvst!interface FastEthernet0/0ip address 172.16.11.1 255.255.255.0ip nat insideduplex autospeed auto!interface FastEthernet0/1ip address 172.16.22.1 255.255.255.0ip nat insideduplex autospeed auto!interface Serial0/3/0ip address 63.5.1.1 255.255.255.0encapsulation pppppp authentication chapip nat outsideclock rate 2000000!interface Serial0/3/1no ip addressclock rate 2000000shutdown!interface Vlan1no ip addressshutdown!router ripversion 2network 63.0.0.0network 172.16.0.0network 192.168.1.0network 192.168.2.0network 192.168.3.0network 192.168.4.0network 192.168.5.0network 192.168.6.0network 192.168.7.0network 192.168.10.0network 192.168.11.0!ip nat pool abc 63.5.1.10 63.5.1.50 netmask 255.255.255.0ip nat inside source list 10 pool abcip nat inside source static 192.168.7.100 63.5.1.100 ip classlessip route 0.0.0.0 0.0.0.0 63.5.1.2 !ip flow-export version 9!access-list 10 permit 192.168.2.0 0.0.0.255access-list 10 permit 192.168.3.0 0.0.0.255access-list 10 permit 192.168.4.0 0.0.0.255access-list 10 permit 192.168.5.0 0.0.0.255access-list 10 permit 192.168.6.0 0.0.0.255access-list 10 permit 192.168.7.0 0.0.0.255!no cdp run!line con 0!line aux 0!line vty 0 4password ciscologin!end分公司SW6Switch#show running-config Building configuration.Current configuration : 1429 bytes!version 12.2no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname Switch!ip routing!spanning-tree mode pvst!interface FastEthernet0/1switchport access vlan 100switchport mode access!interface FastEthernet0/2!interface FastEthernet0/3!interface FastEthernet0/4no switchportip address 192.168.4.2 255.255.255.0duplex autospeed auto!interface FastEthernet0/5!interface FastEthernet0/6!interface FastEthernet0/7!interface FastEthernet0/8!interface FastEthernet0/9!interface FastEthernet0/10!interface FastEthernet0/11!interface FastEthernet0/12!interface FastEthernet0/13!interface FastEthernet0/14!interface FastEthernet0/15!interface FastEthernet0/16!interface FastEthernet0/17!interface FastEthernet0/18!interface FastEthernet0/19!interface FastEthernet0/20!interface FastEthernet0/21!interface FastEthernet0/22!interface FastEthernet0/23!interface FastEthernet0/24!interface GigabitEthernet0/1!interface GigabitEthernet0/2!interface Vlan1no ip addressshutdown!interface Vlan100ip address 123.123.1.1 255.255.255.0!router eigrp 1distance eigrp 90 150redistribute ospf 1 metric 1000 100 255 1 1500 auto-summary!ip classless!ip flow-export version 9!line con 0!line aux 0!line vty 0 4login!end分公司R8Router#show runBuilding configuration.Current configuration : 753 bytes!version 12.4no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname Router!ip cefno ipv6 cef!spanning-tree mode pvst!interface FastEthernet0/0ip address 192.168.4.1 255.255.255.0duplex autospeed auto!interface FastEthernet0/1no ip addressduplex autospeed auto!interface FastEthernet0/1.1encapsulation dot1Q 6ip address 192.168.6.254 255.255.255.0!interface FastEthernet0/1.2encapsulation dot1Q 7ip address 192.168.5.254 255.255.255.0!interface Vlan1no ip addressshutdown!ip classless!ip flow-export version 9!no cdp run!line con 0!line aux 0!line vty 0 4login!end2.RIP配置（Switch 1,2,3,4和Route1）在Switch4上Rip 配置步骤：#ip routing(config)#router rip #version 2 #network 192.168.1.0#network 192.168.5.0#network 192.168.6.0#network 192.168.7.0 #network 192.168.11.0Switch 1,2,3,4和Route1配置步骤和Switch配置类似3.Route1 NAT配置 (config)#int f0/0 #ip nat inside #no shut(config)#int f0/1 #ip nat inside #no shut(config)#int s0/0/0 #ip nat outside #nos shut(config)# access-list 10 permit 192.168.2.0 0.0.0.255#access-list 10 permit 192.168.3.0 0.0.0.255#access-list 10 permit 192.168.4.0 0.0.0.255#access-list 10 permit 192.168.5.0 0.0.0.255#access-list 10 permit 192.168.6.0 0.0.0.255#access-list 10 permit 192.168.7.0 0.0.0.255(config)# ip nat pool abc 63.5.1.10 63.5.1.50 netmask 255.255.255.0(config)# ip nat inside source list 10 pool abc为服务器静态映射一个静态的公网地址：(config)# ip nat inside source static 192.168.7.100 63.5.1.100静态路由：(config)# ip route 0.0.0.0 0.0.0.0 63.5.1.24.PPP（chap）配置ISP的PPP配置： (config)# hostname ISP #username R1 password 0 123 (config)# interface Serial0/0/0# ip address 63.5.1.2 255.255.255.0 # encapsulation ppp# ppp authentication chap对应的总公司出口路由器R1 PPP配置：(config)# hostname R1 #username ISP password 0 123 (config)# interface Serial0/0/0# ip address 63.5.1.1 255.255.255.0#clock rate 64000 # encapsulation ppp# ppp authentication chap5.ACL配置内网配置需求:1.接入层共有6个部门：分别属于 VLAN 2,3,4,5,6,72.接入层ACL配置： 部门1,2,3,6均可访问内网Web，Ftp和DNS服务器 部门4只可以访问内网FTP其他的都不可以访问 部门5可以访问内网Web和Ftp但不可以访问DNS 也就是不能访问外网。由于内网服务器在VLAN7上因此 ，在Switch4上配置 ACL (config)# access-list 100 permit tcp any host 192.168.7.100 eq www#access-list 100 permit tcp any host 192.168.7.100 eq ftp#access-list 100 permit udp 192.168.2.0 0.0.0.255 host 192.168.7.100 eq domain#access-list 100 permit udp 192.168.3.0 0.0.0.255 host 192.168.7.100 eq domain#access-list 100 permit udp 192.168.4.0 0.0.0.255 host 192.168.7.100 eq domain#access-list 100 permit udp 192.168.7.0 0.0.0.255 host 192.168.7.100 eq domain#access-list 100 deny tcp any host 192.168.7.100#access-list 100 deny udp any host 192.168.7.100#access