[eNSP] Campus Network Design (No Redundancy)



2023-04-22 22:02 | Source: compiled from the web | Views: 265

Design requirements

- The information center uses Eth-Trunk for link redundancy.
- The internal network is split into several VLANs to shrink broadcast domains and improve stability.
- The core switch acts as the user gateway and routes between VLANs.
- All users obtain IP addresses automatically (DHCP).
- NAT is configured at the exit to translate internal addresses.
- Port 80 of the internal server is mapped at the exit so that external users can reach it.
- All devices can be managed remotely over Telnet.
- All campuses can reach each other, and the exit is redundant.
- The finance server may only be accessed by staff in VLAN 40.
- Staff in VLAN 20 may not access the Internet, and key devices are monitored in real time.

Topology

[topology diagram]

Configuration details

1. VLANs and trunks

First, configure the trunk ports and the VLAN assignment on the switch and router ports.

// Access switch JR_sw9 (information center)
[JR_sw9]vlan batch 200 900                                  // vlan 900 is the telnet management vlan
[JR_sw9]interface Eth-Trunk 1
[JR_sw9-Eth-Trunk1]mode lacp-static
[JR_sw9-Eth-Trunk1]trunkport GigabitEthernet 0/0/1 0/0/2
[JR_sw9-Eth-Trunk1]port link-type trunk
[JR_sw9-Eth-Trunk1]port trunk allow-pass vlan 200 900
[JR_sw9-Eth-Trunk1]quit
[JR_sw9]port-group group-member Ethernet 0/0/2 Ethernet 0/0/3
[JR_sw9-port-group]port link-type access                    // the switch echoes each port-group command once per member port
[JR_sw9-port-group]port default vlan 200                    // assign the server ports to vlan 200

// Access switch JR_sw5
[JR_sw5]vlan batch 10 900
[JR_sw5]port-group group-member Ethernet 0/0/2 Ethernet 0/0/3
[JR_sw5-port-group]port link-type access
[JR_sw5-port-group]port default vlan 10
[JR_sw5-port-group]quit
[JR_sw5]interface GigabitEthernet 0/0/1
[JR_sw5-GigabitEthernet0/0/1]port link-type trunk
[JR_sw5-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 900

// Access switch JR_sw6
[JR_sw6]vlan batch 20 900
[JR_sw6]interface Ethernet 0/0/1
[JR_sw6-Ethernet0/0/1]port link-type access
[JR_sw6-Ethernet0/0/1]port default vlan 20
[JR_sw6-Ethernet0/0/1]quit
[JR_sw6]interface GigabitEthernet 0/0/1
[JR_sw6-GigabitEthernet0/0/1]port link-type trunk
[JR_sw6-GigabitEthernet0/0/1]port trunk allow-pass vlan 20 900

// Aggregation switch HJ_sw2
[HJ_sw2]vlan batch 10 20 900
[HJ_sw2]interface GigabitEthernet 0/0/2
[HJ_sw2-GigabitEthernet0/0/2]port link-type trunk
[HJ_sw2-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 900
[HJ_sw2-GigabitEthernet0/0/2]quit
[HJ_sw2]interface GigabitEthernet 0/0/3
[HJ_sw2-GigabitEthernet0/0/3]port link-type trunk
[HJ_sw2-GigabitEthernet0/0/3]port trunk allow-pass vlan 20 900
[HJ_sw2-GigabitEthernet0/0/3]quit
[HJ_sw2]interface GigabitEthernet 0/0/1
[HJ_sw2-GigabitEthernet0/0/1]port link-type trunk
[HJ_sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 900
// The aggregation and access switches of the teaching building and the administration
// building are configured in the same way and are not shown.

// Core switch HX_sw1
[HX_sw1]vlan batch 10 20 30 40 200 800 900
[HX_sw1]interface Eth-Trunk 1
[HX_sw1-Eth-Trunk1]mode lacp-static
[HX_sw1-Eth-Trunk1]trunkport GigabitEthernet 0/0/2 0/0/5
[HX_sw1-Eth-Trunk1]port link-type trunk
[HX_sw1-Eth-Trunk1]port trunk allow-pass vlan 200 900
[HX_sw1-Eth-Trunk1]quit
[HX_sw1]interface GigabitEthernet 0/0/1
[HX_sw1-GigabitEthernet0/0/1]port link-type trunk
[HX_sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 900
[HX_sw1-GigabitEthernet0/0/1]quit
[HX_sw1]interface GigabitEthernet 0/0/3
[HX_sw1-GigabitEthernet0/0/3]port link-type trunk
[HX_sw1-GigabitEthernet0/0/3]port trunk allow-pass vlan 30 900
[HX_sw1-GigabitEthernet0/0/3]quit
[HX_sw1]interface GigabitEthernet 0/0/4
[HX_sw1-GigabitEthernet0/0/4]port link-type trunk
[HX_sw1-GigabitEthernet0/0/4]port trunk allow-pass vlan 40 900
[HX_sw1-GigabitEthernet0/0/4]quit
[HX_sw1]interface GigabitEthernet 0/0/24                    // link to R1
[HX_sw1-GigabitEthernet0/0/24]port link-type access
[HX_sw1-GigabitEthernet0/0/24]port default vlan 800

2. Gateway (SVI) configuration

// Giving each VLAN interface an IP address makes the core switch the user gateway and provides inter-VLAN routing.
[HX_sw1]interface Vlanif 10
[HX_sw1-Vlanif10]ip address 192.168.10.1 24
[HX_sw1-Vlanif10]quit
[HX_sw1]interface Vlanif 20
[HX_sw1-Vlanif20]ip address 192.168.20.1 24
[HX_sw1-Vlanif20]quit
[HX_sw1]interface Vlanif 30
[HX_sw1-Vlanif30]ip address 192.168.30.1 24
[HX_sw1-Vlanif30]quit
[HX_sw1]interface Vlanif 40
[HX_sw1-Vlanif40]ip address 192.168.40.1 24
[HX_sw1-Vlanif40]quit
[HX_sw1]interface Vlanif 200
[HX_sw1-Vlanif200]ip address 192.168.200.1 24
[HX_sw1-Vlanif200]quit
[HX_sw1]interface Vlanif 800                                // toward R1 (192.168.254.1)
[HX_sw1-Vlanif800]ip address 192.168.254.2 24

3. DHCP configuration

// Hosts in each VLAN obtain an address from the pool whose gateway is their VLAN interface.
[HX_sw1]dhcp enable
[HX_sw1]ip pool syl_vlan10
[HX_sw1-ip-pool-syl_vlan10]network 192.168.10.0 mask 24
[HX_sw1-ip-pool-syl_vlan10]gateway-list 192.168.10.1
[HX_sw1-ip-pool-syl_vlan10]dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-syl_vlan10]quit
[HX_sw1]ip pool syl_vlan20
[HX_sw1-ip-pool-syl_vlan20]gateway-list 192.168.20.1
[HX_sw1-ip-pool-syl_vlan20]network 192.168.20.0 mask 255.255.255.0
[HX_sw1-ip-pool-syl_vlan20]dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-syl_vlan20]quit
[HX_sw1]ip pool jxl_vlan30
[HX_sw1-ip-pool-jxl_vlan30]gateway-list 192.168.30.1
[HX_sw1-ip-pool-jxl_vlan30]network 192.168.30.0 mask 255.255.255.0
[HX_sw1-ip-pool-jxl_vlan30]dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-jxl_vlan30]quit
[HX_sw1]ip pool xzl_vlan40
[HX_sw1-ip-pool-xzl_vlan40]gateway-list 192.168.40.1
[HX_sw1-ip-pool-xzl_vlan40]network 192.168.40.0 mask 255.255.255.0
[HX_sw1-ip-pool-xzl_vlan40]dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-xzl_vlan40]quit
// On VRP each gateway interface must also be told to hand out addresses from the global pools.
// This step is missing from the original transcript; without it clients receive no lease.
[HX_sw1]interface Vlanif 10
[HX_sw1-Vlanif10]dhcp select global
[HX_sw1-Vlanif10]quit
// repeat "dhcp select global" on Vlanif 20, 30 and 40

4. OSPF configuration

// Interface addresses on R1 (the address configuration itself is not shown)
[R1]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 6
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 6
The number of interface that is DOWN in Protocol is 2

Interface                         IP Address/Mask      Physical   Protocol
GigabitEthernet0/0/0              192.168.254.1/24     up         up
GigabitEthernet0/0/1              unassigned           down       down
GigabitEthernet0/0/2              unassigned           down       down
GigabitEthernet1/0/0              192.168.104.1/30     up         up
GigabitEthernet2/0/0              12.1.1.1/29          up         up
GigabitEthernet3/0/0              13.1.1.1/29          up         up
GigabitEthernet4/0/0              192.168.105.1/30     up         up
NULL0                             unassigned           up         up(s)

// OSPF on the core switch: every connected network is advertised into area 0.
// The other routers and switches advertise their own networks the same way (not shown).
[HX_sw1-ospf-1]display this
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 192.168.200.0 0.0.0.255
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 192.168.40.0 0.0.0.255
  network 192.168.254.0 0.0.0.255
#
return

// Routing table of HX_sw1 after OSPF has converged; the 192.168.100.0/24, 104/30, 105/30
// and 150.0/24 entries are learned from R1 over Vlanif 800
[HX_sw1]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 18       Routes : 18

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
127.0.0.0/8         Direct  0    0      D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D     127.0.0.1       InLoopBack0
192.168.10.0/24     Direct  0    0      D     192.168.10.1    Vlanif10
192.168.10.1/32     Direct  0    0      D     127.0.0.1       Vlanif10
192.168.20.0/24     Direct  0    0      D     192.168.20.1    Vlanif20
192.168.20.1/32     Direct  0    0      D     127.0.0.1       Vlanif20
192.168.30.0/24     Direct  0    0      D     192.168.30.1    Vlanif30
192.168.30.1/32     Direct  0    0      D     127.0.0.1       Vlanif30
192.168.40.0/24     Direct  0    0      D     192.168.40.1    Vlanif40
192.168.40.1/32     Direct  0    0      D     127.0.0.1       Vlanif40
192.168.100.0/24    OSPF    10   3      D     192.168.254.1   Vlanif800
192.168.104.0/30    OSPF    10   2      D     192.168.254.1   Vlanif800
192.168.105.0/30    OSPF    10   2      D     192.168.254.1   Vlanif800
192.168.150.0/24    OSPF    10   3      D     192.168.254.1   Vlanif800
192.168.200.0/24    Direct  0    0      D     192.168.200.1   Vlanif200
192.168.200.1/32    Direct  0    0      D     127.0.0.1       Vlanif200
192.168.254.0/24    Direct  0    0      D     192.168.254.2   Vlanif800
192.168.254.2/32    Direct  0    0      D     127.0.0.1       Vlanif800

At this point the internal network is fully connected; verify it by testing connectivity between the VLANs and campuses (method not shown).

5. WAN exit routing

Exit path selection is normally done on a firewall; in this lab a router serves as the exit device.

[HX_sw1]ip route-static 0.0.0.0 0.0.0.0 192.168.254.1        // default route from the core to R1
[R1]ip route-static 0.0.0.0 0 12.1.1.6                       // primary default route via YD_R2 (default preference 60)
[R1]ip route-static 0.0.0.0 0 13.1.1.6 preference 80         // backup default route via the China Unicom link (LT_R3); a higher preference value is less preferred

The second default route is a floating static route: it is installed only when the primary disappears, which on a static route happens only if the interface toward 12.1.1.6 goes down. A failure further upstream in the provider network is not detected this way.

Next, configure loopback addresses on R2 and R3 to simulate a host on the Internet (Baidu, 9.9.9.9).

[YD_R2]interface LoopBack 0
[YD_R2-LoopBack0]ip address 9.9.9.9 24
[YD_R2-LoopBack0]description baidu
[LT_R3]interface LoopBack 0
[LT_R3-LoopBack0]ip address 9.9.9.9 24

6. NAT configuration

The internal network can now reach the ISP routers, but internal addresses must be translated to public addresses with NAT before hosts can reach the Internet.

[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255    // every internal address is eligible for translation
[R1-acl-basic-2000]quit
[R1]interface GigabitEthernet 2/0/0
[R1-GigabitEthernet2/0/0]nat outbound 2000
[R1-GigabitEthernet2/0/0]quit
[R1]interface GigabitEthernet 3/0/0
[R1-GigabitEthernet3/0/0]nat outbound 2000
// PCs can now ping the simulated Internet host 9.9.9.9

// Map port 80 of the internal web server to the public address of each ISP-facing interface
[R1]interface GigabitEthernet 2/0/0
[R1-GigabitEthernet2/0/0]nat server protocol tcp global current-interface 80 inside 192.168.200.10 80
Warning:The port 80 is well-known port. If you continue it may cause function failure. Are you sure to continue?[Y/N]:y
[R1-GigabitEthernet2/0/0]interface GigabitEthernet 3/0/0
[R1-GigabitEthernet3/0/0]nat server protocol tcp global current-interface www inside 192.168.200.10 www
Warning:The port 80 is well-known port. If you continue it may cause function failure. Are you sure to continue?[Y/N]:y
// "www" is the VRP keyword for TCP port 80; both forms publish the internal web service on port 80

7. Telnet remote management

[HX_sw1]aaa
[HX_sw1-aaa]local-user xs privilege level 3 password cipher 123
[HX_sw1-aaa]local-user xs service-type telnet
[HX_sw1-aaa]quit
[HX_sw1]user-interface vty 0 4
[HX_sw1-ui-vty0-4]authentication-mode aaa
// The other routers and switches are configured with the same commands.

Two cautions for anything beyond a lab: Telnet carries the user name and password in cleartext on the wire, and "123" on a privilege-level-3 account is a trivially guessable password for full control of the core. Use STelnet (SSH) instead of Telnet, choose a strong password, and restrict the VTY lines to the management VLAN (vlan 900 here) with an ACL.

8. Access control

[HX_sw1]acl 3000
[HX_sw1-acl-adv-3000]rule permit ip source 192.168.40.0 0.0.0.255 destination 192.168.200.20 0
[HX_sw1-acl-adv-3000]rule deny ip source any destination 192.168.200.20 0
[HX_sw1-acl-adv-3000]quit
[HX_sw1]interface Eth-Trunk 1
[HX_sw1-Eth-Trunk1]traffic-filter outbound acl 3000
[HX_sw1-Eth-Trunk1]display this
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 200 900
 traffic-filter outbound acl 3000
 mode lacp-static
#
return
// Only VLAN 40 (administration building) may reach the finance server 192.168.200.20

Two properties of this filter are worth knowing. First, VRP traffic-filter permits any packet that matches no rule, so the rest of VLAN 200, including the web server 192.168.200.10, stays reachable from every VLAN; only the finance server is restricted. Second, the filter sits on the core's Eth-Trunk 1 and therefore sees only traffic routed into VLAN 200. Hosts already inside VLAN 200, such as the web server that the NAT mapping above exposes to the Internet, reach the finance server through JR_sw9 without ever passing this ACL.

[R1]acl 3001
[R1-acl-adv-3001]rule permit ip destination 192.168.0.0 0.0.255.255    // traffic to the other campuses is allowed
[R1-acl-adv-3001]rule deny ip source 192.168.20.0 0.0.0.255           // everything else from VLAN 20 is dropped
[R1-acl-adv-3001]quit
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3001
// Deny VLAN 20 access to the Internet

Rules are matched in configured order, so the permit for 192.168.0.0/16 destinations must precede the deny; otherwise VLAN 20 would also lose access to the other campuses.

9. SNMP monitoring

Monitoring involves many different products; choose and configure one yourself. It is not covered here.
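The policy from sections 6 and 8 can be checked offline before it is pushed to the lab. The following Python script is an added example and is not part of the original article: it parses the rule lines exactly as typed into VRP, applies wildcard-mask matching and first-match-in-configured-order evaluation, and places each ACL at the filter point the topology gives it (ACL 3000 outbound on HX_sw1 Eth-Trunk 1, ACL 3001 inbound on R1 G0/0/0, ACL 2000 as the NAT match on the ISP interfaces). The ACLs, subnets and filter points are the page's own; the host addresses in the test cases (192.168.40.5, 192.168.10.5, 192.168.20.5, 192.168.30.9, 192.168.100.7) are assumed.

```python
"""Offline model of the VRP ACLs in sections 6 and 8 (added example, not from the page)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Spec = Tuple[int, int]          # (address, wildcard) as 32-bit integers


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: Optional[Spec]         # None means "any"
    dst: Optional[Spec]


def _spec(address: str, wildcard: str) -> Spec:
    # VRP accepts a bare "0" as the host wildcard 0.0.0.0
    wildcard = "0.0.0.0" if wildcard == "0" else wildcard
    return int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(wildcard))


def _match(addr: str, spec: Optional[Spec]) -> bool:
    if spec is None:
        return True
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard bit 1 = don't care, 0 = must match
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def parse_rule(line: str) -> Rule:
    """Parse one 'rule ...' line of a basic (2000) or advanced (3000) VRP ACL."""
    tokens = line.split()
    if tokens[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    i = 1
    if tokens[i].isdigit():                # optional explicit rule number
        i += 1
    action, i = tokens[i], i + 1
    if i < len(tokens) and tokens[i] in ("ip", "tcp", "udp", "icmp"):
        i += 1                             # advanced ACLs carry a protocol field
    src = dst = None
    while i < len(tokens):
        key = tokens[i]
        if key not in ("source", "destination"):
            raise ValueError(f"unsupported keyword {key!r} in {line!r}")
        if tokens[i + 1] == "any":
            value, i = None, i + 2
        else:
            value, i = _spec(tokens[i + 1], tokens[i + 2]), i + 3
        if key == "source":
            src = value
        else:
            dst = value
    return Rule(action, src, dst)


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """First matching rule wins, in configured order; None if nothing matched."""
    for rule in rules:
        if _match(src, rule.src) and _match(dst, rule.dst):
            return rule.action
    return None


def filter_decision(rules: List[Rule], src: str, dst: str) -> str:
    """traffic-filter semantics: a packet matching no rule is permitted."""
    return evaluate(rules, src, dst) or "permit"


# The three ACLs exactly as configured on the page.
ACL_2000 = parse_acl("rule permit source 192.168.0.0 0.0.255.255")
ACL_3000 = parse_acl("""
rule permit ip source 192.168.40.0 0.0.0.255 destination 192.168.200.20 0
rule deny ip source any destination 192.168.200.20 0
""")
ACL_3001 = parse_acl("""
rule permit ip destination 192.168.0.0 0.0.255.255
rule deny ip source 192.168.20.0 0.0.0.255
""")

# Where each filter sits, taken from the topology in sections 1 to 5.
CAMPUS_VLANS = [ipaddress.ip_network(n) for n in (
    "192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24",
    "192.168.40.0/24", "192.168.200.0/24")]
SERVER_VLAN = ipaddress.ip_network("192.168.200.0/24")
PRIVATE = ipaddress.ip_network("192.168.0.0/16")      # all campuses, routed by OSPF


def forwarding_verdict(src: str, dst: str) -> str:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in n and d in n for n in CAMPUS_VLANS):
        # Switched inside the access layer; the core's Eth-Trunk1 filter is never hit.
        return "permit (intra-VLAN, no filter consulted)"
    if d in SERVER_VLAN:
        # Routed by HX_sw1 into VLAN 200: ACL 3000 outbound on Eth-Trunk1.
        return "permit" if filter_decision(ACL_3000, src, dst) == "permit" else "deny by acl 3000"
    if any(d in n for n in CAMPUS_VLANS):
        return "permit"                     # inter-VLAN routing on HX_sw1, unfiltered
    # Leaves the core toward R1: ACL 3001 inbound on R1 G0/0/0.
    if filter_decision(ACL_3001, src, dst) == "deny":
        return "deny by acl 3001"
    if d in PRIVATE:
        return "permit"                     # another campus, forwarded without NAT
    if evaluate(ACL_2000, src, dst) == "permit":
        return "permit (nat outbound)"
    return "permit (untranslated)"


if __name__ == "__main__":
    # Assumed host addresses; only the subnets come from the page.
    for src, dst in [("192.168.40.5", "192.168.200.20"), ("192.168.10.5", "192.168.200.20"),
                     ("192.168.200.10", "192.168.200.20"), ("192.168.20.5", "9.9.9.9"),
                     ("192.168.20.5", "192.168.100.7"), ("192.168.10.5", "9.9.9.9")]:
        print(f"{src:>16} -> {dst:<16} {forwarding_verdict(src, dst)}")
```

The third test case is the one a reviewer should look at: the web server in VLAN 200 reaches the finance server without the core ever evaluating ACL 3000, so the "VLAN 40 only" requirement holds for routed traffic but not for hosts that share the server VLAN.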


