[eNSP] Campus network design (no redundancy)
Design requirements
- The information center is connected over an Eth-Trunk for link redundancy
- The intranet is split into several VLANs to shrink broadcast domains and improve stability
- The core switch is the users' gateway and performs inter-VLAN routing
- All users obtain their IP addresses automatically (DHCP)
- NAT is configured at the exit for address translation
- Port 80 of the internal server is mapped out at the exit so that external users can reach it
- All devices can be managed remotely over telnet
- All campuses can reach each other, and the exit is redundant
- Only staff in VLAN 40 may access the finance server
- Staff in VLAN 20 may not reach the internet, and key devices are monitored in real time
Topology diagram (the figure is not reproduced in this text)
Configuration details
1. VLAN and trunk configuration
Start with the trunk ports and the VLAN assignment on the switches. In the listings below, the lines echoed with an `Ethernet0/0/x` prompt right after a `port-group` command are the switch applying that command to each member port, not extra commands. Note that a VRP trunk port allows VLAN 1 by default, so every trunk here also carries VLAN 1 in addition to the VLANs listed in `port trunk allow-pass`; where VLAN 1 is unused, remove it with `undo port trunk allow-pass vlan 1`.
//Access switch sw9
[JR_sw9]vlan batch 200 900
[JR_sw9]int Eth-Trunk 1
[JR_sw9-Eth-Trunk1]mode lacp-static
[JR_sw9-Eth-Trunk1]trunkport gi 0/0/1 0/0/2
[JR_sw9-Eth-Trunk1]port link-type trunk
[JR_sw9-Eth-Trunk1]port trunk allow-pass vlan 200 900 //VLAN 900 is the telnet management VLAN
[JR_sw9]port-g g Ethernet 0/0/2 Ethernet 0/0/3
[JR_sw9-port-group]port link-type acc
[JR_sw9-Ethernet0/0/2]port link-type acc
[JR_sw9-Ethernet0/0/3]port link-type acc
[JR_sw9-port-group]port de vlan 200
[JR_sw9-Ethernet0/0/2]port de vlan 200
[JR_sw9-Ethernet0/0/3]port de vlan 200 //VLAN assignment of the access ports
//Access switch sw5
[JR_sw5]vlan batch 10 900
[JR_sw5]port-g g e0/0/2 e0/0/3
[JR_sw5-port-group]port link-type acc
[JR_sw5-Ethernet0/0/2]port link-type acc
[JR_sw5-Ethernet0/0/3]port link-type acc
[JR_sw5-port-group]port de vlan 10
[JR_sw5-Ethernet0/0/2]port de vlan 10
[JR_sw5-Ethernet0/0/3]port de vlan 10
[JR_sw5-port-group]qu
[JR_sw5]int g0/0/1
[JR_sw5-GigabitEthernet0/0/1]port link-type trunk
[JR_sw5-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 900
//Access switch sw6
[JR_sw6]vlan batch 20 900
[JR_sw6]int e0/0/1
[JR_sw6-Ethernet0/0/1]port link-type acc
[JR_sw6-Ethernet0/0/1]port de vlan 20
[JR_sw6-Ethernet0/0/1]qu
[JR_sw6]int g0/0/1
[JR_sw6-GigabitEthernet0/0/1]port link-type trunk
[JR_sw6-GigabitEthernet0/0/1]port trunk allow-pass vlan 20 900
//Aggregation switch sw2
[HJ_sw2]vlan batch 20 10 900
[HJ_sw2]int g0/0/2
[HJ_sw2-GigabitEthernet0/0/2]port link-ty trunk
[HJ_sw2-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 900
[HJ_sw2-GigabitEthernet0/0/2]qu
[HJ_sw2]int g0/0/3
[HJ_sw2-GigabitEthernet0/0/3]port link-type trunk
[HJ_sw2-GigabitEthernet0/0/3]port trunk allow-pass vlan 20 900
[HJ_sw2-GigabitEthernet0/0/3]qu
[HJ_sw2]int g0/0/1
[HJ_sw2-GigabitEthernet0/0/1]port link-type trunk
[HJ_sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 900
//The aggregation and access switches of the teaching building and the administration building are configured the same way and are not shown here
//Core switch sw1
[HX_sw1]vlan batch 10 20 30 40 200 800 900
[HX_sw1]int Eth-Trunk 1
[HX_sw1-Eth-Trunk1]mode lacp-static
[HX_sw1-Eth-Trunk1]trunkport gi 0/0/2 0/0/5
[HX_sw1-Eth-Trunk1]port link-type trunk
[HX_sw1-Eth-Trunk1]port trunk allow-pass vlan 200 900
[HX_sw1]int g0/0/1
[HX_sw1-GigabitEthernet0/0/1]port link-ty trunk
[HX_sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 900
[HX_sw1-GigabitEthernet0/0/1]qu
[HX_sw1]int g0/0/3
[HX_sw1-GigabitEthernet0/0/3]port link-ty trunk
[HX_sw1-GigabitEthernet0/0/3]port trunk allow-pass vlan 30 900
[HX_sw1-GigabitEthernet0/0/3]qu
[HX_sw1]int g0/0/4
[HX_sw1-GigabitEthernet0/0/4]port link-ty trunk
[HX_sw1-GigabitEthernet0/0/4]port trunk allow-pass vlan 40 900
[HX_sw1-GigabitEthernet0/0/4]qu
[HX_sw1]int g0/0/24
[HX_sw1-GigabitEthernet0/0/24]port link-ty acc
[HX_sw1-GigabitEthernet0/0/24]port de vlan 800
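The allow-lists above have to agree at both ends of every trunk, and the management VLAN 900 has to survive the whole path from the core to each access switch, or telnet management silently breaks for part of the network. The script below is an added example, not part of the original page: it takes the allow-lists exactly as configured in this section, checks each trunk for asymmetry, and walks the trunk graph from HX_sw1 to see which switches each VLAN actually reaches. Which HJ_sw2 port faces which access switch is an assumption read off the VLANs each port carries, since the topology figure is not reproduced here; the switches the page does not show are left out. It also runs a constructed fault (VLAN 900 forgotten on one side of the HJ_sw2 uplink) to show what the audit reports.

```python
"""Added example (not from the original page): audit the trunk allow-lists of
section 1 for the two faults that most often break a VLAN design: a trunk whose
two ends allow different VLANs, and a VLAN that is cut off from its gateway or
from the management VLAN somewhere along the path.

The allow-lists are the ones the page configures. Which HJ_sw2 port faces which
access switch is an assumption inferred from the VLANs each port carries.
"""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

# (switch_a, port_a, allowed_a, switch_b, port_b, allowed_b)
Trunk = Tuple[str, str, Set[int], str, str, Set[int]]

TRUNKS: List[Trunk] = [
    ("JR_sw9", "Eth-Trunk1", {200, 900}, "HX_sw1", "Eth-Trunk1", {200, 900}),
    ("JR_sw5", "GE0/0/1", {10, 900}, "HJ_sw2", "GE0/0/2", {10, 900}),        # port pairing assumed
    ("JR_sw6", "GE0/0/1", {20, 900}, "HJ_sw2", "GE0/0/3", {20, 900}),        # port pairing assumed
    ("HJ_sw2", "GE0/0/1", {10, 20, 900}, "HX_sw1", "GE0/0/1", {10, 20, 900}),
]
# VLANs that have access ports on each switch; their gateway Vlanif lives on HX_sw1.
ACCESS: Dict[str, Set[int]] = {"JR_sw9": {200}, "JR_sw5": {10}, "JR_sw6": {20}}
CORE = "HX_sw1"
MGMT_VLAN = 900


def asymmetric_links(trunks: Iterable[Trunk]) -> List[Tuple[str, str, str, str, Set[int]]]:
    """Trunks whose two ends disagree, with the VLANs that only one side allows."""
    return [(a, pa, b, pb, sa ^ sb) for a, pa, sa, b, pb, sb in trunks if sa != sb]


def reachable_switches(trunks: Iterable[Trunk], vlan: int, start: str = CORE) -> Set[str]:
    """Switches that receive frames of `vlan` from `start`.

    A trunk carries a VLAN only if both ends allow it: a one-sided allow-pass
    means the far end drops the tagged frames, so it counts as no link at all.
    """
    trunks = list(trunks)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for a, _, sa, b, _, sb in trunks:
            if vlan not in sa or vlan not in sb:
                continue
            for here, there in ((a, b), (b, a)):
                if here == cur and there not in seen:
                    seen.add(there)
                    queue.append(there)
    return seen


def audit(trunks: Iterable[Trunk], access: Dict[str, Set[int]] = ACCESS,
          mgmt: int = MGMT_VLAN, core: str = CORE) -> List[str]:
    """One line per problem found; an empty list means the design is consistent."""
    trunks = list(trunks)
    problems = []
    for a, pa, b, pb, diff in asymmetric_links(trunks):
        problems.append(f"allow-list mismatch {a} {pa} <-> {b} {pb}: vlan {sorted(diff)}")
    switches = {s for t in trunks for s in (t[0], t[3])}
    for sw in sorted(switches - reachable_switches(trunks, mgmt, core)):
        problems.append(f"management vlan {mgmt} does not reach {sw}")
    for sw, vlans in sorted(access.items()):
        for v in sorted(vlans):
            if sw not in reachable_switches(trunks, v, core):
                problems.append(f"vlan {v} hosts on {sw} cannot reach their gateway on {core}")
    return problems


def with_forgotten_mgmt_vlan(trunks: Iterable[Trunk]) -> List[Trunk]:
    """Constructed fault: HJ_sw2 GE0/0/1 configured with 'allow-pass vlan 10 20' only."""
    out = []
    for a, pa, sa, b, pb, sb in trunks:
        if (a, pa) == ("HJ_sw2", "GE0/0/1"):
            sa = sa - {MGMT_VLAN}
        out.append((a, pa, sa, b, pb, sb))
    return out


if __name__ == "__main__":
    print("page configuration:", audit(TRUNKS) or "no problems")
    print("with vlan 900 missing on HJ_sw2 GE0/0/1:")
    for line in audit(with_forgotten_mgmt_vlan(TRUNKS)):
        print("  ", line)
```

With the page's allow-lists the audit finds nothing. The constructed fault produces four findings: the mismatch itself, and management VLAN 900 no longer reaching HJ_sw2, JR_sw5 or JR_sw6, while user VLANs 10 and 20 still reach their gateway, which is exactly the kind of failure that goes unnoticed until someone tries to telnet to an aggregation switch.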
2. Gateway SVI configuration
//Giving each VLAN an IP address on its Vlanif makes the core the users' gateway and routes between the VLANs. Vlanif 800 (192.168.254.2/24) is the routed uplink to R1's GigabitEthernet0/0/0 (192.168.254.1). No Vlanif 900 is shown, although the telnet requirement relies on a management address in that VLAN on each switch.
[HX_sw1]int vlanif 10
[HX_sw1-Vlanif10]ip add 192.168.10.1 24
[HX_sw1-Vlanif10]qu
[HX_sw1]in vlanif 20
[HX_sw1-Vlanif20]ip add 192.168.20.1 24
[HX_sw1-Vlanif20]qu
[HX_sw1]int vlanif 30
[HX_sw1-Vlanif30]ip add 192.168.30.1 24
[HX_sw1-Vlanif30]qu
[HX_sw1]int vlanif 40
[HX_sw1-Vlanif40]ip add 192.168.40.1 24
[HX_sw1-Vlanif40]qu
[HX_sw1]int vlanif 200
[HX_sw1-Vlanif200]ip add 192.168.200.1 24
[HX_sw1]int vlanif 800
[HX_sw1-Vlanif800]ip add 192.168.254.2 24
3. DHCP configuration
//Hosts in each VLAN obtain an address from the pool of their VLAN, with that VLAN's Vlanif as gateway. On VRP the global pools below are only handed out once each Vlanif is also configured with `dhcp select global`, which the page does not show.
[HX_sw1]dhcp en
[HX_sw1]ip pool SYL_vlan10
[HX_sw1-ip-pool-syl_vlan10]network 192.168.10.0 mask 24
[HX_sw1-ip-pool-syl_vlan10]gateway-list 192.168.10.1
[HX_sw1-ip-pool-syl_vlan10]dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-syl_vlan10]qu
[HX_sw1]ip pool syl_vlan20
[HX_sw1-ip-pool-syl_vlan20] gateway-list 192.168.20.1
[HX_sw1-ip-pool-syl_vlan20] network 192.168.20.0 mask 255.255.255.0
[HX_sw1-ip-pool-syl_vlan20] dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-syl_vlan20]ip pool jxl_vlan30
[HX_sw1-ip-pool-jxl_vlan30] gateway-list 192.168.30.1
[HX_sw1-ip-pool-jxl_vlan30] network 192.168.30.0 mask 255.255.255.0
[HX_sw1-ip-pool-jxl_vlan30] dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-jxl_vlan30]ip pool xzl_vlan40
[HX_sw1-ip-pool-xzl_vlan40] gateway-list 192.168.40.1
[HX_sw1-ip-pool-xzl_vlan40] network 192.168.40.0 mask 255.255.255.0
[HX_sw1-ip-pool-xzl_vlan40] dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-xzl_vlan40]qu
4. OSPF configuration
[R1]dis ip int bri
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 6
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 6
The number of interface that is DOWN in Protocol is 2
Interface                         IP Address/Mask      Physical   Protocol
GigabitEthernet0/0/0              192.168.254.1/24     up         up
GigabitEthernet0/0/1              unassigned           down       down
GigabitEthernet0/0/2              unassigned           down       down
GigabitEthernet1/0/0              192.168.104.1/30     up         up
GigabitEthernet2/0/0              12.1.1.1/29          up         up
GigabitEthernet3/0/0              13.1.1.1/29          up         up
GigabitEthernet4/0/0              192.168.105.1/30     up         up
NULL0                             unassigned           up         up(s)
[R1] //R1's interface addresses: g0/0/0 faces the core, g2/0/0 and g3/0/0 face the two carriers (12.1.1.0/29 and 13.1.1.0/29); the addressing steps are not shown
[HX_sw1-ospf-1]dis this
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 192.168.200.0 0.0.0.255
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
network 192.168.254.0 0.0.0.255
#
return //Network advertisement on the core switch; the same is done on the other routers and switches and is not shown
[HX_sw1]dis ip routing-table //Routing table of sw1, including the routes learned through OSPF
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 18       Routes : 18
Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
      127.0.0.0/8   Direct  0    0        D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0        D   127.0.0.1       InLoopBack0
   192.168.10.0/24  Direct  0    0        D   192.168.10.1    Vlanif10
   192.168.10.1/32  Direct  0    0        D   127.0.0.1       Vlanif10
   192.168.20.0/24  Direct  0    0        D   192.168.20.1    Vlanif20
   192.168.20.1/32  Direct  0    0        D   127.0.0.1       Vlanif20
   192.168.30.0/24  Direct  0    0        D   192.168.30.1    Vlanif30
   192.168.30.1/32  Direct  0    0        D   127.0.0.1       Vlanif30
   192.168.40.0/24  Direct  0    0        D   192.168.40.1    Vlanif40
   192.168.40.1/32  Direct  0    0        D   127.0.0.1       Vlanif40
  192.168.100.0/24  OSPF    10   3        D   192.168.254.1   Vlanif800
  192.168.104.0/30  OSPF    10   2        D   192.168.254.1   Vlanif800
  192.168.105.0/30  OSPF    10   2        D   192.168.254.1   Vlanif800
  192.168.150.0/24  OSPF    10   3        D   192.168.254.1   Vlanif800
  192.168.200.0/24  Direct  0    0        D   192.168.200.1   Vlanif200
  192.168.200.1/32  Direct  0    0        D   127.0.0.1       Vlanif200
  192.168.254.0/24  Direct  0    0        D   192.168.254.2   Vlanif800
  192.168.254.2/32  Direct  0    0        D   127.0.0.1       Vlanif800
At this point the internal network is fully connected; verify it with ping or tracert between the campuses (not shown). Note that every Vlanif whose network is advertised, including the user VLANs 10 to 40, now sends OSPF hellos and will form an adjacency with any OSPF speaker a user plugs into an access port. In a real deployment, make the user-facing Vlanifs passive with `silent-interface` under the OSPF process and enable OSPF authentication on the remaining links; the page shows neither.
5. WAN exit route selection
Exit route selection is usually done on a firewall; here a router plays that role.
[HX_sw1]ip route-static 0.0.0.0 0.0.0.0 192.168.254.1
[R1]ip route-static 0.0.0.0 0 12.1.1.6
[R1]ip route-static 0.0.0.0 0 13.1.1.6 pre 80 //Two default routes; the second has a worse preference (80 against the default 60), so the Unicom link is the backup. It only takes over when g2/0/0 goes down, since a static route is withdrawn only with its interface; a failure further inside the carrier's network needs the route tied to NQA or BFD tracking, which the page does not configure
Next, configure a loopback on R2 and R3 to simulate a host on the internet (Baidu at 9.9.9.9).
[YD_R2]int loo 0
[YD_R2-LoopBack0]ip add 9.9.9.9 24
[YD_R2-LoopBack0]description baidu
[LT_R3]int loo 0
[LT_R3-LoopBack0]ip add 9.9.9.9 24
6. NAT configuration
The intranet now reaches the carrier networks, but NAT has to translate the private addresses to public ones before hosts can reach the internet.
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R1-acl-basic-2000]q
[R1]int g2/0/0
[R1-GigabitEthernet2/0/0]nat outbound 2000
[R1-GigabitEthernet2/0/0]q
[R1]int g3/0/0
[R1-GigabitEthernet3/0/0]nat outbound 2000
[R1-GigabitEthernet3/0/0] //PCs can now ping the simulated internet (9.9.9.9)
[R1-GigabitEthernet2/0/0]nat server protocol tcp global current-interface 80 inside 192.168.200.10 80
Warning:The port 80 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
[R1-GigabitEthernet2/0/0]int g3/0/0
[R1-GigabitEthernet3/0/0]nat server protocol tcp global current-interface www inside 192.168.200.10 www
Warning:The port 80 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y //Map port 80 of the internal web server out on both carrier interfaces
The web server (192.168.200.10) is now reachable by anyone on the internet through either carrier address, and it sits in VLAN 200 next to the finance server (192.168.200.20). Keep that in mind when reading section 8: the ACL there filters what the core routes into VLAN 200, not what two hosts inside VLAN 200 say to each other.
7. Telnet remote management
[HX_sw1]aaa
[HX_sw1-aaa]local-user xs privilege level 3 password cipher 123
[HX_sw1-aaa]local-user xs service-type telnet
[HX_sw1-aaa]q
[HX_sw1]user-interface vty 0 4
[HX_sw1-ui-vty0-4]authentication-mode aaa //The other routers and switches are configured with the same commands
The user `xs` with `password cipher 123` and privilege level 3 (the management level) is a lab placeholder. Telnet sends the credentials in clear text, and the VTY lines as configured accept connections from any address that can reach the switch; at minimum bind an ACL to the VTY lines (`acl <number> inbound` under `user-interface vty 0 4`) and use a real password, and where the requirements allow it use SSH (stelnet) instead. The page also does not show the Vlanif 900 management addresses on the access and aggregation switches that remote management of those devices depends on.
8. Access control configuration
[HX_sw1]acl 3000
[HX_sw1-acl-adv-3000]rule permit ip source 192.168.40.0 0.0.0.255 destination 192.168.200.20 0
[HX_sw1-acl-adv-3000]rule deny ip source any destination 192.168.200.20 0
[HX_sw1-acl-adv-3000]q
[HX_sw1]int Eth-Trunk 1
[HX_sw1-Eth-Trunk1]traffic-filter outbound acl 3000
[HX_sw1-Eth-Trunk1]dis this
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 200 900
traffic-filter outbound acl 3000
mode lacp-static
#
return //Only VLAN 40 (administration building) may reach the finance server (192.168.200.20)
ACL 3000 is bound outbound on Eth-Trunk1, so it applies to traffic the core routes into VLAN 200: VLAN 40 to 192.168.200.20 matches the permit rule, any other source to that host matches the deny, and traffic the ACL does not match at all (for example to the web server 192.168.200.10) is forwarded, because traffic-filter on VRP permits unmatched packets by default. It does not apply to traffic between the web server and the finance server inside VLAN 200, which is bridged by JR_sw9 and never crosses the core.
[R1]acl 3001
[R1-acl-adv-3001]rule permit ip destination 192.168.0.0 0.0.255.255
[R1-acl-adv-3001]rule deny ip source 192.168.20.0 0.0.0.255
[R1-acl-adv-3001]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3001 //Block VLAN 20 from the internet: the first rule keeps its access to the 192.168.0.0/16 campus networks behind R1, the second drops everything else VLAN 20 sends to R1, and traffic from the other VLANs matches neither rule and is forwarded
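To check that the two ACLs above really implement the requirements, it helps to walk a handful of flows through them. The script below is an added example, not part of the original page: it parses the rules exactly as configured on HX_sw1 and R1, evaluates them first-match with the VRP traffic-filter default (unmatched packets are forwarded), and models where each enforcement point sits, so that traffic bridged inside VLAN 200 is correctly shown to bypass ACL 3000. The sample host addresses are made up; the rule text, interfaces and subnets are the page's own.

```python
"""Added example (not from the original page): a first-match evaluator for the
Huawei-style ACL rules configured in section 8, walked over sample flows.

Two points it makes concrete: traffic-filter forwards anything the ACL does not
match (the default action is permit, unlike the implicit deny on some other
vendors), and a filter bound to a routed interface never sees traffic that is
bridged inside the same VLAN, so the web server 192.168.200.10 can still reach
the finance server 192.168.200.20. Sample host addresses are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Turn a Huawei 'address wildcard' pair into a network.

    '0' / '0.0.0.0' selects one host, '0.0.0.255' a /24, '0.0.255.255' a /16.
    Only contiguous wildcards are supported, which is all the page uses.
    """
    w = int(IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    if w != (1 << w.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return IPv4Network((addr, 32 - w.bit_length()), strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: Optional[IPv4Network]    # None means "any"
    dst: Optional[IPv4Network]


def parse_rule(line: str) -> Rule:
    """Parse 'rule permit [ip] source A W destination B W' (basic or advanced form)."""
    tok = line.split()
    if tok[0] != "rule" or tok[1] not in ("permit", "deny"):
        raise ValueError(line)
    i = 3 if tok[2] == "ip" else 2      # advanced ACLs name the protocol
    src = dst = None
    while i < len(tok):
        field = tok[i]
        if tok[i + 1] == "any":
            net, i = None, i + 2
        else:
            net, i = wildcard_to_network(tok[i + 1], tok[i + 2]), i + 3
        if field == "source":
            src = net
        elif field == "destination":
            dst = net
        else:
            raise ValueError(f"unknown field {field!r} in {line!r}")
    return Rule(tok[1], src, dst)


def evaluate(rules: List[Rule], src: str, dst: str, default: str = "permit") -> str:
    """First matching rule wins; packets matching no rule get `default`.

    traffic-filter on VRP forwards unmatched packets, hence default="permit".
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    for r in rules:
        if (r.src is None or s in r.src) and (r.dst is None or d in r.dst):
            return r.action
    return default


# The rules exactly as the page configures them.
ACL_3000 = [parse_rule(l) for l in (          # HX_sw1 Eth-Trunk1 outbound
    "rule permit ip source 192.168.40.0 0.0.0.255 destination 192.168.200.20 0",
    "rule deny ip source any destination 192.168.200.20 0",
)]
ACL_3001 = [parse_rule(l) for l in (          # R1 GigabitEthernet0/0/0 inbound
    "rule permit ip destination 192.168.0.0 0.0.255.255",
    "rule deny ip source 192.168.20.0 0.0.0.255",
)]

SERVER_VLAN = IPv4Network("192.168.200.0/24")
CORE_VLANS = [IPv4Network(f"192.168.{v}.0/24") for v in (10, 20, 30, 40, 200)]


def decide(src: str, dst: str) -> Tuple[str, str]:
    """Follow a flow through the enforcement points the page configures.

    Returns (verdict, where it was decided).
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    if s in SERVER_VLAN and d in SERVER_VLAN:
        # Same VLAN: JR_sw9 bridges the frames; the core's egress filter never sees them.
        return "permit", "bridged inside VLAN 200, no ACL on path"
    if d in SERVER_VLAN:
        return evaluate(ACL_3000, src, dst), "acl 3000 on HX_sw1 Eth-Trunk1 outbound"
    if not any(d in v for v in CORE_VLANS):
        # Leaves the core toward R1: the other campuses or the internet.
        return evaluate(ACL_3001, src, dst), "acl 3001 on R1 g0/0/0 inbound"
    return "permit", "routed between user VLANs, no ACL configured"


if __name__ == "__main__":
    for flow in [("192.168.40.5", "192.168.200.20"),    # VLAN 40 -> finance: allowed
                 ("192.168.10.5", "192.168.200.20"),    # VLAN 10 -> finance: blocked
                 ("192.168.10.5", "192.168.200.10"),    # VLAN 10 -> web server: unmatched, forwarded
                 ("192.168.200.10", "192.168.200.20"),  # web -> finance: bypasses the filter
                 ("192.168.20.5", "9.9.9.9"),           # VLAN 20 -> internet: blocked
                 ("192.168.20.5", "192.168.100.7"),     # VLAN 20 -> other campus: allowed
                 ("192.168.10.5", "9.9.9.9")]:          # VLAN 10 -> internet: unmatched, forwarded
        print(f"{flow[0]:>15} -> {flow[1]:<15} {decide(*flow)}")
```

The fourth flow is the one to watch: the only thing standing between an internet-facing web server and the finance server is that they are in the same VLAN, which is why a port-forwarded server belongs in its own VLAN (or behind a host firewall) rather than alongside the asset the ACL is meant to protect.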
9. SNMP operations monitoring
Operations monitoring involves many possible products; pick and configure one yourself. It is not covered here.