[eNSP] Campus Network Design (no redundancy)

Design requirements

  1. The information centre uses an Eth-Trunk for link redundancy
  2. The intranet is split into several VLANs to shrink broadcast domains and improve stability
  3. The core switch is the users' gateway and routes between VLANs
  4. All users obtain their IP addresses automatically (DHCP)
  5. The egress router performs NAT
  6. Port 80 of the intranet web server is mapped at the egress so that external users can reach it
  7. Every device can be managed remotely over Telnet
  8. All campuses can reach each other, and the egress path is redundant
  9. The finance server may only be accessed by staff in VLAN 40
  10. Staff in VLAN 20 are barred from the Internet, and key devices are monitored in real time

Topology

(topology diagram; the image is not reproduced here)

Configuration details

1. VLANs and trunks

Start with the trunk ports and the VLAN assignments on the switches. VLAN 900 is carried on every trunk as the management VLAN; VLAN 200 is the server VLAN at the information centre, VLAN 800 is the link between the core switch and the egress router R1, VLAN 30 belongs to the teaching building and VLAN 40 to the administration building, and VLANs 10 and 20 are the user VLANs behind aggregation switch HJ_sw2.

// access switch sw9 (information centre)
[JR_sw9]vlan batch 200 900
[JR_sw9]int Eth-Trunk 1
[JR_sw9-Eth-Trunk1]mode lacp-static
[JR_sw9-Eth-Trunk1]trunkport gi 0/0/1 0/0/2
[JR_sw9-Eth-Trunk1]port link-type trunk
[JR_sw9-Eth-Trunk1]port trunk allow-pass vlan 200 900  // VLAN 900 is the Telnet management VLAN
[JR_sw9-Eth-Trunk1]qu  // back to system view before creating the port group
[JR_sw9]port-g g Ethernet 0/0/2 Ethernet 0/0/3
[JR_sw9-port-group]port link-type acc
[JR_sw9-Ethernet0/0/2]port link-type acc
[JR_sw9-Ethernet0/0/3]port link-type acc
[JR_sw9-port-group]port de vlan 200
[JR_sw9-Ethernet0/0/2]port de vlan 200
[JR_sw9-Ethernet0/0/3]port de vlan 200  // server ports go into VLAN 200 (the switch echoes each port-group command once per member port)
// access switch sw5
[JR_sw5]vlan batch 10 900
[JR_sw5]port-g g e0/0/2 e0/0/3
[JR_sw5-port-group]port link-type acc
[JR_sw5-Ethernet0/0/2]port link-type acc
[JR_sw5-Ethernet0/0/3]port link-type acc
[JR_sw5-port-group]port de vlan 10
[JR_sw5-Ethernet0/0/2]port de vlan 10
[JR_sw5-Ethernet0/0/3]port de vlan 10
[JR_sw5-port-group]qu
[JR_sw5]int g0/0/1
[JR_sw5-GigabitEthernet0/0/1]port link-type trunk
[JR_sw5-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 900
// access switch sw6
[JR_sw6]vlan batch 20 900
[JR_sw6]int e0/0/1
[JR_sw6-Ethernet0/0/1]port link-type acc
[JR_sw6-Ethernet0/0/1]port de vlan 20
[JR_sw6-Ethernet0/0/1]qu
[JR_sw6]int g0/0/1
[JR_sw6-GigabitEthernet0/0/1]port link-type trunk 	
[JR_sw6-GigabitEthernet0/0/1]port trunk allow-pass vlan 20 900
// aggregation switch sw2
[HJ_sw2]vlan batch 20 10 900
[HJ_sw2]int g0/0/2
[HJ_sw2-GigabitEthernet0/0/2]port link-ty trunk
[HJ_sw2-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 900
[HJ_sw2-GigabitEthernet0/0/2]qu
[HJ_sw2]int g0/0/3
[HJ_sw2-GigabitEthernet0/0/3]port link-type trunk 
[HJ_sw2-GigabitEthernet0/0/3]port trunk allow-pass vlan 20 900
[HJ_sw2-GigabitEthernet0/0/3]qu
[HJ_sw2]int g0/0/1	
[HJ_sw2-GigabitEthernet0/0/1]port link-type trunk 	
[HJ_sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 900  
// the aggregation and access switches of the teaching and administration buildings are configured the same way and are omitted
// core switch sw1
[HX_sw1]vlan batch 10 20 30 40 200 800 900
[HX_sw1]int Eth-Trunk 1
[HX_sw1-Eth-Trunk1]mode lacp-static 
[HX_sw1-Eth-Trunk1]trunkport gi 0/0/2 0/0/5
[HX_sw1-Eth-Trunk1]port link-type trunk
[HX_sw1-Eth-Trunk1]port trunk allow-pass vlan 200 900
[HX_sw1]int g0/0/1
[HX_sw1-GigabitEthernet0/0/1]port link-ty trunk 	
[HX_sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 900
[HX_sw1-GigabitEthernet0/0/1]qu
[HX_sw1]int g0/0/3
[HX_sw1-GigabitEthernet0/0/3]port link-ty trunk 	
[HX_sw1-GigabitEthernet0/0/3]port trunk allow-pass vlan 30 900
[HX_sw1-GigabitEthernet0/0/3]qu
[HX_sw1]int g0/0/4
[HX_sw1-GigabitEthernet0/0/4]port link-ty trunk
[HX_sw1-GigabitEthernet0/0/4]port trunk allow-pass vlan 40 900
[HX_sw1-GigabitEthernet0/0/4]qu
[HX_sw1]int g0/0/24	
[HX_sw1-GigabitEthernet0/0/24]port link-ty acc
[HX_sw1-GigabitEthernet0/0/24]port de vlan 800
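The trunks above keep VRP's defaults for the native VLAN: untagged frames arriving on a trunk are placed in its PVID, which is VLAN 1, and VLAN 1 is allowed on every trunk unless it is removed. Any port that was never configured (the spare ports on every switch here) is an access port in VLAN 1, so a host plugged into a spare port lands in a campus-wide Layer 2 domain, and a trunk whose PVID equals some user VLAN is the precondition for double-tagging VLAN hopping. As an added hardening example, not part of the original configuration, the core-to-aggregation trunk gets a dead PVID and has VLAN 1 removed on both ends; VLAN 999 is an assumed, otherwise unused VLAN, and the syntax is that of the eNSP S5700/S3700 (VRP V200R003):

```text
// Added example, not from the original page. VLAN 999 is an assumed unused VLAN.
// Core side of the core <-> HJ_sw2 trunk
[HX_sw1]vlan batch 999
[HX_sw1]int g0/0/1
[HX_sw1-GigabitEthernet0/0/1]port trunk pvid vlan 999           // untagged frames land in a VLAN nobody uses
[HX_sw1-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1  // stop carrying VLAN 1 across the trunk
[HX_sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 900
[HX_sw1-GigabitEthernet0/0/1]qu
// Aggregation side, identical so that both ends agree on the PVID
[HJ_sw2]vlan batch 999
[HJ_sw2]int g0/0/1
[HJ_sw2-GigabitEthernet0/0/1]port trunk pvid vlan 999
[HJ_sw2-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
[HJ_sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 900
[HJ_sw2-GigabitEthernet0/0/1]qu
// Verify: PVID shows 999 and the trunk VLAN list no longer contains 1
[HX_sw1]dis port vlan g0/0/1
```

Apply the same two commands to every other trunk in the design (the Eth-Trunk toward sw9 and the links to the teaching and administration buildings), and put `shutdown` on spare access ports until they are assigned a VLAN.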

2. Gateway SVIs

// giving each Vlanif an IP address makes the core switch the users' gateway and routes between the VLANs
[HX_sw1]int vlanif 10
[HX_sw1-Vlanif10]ip add 192.168.10.1 24
[HX_sw1-Vlanif10]qu
[HX_sw1]in vlanif 20 
[HX_sw1-Vlanif20]ip add 192.168.20.1 24
[HX_sw1-Vlanif20]qu
[HX_sw1]int vlanif 30
[HX_sw1-Vlanif30]ip add 192.168.30.1 24
[HX_sw1-Vlanif30]qu
[HX_sw1]int vlanif 40
[HX_sw1-Vlanif40]ip add 192.168.40.1 24
[HX_sw1-Vlanif40]qu
[HX_sw1]int vlanif 200
[HX_sw1-Vlanif200]ip add 192.168.200.1 24
[HX_sw1]int vlanif 800
[HX_sw1-Vlanif800]ip add 192.168.254.2 24

Note that no Vlanif 900 is created anywhere, so the management VLAN carried on every trunk has no Layer 3 address: Telnet to the core in section 7 has to target one of the user-VLAN, VLAN 200 or VLAN 800 SVI addresses, and the access switches, which have no IP address at all in the configuration shown, cannot be managed over VLAN 900 until each gets a Vlanif 900 address and a route back to the administrators' subnet.

3. DHCP

// hosts in each VLAN obtain an address, gateway and DNS servers from the pool whose network matches their Vlanif
[HX_sw1]dhcp en
[HX_sw1]ip pool syl_vlan10
[HX_sw1-ip-pool-syl_vlan10]network 192.168.10.0 mask 24
[HX_sw1-ip-pool-syl_vlan10]gateway-list 192.168.10.1
[HX_sw1-ip-pool-syl_vlan10]dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-syl_vlan10]qu
[HX_sw1]ip pool syl_vlan20
[HX_sw1-ip-pool-syl_vlan20]gateway-list 192.168.20.1
[HX_sw1-ip-pool-syl_vlan20]network 192.168.20.0 mask 255.255.255.0
[HX_sw1-ip-pool-syl_vlan20]dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-syl_vlan20]qu
[HX_sw1]ip pool jxl_vlan30
[HX_sw1-ip-pool-jxl_vlan30]gateway-list 192.168.30.1
[HX_sw1-ip-pool-jxl_vlan30]network 192.168.30.0 mask 255.255.255.0
[HX_sw1-ip-pool-jxl_vlan30]dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-jxl_vlan30]qu
[HX_sw1]ip pool xzl_vlan40
[HX_sw1-ip-pool-xzl_vlan40]gateway-list 192.168.40.1
[HX_sw1-ip-pool-xzl_vlan40]network 192.168.40.0 mask 255.255.255.0
[HX_sw1-ip-pool-xzl_vlan40]dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-xzl_vlan40]qu
// a global pool is only served on interfaces that select it; without dhcp select global the switch answers no DISCOVER on that VLAN
[HX_sw1]int vlanif 10
[HX_sw1-Vlanif10]dhcp select global
[HX_sw1]int vlanif 20
[HX_sw1-Vlanif20]dhcp select global
[HX_sw1]int vlanif 30
[HX_sw1-Vlanif30]dhcp select global
[HX_sw1]int vlanif 40
[HX_sw1-Vlanif40]dhcp select global
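Nothing in the design stops a host in a user VLAN from running its own DHCP server and handing its neighbours a rogue gateway or DNS server, which is the cheapest way to put a man in the middle of a whole VLAN. As an added example, not part of the original configuration, DHCP snooping on access switch sw5 discards DHCP OFFER/ACK messages that arrive on untrusted ports and accepts them only from the uplink toward the core, which is the only legitimate path to the pools above (syntax as on the eNSP S5700/S3700, VRP V200R003):

```text
// Added example, not from the original page.
[JR_sw5]dhcp enable                   // DHCP snooping requires DHCP to be enabled globally
[JR_sw5]dhcp snooping enable          // turn the snooping feature on
[JR_sw5]dhcp snooping enable vlan 10  // inspect DHCP traffic in the user VLAN on this switch
[JR_sw5]int g0/0/1
[JR_sw5-GigabitEthernet0/0/1]dhcp snooping trusted  // uplink to HJ_sw2 / core: server replies are accepted here only
[JR_sw5-GigabitEthernet0/0/1]qu
// e0/0/2 and e0/0/3 stay untrusted (the default): an OFFER or ACK sent by a PC there is dropped
[JR_sw5]dis dhcp snooping configuration
```

Repeat on sw6 for VLAN 20 and on sw9 for VLAN 200 (with Eth-Trunk 1 as the trusted port), and on the aggregation switches with their uplink to the core trusted; the core itself is the DHCP server and needs no snooping.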

4. OSPF

[R1]dis ip int bri
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 6
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 6
The number of interface that is DOWN in Protocol is 2

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              192.168.254.1/24     up         up        
GigabitEthernet0/0/1              unassigned           down       down      
GigabitEthernet0/0/2              unassigned           down       down      
GigabitEthernet1/0/0              192.168.104.1/30     up         up        
GigabitEthernet2/0/0              12.1.1.1/29          up         up        
GigabitEthernet3/0/0              13.1.1.1/29          up         up        
GigabitEthernet4/0/0              192.168.105.1/30     up         up        
NULL0                             unassigned           up         up(s)     
[R1]   // interface addresses on R1; the configuration steps are not shown
[HX_sw1-ospf-1]dis this
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 192.168.200.0 0.0.0.255
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 192.168.40.0 0.0.0.255
  network 192.168.254.0 0.0.0.255
#
return  // network statements on the core switch; the other routers and switches are advertised the same way and are omitted
[HX_sw1]dis ip routing-table  // routes sw1 has learned through OSPF

Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------

Routing Tables: Public
         Destinations : 18       Routes : 18       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

   192.168.10.0/24  Direct  0    0           D   192.168.10.1    Vlanif10
   192.168.10.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
   192.168.20.0/24  Direct  0    0           D   192.168.20.1    Vlanif20
   192.168.20.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
   192.168.30.0/24  Direct  0    0           D   192.168.30.1    Vlanif30
   192.168.30.1/32  Direct  0    0           D   127.0.0.1       Vlanif30
   192.168.40.0/24  Direct  0    0           D   192.168.40.1    Vlanif40
   192.168.40.1/32  Direct  0    0           D   127.0.0.1       Vlanif40
  192.168.100.0/24  OSPF    10   3           D   192.168.254.1   Vlanif800
  192.168.104.0/30  OSPF    10   2           D   192.168.254.1   Vlanif800
  192.168.105.0/30  OSPF    10   2           D   192.168.254.1   Vlanif800
  192.168.150.0/24  OSPF    10   3           D   192.168.254.1   Vlanif800
  192.168.200.0/24  Direct  0    0           D   192.168.200.1   Vlanif200
  192.168.200.1/32  Direct  0    0           D   127.0.0.1       Vlanif200
  192.168.254.0/24  Direct  0    0           D   192.168.254.2   Vlanif800
  192.168.254.2/32  Direct  0    0           D   127.0.0.1       Vlanif800

The internal network is now fully reachable; connectivity between the VLANs and the campuses can be checked with ping (not shown).

5. WAN egress path selection

Egress path selection is usually done on a firewall; here a router (R1) takes that role.

[HX_sw1]ip route-static 0.0.0.0 0.0.0.0 192.168.254.1
[R1]ip route-static 0.0.0.0 0 12.1.1.6
[R1]ip route-static 0.0.0.0 0 13.1.1.6 pre 80  // two default routes; the higher preference value (80 against the default 60) makes the China Unicom path the backup

These are plain floating static routes, so the backup only takes over when R1's interface toward China Mobile (G2/0/0) goes down. A failure further upstream leaves the primary route in the table and the traffic black-holed; tying the primary route to NQA or BFD tracking is what turns this into real egress redundancy.

Next, R2 and R3 get a loopback that stands in for an Internet site (Baidu) at 9.9.9.9, so that the same destination is reachable over either ISP.

[YD_R2]int loo 0
[YD_R2-LoopBack0]ip add 9.9.9.9 24
[YD_R2-LoopBack0]description baidu
[LT_R3]int loo 0
[LT_R3-LoopBack0]ip add 9.9.9.9 24

6. NAT

The intranet can now reach the ISP routers, but private source addresses have to be translated to the public address of the egress interface before hosts can reach the Internet.

[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255  // every campus subnet is eligible for translation
[R1-acl-basic-2000]q
[R1]int g2/0/0
[R1-GigabitEthernet2/0/0]nat outbound 2000  // Easy IP: translate to the address of the outgoing interface
[R1-GigabitEthernet2/0/0]q
[R1]int g3/0/0
[R1-GigabitEthernet3/0/0]nat outbound 2000
[R1-GigabitEthernet3/0/0]q   // PCs can now ping the simulated Internet host (9.9.9.9)
[R1]int g2/0/0
[R1-GigabitEthernet2/0/0]nat server protocol tcp global current-interface 80 inside 192.168.200.10 80
Warning:The port 80 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
[R1-GigabitEthernet2/0/0]int g3/0/0
[R1-GigabitEthernet3/0/0]nat server protocol tcp global current-interface www inside 192.168.200.10 www
Warning:The port 80 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y    // publish the intranet web server on port 80 of both ISP interfaces (www is the keyword for port 80)

The warning only says that port 80 is a well-known port that the router's own services may also use. More important is what the mapping does: anyone on the Internet can now reach 192.168.200.10:80 on either ISP address, and nothing on R1 filters that traffic, so the web server must be treated as exposed (see the note on the finance server in section 8).

7. Telnet remote management

[HX_sw1]aaa
[HX_sw1-aaa]local-user xs privilege level 3 password cipher 123  // level 3 is full administrative access
[HX_sw1-aaa]local-user xs service-type telnet
[HX_sw1-aaa]q
[HX_sw1]user-interface vty 0 4
[HX_sw1-ui-vty0-4]authentication-mode aaa
[HX_sw1-ui-vty0-4]protocol inbound telnet  // the other routers and switches are configured with the same commands

Two caveats on this block as written: Telnet sends the username, the password and every subsequent command in cleartext, so anyone who can sniff a trunk captures a level-3 credential; and the password 123 is a lab placeholder that a real campus must replace. On VRP firmware where the Telnet server is disabled by default, telnet server enable is also needed before the VTY lines answer.
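If requirement 7 can be read as "remote CLI management" rather than Telnet specifically, the same AAA user can be served over SSH, with the VTY lines additionally restricted to the administrators' subnet so that a stolen credential is useless from a dormitory port. This is an added example, not from the original page: the password, the ACL number and the assumption that administrators sit in VLAN 40 (192.168.40.0/24) are placeholders, and the syntax is that of the eNSP S5700 (VRP V200R003):

```text
// Added example, not from the original page. 192.168.40.0/24 is the assumed admin subnet.
[HX_sw1]acl 2001
[HX_sw1-acl-basic-2001]rule permit source 192.168.40.0 0.0.0.255  // only the administration building may open a session
[HX_sw1-acl-basic-2001]rule deny                                   // everything else, including VLAN 200 servers, is refused
[HX_sw1-acl-basic-2001]qu
[HX_sw1]rsa local-key-pair create            // host key for the SSH server (answer the interactive prompts)
[HX_sw1]aaa
[HX_sw1-aaa]local-user xs privilege level 3 password cipher Xs@2021-Lab  // placeholder password
[HX_sw1-aaa]local-user xs service-type ssh   // drop the telnet service type
[HX_sw1-aaa]qu
[HX_sw1]stelnet server enable
[HX_sw1]ssh user xs authentication-type password
[HX_sw1]ssh user xs service-type stelnet
[HX_sw1]user-interface vty 0 4
[HX_sw1-ui-vty0-4]authentication-mode aaa
[HX_sw1-ui-vty0-4]protocol inbound ssh       // refuse Telnet on these lines
[HX_sw1-ui-vty0-4]acl 2001 inbound           // source filter applied to the VTY lines
[HX_sw1-ui-vty0-4]idle-timeout 5 0           // drop idle sessions after five minutes
```

From another VRP device the session is opened with `ssh client first-time enable` followed by `stelnet 192.168.40.1`; a PC uses any SSH client against the same SVI address. The ACL is worth keeping even if Telnet has to stay: `acl 2001 inbound` under the VTY lines works for Telnet too and at least limits where a captured password can be replayed from.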

8. Access control

[HX_sw1]acl 3000
[HX_sw1-acl-adv-3000]rule permit ip source 192.168.40.0 0.0.0.255 destination 192.168.200.20 0
[HX_sw1-acl-adv-3000]rule deny ip source any destination 192.168.200.20 0
[HX_sw1-acl-adv-3000]q
[HX_sw1]int Eth-Trunk 1
[HX_sw1-Eth-Trunk1]traffic-filter outbound acl 3000
[HX_sw1-Eth-Trunk1]dis this
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 200 900
 traffic-filter outbound acl 3000
 mode lacp-static
#
return  // only VLAN 40 (administration building) may reach the finance server 192.168.200.20
[R1]acl 3001
[R1-acl-adv-3001]rule permit ip destination 192.168.0.0 0.0.255.255  // rule 5: traffic to the other campus subnets stays allowed
[R1-acl-adv-3001]rule deny ip source 192.168.20.0 0.0.0.255            // rule 10: everything else from VLAN 20, i.e. Internet-bound traffic, is dropped
[R1-acl-adv-3001]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3001  // VLAN 20 cannot reach the Internet

Both filters rely on the semantics of traffic-filter on VRP: rules are matched in configuration order and a packet that matches no rule is permitted. In ACL 3001 the order is therefore essential; with the two rules swapped, VLAN 20 would be cut off from the other campuses as well. ACL 3000 has a blind spot: it sits on the core's Eth-Trunk toward sw9, so it only sees traffic the core routes. The web server 192.168.200.10 is in the same VLAN 200 as the finance server and reaches 192.168.200.20 through sw9 at Layer 2 without ever crossing the filter, and port 80 of that web server was published to the Internet in section 6, so a compromised web server has unrestricted access to the finance server. Moving the finance server into its own VLAN (so that the path crosses the core) or filtering on the sw9 access port closes that gap.

9. SNMP monitoring

Many monitoring products can satisfy requirement 10 and the choice is left to the reader; the monitoring-side configuration is not given here.
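Whatever NMS is chosen, the device side of requirement 10 is SNMP, and the setting to avoid is a v1/v2c community string: it travels in cleartext like the Telnet password above, is readable by the same sniffer, and with a write community grants configuration access. As an added example, not part of the original page, this enables SNMPv3 with authentication and encryption on the core switch and restricts it to an assumed NMS host at 192.168.40.100; the user name, group name, ACL number and passphrases are placeholders, and the single-line usm-user form is the VRP V200R003 syntax used by eNSP (later VRP releases split it into separate group, authentication-mode and privacy-mode lines):

```text
// Added example, not from the original page. 192.168.40.100 is the assumed NMS host.
[HX_sw1]acl 2002
[HX_sw1-acl-basic-2002]rule permit source 192.168.40.100 0   // only the NMS may query the agent
[HX_sw1-acl-basic-2002]qu
[HX_sw1]snmp-agent
[HX_sw1]snmp-agent sys-info version v3                       // v3 only; v1 and v2c are not answered
[HX_sw1]snmp-agent group v3 nms-group privacy acl 2002       // privacy = authentication and encryption required
[HX_sw1]snmp-agent usm-user v3 nms-user nms-group authentication-mode sha AuthPass-2021 privacy-mode aes128 PrivPass-2021 acl 2002
[HX_sw1]snmp-agent trap enable                               // send notifications (link down, etc.) to the NMS
[HX_sw1]snmp-agent target-host trap address udp-domain 192.168.40.100 params securityname nms-user v3 privacy
```

The same block goes on R1 and the aggregation switches, which are the "key devices" of requirement 10; the NMS polls them with the v3 user (authPriv, SHA/AES-128) and receives their traps on UDP 162.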

posted @ 2021-06-11 18:25  Alexander8527