1. Company background
As its business has grown, the group's headquarters is located near the Guangzhou Sports Center, with two branch offices in Haizhu District and Baiyun District. To enable fast information exchange and resource sharing, a unified network is needed that integrates all of the company's business processes. The headquarters uses a dual-core network architecture and connects to the Internet over a leased line; the two branches each lease a dedicated fibre circuit for their connection. The ISP has allocated the public IP addresses 202.16.10.5~20/24. The network is to be built to the following overall requirements:
1. Ensure the stability and reliability of the whole network.
2. Every department at every site can reach the Internet through address translation (NAT).
3. Each department is placed in its own VLAN; only the manager's office may access the branch offices.
4. All departments of the group can transfer files through the FTP server.
5. The company home page (the WEB1 server) is reachable from both the internal network and the Internet.
6. Only staff of the Finance Department and the Manager's Office may access the WEB2 server.
2. Network topology diagram
Figure 1 Network topology diagram
3. IP address plan
Table 1 IP address plan
4. Device naming and connection table
Table 2 Device naming and connection table
5. VLAN plan
Table 3 VLAN plan
6. Configuring remote login on each device
Remote login is configured on each device as follows:
Layer 2 switches:
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
Layer 3 switches and routers:
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
local-user zjnet password cipher zjnet123
local-user zjnet privilege level 3
local-user zjnet service-type telnet
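The AAA stanza above stores the admin password with `password simple` (readable in the saved configuration), uses the login name itself as that password, and exposes management over telnet and http. The script below is an added example, not tooling from the document's author: it parses this kind of stanza and reports those management-plane weaknesses so they can be caught before the configuration is deployed. The stanza embedded in it is copied from the "Layer 3 switches and routers" section; the issue names, the `Finding` type and the recommendations are this script's own.

```python
"""Audit the remote-login (AAA) stanza of a Huawei VRP configuration.

Added example for this document, not the design's own tooling. SAMPLE_AAA is
copied from the section above; the checks and recommendations are this script's.
"""
import re
from dataclasses import dataclass

SAMPLE_AAA = """\
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
 local-user zjnet password cipher zjnet123
 local-user zjnet privilege level 3
 local-user zjnet service-type telnet
"""

# Management services that carry the login in cleartext, with the encrypted
# VRP alternative a reviewer would ask for instead.
PLAINTEXT_SERVICES = {"telnet": "stelnet (SSH)", "http": "https"}

RE_PASSWORD = re.compile(r"^local-user (\S+) password (simple|cipher|irreversible-cipher) (\S+)$")
RE_SERVICE = re.compile(r"^local-user (\S+) service-type (.+)$")
RE_LEVEL = re.compile(r"^local-user (\S+) privilege level (\d+)$")


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


def audit_aaa(config):
    """Return one Finding per management-plane weakness in the AAA text."""
    findings = []
    levels = {}       # user -> privilege level (on VRP, 3 is full management access)
    plaintext = {}    # user -> services that send the credentials unencrypted
    for raw in config.splitlines():
        line = raw.strip()
        if m := RE_PASSWORD.match(line):
            user, mode, value = m.groups()
            if mode == "simple":
                # 'simple' keeps the password readable in the saved configuration.
                findings.append(Finding(user, "cleartext-password",
                    "stored with 'password simple'; store it as 'cipher' "
                    "(or 'irreversible-cipher' where the release supports it)"))
                # Only a 'simple' value is the real password, so the comparison
                # with the login name is meaningful here.
                if value == user:
                    findings.append(Finding(user, "password-equals-username",
                        f"the password is the login name '{user}'"))
        elif m := RE_SERVICE.match(line):
            user, services = m.groups()
            weak = [s for s in services.split() if s in PLAINTEXT_SERVICES]
            if weak:
                plaintext[user] = weak
                findings.append(Finding(user, "plaintext-management-service",
                    "; ".join(f"'{s}' carries the login unencrypted, prefer "
                              f"{PLAINTEXT_SERVICES[s]}" for s in weak)))
        elif m := RE_LEVEL.match(line):
            levels[m.group(1)] = int(m.group(2))
    # A privileged account that logs in over a cleartext service is the
    # combination worth fixing first.
    for user, svcs in plaintext.items():
        if levels.get(user, 0) >= 3:
            findings.append(Finding(user, "privileged-over-plaintext",
                f"privilege level {levels[user]} account logs in over {', '.join(svcs)}"))
    return findings


if __name__ == "__main__":
    for f in audit_aaa(SAMPLE_AAA):
        print(f"{f.user:8} {f.issue:30} {f.detail}")
```

Run against the stanza from the page it reports five findings: three for `admin` (cleartext password, password equal to the username, http management) and two for `zjnet` (telnet, and a level-3 account reachable only over telnet). An account with a `cipher` password and `service-type ssh` produces none.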
7. Creating the VLANs
ZJnet09-FB1-SW8:
vlan batch 100 110
#
interface Ethernet0/0/1
port link-type access
port default vlan 110
#
interface Ethernet0/0/2
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
ZJnet09-ZB-SW4:
vlan batch 10
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
ZJnet09-ZB-SW5:
vlan batch 20
#
interface Ethernet0/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
ZJnet09-ZB-SW6:
vlan batch 30
#
interface Ethernet0/0/1
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
ZJnet09-ZB-SW7:
vlan batch 40
#
interface Ethernet0/0/1
port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
ZJnet09-FB2-SW9:
vlan batch 200 210
#
interface Ethernet0/0/1
port link-type access
port default vlan 210
#
interface Ethernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
ZJnet09-ZB-LSW1:
vlan batch 2 to 3 10 20 30 40
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
ZJnet09-ZB-LSW2:
vlan batch 2 to 3 10 20 30 40
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
8. Core switch redundancy
ZJnet09-ZB-LSW1:
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
load-balance src-dst-mac
#
interface GigabitEthernet0/0/21
eth-trunk 1
#
interface GigabitEthernet0/0/22
eth-trunk 1
#
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
ZJnet09-ZB-LSW2:
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
load-balance src-dst-mac
#
interface GigabitEthernet0/0/21
eth-trunk 1
#
interface GigabitEthernet0/0/22
eth-trunk 1
#
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
9. Configuring MSTP on the switches
ZJnet09-ZB-LSW1:
#
stp instance 1 root primary
stp instance 2 root primary
stp instance 3 root primary
stp instance 4 root primary
#
stp region-configuration
region-name mstp1
instance 1 vlan 10
instance 2 vlan 20
instance 3 vlan 30
instance 4 vlan 40
active region-configuration
ZJnet09-ZB-LSW2:
#
stp instance 1 root secondary
stp instance 2 root secondary
stp instance 3 root secondary
stp instance 4 root secondary
#
stp region-configuration
region-name mstp1
instance 1 vlan 10
instance 2 vlan 20
instance 3 vlan 30
instance 4 vlan 40
active region-configuration
10. Configuring the DHCP service
ZJnet09-FB-DHCP:
#
dhcp enable
#
ip pool vlan10
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
dns-list 8.8.8.8
#
ip pool vlan20
gateway-list 192.168.20.1
network 192.168.20.0 mask 255.255.255.0
dns-list 8.8.8.8
#
ip pool vlan30
gateway-list 192.168.30.1
network 192.168.30.0 mask 255.255.255.0
dns-list 8.8.8.8
#
ip pool vlan40
gateway-list 192.168.40.1
network 192.168.40.0 mask 255.255.255.0
dns-list 8.8.8.8
#
ip pool vlan100
gateway-list 192.168.100.1
network 192.168.100.0 mask 255.255.255.0
dns-list 8.8.8.8
#
ip pool vlan110
gateway-list 192.168.110.1
network 192.168.110.0 mask 255.255.255.0
dns-list 8.8.8.8
#
ip pool vlan200
gateway-list 192.168.200.1
network 192.168.200.0 mask 255.255.255.0
dns-list 8.8.8.8
#
ip pool vlan210
gateway-list 192.168.210.1
network 192.168.210.0 mask 255.255.255.0
dns-list 8.8.8.8
ZJnet09-FB1-R2:
dhcp enable
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 100
ip address 192.168.100.1 255.255.255.0
arp broadcast enable
dhcp select relay
dhcp relay server-ip 172.16.1.1
#
interface GigabitEthernet0/0/1.2
dot1q termination vid 110
ip address 192.168.110.1 255.255.255.0
arp broadcast enable
dhcp select relay
dhcp relay server-ip 172.16.1.1
#
ZJnet09-FB2-R3:
dhcp enable
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 200
ip address 192.168.200.1 255.255.255.0
arp broadcast enable
dhcp select relay
dhcp relay server-ip 172.16.1.1
#
interface GigabitEthernet0/0/1.2
dot1q termination vid 210
ip address 192.168.210.1 255.255.255.0
arp broadcast enable
dhcp select relay
dhcp relay server-ip 172.16.1.1
#
ZJnet09-ZB-LSW1:
#
interface Vlanif10
ip address 192.168.10.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.10.1
vrrp vrid 1 priority 120
dhcp select relay
dhcp relay server-ip 172.16.1.1
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.1
vrrp vrid 1 priority 120
dhcp select relay
dhcp relay server-ip 172.16.1.1
#
interface Vlanif30
ip address 192.168.30.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.30.1
vrrp vrid 1 priority 120
dhcp select relay
dhcp relay server-ip 172.16.1.1
#
interface Vlanif40
ip address 192.168.40.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.40.1
vrrp vrid 1 priority 120
dhcp select relay
dhcp relay server-ip 172.16.1.1
#
ZJnet09-ZB-LSW2:
#
interface Vlanif10
ip address 192.168.10.3 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.10.1
#
interface Vlanif20
ip address 192.168.20.3 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.1
#
interface Vlanif30
ip address 192.168.30.3 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.30.1
#
interface Vlanif40
ip address 192.168.40.3 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.40.1
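The DHCP design above spreads one address plan over three places: the pools on ZJnet09-FB-DHCP, the VRRP virtual IPs on the two core switches, and the dot1q sub-interfaces on the branch routers, all of which must agree on the gateway address and the relay target. The script below is an added example, not part of the document's configuration: it parses both sides and reports pools whose gateway no device answers for, VRRP virtual IPs outside their interface subnet, relays pointing at a different server, and VRRP members that hold a gateway address without `dhcp select relay` (which, as configured above, is the case for the Vlanif interfaces of ZJnet09-ZB-LSW2, so address assignment in VLANs 10 to 40 depends on LSW1 being up). The pool and interface text is copied from the document except pool `vlan50`, a constructed mismatch added so the "no gateway" case is exercised.

```python
"""Consistency check between DHCP pools and the gateway interfaces relaying to them.
Added example for this document. Config text is copied from the page, except pool
vlan50, which is constructed so that the 'no gateway anywhere' case is exercised."""
import ipaddress
from collections import defaultdict

DHCP_SERVER_IP = ipaddress.ip_address("172.16.1.1")  # ZJnet09-FB-DHCP, per the document

SERVER_CFG = """\
ip pool vlan10
 gateway-list 192.168.10.1
 network 192.168.10.0 mask 255.255.255.0
#
ip pool vlan100
 gateway-list 192.168.100.1
 network 192.168.100.0 mask 255.255.255.0
#
ip pool vlan50
 gateway-list 192.168.50.1
 network 192.168.50.0 mask 255.255.255.0
"""

GATEWAY_CFGS = {
    "ZJnet09-ZB-LSW1": """\
interface Vlanif10
 ip address 192.168.10.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.1
 vrrp vrid 1 priority 120
 dhcp select relay
 dhcp relay server-ip 172.16.1.1
""",
    "ZJnet09-ZB-LSW2": """\
interface Vlanif10
 ip address 192.168.10.3 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.1
""",
    "ZJnet09-FB1-R2": """\
interface GigabitEthernet0/0/1.1
 dot1q termination vid 100
 ip address 192.168.100.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 172.16.1.1
""",
}


def parse_blocks(config):
    """Split VRP config text into (header, body_lines) blocks delimited by '#'."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif current is None:
            current = (line, [])
            blocks.append(current)
        else:
            current[1].append(line)
    return blocks


def check_dhcp_gateways(server_cfg, gateway_cfgs, server_ip):
    problems = []
    holders = defaultdict(list)  # gateway address -> [(interface, relays_dhcp)]
    for device, cfg in gateway_cfgs.items():
        for header, body in parse_blocks(cfg):
            if not header.startswith("interface "):
                continue
            where = f"{device} {header.split()[1]}"
            addr = next((ipaddress.ip_interface(f"{l.split()[2]}/{l.split()[3]}")
                         for l in body if l.startswith("ip address ")), None)
            relays = "dhcp select relay" in body
            for l in body:
                if l.startswith("dhcp relay server-ip "):
                    target = ipaddress.ip_address(l.split()[-1])
                    if target != server_ip:
                        problems.append(f"{where}: relays to {target}, DHCP server is {server_ip}")
                elif l.startswith("vrrp vrid ") and " virtual-ip " in l:
                    vip = ipaddress.ip_address(l.split()[-1])
                    if addr is None or vip not in addr.network:
                        problems.append(f"{where}: VRRP virtual-ip {vip} is outside the interface subnet")
                    holders[vip].append((where, relays))  # a VRRP member may become the gateway
            if addr is not None:
                holders[addr.ip].append((where, relays))
    for header, body in parse_blocks(server_cfg):
        if not header.startswith("ip pool "):
            continue
        name = header.split()[2]
        gw = next((ipaddress.ip_address(l.split()[1]) for l in body if l.startswith("gateway-list ")), None)
        net = next((ipaddress.ip_network(f"{l.split()[1]}/{l.split()[3]}") for l in body if l.startswith("network ")), None)
        if gw is None or net is None:
            problems.append(f"pool {name}: missing gateway-list or network")
        elif gw not in net:
            problems.append(f"pool {name}: gateway {gw} is outside {net}")
        elif gw not in holders:
            problems.append(f"pool {name}: no interface or VRRP group answers for gateway {gw}")
        else:
            problems += [f"{w}: holds gateway {gw} but has no 'dhcp select relay'"
                         for w, r in holders[gw] if not r]
    return problems


if __name__ == "__main__":
    for p in check_dhcp_gateways(SERVER_CFG, GATEWAY_CFGS, DHCP_SERVER_IP):
        print(p)
```

On the embedded sample the check reports two problems: the LSW2 member of the VLAN 10 VRRP group has no relay, and the constructed pool `vlan50` has no gateway anywhere. Pools `vlan10` and `vlan100` pass.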
11. Configuring routing
ZJnet09-ZB-R1:
#
ip route-static 0.0.0.0 0.0.0.0 202.16.10.1
ip route-static 172.16.1.0 255.255.255.0 14.14.14.2
ip route-static 192.168.100.0 255.255.255.0 10.10.20.1
ip route-static 192.168.110.0 255.255.255.0 10.10.20.1
ip route-static 192.168.200.0 255.255.255.0 10.10.10.2
ip route-static 192.168.210.0 255.255.255.0 10.10.10.2
#
ZJnet09-FB1-R2:
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
ZJnet09-FB2-R3:
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1
#
ZJnet09-FB-DHCP:
#
ip route-static 0.0.0.0 0.0.0.0 172.16.1.254
#
ZJnet09-ZB-LSW1:
#
ospf 1
area 0.0.0.0
network 192.168.10.0 0.0.0.255
network 12.12.12.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
#
ZJnet09-ZB-LSW2:
#
ospf 1
area 0.0.0.0
network 13.13.13.0 0.0.0.255
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
12. Configuring address translation (NAT)
ZJnet09-ZB-R1:
#
nat address-group 1 202.16.10.6 202.16.10.19
#
interface Serial2/0/0
link-protocol ppp
ip address 202.16.10.5 255.255.255.0
nat server protocol tcp global 202.16.10.20 www inside 172.16.1.2 8080
13. Configuring access control lists
ZJnet09-FB1-R2:
#
acl number 2000
rule 5 permit source 192.168.10.0 0.0.0.255
rule 10 permit source 172.16.1.0 0.0.0.255
rule 15 permit source 10.10.10.0 0.0.0.3
rule 20 permit source 202.16.10.0 0.0.0.255
rule 25 deny
#
traffic classifier a1 operator or
if-match acl 2000
#
traffic behavior b1
#
traffic policy 1
classifier a1 behavior b1
#
interface GigabitEthernet0/0/0
ip address 10.10.20.1 255.255.255.0
traffic-policy 1 inbound
#
ZJnet09-ZB-R1:
#
acl number 2001
rule 5 permit source 192.168.10.0 0.0.0.255
rule 10 permit source 192.168.20.0 0.0.0.255
rule 15 permit source 192.168.30.0 0.0.0.255
rule 20 permit source 192.168.40.0 0.0.0.255
rule 25 permit source 192.168.100.0 0.0.0.255
rule 30 permit source 192.168.110.0 0.0.0.255
rule 35 permit source 192.168.200.0 0.0.0.255
rule 40 permit source 192.168.210.0 0.0.0.255
rule 45 deny
#
interface Serial2/0/0
nat outbound 2001 address-group 1 no-pat
ZJnet09-FB2-R3:
#
acl number 2000
rule 5 permit source 192.168.10.0 0.0.0.255
rule 10 permit source 172.16.1.0 0.0.0.255
rule 15 permit source 10.10.20.0 0.0.0.3
rule 20 permit source 202.16.10.0 0.0.0.255
rule 25 deny
#
traffic classifier a1 operator or
if-match acl 2000
#
traffic behavior b1
#
traffic policy c1
classifier a1 behavior b1
#
interface GigabitEthernet0/0/0
ip address 10.10.10.2 255.255.255.252
traffic-policy c1 inbound
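ACL 2000 on the branch routers is what enforces requirement 3: rules are tried in ascending rule-number order, `source A W` uses an inverted wildcard mask (a set bit in W means "ignore this bit"), and the final `rule 25 deny` has no source and so matches everything the earlier rules did not. The script below is an added example, not part of the document's configuration: it parses a basic ACL (2000 to 2999) and evaluates it the way the device does, then checks which headquarters VLANs get through the branch router's inbound filter. The ACL text is copied from ZJnet09-FB1-R2; the sample host addresses are constructed, and the labelling of 192.168.10.0/24 as the manager's office is an assumption taken from rule 5, since the VLAN plan table is not reproduced on the page.

```python
"""Evaluate a Huawei VRP basic ACL (2000-2999) as the device does: first match in
rule-number order wins, `source A W` uses an inverted wildcard mask, and a rule
without `source` matches every packet. Added example for this document."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Copied from ZJnet09-FB1-R2 above (applied inbound on its interface toward the HQ router).
ACL_CFG = """\
acl number 2000
 rule 5 permit source 192.168.10.0 0.0.0.255
 rule 10 permit source 172.16.1.0 0.0.0.255
 rule 15 permit source 10.10.10.0 0.0.0.3
 rule 20 permit source 202.16.10.0 0.0.0.255
 rule 25 deny
"""

# Assumption (the VLAN plan table is not on the page): VLAN 10 is the manager's
# office, as rule 5 implies; 20/30/40 are other departments. Hosts are constructed.
HQ_HOSTS = {"vlan10 (manager)": "192.168.10.10", "vlan20": "192.168.20.10",
            "vlan30": "192.168.30.10", "vlan40": "192.168.40.10"}

RE_ACL = re.compile(r"^acl number (\d+)$")
RE_RULE = re.compile(r"^rule (\d+) (permit|deny)(?: source (\S+) (\S+))?$")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    source: Optional[int]   # network address as an int; None means any source
    wildcard: int           # inverted mask: a set bit means "ignore this bit"

    def matches(self, ip):
        if self.source is None:
            return True
        return (int(ip) | self.wildcard) == (self.source | self.wildcard)


def parse_acls(config):
    """Return {acl_number: [Rule]} sorted the way the device evaluates them."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := RE_ACL.match(line):
            current = acls.setdefault(int(m.group(1)), [])
        elif (m := RE_RULE.match(line)) and current is not None:
            num, action, src, wc = m.groups()
            if src is None:
                current.append(Rule(int(num), action, None, 0))
            else:
                # VRP accepts a bare "0" wildcard as shorthand for a single host.
                wildcard = 0 if wc == "0" else int(ipaddress.ip_address(wc))
                current.append(Rule(int(num), action, int(ipaddress.ip_address(src)), wildcard))
    for rules in acls.values():
        rules.sort(key=lambda r: r.number)
    return acls


def evaluate(rules, src_ip):
    """(action, rule_number) of the first matching rule; ("no-match", None) when
    nothing matches, in which case the traffic policy does not act on the packet."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.matches(ip):
            return rule.action, rule.number
    return "no-match", None


def branch_reachability(rules, hosts=HQ_HOSTS):
    """Which HQ VLANs pass the branch router's inbound filter (requirement 3)."""
    return {label: evaluate(rules, ip)[0] for label, ip in hosts.items()}


if __name__ == "__main__":
    acl = parse_acls(ACL_CFG)[2000]
    for label, verdict in branch_reachability(acl).items():
        print(f"{label:18} -> {verdict}")
```

With the ACL from the page, only the 192.168.10.0/24 host is permitted and the hosts in VLANs 20, 30 and 40 fall through to `rule 25 deny`; the wildcard `0.0.0.3` on rule 15 admits exactly 10.10.10.0 to 10.10.10.3, so 10.10.10.4 is denied.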