大型企业网络案例

有线网络结构设计背景1.1总介绍中国平安网络，由一个总公司网络、一个分公司网络和一个对外服务区组成。其中总公司网络和分公司网络在不同的地区，总公司和分公司都有公司内部的访问的数据中心（DMZ区）；对外服务区被托管在中国电信。路由器ISP模拟运营商中国电信。2.1总公司1）Router1作为边界路由也是核心层路由器；sw1、sw2是核心层交换机；sw3、sw4是汇聚层交换机，其中SW3分别连接了总公司部门1，总公司部门2和总公司部门3；SW4分别连接了总公司部门4，总公司部门5，总公司部门6，总公司Server以与无线路由器1。2）总公司Server只能为公司内部供应服务，不对外供应服务。部门1,2,3,6均可访问内网Web，服务器，部门4只可以访问内网FTP其他的都不行以访问，部门5可以访问内网Web3.1分公司Router9是出口路由器，其中sw5、sw4是核心交换机，实现冗余架构；sw6、sw7是汇聚层交换机;其中SW6下面连接了部门1和部门2；SW7连接了部门3，部门4，Server2以与无线路由器2。内网ACL配置：部门1，2，4可以访问内网中的Web和Ftp服务器，部门3只可以访问内网的ftp服务器。4.1中国电信企业总公司网络的出口路由器router1和分公司网络的出口路由器都与ISP相连接，其中router1和ISP之间运用了ppp广域网协议，启用了chap的仔细方式实现与互联网相连；R9运用帧中继技术与ISP相连。该企业的对外访问服务器托管到中国电信运营商。二、拓扑结构总体拓扑：总公司拓扑：分公司拓扑：ISP外网即帧中继：三、学问点1.静态路由2.RIP3.单区域OSPF4.EIGRP5.EIGRP非等价负载均衡6.ppp封装（chap）7.帧中继8.ACL访问限制9.NAT地址转换10.STP的配置11.VLAN间的路由12EIGRP手动汇总13.路由重分布14.默认路由15.Telnet16.双链路冗余的备份17.DHCP的运用四、主要功能部门1,2,3,6均可访问内网Web，服务器。部门4只可以访问内网FTP其他的都不行以访问。部门5可以访问内网Web和Ftp但不行以访问DNS。部门1，2,4可以访问外网Web以与公司总部的Web，Ftp服务器。部门3只可以访问公司总部的Ftp服务器。主要配置清单分公司Switch7配置：(Switch#showrunning-configBuildingconfiguration...Currentconfiguration:2096bytes!version12.2noservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryption!hostnameSwitch!!!!!ipdhcppoolvlan7ipdhcppoolvlan8!!iprouting!!!!!!!!!!!!!!spanning-treemodepvst!!!!!!interfaceFastEthernet0/1!interfaceFastEthernet0/2switchportaccessvlan100switchportmodeaccess!interfaceFastEthernet0/3!interfaceFastEthernet0/4!interfaceFastEthernet0/5switchportaccessvlan7switchportmodeaccess!interfaceFastEthernet0/6switchportaccessvlan8switchportmodeaccess!interfaceFastEthernet0/7!interfaceFastEthernet0/8!interfaceFastEthernet0/9!interfaceFastEthernet0/10!interfaceFastEthernet0/11!interfaceFastEthernet0/12!interfaceFastEthernet0/13!interfaceFastEthernet0/14!interfaceFastEthernet0/15!interfaceFastEthernet0/16!interfaceFastEthernet0/17!interfaceFastEthernet0/18!interfaceFastEthernet0/19!interfaceFastEthernet0/20!interfaceFastEthernet0/21!interfaceFastEthernet0/22!interfaceFastEthernet0/23!interfaceFastEthernet0/24!interfaceGigabitEthernet0/1!interfaceGigabitEthernet0/2!interfaceVlan1noipaddressshutdown!interfaceVlan7!interfaceVlan8!interfaceVlan100!routereigrp1distanceeigrp90150redistributeospf1metric100010025511500auto-summary!routerospf1log-adjacency-changesnetwork55area0network55area0network55area0!ipclassless!ipflow-exportversion9!!!!!!!linecon0!lineaux0!linevty04login!!!end总公司sw4Switch#showrunBuildingconfiguration...Currentconfiguration:2816bytes!version12.2noservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryption!hostnameSwitch!!!!!ipdhcppoolvlan5ipdhcppoolvlan6ipdhcppoolvlan7!!iprouting!!!!!!!!!!!!!!spanning-treemodepvst!!!!!!interfaceFastEthernet0/1noswitchportduplexautospeedauto!interfaceFastEthernet0/2!interfaceFastEthernet0/3!interfaceFastEthernet0/4!interfaceFastEthernet0/5switchportaccessvlan5switchportmodeaccess!interfaceFastEthernet0/6switchportaccessvlan6switchportmodeaccess!interfaceFastEthernet0/7switchportaccessvlan7switchportmodeaccess!interfaceFastEthernet0/8!interfaceFastEthernet0/9!interfaceFastEthernet0/10!interfaceFastEthernet0/11!interfaceFastEthernet0/12!interfaceFastEthernet0/13!interfaceFastEthernet0/14!interfaceFastEthernet0/15!interfaceFastEthernet0/16!interfaceFastEthernet0/17!interfaceFastEthernet0/18!interfaceFastEthernet0/19!interfaceFastEthernet0/20!interfaceFastEthernet0/21!interfaceFastEthernet0/22!interfaceFastEthernet0/23!interfaceFastEthernet0/24noswitchportduplexautospeedauto!interfaceGigabitEthernet0/1!interfaceGigabitEthernet0/2!interfaceVlan1noipaddressshutdown!interfaceVlan5!interfaceVlan6!interfaceVlan7ipaccess-group100out!routerripversion2!ipclassless!ipflow-exportversion9!!access-list100permittcpanyhost00eqwwwaccess-list100permittcpanyhost00eqftpaccess-list100permitudp55host00eqdomainaccess-list100permitudp55host00eqdomainaccess-list100permitudp55host00eqdomainaccess-list100permitudp55host00eqdomainaccess-list100permitipanyany!!!!!linecon0!lineaux0!linevty04login!!!end总公司SW3Switch#showrunBuildingconfiguration...Currentconfiguration:1791bytes!version12.2noservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryption!hostnameSwitch!!!!!!!iprouting!!!!!!!!!!!!!!spanning-treemodepvst!!!!!!interfaceFastEthernet0/1noswitchportduplexautospeedauto!interfaceFastEthernet0/2switchportaccessvlan2switchportmodeaccess!interfaceFastEthernet0/3switchportaccessvlan3switchportmodeaccess!interfaceFastEthernet0/4switchportaccessvlan4switchportmodeaccess!interfaceFastEthernet0/5!interfaceFastEthernet0/6!interfaceFastEthernet0/7!interfaceFastEthernet0/8!interfaceFastEthernet0/9!interfaceFastEthernet0/10!interfaceFastEthernet0/11!interfaceFastEthernet0/12!interfaceFastEthernet0/13!interfaceFastEthernet0/14!interfaceFastEthernet0/15!interfaceFastEthernet0/16!interfaceFastEthernet0/17!interfaceFastEthernet0/18!interfaceFastEthernet0/19!interfaceFastEthernet0/20!interfaceFastEthernet0/21!interfaceFastEthernet0/22!interfaceFastEthernet0/23!interfaceFastEthernet0/24noswitchportduplexautospeedauto!interfaceGigabitEthernet0/1!interfaceGigabitEthernet0/2!interfaceVlan1noipaddressshutdown!interfaceVlan2!interfaceVlan3!interfaceVlan4!routerripversion2!ipclassless!ipflow-exportversion9!!!!!!!linecon0!lineaux0!linevty04login!!!end总公司R1R1#showrunBuildingconfiguration...Currentconfiguration:1575bytes!version12.4noservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryption!hostnameR1!!!!!!!!noipcefnoipv6cef!!!usernameISPpassword0123!!!!!!!!!!spanning-treemodepvst!!!!!!interfaceFastEthernet0/0ipnatinsideduplexautospeedauto!interfaceFastEthernet0/1ipnatinsideduplexautospeedauto!interfaceSerial0/3/0encapsulationppppppauthenticationchapipnatoutsideclockrate2000000!interfaceSerial0/3/1noipaddressclockrate2000000shutdown!interfaceVlan1noipaddressshutdown!routerripversion2!ipnatinsidesourcelist10poolabcipnatinsidesourcestatic0000ipclasslessiproute!ipflow-exportversion9!!!nocdprun!!!!!linecon0!lineaux0!linevty04passwordciscologin!!!end分公司SW6Switch#showrunning-configBuildingconfiguration...Currentconfiguration:1429bytes!version12.2noservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryption!hostnameSwitch!!!!!!!iprouting!!!!!!!!!!!!!!spanning-treemodepvst!!!!!!interfaceFastEthernet0/1switchportaccessvlan100switchportmodeaccess!interfaceFastEthernet0/2!interfaceFastEthernet0/3!interfaceFastEthernet0/4noswitchportduplexautospeedauto!interfaceFastEthernet0/5!interfaceFastEthernet0/6!interfaceFastEthernet0/7!interfaceFastEthernet0/8!interfaceFastEthernet0/9!interfaceFastEthernet0/10!interfaceFastEthernet0/11!interfaceFastEthernet0/12!interfaceFastEthernet0/13!interfaceFastEthernet0/14!interfaceFastEthernet0/15!interfaceFastEthernet0/16!interfaceFastEthernet0/17!interfaceFastEthernet0/18!interfaceFastEthernet0/19!interfaceFastEthernet0/20!interfaceFastEthernet0/21!interfaceFastEthernet0/22!interfaceFastEthernet0/23!interfaceFastEthernet0/24!interfaceGigabitEthernet0/1!interfaceGigabitEthernet0/2!interfaceVlan1noipaddressshutdown!interfaceVlan100!routereigrp1distanceeigrp90150redistributeospf1metric100010025511500auto-summary!ipclassless!ipflow-exportversion9!!!!!!!linecon0!lineaux0!linevty04login!!!end分公司R8Router#showrunBuildingconfiguration...Currentconfiguration:753bytes!version12.4noservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryption!hostnameRouter!!!!!!!!ipcefnoipv6cef!!!!!!!!!!!!spanning-treemodepvst!!!!!!interfaceFastEthernet0/0duplexautospeedauto!interfaceFastEthernet0/1noipaddressduplexautospeedauto!interfaceFastEthernet0/1.1encapsulationdot1Q6!interfaceFastEthernet0/1.2encapsulationdot1Q7!interfaceVlan1noipaddressshutdown!ipclassless!ipflow-exportversion9!!!nocdprun!!!!!linecon0!lineaux0!linevty04login!!!end2.RIP配置（Switch1,2,3,4和Route1）在Switch4上Rip配置步骤：#iprouting(config)#routerrip#version2#####Switch1,2,3,4和Route1配置步骤和Switch配置类似3.Route1NAT配置(config)#intf0/0#ipnatinside#noshut(config)#intf0/1#ipnatinside#noshut(config)#ints0/0/0#ipnatoutside#nosshut(config)######(config)#(config)#ipnatinsidesourcelist10poolabc为服务器静态映射一个静态的公网地址：(config)#静态路由： (config)#4.PPP（chap）配置ISP的PPP配置：(config)#hostnameISP#usernameR1password0123(config)#interfaceSerial0/0/0#i#encapsulationppp#pppauthenticationchap对应的总公司出口路由器R1PPP配置：(config)#hostnameR1#usernameISPpassword0123(config)#interfaceSerial0/0/0#ipaddress#clockrate64000#encapsulationppp#pppauthenticationchap5.ACL配置内网配置需求:1.接入层共有6个部门：分别属于VLAN2,3,4,5,6,72.接入层ACL配置：部门1,2,3,6均可访问内网Web，服务器部门4只可以访问内网FTP其他的都不行以访问部门5可以访问内网Web和Ftp但不行以访问DNS也就是不能访问外网。由于内网服务器在VLAN7上因此，在Switch4上配置ACL(config)#access-list100permittcpanyhost00eqwww#access-list100permittcpanyhost00eqftp#access-list100permitudp55host00eqdomain#access-list100permitudp55host00eqdomain#access-list100permitudp55host00eqdomain#access-list100permitudp55host00eqdomain###access-list100permitipanyany（config）#intvlan7#ipacc100out在汇聚层，以与分公司的网络上均配置有ACL，配置原理和此类似6.帧中继配置（配置在ISP与分公司的出口路由器上）ISP上帧中继配置(config)#interfaceSerial0/2/0##encapsulationframe-relayietf#framapip409b#clockrate64000#noshut分公司上的帧中继配置：(config)#interfaceSerial0/0/0##encapsulationframe-relayietf#framapip904b#clockrate64000#noshut7.EIGRP配置和EIGRP非等价负载均衡,以与手动汇总在外网和分公司的核心层均配置有Eigrp协议外网的Eigrp协议配置：外网R3配置：（config）#interfaceFastEthernet0/0##noshut（config）#interfaceSerial0/0/0##clockrate64000#noshut(configt)#routereigrp100##R4配置：（config）#interfaceFastEthernet0/0##noshut（config）#interfaceSerial0/0/0##clockrate64000#noshut（config）#interfaceSerial0/0/1##clockrate64000#noshut(config)#routereigrp100#redistributestaticmetric100010025511500//路由重分布####exit(config)#routereigrp100#varicance2//启用负载均衡#exit(config)##//默认路由#exitR5配置：（config）#interfaceSerial0/0/0##noshut（config）#interfaceSerial0/0/1##clockrate64000#noshut（config）#routeeigrp100#exitR6配置：（config）#interfaceFastEthernet0/0##noshut（config）#interfaceSerial0/3/1##clockrate64000#noshut（config）#interfaceSerial0/3/0##clockrate64000#noshut（config）#routereigrp100#R7配置：（config）#interfaceSerial0/3/1##clockrate64000#noshut（config）#interfaceSerial0/3/0#ipsummary-addresseigrp10010//手动汇总Eigrp中的的网段#clockrate64000#noshut（config）#routereigrp100###noauto-summary#exit8.OSPF配置ospf配置在分公司的汇聚层分公司Sw7OSPF配置：（config）#vlan7#ex（config）#vlan8#ex（config）#intvlan7#exit（config）#intvlan8#exit（config）#routerospf1#network55area0#network55area0#network55area0同样在R0，Sw6,Sw7上配置和此类似。9.路由重分布路由重分布配置在分公司汇聚层，将OSPF的路由分布到Eigrp中去Sw7配置：(config)#routereigrp1#distanceeigrp90150#redistributeospf1metric100010025511500Sw6配置：(config)#routereigrp1#distanceeigrp90150#redistributeospf1metric10001002551150010.三层交换机STP配置配置在分公司的汇聚层Sw4,5,6,7交换机上Sw4配置：(config)#vlan100#ex(config)#interfaceFastEthernet0/1#switchportmodeaccess#switchportaccessvlan100#noshut(config)#intvlan100##exit(config)#spanning-treemp//启用生成树协议Sw5,6,7配置和Sw4配置一样，同样根据Sw4的配置就可11.DHCP的配置DHCP配置在总公司和分公司的汇聚层以总公司的Sw4为例配置：（config）#ipdhcppoolvlan5###（config）#ipdhcppoolvlan6###（config）#ipdhcppoolvlan7#network192.168.7#default-router54#（config）####同理可配置其余的交换机12.Telnet的配置Telnet配置在总公司的出口路由器上（config）#linevty04#l