Network design for a 1000-user enterprise (non-redundant)


Lab requirements:
1. The information centre uses Eth-Trunk for link redundancy
2. The enterprise intranet is divided into several VLANs to shrink broadcast domains and improve network stability
3. The core switch acts as the user gateway and performs inter-VLAN routing
4. All users obtain IP addresses automatically
5. NAT is configured at the exit for address translation
6. Port 80 of the internal server is mapped at the enterprise exit so that external users can reach it
7. All devices can be managed remotely via Telnet
8. All campuses can reach each other, and the exit is redundant
9. The enterprise finance server may only be accessed by staff in VLAN 40.
10. Staff in VLAN 20 are barred from the Internet, and key devices are monitored in real time.


Step 1: Link aggregation

Add the ports to be aggregated to Eth-Trunk 1

[hexin]int Eth-Trunk 1

[hexin-Eth-Trunk1]trunkport g 0/0/2 0/0/5

[hexin-Eth-Trunk1]port link-type trunk

[hexin-Eth-Trunk1]port trunk allow-pass vlan 200 900

Note: the peer end must be configured the same way.

Step 2: VLAN assignment is omitted here; it is straightforward, see the device configurations below.

Step 3: Inter-VLAN routing

interface Vlanif10
ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0

The remaining VLAN interfaces are configured the same way and are omitted.

Step 4: Automatic IP address assignment

1. Enable DHCP

dhcp enable

2. Create an address pool

ip pool syl-vlan10
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
dns-list 114.114.114.114 8.8.8.8

3. Apply the pool on the VLAN interface

interface Vlanif10
ip address 192.168.10.1 255.255.255.0
dhcp select global

Step 5: Exit NAT

1. Create an ACL matching the address range to be translated

acl number 2000
rule 5 permit source 192.168.0.0 0.0.255.255

2. Apply the ACL on the exit interfaces (note there are two exits: China Mobile on 12.1.1.1 and China Unicom on 13.1.1.1)

interface GigabitEthernet3/0/0
ip address 12.1.1.1 255.255.255.248
nat outbound 2000

interface GigabitEthernet0/0/1
ip address 13.1.1.1 255.255.255.248
nat outbound 2000

Step 6: Port mapping

interface GigabitEthernet3/0/0
ip address 12.1.1.1 255.255.255.248
nat server protocol tcp global current-interface www inside 192.168.200.10 www
nat outbound 2000

interface GigabitEthernet0/0/1
ip address 13.1.1.1 255.255.255.248
nat server protocol tcp global current-interface www inside 192.168.200.10 www
nat outbound 2000
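The two exits in steps 5 and 6 rely on three behaviours that the configuration does not spell out: which of the two default routes is active (the one to 12.1.1.6 has the VRP default preference of 60 and wins over the one to 13.1.1.6 with preference 70 until the Mobile link fails), that Easy-IP (`nat outbound 2000` with no address group) rewrites the source to the address of whichever exit interface the packet leaves on, and that the `nat server` entry maps TCP/80 on either public address to 192.168.200.10. The following Python model is an added example, not code from the original lab; the interface names, addresses, ACL 2000 and the server mapping are taken from the page, while the packets, the "link down" flags and the translated source port 10000 are constructed.

```python
"""Model of forwarding and NAT on the exit router "chukou" (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


# Exit interfaces and their public addresses, as configured on the page.
EXIT_IFACES = {
    "GigabitEthernet3/0/0": "12.1.1.1",   # China Mobile uplink
    "GigabitEthernet0/0/1": "13.1.1.1",   # China Unicom uplink
}

# ip route-static 0.0.0.0 0.0.0.0 12.1.1.6            (default preference 60)
# ip route-static 0.0.0.0 0.0.0.0 13.1.1.6 preference 70
# "up" is a constructed flag standing in for the link state.
DEFAULT_ROUTES = [
    {"next_hop": "12.1.1.6", "iface": "GigabitEthernet3/0/0", "preference": 60, "up": True},
    {"next_hop": "13.1.1.6", "iface": "GigabitEthernet0/0/1", "preference": 70, "up": True},
]


def select_exit(routes):
    """Floating static route: the lowest preference among routes whose link is up wins."""
    candidates = [r for r in routes if r["up"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: r["preference"])


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_2000_permits(pkt):
    """acl number 2000 / rule 5 permit source 192.168.0.0 0.0.255.255"""
    return wildcard_match(pkt.src, "192.168.0.0", "0.0.255.255")


# nat server protocol tcp global current-interface www inside 192.168.200.10 www
NAT_SERVER = {"proto": "tcp", "global_port": 80, "inside": "192.168.200.10", "inside_port": 80}


def translate_outbound(pkt, routes=DEFAULT_ROUTES, next_port=10000):
    """Return (packet as it leaves, exit interface), or None if no default route is usable.

    Easy-IP: a packet matching ACL 2000 leaves with the exit interface's own address
    and a translated source port; anything else is routed untouched.
    """
    route = select_exit(routes)
    if route is None:
        return None
    if not acl_2000_permits(pkt):
        return pkt, route["iface"]
    public = EXIT_IFACES[route["iface"]]
    return Packet(public, pkt.dst, next_port, pkt.dport, pkt.proto), route["iface"]


def translate_inbound(pkt):
    """Static mapping: TCP/80 to either public address is delivered to the inside web server."""
    if (pkt.proto == NAT_SERVER["proto"] and pkt.dport == NAT_SERVER["global_port"]
            and pkt.dst in EXIT_IFACES.values()):
        return Packet(pkt.src, NAT_SERVER["inside"], pkt.sport, NAT_SERVER["inside_port"], pkt.proto)
    return pkt  # no mapping: the packet is addressed to the router itself


if __name__ == "__main__":
    pc = Packet("192.168.10.253", "9.9.9.9", 40000, 80)   # the PC from the verification section
    print(translate_outbound(pc))                          # leaves as 12.1.1.1 via GE3/0/0
    mobile_down = [dict(r, up=(r["next_hop"] != "12.1.1.6")) for r in DEFAULT_ROUTES]
    print(translate_outbound(pc, mobile_down))             # falls back to 13.1.1.1 via GE0/0/1
    print(translate_inbound(Packet("7.7.7.7", "12.1.1.1", 5000, 80)))
```

The model makes one consequence of the design visible: because both exits carry the same `nat server` line, the web server is reachable on both public addresses, but established outbound sessions are bound to the public address of the exit that was active when they started, so a failover of the Mobile link drops them even though new sessions succeed through Unicom.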

Step 7: Telnet remote management

Note: on physical devices the following two commands must also be entered

telnet server enable
protocol inbound telnet

1. AAA authentication
aaa
local-user aa privilege level 3 password cipher 123
local-user aa service-type telnet

2. Apply AAA on the VTY lines
user-int vty 0 4
authentication-mode aaa

Step 8: Reachability between all campuses

Because the network runs OSPF dynamic routing between the core switch, the exit router and the campus routers, the campuses can reach each other.

Step 9: Only VLAN 40 may access the finance server

Create the ACL:

acl number 3000
rule 5 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.200.20 0
rule 10 deny ip destination 192.168.200.20 0

Apply it on the interface:

interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 200 900
traffic-filter outbound acl 3000
mode lacp-static

Step 10: Block VLAN 20 from the Internet and set up monitoring

Create ACL 3001:

acl number 3001
rule 5 permit ip destination 192.168.0.0 0.0.255.255
rule 10 deny ip source 192.168.20.0 0.0.0.255

Apply it on the interface:

interface GigabitEthernet4/0/0
ip address 192.168.254.1 255.255.255.0
traffic-filter inbound acl 3001
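Both ACLs in steps 9 and 10 only work because of how `traffic-filter` evaluates an ACL on VRP: rules are tried in ascending number order, the first match decides, and a packet that matches no rule is permitted. That is why ACL 3000 needs the explicit `rule 10 deny` after the permit for VLAN 40, and why ACL 3001 first permits every internal destination (192.168.0.0/16, which also covers the new campuses 192.168.100.0/24 and 192.168.150.0/24) before denying VLAN 20, so VLAN 20 keeps campus access and loses only the Internet. The evaluator below is an added example, not part of the original lab: the rules are copied from the page, the sample flows are constructed, and the implicit-permit behaviour is the one the page's own design depends on.

```python
"""First-match evaluator for ACL 3000 and ACL 3001 with VRP traffic-filter semantics (added example)."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a 1 bit means 'don't care' (0.0.0.255 = whole /24, 0.0.0.0 = one host)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


# Each rule: (rule number, action, (source, wildcard) or None, (destination, wildcard) or None).
# ACL 3000 is applied outbound on Eth-Trunk1, the link towards the server switch jr-sw9.
ACL_3000 = [
    (5, "permit", ("192.168.40.0", "0.0.0.255"), ("192.168.200.20", "0.0.0.0")),
    (10, "deny", None, ("192.168.200.20", "0.0.0.0")),
]
# ACL 3001 is applied inbound on GigabitEthernet4/0/0 of the exit router, facing the core.
ACL_3001 = [
    (5, "permit", None, ("192.168.0.0", "0.0.255.255")),
    (10, "deny", ("192.168.20.0", "0.0.0.255"), None),
]


def evaluate(acl, src, dst):
    """Return (action, matched rule number); rule None means the implicit permit of traffic-filter."""
    for number, action, s, d in sorted(acl, key=lambda r: r[0]):
        if s is not None and not wildcard_match(src, *s):
            continue
        if d is not None and not wildcard_match(dst, *d):
            continue
        return action, number
    return "permit", None


def policy_table(acl, flows):
    """Evaluate a list of constructed (src, dst) flows and return one row per flow."""
    return [(src, dst, *evaluate(acl, src, dst)) for src, dst in flows]


if __name__ == "__main__":
    # Constructed flows towards the finance server (192.168.200.20) and the web server (192.168.200.10).
    for row in policy_table(ACL_3000, [("192.168.40.7", "192.168.200.20"),
                                       ("192.168.10.7", "192.168.200.20"),
                                       ("192.168.10.7", "192.168.200.10")]):
        print("acl 3000", row)
    # Constructed flows from VLAN 20 and VLAN 10 to a campus host and to the outside.
    for row in policy_table(ACL_3001, [("192.168.20.9", "192.168.100.5"),
                                       ("192.168.20.9", "9.9.9.9"),
                                       ("192.168.10.9", "9.9.9.9")]):
        print("acl 3001", row)
```

Two points the rows make clear: ACL 3000 never touches traffic to the web server 192.168.200.10 (it falls through to the implicit permit), and ACL 3001 does nothing for a VLAN 20 host talking to 192.168.100.5 at the new campus, which is the intended behaviour of the requirement "VLAN 20 cannot access the Internet" rather than "VLAN 20 is isolated".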

SNMP configuration for monitoring: every switch that is to be monitored needs it

All switches get the same SNMP configuration
snmp-agent
snmp-agent community write 123
snmp-agent community read 456
snmp-agent sys-info version all
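The management-plane settings in step 7 and in this SNMP block are what a monitoring system and an operator depend on, so they are worth checking mechanically across every `dis cu` on this page. The script below is an added example, not from the original lab: it splits VRP-style running configuration into `#`-separated stanzas and reports settings that undercut the "monitor key devices" requirement: SNMPv1/v2c community strings (which travel in cleartext and, on the switches here, are the short values 123 and 456; the `%$%$...%$%$` form on the AR router is the encrypted display and is not length-checked), Telnet as the login service (cleartext credentials; STelnet/SSH is the VRP alternative), VTY lines with no inbound `acl`, and `undo info-center enable`, which several switches on the page carry and which switches off the local log a monitoring system would collect. The sample configuration is constructed to mirror jr-sw1; the password value is elided.

```python
"""Audit of management-plane settings in VRP running configuration text (added example)."""
import re

# Constructed sample that mirrors the jr-sw1 configuration on the page (password elided).
SAMPLE_CONFIG = """\
#
sysname jr-sw1
#
undo info-center enable
#
aaa
 local-user aa password cipher <elided>
 local-user aa privilege level 3
 local-user aa service-type telnet
#
snmp-agent
snmp-agent community write 123
snmp-agent community read 456
snmp-agent sys-info version all
#
user-interface vty 0 4
 authentication-mode aaa
"""


def stanzas(config_text):
    """Split a running configuration at the '#' separator lines into lists of stripped lines."""
    block, out = [], []
    for line in config_text.splitlines():
        if line.strip() == "#":
            if block:
                out.append(block)
            block = []
        elif line.strip():
            block.append(line.strip())
    if block:
        out.append(block)
    return out


def audit(config_text):
    """Return a list of (severity, finding) tuples for the given configuration text."""
    findings = []
    for block in stanzas(config_text):
        head = block[0]
        if head == "undo info-center enable":
            findings.append(("high", "info-center disabled: no local syslog for monitoring"))
        for line in block:
            m = re.match(r"snmp-agent community (read|write) (\S+)", line)
            if m:
                access, community = m.groups()
                severity = "high" if access == "write" else "medium"
                findings.append((severity, f"SNMPv1/v2c {access} community configured (cleartext on the wire)"))
                # Encrypted display form (%$%$...%$%$) cannot be length-checked; plaintext can.
                if not community.startswith("%$%$") and len(community) < 8:
                    findings.append(("high", f"short SNMP {access} community string"))
            if line == "snmp-agent sys-info version all":
                findings.append(("medium", "SNMP v1 and v2c enabled alongside v3"))
            if re.match(r"local-user \S+ service-type .*\btelnet\b", line):
                findings.append(("high", "Telnet login allowed (credentials cross the network in cleartext)"))
        if head.startswith("user-interface vty") and not any(l.startswith("acl ") for l in block):
            findings.append(("medium", f"{head}: no inbound ACL, any reachable host may attempt a login"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None for a clean configuration."""
    order = {"high": 2, "medium": 1, "low": 0}
    return max((f[0] for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for severity, text in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {text}")
```

Run against the sample, the script reports eight findings; feeding it the `dis cu` output of each device on the page gives the same picture, with the AR router "chukou" differing only in that its community strings are displayed encrypted.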

Switch sw1 configuration

<jr-sw1>dis cu
#
sysname jr-sw1
#
vlan batch 10 900
#
undo nap slave enable
#
aaa
local-user aa password cipher #*C>*$C`S!INZPO3JBXBHA!!
local-user aa privilege level 3
local-user aa service-type telnet
#
interface Vlanif900
ip address 192.168.255.1 255.255.255.0
#
interface Ethernet0/0/2
port link-type access
port default vlan 10
#
interface Ethernet0/0/3
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 900
#
ip route-static 0.0.0.0 0.0.0.0 192.168.255.8
#
snmp-agent
snmp-agent community write 123
snmp-agent community read 456
snmp-agent sys-info version all
#
user-interface vty 0 4
authentication-mode aaa

Switch sw2 configuration:

<jr-sw2>dis cu
#
sysname jr-sw2
#
undo info-center enable
#
vlan batch 20 900
#
aaa
local-user aa password cipher #*C>*$C`S!INZPO3JBXBHA!!
local-user aa privilege level 3
local-user aa service-type telnet
#
interface Vlanif900
ip address 192.168.255.2 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 900
#
ip route-static 0.0.0.0 0.0.0.0 192.168.255.8
#
snmp-agent
snmp-agent community write 123
snmp-agent community read 456
snmp-agent sys-info version all
#
user-interface vty 0 4
authentication-mode aaa

Switch sw3 configuration:

<jr-sw3>dis cu
#
sysname jr-sw3
#
vlan batch 30 900
#
aaa
local-user aa password cipher #*C>*$C`S!INZPO3JBXBHA!!
local-user aa privilege level 3
local-user aa service-type telnet
#
interface Vlanif900
ip address 192.168.255.3 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 30
#
interface Ethernet0/0/2
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30 900
#
ip route-static 0.0.0.0 0.0.0.0 192.168.255.8
#
snmp-agent
snmp-agent community write 123
snmp-agent community read 456
snmp-agent sys-info version all
#
user-interface vty 0 4
authentication-mode aaa

Switch sw4 configuration:

<jr-sw4>dis cu
#
sysname jr-sw4
#
undo info-center enable
#
vlan batch 40 900
#
aaa
local-user aa password cipher #*C>*$C`S!INZPO3JBXBHA!!
local-user aa privilege level 3
local-user aa service-type telnet
#
interface Vlanif900
ip address 192.168.255.4 255.255.255.0
#
interface Ethernet0/0/2
port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 40 900
#
ip route-static 0.0.0.0 0.0.0.0 192.168.255.8
#
snmp-agent
snmp-agent community write 123
snmp-agent community read 456
snmp-agent sys-info version all
#
user-interface vty 0 4
authentication-mode aaa

Switch sw5 configuration:

<hj-sw5>dis cu
#
sysname hj-sw5
#
vlan batch 10 20 900
#
aaa
local-user aa password cipher #*C>*$C`S!INZPO3JBXBHA!!
local-user aa privilege level 3
local-user aa service-type telnet
#
interface Vlanif900
ip address 192.168.255.5 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 900
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 900
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 20 900
#
ip route-static 0.0.0.0 0.0.0.0 192.168.255.8
#
snmp-agent
snmp-agent community write 123
snmp-agent community read 456
snmp-agent sys-info version all
#
user-interface vty 0 4
authentication-mode aaa

Switch sw6 configuration:

<hj-sw6>dis cu
#
sysname hj-sw6
#
undo info-center enable
#
vlan batch 30 900
#
aaa
local-user aa password cipher #*C>*$C`S!INZPO3JBXBHA!!
local-user aa privilege level 3
local-user aa service-type telnet
#
interface Vlanif900
ip address 192.168.255.6 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30 900
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30 900
#
ip route-static 0.0.0.0 0.0.0.0 192.168.255.8
#
snmp-agent
snmp-agent community write 123
snmp-agent community read 456
snmp-agent sys-info version all
#
user-interface vty 0 4
authentication-mode aaa

Switch sw7 configuration:

<hj-sw7>dis cu
#
sysname hj-sw7
#
undo info-center enable
#
vlan batch 40 900
#
aaa
local-user aa password cipher #*C>*$C`S!INZPO3JBXBHA!!
local-user aa privilege level 3
local-user aa service-type telnet
#
interface Vlanif900
ip address 192.168.255.7 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 40 900
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 40 900
#
ip route-static 0.0.0.0 0.0.0.0 192.168.255.8
#
snmp-agent
snmp-agent community write 123
snmp-agent community read 456
snmp-agent sys-info version all
#
user-interface vty 0 4
authentication-mode aaa

Switch sw8 (core switch "hexin") configuration:

<hexin>dis cu
#
sysname hexin
#
undo info-center enable
#
vlan batch 10 20 30 40 200 800 900
#
dhcp enable
#
acl number 3000
rule 5 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.200.20 0
rule 10 deny ip destination 192.168.200.20 0
#
ip pool jxl-vlan30
gateway-list 192.168.30.1
network 192.168.30.0 mask 255.255.255.0
dns-list 114.114.114.114 8.8.8.8
#
ip pool syl-vlan10
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
dns-list 114.114.114.114 8.8.8.8
#
ip pool syl-vlan20
gateway-list 192.168.20.1
network 192.168.20.0 mask 255.255.255.0
dns-list 114.114.114.114 8.8.8.8
#
ip pool xzl-vlan40
gateway-list 192.168.40.1
network 192.168.40.0 mask 255.255.255.0
dns-list 114.114.114.114 8.8.8.8
#
aaa
local-user aa password cipher #*C>*$C`S!INZPO3JBXBHA!!
local-user aa privilege level 3
local-user aa service-type telnet
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
dhcp select global
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select global
#
interface Vlanif30
ip address 192.168.30.1 255.255.255.0
dhcp select global
#
interface Vlanif40
ip address 192.168.40.1 255.255.255.0
dhcp select global
#
interface Vlanif200
ip address 192.168.200.1 255.255.255.0
#
interface Vlanif800
ip address 192.168.254.2 255.255.255.0
#
interface Vlanif900
ip address 192.168.255.8 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 200 900
traffic-filter outbound acl 3000
mode lacp-static
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 900
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30 900
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 40 900
#
interface GigabitEthernet0/0/5
eth-trunk 1
#
interface GigabitEthernet0/0/6
port link-type access
port default vlan 900
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 800
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 192.168.200.0 0.0.0.255
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
network 192.168.254.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 192.168.254.1
#
snmp-agent
snmp-agent community write 123
snmp-agent community read 456
snmp-agent sys-info version all
#
user-interface vty 0 4
authentication-mode aaa

Switch sw9 (server switch) configuration:

<jr-sw9>dis cu
#
sysname jr-sw9
#
vlan batch 200 900
#
aaa
local-user aa password cipher #*C>*$C`S!INZPO3JBXBHA!!
local-user aa privilege level 3
local-user aa service-type telnet
#
interface Vlanif900
ip address 192.168.255.9 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 200 900
mode lacp-static
#
interface Ethernet0/0/2
port link-type access
port default vlan 200
#
interface Ethernet0/0/3
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.255.8
#
snmp-agent
snmp-agent community write 123
snmp-agent community read 456
snmp-agent sys-info version all
#
user-interface vty 0 4
authentication-mode aaa

Router AR7 (exit router "chukou") configuration:

<chukou>dis cu
#
sysname chukou
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent community write %$%$O-KBWOHE80q<Yq~x52(+,&u2%$%$
snmp-agent community read %$%$Gul(F64yYD@Y[d,66lt+,&u2%$%$
snmp-agent
#
acl number 2000
rule 5 permit source 192.168.0.0 0.0.255.255
#
acl number 3001
rule 5 permit ip destination 192.168.0.0 0.0.255.255
rule 10 deny ip source 192.168.20.0 0.0.0.255
#
aaa
local-user aa password cipher %$%$^w5F(%.*g@hz.>#n%2u3{#<2%$%$
local-user aa privilege level 3
local-user aa service-type telnet
#
interface GigabitEthernet0/0/1
ip address 13.1.1.1 255.255.255.248
nat server protocol tcp global current-interface www inside 192.168.200.10 www
nat outbound 2000
#
interface GigabitEthernet1/0/0
ip address 192.168.104.1 255.255.255.252
#
interface GigabitEthernet2/0/0
ip address 192.168.105.1 255.255.255.252
#
interface GigabitEthernet3/0/0
ip address 12.1.1.1 255.255.255.248
nat server protocol tcp global current-interface www inside 192.168.200.10 www
nat outbound 2000
#
interface GigabitEthernet4/0/0
ip address 192.168.254.1 255.255.255.0
traffic-filter inbound acl 3001
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 192.168.104.1 0.0.0.0
network 192.168.105.1 0.0.0.0
network 192.168.254.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.6
ip route-static 0.0.0.0 0.0.0.0 13.1.1.6 preference 70
#
user-interface vty 0 4
authentication-mode aaa

Router R1 (China Mobile) configuration:

<yidong>dis cu
#
sysname yidong
#
interface Ethernet0/0/0
ip address 12.1.1.6 255.255.255.248
#
interface Ethernet0/0/1
ip address 7.7.7.1 255.255.255.0
#
interface LoopBack0
description baidu
ip address 9.9.9.9 255.255.255.0

Router R2 (China Unicom) configuration:

<liantong>dis cu
#
sysname liantong
#
interface Ethernet0/0/0
ip address 13.1.1.6 255.255.255.248
#
interface LoopBack0
description baidu
ip address 9.9.9.9 255.255.255.0

Router R3 (new campus 1) configuration:

<xxq1>dis cu
#
sysname xxq1
#
aaa
local-user aa password cipher hf(q:QD,,#;BH^68NhwOmqj#
local-user aa privilege level 3
local-user aa service-type telnet
#
interface Ethernet0/0/0
ip address 192.168.100.1 255.255.255.0
#
interface Ethernet0/0/1
ip address 192.168.104.2 255.255.255.252
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 192.168.104.2 0.0.0.0
network 192.168.100.1 0.0.0.0
#
snmp-agent
snmp-agent community write 123
snmp-agent community read 456
snmp-agent sys-info version all
#
user-interface vty 0 4
authentication-mode aaa

Router R4 (new campus 2) configuration:

<xxq2>dis cu
#
sysname xxq2
#
aaa
local-user aa password cipher ZwsjHT#_>%ZypQCee$t3Pq%#
local-user aa privilege level 3
local-user aa service-type telnet
#
interface Ethernet0/0/0
ip address 192.168.105.2 255.255.255.252
#
interface Ethernet0/0/1
ip address 192.168.150.1 255.255.255.0
#
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 192.168.105.2 0.0.0.0
network 192.168.150.1 0.0.0.0
#
snmp-agent
snmp-agent community write 123
snmp-agent community read 456
snmp-agent sys-info version all
#
user-interface vty 0 4
authentication-mode aaa

Because the simulator's PC does not support Telnet, a router is used here to simulate a PC and test remote Telnet management of the devices.

<pc>dis cu
#
sysname pc
#
dhcp enable
#
interface Ethernet0/0/0
ip address dhcp-alloc

Verification of the lab results (the screenshots of the original post are not reproduced; only their captions survive):

1. IP addresses are obtained automatically
2. VLANs can reach each other
3. NAT address translation: my PC's address is 192.168.10.253, and when it accesses 9.9.9.9 (Baidu) the source is translated to the public address 12.1.1.1
4. Port mapping of the web server
5. Remote Telnet
6. With the China Mobile exit link down, the China Unicom backup still reaches Baidu at 9.9.9.9
7. VLAN 40 can access the enterprise finance server
8. Only VLAN 40 can access the finance server; the other VLANs cannot
9. VLAN 20 cannot access the Internet
