
[eNSP] Campus network design (no redundancy)

Design requirements

  1. The information center uses Eth-Trunk for link redundancy
  2. The intranet is divided into multiple VLANs to shrink broadcast domains and improve network stability
  3. The core switch acts as the user gateway and provides inter-VLAN routing
  4. All users obtain IP addresses automatically
  5. NAT is configured at the egress for address translation
  6. Port 80 of the internal server is mapped at the egress so that external users can reach it
  7. All devices can be managed remotely via telnet
  8. All campuses can reach each other, and the egress is redundant
  9. The finance server may be accessed only by staff in VLAN 40
  10. Staff in VLAN 20 are denied Internet access, and key devices are monitored in real time

Topology diagram

Configuration details

I. VLAN trunk

First, configure the trunk ports and the VLAN assignment on the switches and routers.

//Access switch sw9 configuration
[JR_sw9]vlan batch 200 900
[JR_sw9]int Eth-Trunk 1	
[JR_sw9-Eth-Trunk1]mode lacp-static 
[JR_sw9-Eth-Trunk1]trunkport gi 0/0/1 0/0/2
[JR_sw9-Eth-Trunk1]port link-type trunk
[JR_sw9-Eth-Trunk1]port trunk allow-pass vlan 200 900  //vlan 900 is the telnet management VLAN
[JR_sw9]port-g g Ethernet 0/0/2 Ethernet 0/0/3
[JR_sw9-port-group]port link-type acc
[JR_sw9-Ethernet0/0/2]port link-type acc
[JR_sw9-Ethernet0/0/3]port link-type acc
[JR_sw9-port-group]port de vlan 200
[JR_sw9-Ethernet0/0/2]port de vlan 200
[JR_sw9-Ethernet0/0/3]port de vlan 200  //VLAN assignment
//Access switch sw5 configuration
[JR_sw5]vlan batch 10 900
[JR_sw5]port-g g e0/0/2 e0/0/3
[JR_sw5-port-group]port link-type acc
[JR_sw5-Ethernet0/0/2]port link-type acc
[JR_sw5-Ethernet0/0/3]port link-type acc
[JR_sw5-port-group]port de vlan 10
[JR_sw5-Ethernet0/0/2]port de vlan 10
[JR_sw5-Ethernet0/0/3]port de vlan 10
[JR_sw5-port-group]qu
[JR_sw5]int g0/0/1
[JR_sw5-GigabitEthernet0/0/1]port link-type trunk
[JR_sw5-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 900
//Access switch sw6 configuration
[JR_sw6]vlan batch 20 900
[JR_sw6]int e0/0/1
[JR_sw6-Ethernet0/0/1]port link-type acc
[JR_sw6-Ethernet0/0/1]port de vlan 20
[JR_sw6-Ethernet0/0/1]qu
[JR_sw6]int g0/0/1
[JR_sw6-GigabitEthernet0/0/1]port link-type trunk 	
[JR_sw6-GigabitEthernet0/0/1]port trunk allow-pass vlan 20 900
//Aggregation switch sw2 configuration
[HJ_sw2]vlan batch 20 10 900
[HJ_sw2]int g0/0/2
[HJ_sw2-GigabitEthernet0/0/2]port link-ty trunk
[HJ_sw2-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 900
[HJ_sw2-GigabitEthernet0/0/2]qu
[HJ_sw2]int g0/0/3
[HJ_sw2-GigabitEthernet0/0/3]port link-type trunk 
[HJ_sw2-GigabitEthernet0/0/3]port trunk allow-pass vlan 20 900
[HJ_sw2-GigabitEthernet0/0/3]qu
[HJ_sw2]int g0/0/1	
[HJ_sw2-GigabitEthernet0/0/1]port link-type trunk 	
[HJ_sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 900  
//The aggregation and access switches of the teaching building and the administration building are configured the same way and are not shown
//Core switch sw1 configuration
[HX_sw1]vlan batch 10 20 30 40 200 800 900
[HX_sw1]int Eth-Trunk 1
[HX_sw1-Eth-Trunk1]mode lacp-static 
[HX_sw1-Eth-Trunk1]trunkport gi 0/0/2 0/0/5
[HX_sw1-Eth-Trunk1]port link-type trunk
[HX_sw1-Eth-Trunk1]port trunk allow-pass vlan 200 900
[HX_sw1]int g0/0/1
[HX_sw1-GigabitEthernet0/0/1]port link-ty trunk 	
[HX_sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 900
[HX_sw1-GigabitEthernet0/0/1]qu
[HX_sw1]int g0/0/3
[HX_sw1-GigabitEthernet0/0/3]port link-ty trunk 	
[HX_sw1-GigabitEthernet0/0/3]port trunk allow-pass vlan 30 900
[HX_sw1-GigabitEthernet0/0/3]qu
[HX_sw1]int g0/0/4
[HX_sw1-GigabitEthernet0/0/4]port link-ty trunk
[HX_sw1-GigabitEthernet0/0/4]port trunk allow-pass vlan 40 900
[HX_sw1-GigabitEthernet0/0/4]qu
[HX_sw1]int g0/0/24	
[HX_sw1-GigabitEthernet0/0/24]port link-ty acc
[HX_sw1-GigabitEthernet0/0/24]port de vlan 800

II. Gateway SVI configuration

//Assign an IP address to each VLAN interface to serve as the user gateway and provide inter-VLAN routing
[HX_sw1]int vlanif 10
[HX_sw1-Vlanif10]ip add 192.168.10.1 24
[HX_sw1-Vlanif10]qu
[HX_sw1]in vlanif 20 
[HX_sw1-Vlanif20]ip add 192.168.20.1 24
[HX_sw1-Vlanif20]qu
[HX_sw1]int vlanif 30
[HX_sw1-Vlanif30]ip add 192.168.30.1 24
[HX_sw1-Vlanif30]qu
[HX_sw1]int vlanif 40
[HX_sw1-Vlanif40]ip add 192.168.40.1 24
[HX_sw1-Vlanif40]qu
[HX_sw1]int vlanif 200
[HX_sw1-Vlanif200]ip add 192.168.200.1 24
[HX_sw1]int vlanif 800
[HX_sw1-Vlanif800]ip add 192.168.254.2 24

III. DHCP configuration

//Devices in each VLAN automatically obtain an address with the matching gateway
[HX_sw1]dhcp en
[HX_sw1]ip pool SYL_vlan10
[HX_sw1-ip-pool-syl_vlan10]network 192.168.10.0 mask 24	
[HX_sw1-ip-pool-syl_vlan10]gateway-list 192.168.10.1
[HX_sw1-ip-pool-syl_vlan10]dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-syl_vlan10]qu
[HX_sw1]ip pool syl_vlan20
[HX_sw1-ip-pool-syl_vlan20] gateway-list 192.168.20.1
[HX_sw1-ip-pool-syl_vlan20] network 192.168.20.0 mask 255.255.255.0
[HX_sw1-ip-pool-syl_vlan20] dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-syl_vlan20]
[HX_sw1-ip-pool-syl_vlan20]ip pool jxl_vlan30
[HX_sw1-ip-pool-jxl_vlan30] gateway-list 192.168.30.1
[HX_sw1-ip-pool-jxl_vlan30] network 192.168.30.0 mask 255.255.255.0
[HX_sw1-ip-pool-jxl_vlan30] dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-jxl_vlan30]
[HX_sw1-ip-pool-jxl_vlan30]ip pool xzl_vlan40
[HX_sw1-ip-pool-xzl_vlan40] gateway-list 192.168.40.1
[HX_sw1-ip-pool-xzl_vlan40] network 192.168.40.0 mask 255.255.255.0
[HX_sw1-ip-pool-xzl_vlan40] dns-list 114.114.114.114 8.8.8.8
[HX_sw1-ip-pool-xzl_vlan40]qu

IV. OSPF configuration

[R1]dis ip int bri
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 6
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 6
The number of interface that is DOWN in Protocol is 2

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              192.168.254.1/24     up         up        
GigabitEthernet0/0/1              unassigned           down       down      
GigabitEthernet0/0/2              unassigned           down       down      
GigabitEthernet1/0/0              192.168.104.1/30     up         up        
GigabitEthernet2/0/0              12.1.1.1/29          up         up        
GigabitEthernet3/0/0              13.1.1.1/29          up         up        
GigabitEthernet4/0/0              192.168.105.1/30     up         up        
NULL0                             unassigned           up         up(s)     
[R1]   //The interface IP addresses have been configured; the steps are not shown
[HX_sw1-ospf-1]dis this
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 192.168.200.0 0.0.0.255
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 192.168.40.0 0.0.0.255
  network 192.168.254.0 0.0.0.255
#
return  //Network segments advertised on the switch; the advertisement steps on the other routers and switches are not shown
[HX_sw1]dis ip routing-table  //sw1's routing table with the routes learned via OSPF

Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------

Routing Tables: Public
         Destinations : 18       Routes : 18       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

   192.168.10.0/24  Direct  0    0           D   192.168.10.1    Vlanif10
   192.168.10.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
   192.168.20.0/24  Direct  0    0           D   192.168.20.1    Vlanif20
   192.168.20.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
   192.168.30.0/24  Direct  0    0           D   192.168.30.1    Vlanif30
   192.168.30.1/32  Direct  0    0           D   127.0.0.1       Vlanif30
   192.168.40.0/24  Direct  0    0           D   192.168.40.1    Vlanif40
   192.168.40.1/32  Direct  0    0           D   127.0.0.1       Vlanif40
  192.168.100.0/24  OSPF    10   3           D   192.168.254.1   Vlanif800
  192.168.104.0/30  OSPF    10   2           D   192.168.254.1   Vlanif800
  192.168.105.0/30  OSPF    10   2           D   192.168.254.1   Vlanif800
  192.168.150.0/24  OSPF    10   3           D   192.168.254.1   Vlanif800
  192.168.200.0/24  Direct  0    0           D   192.168.200.1   Vlanif200
  192.168.200.1/32  Direct  0    0           D   127.0.0.1       Vlanif200
  192.168.254.0/24  Direct  0    0           D   192.168.254.2   Vlanif800
  192.168.254.2/32  Direct  0    0           D   127.0.0.1       Vlanif800

The internal network is now fully connected; connectivity can be verified by testing (method not shown).

V. WAN egress path selection

Egress path selection is usually handled by a firewall; here we use a router as the egress device instead.

[HX_sw1]ip route-static 0.0.0.0 0.0.0.0 192.168.254.1
[R1]ip route-static 0.0.0.0 0 12.1.1.6
[R1]ip route-static 0.0.0.0 0 13.1.1.6 pre 80  //Configure default routes with a preference value so that the China Unicom link acts as the backup

Next, configure loopback addresses on R2 and R3 to simulate Baidu on the Internet at 9.9.9.9.

[YD_R2]int loo 0
[YD_R2-LoopBack0]ip add 9.9.9.9 24
[YD_R2-LoopBack0]description baidu
[LT_R3]int loo 0
[LT_R3-LoopBack0]ip add 9.9.9.9 24

VI. NAT configuration

The intranet can now reach the carrier networks, but NAT must translate the private addresses to public ones before hosts can connect to the Internet.

[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R1-acl-basic-2000]q
[R1]int g2/0/0
[R1-GigabitEthernet2/0/0]nat outbound 2000
[R1-GigabitEthernet2/0/0]q
[R1]int g3/0/0
[R1-GigabitEthernet3/0/0]nat outbound 2000
[R1-GigabitEthernet3/0/0]   //PCs can now ping the external network (9.9.9.9)
[R1-GigabitEthernet2/0/0]nat server protocol tcp global current-interface 80 inside 192.168.200.10 80
Warning:The port 80 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
[R1-GigabitEthernet2/0/0]int g3/0/0
[R1-GigabitEthernet3/0/0]nat server protocol tcp global current-interface www inside 192.168.200.10 www
Warning:The port 80 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y    //Map the internal web service out through port 80

VII. Telnet remote management configuration

[HX_sw1]aaa
[HX_sw1-aaa]local-user xs privilege level 3 password cipher 123
[HX_sw1-aaa]local-user xs service-type telnet 
[HX_sw1-aaa]q	
[HX_sw1]user-interface vty 0 4
[HX_sw1-ui-vty0-4]authentication-mode aaa  //Telnet on the other routers and switches is configured with the same commands
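The telnet setup above is the part of this design a defender would review first: telnet carries the login in cleartext, the local user gets privilege level 3, and the VTY lines have no ACL limiting where logins may come from. The following added Python example (not from the original post) parses a VRP-style configuration fragment and reports those points; the sample text is constructed to mirror the page's commands, and the `acl <number> inbound` VTY command it looks for is standard VRP syntax.

```python
import re

# Constructed sample written the way the page's telnet configuration would
# appear in a saved VRP configuration; it is not output from the lab devices.
SAMPLE_CONFIG = """\
aaa
 local-user xs privilege level 3 password cipher 123
 local-user xs service-type telnet
#
user-interface vty 0 4
 authentication-mode aaa
#
"""


def parse_blocks(config):
    """Split a VRP config into (header, [body lines]) pairs; '#' ends a block."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line == "#" or not line:
            if header is not None:
                blocks.append((header, body))
            header, body = None, []
        elif line.startswith(" "):
            body.append(line.strip())
        else:
            header = line
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_remote_management(config):
    """Return the management-plane findings a reviewer would raise for this config."""
    findings = []
    for header, body in parse_blocks(config):
        if header == "aaa":
            for line in body:
                m = re.match(r"local-user (\S+) service-type (.+)", line)
                if m and "telnet" in m.group(2).split():
                    findings.append(f"{m.group(1)}: telnet sends credentials in cleartext; prefer STelnet (SSH)")
                m = re.match(r"local-user (\S+) privilege level (\d+)", line)
                if m and int(m.group(2)) >= 3:
                    findings.append(f"{m.group(1)}: privilege level {m.group(2)} grants full configuration rights")
        elif header.startswith("user-interface vty"):
            # VRP accepts "acl <number> inbound" in the VTY view to restrict login sources
            if not any(l.startswith("acl ") for l in body):
                findings.append(f"{header}: no inbound ACL limits management sources")
            if "authentication-mode aaa" not in body:
                findings.append(f"{header}: authentication-mode is not aaa")
    return findings
```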

VIII. Access control configuration

[HX_sw1]acl 3000
[HX_sw1-acl-adv-3000]rule permit ip source 192.168.40.0 0.0.0.255 destination 192.168.200.20 0
[HX_sw1-acl-adv-3000]rule deny ip source any destination 192.168.200.20 0
[HX_sw1-acl-adv-3000]q
[HX_sw1]int Eth-Trunk 1
[HX_sw1-Eth-Trunk1]traffic-filter outbound acl 3000
[HX_sw1-Eth-Trunk1]dis this
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 200 900
 traffic-filter outbound acl 3000
 mode lacp-static
#
return  //Only VLAN 40 (administration building) may access the finance server (192.168.200.20)
[R1]acl 3001
[R1-acl-adv-3001]rule permit ip destination 192.168.0.0 0.0.255.255
[R1-acl-adv-3001]rule deny ip source 192.168.20.0 0.0.0.255
[R1-acl-adv-3001]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3001  //Deny VLAN 20 access to the external network
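To see what ACL 3000 and ACL 3001 actually allow, here is an added Python example (not from the original post) that re-implements VRP wildcard-mask matching and first-match evaluation. It also models the traffic-filter behaviour that packets matching no rule are permitted, which ACL 3001 relies on to let the other VLANs reach the Internet. The rules are transcribed from the page; the sample flows are constructed.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """VRP wildcard semantics: every bit that is 0 in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


ANY = ("0.0.0.0", "255.255.255.255")

# Rules as configured on the page: (action, (source, wildcard), (destination, wildcard)).
# A destination wildcard of "0" on the CLI means a single host, i.e. 0.0.0.0 here.
ACL_3000 = [  # traffic-filter outbound on HX_sw1 Eth-Trunk1, toward the server VLAN
    ("permit", ("192.168.40.0", "0.0.0.255"), ("192.168.200.20", "0.0.0.0")),
    ("deny",   ANY,                           ("192.168.200.20", "0.0.0.0")),
]
ACL_3001 = [  # traffic-filter inbound on R1 GigabitEthernet0/0/0, from the core switch
    ("permit", ANY,                           ("192.168.0.0", "0.0.255.255")),
    ("deny",   ("192.168.20.0", "0.0.0.255"), ANY),
]


def evaluate(acl, src, dst):
    """First matching rule wins; VRP traffic-filter permits packets no rule matches."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "permit"


def check_design_goals():
    """Constructed flows exercising requirements 9 and 10 of the design."""
    return {
        "vlan40 -> finance":  evaluate(ACL_3000, "192.168.40.5", "192.168.200.20"),
        "vlan10 -> finance":  evaluate(ACL_3000, "192.168.10.5", "192.168.200.20"),
        "vlan10 -> web":      evaluate(ACL_3000, "192.168.10.5", "192.168.200.10"),
        "vlan20 -> internet": evaluate(ACL_3001, "192.168.20.7", "9.9.9.9"),
        "vlan20 -> vlan30":   evaluate(ACL_3001, "192.168.20.7", "192.168.30.9"),
        "vlan10 -> internet": evaluate(ACL_3001, "192.168.10.7", "9.9.9.9"),
    }
```

Note that ACL 3000 sits on the trunk into the server VLAN, so it also stops traffic arriving from the egress router from reaching the finance server, while the web server at 192.168.200.10 is untouched by it.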

IX. SNMP operations monitoring

Operations monitoring involves many different products; choose and configure one yourself. It is not covered here.