The network architecture diagram is as follows:
1 Network architecture design
1.1 Design description
The company network consists of a core layer and an access layer; the core layer is the backbone of the network.
Different departments use different VLANs.
Publish the server in vlan154 to the external network so that VM1 can reach it.
Allow the vlan155 subnet to access the external network.
The management VLAN is vlan100.
Use ACLs to strengthen network security.
1.2 IP address plan
vlan154: 172.16.154.0/24, gateway 172.16.154.254
vlan155: 172.16.155.0/24, gateway 172.16.155.254
vlan100: 172.16.100.0/24, gateway 172.16.100.254
2 Implementation
Create the VLANs and configure VTP synchronization; sw1 and sw2 are configured the same way:
SW_R(config)#hostname sw_r
sw_r(config)#ip routing
sw_r(config)#vlan 100
sw_r(config-vlan)#vlan 154
sw_r(config-vlan)#vlan 155
sw_r#show vlan-switch
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/1, Fa1/2, Fa1/3
                                                Fa1/4, Fa1/5, Fa1/6, Fa1/7
                                                Fa1/8, Fa1/9, Fa1/10, Fa1/11
                                                Fa1/12, Fa1/13, Fa1/14, Fa1/15
100  VLAN0100                         active
154  VLAN0154                         active
155  VLAN0155                         active
sw_r(config)#int range f1/1 , f1/3
sw_r(config-if-range)#sw mode trunk
sw_r(config)#vtp domain cisco
sw_r(config)#vtp password cisco
sw_r(config)#vtp mode server
sw_r(config)#vtp pruning
sw1(config)#hostname sw1
sw1(config)#int f1/1
sw1(config-if)#sw mo tr
sw1(config)#vtp domain cisco
sw1(config)#vtp password cisco
sw1(config)#vtp mode client
sw1#show vlan-switch
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/2, Fa1/3, Fa1/4
                                                Fa1/5, Fa1/6, Fa1/7, Fa1/8
                                                Fa1/9, Fa1/10, Fa1/11, Fa1/12
                                                Fa1/13, Fa1/14, Fa1/15
100  VLAN0100                         active
154  VLAN0154                         active
155  VLAN0155                         active
sw1(config)#int range f1/2 - 10
sw1(config-if-range)#sw mo access
sw1(config-if-range)#sw ac vlan 154
sw1(config)#int range f1/11 - 15
sw1(config-if-range)#sw mo access
sw1(config-if-range)#sw ac vlan 155
sw1#show vlan-switch
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0
100  VLAN0100                         active
154  VLAN0154                         active    Fa1/2, Fa1/3, Fa1/4, Fa1/5
                                                Fa1/6, Fa1/7, Fa1/8, Fa1/9
                                                Fa1/10
155  VLAN0155                         active    Fa1/11, Fa1/12, Fa1/13, Fa1/14
                                                Fa1/15
sw1#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa1/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/1       1-1005
Configure IP addresses:
sw_r(config)#int f1/4
sw_r(config-if)#no switchport
sw_r(config-if)#ip add 192.168.1.1 255.255.255.252
sw_r(config-if)#no sh
sw_r(config)#int vlan 100
sw_r(config-if)#ip add 172.16.100.254 255.255.255.0
sw_r(config-if)#no sh
sw_r(config-if)#int vlan 154
sw_r(config-if)#ip add 172.16.154.254 255.255.255.0
sw_r(config-if)#no sh
sw_r(config-if)#int vlan 155
sw_r(config-if)#ip add 172.16.155.254 255.255.255.0
sw_r(config-if)#no sh
sw_r#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset up down
FastEthernet1/1 unassigned YES unset up up
FastEthernet1/2 unassigned YES unset up down
FastEthernet1/3 unassigned YES unset up up
FastEthernet1/4 192.168.1.1 YES manual up up
FastEthernet1/5 unassigned YES unset up down
FastEthernet1/6 unassigned YES unset up down
FastEthernet1/7 unassigned YES unset up down
FastEthernet1/8 unassigned YES unset up down
FastEthernet1/9 unassigned YES unset up down
FastEthernet1/10 unassigned YES unset up down
FastEthernet1/11 unassigned YES unset up down
FastEthernet1/12 unassigned YES unset up down
FastEthernet1/13 unassigned YES unset up down
FastEthernet1/14 unassigned YES unset up down
FastEthernet1/15 unassigned YES unset up down
Vlan1 unassigned YES unset up up
Vlan100 172.16.100.254 YES manual up up
Vlan154 172.16.154.254 YES manual up up
Vlan155 172.16.155.254 YES manual up up
ROUTER(config)#hostname router
router(config)#int f0/0
router(config-if)#ip add 192.168.1.2 255.255.255.252
router(config-if)#no sh
router(config-if)#int f1/0
router(config-if)#ip add 10.1.1.1 255.255.255.252
router(config-if)#no sh
router(config-if)#end
router#show ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.2 YES manual up up
FastEthernet1/0 10.1.1.1 YES manual up up
FastEthernet2/0 unassigned YES unset administratively down down
router#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/64 ms
sw1(config-if)#int vlan 100
sw1(config-if)#ip add 172.16.100.1 255.255.255.0
sw1(config-if)#no sh
sw1(config)#ip default-gateway 172.16.100.254
sw1#show ip int Vlan 100
Vlan100 is up, line protocol is up
Internet address is 172.16.100.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
...
sw1# ping 172.16.100.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.254, timeout is 2 seconds:
!!!!!
sw3(config)#int vlan 100
sw3(config-if)#ip add 172.16.100.3 255.255.255.0
sw3(config-if)#no sh
sw3(config)#ip default-gateway 172.16.100.254
sw3#sh ip int vlan 100
Vlan100 is up, line protocol is up
Internet address is 172.16.100.3/24
Broadcast address is 255.255.255.255
Address determined by setup command
...
sw3#ping 172.16.100.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.254, timeout is 2 seconds:
.!!!!
Internet(config)#hostname Internet
Internet(config)#int f0/0
Internet(config-if)#ip add 10.1.1.2 255.255.255.252
Internet(config-if)#no sh
Internet(config-if)#int f1/0
Internet(config-if)#ip add 10.1.1.5 255.255.255.252
Internet(config-if)#no sh
Internet#sh ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.2 YES manual up up
FastEthernet1/0 10.1.1.5 YES manual up up
Internet#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/34/48 ms
R8(config)#hostname R8
R8(config)#int f0/0
R8(config-if)#ip add 10.1.1.6 255.255.255.252
R8(config-if)#no sh
R8(config-if)#int f1/0
R8(config-if)#ip add 192.168.60.254 255.255.255.0
R8(config-if)#no sh
Configure routing:
sw_r(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
router(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
router(config)#ip route 172.16.100.0 255.255.255.0 192.168.1.1
router(config)#ip route 172.16.154.0 255.255.255.0 192.168.1.1
router(config)#ip route 172.16.155.0 255.255.255.0 192.168.1.1
R8(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.5
Configure the DHCP service on the core switch:
sw_r(config)#ip dhcp pool vlan154
sw_r(dhcp-config)#network 172.16.154.0 255.255.255.0
sw_r(dhcp-config)#default-router 172.16.154.254
sw_r(dhcp-config)#dns-server 202.96.134.33 202.96.134.133
sw_r(config)#ip dhcp excluded-address 172.16.154.254
sw_r(config)#ip dhcp pool vlan155
sw_r(dhcp-config)#network 172.16.155.0 255.255.255.0
sw_r(dhcp-config)#dns-server 202.96.134.33 202.96.134.133
sw_r(dhcp-config)#default-router 172.16.155.254
sw_r(config)#ip dhcp excluded-address 172.16.155.254
A host in vlan155 obtains an IP address:
R6(config)#int f0/0
R6(config-if)#ip add dhcp
R6#sh ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.155.1 YES DHCP up up
FastEthernet0/1 unassigned YES unset administratively down down
Configure NAT so that vlan155 can access the external network:
ROUTER(config)#access-list 1 permit 172.16.155.0 0.0.0.255
ROUTER(config)#ip nat inside source list 1 interface f1/0 overload
ROUTER(config)#int f1/0
ROUTER(config-if)#ip nat outside
ROUTER(config)#int f0/0
ROUTER(config-if)#ip nat inside
R6#ping 10.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/68/128 ms
View the NAT statistics:
ROUTER#sh ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces:
FastEthernet1/0
Inside interfaces:
FastEthernet0/0
Hits: 54 Misses: 6
CEF Translated packets: 60, CEF Punted packets: 0
Expired translations: 4
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface FastEthernet1/0 refcount 2
Appl doors: 0
Normal doors: 0
Queued Packets: 0
View the NAT translation entries that currently exist. This requires that packets have actually been translated; if no packets have been translated, only the static NAT entries are shown.
ROUTER#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.1.1.1:20 172.16.155.1:20 10.1.1.6:20 10.1.1.6:20
icmp 10.1.1.1:21 172.16.155.1:21 10.1.1.6:21 10.1.1.6:21
icmp 10.1.1.1:22 172.16.155.1:22 10.1.1.6:22 10.1.1.6:22
Monitor NAT:
ROUTER#sh ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp 10.1.1.1:24 172.16.155.1:24 10.1.1.6:24 10.1.1.6:24
create 00:00:03, use 00:00:03 timeout:60000, left 00:00:56, Map-Id(In): 1,
flags:
extended, use_count: 0, entry-id: 17, lc_entries: 0
Publish the Web server to the external network:
ROUTER(config)#ip nat inside source static tcp 172.16.154.1 80 10.1.1.1 80 extendable
View the static NAT entry:
ROUTER#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 10.1.1.1:80 172.16.154.1:80 --- ---
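As an added example that is not part of the original writeup, the Python script below turns two pieces of this section into checks a practitioner can run: it evaluates the standard ACL `access-list 1 permit 172.16.155.0 0.0.0.255` using Cisco wildcard-mask semantics, parses `show ip nat translations` output (the sample table is constructed from the entries shown above), reports every static entry such as the published Web server as an exposed service, and flags any dynamic translation whose inside host is not covered by the NAT ACL. Function and variable names are the author's own choices for this example.

```python
import ipaddress

# Standard ACL 1 from this page's NAT config (wildcard mask: 0 = must match, 1 = don't care).
ACL_1 = [("permit", "172.16.155.0", "0.0.0.255")]
# Constructed sample of 'show ip nat translations', built from entries shown on this page.
SAMPLE_NAT_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.1.1:20       172.16.155.1:20    10.1.1.6:20        10.1.1.6:20
tcp 10.1.1.1:80        172.16.154.1:80    ---                ---
"""
def wildcard_match(addr, network, wildcard):
    """True if addr matches network under a Cisco wildcard mask."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # bits that must match
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)

def acl_permits(acl, addr):
    """Evaluate a standard ACL top-down; unmatched addresses hit the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False

def _endpoint(field):
    # '10.1.1.1:20' -> ('10.1.1.1', 20); '---' (unused side of a static entry) -> None
    ip, _, port = field.rpartition(":")
    return (ip, int(port)) if ip and port else None

def parse_nat_translations(text):
    """Turn the 'show ip nat translations' table into a list of dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue  # skip the header and blank lines
        keys = ("proto", "inside_global", "inside_local", "outside_local", "outside_global")
        rows.append(dict(zip(keys, [parts[0]] + [_endpoint(p) for p in parts[1:]])))
    return rows

def audit_translations(text, acl=ACL_1):
    """Report static entries as exposed services and dynamic entries outside the NAT ACL."""
    findings = []
    for row in parse_nat_translations(text):
        ip, port = row["inside_local"]
        if row["outside_local"] is None:  # static entry: permanent port forward
            findings.append(f"exposed {row['proto']}/{port} -> {ip}")
        elif not acl_permits(acl, ip):
            findings.append(f"unexpected dynamic translation for {ip}")
    return findings
```

Running `audit_translations(SAMPLE_NAT_OUTPUT)` on the sample above reports only the published Web server, since the ICMP entry belongs to the vlan155 subnet that ACL 1 permits.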
Open port 80 on the Web server.
Access from the client:
Configure Telnet remote management:
ROUTER(config)#line vty 0 4
ROUTER(config-line)#password cisco
ROUTER(config-line)#login
ROUTER(config)#enable secret cisco
Configure SSH remote management:
sw1(config)#ip domain-name cisco.com
sw1(config)#username best password best1
sw1(config)#crypto key generate rsa general-keys modulus 1024
sw1(config)#ip ssh version 2
sw1(config)#line vty 0 4
sw1(config-line)#login local
sw1(config-line)#transport input ssh #only allow SSH logins
Login methods:
From a Cisco network device: ssh -l best 192.168.1.1
From Xshell: ssh 172.16.100.254
Configure the console login password:
sw1(config)#line console 0
sw1(config-line)#password cisco
sw1(config-line)#login