Simulator: Cisco Packet Tracer version 5.3.3.0019
A company's network topology is shown in the figure below; each department belongs to one VLAN. We need to configure port security on the layer-2 switches, and configure a security policy and traffic control on the layer-3 switch so that only the executive department can access the finance department. In addition, the external network must be able to reach the company's web server and FTP server, and finally external users must not be able to ping the egress router.
Department | IP address range | Gateway | VLAN
---|---|---|---
Finance | 172.16.10.0/24 | 172.16.10.1 | 10
R&D | 172.16.20.0/24 | 172.16.20.1 | 20
Executives | 172.16.30.0/24 | 172.16.30.1 | 30
Information center | 172.16.127.0/24 | 172.16.127.1 | 127
① Enable routing and create the corresponding SVI interfaces
Inter-VLAN communication can use either router-on-a-stick or SVIs (switch virtual interfaces). Because router-on-a-stick has a bandwidth limit and is a single point of failure, SVIs are the more common way to let different VLANs communicate. SVIs require a layer-3 switch. Each VLAN has one and only one SVI; the IP address is configured on the SVI, and each end host's gateway points to the layer-3 switch's IP address for that VLAN.
Switch(config)#ip routing //enable routing
Switch(config)#vlan 10
%LINK-5-CHANGED: Interface Vlan10, changed state to up
Switch(config-vlan)#exit
Switch(config)#int vlan 10
Switch(config-if)#ip add 172.16.10.1 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#exit
Switch(config)#vlan 20
Switch(config-vlan)#exit
Switch(config)#int vlan 20
%LINK-5-CHANGED: Interface Vlan20, changed state to up
Switch(config-if)#ip add 172.16.20.1 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#exit
Switch(config)#vlan 30
Switch(config-vlan)#exit
Switch(config)#int vlan 30
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan30, changed state to up
Switch(config-if)#ip add 172.16.30.1 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#exit
Switch(config)#vlan 127
Switch(config-vlan)#exit
Switch(config)#int vlan 127
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan127, changed state to up
Switch(config-if)#ip add 172.16.127.1 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#exit
Switch(config)#
② Configure the Fa0/5 interface facing the router as a layer-3 (routed) port
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface FastEthernet0/5
Switch(config-if)#no switchport
Switch(config-if)#ip add 172.16.40.1 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#exit
Switch(config)#
Switch#
③ Encapsulate dot1q on the interfaces directly connected to the layer-2 switches and set them as trunk links so that multiple VLANs can pass
Switch(config)#int range fa 0/1-4
Switch(config-if-range)#switchport trunk encapsulation dot1q //on this multilayer switch the encapsulation must be set first, otherwise "switchport mode trunk" is rejected
Switch(config-if-range)#switchport mode trunk
Switch(config-if-range)#exit
Switch(config)#
④ Configure an access control list (ACL) and apply it to VLAN 10
An extended access list is used here; a standard access list would also do. It restricts communication between the finance department and every department other than the executive department.
Switch(config)#access-list 100 permit ip 172.16.10.0 0.0.0.255 172.16.30.0 0.0.0.255 //finance may talk to executives
Switch(config)#access-list 100 deny ip any any //everything else entering from VLAN 10 is dropped
Switch(config)#int vlan 10
Switch(config-if)#ip access-group 100 in
Switch(config-if)#exit
Switch(config)#
Switch#
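An added example, not from the original lab: a short Python model of ACL 100 as applied inbound on the VLAN 10 SVI, evaluated against the ping tests later on the page. Because the ACL filters every packet sourced from 172.16.10.0/24, it also shows that finance's traffic to the VLAN 127 servers and to the internet is blocked, which is worth checking before using the same ACL in production; the host addresses are constructed.

```python
import ipaddress

# Added example (not from the lab): ACL 100 as configured on the layer-3 switch and
# applied inbound on the VLAN 10 SVI, so it filters packets *sourced* by finance hosts.
ACL_100 = [
    ("permit", "172.16.10.0/24", "172.16.30.0/24"),
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),  # the explicit "deny ip any any"
]
FINANCE = ipaddress.ip_network("172.16.10.0/24")

def acl_action(acl, src, dst):
    """IOS first-match semantics; an ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def inbound_acl_for(src):
    """Only the VLAN 10 SVI has an inbound ACL in this lab, so only finance-sourced packets are filtered."""
    return ACL_100 if ipaddress.ip_address(src) in FINANCE else None

def ping_succeeds(src, dst):
    """A ping needs both the echo request and the echo reply to pass the inbound ACLs."""
    for a, b in ((src, dst), (dst, src)):
        acl = inbound_acl_for(a)
        if acl is not None and acl_action(acl, a, b) == "deny":
            return False
    return True

# Constructed host addresses inside the lab's subnets.
FLOWS = {
    "rd_to_finance": ("172.16.20.2", "172.16.10.2"),          # test 3: must fail
    "exec_to_finance": ("172.16.30.2", "172.16.10.2"),        # test 3: must succeed
    "finance_to_web": ("172.16.10.2", "172.16.127.2"),        # side effect: also blocked
    "finance_to_internet": ("172.16.10.2", "200.200.100.2"),  # side effect: also blocked
}

def evaluate():
    """Map each flow name to whether a ping between the two hosts would complete."""
    return {name: ping_succeeds(s, d) for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name}: {'reachable' if ok else 'blocked by ACL 100'}")
```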
⑤ Use OSPF to advertise and update the routes
Switch(config)#router ospf 1
Switch(config-router)#network 172.16.10.0 0.0.0.255 area 0
Switch(config-router)#network 172.16.20.0 0.0.0.255 area 0
Switch(config-router)#network 172.16.30.0 0.0.0.255 area 0
Switch(config-router)#network 172.16.127.0 0.0.0.255 area 0
Switch(config-router)#network 172.16.40.0 0.0.0.255 area 0
Switch(config-router)#exit
Switch(config)#
⑥ Limit port traffic by MAC address
//Limit the port by MAC address: this configuration allows a trunk port to carry at most 50 MAC addresses; once 50 are in use, frames from new hosts are dropped.
Switch(config)#int fa 0/1
Switch(config-if)#switchport port-security //enable port security on the port; the maximum and violation settings only take effect once it is enabled
Switch(config-if)#switchport port-security maximum 50 //at most 50 MAC addresses may be learned on this port
Switch(config-if)#switchport port-security violation protect
//when the number of host MAC addresses exceeds 50 the switch keeps working, but frames from new hosts are dropped
Switch(config-if)#int fa 0/2
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 50
Switch(config-if)#switchport port-security violation protect
Switch(config-if)#int fa 0/3
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 50
Switch(config-if)#switchport port-security violation protect
Switch(config-if)#exit
① Configure NAPT address translation
Router0(config)#ip nat pool to-internet 200.200.100.1 200.200.100.1 netmask 255.255.255.0 //define the address pool (a single public address)
Router0(config)#access-list 1 permit 172.16.10.0 0.0.0.255 //define the internal addresses allowed to be translated
Router0(config)#access-list 2 permit 172.16.20.0 0.0.0.255
Router0(config)#access-list 3 permit 172.16.30.0 0.0.0.255
Router0(config)#access-list 4 permit 172.16.127.0 0.0.0.255
Router0(config)#ip nat inside source list 1 pool to-internet overload //translate the inside local addresses matched by the list to the pool, with port overloading
Router0(config)#ip nat inside source list 2 pool to-internet overload
Router0(config)#ip nat inside source list 3 pool to-internet overload
Router0(config)#ip nat inside source list 4 pool to-internet overload
//port mapping: map port 80 and port 21 of our public IP to the two servers respectively
Router0(config)#ip nat inside source static tcp 172.16.127.2 80 200.200.100.1 80
Router0(config)#ip nat inside source static tcp 172.16.127.3 21 200.200.100.1 21
Router0(config)#int fa 0/0 //define the inside interface
Router0(config-if)#ip nat inside
Router0(config-if)#exit
Router0(config)#int fa 0/1 //define the outside interface
Router0(config-if)#ip nat outside
Router0(config-if)#exit
Router0(config)#
② Use the OSPF dynamic routing protocol to advertise and update the routes
Router0(config)#router ospf 1
Router0(config-router)#network 172.16.40.0 0.0.0.255 area 0
Router0(config-router)#network 200.200.100.0 0.0.0.255 area 0
③ Configure an access control list so that external devices cannot ping the router's outside interface
Router0(config)#access-list 100 deny icmp any any echo
Router0(config)#access-list 100 permit ip any any
Router0(config)#int fa 0/1
Router0(config-if)#ip access-group 100 in
Router0(config-if)#exit
Router0(config)#
① Use the OSPF dynamic routing protocol to advertise and update the routes
Router1(config)#router ospf 1
Router1(config-router)#network 200.200.100.0 0.0.0.255 area 0
Router1(config-router)#network 172.18.10.0 0.0.0.255 area 0
Router1(config-router)#exit
Router1(config)#
② NAPT translation
Router1(config)#access-list 1 permit 172.18.10.0 0.0.0.255
Router1(config)#ip nat pool to-internet 200.200.100.2 200.200.100.2 netmask 255.255.255.0
Router1(config)#ip nat inside source list 1 pool to-internet overload
Router1(config)#int fa 0/0
Router1(config-if)#ip nat inside
Router1(config-if)#exit
Router1(config)#int fa 0/1
Router1(config-if)#ip nat outside
Router1(config-if)#exit
Create the corresponding VLAN on each layer-2 switch and assign the ports to it
① switch0 VLAN 10
Switch0(config)#vlan 10
Switch0(config-vlan)#exit
Switch0(config)#int range fa 0/1-2
Switch0(config-if-range)#switchport mode access
Switch0(config-if-range)#switchport access vlan 10
Switch0(config-if-range)#exit
Switch0(config)#
② switch1 VLAN 20
Switch1(config)#vlan 20
Switch1(config-vlan)#exit
Switch1(config)#int range fa 0/1-2
Switch1(config-if-range)#switchport mode access
Switch1(config-if-range)#switchport access vlan 20
Switch1(config-if-range)#exit
Switch1(config)#
③ switch2 VLAN 30
Switch2(config)#vlan 30
Switch2(config-vlan)#exit
Switch2(config)#int range fa 0/1-2
Switch2(config-if-range)#switchport mode access
Switch2(config-if-range)#switchport access vlan 30
Switch2(config-if-range)#exit
Switch2(config)#
④ switch3 VLAN 127
Switch3(config)#vlan 127
Switch3(config-vlan)#exit
Switch3(config)#int range fa 0/1-2
Switch3(config-if-range)#switchport mode access
Switch3(config-if-range)#switchport access vlan 127
Switch3(config-if-range)#exit
Switch3(config)#
Bind the ports to MAC addresses
//switch0
Switch0(config)#int range fa 0/1-2
Switch0(config-if-range)#switchport port-security //enable port security
Switch0(config-if-range)#switchport port-security violation restrict
//set the action taken when a security violation is detected: drop all frames from insecure hosts at the port-security process level and increment the security violation counter
Switch0(config-if-range)#switchport port-security mac-address sticky
//sticky MAC binding: the switch automatically learns the MAC address of the first device that connects and binds it to the port
Switch0(config-if-range)#exit
Switch0(config)#exit
//Note: first ping the other host connected to this switch, so that the MAC addresses of the devices on the connected ports are learned and bound automatically;
//otherwise the table below shows no binding information
switch0#show port-security address //view the port binding information
               Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type             Ports            Remaining Age
                                                              (mins)
----    -----------       ----             -----            -------------
10      0001.9753.07E6    SecureSticky     FastEthernet0/1  -
10      0005.5E80.674B    SecureSticky     FastEthernet0/2  -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
switch0#
//switch1
switch1(config)#int range fa 0/1-2
switch1(config-if-range)#switchport port-security
switch1(config-if-range)#switchport port-security violation restrict
switch1(config-if-range)#switchport port-security mac-address sticky
switch1(config-if-range)#exit
switch1(config)#exit
//Note: first ping the other host connected to this switch, so that the MAC addresses of the devices on the connected ports are learned and bound automatically;
//otherwise the table below shows no binding information
switch1#show port-security address //view the port binding information
               Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type             Ports            Remaining Age
                                                              (mins)
----    -----------       ----             -----            -------------
20      00E0.A369.CCA9    SecureSticky     FastEthernet0/1  -
20      0007.ECC1.0B62    SecureSticky     FastEthernet0/2  -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
switch1#
//switch2
switch2(config)#int range fa 0/1-2
switch2(config-if-range)#switchport port-security
switch2(config-if-range)#switchport port-security violation restrict
switch2(config-if-range)#switchport port-security mac-address sticky
switch2(config-if-range)#exit
switch2(config)#exit
//Note: first ping the other host connected to this switch, so that the MAC addresses of the devices on the connected ports are learned and bound automatically;
//otherwise the table below shows no binding information
switch2#show port-security address //view the port binding information
               Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type             Ports            Remaining Age
                                                              (mins)
----    -----------       ----             -----            -------------
30      00E0.F7EE.1A8D    SecureSticky     FastEthernet0/1  -
30      0010.11C0.E382    SecureSticky     FastEthernet0/2  -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
switch2#
//switch3
switch3(config)#int range fa 0/1-2
switch3(config-if-range)#switchport port-security
switch3(config-if-range)#switchport port-security violation restrict
switch3(config-if-range)#switchport port-security mac-address sticky
switch3(config-if-range)#exit
switch3(config)#exit
//Note: first ping the other host connected to this switch, so that the MAC addresses of the devices on the connected ports are learned and bound automatically;
//otherwise the table below shows no binding information
switch3#show port-security address //view the port binding information
               Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type             Ports            Remaining Age
                                                              (mins)
----    -----------       ----             -----            -------------
127     0030.F228.3956    SecureSticky     FastEthernet0/1  -
127     0003.E492.B354    SecureSticky     FastEthernet0/2  -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
switch3#
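An added example, not from the original lab, serving both the "maximum 50 / violation protect" configuration on the layer-3 switch's trunk ports and the sticky "violation restrict" binding on the layer-2 access ports above: a Python model of IOS port security that replays constructed frames through each mode, showing why a host must send traffic before its MAC is bound and how protect and restrict differ when a new MAC appears. The class, the spoofed MAC and the 51 trunk hosts are constructed for the example.

```python
from dataclasses import dataclass, field

# Added example (not from the lab): a model of IOS port security as used here, sticky
# learning + "violation restrict" on the access ports, "maximum 50" + "protect" on trunks.
@dataclass
class SecurePort:
    name: str
    maximum: int = 1             # IOS default: one secure MAC per port
    violation: str = "shutdown"  # IOS default violation mode
    sticky: bool = False
    secure_macs: list = field(default_factory=list)
    violation_count: int = 0
    err_disabled: bool = False

    def receive(self, src_mac):
        """Process an ingress frame with this source MAC; True if it is forwarded."""
        if self.err_disabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # Bound on the first frame the host sends, hence the lab's "ping first" note.
            self.secure_macs.append(src_mac)
            return True
        if self.violation == "protect":   # drop silently: no counter, no log
            return False
        if self.violation == "restrict":  # drop, count it, raise syslog/SNMP trap
            self.violation_count += 1
            return False
        self.err_disabled = True          # shutdown: the port goes err-disabled
        return False

    def show(self):
        """The per-port lines of 'show port-security address'."""
        kind = "SecureSticky" if self.sticky else "SecureDynamic"
        return [(mac, kind, self.name) for mac in self.secure_macs]

def simulate_access_port():
    """switch0 Fa0/1 (sticky + restrict): the MAC from the page, then a spoofed one (test 4)."""
    p = SecurePort("FastEthernet0/1", maximum=1, violation="restrict", sticky=True)
    results = [p.receive("0001.9753.07E6"),  # first frame: learned and bound
               p.receive("0001.9753.07E6"),  # same host: forwarded
               p.receive("00AA.BBBB.CCCC")]  # constructed spoofed MAC: dropped and counted
    return results, p.violation_count, p.show()

def simulate_trunk_port():
    """Layer-3 switch Fa0/1 (maximum 50 + protect): 51 constructed hosts, the 51st is dropped."""
    p = SecurePort("FastEthernet0/1", maximum=50, violation="protect")
    forwarded = [p.receive(f"0000.0000.{i:04X}") for i in range(51)]
    return forwarded.count(True), forwarded[-1], p.violation_count
```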
① NAPT translation test
//First ping 200.200.100.2 on the external network from internal PC 172.16.20.2, then view the address translation table
Router0#show ip nat translations
Pro  Inside global        Inside local        Outside local        Outside global
icmp 200.200.100.1:9     172.16.20.2:9       200.200.100.2:9      200.200.100.2:9
Router0#
② Test: external network pings the router's outside interface
The ping fails; the ACL is in effect
Router1#ping 200.200.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.100.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
Router1#
③ Finance department access test
//R&D pings finance: no communication
PC>ping 172.16.10.2
Pinging 172.16.10.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.10.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>
//Executives ping finance: communication works
PC>ping 172.16.10.2
Pinging 172.16.10.2 with 32 bytes of data:
Reply from 172.16.10.2: bytes=32 time=18ms TTL=127
Reply from 172.16.10.2: bytes=32 time=13ms TTL=127
Reply from 172.16.10.2: bytes=32 time=14ms TTL=127
Reply from 172.16.10.2: bytes=32 time=18ms TTL=127
Ping statistics for 172.16.10.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 13ms, Maximum = 18ms, Average = 15ms
PC>
④ Port security test
//After changing a PC's MAC address, it can no longer communicate with other devices: port security is working and drops its frames
⑤ Internal access to the web and FTP servers test
//Web and DNS service test
[Web browser screenshot: URL http://www.test.com/index.html loads the page titled "Cisco Packet Tracer" with the text "Welcome to Cisco Packet Tracer. Opening doors to new opportunities. Mind Wide Open." and Quick Links: A small page, Copyrights, Image page, Image]
//FTP service test
PC>ftp 172.16.127.3
Trying to connect...172.16.127.3
Connected to 172.16.127.3
220- Welcome to PT Ftp server
Username: cisco
331- Username ok, need password
Password:
230- Logged in
(passive mode On)
ftp>dir
Listing /ftp directory from 172.16.127.3:
0 : c1841-advipservicesk9-mz.124-15.T1.bin 33591768
1 : c1841-ipbase-mz.123-14.T7.bin 13832032
2 : c1841-ipbasek9-mz.124-12.bin 16599160
ftp>
⑥ External access to the web and FTP servers test
//Web and DNS service test
[Web browser screenshot: URL http://www.test.com/index.html loads the page titled "Cisco Packet Tracer" with the text "Welcome to our company" and Quick Links: A small page, Copyrights, Image page, Image]
//FTP service test
PC>ftp ftp.test.com
Trying to connect...ftp.test.com
Connected to 172.16.127.3
220- Welcome to PT Ftp server
Username: cisco
331- Username ok, need password
Password:
230- Logged in
(passive mode On)
ftp>