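Small and Medium-Sized Enterprise Network Design

I. Design requirements:

1) The manager's office, the equipment department and the HR office can access the external network; the external network cannot access the manager's office, the equipment department or the HR office; the finance department is not allowed to access the external network.

2) The manager's office can access the equipment department, the finance department and the HR office.

3) The HR office and the equipment department can access each other, but neither the HR office nor the equipment department can exchange traffic with the finance department.

4) Use Frame Relay so that the routers on the two sides of the cloud can communicate.

II. Network topology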

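3. Based on the topology diagram and the lab requirements, let's analyse the network as a whole. First, configure the VLANs on the layer-2 switches and add the corresponding ports to them, then configure inter-VLAN routing on the layer-3 switch. R1 and the layer-3 switch run a routing protocol, EIGRP. Note that the s1/0 interface on R1 must not be advertised into the dynamic routing protocol; instead we configure a default route pointing to the external network. The manager's office, the equipment department and the HR office must be able to access the external network, the external network must not be able to access them, and the finance department must not access the external network. To meet this requirement, PAT has to be configured on R1.

To let the manager's office access the equipment department, the finance department and the HR office, and to let the HR office and the equipment department access each other while neither exchanges traffic with the finance department, configure ACLs on the layer-3 switch and apply them on the VLAN interfaces, paying attention to the direction in which each ACL is applied. The last step is to configure a Frame Relay network.

4. Having analysed the whole network, we can start configuring.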

SW1

Switch(config)#vlan 10

Switch(config-vlan)#vlan 20

Switch(config-vlan)#vlan 30

Switch(config-vlan)#ex

Switch(config)#int f0/1

Switch(config-if)#sw

Switch(config-if)#switchport a

Switch(config-if)#switchport access v

Switch(config-if)#switchport access vlan 10

Switch(config-if)#int f0/2

Switch(config-if)#sw

Switch(config-if)#switchport a

Switch(config-if)#switchport access v

Switch(config-if)#switchport access vlan 20

Switch(config-if)#int f0/3

Switch(config-if)#sw

Switch(config-if)#switchport a

Switch(config-if)#switchport access v

Switch(config-if)#switchport access vlan 30

Switch(config-if)#int f0/10

Switch(config-if)#sw

Switch(config-if)#switchport m

Switch(config-if)#switchport mode t

Switch(config-if)#switchport mode trunk

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up

Switch(config-if)#int f0/15

Switch(config-if)#sw

Switch(config-if)#switchport m

Switch(config-if)#switchport mode t

Switch(config-if)#switchport mode trunk

SW2

Switch(config)#vlan 10

Switch(config-vlan)#vlan 20

Switch(config-vlan)#vlan 30

Switch(config-vlan)#int f0/4

Switch(config-if)#sw

Switch(config-if)#switchport a

Switch(config-if)#switchport access v

Switch(config-if)#switchport access vlan 10

Switch(config-if)#int f0/5

Switch(config-if)#sw

Switch(config-if)#switchport a

Switch(config-if)#switchport access v

Switch(config-if)#switchport access vlan 20

Switch(config-if)#int f0/6

Switch(config-if)#sw

Switch(config-if)#switchport a

Switch(config-if)#switchport access v

Switch(config-if)#switchport access vlan 30

Switch(config-if)#int f0/10

Switch(config-if)#sw

Switch(config-if)#switchport m

Switch(config-if)#switchport mode t

Switch(config-if)#switchport mode trunk

Switch(config-if)#int f0/20

Switch(config-if)#sw

Switch(config-if)#switchport m

Switch(config-if)#switchport mode t

Switch(config-if)#switchport mode trunk

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/20, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/20, changed state to up

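Note that the interfaces between switches must be set to trunk.

5. Configure the corresponding IP addresses on each router interface, on the layer-3 switch's routed port and on the SVI interfaces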

SW3

Switch(config)#vlan 10

Switch(config-vlan)#vlan 20

Switch(config-vlan)#vlan 30

Switch(config-vlan)#e

Switch(config)#int vlan 10

%LINK-5-CHANGED: Interface Vlan10, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up

Switch(config-if)#ip ad

Switch(config-if)#ip address 10.10.10.254 255.255.255.0

Switch(config-if)#no shut

Switch(config-if)#int vlan 20

%LINK-5-CHANGED: Interface Vlan20, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up

Switch(config-if)#ip ad

Switch(config-if)#ip address 20.20.20.254 255.255.255.0

Switch(config-if)#no shut

Switch(config-if)#int vlan 30

%LINK-5-CHANGED: Interface Vlan30, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan30, changed state to up

Switch(config-if)#ip ad

Switch(config-if)#ip address 30.30.30.254 255.255.255.0

Switch(config-if)#no shut

Switch(config-if)#int f0/1

Switch(config-if)#no sw

Switch(config-if)#no switchport

Switch(config-if)#ip ad

Switch(config-if)#ip address 10.10.0.254 255.255.255.0

Switch(config-if)#no shut

Switch(config-if)#ex

Switch(config)#ip ro

Switch(config)#ip rout

Switch(config)#ip routi

Switch(config)#ip routing

R1

Router(config)#host  Router1

Router1(config)#int f0/1

Router1(config-if)#ip ad

Router1(config-if)#ip address 10.10.0.1 255.255.255.0

Router1(config-if)#no shut

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Router1(config-if)#int f0/0

Router1(config-if)#ip ad

Router1(config-if)#ip address 10.0.0.1 255.255.255.0

Router1(config-if)#no shut

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Router(config-if)#int s1/0

Router(config-if)#ip ad

Router1(config-if)#ip address 11.1.1.2 255.255.255.0

Router1(config-if)#no shut

%LINK-5-CHANGED: Interface Serial1/0, changed state to down

Router1(config-if)#cla

Router1(config-if)#cl

Router1(config-if)#clock r

Router1(config-if)#clock rate 64000

R2

Router(config)#host  Router2

Router2(config)#int s1/1

Router2(config-if)#ip ad

Router2(config-if)#ip address 11.1.1.1 255.255.255.0

Router2(config-if)#no shut

%LINK-5-CHANGED: Interface Serial1/1, changed state to up

Router(config-if)#int s1/0

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up

Router(config-if)#ip ad

Router2(config-if)#ip address 12.1.1.1 255.255.255.0

Router2(config-if)#no shut

Router2(config-if)#

%LINK-5-CHANGED: Interface Serial1/0, changed state to up

R3

Router(config)#host  Router3

Router3(config)#int s1/1

Router3(config-if)#ip ad

Router3(config-if)#ip address 12.1.1.2 255.255.255.0

Router3(config-if)#no shut

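Note that on the layer-3 switch a port must first be turned into a routed port before an IP address can be configured on it, and the switch's routing function must also be enabled. The PC IP addresses you have to configure yourself; they are not covered here.

6. Now configure EIGRP on R1 and the layer-3 switch so that the internal networks can reach each other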

SW3

Switch(config)#router eigrp 100

Switch(config-router)#net

Switch(config-router)#network 10.10.10.0 0.0.0.255

Switch(config-router)#network 20.20.20.0 0.0.0.255

Switch(config-router)#network 30.30.30.0 0.0.0.255

Switch(config-router)#network 10.10.0.0 0.0.0.255

R1

Router1(config)#router eigrp 100

Router1(config-router)#net

Router1(config-router)#network 10.0.0.0 0.0.0.255

Router1(config-router)#network 10.10.0.0 0.0.0.255

Router(config-router)#

%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 10.10.0.254 (FastEthernet0/1) is up: new adjacency

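Now let's test whether the internal networks can reach each other.

We use pc1 in the equipment department to ping the HR office, the finance department and the manager's office in turn.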

PC>ping 30.30.30.2

Pinging 30.30.30.2 with 32 bytes of data:

Reply from 30.30.30.2: bytes=32 time=11ms TTL=127

Reply from 30.30.30.2: bytes=32 time=17ms TTL=127

Reply from 30.30.30.2: bytes=32 time=17ms TTL=127

Reply from 30.30.30.2: bytes=32 time=9ms TTL=127

Ping statistics for 30.30.30.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 9ms, Maximum = 17ms, Average = 13ms

PC>ping 20.20.20.2

Pinging 20.20.20.2 with 32 bytes of data:

Reply from 20.20.20.2: bytes=32 time=8ms TTL=127

Reply from 20.20.20.2: bytes=32 time=13ms TTL=127

Reply from 20.20.20.2: bytes=32 time=16ms TTL=127

Reply from 20.20.20.2: bytes=32 time=14ms TTL=127

Ping statistics for 20.20.20.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 8ms, Maximum = 16ms, Average = 12ms

PC>ping 10.0.0.2

Pinging 10.0.0.2 with 32 bytes of data:

Reply from 10.0.0.2: bytes=32 time=12ms TTL=126

Reply from 10.0.0.2: bytes=32 time=13ms TTL=126

Reply from 10.0.0.2: bytes=32 time=10ms TTL=126

Reply from 10.0.0.2: bytes=32 time=14ms TTL=126

Ping statistics for 10.0.0.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 10ms, Maximum = 14ms, Average = 12ms

Clearly the whole internal network is reachable.

Now ping an external address.

PC>ping 11.1.1.1

Pinging 11.1.1.1 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 11.1.1.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

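Clearly it does not get through.

But the manager's office, the equipment department and the HR office must be able to access the external network, the external network must not be able to access them, and the finance department must not access the external network. To meet this requirement, PAT has to be configured on R1.

To let the manager's office access the equipment department, the finance department and the HR office, and to let the HR office and the equipment department access each other while neither exchanges traffic with the finance department, configure ACLs on the layer-3 switch and apply them on the VLAN interfaces, paying attention to the direction in which each ACL is applied. Now let's start configuring.

7. Configure PAT on R1 and an ACL on the layer-3 switch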

R1

Router1(config)#int f0/0

Router1(config-if)#ip na

Router1(config-if)#ip nat i

Router1(config-if)#ip nat inside

Router(config-if)#int f0/1

Router1(config-if)#ip na

Router1(config-if)#ip nat i

Router1(config-if)#ip nat inside

Router1(config-if)#int s1/0

Router1(config-if)#ip na

Router1(config-if)#ip nat o

Router1(config-if)#ip nat outside

Router1(config-if)#ex

Router1(config)#ac

Router1(config)#access-list 1 d

Router1(config)#access-list 1 deny 20.20.20.0 0.0.0.255

Router1(config)#ac

Router1(config)#access-list 1 p

Router1(config)#access-list 1 permit a

Router1(config)#access-list 1 permit any

Router1(config)#ip rou

Router1(config)#ip route 0.0.0.0 0.0.0.0 11.1.1.1

Router1(config)#rou

Router1(config)#router e

Router1(config)#router eigrp 100

Router1(config-router)#re

Router1(config-router)#redistribute s

Router1(config-router)#redistribute static

SW3

Switch(config)#access-list 100 permit icmp 20.20.20.0 0.0.0.255 10.0.0.0 0.0.0.255

Switch(config)#int vlan 20

Switch(config-if)#ip a

Switch(config-if)#ip-

Switch(config-if)#ip ac

Switch(config-if)#ip access-group 100 in

Switch(config-if)#
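The step-7 configuration in running-config form, as an added example rather than the author's capture. The `ip nat inside source list 1 interface Serial1/0 overload` line does not appear in the session above and is an assumption about how access-list 1 is tied to PAT. The commented tighter variant of access-list 1 and the `show` commands are also additions.

```cisco
! ---- R1: PAT toward the outside, finance (20.20.20.0/24) excluded ----
interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1
 ip nat inside
interface Serial1/0
 ip nat outside
!
access-list 1 deny   20.20.20.0 0.0.0.255
access-list 1 permit any
! Tighter alternative (added) that replaces both lines above: name the
! translated subnets and let the implicit deny cover finance and any
! unexpected source arriving on an inside interface.
!  access-list 1 permit 10.0.0.0   0.0.0.255
!  access-list 1 permit 10.10.10.0 0.0.0.255
!  access-list 1 permit 30.30.30.0 0.0.0.255
!
! Assumed binding, not shown in the captured session: sources permitted by
! ACL 1 are translated to the Serial1/0 address with port overloading.
ip nat inside source list 1 interface Serial1/0 overload
!
ip route 0.0.0.0 0.0.0.0 11.1.1.1
router eigrp 100
 redistribute static
!
! ---- SW3: stateless filter on packets entering from VLAN 20 ----
access-list 100 permit icmp 20.20.20.0 0.0.0.255 10.0.0.0 0.0.0.255
! Everything else sourced from VLAN 20 falls to the implicit deny, including
! echo replies to 10.10.10.0/24 and 30.30.30.0/24 and all TCP/UDP to
! 10.0.0.0/24, so only ICMP works between finance and 10.0.0.0/24.
interface Vlan20
 ip access-group 100 in
!
! ---- Verification (privileged EXEC) ----
! Router1# show ip nat translations
! Router1# show ip nat statistics
! Router1# show access-lists 1
! Switch#  show access-lists 100
! Switch#  show ip interface vlan 20
```

Because access-list 100 is applied inbound on VLAN 20 and is stateless, a ping from another VLAN to 20.20.20.2 reaches the host but its reply is dropped at the SVI, which shows up as a timeout on the sender.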

After the configuration is complete, ping the external network again.

PC>ping 11.1.1.1

Pinging 11.1.1.1 with 32 bytes of data:

Reply from 11.1.1.1: bytes=32 time=88ms TTL=253

Reply from 11.1.1.1: bytes=32 time=15ms TTL=253

Reply from 11.1.1.1: bytes=32 time=21ms TTL=253

Reply from 11.1.1.1: bytes=32 time=19ms TTL=253

Ping statistics for 11.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 15ms, Maximum = 88ms, Average = 35ms

Clearly it works now.

The only thing left is the Frame Relay network.

8. Configure the Frame Relay network

R2

Router2(config)#int s1/0

Router2(config-if)#en

Router2(config-if)#encapsulation

Router2(config-if)#encapsulation f

Router2(config-if)#encapsulation frame-relay

Router2(config-if)#

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up

Router2(config-if)#f

Router2(config-if)#fr

Router2(config-if)#frame-relay i

Router2(config-if)#frame-relay interface-dlci 203

Router2(config-if)#

R3

Router3(config)#int s1/1

Router3(config-if)#en

Router3(config-if)#encapsulation f

Router3(config-if)#encapsulation frame-relay

Router3(config-if)#f

Router3(config-if)#fr

Router3(config-if)#frame-relay i

Router3(config-if)#frame-relay interface-dlci 302

Cloud0

s0

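Pay attention here: this alone does not work. I was careless before and forgot to press ADD; after pressing it, the result looks like this.

s1 is configured the same way.

OK, that completes all of the configuration. Now let's test against the lab requirements.

Test whether the equipment department and the finance department can access each other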

PC>ping 20.20.20.2

Pinging 20.20.20.2 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 20.20.20.2:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Clearly they cannot.

9. Test whether the finance department and the manager's office can access each other

PC>ping 10.0.0.2

Pinging 10.0.0.2 with 32 bytes of data:

Reply from 10.0.0.2: bytes=32 time=15ms TTL=126

Reply from 10.0.0.2: bytes=32 time=14ms TTL=126

Reply from 10.0.0.2: bytes=32 time=18ms TTL=126

Reply from 10.0.0.2: bytes=32 time=18ms TTL=126

Ping statistics for 10.0.0.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 14ms, Maximum = 18ms, Average = 16ms

Clearly they can.

Test whether the finance department can access the external network

PC>ping 11.1.1.1

Pinging 11.1.1.1 with 32 bytes of data:

Reply from 20.20.20.254: Destination host unreachable.

Reply from 20.20.20.254: Destination host unreachable.

Reply from 20.20.20.254: Destination host unreachable.

Reply from 20.20.20.254: Destination host unreachable.

Ping statistics for 11.1.1.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Clearly it cannot.

Test whether the external network can access the internal network

Router#ping 10.10.10.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

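Clearly it cannot.

10. At this point some readers will say: to keep the enterprise network cost-effective, not every device can be a Cisco device, so EIGRP cannot be used in the internal network. How is it configured then?

The second protocol is OSPF. You will have to do the basic configuration yourself; the difference pointed out here is the redistribution of the static route, and the commands are as follows.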

Router1

Router1(config)#router os

Router1(config)#router ospf 110

Router1(config-router)#de

Router1(config-router)#default-information

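Router1(config-router)#default-information originate

11. The third option, RIP, is for cases where the internal network is fairly small. Version 2 is used here; there are differences between version 1 and version 2, and if you want to know what they are, look them up on Baidu yourself (heh).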

Router1

Router1(config)#ip route  0.0.0.0 0.0.0.0 11.1.1.1

Router1(config)#router rip

Router(config-router)#version 2

Router1(config-router)#redistribute static

The article may contain many problems; I hope everyone can help me point them out.


