Not long ago I worked on a small project: a company needed its existing network reorganised to support its growth:
1. Divide the departments into separate network zones and manage each zone separately, while making sure every zone can reach the public Internet normally.
The zones are Sales, Finance, Information Security, Senior Management, Marketing, the server zone, and two lecture classrooms.
2. To standardise management across the company, the following network restrictions are required.
a) Block QQ for every department except the Senior Management office.
b) Classrooms may only access the external network between 12:30 and 13:30 each day.
c) Restrictions and settings for the server zone:
- Jinhe OA collaborative office server: every department may access it, but only Information Security staff may manage it remotely. The Jinhe OA system runs Windows 2003 and exposes port 3389 for remote management.
- UFIDA U8 financial system: only Finance and Senior Management may access it, and only over the web.
- Company website server, built on a LAMP stack: Marketing manages it and may upload or download data over FTP; other departments get web access only.
- Company distance-education server: only the lecturers' teacher machines and the teacher machines in the remote classrooms may access it.
3. Configure a DHCP server; in each of the two lecture classrooms, the two teacher machines use static IP addresses.
4. Build a distance-teaching system connecting three branch centres to the company; one branch centre additionally connects to a local university classroom.
Based on the above, the topology diagram is as follows:
The core router configuration is as follows:
interface e0/0
no ip address
! loopback interface (stable address, also picked up as the OSPF router ID)
interface loopback 0
ip address 1.1.1.1 255.255.255.255
Configure DHCP
ip dhcp pool xiaoshou
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool caiwu
network 192.168.15.0 255.255.255.0
default-router 192.168.15.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool xinxi
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool gaoceng
network 192.168.25.0 255.255.255.0
default-router 192.168.25.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool shichang
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool jiaoshi1
network 192.168.35.0 255.255.255.0
default-router 192.168.35.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool jiaoshi2
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 202.106.0.20
lease 2
exit
Reserved IP addresses (excluded from the pools: gateways, and the static teacher machines in each classroom)
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.15.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.25.1
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.35.1 192.168.35.3
ip dhcp excluded-address 192.168.40.1 192.168.40.3
Configure subinterfaces to connect the different VLANs
interface eth0/0.1
encapsulation dot1Q 100
ip address 192.168.10.1 255.255.255.0
ip access-group xiaoshou in
ip nat inside
exit
interface eth0/0.2
encapsulation dot1Q 200
ip address 192.168.15.1 255.255.255.0
ip access-group caiwu in
ip nat inside
exit
interface eth0/0.3
encapsulation dot1Q 300
ip address 192.168.20.1 255.255.255.0
ip access-group xinxi in
ip nat inside
exit
interface eth0/0.4
encapsulation dot1Q 400
ip address 192.168.25.1 255.255.255.0
ip access-group gaoceng in
ip nat inside
exit
interface eth0/0.5
encapsulation dot1Q 500
ip address 192.168.30.1 255.255.255.0
ip access-group shichang in
ip nat inside
exit
interface eth0/0.6
encapsulation dot1Q 600
ip address 192.168.35.1 255.255.255.0
ip access-group jiaoshi in
ip nat inside
exit
interface eth0/0.7
encapsulation dot1Q 700
ip address 192.168.40.1 255.255.255.0
ip access-group jiaoshi in
ip nat inside
exit
interface eth0/0.8
encapsulation dot1Q 800
ip address 192.168.45.1 255.255.255.0
! the "server" ACL matches traffic destined to the servers, so it belongs outbound
! on the server subinterface; applied inbound it would drop the servers' own replies
ip access-group server out
ip nat inside
exit
interface eth0/0.9
encapsulation dot1Q 900
ip address 192.168.50.1 255.255.255.0
ip nat inside
exit
interface eth0/0.10
encapsulation dot1Q 1000
ip address 201.241.1.195 255.255.255.224
ip nat outside
exit
Default route
ip route 0.0.0.0 0.0.0.0 201.241.1.193
Configure OSPF (link-state routing protocol)
router ospf 100
! no OSPF neighbours are expected on the ISP link, so send no hellos there
passive-interface eth0/0.10
network 192.168.10.0 0.0.0.255 area 0
network 192.168.15.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.25.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.35.0 0.0.0.255 area 0
network 192.168.40.0 0.0.0.255 area 0
network 192.168.45.0 0.0.0.255 area 0
network 192.168.50.0 0.0.0.255 area 0
network 201.241.1.192 0.0.0.31 area 0
Dynamic address translation (NAT)
! the pool mask must match the /27 of the outside interface (eth0/0.10)
ip nat pool liyang 201.241.1.195 201.241.1.198 netmask 255.255.255.224
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 pool liyang overload
Configure ACLs for security management
ip access-list extended caiwu
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000
permit ip any any
! named gaoceng to match "ip access-group gaoceng in" on eth0/0.4; Senior Management
! keeps QQ, so this list has no UDP 8000 deny
ip access-list extended gaoceng
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
permit ip any any
Time restriction
time-range time
periodic daily 12:30 to 13:30
ip access-list extended jiaoshi
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
! UDP 8000 is the QQ port
deny udp any any eq 8000
! DHCP must keep working outside the window
permit udp any eq bootpc any eq bootps
! traffic to the internal VLANs (including the server zone) is allowed at any time
permit ip any 192.168.0.0 0.0.255.255
! everything else, i.e. the public Internet, only during the time-range; matching only
! the ISP /27 here would let traffic to any other public address fall through
permit ip any any time-range time
deny ip any any
ip access-list extended server
permit tcp any host 192.168.45.2 eq www
permit tcp 192.168.20.0 0.0.0.255 host 192.168.45.2 eq 3389
permit tcp 192.168.15.0 0.0.0.255 host 192.168.45.3 eq www
permit tcp 192.168.25.0 0.0.0.255 host 192.168.45.3 eq www
permit tcp any host 192.168.45.4 eq www
permit tcp 192.168.30.0 0.0.0.255 host 192.168.45.4 eq ftp
permit tcp 192.168.30.0 0.0.0.255 host 192.168.45.4 eq 22
permit ip host 192.168.35.2 host 192.168.45.5
permit ip host 192.168.35.3 host 192.168.45.5
permit ip host 192.168.40.2 host 192.168.45.5
permit ip host 192.168.40.3 host 192.168.45.5
permit ip host 192.168.1.2 host 192.168.45.5
permit ip host 192.168.2.2 host 192.168.45.5
deny ip any any
ip access-list extended shichang
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000
permit ip any any
ip access-list extended xiaoshou
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000
permit ip any any
ip access-list extended xinxi
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000
permit ip any any
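A quick way to check that a rule set really enforces the written requirements is to replay representative flows through a first-match evaluator before pushing the config. The script below is an added example and not part of the original post or of any Cisco tooling: it parses the page's "server" ACL (trimmed to the lines exercised) and the classroom rules in two forms, exactly as the page gives them and in a rewritten form where the deny no longer targets only the ISP /27. The time-range handling models a single "periodic daily" window, interface direction and source ports are not modelled, and the public address 198.51.100.9 is a constructed TEST-NET-2 value.

```python
from datetime import time
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "ftp": 21, "domain": 53, "bootps": 67, "bootpc": 68}
# time-range "time" from the page: periodic daily 12:30 to 13:30
TIME_RANGES = {"time": (time(12, 30), time(13, 30))}


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' (ipaddress accepts a hostmask)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq <port>' given as a name or a number."""
    if tokens[:1] == ["eq"]:
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'permit|deny proto src [eq p] dst [eq p] [time-range name]' lines."""
    aces = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line[0] == "!" or line.startswith("ip access-list"):
            continue
        t = line.split()
        action, proto, rest = t[0], t[1], t[2:]
        src, rest = _addr(rest)
        _sport, rest = _port(rest)      # source ports are parsed but not matched here
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        trange = rest[1] if rest[:1] == ["time-range"] else None
        aces.append((action, proto, src, dst, dport, trange))
    return aces


def evaluate(aces, proto, src, dst, dport, now=time(9, 0)):
    """First matching ACE decides; every Cisco ACL ends with an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, aproto, asrc, adst, adport, trange in aces:
        if aproto != "ip" and aproto != proto:
            continue
        if s not in asrc or d not in adst:
            continue
        if adport is not None and adport != dport:
            continue
        if trange and not TIME_RANGES[trange][0] <= now <= TIME_RANGES[trange][1]:
            continue
        return action
    return "deny"


# Server-zone ACL from the page, trimmed to the lines the flows below exercise.
SERVER_ACL = """
permit tcp any host 192.168.45.2 eq www
permit tcp 192.168.20.0 0.0.0.255 host 192.168.45.2 eq 3389
permit tcp 192.168.15.0 0.0.0.255 host 192.168.45.3 eq www
permit tcp any host 192.168.45.4 eq www
permit tcp 192.168.30.0 0.0.0.255 host 192.168.45.4 eq ftp
permit ip host 192.168.35.2 host 192.168.45.5
deny ip any any
"""
# Classroom rules as the page gives them (NetBIOS denies omitted): the deny only
# covers the ISP /27, so a flow to any other public address falls through.
JIAOSHI_AS_WRITTEN = """
deny udp any any eq 8000
permit ip any 201.241.1.192 0.0.0.31 time-range time
deny ip any 201.241.1.192 0.0.0.31
permit ip any any
"""
# Rewritten form: internal VLANs always, everything else only inside the window.
JIAOSHI_FIXED = """
deny udp any any eq 8000
permit ip any 192.168.0.0 0.0.255.255
permit ip any any time-range time
deny ip any any
"""


def check_requirements():
    """Constructed flows against the page's requirements; returns name -> decision."""
    srv, old, new = parse_acl(SERVER_ACL), parse_acl(JIAOSHI_AS_WRITTEN), parse_acl(JIAOSHI_FIXED)
    noon = time(12, 45)           # inside the 12:30-13:30 window; default now is 09:00
    pub = "198.51.100.9"          # constructed public address (TEST-NET-2)
    return {
        "oa_rdp_xinxi":      evaluate(srv, "tcp", "192.168.20.5", "192.168.45.2", 3389),
        "oa_rdp_sales":      evaluate(srv, "tcp", "192.168.10.20", "192.168.45.2", 3389),
        "u8_web_caiwu":      evaluate(srv, "tcp", "192.168.15.7", "192.168.45.3", 80),
        "u8_web_shichang":   evaluate(srv, "tcp", "192.168.30.7", "192.168.45.3", 80),
        "site_ftp_shichang": evaluate(srv, "tcp", "192.168.30.7", "192.168.45.4", 21),
        "cls_inet_0900_as_written": evaluate(old, "tcp", "192.168.35.10", pub, 80),
        "cls_inet_0900_fixed":      evaluate(new, "tcp", "192.168.35.10", pub, 80),
        "cls_inet_1245_fixed":      evaluate(new, "tcp", "192.168.35.10", pub, 80, noon),
        "cls_server_0900_fixed":    evaluate(new, "tcp", "192.168.35.2", "192.168.45.5", 80),
        "cls_qq_1245_fixed":        evaluate(new, "udp", "192.168.35.10", pub, 8000, noon),
    }
```

Running `check_requirements()` shows every server-zone flow deciding as the requirements say, while `cls_inet_0900_as_written` comes back `permit`: a classroom host reaches a public address at 09:00 because the page's deny only matches the ISP subnet. The rewritten list denies that flow, still permits it at 12:45, keeps the teacher machine's path to 192.168.45.5 open at any hour, and blocks UDP 8000 regardless of time.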
Switch configuration
interface Vlan1
no ip address
no ip route-cache
shutdown
VLAN assignment
interface FastEthernet0/1
switchport mode trunk
interface FastEthernet0/2
switchport access vlan 100
switchport mode access
spanning-tree portfast
interface FastEthernet0/3
switchport access vlan 200
switchport mode access
spanning-tree portfast
interface FastEthernet0/4
switchport access vlan 300
switchport mode access
spanning-tree portfast
interface FastEthernet0/5
switchport access vlan 400
switchport mode access
spanning-tree portfast
interface FastEthernet0/6
switchport access vlan 500
switchport mode access
spanning-tree portfast
interface FastEthernet0/7
switchport access vlan 600
switchport mode access
spanning-tree portfast
interface FastEthernet0/8
switchport access vlan 700
switchport mode access
spanning-tree portfast
interface FastEthernet0/9
switchport access vlan 800
switchport mode access
spanning-tree portfast
interface FastEthernet0/10
switchport access vlan 900
switchport mode access
spanning-tree portfast
interface FastEthernet0/18
switchport access vlan 1000
switchport mode access
spanning-tree portfast
interface FastEthernet0/19
switchport access vlan 1000
switchport mode access
spanning-tree portfast
interface FastEthernet0/22
switchport access vlan 1000
switchport mode access
spanning-tree portfast
interface FastEthernet0/23
switchport access vlan 1000
switchport mode access
spanning-tree portfast
4000 router configuration
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface Ethernet0
ip address 192.168.50.2 255.255.255.0
interface Ethernet1
no ip address
shutdown
interface Ethernet2
no ip address
shutdown
interface Ethernet3
no ip address
shutdown
Configure the serial interfaces
interface Serial0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
interface Serial1
ip address 10.1.10.1 255.255.255.0
encapsulation ppp
clock rate 9600
!
interface Serial2
ip address 10.1.20.1 255.255.255.0
encapsulation ppp
interface Serial3
no ip address
shutdown
router ospf 2
log-adjacency-changes
area 1 virtual-link 3.3.3.3
network 10.1.1.0 0.0.0.255 area 1
network 10.1.10.0 0.0.0.255 area 1
network 10.1.20.0 0.0.0.255 area 1
network 192.168.50.0 0.0.0.255 area 0
2500A
interface Loopback0
ip address 4.4.4.4 255.255.255.255
interface Ethernet0
no ip address
shutdown
interface Serial0
ip address 10.1.1.2 255.255.255.0
encapsulation ppp
clock rate 9600
interface Serial1
no ip address
shutdown
router ospf 2
network 10.1.1.0 0.0.0.255 area 1
2500B
interface Loopback0
ip address 5.5.5.5 255.255.255.255
interface Ethernet0
no ip address
shutdown
interface Serial0
ip address 10.1.10.2 255.255.255.0
encapsulation ppp
interface Serial1
no ip address
shutdown
router ospf 3
network 10.1.10.0 0.0.0.255 area 1
2500C
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface Ethernet0
no ip address
shutdown
interface Serial0
ip address 10.1.20.2 255.255.255.0
encapsulation ppp
clockrate 9600
interface Serial1
ip address 10.2.1.1 255.255.255.0
encapsulation ppp
clockrate 9600
router ospf 8
area 1 virtual-link 2.2.2.2
network 10.1.20.0 0.0.0.255 area 1
network 10.2.1.0 0.0.0.255 area 2
2500D
interface Loopback0
ip address 8.8.8.8 255.255.255.255
interface Ethernet0
ip address dhcp
shutdown
interface Serial0
ip address 10.2.1.2 255.255.255.0
encapsulation ppp
interface Serial1
no ip address
shutdown
router ospf 9
network 10.2.1.0 0.0.0.255 area 2
This article is from the "小_网络工程师" blog; please keep this attribution: http://liyang.blog.51cto.com/234627/53008