Project case study: restructuring a mid-sized company's network

Not long ago I did a small project: the company's growth required its existing network to be restructured. The requirements were:
1. Divide the network into separate areas for the different departments, each managed on its own, and make sure every area can reach the public Internet normally.
  The areas are: sales, finance, information security, senior management, marketing, the server area, and two lecturer classrooms.
 
2. To standardize management across the company, the following network restrictions are required:
   a)  All departments except the senior management office are prohibited from using QQ.
   b)  The classrooms may access the external network only between 12:30 and 13:30 each day.
   c)  Restrictions and settings for the server area:
 
  - Jinher (金和) OA collaborative office server: all departments may access it, but only information security staff may manage it remotely. The OA system runs on Windows 2003 and exposes port 3389 for remote management.
  - Yonyou (用友) U8 finance system: only the finance department and senior management may access it, and only over the web.
  - Company website server, built on a LAMP stack: the marketing department manages it and may upload and download data over FTP; all other departments have web access only.
  - Company distance-learning server: only the lecturers' teacher machines and the teacher machines in the remote classrooms may access it.
 
3. Configure a DHCP server; in each of the two lecturer classrooms, two teacher machines use static IP addresses.
 
4. Build a distance-teaching system: three branch centers connect to the company, and one of them additionally connects to a local university classroom.
Based on the above, the topology is as follows:
Core router configuration:
interface Ethernet0/0
 no ip address
 no shutdown
 exit
! loopback: a stable address that OSPF uses as the router ID
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 exit
Configure DHCP (one pool per department VLAN; "lease 2" is a two-day lease)
ip dhcp pool xiaoshou
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool caiwu
network 192.168.15.0 255.255.255.0
default-router 192.168.15.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool xinxi
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool gaoceng
network 192.168.25.0 255.255.255.0
default-router 192.168.25.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool shichang
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool jiaoshi1
network 192.168.35.0 255.255.255.0
default-router 192.168.35.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool jiaoshi2
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 202.106.0.20
lease 2
exit
Reserved addresses (excluded from DHCP: gateways, plus the static teacher machines in the classrooms)
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.15.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.25.1
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.35.1 192.168.35.3
ip dhcp excluded-address 192.168.40.1 192.168.40.3

Configure sub-interfaces (one 802.1Q sub-interface per VLAN)
interface eth0/0.1
encapsulation dot1Q 100
ip address 192.168.10.1 255.255.255.0
ip access-group xiaoshou in
ip nat inside
exit
interface eth0/0.2
encapsulation dot1Q 200
ip address 192.168.15.1 255.255.255.0
ip access-group caiwu in
ip nat inside
exit
interface eth0/0.3
encapsulation dot1Q 300
ip address 192.168.20.1 255.255.255.0
ip access-group xinxi in
ip nat inside
exit
interface eth0/0.4
encapsulation dot1Q 400
ip address 192.168.25.1 255.255.255.0
ip access-group gaoceng in
ip nat inside
exit
interface eth0/0.5
encapsulation dot1Q 500
ip address 192.168.30.1 255.255.255.0
ip access-group shichang in
ip nat inside
exit
interface eth0/0.6
encapsulation dot1Q 600
ip address 192.168.35.1 255.255.255.0
ip access-group jiaoshi in
ip nat inside
exit
interface eth0/0.7
encapsulation dot1Q 700
ip address 192.168.40.1 255.255.255.0
ip access-group jiaoshi in
ip nat inside
exit
interface eth0/0.8
encapsulation dot1Q 800
ip address 192.168.45.1 255.255.255.0
! the "server" list matches on the destination server, so it is applied outbound toward 192.168.45.0/24
ip access-group server out
ip nat inside
exit
interface eth0/0.9
encapsulation dot1Q 900
ip address 192.168.50.1 255.255.255.0
ip nat inside
exit
interface eth0/0.10
encapsulation dot1Q 1000
ip address 201.241.1.195 255.255.255.224
ip nat outside
exit
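Every sub-interface above applies an ACL by name, and the ACL definitions (further down) must use exactly the same names. IOS does not reject a mismatch: an `ip access-group` that names a list which was never defined is treated as permit-all, so a typo silently removes the filter. The following script is an added example, not part of the original post; it audits a constructed configuration fragment (not the full configuration above) for references to undefined lists, lists that are defined but never applied, and interfaces that carry an IP address without any ACL in either direction. The regexes and the `audit_acls` function are the example's own.

```python
import re

# Constructed config fragment (not the post's full configuration): the first
# sub-interface references an ACL called "gaoceng", but the list is defined as
# "gaoguan"; eth0/0.9 carries an address with no access-group at all.
SAMPLE_CONFIG = """\
interface eth0/0.4
 encapsulation dot1Q 400
 ip address 192.168.25.1 255.255.255.0
 ip access-group gaoceng in
 ip nat inside
interface eth0/0.8
 encapsulation dot1Q 800
 ip address 192.168.45.1 255.255.255.0
 ip access-group server out
 ip nat inside
interface eth0/0.9
 encapsulation dot1Q 900
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 pool liyang overload
ip access-list extended gaoguan
 deny   tcp any any eq 445
 permit ip any any
ip access-list extended server
 permit tcp any host 192.168.45.2 eq www
 deny   ip any any
"""

INTERFACE = re.compile(r"^interface (\S+)")
NAMED_DEF = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NUMBERED_DEF = re.compile(r"^access-list (\d+) ")
GROUP_REF = re.compile(r"^\s+ip access-group (\S+) (?:in|out)")
NAT_REF = re.compile(r"^ip nat inside source list (\S+) ")


def audit_acls(config: str) -> dict:
    """Cross-check ACL definitions against the places that apply them.

    "undefined": referenced but never defined (IOS treats such an access-group
    as permit-all); "unused": defined but never applied; "unfiltered":
    interfaces with an IP address and no access-group in either direction.
    """
    defined, referenced, unfiltered = set(), set(), []
    current, has_addr, has_acl = None, False, False

    def close_interface():
        if current is not None and has_addr and not has_acl:
            unfiltered.append(current)

    for line in config.splitlines():
        if not line.startswith(" "):      # any top-level line ends an interface block
            close_interface()
            current = None
        if m := INTERFACE.match(line):
            current, has_addr, has_acl = m.group(1), False, False
        elif m := NAMED_DEF.match(line) or NUMBERED_DEF.match(line):
            defined.add(m.group(1))
        elif m := NAT_REF.match(line):
            referenced.add(m.group(1))
        elif m := GROUP_REF.match(line):
            referenced.add(m.group(1))
            has_acl = True
        elif current is not None and line.strip().startswith("ip address "):
            has_addr = True
    close_interface()
    return {
        "undefined": sorted(referenced - defined),
        "unused": sorted(defined - referenced),
        "unfiltered": unfiltered,
    }


if __name__ == "__main__":
    for kind, names in audit_acls(SAMPLE_CONFIG).items():
        print(f"{kind:10s} {', '.join(names) or '-'}")
```

Run it against `show running-config` output to get the three lists; an interface in "unfiltered" is not necessarily wrong (the link toward the branch routers may be intended to carry everything), but it should be a deliberate decision rather than an oversight.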
Default route
ip route 0.0.0.0 0.0.0.0 201.241.1.193
Configure OSPF (link-state routing)
router ospf 100
network 192.168.10.0 0.0.0.255 area 0
network 192.168.15.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.25.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.35.0 0.0.0.255 area 0
network 192.168.40.0 0.0.0.255 area 0
network 192.168.45.0 0.0.0.255 area 0
network 192.168.50.0 0.0.0.255 area 0
network 201.241.1.192 0.0.0.31 area 0
Dynamic address translation (PAT, overloading the public pool)
! the pool netmask matches the /27 configured on the outside sub-interface
ip nat pool liyang 201.241.1.195 201.241.1.198 netmask 255.255.255.224
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 pool liyang overload
Configure ACLs for security management (NetBIOS/SMB ports 135-138 and 445 are blocked on every department VLAN; udp 8000 is QQ's default port)
ip access-list extended caiwu
 deny   tcp any any eq 135
 deny   tcp any any eq 136
 deny   tcp any any eq 137
 deny   tcp any any eq 138
 deny   tcp any any eq 445
 deny   udp any any eq 8000
 permit ip any any
ip access-list extended gaoceng
 remark senior management: same NetBIOS/SMB filter, but QQ is not blocked (requirement 2a)
 deny   tcp any any eq 135
 deny   tcp any any eq 136
 deny   tcp any any eq 137
 deny   tcp any any eq 138
 deny   tcp any any eq 445
 permit ip any any
Time restriction (used by the classroom ACL below)
time-range time
periodic daily 12:30 to 13:30
ip access-list extended jiaoshi
 deny   tcp any any eq 135
 deny   tcp any any eq 136
 deny   tcp any any eq 137
 deny   tcp any any eq 138
 deny   tcp any any eq 445
 remark udp 8000 is QQ's default port
 deny   udp any any eq 8000
 remark internal destinations (servers and the other VLANs) are allowed at any time
 permit ip any 192.168.0.0 0.0.255.255
 remark everything else, i.e. the external network, only inside the time range
 permit ip any any time-range time
 deny   ip any any
ip access-list extended server
 remark matches on the destination server; apply it outbound on the server sub-interface
 remark 192.168.45.2 OA server: web from everyone, remote management (3389) only from information security
 permit tcp any host 192.168.45.2 eq www
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.45.2 eq 3389
 remark 192.168.45.3 U8 finance system: web only, from finance and senior management
 permit tcp 192.168.15.0 0.0.0.255 host 192.168.45.3 eq www
 permit tcp 192.168.25.0 0.0.0.255 host 192.168.45.3 eq www
 remark 192.168.45.4 website: web from everyone, FTP and SSH (22) from marketing
 permit tcp any host 192.168.45.4 eq www
 permit tcp 192.168.30.0 0.0.0.255 host 192.168.45.4 eq ftp
 permit tcp 192.168.30.0 0.0.0.255 host 192.168.45.4 eq 22
 remark 192.168.45.5 distance-learning server: local and remote teacher machines only
 permit ip host 192.168.35.2 host 192.168.45.5
 permit ip host 192.168.35.3 host 192.168.45.5
 permit ip host 192.168.40.2 host 192.168.45.5
 permit ip host 192.168.40.3 host 192.168.45.5
 permit ip host 192.168.1.2 host 192.168.45.5
 permit ip host 192.168.2.2 host 192.168.45.5
 deny   ip any any
ip access-list extended shichang
 deny   tcp any any eq 135
 deny   tcp any any eq 136
 deny   tcp any any eq 137
 deny   tcp any any eq 138
 deny   tcp any any eq 445
 deny   udp any any eq 8000
 permit ip any any
ip access-list extended xiaoshou
 deny   tcp any any eq 135
 deny   tcp any any eq 136
 deny   tcp any any eq 137
 deny   tcp any any eq 138
 deny   tcp any any eq 445
 deny   udp any any eq 8000
 permit ip any any
ip access-list extended xinxi
 deny   tcp any any eq 135
 deny   tcp any any eq 136
 deny   tcp any any eq 137
 deny   tcp any any eq 138
 deny   tcp any any eq 445
 deny   udp any any eq 8000
 permit ip any any
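Before a list like `server` or `jiaoshi` is applied, it is worth replaying a few sample flows through it to confirm that it really implements requirements 2b and 2c (first match wins, implicit deny at the end, time-range entries only active inside their window). The script below is an added example and not part of the original post: it parses a constructed subset of the two lists written in IOS syntax, evaluates flows against them, and is used to check that the finance VLAN cannot reach the OA server's port 3389, that marketing can use FTP to the website, and that the classroom VLAN reaches the outside only between 12:30 and 13:30. The `Entry` and `Flow` types, `TIME_RANGES`, `PORT_NAMES` and the parser are the example's own; only contiguous wildcard masks and the `eq`/`time-range` keywords are supported.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Constructed subset of the "server" and "jiaoshi" lists (not the full lists from
# the post). "server" is meant for the outbound direction on the server
# sub-interface, so each entry's destination is the server being reached.
ACL_TEXT = """\
ip access-list extended server
 permit tcp any host 192.168.45.2 eq www
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.45.2 eq 3389
 permit tcp 192.168.15.0 0.0.0.255 host 192.168.45.3 eq www
 permit tcp any host 192.168.45.4 eq www
 permit tcp 192.168.30.0 0.0.0.255 host 192.168.45.4 eq ftp
 permit ip host 192.168.35.2 host 192.168.45.5
 deny   ip any any
ip access-list extended jiaoshi
 deny   udp any any eq 8000
 permit ip any 192.168.0.0 0.0.255.255
 permit ip any any time-range time
 deny   ip any any
"""
TIME_RANGES = {"time": (time(12, 30), time(13, 30))}  # periodic daily 12:30 to 13:30
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}

@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]        # destination port from "eq"; None = any port
    time_range: Optional[str]  # None = always active

@dataclass
class Flow:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    at: Optional[str] = None   # wall clock "HH:MM"; needed for time-range entries

def wildcard_to_network(addr, wildcard):
    # IOS wildcard mask -> network; only contiguous wildcards are supported
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def _parse_addr(tok, i):
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

def parse_entry(line):
    tok = line.split()                      # action proto src dst [eq port] [time-range name]
    src, i = _parse_addr(tok, 2)
    dst, i = _parse_addr(tok, i)
    port = time_range = None
    while i < len(tok):
        if tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        elif tok[i] == "time-range":
            time_range = tok[i + 1]
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r}: {line}")
        i += 2
    return Entry(tok[0], tok[1], src, dst, port, time_range)

def parse_acls(text):
    acls, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("ip access-list extended "):
            current = line.split()[3]
            acls[current] = []
        elif line.startswith(("permit ", "deny ")):
            acls[current].append(parse_entry(line))
    return acls

def evaluate(entries, flow):
    """First matching entry decides; running off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for e in entries:
        if e.proto not in ("ip", flow.proto) or src not in e.src or dst not in e.dst:
            continue
        if e.port is not None and e.port != flow.dport:
            continue
        if e.time_range is not None:
            if flow.at is None:             # no clock given: the entry is treated as inactive
                continue
            h, m = (int(x) for x in flow.at.split(":"))
            start, end = TIME_RANGES[e.time_range]
            if not start <= time(h, m) <= end:
                continue
        return e.action
    return "deny"

ACLS = parse_acls(ACL_TEXT)
```

Usage: `evaluate(ACLS["server"], Flow("192.168.15.10", "192.168.45.2", dport=3389))` returns `"deny"`, while the same flow from 192.168.20.10 returns `"permit"`; for the classroom list, `Flow("192.168.35.10", "8.8.8.8", dport=443, at="12:45")` is permitted and the same flow at `"15:00"` is denied. The ordering matters: putting the internal `permit` before the time-limited entry is what keeps the distance-learning server reachable outside the lunch window.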
 
Switch configuration
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
VLAN assignment (Fa0/1 is the trunk to the core router; each access port belongs to one department VLAN)
interface FastEthernet0/1
 switchport mode trunk
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/3
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/4
 switchport access vlan 300
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/5
 switchport access vlan 400
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/6
 switchport access vlan 500
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/7
 switchport access vlan 600
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/8
 switchport access vlan 700
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/9
 switchport access vlan 800
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/10
 switchport access vlan 900
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/18
 switchport access vlan 1000
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/19
 switchport access vlan 1000
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/22
 switchport access vlan 1000
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/23
 switchport access vlan 1000
 switchport mode access
 spanning-tree portfast

Cisco 4000 router configuration (the link toward the branch centers)
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface Ethernet0
ip address 192.168.50.2 255.255.255.0
interface Ethernet1
no ip address
shutdown
interface Ethernet2
no ip address
shutdown
interface Ethernet3
no ip address
shutdown
Serial interface configuration (PPP links to the branch centers)
interface Serial0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
interface Serial1
ip address 10.1.10.1 255.255.255.0
encapsulation ppp
clock rate 9600
!
interface Serial2
ip address 10.1.20.1 255.255.255.0
encapsulation ppp
interface Serial3
no ip address
shutdown
router ospf 2
log-adjacency-changes
area 1 virtual-link 3.3.3.3
network 10.1.1.0 0.0.0.255 area 1
network 10.1.10.0 0.0.0.255 area 1
network 10.1.20.0 0.0.0.255 area 1
network 192.168.50.0 0.0.0.255 area 0

2500A
interface Loopback0
ip address 4.4.4.4 255.255.255.255
interface Ethernet0
no ip address
shutdown
interface Serial0
ip address 10.1.1.2 255.255.255.0
encapsulation ppp
clock rate 9600
interface Serial1
no ip address
shutdown
router ospf 2
network 10.1.1.0 0.0.0.255 area 1
2500B
interface Loopback0
ip address 5.5.5.5 255.255.255.255
interface Ethernet0
no ip address
shutdown
interface Serial0
ip address 10.1.10.2 255.255.255.0
encapsulation ppp
interface Serial1
no ip address
shutdown
router ospf 3
network 10.1.10.0 0.0.0.255 area 1

2500C
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface Ethernet0
no ip address
shutdown
interface Serial0
ip address 10.1.20.2 255.255.255.0
encapsulation ppp
clock rate 9600
interface Serial1
ip address 10.2.1.1 255.255.255.0
encapsulation ppp
clock rate 9600
router ospf 8
area 1 virtual-link 2.2.2.2
network 10.1.20.0 0.0.0.255 area 1
network 10.2.1.0 0.0.0.255 area 2
 
2500D
interface Loopback0
ip address 8.8.8.8 255.255.255.255
interface Ethernet0
ip address dhcp
shutdown
interface Serial0
ip address 10.2.1.2 255.255.255.0
encapsulation ppp
interface Serial1
no ip address
shutdown
router ospf 9
network 10.2.1.0 0.0.0.255 area 2
 
This article is from the blog 「小_網絡工程師」; please keep this source reference: http://liyang.blog.51cto.com/234627/53008