网络工程项目实施文档_第1页
网络工程项目实施文档_第2页
网络工程项目实施文档_第3页
网络工程项目实施文档_第4页
网络工程项目实施文档_第5页
已阅读5页,还剩20页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

ABC网络工程项目实施文档网络拓扑图IP地址规划表VLAN信息规划表防火墙端口安全规划表设备配置流程步骤Part 1 交换配置1.1 VLAN配置3560-01配置3560- 02配置S-3560-01(config)#VLAN 10S-3560-01(config-vlan)#name OAS-3560-01(config-vlan)#VLAN 20S-3560-01(config-vlan)#name ServerS-3560-02(config)#VLAN 10S-3560-02(config-vlan)#name OAS-3560-02(config-vlan)#VLAN 20S-3560-02(config-vlan)#name Server2950-01配置2950-02配置S-2950-01(config)#VLAN 10S-2950-01(config-vlan)#name OAS-2950-01(config-vlan)#VLAN 20S-2950-01(config-vlan)#name ServerS-2950-02(config)#VLAN 10S-2950-02(config-vlan)#name OAS-2950-02(config-vlan)#VLAN 20S-2950-02(config-vlan)#name Server1.2 STP配置步骤1、配置trunk端口3560-01配置S-3560-01(config)#int range fa0/23-24S-3560-01(config-if-range)#switchport trunk encapsulation dot1qS-3560-01(config-if-range)#switchport mode trunkS-3560-01(config-if-range)#switchport trunk allowed vlan 10,20S-3560-01(config)#int range fa0/1-2S-3560-01(config-if-range)#switchport trunk encapsulation dot1qS-3560-01(config-if-range)#switchport mode trunkS-3560-01(config-if-range)#switchport trunk allowed vlan 10,203560-02配置S-3560-02(config)#int range fa0/23-24S-3560-02(config-if-range)#switchport trunk encapsulation dot1qS-3560-02(config-if-range)#switchport mode trunkS-3560-02(config-if-range)#switchport trunk allowed vlan 10,20S-3560-02(config)#int range fa0/1-2S-3560-02(config-if-range)#switchport trunk encapsulation dot1qS-3560-02(config-if-range)#switchport mode trunkS-3560-02(config-if-range)#switchport trunk allowed vlan 10,202950-1配置S-2950-01(config)#int range fa0/1-2S-2950-01(config-if-range)#switchport mode trunkS-2950-01(config-if-range)#switchport trunk allowed vlan 10,202950-02配置S-2950-02(config)#int range fa0/1-2S-2950-02(config-if-range)#switchport mode trunkS-2950-02(config-if-range)#switchport trunk allowed vlan 10,20步骤2、配置STP生成树3560-01配置3560-02配置S-3560-01(config)#spanning-tree vlan 10 root primary S-3560-01(config)#spanning-tree vlan 20 root secondaryS-3560-02(config)#spanning-tree vlan 10 root secondaryS-3560-02(config)#spanning-tree vlan 20 root primary1.3 EtherChannel配置3560-01配置3560-02配置创建逻辑接口:S-3560-01(config)#int port-channel 1S-3560-01(config-if)#switchport trunk encapsulation dot1qS-3560-01(config-if)#switchport mode trunkS-3560-01(config-if)#switchport trunk allowed vlan 10,20将逻辑接口与物理接口绑定:S-3560-01(config)#int range fa0/23-24S-3560-01(config-if-range)#channel-protocol lacpS-3560-01(config-if-range)#channel-group 1 mode active逻辑接口流量负载均衡:S-3560-01(config)#port-channel load-balance src-dst-ip创建逻辑接口:S-3560-02(config)#interface port-channel 1 vlan 20 root primaryS-3560-02(config-if)#switchport trunk encapsulation dot1qS-3560-02(config-if)#switchport mode trunkS-3560-02(config-if)#switchport trunk allowed vlan 10,20将逻辑接口与物理接口绑定:S-3560-01(config)#int range fa0/23-24S-3560-01(config-if-range)#channel-protocol lacpS-3560-01(config-if-range)#channel-group 1 mode active逻辑接口流量负载均衡:S-3560-01(config)#port-channel load-balance src-dst-ip1.4 HSRP配置3560-01配置3560-02配置VLAN10、20 地址配置:S-3560-01(config)#int vlan 10S-3560-01(config-if)#ip add 10.0.10.2 255.255.255.0S-3560-01(config-if)#no shutS-3560-01(config-if)#int vlan 20S-3560-01(config-if)#ip add 10.0.20.2 255.255.255.0S-3560-01(config-if)#no shutHSRP浮动地址、优先级等信息配置:S-3560-01(config)#int vlan 10S-3560-01(config-if)#standby 10 ip 10.0.10.1S-3560-01(config-if)#standby 10 priority 150S-3560-01(config-if)#standby 10 preemptS-3560-01(config-if)#int vlan 20S-3560-01(config-if)#standby 20 ip 10.0.20.1S-3560-01(config-if)#standby 20 priority 140S-3560-01(config-if)#standby 20 preemptVLAN10、20 地址配置:S-3560-01(config)#int vlan 10S-3560-01(config-if)#ip add 10.0.10.3 255.255.255.0S-3560-01(config-if)#no shutS-3560-01(config-if)#int vlan 20S-3560-01(config-if)#ip add 10.0.20.3 255.255.255.0S-3560-01(config-if)#no shutHSRP浮动地址、优先级等信息配置:S-3560-02(config-if)#int vlan 10S-3560-02(config-if)#standby 10 ip 10.0.10.1 S-3560-02(config-if)#standby 10 priority 140S-3560-02(config-if)#standby 10 preemptS-3560-02(config-if)#int vlan 20S-3560-02(config-if)#standby 20 ip 10.0.20.1S-3560-02(config-if)#standby 20 priority 150S-3560-02(config-if)#standby 20 preempt1.5 二层交换配置 2950-01配置2950-02配置S-2950-01(config)#int range fa0/11-12S-2950-01(config-if-range)#switchport mode accessS-2950-01(config-if-range)#switchport access vlan 10S-2950-01(config-if-range)#spanning-tree portfastS-2950-02(config)#int range fa0/11-12S-2950-02(config-if-range)#switchport mode accessS-2950-02(config-if-range)#switchport access vlan 20S-2950-02(config-if-range)#spanning-tree portfast1.6 PC机配置IP并测试网关通畅性能PC1配置PC2配置测试结果1.7 路由配置3560-01配置3560-02配置S-3560-01(config)#ip routingS-3560-02(config)#ip routing1.8 测试Part2 路由器配置Router(config)#hostname ISP-DianXin-2811-01ISP-DianXin-2811-01(config)#ISP-DianXin-2811-01(config)#int fa0/0ISP-DianXin-2811-01(config-if)#ip add 220.0.0.2 255.255.255.248ISP-DianXin-2811-01(config-if)#no shutISP-DianXin-2811-01(config)#int fa0/1ISP-DianXin-2811-01(config-if)#ip add 130.0.0.2 255.255.255.252ISP-DianXin-2811-01(config-if)#no shutISP-DianXin-2811-01(config)#int fa1/0ISP-DianXin-2811-01(config-if)#ip add 121.0.0.1 255.255.255.0ISP-DianXin-2811-01(config-if)#no shutPart3 防火墙配置基础配置ASA5505-01ASA5505-02设置主机名ciscoasa#conf tciscoasa(config)#hostname HQ-BeiJing-ASA5505-01HQ-BeiJing-ASA5505-01(config)#清除原有VLAN配置HQ-BeiJing-ASA5505-01(config)#int vlan 1HQ-BeiJing-ASA5505-01(config-if)#no nameifHQ-BeiJing-ASA5505-01(config-if)#no security-levelHQ-BeiJing-ASA5505-01(config-if)#no ip addHQ-BeiJing-ASA5505-01(config)#int vlan 2HQ-BeiJing-ASA5505-01(config-if)#no nameifHQ-BeiJing-ASA5505-01(config-if)#no security-levelHQ-BeiJing-ASA5505-01(config-if)#no ip add配置VLAN数据HQ-BeiJing-ASA5505-01(config-if)#int vlan 10HQ-BeiJing-ASA5505-01(config-if)#nameif outsideHQ-BeiJing-ASA5505-01(config-if)#security-level 0HQ-BeiJing-ASA5505-01(config-if)#ip add 220.0.0.1 255.255.255.248HQ-BeiJing-ASA5505-01(config-if)#HQ-BeiJing-ASA5505-01(config-if)#int vlan 20HQ-BeiJing-ASA5505-01(config-if)#nameif insideHQ-BeiJing-ASA5505-01(config-if)#security-level 100HQ-BeiJing-ASA5505-01(config-if)#ip add 10.0.0.1 255.255.255.0HQ-BeiJing-ASA5505-01(config-if)#no shutHQ-BeiJing-ASA5505-01(config-if)#HQ-BeiJing-ASA5505-01(config-if)#int vlan 30HQ-BeiJing-ASA5505-01(config-if)#no forward interface vlan 20HQ-BeiJing-ASA5505-01(config-if)#nameif dmzHQ-BeiJing-ASA5505-01(config-if)#security-level 50HQ-BeiJing-ASA5505-01(config-if)#ip add 172.16.10.1 255.255.255.0VLAN与端口绑定HQ-BeiJing-ASA5505-01(config-if)#int eth0/0HQ-BeiJing-ASA5505-01(config-if)#switchport access vlan 10HQ-BeiJing-ASA5505-01(config-if)#int eth0/1HQ-BeiJing-ASA5505-01(config-if)#switchport access vlan 20HQ-BeiJing-ASA5505-01(config-if)#HQ-BeiJing-ASA5505-01(config-if)#int eth0/2HQ-BeiJing-ASA5505-01(config-if)#switchport access vlan 30配置静态路由HQ-BeiJing-ASA5505-01(config)#route outside 130.0.0.0 255.255.255.252 220.0.0.2设置主机名ciscoasa#conf tciscoasa(config)#hostname Branch-NanJing-ASA5505-02Branch-NanJing-ASA5505-02 (config)#清除原有VLAN配置Branch-NanJing-ASA5505-02(config)#int vlan 1Branch-NanJing-ASA5505-02(config-if)#no nameifBranch-NanJing-ASA5505-02(config-if)#no security-levelBranch-NanJing-ASA5505-02(config-if)#no ip addBranch-NanJing-ASA5505-02(config)#int vlan 2Branch-NanJing-ASA5505-02(config-if)#no nameifBranch-NanJing-ASA5505-02(config-if)#no security-levelBranch-NanJing-ASA5505-02(config-if)#no ip add配置VLAN数据Branch-NanJing-ASA5505-02(config)#int vlan 10Branch-NanJing-ASA5505-02(config-if)#name outsideBranch-NanJing-ASA5505-02(config-if)#security-level 0Branch-NanJing-ASA5505-02(config-if)#ip add 130.0.0.1 255.255.255.252Branch-NanJing-ASA5505-02(config-if)#no shutBranch-NanJing-ASA5505-02(config-if)#Branch-NanJing-ASA5505-02(config-if)#int vlan 20Branch-NanJing-ASA5505-02(config-if)#name insideINFO: Security level for inside set to 100 by default.Branch-NanJing-ASA5505-02(config-if)#security-level 100Branch-NanJing-ASA5505-02(config-if)#ip add 10.0.30.1 255.255.255.0Branch-NanJing-ASA5505-02(config-if)#no shutBranch-NanJing-ASA5505-02(config-if)#VLAN与端口绑定Branch-NanJing-ASA5505-02(config)#int eth0/0Branch-NanJing-ASA5505-02(config-if)#switchport access vlan 10Branch-NanJing-ASA5505-02(config-if)#int eth0/1Branch-NanJing-ASA5505-02(config-if)#switchport access vlan 20配置静态路由Branch-NanJing-ASA5505-02(config)#route outside 220.0.0.0 255.255.255.248 130.0.0.2防火墙配置策略配置1、dmz区web服务器静态映射HQ-BeiJing-ASA5505-01(config)#object network 172.16.10.11/32-WebServerHQ-BeiJing-ASA5505-01(config-network-object)#host 172.16.10.11HQ-BeiJing-ASA5505-01(config-network-object)#nat (dmz,outside) static 220.0.0.32、定义ACL访问控制列表,放行外网进入ASA访问Web服务器的流量HQ-BeiJing-ASA5505-01(config)#access-list Access-DMZ-Server permit icmp any object 172.16.10.11/32-WebServerHQ-BeiJing-ASA5505-01(config)#access-group Access-DMZ-Server out interface dmz3、定义dmz区其他服务器的动态映射HQ-BeiJing-ASA5505-01(config)#object network 172.16.10.0/24-DMZ-ServerHQ-BeiJing-ASA5505-01(config-network-object)#subnet 172.16.10.0 255.255.255.0HQ-BeiJing-ASA5505-01(config-network-object)#nat (dmz,outside) dynamic interface4、定义ACL访问控制列表,放行外网进入ASA访问DMZ其他服务器的流量HQ-BeiJing-ASA5505-01(config)#access-list Access-DMZ-Server permit icmp any object 172.16.10.0/24-DMZ-Server说明:access-group和前面一样,不用再定义5、inside区内网地址IP映射HQ-BeiJing-ASA5505-01(config)#object network 10.0.0.0/24HQ-BeiJing-ASA5505-01(config-network-object)#subnet 10.0.0.0 255.255.255.0HQ-BeiJing-ASA5505-01(config-network-object)#nat (inside,outside) dynamic interface6、3560配置缺省网关S-3560-02(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.17、ASA定义ACL访问控制列表,放行外网进入ASA访问inside的流量定义地址对象组:HQ-BeiJing-ASA5505-01(config)#object network 220.0.0.0/29HQ-BeiJing-ASA5505-01(config-network-object)#subnet 220.0.0.0 255.255.255.248HQ-BeiJing-ASA5505-01(config)#object network 10.0.0.0/24HQ-BeiJing-ASA5505-01(config-network-object)#subnet 10.0.0.0 255.255.255.0定义ACL:HQ-BeiJing-ASA5505-01(config)#access-list Outside-Access-Inside permit icmp object 220.0.0.0/29 object 10.0.0.0/24 源IP 目标IP应用ACL:HQ-BeiJing-ASA5505-01(config)#access-group Outside-Access-Inside out interface inside 允许外网IP离开inside端口8、3560配置OSPF,发布缺省路由3560-01配置3560-02配置S-3560-01(config)#int loopback 0S-3560-01(config-if)#ip add 10.0.0.1 255.255.255.0S-3560-01(config-if)#exitS-3560-01(config)#router ospf 1S-3560-01(config-router)#router-id 10.0.0.1S-3560-01(config-router)#network 10.0.10.0 0.0.0.255 area 0S-3560-01(config-router)#network 10.0.20.0 0.0.0.
人人文库> 全部分类> 教育资料 > 辅导培训

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

最新文档

评论

0/150

提交评论