大型公司企业企业网络案例

有线网络结构设计背景总介绍中国平安网络，由一个总公司网络、一个分公司网络和一个对外服务区组成。其中总公司网络和分公司网络在不同的地区，总公司和分公司都有公司内部的访问的数据中心（DMZ区）；对外服务区被托管在中国电信。路由器ISP模拟运营商中国电信。总公司1）Router1作为边界路由也是核心层路由器；sw1、sw2是核心层交换机；sw3、sw4是汇聚层交换机，其中SW3分别连接了总公司部门1，总公司部门2和总公司部门3；SW4分别连接了总公司部门4，总公司部门5，总公司部门6，总公司Server以及无线路由器1。2）总公司Server只能为公司内部提供服务，不对外提供服务。部门1,2,3,6均可访问内网Web，Ftp和DNS服务器，部门4只可以访问内网FTP其他的都不可以访问，部门5可以访问内网Web分公司Router9是出口路由器，其中sw5、sw4是核心交换机，实现冗余架构；sw6、sw7是汇聚层交换机;其中SW6下面连接了部门1和部门2；SW7连接了部门3，部门4，Server2以及无线路由器2。内网ACL配置：部门1，2，4可以访问内网中的Web和Ftp服务器，部门3只可以访问内网的ftp服务器。中国电信企业总公司网络的出口路由器router1和分公司网络的出口路由器都与ISP相连接，其中router1和ISP之间使用了ppp广域网协议，启用了chap的认真方式实现与互联网相连；R9使用帧中继技术与ISP相连。该企业的对外访问服务器托管到中国电信运营商。二、拓扑结构总体拓扑：总公司拓扑：分公司拓扑：ISP外网即帧中继：三、知识点1.静态路由3.单区域OSPF非等价负载均衡封装（chap）7.帧中继访问控制地址转换的配置间的路由12EIGRP手动汇总13.路由重分布14.默认路由16.双链路冗余的备份的使用四、主要功能部门1,2,3,6均可访问内网Web，Ftp和DNS服务器。部门4只可以访问内网FTP其他的都不可以访问。部门5可以访问内网Web和Ftp但不可以访问DNS。部门1，2,4可以访问外网Web以及公司总部的Web，Ftp服务器。部门3只可以访问公司总部的Ftp服务器。主要配置清单分公司Switch7配置：(Switch#showrunning-configBuildingconfiguration...Currentconfiguration:2096bytes!versionnoservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryption!hostnameSwitch!!!!ipdhcpexcluded-addressdhcpexcluded-addressdhcpexcluded-addressdhcpexcluded-addressdhcppoolvlan7networkdhcppoolvlan8networkrouting!!!!!!!!!!!!!!spanning-treemodepvst!!!!!!interfaceFastEthernet0/1!interfaceFastEthernet0/2switchportaccessvlan100switchportmodeaccess!interfaceFastEthernet0/3!interfaceFastEthernet0/4!interfaceFastEthernet0/5switchportaccessvlan7switchportmodeaccess!interfaceFastEthernet0/6switchportaccessvlan8switchportmodeaccess!interfaceFastEthernet0/7!interfaceFastEthernet0/8!interfaceFastEthernet0/9!interfaceFastEthernet0/10!interfaceFastEthernet0/11!interfaceFastEthernet0/12!interfaceFastEthernet0/13!interfaceFastEthernet0/14!interfaceFastEthernet0/15!interfaceFastEthernet0/16!interfaceFastEthernet0/17!interfaceFastEthernet0/18!interfaceFastEthernet0/19!interfaceFastEthernet0/20!interfaceFastEthernet0/21!interfaceFastEthernet0/22!interfaceFastEthernet0/23!interfaceFastEthernet0/24!interfaceGigabitEthernet0/1!interfaceGigabitEthernet0/2!interfaceVlan1noipaddressshutdown!interfaceVlan7ipaddressVlan8ipaddressVlan100ipaddresseigrp1distanceeigrp90150redistributeospf1metric100010025511500auto-summary!routerospf1log-adjacency-changesnetworkarea0networkarea0networkarea0!ipclassless!ipflow-exportversion9!!!!!!!linecon0!lineaux0!linevty04login!!!end总公司sw4Switch#showrunBuildingconfiguration...Currentconfiguration:2816bytes!versionnoservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryption!hostnameSwitch!!!!ipdhcpexcluded-addressdhcpexcluded-addressdhcpexcluded-addressdhcpexcluded-addressdhcppoolvlan5networkdhcppoolvlan6networkdhcppoolvlan7networkrouting!!!!!!!!!!!!!!spanning-treemodepvst!!!!!!interfaceFastEthernet0/1noswitchportipaddressautospeedauto!interfaceFastEthernet0/2!interfaceFastEthernet0/3!interfaceFastEthernet0/4!interfaceFastEthernet0/5switchportaccessvlan5switchportmodeaccess!interfaceFastEthernet0/6switchportaccessvlan6switchportmodeaccess!interfaceFastEthernet0/7switchportaccessvlan7switchportmodeaccess!interfaceFastEthernet0/8!interfaceFastEthernet0/9!interfaceFastEthernet0/10!interfaceFastEthernet0/11!interfaceFastEthernet0/12!interfaceFastEthernet0/13!interfaceFastEthernet0/14!interfaceFastEthernet0/15!interfaceFastEthernet0/16!interfaceFastEthernet0/17!interfaceFastEthernet0/18!interfaceFastEthernet0/19!interfaceFastEthernet0/20!interfaceFastEthernet0/21!interfaceFastEthernet0/22!interfaceFastEthernet0/23!interfaceFastEthernet0/24noswitchportipaddressautospeedauto!interfaceGigabitEthernet0/1!interfaceGigabitEthernet0/2!interfaceVlan1noipaddressshutdown!interfaceVlan5ipaddressVlan6ipaddressVlan7ipaddressaccess-group100out!routerripversion2networkclassless!ipflow-exportversion9!!access-list100permittcpanyhosteqwwwaccess-list100permittcpanyhosteqftpaccess-list100permitudphosteqdomainaccess-list100permitudphosteqdomainaccess-list100permitudphosteqdomainaccess-list100permitudphosteqdomainaccess-list100denytcpanyhost100denyudpanyhost100permitipanyany!!!!!linecon0!lineaux0!linevty04login!!!end总公司SW3Switch#showrunBuildingconfiguration...Currentconfiguration:1791bytes!versionnoservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryption!hostnameSwitch!!!!!!!iprouting!!!!!!!!!!!!!!spanning-treemodepvst!!!!!!interfaceFastEthernet0/1noswitchportipaddressautospeedauto!interfaceFastEthernet0/2switchportaccessvlan2switchportmodeaccess!interfaceFastEthernet0/3switchportaccessvlan3switchportmodeaccess!interfaceFastEthernet0/4switchportaccessvlan4switchportmodeaccess!interfaceFastEthernet0/5!interfaceFastEthernet0/6!interfaceFastEthernet0/7!interfaceFastEthernet0/8!interfaceFastEthernet0/9!interfaceFastEthernet0/10!interfaceFastEthernet0/11!interfaceFastEthernet0/12!interfaceFastEthernet0/13!interfaceFastEthernet0/14!interfaceFastEthernet0/15!interfaceFastEthernet0/16!interfaceFastEthernet0/17!interfaceFastEthernet0/18!interfaceFastEthernet0/19!interfaceFastEthernet0/20!interfaceFastEthernet0/21!interfaceFastEthernet0/22!interfaceFastEthernet0/23!interfaceFastEthernet0/24noswitchportipaddressautospeedauto!interfaceGigabitEthernet0/1!interfaceGigabitEthernet0/2!interfaceVlan1noipaddressshutdown!interfaceVlan2ipaddressVlan3ipaddressVlan4ipaddressripversion2networkclassless!ipflow-exportversion9!!!!!!!linecon0!lineaux0!linevty04login!!!end总公司R1R1#showrunBuildingconfiguration...Currentconfiguration:1575bytes!versionnoservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryption!hostnameR1!!!!!!!!noipcefnoipv6cef!!!usernameISPpassword0123!!!!!!!!!!spanning-treemodepvst!!!!!!interfaceFastEthernet0/0ipaddressnatinsideduplexautospeedauto!interfaceFastEthernet0/1ipaddressnatinsideduplexautospeedauto!interfaceSerial0/3/0ipaddressppppppauthenticationchapipnatoutsideclockrate2000000!interfaceSerial0/3/1noipaddressclockrate2000000shutdown!interfaceVlan1noipaddressshutdown!routerripversion2networknatpoolabcnetmasknatinsidesourcelist10poolabcipnatinsidesourcestaticipclasslessiproute!ipflow-exportversion9!!access-list10permit10permit10permit10permit10permit10permitcdprun!!!!!linecon0!lineaux0!linevty04passwordciscologin!!!end分公司SW6Switch#showrunning-configBuildingconfiguration...Currentconfiguration:1429bytes!versionnoservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryption!hostnameSwitch!!!!!!!iprouting!!!!!!!!!!!!!!spanning-treemodepvst!!!!!!interfaceFastEthernet0/1switchportaccessvlan100switchportmodeaccess!interfaceFastEthernet0/2!interfaceFastEthernet0/3!interfaceFastEthernet0/4noswitchportipaddressautospeedauto!interfaceFastEthernet0/5!interfaceFastEthernet0/6!interfaceFastEthernet0/7!interfaceFastEthernet0/8!interfaceFastEthernet0/9!interfaceFastEthernet0/10!interfaceFastEthernet0/11!interfaceFastEthernet0/12!interfaceFastEthernet0/13!interfaceFastEthernet0/14!interfaceFastEthernet0/15!interfaceFastEthernet0/16!interfaceFastEthernet0/17!interfaceFastEthernet0/18!interfaceFastEthernet0/19!interfaceFastEthernet0/20!interfaceFastEthernet0/21!interfaceFastEthernet0/22!interfaceFastEthernet0/23!interfaceFastEthernet0/24!interfaceGigabitEthernet0/1!interfaceGigabitEthernet0/2!interfaceVlan1noipaddressshutdown!interfaceVlan100ipaddresseigrp1distanceeigrp90150redistributeospf1metric100010025511500auto-summary!ipclassless!ipflow-exportversion9!!!!!!!linecon0!lineaux0!linevty04login!!!end分公司R8Router#showrunBuildingconfiguration...Currentconfiguration:753bytes!versionnoservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryption!hostnameRouter!!!!!!!!ipcefnoipv6cef!!!!!!!!!!!!spanning-treemodepvst!!!!!!interfaceFastEthernet0/0ipaddressautospeedauto!interfaceFastEthernet0/1noipaddressduplexautospeedauto!interfaceFastEthernet0/encapsulationdot1Q6ipaddressFastEthernet0/encapsulationdot1Q7ipaddressVlan1noipaddressshutdown!ipclassless!ipflow-exportversion9!!!nocdprun!!!!!linecon0!lineaux0!linevty04login!!!end配置（Switch1,2,3,4和Route1）在Switch4上Rip配置步骤：#iprouting(config)#routerrip#version2#network#network1,2,3,4和Route1配置步骤和Switch配置类似NAT配置(config)#intf0/0#ipnatinside#noshut(config)#intf0/1#ipnatinside#noshut(config)#ints0/0/0#ipnatoutside#nosshut(config)#access-list10permit10permit10permit10permit10permit10permitipnatpoolabcnetmaskipnatinsidesourcelist10poolabc为服务器静态映射一个静态的公网地址：(config)#ipnatinsidesourcestatic静态路由： (config)#iproute（chap）配置ISP的PPP配置：(config)#hostnameISP#usernameR1password0123(config)#interfaceSerial0/0/0#ipaddress#encapsulationppp#pppauthenticationchap对应的总公司出口路由器R1PPP配置：(config)#hostnameR1#usernameISPpassword0123(config)#interfaceSerial0/0/0#ipaddressrate64000#encapsulationppp#pppauthenticationchap配置内网配置需求:1.接入层共有6个部门：分别属于VLAN2,3,4,5,6,72.接入层ACL配置：部门1,2,3,6均可访问内网Web，Ftp和DNS服务器部门4只可以访问内网FTP其他的都不可以访问部门5可以访问内网Web和Ftp但不可以访问DNS也就是不能访问外网。由于内网服务器在VLAN7上因此，在Switch4上配置ACL(config)#access-list100permittcpanyhosteqwww#access-list100permittcpanyhosteqftp#access-list100permitudphosteqdomain#access-list100permitudphosteqdomain#access-list100permitudphosteqdomain#access-list100permitudphosteqdomain#access-list100denytcpanyhost100denyudpanyhost100permitipanyany（config）#intvlan7#ipacc100out在汇聚层，以及分公司的网络上均配置有ACL，配置原理和此类似6.帧中继配置（配置在ISP与分公司的出口路由器上）ISP上帧中继配置(config)#interfaceSerial0/2/0#ipaddressencapsulationframe-relayietf#framapip409b#clockrate64000#noshut分公司上的帧中继配置：(config)#interfaceSerial0/0/0#ipaddress#encapsulationframe-relayietf#framapip904b#clockrate64000#noshut配置和EIGRP非等价负载均衡,以及手动汇总在外网和分公司的核心层均配置有Eigrp协议外网的Eigrp协议配置：外网R3配置：（config）#interfaceFastEthernet0/0#ipaddressshut（config）#interfaceSerial0/0/0#ipaddressrate64000#noshut(configt)#routereigrp100#network#networkR4配置：（config）#interfaceFastEthernet0/0#ipaddressshut（config）#interfaceSerial0/0/0#ipaddressrate64000#noshut（config）#interfaceSerial0/0/1#ipaddressrate64000#noshut(config)#routereigrp100#redistributestaticmetric100010025511500由重分布路由重分布配置在分公司汇聚层，将OSPF的路由分布到Eigrp中去Sw7配置：(config)#routereigrp1#distanceeigrp90150#redistributeospf1metric100010025511500Sw6配置：(config)#routereigrp1#distanceeigrp90150#redistributeospf1metric10001002551150010.三层交换机STP配置配置在分公司的汇聚层Sw4,5,6,7交换机上Sw4配置：(config)#vlan100#ex(config)#interfaceFastEthernet0/1#switchportmodeaccess#switchportaccessvlan100#noshut(config)#intvlan100#ipaddress#exit(c