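I. Project overview
An enterprise needs to build an integrated enterprise network. The company has 4 departments. For internal network security, VLAN technology is used to place each department in a different VLAN, and policies for loop prevention, attack protection and data load balancing are deployed so that LAN services are secure and reliable. To improve the company's business capability and raise its profile, the company's Web site and FTP service are published to the Internet. To simplify network management, the internal network uses the OSPF routing protocol for full connectivity. The company needs Internet access and has obtained the public IP address block 99.1.1.0/28 from its ISP.
II. Network topology description
The topology of the proposed network is shown in Figure 1 below. Notes:
1. One RG-RSR20, numbered R1, serves as the branch office egress device;
2. Two RG-3760 switches, numbered S3 and S4, serve as the company's core switches;
3. Two RG-S2328 switches, numbered S1 and S2, serve as the company's access switches;
4. One RG-RSR20, numbered R2, serves as the carrier access device;
5. Five computers (virtual machines may be used); the server operating system is Windows Server 2008.
III. Lab topology
IV. Cabling and address plan
The physical connections for this project are listed in Table 1, the network device names in Table 2, and the IP address allocation in Table 3.
V. Network device deployment
1. Router configuration
(1) Router R1
Configure interfaces // describe interfaces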
R7_RSR10_1(config)#hostname RSR20-R1
RSR20-R1(config)#int f0/0
RSR20-R1(config-if)#ip address 10.1.1.1 255.255.255.240
RSR20-R1(config-if)#no shutdown
RSR20-R1(config-if)#ip address 10.1.1.1 255.255.255.252
RSR20-R1(config-if)#description Con_To_S3_F0/24
RSR20-R1(config-if)#int f0/1
RSR20-R1(config-if)#ip address 10.1.1.5 255.255.255.252
RSR20-R1(config-if)#no shutdown
RSR20-R1(config-if)#description Con_To_S4_F0/24
RSR20-R1(config-if)#int s1/0
RSR20-R1(config-if)#ip address 99.1.1.1 255.255.255.240
RSR20-R1(config-if)#no shutdown
RSR20-R1(config-if)#description Con_To_R2_S1/0
RSR20-R1(config-if)#ex
RSR20-R1(config)#int loopback 0
RSR20-R1(config-if)#ip address 192.168.99.1 255.255.255.0
DHCP address pools
RSR20-R1(config)# ip dhcp pool vlan100
RSR20-R1(dhcp-config)#network 192.168.100.0 255.255.255.0
RSR20-R1(dhcp-config)#lease 0 0 1
RSR20-R1(dhcp-config)#default-router 192.168.100.254
RSR20-R1(dhcp-config)#ip dhcp pool vlan101
RSR20-R1(dhcp-config)#network 192.168.101.0 255.255.255.0
RSR20-R1(dhcp-config)#lease 0 0 1
RSR20-R1(dhcp-config)#default-router 192.168.101.254
RSR20-R1(dhcp-config)#ip dhcp pool vlan102
RSR20-R1(dhcp-config)#network 192.168.102.0 255.255.255.0
RSR20-R1(dhcp-config)#lease 0 0 1
RSR20-R1(dhcp-config)#default-router 192.168.102.254
RSR20-R1(dhcp-config)#ip dhcp pool vlan103
RSR20-R1(dhcp-config)#network 192.168.103.0 255.255.255.0
RSR20-R1(dhcp-config)#lease 0 0 1
RSR20-R1(dhcp-config)#default-router 192.168.103.254
Addresses excluded from DHCP allocation
RSR20-R1(config)#ip dhcp excluded-address 192.168.100.1
RSR20-R1(config)#ip dhcp excluded-address 192.168.100.2
RSR20-R1(config)#ip dhcp excluded-address 192.168.100.254
RSR20-R1(config)#ip dhcp excluded-address 192.168.101.254
RSR20-R1(config)#ip dhcp excluded-address 192.168.101.2
RSR20-R1(config)#ip dhcp excluded-address 192.168.101.1
RSR20-R1(config)#ip dhcp excluded-address 192.168.102.1
RSR20-R1(config)#ip dhcp excluded-address 192.168.102.2
RSR20-R1(config)#ip dhcp excluded-address 192.168.102.254
RSR20-R1(config)#ip dhcp excluded-address 192.168.103.254
RSR20-R1(config)#ip dhcp excluded-address 192.168.103.2
RSR20-R1(config)#ip dhcp excluded-address 192.168.103.1
Inside and outside networks
RSR20-R1(config)#int f0/0
RSR20-R1(config-if)#ip nat inside
RSR20-R1(config-if)#int f0/1
RSR20-R1(config-if)#ip nat inside
RSR20-R1(config-if)#int s1/0
RSR20-R1(config-if)#ip nat outside
Configure OSPF and the default route
RSR20-R1(config)#router ospf 10
RSR20-R1(config-router)#network 10.1.0.1 0.0.0.0 area 0
RSR20-R1(config-router)#network 10.1.1.0 0.0.0.3 area 0
RSR20-R1(config-router)#network 10.1.1.4 0.0.0.3 area 0
RSR20-R1(config-router)#default-information originate always
RSR20-R1(config)#ip route 0.0.0.0 0.0.0.0 99.1.1.2
Configure ACLs
RSR20-R1(config)#access-list 1 permit 192.168.100.0 0.0.0.255
RSR20-R1(config)#access-list 1 permit 192.168.101.0 0.0.0.255
RSR20-R1(config)#access-list 2 permit 192.168.102.0 0.0.0.255
RSR20-R1(config)#access-list 2 permit 192.168.103.0 0.0.0.255
Address translation
RSR20-R1(config)#ip nat pool a1 99.1.1.3 99.1.1.5 netmask 255.255.255.240
RSR20-R1(config)#ip nat pool a2 99.1.1.6 99.1.1.8 net
RSR20-R1(config)#ip nat pool a2 99.1.1.6 99.1.1.8 netmask 255.255.255.240
RSR20-R1(config)#$ tcp 192.168.104.252 20 99.1.1.11 20
RSR20-R1(config)#$ tcp 192.168.104.252 21 99.1.1.11 21
RSR20-R1(config)#$ tcp 192.168.104.254 80 99.1.1.9 80
RSR20-R1(config)#ip nat inside source list 1 pool a1 overload
RSR20-R1
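An offline consistency check for the NAT section above, added here as an example and not part of the original write-up: it reports pool addresses that fall outside 99.1.1.0/28 or collide with addresses already in use, and ACLs or pools that no NAT rule references. The `audit` function, the `RESERVED` table and the regular expressions are assumptions of this example; the static mappings are listed only by the public address and port visible on the page.

```python
import ipaddress
import re

# Constructed sample: NAT-related lines of the R1 listing above, prompts stripped.
CONFIG = """\
ip nat pool a1 99.1.1.3 99.1.1.5 netmask 255.255.255.240
ip nat pool a2 99.1.1.6 99.1.1.8 netmask 255.255.255.240
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 2 permit 192.168.102.0 0.0.0.255
access-list 2 permit 192.168.103.0 0.0.0.255
ip nat inside source list 1 pool a1 overload
"""
PUBLIC_BLOCK = ipaddress.ip_network("99.1.1.0/28")
# Public addresses already used elsewhere in the listing (labels are this example's).
RESERVED = {"99.1.1.1": "R1 s1/0", "99.1.1.2": "default-route next hop",
            "99.1.1.9": "static NAT tcp/80", "99.1.1.11": "static NAT tcp/20-21"}

def audit(config, block=PUBLIC_BLOCK, reserved=RESERVED):
    pools, acls, rules, findings = {}, set(), [], []
    for line in config.splitlines():
        if m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask \S+", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\d+) permit", line):
            acls.add(m[1])
        elif m := re.match(r"ip nat inside source list (\d+) pool (\S+)", line):
            rules.append((m[1], m[2]))
    used = {ipaddress.ip_address(a): owner for a, owner in reserved.items()}
    for name, (lo, hi) in pools.items():
        for n in range(int(lo), int(hi) + 1):
            ip = ipaddress.ip_address(n)
            if ip not in block or ip in (block.network_address, block.broadcast_address):
                findings.append(f"pool {name}: {ip} is not a usable host in {block}")
            elif ip in used:
                findings.append(f"pool {name}: {ip} collides with {used[ip]}")
            used.setdefault(ip, f"pool {name}")
    for acl, pool in rules:
        if acl not in acls:
            findings.append(f"NAT rule references undefined ACL {acl}")
        if pool not in pools:
            findings.append(f"NAT rule references undefined pool {pool}")
    for acl in sorted(acls - {a for a, _ in rules}):
        findings.append(f"ACL {acl} is defined but bound to no NAT rule")
    for pool in sorted(set(pools) - {p for _, p in rules}):
        findings.append(f"pool {pool} is defined but bound to no NAT rule")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```

On the lines visible on this page it reports ACL 2 and pool a2 as unbound; the listing ends right after the rule for list 1.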