IPSEC+NAT+GRE+ACL+VOIP+SNMP Configuration
- VLAN 10 hosts the Windows servers, VLAN 20 hosts the Linux servers, VLAN 1 is the network management and log centre, and VLAN 30 holds the client PCs. R7 and R8 are the two enterprise edge routers; ISP-R6 represents the carrier router, which has no knowledge of the enterprise routing information.
- Provide highly available internal interconnection with link redundancy and device redundancy; VLAN information is kept consistent across devices.
- Exchange OSPF routing information across the Internet. Note: enterprise routes must not be propagated outward; enterprise-to-Internet traffic goes through NAT.
- Redistribute the default route from the enterprise edge devices into the enterprise interior.
- Allow internal enterprise hosts to reach the Internet, with ACL filtering: common services are opened, and QQ is blocked during working hours.
- Publish internal enterprise servers to the Internet.
- Use ×××+GRE+NAT to interconnect the two enterprises.
- Enable SNMP.
- Deploy VoIP.
Built under Windows 2003: web + MSSQL, using 动网 (Dvbbs) 7.0 as the example; FTP with user isolation; DNS configuration.

Built under Linux: LAMP, using the IT168 full site as the example; VSFTP and SAMBA, with IPTABLES enabled on the server.

R7 configuration:
```
r7#show run
Building configuration...

Current configuration : 3618 bytes
!
! Last configuration change at 11:09:20 UTC Mon Nov 12 2007
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r7
ip subnet-zero
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 100
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco123 address 202.100.1.1
crypto ipsec transform-set r7-set ah-sha-hmac esp-des
!
crypto map r7-map 100 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set r7-set
 match address ***-acl
voice call carrier capacity active
mta receive maximum-recipients 0
interface Loopback1
 ip address 7.7.7.7 255.255.255.255
!
interface Tunnel0
 ip address 172.17.1.1 255.255.255.0
 tunnel source 202.100.2.2
 tunnel destination 202.100.1.1
 tunnel key 123456
 tunnel sequence-datagrams
 tunnel path-mtu-discovery
 crypto map r7-map
!
interface FastEthernet0/0
 ip address 172.16.100.2 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address 202.100.2.2 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map r7-map
!
router ospf 1
 log-adjacency-changes
 network 202.100.2.0 0.0.0.255 area 1
!
router rip
 version 2
 redistribute static metric 3
 network 172.16.0.0
 no auto-summary
!
ip nat inside source list nat-acl interface FastEthernet0/1 overload
ip nat inside source static tcp 172.16.20.100 80 interface FastEthernet0/1 80
ip nat inside source static tcp 172.16.10.100 21 interface FastEthernet0/1 21
ip nat inside source static tcp 172.16.10.5 23 interface FastEthernet0/1 23
ip classless
ip route 0.0.0.0 0.0.0.0 202.100.2.1
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 192.168.0.0 255.255.0.0 Tunnel0
ip http server
!
!
ip access-list extended access-acl
 permit udp any any eq isakmp
 permit ip host 202.100.2.2 host 202.100.1.1
 permit tcp 172.16.0.0 0.0.255.255 any eq www
 permit tcp 172.16.0.0 0.0.255.255 any eq ftp
 permit tcp 172.16.0.0 0.0.255.255 any eq smtp
 permit tcp 172.16.0.0 0.0.255.255 any eq pop3
 permit tcp 172.16.0.0 0.0.255.255 any eq domain
 permit tcp 172.16.0.0 0.0.255.255 any eq 443
 permit tcp 172.16.0.0 0.0.255.255 any eq ftp-data
 permit tcp host 202.100.2.2 any eq www
 permit tcp host 202.100.2.2 any eq ftp
 permit tcp host 202.100.2.2 any eq telnet
 permit tcp host 202.100.2.2 any eq smtp
 permit tcp host 202.100.2.2 any eq pop3
 permit tcp host 202.100.2.2 any eq 443
 permit tcp host 202.100.2.2 any eq nntp
 deny udp 172.16.0.0 0.0.255.255 any eq 8000 time-range work-time
 permit udp 172.16.0.0 0.0.255.255 any eq 8000
ip access-list extended nat-acl
 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 any
ip access-list extended ***-acl
 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 10.1.1.0 0.0.0.255
!
!
snmp-server community user RO
snmp-server community admin RW
snmp-server enable traps snmp authentication linkdown linkup
snmp-server enable traps tty
snmp-server enable traps config
snmp-server host 172.16.1.200 admin syslog
snmp-server host 172.16.1.100 user
call rsvp-sync
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
mgcp profile default
!
dial-peer cor custom
line con 0
line aux 0
line vty 0 4
!
time-range free-time
 absolute start 00:00 12 November 2007 end 00:00 12 November 2008
 periodic weekend 0:00 to 23:59
!
time-range work-time
 absolute start 00:00 12 November 2007 end 00:00 12 November 2008
 periodic weekdays 8:00 to 18:00
dial-peer voice 1 pots
 destination-pattern 120
 port 1/0/0
!
dial-peer voice 2 voip
 destination-pattern 110
 session target ipv4:202.100.1.1
!
end
r7#
```
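The working-hours QQ block in r7's access-acl (mirrored on r8 with 192.168.0.0/16 sources) depends on first-match ordering plus the time-range: the `deny udp ... eq 8000` entry is only active on weekdays 8:00 to 18:00 inside the absolute window and is skipped at any other time, so the following `permit` takes over. The Python below is an added example, not code from the page or from Cisco: it parses a constructed excerpt of that ACL and evaluates sample flows at given times under IOS first-match and implicit-deny semantics. It assumes 203.0.113.8 as a constructed Internet host and treats the periodic end minute as exclusive.

```python
import ipaddress
from datetime import datetime
# Excerpt of r7's access-acl, copied from the page as constructed test input
ACL_TEXT = """
permit udp any any eq isakmp
permit tcp 172.16.0.0 0.0.255.255 any eq www
permit tcp 172.16.0.0 0.0.255.255 any eq domain
deny udp 172.16.0.0 0.0.255.255 any eq 8000 time-range work-time
permit udp 172.16.0.0 0.0.255.255 any eq 8000
"""
PORT_NAMES = {"isakmp": 500, "www": 80, "ftp": 21, "domain": 53, "smtp": 25, "pop3": 110}
# time-range work-time from the page: absolute window plus periodic weekdays 8:00 to 18:00
TIME_RANGES = {"work-time": dict(start=datetime(2007, 11, 12), end=datetime(2008, 11, 12),
                                 days=range(0, 5), frm=(8, 0), to=(18, 0))}

def parse_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' (IOS wildcard == ipaddress hostmask; 0.0.0.0 not special-cased)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, rest = parse_addr(tok[2:])
        dst, rest = parse_addr(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        tr = rest[rest.index("time-range") + 1] if "time-range" in rest else None
        entries.append(dict(action=tok[0], proto=tok[1], src=src, dst=dst, port=port, tr=tr))
    return entries

def range_active(name, when):
    """An ACE whose time-range is inactive is skipped; the end minute is treated as exclusive."""
    r = TIME_RANGES.get(name)
    return r is None or (r["start"] <= when < r["end"] and when.weekday() in r["days"]
                         and r["frm"] <= (when.hour, when.minute) < r["to"])

def evaluate(acl, proto, src, dst, dport, when):
    """First matching entry decides; IOS appends an implicit 'deny ip any any'."""
    src, dst, when = ipaddress.ip_address(src), ipaddress.ip_address(dst), datetime.fromisoformat(when)
    for e in acl:
        if (e["proto"] in ("ip", proto) and src in e["src"] and dst in e["dst"]
                and e["port"] in (None, dport) and range_active(e["tr"], when)):
            return e["action"]
    return "deny"

ACL = parse_acl(ACL_TEXT)
```

The list only filters once it is bound to an interface: r8 binds it with `ip access-group access-acl out` on FastEthernet0/1, while the r7 configuration as shown carries no `ip access-group` line, so confirming that binding belongs in the same review.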
------------------------------r8 configuration----------------

```
r8#show running-config
Building configuration...

Current configuration : 3893 bytes
!
! Last configuration change at 11:20:53 UTC Mon Nov 12 2007
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r8
!
!
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 100
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco123 address 202.100.2.2
!
!
crypto ipsec transform-set r8-set ah-sha-hmac esp-des
!
crypto map r8-map 100 ipsec-isakmp
 set peer 202.100.2.2
 set transform-set r8-set
 match address ***-acl
!
!
!
voice call carrier capacity active
!
mta receive maximum-recipients 0
interface Loopback8
 ip address 8.8.8.8 255.255.255.255
!
interface Tunnel0
 ip address 172.17.1.2 255.255.255.0
 tunnel source 202.100.1.1
 tunnel destination 202.100.2.2
 tunnel key 123456
 tunnel sequence-datagrams
 tunnel path-mtu-discovery
 crypto map r8-map
!
interface FastEthernet0/0
 mac-address 0000.1111.1112
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 crypto map r8-map
!
interface FastEthernet0/1
 mac-address 0000.1111.2222
 ip address 202.100.1.1 255.255.255.0
 ip access-group access-acl out
 ip nat outside
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 202.100.1.0 0.0.0.255 area 0
!
router rip
 redistribute static metric 3
 network 10.0.0.0
!
ip nat inside source list nat-acl interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.5 23 interface FastEthernet0/1 23
ip nat inside source static tcp 192.168.2.100 21 interface FastEthernet0/1 21
ip nat inside source static tcp 192.168.10.100 80 interface FastEthernet0/1 80
ip classless
ip route 0.0.0.0 0.0.0.0 202.100.1.2
ip route 172.16.0.0 255.255.0.0 Tunnel0
ip http server
!
!
ip access-list extended access-acl
 permit udp any any eq isakmp
 permit ip host 202.100.1.1 host 202.100.2.2
 permit tcp 192.168.0.0 0.0.255.255 any eq www
 permit tcp 192.168.0.0 0.0.255.255 any eq ftp
 permit tcp 192.168.0.0 0.0.255.255 any eq smtp
 permit tcp 192.168.0.0 0.0.255.255 any eq pop3
 permit tcp 192.168.0.0 0.0.255.255 any eq domain
 permit tcp 192.168.0.0 0.0.255.255 any eq 443
 permit tcp 192.168.0.0 0.0.255.255 any eq ftp-data
 permit tcp host 202.100.1.1 any eq www
 permit tcp host 202.100.1.1 any eq ftp
 permit tcp host 202.100.1.1 any eq telnet
 permit tcp host 202.100.1.1 any eq smtp
 permit tcp host 202.100.1.1 any eq pop3
 permit tcp host 202.100.1.1 any eq 443
 permit tcp host 202.100.1.1 any eq nntp
 deny udp 192.168.0.0 0.0.255.255 any eq 8000 time-range work-time
 permit udp 192.168.0.0 0.0.255.255 any eq 8000
ip access-list extended nat-acl
 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
 deny ip 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended ***-acl
 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255
!
!
snmp-server community user RO
snmp-server community admin RW
snmp-server enable traps snmp authentication linkdown linkup
snmp-server enable traps tty
snmp-server enable traps config
snmp-server host 192.168.1.200 admin syslog
snmp-server host 192.168.1.100 user
call rsvp-sync
!
voice-port 1/0/0
 description 110
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
dial-peer voice 1 pots
 destination-pattern 110
 port 1/0/0
!
dial-peer voice 2 voip
 destination-pattern 120
 session target ipv4:202.100.2.2
!
!
!
line con 0
line aux 0
line vty 0 4
!
time-range free-time
 absolute start 00:00 12 November 2007 end 00:00 12 November 2008
 periodic weekend 0:00 to 23:59
!
time-range work-time
 absolute start 00:00 12 November 2007 end 00:00 12 November 2008
 periodic weekdays 8:00 to 18:00
!
!
end
r8#
```
------------------------------ISP-R6 configuration---------------------------

```
r6#show running-config
Building configuration...

Current configuration : 1057 bytes
!
! Last configuration change at 10:20:01 UTC Mon Nov 12 2007
! NVRAM config last updated at 10:21:22 UTC Mon Nov 12 2007
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r6
!
!
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback1
 ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0
 mac-address 0000.1111.4444
 ip address 202.100.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 mac-address 0000.3333.3333
 ip address 202.100.2.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 6.6.6.6 0.0.0.0 area 0
 network 202.100.1.0 0.0.0.255 area 0
 network 202.100.2.0 0.0.0.255 area 1
!
ip classless
ip http server
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
ntp master 2
!
end
```

------------------------------RS3750-2--------------------------
```
RS3750-2#show running-config
Building configuration...

Current configuration : 2068 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RS3750-2
!
!
no aaa new-model
switch 1 provision ws-c3750-24ts
ip subnet-zero
ip routing
!
!
!
!
!
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1,10,20,30 priority 24576
!
vlan internal allocation policy ascending
!
!
interface Port-channel1
!
interface Port-channel3
!
interface FastEthernet1/0/1
 channel-group 1 mode on
!
interface FastEthernet1/0/2
 channel-group 1 mode on
!
interface FastEthernet1/0/3
 channel-group 3 mode on
!
interface FastEthernet1/0/4
 channel-group 3 mode on
!
interface FastEthernet1/0/5
!
interface FastEthernet1/0/6
!
interface FastEthernet1/0/7
!
interface FastEthernet1/0/8
!
interface FastEthernet1/0/9
 no switchport
 ip address 172.16.100.1 255.255.255.0
!
interface FastEthernet1/0/10
!
interface FastEthernet1/0/11
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
!
interface FastEthernet1/0/24
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan10
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan20
 ip address 172.16.20.1 255.255.255.0
!
interface Vlan30
 ip address 172.16.30.1 255.255.255.0
!
router rip
 version 2
 network 172.16.0.0
 no auto-summary
!
ip classless
ip http server
ip http secure-server
!
!
snmp-server community user RO
snmp-server community admin RW
snmp-server enable traps snmp authentication linkdown linkup
snmp-server enable traps tty
snmp-server enable traps config
snmp-server host 172.16.1.200 admin syslog
snmp-server host 172.16.1.100 user
!
control-plane
!
!
line con 0
line vty 5 15
!
end
RS3750-2#
RS3750-2#show ip route
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.30.0 is directly connected, Vlan30
C       172.16.20.0 is directly connected, Vlan20
C       172.16.10.0 is directly connected, Vlan10
C       172.16.1.0 is directly connected, Vlan1
C       172.16.100.0 is directly connected, FastEthernet1/0/9
     10.0.0.0/24 is subnetted, 1 subnets
R       10.1.1.0 [120/3] via 172.16.100.2, 00:00:05, FastEthernet1/0/9
R*   0.0.0.0/0 [120/3] via 172.16.100.2, 00:00:05, FastEthernet1/0/9
R    192.168.0.0/16 [120/3] via 172.16.100.2, 00:00:06, FastEthernet1/0/9
RS3750-2#
RS3750-2#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : zhaolongedu
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xC8 0xD0 0x04 0x18 0xEF 0x1F 0x71 0x48
Configuration last modified by 0.0.0.0 at 3-1-93 00:03:46
Local updater ID is 172.16.1.1 on interface Vl1 (lowest numbered VLAN interface found)
RS3750-2#
```
----------The access-layer switch configurations are essentially the same-------------

```
s7#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 64
Number of existing VLANs        : 8
VTP Operating Mode              : Client
VTP Domain Name                 : zhaolongedu
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xC8 0xD0 0x04 0x18 0xEF 0x1F 0x71 0x48
Configuration last modified by 0.0.0.0 at 3-1-93 00:03:46
s7#
s7#show running-config
Building configuration...

Current configuration : 1535 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname s7
!
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface Port-channel1
 flowcontrol send off
!
interface Port-channel2
 flowcontrol send off
!
interface FastEthernet0/1
 channel-group 1 mode on
!
interface FastEthernet0/2
 channel-group 1 mode on
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 channel-group 2 mode on
!
interface FastEthernet0/6
 channel-group 2 mode on
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface Vlan1
 ip address 172.16.1.7 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.16.1.1
ip http server
!
snmp-server community user RO
snmp-server community admin RW
snmp-server enable traps snmp authentication linkdown linkup
snmp-server enable traps config
snmp-server host 172.16.1.200 admin syslog
snmp-server host 172.16.1.100 user
!
line con 0
line vty 5 15
!
end
s7#
```
Reposted from: https://blog.51cto.com/flycisco/54762