Background and requirements

A company has two office sites in two different cities. The site in city A is the company headquarters, a two-storey office building that needs roughly 30 computer nodes. Site A has three departments: Finance, Sales and Administration. The site in city B houses the R&D department and needs about 15 computer nodes. Both sites reach the Internet over broadband. A network design is required that achieves the following:

1. Internal resource sharing within site A (internal mail, FTP and WWW services)
2. Users at sites A and B cannot use QQ chat or browse illegal web pages during working hours
3. Users at sites A and B each share one IP address for Internet access
4. No internal department may access another department directly
5. Sales staff outside the office can reach the Sales department's information server at site A, while users on the Internet are denied access to it
Design and network topology diagram

Basic plan of device attribute values
Router3

| IP Address | Subnet Mask | Port |
| --- | --- | --- |
| 192.168.5.1 | 255.255.255.240 | S2/0 |
| 192.168.1.1 | 255.255.255.224 | Fa0/0.1 |
| 192.168.2.1 | 255.255.255.224 | Fa1/0.1 |
| 192.168.3.1 | 255.255.255.224 | Fa6/0.1 |
| 192.168.4.1 | 255.255.255.224 | Fa7/0.1 |
| 192.168.7.1 | 255.255.255.0 | Fa4/0 |

Router2

| IP Address | Subnet Mask | Port |
| --- | --- | --- |
| 192.168.6.1 | 255.255.255.240 | Fa0/0 |
| 192.168.5.2 | 255.255.255.240 | Serial2/0 |
| 192.168.8.1 | 255.255.255.0 | Serial3/0 |

Router0

| IP Address | Subnet Mask | Port |
| --- | --- | --- |
| 192.168.7.3 | 255.255.255.0 | Fa0/0 |
| 202.10.1.2 | 255.255.255.0 | Serial2/0 |

Router1

| IP Address | Subnet Mask | Port |
| --- | --- | --- |
| 202.10.2.1 | 255.255.255.0 | Fa0/0 |
| 202.10.1.1 | 255.255.255.0 | Serial2/0 |

Router4

| IP Address | Subnet Mask | Port |
| --- | --- | --- |
| 202.10.3.1 | 255.255.255.0 | Fa0/0 |
| 192.168.8.2 | 255.255.255.0 | Serial2/0 |

PCs

| PC | IP Address | Subnet Mask | Default Gateway | Notes |
| --- | --- | --- | --- | --- |
| 0 | 192.168.1.2 | 255.255.255.224 | 192.168.1.1 | Vlan 2 |
| 1 | 192.168.2.2 | 255.255.255.224 | 192.168.2.1 | Vlan 3 |
| 2 | 192.168.3.2 | 255.255.255.224 | 192.168.3.1 | Vlan 4 |
| 3 | 192.168.6.2 | 255.255.255.240 | 192.168.6.1 | Vlan 6 |

Servers

| Server | IP Address | Notes |
| --- | --- | --- |
| 0 | 192.168.4.2/27 | EMAIL / vlan 5 |
| 1 | 192.168.4.3/27 | FTP / vlan 5 |
| 2 | 192.168.4.4/27 | WWW / vlan 5 |
| 3 | 202.10.2.3/24 | External network |
| 4 | 202.10.3.3/24 | External network |
VLAN assignment
Switch-PT Switch 1

```
Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#vlan 2
Switch(config-vlan)#exit
Switch(config)#interface fa0/1
Switch(config-if)#switchport access vlan 2
Switch(config-if)#exit
Switch(config)#interface fa1/1
Switch(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
Switch(config-if)#end
Switch#
%SYS-5-CONFIG_I: Configured from console by console
```
The same is done for Switch 2, 3, 4 and Multilayer Switch 1.
Allow R&D (vlan6) to reach only Administration (vlan4), so staff can clock in,
while it cannot reach Finance (vlan2), Sales (vlan3) or the server farm (vlan5).
Router3
```
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#router ospf 1
Router(config-router)#network 192.168.1.0 0.0.0.31 area 0
Router(config-router)#network 192.168.2.0 0.0.0.31 area 0
Router(config-router)#network 192.168.3.0 0.0.0.31 area 0
Router(config-router)#network 192.168.4.0 0.0.0.31 area 0
Router(config-router)#network 192.168.5.0 0.0.0.31 area 0
Router(config-router)#end
Router#
%SYS-5-CONFIG_I: Configured from console by console
```
Test result

```
Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/27 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0
     192.168.2.0/27 is subnetted, 1 subnets
C       192.168.2.0 is directly connected, FastEthernet1/0
     192.168.3.0/27 is subnetted, 1 subnets
C       192.168.3.0 is directly connected, FastEthernet6/0
     192.168.4.0/27 is subnetted, 1 subnets
C       192.168.4.0 is directly connected, FastEthernet7/0
     192.168.5.0/28 is subnetted, 1 subnets
C       192.168.5.0 is directly connected, Serial2/0
R    192.168.6.0/24 [120/1] via 192.168.5.2, 00:00:26, Serial2/0
Router#
```
Router2
```
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#router ospf 1
Router(config-router)#network 192.168.5.0 0.0.0.15 area 0
Router(config-router)#
01:24:19: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.5.1 on Serial2/0 from LOADING to FULL, Loading Done
Router(config-router)#network 192.168.6.0 0.0.0.15 area 0
Router(config-router)#
Router(config-router)#end
Router#
%SYS-5-CONFIG_I: Configured from console by console
```
Test result

```
Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
R       192.168.1.0/24 [120/1] via 192.168.5.1, 00:00:06, Serial2/0
O       192.168.1.0/27 [110/782] via 192.168.5.1, 00:00:26, Serial2/0
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
R       192.168.2.0/24 [120/1] via 192.168.5.1, 00:00:06, Serial2/0
O       192.168.2.0/27 [110/782] via 192.168.5.1, 00:00:26, Serial2/0
     192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
R       192.168.3.0/24 [120/1] via 192.168.5.1, 00:00:06, Serial2/0
O       192.168.3.0/27 [110/782] via 192.168.5.1, 00:00:26, Serial2/0
     192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
R       192.168.4.0/24 [120/1] via 192.168.5.1, 00:00:06, Serial2/0
O       192.168.4.0/27 [110/782] via 192.168.5.1, 00:00:26, Serial2/0
     192.168.5.0/28 is subnetted, 1 subnets
C       192.168.5.0 is directly connected, Serial2/0
     192.168.6.0/28 is subnetted, 1 subnets
C       192.168.6.0 is directly connected, FastEthernet0/0
Router#
```
Router3
```
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list standard david                  // create a standard named IP ACL called david
Router(config-std-nacl)#permit 192.168.3.0 0.0.0.31            // permit the 192.168.3.0 subnet (Administration, vlan4)
Router(config-std-nacl)#deny 192.168.1.0 0.0.0.31              // deny the 192.168.1.0 subnet (Finance)
Router(config-std-nacl)#deny 192.168.2.0 0.0.0.31              // deny the 192.168.2.0 subnet (Sales)
Router(config-std-nacl)#deny 192.168.4.0 0.0.0.31              // deny the 192.168.4.0 subnet (server farm)
Router(config-std-nacl)#exit
Router(config)#interface se2/0
Router(config-if)#ip access-group david out                    // apply ACL david outbound on Se2/0, the link towards site B
Router(config-if)#end
Router#
%SYS-5-CONFIG_I: Configured from console by console
```
Test result

```
show running-config
Building configuration...

Current configuration : 1355 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.224
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.2.1 255.255.255.224
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 192.168.5.1 255.255.255.240
 ip access-group david out
 clock rate 64000
!
interface Serial3/0
 no ip address
 shutdown
!
interface FastEthernet4/0
 no ip address
!
interface FastEthernet5/0
 no ip address
 shutdown
!
interface FastEthernet6/0
 ip address 192.168.3.1 255.255.255.224
 duplex auto
 speed auto
!
interface FastEthernet7/0
 ip address 192.168.4.1 255.255.255.224
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 192.168.1.0 0.0.0.31 area 0
 network 192.168.2.0 0.0.0.31 area 0
 network 192.168.3.0 0.0.0.31 area 0
 network 192.168.4.0 0.0.0.31 area 0
 network 192.168.5.0 0.0.0.31 area 0
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
 network 192.168.5.0
!
ip classless
!
ip access-list standard david
 permit 192.168.3.0 0.0.0.31
 deny 192.168.1.0 0.0.0.31
 deny 192.168.2.0 0.0.0.31
 deny 192.168.4.0 0.0.0.31
!
line con 0
line vty 0 4
 login
!
End
```
Building the enterprise LAN
Router3
```
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fa0/0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fa0/0.1
%LINK-5-CHANGED: Interface FastEthernet0/0.1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0.1, changed state to up
Router(config-subif)#encapsulation dot1q 2                     // 802.1Q tagging, subinterface for vlan 2 (Finance)
Router(config-subif)#ip address 192.168.1.1 255.255.255.224
Router(config-subif)#exit
Router(config-if)#end
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fa1/0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fa1/0.1
%LINK-5-CHANGED: Interface FastEthernet1/0.1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0.1, changed state to up
Router(config-subif)#encapsulation dot1q 3                     // 802.1Q tagging, subinterface for vlan 3 (Sales)
Router(config-subif)#ip address 192.168.2.1 255.255.255.224
Router(config-subif)#exit
Router(config)#interface fa6/0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fa6/0.1
%LINK-5-CHANGED: Interface FastEthernet6/0.1, changed state to up
Router(config-subif)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet6/0.1, changed state to up
Router(config-subif)#encapsulation dot1q 4                     // vlan 4 (Administration)
Router(config-subif)#ip address 192.168.3.1 255.255.255.224
Router(config-subif)#exit
Router(config)#interface fa7/0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fa7/0.1
%LINK-5-CHANGED: Interface FastEthernet7/0.1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet7/0.1, changed state to up
Router(config-subif)#
Router(config-subif)#encapsulation dot1q 5                     // vlan 5 (server farm)
Router(config-subif)#ip address 192.168.4.1 255.255.255.224
Router(config-subif)#exit
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
```
Test result

```
Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/27 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0.1
     192.168.2.0/27 is subnetted, 1 subnets
C       192.168.2.0 is directly connected, FastEthernet1/0.1
     192.168.3.0/27 is subnetted, 1 subnets
C       192.168.3.0 is directly connected, FastEthernet6/0.1
     192.168.4.0/27 is subnetted, 1 subnets
C       192.168.4.0 is directly connected, FastEthernet7/0.1
     192.168.5.0/28 is subnetted, 1 subnets
C       192.168.5.0 is directly connected, Serial2/0
     192.168.6.0/24 is variably subnetted, 2 subnets, 2 masks
R       192.168.6.0/24 [120/1] via 192.168.5.2, 00:00:04, Serial2/0
O       192.168.6.0/28 [110/782] via 192.168.5.2, 00:24:24, Serial2/0
```
Departments cannot access each other
Router3
```
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
// ACL 1: block PC0 (192.168.1.2, Finance). Note that this matches the single host,
// not the whole 192.168.1.0/27 subnet; other Finance hosts are still permitted.
Router(config)#access-list 1 deny 192.168.1.2
Router(config)#access-list 1 permit any
Router(config)#int fa1/0.1                                     // Sales subinterface
Router(config-subif)#ip access-group 1 in
Router(config-subif)#ip access-group 1 out
Router(config-subif)#exit
Router(config)#int fa6/0.1                                     // Administration subinterface
Router(config-subif)#ip access-group 1 out
Router(config-subif)#ip access-group 1 in
Router(config-subif)#exit
// ACL 2: block PC1 (192.168.2.2, Sales)
Router(config)#access-list 2 deny 192.168.2.2
Router(config)#access-list 2 permit any
Router(config)#in fa6/0.1
// a second ip access-group in the same direction replaces ACL 1 on this subinterface
Router(config-subif)#ip access-group 2 in
Router(config-subif)#ip access-group 2 out
Router(config-subif)#exit
// ACL 3: block PC2 (192.168.3.2, Administration)
Router(config)#access-list 3 deny 192.168.3.2
Router(config)#access-list 3 permit any
Router(config)#int fa0/0.1                                     // Finance subinterface
Router(config-subif)#ip access-group 3 out
Router(config-subif)#ip access-group 3 in
```
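As an added example (not part of the original post), the following Python evaluator reproduces how a Cisco standard ACL is processed: entries are tried in order, the first match wins, and anything unmatched hits the implicit deny. It is run over the post's own lists (access-list 1 above and the named list david from the earlier section) to show a point a reviewer would raise: as written, `access-list 1 deny 192.168.1.2` blocks one PC, while a wildcard of `0.0.0.31` is needed to block the whole Finance subnet. The sample source addresses are constructed.

```python
"""Standard-ACL evaluator with Cisco wildcard masks.

Added example, not code from the original post. ACL entries are taken from the post;
the sample source addresses fed to them are constructed for illustration.
"""
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def evaluate(acl, src: str) -> str:
    """Return 'permit' or 'deny' for a source address (first match wins)."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # implicit 'deny any' at the end of every Cisco ACL


# access-list 1 exactly as configured on Router3 in the post: a single-host deny.
ACL1_AS_POSTED = [
    ("deny", "192.168.1.2", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),   # permit any
]

# The same list written against the whole Finance subnet 192.168.1.0/27 (wildcard 0.0.0.31).
ACL1_SUBNET = [
    ("deny", "192.168.1.0", "0.0.0.31"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# The post's named list 'david', applied outbound on Serial2/0 towards site B.
# Only Administration (192.168.3.0/27) is permitted; everything else falls to the explicit
# or implicit deny, so the R&D PC at 192.168.6.2 gets no answer from Finance or the servers.
ACL_DAVID = [
    ("permit", "192.168.3.0", "0.0.0.31"),
    ("deny", "192.168.1.0", "0.0.0.31"),
    ("deny", "192.168.2.0", "0.0.0.31"),
    ("deny", "192.168.4.0", "0.0.0.31"),
]


def compare(sources):
    """Decision of the posted ACL 1 next to the subnet-wide version, per source address."""
    return {src: (evaluate(ACL1_AS_POSTED, src), evaluate(ACL1_SUBNET, src)) for src in sources}


if __name__ == "__main__":
    # 192.168.1.9 is a constructed second Finance host that the posted list does not cover.
    for src, (posted, subnet) in compare(["192.168.1.2", "192.168.1.9", "192.168.3.2"]).items():
        print(f"{src:14} as-posted={posted:7} subnet-wide={subnet}")
```

The `compare` output makes the gap visible: 192.168.1.9 is permitted by the posted list but denied by the subnet-wide one, so requirement 4 (no direct access between departments) only holds for the three test PCs, not for the ~30 nodes the site is planned for.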
Internet access

NAT on Firewall 1

```
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int s2/0
Router(config-if)#ip nat outside                               // WAN side
Router(config-if)#exit
Router(config)#int fa4/0
Router(config-if)#ip nat inside                                // LAN side
Router(config-if)#exit
Router(config)#ip nat inside source static 192.168.7.2 202.10.0.2   // one-to-one static mapping
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
```
Test result

```
Router#show ip nat trans
Pro  Inside global     Inside local      Outside local     Outside global
---  202.10.0.2        192.168.7.2       ---               ---
```
Public-network access configuration

```
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa0/0
Router(config-if)#exit
Router(config)#int fa4/0
Router(config-if)#ip add 192.168.7.3 255.255.255.0
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#route rip                                       // router rip
Router(config-router)#ver 2                                    // version 2
Router(config-router)#no au                                    // no auto-summary
Router(config-router)#net 192.168.7.0
Router(config-router)#default-information originate            // advertise the default route into RIP
Router(config-router)#exit
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
```
Test result

```
Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

R    192.168.1.0/24 [120/1] via 192.168.7.1, 00:00:00, FastEthernet4/0
R    192.168.2.0/24 [120/1] via 192.168.7.1, 00:00:00, FastEthernet4/0
R    192.168.3.0/24 [120/1] via 192.168.7.1, 00:00:00, FastEthernet4/0
R    192.168.4.0/24 [120/1] via 192.168.7.1, 00:00:00, FastEthernet4/0
R    192.168.5.0/24 [120/1] via 192.168.7.1, 00:00:00, FastEthernet4/0
R    192.168.6.0/24 [120/2] via 192.168.7.1, 00:00:00, FastEthernet4/0
C    192.168.7.0/24 is directly connected, FastEthernet4/0
C    202.10.0.0/24 is directly connected, Serial2/0
Router#
```
Allowing the internal subnets out

```
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
// ACL 1 lists the inside subnets that may be translated
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.31
Router(config)#access-list 1 permit 192.168.2.0 0.0.0.31
Router(config)#access-list 1 permit 192.168.3.0 0.0.0.31
Router(config)#int s2/0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#int fa4/0
Router(config-if)#ip nat inside
Router(config-if)#end
Router#
%SYS-5-CONFIG_I: Configured from console by console
// the session does not show the rule that binds list 1 to the outside interface with
// overload (PAT); without it the list is defined but not used by NAT
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip route 0.0.0.0 0.0.0.0 s2/0                    // default route out of the WAN link
Router(config)#end
Router#
%SYS-5-CONFIG_I: Configured from console by console
```
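Requirement 3 asks that each site share one public address, which on IOS is port address translation: the command `ip nat inside source list 1 interface Serial2/0 overload` ties access-list 1 to the outside interface, and the session above does not show it. The Python model below is an added example, not the post's code, of what that rule does: every source permitted by list 1 leaves with the single global address (the post's 202.10.0.2 is reused as that address), each session distinguished by its translated port, and inbound packets without an existing translation have nowhere to go. The flows and the starting port are constructed.

```python
"""PAT (NAT overload) model for office A's edge router.

Added example, not code from the post. ACL 1 and the global address come from the post;
the flows, the starting port and the translation table are constructed for illustration.
"""
from ipaddress import IPv4Address
from itertools import count

OUTSIDE_GLOBAL = "202.10.0.2"   # the one public address site A shares (taken from the post)

# The post's access-list 1 on the edge router; the implicit deny follows these entries.
ACL1 = [
    ("permit", "192.168.1.0", "0.0.0.31"),
    ("permit", "192.168.2.0", "0.0.0.31"),
    ("permit", "192.168.3.0", "0.0.0.31"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def eligible(src: str) -> bool:
    """True when list 1 permits the source, i.e. NAT may translate it."""
    return any(wildcard_match(src, b, w) for act, b, w in ACL1 if act == "permit")


class PatTable:
    """Dynamic translation table: (inside local ip, port) -> (inside global ip, port)."""

    def __init__(self, start_port: int = 1024):
        self.entries = {}
        self._ports = count(start_port)   # constructed port allocator

    def translate(self, src_ip: str, src_port: int):
        """Outbound packet: return the (ip, port) it leaves with, or None if list 1 denies it."""
        if not eligible(src_ip):
            return None
        key = (src_ip, src_port)
        if key not in self.entries:
            self.entries[key] = (OUTSIDE_GLOBAL, next(self._ports))
        return self.entries[key]

    def untranslate(self, global_port: int):
        """Inbound packet to the global address: map it back, or None when no session exists."""
        for local, (_, port) in self.entries.items():
            if port == global_port:
                return local
        return None


if __name__ == "__main__":
    table = PatTable()
    for ip, port in [("192.168.1.2", 51000), ("192.168.2.2", 51000), ("192.168.4.2", 80)]:
        print(ip, port, "->", table.translate(ip, port))
    print("inbound to port 1025 ->", table.untranslate(1025))
    print("inbound to port 9999 ->", table.untranslate(9999))   # unsolicited, dropped
```

Two properties worth noticing: the server subnet 192.168.4.0/27 is not in list 1, so the internal servers never get a translation and cannot initiate outbound sessions, and an unsolicited inbound packet (port 9999) has no table entry, which is part of what keeps Internet users away from inside hosts as requirement 5 demands.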
Setting up the internal server farm at site A

WWW server configuration

Turn on the HTTP service and turn off the DNS, FTP, MAIL and DHCP services on this server: click MAIL in the left pane and set SMTP Service and POP3 Service to off, leaving the other services unchanged.

Accessing the internal WWW server from PC0:

FTP server configuration

Configure the FTP server and turn off the DHCP, DNS, MAIL and WEB services on it, leaving the other services unchanged. The procedure is similar to the DHCP configuration; only the FTP settings are covered here:

Service (service status): On. Add a User Name and Password, tick Write, Read, Delete, Rename and List for each user, and click + after each entry to add it to the scrolling list.

E-MAIL server configuration

Configure the MAIL server and turn off the DHCP, DNS, FTP and WEB services on it, leaving the other services unchanged. The procedure is similar to the DHCP configuration; only the EMAIL settings are covered here:

SMTP Service and POP3 Service (service status): On. Domain Name: mail.yyd.com. Add two Users with Passwords, clicking + after each entry to add it to the scrolling list.
Sales staff outside the office accessing the Sales department

Switch-PT Switch 1

```
Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int vlan 3                                      // interface vlan 3
%LINK-5-CHANGED: Interface Vlan3, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan3, changed state to up
Switch(config-if)#ip address 192.168.2.1 255.255.255.224       // management IP of the switch
// note: 192.168.2.1 is also Router3's Fa1/0.1 address in the plan above, so the two would clash on vlan 3
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#enable password 123456                          // privileged-mode password 123456
Switch(config)#line vty 0 4
Switch(config-line)#password yydyyd                            // remote-login (telnet) password yydyyd
Switch(config-line)#login
Switch(config-line)#end
Switch#
%SYS-5-CONFIG_I: Configured from console by console
Switch#
```

With a password on remote login, people on the Internet who do not know the password cannot get in, while sales staff who know it can.
No QQ chat or browsing of illegal web pages during working hours
Router3
```
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
// the original session references time-range work1 without defining it; the definition
// below is assumed (weekday working hours) so that ACL 101 has something to match
Router(config)#time-range work1
Router(config-time-range)#periodic weekdays 8:00 to 18:00
Router(config-time-range)#exit
Router(config)#time-range nowork
Router(config-time-range)#periodic weekend 0:00 to 23:59       // Saturday 0:00 to Sunday 23:59
Router(config-time-range)#exit
Router(config)#access-list 101 deny tcp any any time-range work1
Router(config)#access-list 101 permit tcp any 192.168.1.2 0.0.0.31 time-range nowork
Router(config)#access-list 101 permit tcp any 192.168.2.2 0.0.0.31 time-range nowork
Router(config)#access-list 101 permit tcp any 192.168.3.2 0.0.0.31 time-range nowork
Router(config)#access-list 101 permit tcp any 192.168.4.2 0.0.0.31 time-range nowork
Router(config)#int fa0/0.1
Router(config-subif)#ip access-group 101 out
Router(config-subif)#exit
Router(config)#int fa1/0.1
Router(config-subif)#ip access-group 101 out
Router(config-subif)#exit
Router(config)#int fa6/0.1
Router(config-subif)#ip access-group 101 out
Router(config-subif)#exit
Router(config)#int fa7/0.1
Router(config-subif)#ip access-group 101 out
Router(config-subif)#exit
```
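Time-based ACL entries are skipped while their time-range is inactive, and whatever matches nothing falls to the implicit deny. The Python walk below is an added example, not the post's code, of access-list 101 evaluated against a few constructed timestamps. It assumes `work1` means weekdays 8:00 to 18:00 (the post never defines it) and uses the post's `nowork` (all weekend). The result shows two behaviours a reviewer would flag: on a weekday evening no entry is active, so TCP is denied by the implicit rule, and non-TCP traffic is denied at all times because the list only has TCP entries.

```python
"""Time-based evaluation of the post's access-list 101.

Added example, not code from the post. 'nowork' is the post's definition; 'work1' is an
assumed definition because the post references it without defining it. Timestamps are constructed.
"""
from datetime import datetime, time
from ipaddress import IPv4Address, IPv4Network

WEEKDAYS = range(0, 5)   # datetime.weekday(): Monday=0 ... Friday=4
WEEKEND = range(5, 7)    # Saturday=5, Sunday=6

TIME_RANGES = {
    "work1": (WEEKDAYS, time(8, 0), time(18, 0)),    # assumed: periodic weekdays 8:00 to 18:00
    "nowork": (WEEKEND, time(0, 0), time(23, 59)),   # post's: periodic weekend 0:00 to 23:59
}


def time_range_active(name: str, when: datetime) -> bool:
    """IOS 'periodic' semantics: active when the day is listed and the time is inside the window."""
    days, start, end = TIME_RANGES[name]
    return when.weekday() in days and start <= when.time() <= end


# access-list 101 from the post, reduced to (action, protocol, destination subnet, time-range).
# The post writes the destinations as host.2 with wildcard 0.0.0.31, which IOS stores as the /27.
ACL101 = [
    ("deny", "tcp", "any", "work1"),
    ("permit", "tcp", "192.168.1.0/27", "nowork"),
    ("permit", "tcp", "192.168.2.0/27", "nowork"),
    ("permit", "tcp", "192.168.3.0/27", "nowork"),
    ("permit", "tcp", "192.168.4.0/27", "nowork"),
]


def decide(proto: str, dst: str, when: datetime) -> str:
    """First active matching entry wins; 'deny-implicit' means nothing matched."""
    for action, p, net, trange in ACL101:
        if p != proto or not time_range_active(trange, when):
            continue
        if net == "any" or IPv4Address(dst) in IPv4Network(net):
            return action
    return "deny-implicit"


if __name__ == "__main__":
    # constructed timestamps: 2024-01-02 is a Tuesday, 2024-01-06 a Saturday
    samples = [
        ("tcp", "192.168.1.2", datetime(2024, 1, 2, 10, 0)),   # weekday, working hours
        ("tcp", "192.168.1.2", datetime(2024, 1, 2, 20, 0)),   # weekday evening
        ("tcp", "192.168.1.2", datetime(2024, 1, 6, 12, 0)),   # weekend
        ("udp", "192.168.1.2", datetime(2024, 1, 6, 12, 0)),   # weekend, but UDP (e.g. DNS)
    ]
    for proto, dst, when in samples:
        print(f"{when:%a %H:%M} {proto} -> {dst}: {decide(proto, dst, when)}")
```

Because the list is applied outbound on every LAN subinterface of Router3, the implicit deny also stops replies to weekday-evening sessions and all UDP, which is broader than requirement 2 (blocking QQ and illegal sites during working hours) asks for.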
The same is done on Router2.

Summary

I did this in the first semester of my second year, at about this time of year, for the router course design the teacher assigned; at the time mine was the only one done fairly thoroughly, and I was secretly pleased with myself, hahaha.

I hope this helps you; it is written a bit messily.

The teacher said at the time that the link between the company's site A and site B should be built with a VPN, but somehow that never got done.

Please credit the source when reposting: http://www.cnblogs.com/yydcdut/p/3520838.html