Cisco之中小型企业网络-阿里云开发者社区

Cisco之中小型企业网络

2017-11-12 950

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

简介：

网络架构图如下：

一网络架构方案设计

1.1 方案说明

公司网络由核心层和接入层组成，核心层为网络的骨干部分。
不同部门使用不同的VLAN
把vlan154中的服务器发布到外网，并使VM1可以访问
使vlan155网段可以访问外网
管理vlan为vlan100
使用ACL增强网络的安全性

1.2 IP地址规划

vlan154：172.16.154.0/24 网关：172.16.154.254

vlan155：172.16.155.0/24 网关：172.16.155.254

vlan100：172.16.100.0/24 网关：172.16.100.254

二方案的实施

建立vlan、配置VTP同步，sw1和sw2操作一致：

SW_R(config)#hostname sw_r

sw_r(config)#ip routing

sw_r(config)#vlan 100

sw_r(config-vlan)#vlan 154

sw_r(config-vlan)#vlan 155

sw_r#show vlan-switch

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa1/0, Fa1/1, Fa1/2, Fa1/3

Fa1/4, Fa1/5, Fa1/6, Fa1/7

Fa1/8, Fa1/9, Fa1/10, Fa1/11

Fa1/12, Fa1/13, Fa1/14, Fa1/15

100 VLAN0100 active

154 VLAN0154 active

155 VLAN0155 active

sw_r(config)#int range f1/1 , f1/3

sw_r(config-if-range)#sw mode trunk

sw_r(config)#vtp domain cisco

sw_r(config)#vtp password cisco

sw_r(config)#vtp mode server

sw_r(config)#vtp pruning

sw1(config)#hostname sw1

sw1(config)#int f1/1

sw1(config-if)#sw mo tr

sw1(config)#vtp domain cisco

sw1(config)#vtp password cisco

sw1(config)#vtp mode client

sw1#show vlan-switch

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa1/0, Fa1/2, Fa1/3, Fa1/4

Fa1/5, Fa1/6, Fa1/7, Fa1/8

Fa1/9, Fa1/10, Fa1/11, Fa1/12

Fa1/13, Fa1/14, Fa1/15

100 VLAN0100 active

154 VLAN0154 active

155 VLAN0155 active

sw1(config)#int range f1/2 - 10

sw1(config-if-range)#sw mo access

sw1(config-if-range)#sw ac vlan 154

sw1(config)#int range f1/11 - 15

sw1(config-if-range)#sw mo access

sw1(config-if-range)#sw ac vlan 155

sw1#show vlan-switch

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa1/0

100 VLAN0100 active

154 VLAN0154 active Fa1/2, Fa1/3, Fa1/4, Fa1/5

Fa1/6, Fa1/7, Fa1/8, Fa1/9

Fa1/10

155 VLAN0155 active Fa1/11, Fa1/12, Fa1/13, Fa1/14

Fa1/15

sw1#show int trunk

Port Mode Encapsulation Status Native vlan

Fa1/1 on 802.1q trunking 1

Port Vlans allowed on trunk

Fa1/1 1-1005

配置IP地址：

sw_r(config)#int f1/4

sw_r(config-if)#no switchport

sw_r(config-if)#ip add 192.168.1.1 255.255.255.252

sw_r(config-if)#no sh

sw_r(config)#int vlan 100

sw_r(config-if)#ip add 172.16.100.254 255.255.255.0

sw_r(config-if)#no sh

sw_r(config-if)#int vlan 154

sw_r(config-if)#ip add 172.16.154.254 255.255.255.0

sw_r(config-if)#no sh

sw_r(config-if)#int vlan 155

sw_r(config-if)#ip add 172.16.155.254 255.255.255.0

sw_r(config-if)#no sh

sw_r#show ip int brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 unassigned YES unset administratively down down

FastEthernet0/1 unassigned YES unset administratively down down

FastEthernet1/0 unassigned YES unset up down

FastEthernet1/1 unassigned YES unset up up

FastEthernet1/2 unassigned YES unset up down

FastEthernet1/3 unassigned YES unset up up

FastEthernet1/4 192.168.1.1 YES manual up up

FastEthernet1/5 unassigned YES unset up down

FastEthernet1/6 unassigned YES unset up down

FastEthernet1/7 unassigned YES unset up down

FastEthernet1/8 unassigned YES unset up down

FastEthernet1/9 unassigned YES unset up down

FastEthernet1/10 unassigned YES unset up down

FastEthernet1/11 unassigned YES unset up down

FastEthernet1/12 unassigned YES unset up down

FastEthernet1/13 unassigned YES unset up down

FastEthernet1/14 unassigned YES unset up down

FastEthernet1/15 unassigned YES unset up down

Vlan1 unassigned YES unset up up

Vlan100 172.16.100.254 YES manual up up

Vlan154 172.16.154.254 YES manual up up

Vlan155 172.16.155.254 YES manual up up

ROUTER(config)#hostname router

router(config)#int f0/0

router(config-if)#ip add 192.168.1.2 255.255.255.252

router(config-if)#no sh

router(config-if)#int f1/0

router(config-if)#ip add 10.1.1.1 255.255.255.252

router(config-if)#no sh

router(config-if)#end

router#show ip int b

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.1.2 YES manual up up

FastEthernet1/0 10.1.1.1 YES manual up up

FastEthernet2/0 unassigned YES unset administratively down down

router#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/64 ms

sw1(config-if)#int vlan 100

sw1(config-if)#ip add 172.16.100.1 255.255.255.0

sw1(config-if)#no sh

sw1(config)#ip default-gateway 172.16.100.254

sw1#show ip int Vlan 100

Vlan100 is up, line protocol is up

Internet address is 172.16.100.1/24

Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1500 bytes

...

sw1# ping 172.16.100.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.100.254, timeout is 2 seconds:

!!!!!

sw3(config)#int vlan 100

sw3(config-if)#ip add 172.16.100.3 255.255.255.0

sw3(config-if)#no sh

sw3(config)#ip default-gateway 172.16.100.254

sw3#sh ip int vlan 100

Vlan100 is up, line protocol is up

Internet address is 172.16.100.3/24

Broadcast address is 255.255.255.255

Address determined by setup command

...

sw3#ping 172.16.100.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.100.254, timeout is 2 seconds:

.!!!!

Internet(config)#hostname Internet

Internet(config)#int f0/0

Internet(config-if)#ip add 10.1.1.2 255.255.255.252

Internet(config-if)#no sh

Internet(config-if)#int f1/0

Internet(config-if)#ip add 10.1.1.5 255.255.255.252

Internet(config-if)#no sh

Internet#sh ip int b

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 10.1.1.2 YES manual up up

FastEthernet1/0 10.1.1.5 YES manual up up

Internet#ping 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 20/34/48 ms

R8(config)#hostname R8

R8(config)#int f0/0

R8(config-if)#ip add 10.1.1.6 255.255.255.252

R8(config-if)#no sh

R8(config-if)#int f1/0

R8(config-if)#ip add 192.168.60.254 255.255.255.0

R8(config-if)#no sh

配置路由：

sw_r(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2

router(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2

router(config)#ip route 172.16.100.0 255.255.255.0 192.168.1.1

router(config)#ip route 172.16.154.0 255.255.255.0 192.168.1.1

router(config)#ip route 172.16.155.0 255.255.255.0 192.168.1.1

R8(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.5

在核心交换机上配置DHCP服务

sw_r(config)#ip dhcp pool vlan154

sw_r(dhcp-config)#network 172.16.154.0 255.255.255.0

sw_r(dhcp-config)#default-router 172.16.154.254

sw_r(dhcp-config)#dns-server 202.96.134.33 202.96.134.133

sw_r(config)#ip dhcp excluded-address 172.16.154.254

sw_r(config)#ip dhcp pool vlan155

sw_r(dhcp-config)#network 172.16.155.0 255.255.255.0

sw_r(dhcp-config)#dns-server 202.96.134.33 202.96.134.133

sw_r(dhcp-config)#default-router 172.16.155.254

sw_r(config)#ip dhcp excluded-address 172.16.155.254

vlan155的主机获取到IP：

R6(config)#int f0/0

R6(config-if)#ip add dhcp

R6#sh ip int b

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 172.16.155.1 YES DHCP up up

FastEthernet0/1 unassigned YES unset administratively down down

配置NAT允许vlan155访问外网

ROUTER(config)#access-list 1 permit 172.16.155.0 0.0.0.255

ROUTER(config)#ip nat inside source list 1 interface f1/0 overload

ROUTER(config)#int f1/0

ROUTER(config-if)#ip nat outside

ROUTER(config)#int f0/0

ROUTER(config-if)#ip nat inside

R6#ping 10.1.1.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/68/128 ms

查看NAT的统计信息：

ROUTER#sh ip nat statistics

Total active translations: 2 (0 static, 2 dynamic; 2 extended)

Outside interfaces:

FastEthernet1/0

Inside interfaces:

FastEthernet0/0

Hits: 54 Misses: 6

CEF Translated packets: 60, CEF Punted packets: 0

Expired translations: 4

Dynamic mappings:

-- Inside Source

[Id: 1] access-list 1 interface FastEthernet1/0 refcount 2

Appl doors: 0

Normal doors: 0

Queued Packets: 0

查看当前存在的NAT转换条目，前提是有数据包进行转换（如果没有数据包转换，只能显示静态NAT条目）

ROUTER#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 10.1.1.1:20 172.16.155.1:20 10.1.1.6:20 10.1.1.6:20

icmp 10.1.1.1:21 172.16.155.1:21 10.1.1.6:21 10.1.1.6:21

icmp 10.1.1.1:22 172.16.155.1:22 10.1.1.6:22 10.1.1.6:22

对NAT进行监控：

ROUTER#sh ip nat translations verbose

Pro Inside global Inside local Outside local Outside global

icmp 10.1.1.1:24 172.16.155.1:24 10.1.1.6:24 10.1.1.6:24

create 00:00:03, use 00:00:03 timeout:60000, left 00:00:56, Map-Id(In): 1,

flags:

extended, use_count: 0, entry-id: 17, lc_entries: 0

向外网发布Web服务器：

ROUTER(config)#ip nat inside source static tcp 172.16.154.1 80 10.1.1.1 80 extendable

查看静态ANT条目：

ROUTER#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

tcp 10.1.1.1:80 172.16.154.1:80 --- ---

在Web服务器上开放80端口

在客户端访问：

配置telnet远程管理：

ROUTER(config)#line vty 0 4

ROUTER(config-line)#password cisco

ROUTER(config-line)#login

ROUTER(config)#enable secret cisco

配置SSH远程管理：

sw1(config)#ip domain-name cisco.com

sw1(config)#username best password best1

sw1(config)#crypto key generate rsa general-keys modulus 1024

sw1(config)#ip ssh version 2

sw1(config)#line vty 0 4

sw1(config-line)#login local

sw1(config-line)#transport input ssh #只允许SSH登陆

登陆方式：

Cisco网络设备：ssh -l best 192.168.1.1

Xshell：ssh 172.16.100.254

配置console登陆密码：

sw1(config)#line console 0

sw1(config-line)#password cisco

sw1(config-line)#login

本文转自 zengwj1949 51CTO博客，原文链接:http://blog.51cto.com/zengwj1949/1922768

Cisco之中小型企业网络

热门文章

最新文章

相关课程

相关电子书

相关实验场景