Requirements
Shenzhen headquarters data center

1. The aggregation switches must guarantee bandwidth and reliability, so link aggregation is mandatory; the aggregated port must be a trunk that allows all VLANs through. (eth-trunk)
2. The core switches must provide device redundancy and link backup, so they are built as pairwise rings (every link that forms a ring must be a trunk carrying all VLANs). This requires the RSTP spanning tree; the ports on the access switches that connect PCs must be edge ports with BPDU protection enabled, and the root switch must enable root protection. (stp, rstp)
3. The data-center room needs three VLANs: the servers sit in their own VLAN 100, and VLAN 2 and VLAN 3 are two departments that reach the devices in server VLAN 100 through hybrid ports. The web-client in VLAN 2 must reach the web-server in VLAN 100 and the ftp-client in VLAN 3 must reach the ftp-server in VLAN 100; the ports of these hosts must be hybrid for that to work, while the other PCs use access ports and reach only devices in their own VLAN. (vlan, trunk, hybrid)
4. The root switch must enable Layer-3 routing so that the different VLANs can reach one another. (Layer-3 switch routing)
5. The root switch has its own link to the core router; the server published to the public network is placed in the default VLAN 1.
6. The root switch advertises its routes to the public network with OSPF, using interface authentication.
7. All ISP routers learn routes with OSPF.
8. The Shenzhen HQ router must enable AAA with three domains, ftp, telnet and ssh; each domain uses local authentication and authorization with its own account and password for that service. The HQ router also enables the ftp, SSH and telnet services. (ftp, telnet, ssh, aaa; loopback lo 1.1.1.1/32 is enabled so the router can be reached over any path)
9. Internal IP addresses at the Changsha branch are assigned by DHCP running on the branch router. (dhcp)
10. Private addresses on the Changsha LAN reach the public network only through NAT. (SNAT)
11. Allow the Changsha branch to reach the HQ public server;
12. then deny the Changsha branch access to the HQ public server. (advanced ACL)
13. From the Changsha branch, use the centralized remote-access tools ftp, telnet and ssh to run basic file-system commands and configure the remote router. (ftp, telnet, ssh, aaa, dir, copy, move, cd…)
14. Allow the Internet or the HQ internal network to reach the private server at the Changsha branch. (DNAT: nat server)
15. The Changsha branch needs a default route so it can reach any point on the public network. (route-static)

Note that the configuration section below labels the branch "Chengdu" (sysname cdfz); it is the same branch router R5 that these requirements call Changsha.
Network topology

(The topology diagram is not reproduced in this copy; the links below are what the addressing in the configurations implies.)

R1 (szzb) G0/0/0 12.1.1.1 -- R2 G0/0/0 12.1.1.2
R1 G0/0/1 13.1.1.1 -- R3 G0/0/0 13.1.1.3
R2 G0/0/1 24.1.1.2 -- R4 G0/0/0 24.1.1.4
R3 G0/0/1 34.1.1.3 -- R4 G0/0/1 34.1.1.4
R1 G0/0/2 201.1.1.1 -- SW2 Vlanif1 201.1.1.2 (the HQ public server is 201.1.1.3 in VLAN 1)
R4 G0/0/2 200.1.1.1 -- R5 (cdfz) G0/0/0 200.1.1.2 (200.1.1.3 is the NAT server address that fronts the branch FTP server)
R5 G0/0/1 192.168.1.254 -- branch LAN 192.168.1.0/24, FTP server 192.168.1.2
SW1 -- SW2 over Eth-Trunk1 (G0/0/1 and G0/0/2 on each); the remaining trunk ports (G0/0/3 and G0/0/4 on SW1 and SW2, G0/0/1 and G0/0/2 on SW3 and SW4) are the links that close the rings between the core pair and the access switches
Configuration
ISP configuration (R1 is the Shenzhen HQ edge router, sysname szzb, that requirement 8 refers to; R2 to R4 form the ISP core):
Router R1 configuration:
sysname szzb

ftp server enable

acl number 3000
 rule 5 deny tcp source 200.1.1.0 0.0.0.255 destination 201.1.1.3 0
 rule 10 permit ip

aaa
 authentication-scheme szzb_authe
 authorization-scheme szzb_autho
 domain ftp
  authentication-scheme szzb_authe
  authorization-scheme szzb_autho
 domain telnet
  authentication-scheme szzb_authe
  authorization-scheme szzb_autho
 domain ssh
  authentication-scheme szzb_authe
  authorization-scheme szzb_autho
 local-user ftp@ftp password cipher 123456
 local-user ftp@ftp privilege level 15
 local-user ftp@ftp ftp-directory flash:
 local-user ftp@ftp service-type ftp
 local-user ssh@ssh password cipher 123456
 local-user ssh@ssh privilege level 15
 local-user ssh@ssh service-type ssh
 local-user telnet@telnet password cipher 123456
 local-user telnet@telnet privilege level 15
 local-user telnet@telnet service-type telnet

interface GigabitEthernet0/0/0
 ip address 12.1.1.1 255.255.255.0

interface GigabitEthernet0/0/1
 ip address 13.1.1.1 255.255.255.0

interface GigabitEthernet0/0/2
 ip address 201.1.1.1 255.255.255.0
 traffic-filter outbound acl 3000
 ospf authentication-mode md5 1 cipher 123456

interface LoopBack0
 ip address 1.1.1.1 255.255.255.255

ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 0.0.0.0 255.255.255.255
  network 1.1.1.1 0.0.0.0

stelnet server enable

user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all

Points to check on R1:

The user names carry the domain (ftp@ftp, ssh@ssh, telnet@telnet): VRP splits the login name at "@" and applies the matching domain, which is how each service gets its own domain as requirement 8 asks. The local-user lines belong under the aaa view, where they are shown here.

ACL 3000 implements requirement 12. It is applied outbound on G0/0/2, the link toward SW2, and its deny rule matches only TCP from 200.1.1.0/24 to the public server 201.1.1.3, so ICMP and UDP from the branch still reach the server; if "deny access" is meant literally, the rule should be "deny ip" rather than "deny tcp". The source range is the branch's public side rather than 192.168.1.0/24 because R5 translates branch traffic to 200.1.1.2 before it arrives here.

The OSPF MD5 key on G0/0/2 must match the one on SW2's Vlanif1 (it does below), otherwise the adjacency to the HQ switch never forms.

"protocol inbound all" on vty 0 4 accepts Telnet as well as SSH, and all three accounts share the placeholder password 123456 at privilege level 15; this is fine for the lab but is the first thing to tighten on real equipment.
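The R1 configuration above enables stelnet, but it shows neither the mode of the authentication and authorization schemes nor the SSH host key and SSH user binding that VRP requires before an SSH login succeeds. The fragment below is an added completion written for this page, not configuration from the original lab; the scheme modes follow requirement 8 (local), "telnet server enable" is included because some AR versions ship with the Telnet server disabled, and the ssh user lines assume the login name is typed as ssh@ssh so that the ssh domain is selected.

```text
aaa
 authentication-scheme szzb_authe
  authentication-mode local
 authorization-scheme szzb_autho
  authorization-mode local

rsa local-key-pair create

ssh user ssh@ssh authentication-type password
ssh user ssh@ssh service-type stelnet

stelnet server enable
telnet server enable
```

After this, "display ssh server status" should report the stelnet server as enabled and "display ssh user-information" should list the ssh@ssh user; the local-user ssh@ssh must keep "service-type ssh" as in the original configuration, otherwise AAA rejects the session even though the SSH handshake completes.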
Router R2 configuration:

sysname R2

interface GigabitEthernet0/0/0
 ip address 12.1.1.2 255.255.255.0

interface GigabitEthernet0/0/1
 ip address 24.1.1.2 255.255.255.0

ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 0.0.0.0 255.255.255.255

Router R3 configuration:

sysname R3

interface GigabitEthernet0/0/0
 ip address 13.1.1.3 255.255.255.0

interface GigabitEthernet0/0/1
 ip address 34.1.1.3 255.255.255.0

ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 0.0.0.0 255.255.255.255

Router R4 configuration:

sysname R4

interface GigabitEthernet0/0/0
 ip address 24.1.1.4 255.255.255.0

interface GigabitEthernet0/0/1
 ip address 34.1.1.4 255.255.255.0

interface GigabitEthernet0/0/2
 ip address 200.1.1.1 255.255.255.0

ospf 1 router-id 4.4.4.4
 area 0.0.0.0
  network 0.0.0.0 255.255.255.255

All four ISP routers use the wildcard "network 0.0.0.0 255.255.255.255", which puts every interface into area 0 (requirement 7). R4's G0/0/2 toward the branch is therefore also an OSPF interface; R5 runs no OSPF and relies on its static default route, so R4 reaches 200.1.1.0/24 as a connected network and the branch's NAT address 200.1.1.3 is answered by R5 on that segment.
Shenzhen headquarters (central equipment room):
Switch SW1 configuration:

sysname sw1

vlan batch 2 to 3 100

stp mode rstp

interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

interface GigabitEthernet0/0/1
 eth-trunk 1

interface GigabitEthernet0/0/2
 eth-trunk 1

interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

Eth-Trunk1 bundles G0/0/1 and G0/0/2 toward SW2 (requirement 1); "allow-pass vlan 2 to 4094" together with the default PVID 1 lets every VLAN, including VLAN 1 for the public server, cross the trunk. Note that the page's switch configurations contain no edge-port, BPDU-protection or root-protection commands, and no switch is pinned as RSTP root, so that part of requirement 2 is not yet implemented.
Switch SW2 configuration:

sysname sw2

vlan batch 2 to 3 100

stp mode rstp

interface Vlanif1
 ip address 201.1.1.2 255.255.255.0
 ospf authentication-mode md5 1 cipher 123456

interface Vlanif2
 ip address 172.16.2.254 255.255.255.0

interface Vlanif3
 ip address 172.16.3.254 255.255.255.0

interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

interface GigabitEthernet0/0/1
 eth-trunk 1

interface GigabitEthernet0/0/2
 eth-trunk 1

interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

ospf 1 router-id 201.201.201.201
 area 0.0.0.0
  network 201.1.1.0 0.0.0.255
  network 172.16.0.0 0.0.255.255

SW2 is the Layer-3 switch of requirements 4 to 6: Vlanif2 and Vlanif3 are the department gateways, Vlanif1 carries the OSPF adjacency to R1 with the same MD5 key, and the 172.16.0.0/16 network statement advertises the department subnets to the ISP (a lab simplification; in production the private ranges would not be injected into the provider's OSPF). There is no Vlanif100, so VLAN 100 is not routed: the servers are reached purely at Layer 2 through the hybrid ports on SW3 and SW4, which means each client and the server it talks to must share an IP subnet for ARP to resolve.
Switch SW3 configuration:

sysname sw3

vlan batch 2 to 3 100

stp mode rstp

interface Ethernet0/0/1
 port link-type access
 port default vlan 2

interface Ethernet0/0/2
 port link-type access
 port default vlan 3

interface Ethernet0/0/3
 port hybrid pvid vlan 3
 port hybrid untagged vlan 3 100

interface Ethernet0/0/4
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2 100

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

Ethernet0/0/1 and 0/0/2 are the ordinary PCs of VLAN 2 and VLAN 3 (access ports, own VLAN only). Ethernet0/0/4 is the web-client: its PVID puts the client's untagged frames into VLAN 2, and the port strips the tag on egress for both VLAN 2 and VLAN 100, so replies coming back tagged 100 from the web-server are delivered to the client. Ethernet0/0/3 does the same for the ftp-client with VLAN 3 and VLAN 100. That is the hybrid mechanism requirement 3 asks for: the client never sees a tag, yet it exchanges frames with a host whose PVID is a different VLAN.
Switch SW4 configuration:

sysname sw4

vlan batch 2 to 3 100

stp mode rstp

interface Ethernet0/0/1
 port hybrid pvid vlan 100
 port hybrid untagged vlan 2 to 3 100

interface Ethernet0/0/2
 port hybrid pvid vlan 100
 port hybrid untagged vlan 2 to 3 100

interface Ethernet0/0/3

interface Ethernet0/0/4
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2 100

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

Ethernet0/0/1 and 0/0/2 are the two server ports (web-server and ftp-server): PVID 100 places the servers' frames in VLAN 100, and untagging VLANs 2, 3 and 100 on egress lets frames from either department reach them. Ethernet0/0/3 is unused in the source, and Ethernet0/0/4 is a second web-client port configured like SW3's Ethernet0/0/4. Because both server ports untag VLAN 2 and VLAN 3, either client can reach either server, which is looser than requirement 3; to restrict the web-client to the web-server and the ftp-client to the ftp-server, the web-server port should untag only VLANs 2 and 100 and the ftp-server port only VLANs 3 and 100.
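Requirement 2 asks for edge ports with BPDU protection on the access switches and root protection on the root switch, but none of the SW1 to SW4 configurations above contain those commands, and no switch is pinned as the RSTP root, so the root is simply whichever switch has the lowest MAC address. The fragment below is an added example written for this page, not configuration from the original lab. It assumes SW2, the Layer-3 switch, is the intended root, that SW1 is its backup, and that G0/0/3 and G0/0/4 on SW2 are the designated ports facing SW3 and SW4; Ethernet0/0/1 to 0/0/4 are the host-facing ports shown in the SW3 and SW4 configurations.

```text
# SW2: make it the RSTP root and protect the ports that face the access layer
stp mode rstp
stp root primary
interface GigabitEthernet0/0/3
 stp root-protection
interface GigabitEthernet0/0/4
 stp root-protection

# SW1: backup root, so the tree converges on the core pair if SW2 fails
stp mode rstp
stp root secondary

# SW3 and SW4: host ports are edge ports, and any BPDU on an edge port
# shuts that port down (bpdu-protection is global)
stp mode rstp
stp bpdu-protection
interface Ethernet0/0/1
 stp edged-port enable
interface Ethernet0/0/2
 stp edged-port enable
interface Ethernet0/0/3
 stp edged-port enable
interface Ethernet0/0/4
 stp edged-port enable
```

With root protection, a designated port that receives a superior BPDU (for example from a rogue switch plugged into an access switch) goes to discarding instead of letting that device take over the root, and with BPDU protection an edge port that receives any BPDU is error-down until an operator recovers it (shutdown / undo shutdown), so the PC-facing ports cannot become part of the tree. "display stp brief" on each switch shows the resulting port roles; SW2 should own all designated ports toward SW1, SW3 and SW4, and the ring links on SW3 and SW4 should show one root port and one alternate (discarding) port each.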
Chengdu branch (the Changsha branch of the requirements; same router R5):
Router R5 configuration:

sysname cdfz

acl number 2000
 rule 5 permit source 192.168.1.0 0.0.0.255

interface GigabitEthernet0/0/0
 ip address 200.1.1.2 255.255.255.0
 nat server protocol tcp global 200.1.1.3 ftp inside 192.168.1.2 ftp
 nat outbound 2000

interface GigabitEthernet0/0/1
 ip address 192.168.1.254 255.255.255.0
 dhcp select global

ip route-static 0.0.0.0 0.0.0.0 200.1.1.1

Points to check on R5:

The ACL 2000 rule appeared twice in the source; it is listed once here. "nat outbound 2000" with no address group is Easy IP: the branch LAN leaves with the interface address 200.1.1.2 (requirement 10), which is why R1's ACL 3000 matches on 200.1.1.0/24. The "nat server" line maps TCP port 21 of 200.1.1.3 to the branch FTP server 192.168.1.2 (requirement 14); R5 answers ARP for 200.1.1.3 on the 200.1.1.0/24 segment, so R4 needs no extra route. FTP opens a separate data connection whose port is negotiated inside the control channel, so the mapping only works end to end if the FTP ALG is active ("nat alg ftp enable" on AR-series VRP). The default route satisfies requirement 15. Note that "dhcp select global" on G0/0/1 refers to a global address pool, but the source shows neither "dhcp enable" nor an "ip pool"; without them the interface assigns nothing.
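Requirement 9 puts DHCP on the branch router, and G0/0/1 is set to "dhcp select global", but the page shows neither "dhcp enable" nor the global address pool that "dhcp select global" refers to. The following is an added example written for this page, not configuration from the original lab. The pool name cdfz is an assumption; the excluded address keeps the FTP server's static 192.168.1.2 out of the dynamic range so that the "nat server" mapping above never points at an address handed to a random client, and the gateway is the interface address already configured on G0/0/1.

```text
dhcp enable

ip pool cdfz
 gateway-list 192.168.1.254
 network 192.168.1.0 mask 255.255.255.0
 excluded-ip-address 192.168.1.2
 lease day 1 hour 0 minute 0

interface GigabitEthernet0/0/1
 ip address 192.168.1.254 255.255.255.0
 dhcp select global
```

"display ip pool name cdfz used" shows which addresses have been leased; a client that boots on the LAN should receive an address in 192.168.1.0/24 other than 192.168.1.2 and 192.168.1.254 with 192.168.1.254 as its default gateway, and with the Easy IP rule on G0/0/0 its outbound traffic then appears on the Internet as 200.1.1.2.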