需求
深圳总部数据中心
1、汇聚交换机保证网络带宽及可靠想,必须使用链路汇聚,汇聚端口需要开启trunk允许所有VLAN通过;(eth-trunk)
2、中心交换机要保证设备冗余和线路备份,需要搭建成两两环路(形成环路的线一定要使用trunk保证所有VLAN通过),需要用到生成树RSTP,接入层交换机连接的电脑必须开启边缘端口,且同步开启BPDU保护,根交换机要开启根保护;(stp、rstp)
3、数据中心机房里面需要满足三个VLAN的需求,服务器放在单独VLAN100里面;然后设置VLAN2和VLAN3两个部门,允许通过hybrid访问到服务器VLAN100里面的设备;vlan2里面的web-client设备访问到VLAN100里面的web-server,vlan3里面的ftp-client设备访问到VLAN100里面的ftp-server,这些设备的接口必须要使用hybrid才能访问,其他PC设备可以通过access口访问同一个VLAN里面的设备。(vlan、trunk、hybrid)
4、根交换机需要开启三层路由功能,保证不同VLAN之间能实现互访。(三层交换机路由)
5、根交换机需要单独连接到核心路由器,在默认VLAN1里面需要配置发布到公网的服务器。
6、根交换机需要通过OSPF协议发布路由到公网里面,并且要使用接口认证方式发布。
7、运营商所有的路由器都采用OSPF协议学习路由。
8、深圳总部路由器需要开启AAA认证功能,需要建立三个域FTP、telnet、ssh域,每个域里面需要开启本地认证和授权的账号,分别为不同服务提供账号和密码。总部路由器同时需要开启ftp\SSH\telnet服务(ftp、telnet、ssh、aaa,开启环回接口lo:1.1.1.1/32实现多路访问)
9、长沙分支内网IP地址分配需要路由器开启DHCP协议进行分配。(dhcp)
10、长沙内网私有地址只能通过NAT技术访问公网。(SNAT技术)
11、开启长沙分支访问深圳总部公网服务器;
12、禁止长沙分支访问深圳总部公网服务器;(高级acl访问控制)
13、长沙分支通过ftp、telnet、ssh等集中远程访问工具,实现文件系统基本命令的使用配置和远程路由器配置。(ftp、telnet、ssh、aaa、dir,copy,move,cd…)
14、开启外网或者深圳总部内网能访问到长沙分支私网服务器;(DNAT技术:nat server)
15、长沙分支需要开启默认路由实现公网任何地点的访问。(route-static)
网络拓扑图
配置
运营商的配置:
路由器R1的配置:
sysname szzb
ftp server enable
acl number 3000
rule 5 deny tcp source 200.1.1.0 0.0.0.255 destination 201.1.1.3 0
rule 10 permit ip
aaa
authentication-scheme szzb_authe
authorization-scheme szzb_autho
domain ftp
authentication-scheme szzb_authe
authorization-scheme szzb_autho
domain telnet
authentication-scheme szzb_authe
authorization-scheme szzb_autho
domain ssh
authentication-scheme szzb_authe
authorization-scheme szzb_autho
local-user ftp@ftp password cipher 123456
local-user ftp@ftp privilege level 15
local-user ftp@ftp ftp-directory flash:
local-user ftp@ftp service-type ftp
local-user ssh@ssh password cipher 123456
local-user ssh@ssh privilege level 15
local-user ssh@ssh service-type ssh
local-user telnet@telnet password cipher 123456
local-user telnet@telnet privilege level 15
local-user telnet@telnet service-type telnet
interface GigabitEthernet0/0/0
ip address 12.1.1.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 13.1.1.1 255.255.255.0
interface GigabitEthernet0/0/2
ip address 201.1.1.1 255.255.255.0
traffic-filter outbound acl 3000
ospf authentication-mode md5 1 cipher 123456
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 0.0.0.0 255.255.255.255
network 1.1.1.1 0.0.0.0
stelnet server enable
user-interface vty 0 4
authentication-mode aaa
protocol inbound all
路由器R2的配置:
sysname R2
interface GigabitEthernet0/0/0
ip address 12.1.1.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 24.1.1.2 255.255.255.0
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 0.0.0.0 255.255.255.255
路由器R3的配置:
sysname R3
interface GigabitEthernet0/0/0
ip address 13.1.1.3 255.255.255.0
interface GigabitEthernet0/0/1
ip address 34.1.1.3 255.255.255.0
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 0.0.0.0 255.255.255.255
路由器R4的配置:
sysname R4
interface GigabitEthernet0/0/0
ip address 24.1.1.4 255.255.255.0
interface GigabitEthernet0/0/1
ip address 34.1.1.4 255.255.255.0
interface GigabitEthernet0/0/2
ip address 200.1.1.1 255.255.255.0
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 0.0.0.0 255.255.255.255
深圳总部(中心机房):
SW1交换机的配置:
sysname sw1
vlan batch 2 to 3 100
stp mode rstp
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/1
eth-trunk 1
interface GigabitEthernet0/0/2
eth-trunk 1
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
SW2交换机的配置:
sysname sw2
vlan batch 2 to 3 100
stp mode rstp
interface Vlanif1
ip address 201.1.1.2 255.255.255.0
ospf authentication-mode md5 1 cipher 123456
interface Vlanif2
ip address 172.16.2.254 255.255.255.0
interface Vlanif3
ip address 172.16.3.254 255.255.255.0
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/1
eth-trunk 1
interface GigabitEthernet0/0/2
eth-trunk 1
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
ospf 1 router-id 201.201.201.201
area 0.0.0.0
network 201.1.1.0 0.0.0.255
network 172.16.0.0 0.0.255.255
SW3交换机的配置:
sysname sw3
vlan batch 2 to 3 100
stp mode rstp
interface Ethernet0/0/1
port link-type access
port default vlan 2
interface Ethernet0/0/2
port link-type access
port default vlan 3
interface Ethernet0/0/3
port hybrid pvid vlan 3
port hybrid untagged vlan 3 100
interface Ethernet0/0/4
port hybrid pvid vlan 2
port hybrid untagged vlan 2 100
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
SW4交换机的配置:
sysname sw4
vlan batch 2 to 3 100
stp mode rstp
interface Ethernet0/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 2 to 3 100
interface Ethernet0/0/2
port hybrid pvid vlan 100
port hybrid untagged vlan 2 to 3 100
interface Ethernet0/0/3
interface Ethernet0/0/4
port hybrid pvid vlan 2
port hybrid untagged vlan 2 100
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
成都分支:
路由器R5的配置:
sysname cdfz
acl number 2000
rule 5 permit source 192.168.1.0 0.0.0.255
acl number 2000
rule 5 permit source 192.168.1.0 0.0.0.255
interface GigabitEthernet0/0/0
ip address 200.1.1.2 255.255.255.0
nat server protocol tcp global 200.1.1.3 ftp inside 192.168.1.2 ftp
nat outbound 2000
interface GigabitEthernet0/0/1
ip address 192.168.1.254 255.255.255.0
dhcp select global
ip route-static 0.0.0.0 0.0.0.0 200.1.1.1