网络介绍
网络为小型公司拓扑,特点为异地办公少,上网人数人,成本要求低等等。本拓扑使用自反ACL加单臂路由,完成网络需求的大多部分。通过自反ACL禁止了外网访问内部网络的地址,和禁止了其他部门访问财务部和研发部的保密要求。在核心路由器设置了dhcp为本公司上网设备提供ip,路由器的子端口作为vlan的网关。缺乏冗余是本网络缺点之一也是最大的问题,后期网络质量要求高是可在二层交换机与路由器连接直接用链路聚合技术。
网络地址分配
vlan |
部门名称 |
分配地址 |
保留地址 |
gateway |
10 |
销售部 |
192.168.10.0 |
1-20 |
192.168.10.1 |
20 |
售后部 |
192.168.20.0 |
1-20 |
192.168.20.1 |
30 |
研发部 |
192.168.30.0 |
1-20 |
192.168.30.1 |
40 |
财务部 |
192.168.40.0 |
1-20 |
192.168.40.1 |
设备配置
switch1
Building configuration...
Current configuration : 3325 bytes
!
! Last configuration change at 00:53:42 UTC Fri Mar 17 2023
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q //这个要配不然配不了trunk
switchport mode trunk
negotiation auto
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
negotiation auto
!
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
negotiation auto
!
interface GigabitEthernet0/3
switchport access vlan 10
switchport mode access
negotiation auto
!
interface GigabitEthernet1/0
switchport access vlan 20
switchport mode access
negotiation auto
!
interface GigabitEthernet1/1
switchport access vlan 20
switchport mode access
negotiation auto
!
interface GigabitEthernet1/2
switchport access vlan 20
switchport mode access
negotiation auto
!
interface GigabitEthernet1/3
negotiation auto
!
interface Vlan10
no ip address
ip helper-address 192.168.10.1 //ip中继,地址为dhcp
!
interface Vlan20
no ip address
ip helper-address 192.168.20.1 //ip中继,地址为dhcp
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
!
control-plane
!
banner exec ^CC
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner incoming ^CC
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner login ^CC
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
!
line con 0
line aux 0
line vty 0 4
login
!
!
end switch2
Building configuration...
Current configuration : 3325 bytes
!
! Last configuration change at 00:54:14 UTC Fri Mar 17 2023
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q //这个要配不然配不了trunk
switchport mode trunk
negotiation auto
!
interface GigabitEthernet0/1
switchport access vlan 30
switchport mode access
negotiation auto
!
interface GigabitEthernet0/2
switchport access vlan 30
switchport mode access
negotiation auto
!
interface GigabitEthernet0/3
switchport access vlan 30
switchport mode access
negotiation auto
!
interface GigabitEthernet1/0
switchport access vlan 40
switchport mode access
negotiation auto
!
interface GigabitEthernet1/1
switchport access vlan 40
switchport mode access
negotiation auto
!
interface GigabitEthernet1/2
switchport access vlan 40
switchport mode access
negotiation auto
!
interface GigabitEthernet1/3
negotiation auto
!
interface Vlan30
no ip address
ip helper-address 192.168.30.1 //ip中继,地址为dhcp
!
interface Vlan40
no ip address
ip helper-address 192.168.40.1 //ip中继,地址为dhcp
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
!
control-plane
!
banner exec ^CC
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner incoming ^CC
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner login ^CC
IOSv - Cisco Systems Confidential -
Supplemental End User License Restrictions
This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.
By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
!
line con 0
line aux 0
line vty 0 4
login
!
!
end VIOS1
Building configuration...
Current configuration : 4673 bytes
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.20 //dhcpz中排除特点的ip
ip dhcp excluded-address 192.168.20.1 192.168.20.20
ip dhcp excluded-address 192.168.30.1 192.168.30.20
ip dhcp excluded-address 192.168.40.1 192.168.40.20
!
ip dhcp pool vlan 10 //dhcp设置,其他有的设置可以在vlan与10之间空格,有的不可以vlan 10是名称
network 192.168.10.0 255.255.255.0 #工作的网段
default-router 192.168.10.1 #工作网段的网关
dns-server 200.0.0.20 #设置dns服务器地址
!
ip dhcp pool vlan 20 #下同
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 200.0.0.20
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 200.0.0.20
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 200.0.0.20
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0 #这里要配no sh,不然接口无法生效
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 10 #这是封装协议,后面的10 是vlan10的意思
ip address 192.168.10.1 255.255.255.0
ip nat inside #这是nat服务配置端口,说明这是进入的端口,就是从内网进入路由器的端口
ip virtual-reassembly in #ip分片技术,cisco特有,无需配置
!
interface GigabitEthernet0/0.2 #下同
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip access-group aclint in #这是自反acl定义生效的时间,进站前生效,
ip access-group aclout out#这是定义在出站是生效
解释内容:
在acl规则中,范围进站前生效,和出站前生效,其中标准acl在0-99和1300~ 1999之间,只能在进站前生效,
扩展acl在100~199或2000~2699生效,还有就是命名acl,自反acl属于命名acl(不知道我说的对不对),
但他和同方向的acl规则只能生效一种,后面覆盖前面。
其中的进站和出站就是把设备理解为一个车站,进站即数据到达路由器时进入端口的时候,给不给他进来从这个端口进来
出站就是数据来到这个端口准备出去,给不给他从这个端口出去。
nat服务中的inside和outside相同
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip access-group aclint in #同上
ip access-group aclout out
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/2
ip address 100.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat pool pan 100.0.0.1 100.0.0.2 netmask 255.255.255.0 #这是nat服务设置,100.0.0.1 100.0.0.2是分配的地址,
第一个地址是开始,第二个是结束,pan是nat服务的名称
ip nat inside source list 1 pool pan #这是进一步定义了nat服务的范围,即符合list 1规则才会进行ip转换。
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 #这是静态路由中的默认路由,g0/2可以用ip代替也可以用端口
!
ip access-list extended aclint #这里就是自反acl,aclint是名称
permit ip any any reflect aclint-aclout timeout 300 #允许一切的ip访问,并反映给aclint-aclout,aclint-aclout
更新一个中转名称,生效时间为300s。其他ip是允许的协议可以更改,permit也可以是拒绝,但暂时没有想到有什么用
any是代表任意地址,可以用ip加反码代替
ip access-list extended aclint2 #同上
evaluate aclout2-aclint2 #根据aclout2-aclint2生成允许条例即临时acl,临时acl生效时间由对应reflect定义默认是300s
ip access-list extended aclout#同上
evaluate aclint-aclout
ip access-list extended aclout2
permit ip any any reflect aclout2-aclint2 timeout 300
!
ipv6 ioam timestamp
!
!
access-list 1 permit any
!
control-plane
!
banner exec ^CC
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^CC
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^CC
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end VIOS2
Building configuration...
Current configuration : 2933 bytes
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 200.0.0.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 100.0.0.4 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 #同上
!
ipv6 ioam timestamp
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end 服务器集群
服务器由windows server 2012提供服务具体配置可在百度上本文章不做具体介绍。
win
由一台winxp系统模拟,充当真实机,用来访问网站和ftp,查看具体效果,可以不用配置。
具体效果
自反acl
售后部访问研发部
研发部访问售后部
注:
由于路由器开机时间比pc开机时间长,而pc默认只有dhcp一条命令,所以一般最开始pc都是无ip需要手动获取,现实真发生的可能低。
pc3报的是不可达,配置此拓扑的朋友需要仔细看一下,因为很多人下意识看很长,那就是ping通了,其实不是,他报的是不可达。
外网ping win和win ping Windows server
虽然我布设了nat技术,但如果没有自反acl的话还是能ping的通的
小提示:
每次配置完记得保存。
eve的startup-config要选择exported,作用就是,每次wide之后都把你导出的配置再次导进去,但要再次写入设备,不然开机就没有了。
服务器设备能不还原就不还原,我暂时还没发现可以保存服务器是配置的选择。
需要已经配置完成的拓扑,请点击下面链接,创作不易!!!!文章来源:https://www.toymoban.com/news/detail-762333.html
https://download.csdn.net/download/weixin_44732231/87587943?spm=1001.2014.3001.5503文章来源地址https://www.toymoban.com/news/detail-762333.html
到了这里,关于小型公司网络拓扑的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!
