项目实战案例:中型公司网络构架改革
不久前作过一个小项目,是某公司发展须要,须要对目前网络进行改革:
1.针对于不一样的部门划分不一样的区域进行网络管理,确保每处区域均可以正常访问公网.
有销售部,财务部,信息安全,高层管理,市场部,服务器区域,2间主讲教室
有销售部,财务部,信息安全,高层管理,市场部,服务器区域,2间主讲教室
2.针对目前公司总体的规范化管理须要进行如下网络限制.
a) 禁止除高层管理办公室之外的全部部门上QQ
b) 教师内只得在天天中午12:30-13:30期间能够访问外网.
a) 禁止除高层管理办公室之外的全部部门上QQ
b) 教师内只得在天天中午12:30-13:30期间能够访问外网.
c) 对服务器区域的全部限制及设定:
!金和OA协同办公系统服务器:容许全部部门人员访问,但只容许信息安所有人员进行
远程管理.金和OA系统采用Windows2003系统,开放3389端口进行远程管理.
!用友U8财务系统,只容许财务部门以及高层管理部门以WEB方式进行访问.
远程管理.金和OA系统采用Windows2003系统,开放3389端口进行远程管理.
!用友U8财务系统,只容许财务部门以及高层管理部门以WEB方式进行访问.
!公司网站服务器.使用LAMP构架方式.容许市场部进行管理,并能够经过ftp方式进行
上传数据或下载数据.其余部门只有WEB访问权限.
上传数据或下载数据.其余部门只有WEB访问权限.
!公司远程教育服务器,只容许主讲教师的教师机以及远程端教室的教师机进行访问.
3.配置DHCP服务器,2间主讲教室中分别是两台教师机使用静态IP地址.
4.创建远程教学系统,三家分中心与公司相连,其中一家分中心还另外链接一处本地大学教室.
根据以上叙述,拓扑图以下:
核心路由器配置以下:
interface e0/0
no ip address
no ip address
lookback 0 (回环)
ipaddress 1.1.1.1 255.255.255.255
ipaddress 1.1.1.1 255.255.255.255
配置dhcp
ip dhcp pool xiaoshou
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 202.106.0.20
lease 2
exit
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool caiwu
network 192.168.15.0 255.255.255.0
default-router 192.168.15.1
dns-server 202.106.0.20
lease 2
exit
network 192.168.15.0 255.255.255.0
default-router 192.168.15.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool xinxi
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 202.106.0.20
lease 2
exit
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool gaoceng
network 192.168.25.0 255.255.255.0
default-router 192.168.25.1
dns-server 202.106.0.20
lease 2
exit
network 192.168.25.0 255.255.255.0
default-router 192.168.25.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool shichang
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 202.106.0.20
lease 2
exit
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool jiaoshi1
network 192.168.35.0 255.255.255.0
default-router 192.168.35.1
dns-server 202.106.0.20
lease 2
exit
network 192.168.35.0 255.255.255.0
default-router 192.168.35.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool jiaoshi2
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 202.106.0.20
lease 2
exit
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 202.106.0.20
lease 2
exit
预留IP地址
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.15.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.25.1
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.35.1 192.168.35.3
ip dhcp excluded-address 192.168.40.1 192.168.40.3
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.15.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.25.1
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.35.1 192.168.35.3
ip dhcp excluded-address 192.168.40.1 192.168.40.3
配置子接口来链接不一样的vlan
interface eth0/0.1
encapsulation dot1Q 100
ip address 192.168.10.1 255.255.255.0
ip access-group xiaoshou in
ip nat inside
exit
interface eth0/0.2
encapsulation dot1Q 200
ip address 192.168.15.1 255.255.255.0
ip access-group caiwu in
ip nat inside
exit
encapsulation dot1Q 200
ip address 192.168.15.1 255.255.255.0
ip access-group caiwu in
ip nat inside
exit
interface eth0/0.3
encapsulation dot1Q 300
ip address 192.168.20.1 255.255.255.0
ip access-group xinxi in
ip nat inside
exit
encapsulation dot1Q 300
ip address 192.168.20.1 255.255.255.0
ip access-group xinxi in
ip nat inside
exit
interface eth0/0.4
encapsulation dot1Q 400
ip address 192.168.25.1 255.255.255.0
ip access-group gaoceng in
ip nat inside
exit
encapsulation dot1Q 400
ip address 192.168.25.1 255.255.255.0
ip access-group gaoceng in
ip nat inside
exit
interface eth0/0.5
encapsulation dot1Q 500
ip address 192.168.30.1 255.255.255.0
ip access-group shichang in
ip nat inside
exit
encapsulation dot1Q 500
ip address 192.168.30.1 255.255.255.0
ip access-group shichang in
ip nat inside
exit
interface eth0/0.6
encapsulation dot1Q 600
ip address 192.168.35.1 255.255.255.0
ip access-group jiaoshi in
ip nat inside
exit
encapsulation dot1Q 600
ip address 192.168.35.1 255.255.255.0
ip access-group jiaoshi in
ip nat inside
exit
interface eth0/0.7
encapsulation dot1Q 700
ip address 192.168.40.1 255.255.255.0
ip access-group jiaoshi in
ip nat inside
exit
encapsulation dot1Q 700
ip address 192.168.40.1 255.255.255.0
ip access-group jiaoshi in
ip nat inside
exit
interface eth0/0.8
encapsulation dot1Q 800
ip address 192.168.45.1 255.255.255.0
ip access-group server in
ip nat inside
exit
encapsulation dot1Q 800
ip address 192.168.45.1 255.255.255.0
ip access-group server in
ip nat inside
exit
interface eth0/0.9
encapsulation dot1Q 900
ip address 192.168.50.1 255.255.255.0
ip nat inside
exit
encapsulation dot1Q 900
ip address 192.168.50.1 255.255.255.0
ip nat inside
exit
interface eth0/0.10
encapsulation dot1Q 1000
ip address 201.241.1.195 255.255.255.224
ip nat outside
exit
encapsulation dot1Q 1000
ip address 201.241.1.195 255.255.255.224
ip nat outside
exit
默认路由
ip route 0.0.0.0 0.0.0.0 201.241.1.193
ip route 0.0.0.0 0.0.0.0 201.241.1.193
配置ospf链路状态的路由协议
router ospf 100
network 192.168.10.0 0.0.0.255 area 0
network 192.168.15.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.25.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.35.0 0.0.0.255 area 0
network 192.168.40.0 0.0.0.255 area 0
network 192.168.45.0 0.0.0.255 area 0
network 192.168.50.0 0.0.0.255 area 0
network 201.241.1.192 0.0.0.31 area 0
router ospf 100
network 192.168.10.0 0.0.0.255 area 0
network 192.168.15.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.25.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.35.0 0.0.0.255 area 0
network 192.168.40.0 0.0.0.255 area 0
network 192.168.45.0 0.0.0.255 area 0
network 192.168.50.0 0.0.0.255 area 0
network 201.241.1.192 0.0.0.31 area 0
动态地址转换
ip nat pool liyang 201.241.1.195 201.241.1.198 netmask 255.255.255.0
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 pool liyang overload
ip nat pool liyang 201.241.1.195 201.241.1.198 netmask 255.255.255.0
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 pool liyang overload
配置ACL 进行安全管理
ip access-list extended caiwu
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000
permit ip any any
ip access-list extended caiwu
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000
permit ip any any
ip access-list extended gaoguan
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
permit ip any any
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
permit ip any any
限制时间
time-range time
periodic daily 12:30 to 13:30
time-range time
periodic daily 12:30 to 13:30
ip access-list extended jiaoshi
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000 (QQ)端口
permit ip any 201.241.1.192 0.0.0.31 time-range time
deny ip any 201.241.1.192 0.0.0.31
permit ip any any
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000 (QQ)端口
permit ip any 201.241.1.192 0.0.0.31 time-range time
deny ip any 201.241.1.192 0.0.0.31
permit ip any any
ip access-list extended server
permit tcp any host 192.168.45.2 eq www
permit tcp 192.168.20.0 0.0.0.255 host 192.168.45.2 eq 3389
permit tcp 192.168.15.0 0.0.0.255 host 192.168.45.3 eq www
permit tcp 192.168.25.0 0.0.0.255 host 192.168.45.3 eq www
permit tcp any host 192.168.45.4 eq www
permit tcp 192.168.30.0 0.0.0.255 host 192.168.45.4 eq ftp
permit tcp 192.168.30.0 0.0.0.255 host 192.168.45.4 eq 22
permit ip host 192.168.35.2 host 192.168.45.5
permit ip host 192.168.35.3 host 192.168.45.5
permit ip host 192.168.40.2 host 192.168.45.5
permit ip host 192.168.40.3 host 192.168.45.5
permit ip host 192.168.1.2 host 192.168.45.5
permit ip host 192.168.2.2 host 192.168.45.5
deny ip any any
permit tcp any host 192.168.45.2 eq www
permit tcp 192.168.20.0 0.0.0.255 host 192.168.45.2 eq 3389
permit tcp 192.168.15.0 0.0.0.255 host 192.168.45.3 eq www
permit tcp 192.168.25.0 0.0.0.255 host 192.168.45.3 eq www
permit tcp any host 192.168.45.4 eq www
permit tcp 192.168.30.0 0.0.0.255 host 192.168.45.4 eq ftp
permit tcp 192.168.30.0 0.0.0.255 host 192.168.45.4 eq 22
permit ip host 192.168.35.2 host 192.168.45.5
permit ip host 192.168.35.3 host 192.168.45.5
permit ip host 192.168.40.2 host 192.168.45.5
permit ip host 192.168.40.3 host 192.168.45.5
permit ip host 192.168.1.2 host 192.168.45.5
permit ip host 192.168.2.2 host 192.168.45.5
deny ip any any
ip access-list extended shichang
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000
permit ip any any
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000
permit ip any any
ip access-list extended xiaoshou
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000
permit ip any any
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000
permit ip any any
ip access-list extended xinxi
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000
permit ip any any
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
deny udp any any eq 8000
permit ip any any
交换机配置
interface Vlan1
no ip address
no ip route-cache
shutdown
no ip address
no ip route-cache
shutdown
划分VLAN
interface FastEthernet0/1
switchport mode trunk
interface FastEthernet0/1
switchport mode trunk
interface FastEthernet0/2
switchport access vlan 100
switchport mode access
spanning-tree portfast
switchport access vlan 100
switchport mode access
spanning-tree portfast
interface FastEthernet0/3
switchport access vlan 200
switchport mode access
spanning-tree portfast
switchport access vlan 200
switchport mode access
spanning-tree portfast
interface FastEthernet0/4
switchport access vlan 300
switchport mode access
spanning-tree portfast
switchport access vlan 300
switchport mode access
spanning-tree portfast
interface FastEthernet0/5
switchport access vlan 400
switchport mode access
spanning-tree portfast
switchport access vlan 400
switchport mode access
spanning-tree portfast
interface FastEthernet0/6
switchport access vlan 500
switchport mode access
spanning-tree portfast
switchport access vlan 500
switchport mode access
spanning-tree portfast
interface FastEthernet0/7
switchport access vlan 600
switchport mode access
spanning-tree portfast
switchport access vlan 600
switchport mode access
spanning-tree portfast
interface FastEthernet0/8
switchport access vlan 700
switchport mode access
spanning-tree portfast
switchport access vlan 700
switchport mode access
spanning-tree portfast
interface FastEthernet0/9
switchport access vlan 800
switchport mode access
spanning-tree portfast
switchport access vlan 800
switchport mode access
spanning-tree portfast
interface FastEthernet0/10
switchport access vlan 900
switchport mode access
spanning-tree portfast
switchport access vlan 900
switchport mode access
spanning-tree portfast
interface FastEthernet0/18
switchport access vlan 1000
switchport mode access
spanning-tree portfast
switchport access vlan 1000
switchport mode access
spanning-tree portfast
interface FastEthernet0/19
switchport access vlan 1000
switchport mode access
spanning-tree portfast
switchport access vlan 1000
switchport mode access
spanning-tree portfast
interface FastEthernet0/22
switchport access vlan 1000
switchport mode access
spanning-tree portfast
switchport access vlan 1000
switchport mode access
spanning-tree portfast
interface FastEthernet0/23
switchport access vlan 1000
switchport mode access
spanning-tree portfast
switchport access vlan 1000
switchport mode access
spanning-tree portfast
4000路由器配置
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip address 2.2.2.2 255.255.255.255
interface Ethernet0
ip address 192.168.50.2 255.255.255.0
ip address 192.168.50.2 255.255.255.0
interface Ethernet1
no ip address
shutdown
no ip address
shutdown
interface Ethernet2
no ip address
shutdown
no ip address
shutdown
interface Ethernet3
no ip address
shutdown
no ip address
shutdown
配置串口
interface Serial0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
interface Serial0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
interface Serial1
ip address 10.1.10.1 255.255.255.0
encapsulation ppp
clock rate 9600
!
interface Serial2
ip address 10.1.20.1 255.255.255.0
encapsulation ppp
ip address 10.1.10.1 255.255.255.0
encapsulation ppp
clock rate 9600
!
interface Serial2
ip address 10.1.20.1 255.255.255.0
encapsulation ppp
interface Serial3
no ip address
shutdown
no ip address
shutdown
router ospf 2
log-adjacency-changes
area 1 virtual-link 3.3.3.3
network 10.1.1.0 0.0.0.255 area 1
network 10.1.10.0 0.0.0.255 area 1
network 10.1.20.0 0.0.0.255 area 1
network 192.168.50.0 0.0.0.255 area 0
log-adjacency-changes
area 1 virtual-link 3.3.3.3
network 10.1.1.0 0.0.0.255 area 1
network 10.1.10.0 0.0.0.255 area 1
network 10.1.20.0 0.0.0.255 area 1
network 192.168.50.0 0.0.0.255 area 0
2500A
interface Loopback0
ip address 4.4.4.4 255.255.255.255
interface Ethernet0
no ip address
shutdown
no ip address
shutdown
interface Serial0
ip address 10.1.1.2 255.255.255.0
encapsulation ppp
clock rate 9600
ip address 10.1.1.2 255.255.255.0
encapsulation ppp
clock rate 9600
interface Serial1
no ip address
shutdown
no ip address
shutdown
router ospf 2
network 10.1.1.0 0.0.0.255 area 1
network 10.1.1.0 0.0.0.255 area 1
2500B
interface Loopback0
ip address 5.5.5.5 255.255.255.255
interface Loopback0
ip address 5.5.5.5 255.255.255.255
interface Ethernet0
no ip address
shutdown
no ip address
shutdown
interface Serial0
ip address 10.1.10.2 255.255.255.0
encapsulation ppp
ip address 10.1.10.2 255.255.255.0
encapsulation ppp
interface Serial1
no ip address
shutdown
no ip address
shutdown
router ospf 3
network 10.1.10.0 0.0.0.255 area 1
network 10.1.10.0 0.0.0.255 area 1
2500C
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface Ethernet0
no ip address
shutdown
no ip address
shutdown
interface Serial0
ip address 10.1.20.2 255.255.255.0
encapsulation ppp
clockrate 9600
ip address 10.1.20.2 255.255.255.0
encapsulation ppp
clockrate 9600
interface Serial1
ip address 10.2.1.1 255.255.255.0
encapsulation ppp
clockrate 9600
ip address 10.2.1.1 255.255.255.0
encapsulation ppp
clockrate 9600
router ospf 8
area 1 virtual-link 2.2.2.2
network 10.1.20.0 0.0.0.255 area 1
network 10.2.1.0 0.0.0.255 area 2
area 1 virtual-link 2.2.2.2
network 10.1.20.0 0.0.0.255 area 1
network 10.2.1.0 0.0.0.255 area 2
2500D
interface Loopback0
ip address 8.8.8.8 255.255.255.255
interface Loopback0
ip address 8.8.8.8 255.255.255.255
interface Ethernet0
ip address dhcp
shutdown
ip address dhcp
shutdown
interface Serial0
ip address 10.2.1.2 255.255.255.0
encapsulation ppp
ip address 10.2.1.2 255.255.255.0
encapsulation ppp
interface Serial1
no ip address
shutdown
no ip address
shutdown
router ospf 9
network 10.2.1.0 0.0.0.255 area 2
network 10.2.1.0 0.0.0.255 area 2
本文出自 “
小_网络工程师” 博客,请务必保留此出处
[url]http://liyang.blog.51cto.com/234627/53008[/url]
相关文章
- 1. 【实验】小型网络WLAN架构实战案例
- 2. 小型公司网络项目
- 3. Tensorflow案例实战-09神经网络模型架构
- 4. [转]项目型公司和产品型公司的决战
- 5. 某公司网络搭建项目实战
- 6. 大型互联网公司项目如何架构
- 7. 中型企业网络构建案例
- 8. 大型公司网络构建
- 9. 公司网络改造
- 10. 第十四期 小型公司网络构架-全网互通
- 更多相关文章...
- • Thymeleaf项目实践 - Thymeleaf 教程
- • 网络体系的构成和类型 - TCP/IP教程
- • Kotlin学习(二)基本类型
- • Docker容器实战(一) - 封神Server端技术
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. eclipse设置粘贴字符串自动转义
- 2. android客户端学习-启动模拟器异常Emulator: failed to initialize HAX: Invalid argument
- 3. android.view.InflateException: class com.jpardogo.listbuddies.lib.views.ListBuddiesLayout问题
- 4. MYSQL8.0数据库恢复 MYSQL8.0ibd数据恢复 MYSQL8.0恢复数据库
- 5. 你本是一个肉体,是什么驱使你前行【1】
- 6. 2018.04.30
- 7. 2018.04.30
- 8. 你本是一个肉体,是什么驱使你前行【3】
- 9. 你本是一个肉体,是什么驱使你前行【2】
- 10. 【资讯】LocalBitcoins达到每周交易比特币的7年低点
欢迎关注本站公众号,获取更多信息
相关文章
- 1. 【实验】小型网络WLAN架构实战案例
- 2. 小型公司网络项目
- 3. Tensorflow案例实战-09神经网络模型架构
- 4. [转]项目型公司和产品型公司的决战
- 5. 某公司网络搭建项目实战
- 6. 大型互联网公司项目如何架构
- 7. 中型企业网络构建案例
- 8. 大型公司网络构建
- 9. 公司网络改造
- 10. 第十四期 小型公司网络构架-全网互通