Large Enterprise Network Design Simulation Experiment

Background and requirements
Facing increasingly prominent information security problems, the security features demanded of system integration are already quite high. On the basis of preserving the enterprise's existing investment, we provide a brand-new three-tier network architecture, folding the original two-tier network into the aggregation layer. The functions of the new network, and the points to watch in its design, are as follows:
1 The new network must be compatible with the existing network and implement a three-tier architecture;
2 Unified IP address planning;
3 VLANs divided by job function;
4 Access control to protect internal security;
5 NAT translation, plus fixed public-IP mappings for the WEB and FTP servers;
6 VPN access design for remote networks;
7 Network security protection, such as protection against worms and DoS attacks.

Equipment
Ruijie S-S2126S: 2 units
Ruijie RG-S3550-24: 1 unit
Ruijie RG-S3760-24: 1 unit
Ruijie RG-R1700 Server: 1 unit

Layer roles
Core layer: Ruijie RG-S3760-24
Aggregation layer: Ruijie RG-S3550-24
Access layer: Ruijie S-S2126S
Egress router: Ruijie RG-R1700 Server

5.1 IP address planning
In this experiment the internal network uses NAT. Towards the outside we use a single egress address, 210.10.18.1 (255.255.255.0). Aggregation layer to core layer uses 192.168.5.2/24; access layer to aggregation layer, and users to the access layer, are assigned as needed. In total the experiment uses four networks, each belonging to a different VLAN: 192.168.4.1/24, 192.168.3.1/24, 192.168.2.1/24 and 192.168.1.1/24.

5.2 VLAN configuration
VLAN configuration on the first S2126S:
hostname A                              / name the switch
vlan 1                                  / create the VLAN
 name vlan1
vlan 2
 name vlan2
int range fastethernet 0/13-24          / enter the ports to be placed in the VLAN
 switchport access vlan 2               / assign the ports to VLAN 2
interface vlan 1
 ip address 192.168.1.1 255.255.255.0   / set the segment address (/24 per the IP plan in 5.1)
interface vlan 2
 ip address 192.168.2.1 255.255.255.0
end

VLAN configuration on the second S2126S:
hostname B                              / as above
vlan 3                                  / as above
 name vlan3
vlan 4
 name vlan4
int range fastethernet 0/2-12           / as above
 switchport access vlan 3               / as above
int range fastethernet 0/13-24          / as above
 switchport access vlan 4               / as above
interface vlan 3
 ip address 192.168.3.1 255.255.255.0
interface vlan 4
 ip address 192.168.4.1 255.255.255.0

Note that the SVI addresses 192.168.1.1 through 192.168.4.1 configured on the two access switches are the same addresses the S3550 uses as the VLAN gateways below.

VLAN configuration on the S3550
Console transcript (logged 2006-12-16; the interleaved 5-CONFIG syslog lines are omitted):
l3switch(config)#int f0/1                               / enter the port
l3switch(config-if)#switchport mode trunk               / set trunk mode
l3switch(config-if)#switchport trunk allowed vlan all   / allow all VLANs on the trunk
l3switch(config-if)#exit
l3switch(config)#int f0/2                               / enter the port (same trunk settings)
l3switch(config-if)#end
l3switch#show vlan

Resulting configuration:
hostname S3550
vlan 1
vlan 2
 name vlan2
vlan 3
 name vlan3
vlan 4
 name vlan4
interface FastEthernet 0/1
 switchport mode trunk
interface FastEthernet 0/2
 switchport mode trunk                  / carries all VLANs, as the show vlan output in 6.2 confirms
interface FastEthernet 0/3
 no switchport                          / make this a Layer 3 routed port
 ip address 192.168.5.2 255.255.255.0
interface Vlan 1                        / VLAN gateway addresses
 ip address 192.168.1.1 255.255.255.0
interface Vlan 2
 ip address 192.168.2.1 255.255.255.0
interface Vlan 3
 ip address 192.168.3.1 255.255.255.0
interface Vlan 4
 ip address 192.168.4.1 255.255.255.0
router ospf                             / enable the OSPF routing protocol
 network 192.168.1.0 255.255.255.0 area 0.0.0.4
 network 192.168.2.0 255.255.255.0 area 0.0.0.4
 network 192.168.3.0 255.255.255.0 area 0.0.0.4
 network 192.168.4.0 255.255.255.0 area 0.0.0.4
 network 192.168.5.0 255.255.255.0 area 0.0.0.4

5.3 NAT translation and routing configuration
Basic configuration of R1700A:
hostname R1700A
interface fa1/0
 ip address 192.168.6.1 255.255.255.0   / set the interface address (the running config shown in 6.1 has 192.168.5.1 here, the segment facing the S3550's f0/3)
 ip nat inside                          / NAT inside interface
 no shutdown
interface fa1/1
 ip address 210.10.18.1 255.255.255.0   / as above
 ip nat outside                         / NAT outside interface

Routing protocol configuration:
ip routing                              / enable routing
router ospf
 network 192.168.6.0 0.0.0.255 area 4   / area 4 is the same area ID as 0.0.0.4 on the S3550
 network 210.10.18.0 0.0.0.255 area 0

NAT configuration:
ip nat pool net20 210.10.18.1 210.10.18.1 netmask 255.255.255.0 type rotary
ip nat pool net30 210.10.18.2 210.10.18.2 netmask 255.255.255.0 type rotary
ip nat inside source list 1 pool net20
ip nat inside source list 2 pool net30
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 2 permit 192.168.6.0 0.0.0.255

Policy routing configuration:
access-list 101 permit tcp any gt 1024 any eq www   / access control list (the protocol keyword tcp is required, as in the 6.1 test)
access-list 101 permit tcp any gt 1024 any eq ftp
route-map pmap permit 10
 match ip address 101
 set default interface fa1/0
ip policy route-map pmap                / applied under the interface on which the matched traffic arrives

5.4 ACL access control configuration
ACL implementation: the 192.168.4.0 network is the finance department and the 192.168.1.0 network is the shareholders.
Rules to implement: forbid other segments from accessing the finance department; allow the shareholder segment to access the finance department.
Commands, on the S3550:
# define the access control list
ip access-list standard deny-4
 deny 192.168.4.0 0.0.0.255
 permit any
# apply it on the SVI interfaces
int vlan 2
 ip access-group deny-4 in
int vlan 3
 ip access-group deny-4 in
A standard ACL matches on the source address only, so deny-4 matches packets entering the Vlan 2 and Vlan 3 SVIs whose source lies in 192.168.4.0/24.

5.5 VPN configuration
Since the experiment does not require it, this is not configured for now.

5.6 Security configuration
Security controls implemented on the S3550:
int f0/3
 storm-control broadcast                / protect against broadcast storms
 storm-control unicast                  / protect against unknown-unicast storms
 storm-control multicast                / protect against multicast storms
 storm-control level 20                 / set the threshold level

6.1 Basic routing tests
Version test:
version 8.4 (building 15)
IP address configuration test:
interface FastEthernet 1/0
 ip nat inside
 ip address 192.168.5.1 255.255.255.0
 duplex auto
 speed auto
interface FastEthernet 1/1
 ip nat outside
 ip address 210.10.18.1 255.255.255.0
OSPF protocol test:
 network 210.10.18.0 0.0.0.255 area 0.0.0.0
 network 192.168.5.0 0.0.0.255 area 0.0.0.4
access-list test:
access-list 101 permit tcp any gt 1024 any eq www
access-list 101 permit tcp any gt 1024 any eq ftp
Policy routing test:
R1700A(config)#show route-map pmap
route-map pmap, permit, sequence 10
  Match clauses:
    ip address 101
  Set clauses:
    default interface FastEthernet 1/0
  Policy routing matches: 0 packets, 0 bytes
Test from the internal network to the external network:
C:\Documents and Settings\Administrator>ping 210.10.18.1
Pinging 210.10.18.1 with 32 bytes of data:
Reply from 210.10.18.1: bytes=32 time<1ms TTL=62

6.2 VLAN verification
VLAN verification on the first S2126S:
VLAN Name   Status   Ports
1    vlan1  active   Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12
2    vlan2  active   Fa0/1, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24
VLAN verification on the second S2126S:
VLAN Name   Status   Ports
1    vlan3  active   Fa0/1, Fa0/2, Fa0/3
2    vlan4  active   Fa0/1, Fa0/13, Fa0/14
VLAN verification on the S3550:
S3550#show vlan
VLAN Name   Status   Ports
1    vlan1  active   Fa0/1, Fa0/2, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24
2    vlan2  active   Fa0/1, Fa0/2
3    vlan3  active   Fa0/1, Fa0/2
4    vlan4  active   Fa0/1, Fa0/2

6.3 NAT verification
The NAT translation result shows:
ip nat inside source list 1 pool net20

6.4 ACL access control verification
ACL verification: test from the host with IP 192.168.1.2:
ping 192.168.4.2
Pinging 192.168.4.2 with 32 bytes of data:
Reply from 192.168.4.2: bytes=32 time=1ms TTL=127
Reply from 192.168.4.2: bytes=32 time<1ms TTL=127
Ping statistics for 192.168.4.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
Test from the host with IP 192.168.2.3:
Request timed out.
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

6.5 VPN verification
Because of on-site constraints, and because the experiment does not require it, we leave verification aside for now.

6.7 Conclusions
1 This experiment let us experience the speed demanded when configuring under time pressure, and further improved our teamwork.
2 This experiment greatly improved our ability to configure the devices and to demonstrate on site.
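The NAT source lists from 5.3, the policy-routing list 101 and the deny-4 list from 5.4, worked through as an added example that is not part of the original report: a small Python evaluator with wildcard-mask matching, first-match semantics and the implicit deny, run against the addresses used in the 6.4 tests. The ACL entries are transcribed from the page; the packet descriptions and the port numbers for www and ftp are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit means 'don't care', so 0.0.0.255 covers a /24."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF & ~w
    return (a & care) == (b & care)
@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"          # "any" is 0.0.0.0 with wildcard 255.255.255.255
    dst_wc: str = "255.255.255.255"
    proto: str = "ip"             # "ip" matches every protocol
    src_gt: Optional[int] = None  # "gt 1024" on the source port
    dst_eq: Optional[int] = None  # "eq www" / "eq ftp" on the destination port
def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for e in acl:
        if e.proto != "ip" and pkt.get("proto") != e.proto:
            continue
        if not (wildcard_match(pkt["src"], e.src, e.src_wc)
                and wildcard_match(pkt["dst"], e.dst, e.dst_wc)):
            continue
        if e.src_gt is not None and not pkt.get("sport", 0) > e.src_gt:
            continue
        if e.dst_eq is not None and pkt.get("dport") != e.dst_eq:
            continue
        return e.action
    return "deny"
ANY = ("0.0.0.0", "255.255.255.255")
# The lists from 5.3 and 5.4, transcribed entry by entry (constructed ports: www = 80, ftp = 21).
ACL_1 = [Entry("permit", "192.168.5.0", "0.0.0.255")]              # -> pool net20
ACL_2 = [Entry("permit", "192.168.6.0", "0.0.0.255")]              # -> pool net30
ACL_101 = [Entry("permit", *ANY, *ANY, "tcp", 1024, 80),            # gt 1024 -> eq www
           Entry("permit", *ANY, *ANY, "tcp", 1024, 21)]            # gt 1024 -> eq ftp
DENY_4 = [Entry("deny", "192.168.4.0", "0.0.0.255"), Entry("permit", *ANY)]
def nat_pool_for(src: str) -> Optional[str]:
    """Which 'ip nat inside source list N pool ...' statement claims this source."""
    for acl, pool in ((ACL_1, "net20"), (ACL_2, "net30")):
        if evaluate(acl, {"src": src, "dst": "0.0.0.0"}) == "permit":
            return pool
    return None  # a source neither list permits is forwarded without translation
def policy_routed(pkt: dict) -> bool:
    """route-map pmap (match ip address 101) only acts on flows that 101 permits."""
    return evaluate(ACL_101, pkt) == "permit"
```

Running nat_pool_for against a VLAN 1 host address shows that only the 192.168.5.0/24 and 192.168.6.0/24 sources are selected by the two NAT statements as written.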