- Application background
- Design purpose and significance
Network design for the Science and Engineering teaching building (理工教学楼): every floor gets working network access, the building is connected to the Internet, and Internet connectivity for the building's services is verified.
- Requirements analysis
- User requirements
Complete the network design for the Science and Engineering teaching building: network access on every floor, a connection to the Internet, and attention to network security. Design the network topology, divide the IP address space into segments that match the actual layout, and test the connectivity of the designed topology (every router, switch and host in each area must be able to reach the others). Use a sensible VLAN division and combine it with technologies such as access control lists (ACLs) and NAT.
- Functional requirements
Use a sensible VLAN division, combined with access control lists, NAT and related technologies.
- Overall network design
- Based on the functional analysis
VLAN division, access control lists, NAT, and the OSPF routing protocol.
- Network equipment selection
Device | Model | Quantity
Router | MSR36-20 | 2
Switch | S5820V2-54QS-GE_25 | 9
PC | Personal PC | 13
- Device naming, VLAN planning and naming, IP address planning
Device | Device name
Floor 1 aggregation switch | LG-1-HX
Floor 1 access switch 1 | LG-1-SW1
Floor 1 access switch 2 | LG-1-SW2
Floor 2 aggregation switch | LG-2-HX
Floor 2 access switch 1 | LG-2-SW1
Floor 2 access switch 2 | LG-2-SW2
Floor 3 aggregation switch | LG-3-HX
Floor 3 access switch 1 | LG-3-SW1
Floor 3 access switch 2 | LG-3-SW2
Router | R1
ISP | ISP
Device | VLAN ID / interface | IP address | Notes
LG-1-HX | VLAN 10 | 192.168.10.0/24 |
LG-1-HX | VLAN 20 | 192.168.20.0/24 |
LG-1-HX | VLAN 30 | 192.168.30.0/24 |
LG-2-HX | VLAN 10 | 192.168.40.0/24 |
LG-2-HX | VLAN 20 | 192.168.50.0/24 |
LG-2-HX | VLAN 30 | 192.168.60.0/24 |
LG-3-HX | VLAN 10 | 192.168.70.0/24 |
LG-3-HX | VLAN 20 | 192.168.80.0/24 |
LG-3-HX | VLAN 30 | 192.168.90.0/24 |
R1 | G0/1 | 10.1.1.2/30 | Link to LG-1-HX
R1 | G0/2 | 10.2.2.2/30 | Link to LG-2-HX
R1 | G0/3 | 10.3.3.2/30 | Link to LG-3-HX
LG-1-HX | G1/0/3 | 10.1.1.1/30 | Link to R1
LG-2-HX | G1/0/3 | 10.2.2.1/30 | Link to R1
LG-3-HX | G1/0/3 | 10.3.3.1/30 | Link to R1
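An address plan like the one above is easy to get wrong by hand (a reused subnet, a gateway typed outside its range, one end of a /30 in the wrong block), and such errors surface only as odd connectivity failures later. The following Python script is an added example and not part of the original design: it loads the VLAN subnets, gateways and R1 links from the tables (with the floor-3 aggregation switch named LG-3-HX, as in the configuration section), and checks that every gateway is a usable host address in its subnet, that every VLAN subnet lies inside the range the aggregation switches advertise into OSPF with `network 192.168.0.0 0.0.255.255`, that no two VLAN subnets overlap, and that both ends of each R1 link share one /30. It uses only the standard library.

```python
"""Consistency checks for the VLAN and interconnect address plan.

Added example (not part of the original design): the plan below is copied from
the address tables, with the floor-3 aggregation switch named LG-3-HX as in the
configuration section.
"""
import ipaddress
from typing import Dict, List, Tuple

# (aggregation switch, VLAN ID) -> (subnet, gateway address on the VLAN interface)
VLAN_SUBNETS: Dict[Tuple[str, int], Tuple[str, str]] = {
    ("LG-1-HX", 10): ("192.168.10.0/24", "192.168.10.254"),
    ("LG-1-HX", 20): ("192.168.20.0/24", "192.168.20.254"),
    ("LG-1-HX", 30): ("192.168.30.0/24", "192.168.30.254"),
    ("LG-2-HX", 10): ("192.168.40.0/24", "192.168.40.254"),
    ("LG-2-HX", 20): ("192.168.50.0/24", "192.168.50.254"),
    ("LG-2-HX", 30): ("192.168.60.0/24", "192.168.60.254"),
    ("LG-3-HX", 10): ("192.168.70.0/24", "192.168.70.254"),
    ("LG-3-HX", 20): ("192.168.80.0/24", "192.168.80.254"),
    ("LG-3-HX", 30): ("192.168.90.0/24", "192.168.90.254"),
}

# Point-to-point links: (router, router address, switch, switch address)
LINKS: List[Tuple[str, str, str, str]] = [
    ("R1", "10.1.1.2/30", "LG-1-HX", "10.1.1.1/30"),
    ("R1", "10.2.2.2/30", "LG-2-HX", "10.2.2.1/30"),
    ("R1", "10.3.3.2/30", "LG-3-HX", "10.3.3.1/30"),
]

# 'network 192.168.0.0 0.0.255.255' on every aggregation switch covers this range.
OSPF_LAN_RANGE = ipaddress.ip_network("192.168.0.0/16")


def validate_plan(vlans=VLAN_SUBNETS, links=LINKS) -> List[str]:
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    nets = {}
    for key, (cidr, gw) in vlans.items():
        net = ipaddress.ip_network(cidr)
        gw_ip = ipaddress.ip_address(gw)
        # The gateway must be inside the subnet and not the network/broadcast address.
        if gw_ip not in net or gw_ip in (net.network_address, net.broadcast_address):
            problems.append(f"{key}: gateway {gw} is not a usable host address in {cidr}")
        # A subnet outside the OSPF network statement would never be advertised.
        if not net.subnet_of(OSPF_LAN_RANGE):
            problems.append(f"{key}: {cidr} is outside the OSPF range {OSPF_LAN_RANGE}")
        nets[key] = net

    # Pairwise overlap check across all VLAN subnets.
    keys = list(nets)
    for i, k1 in enumerate(keys):
        for k2 in keys[i + 1:]:
            if nets[k1].overlaps(nets[k2]):
                problems.append(f"{k1} and {k2} overlap: {nets[k1]} / {nets[k2]}")

    # Each R1 link: a /30 with both ends in the same network and distinct addresses.
    for r_name, r_addr, s_name, s_addr in links:
        r = ipaddress.ip_interface(r_addr)
        s = ipaddress.ip_interface(s_addr)
        if r.network.prefixlen != 30:
            problems.append(f"{r_name}-{s_name}: {r.network} is not a /30")
        if r.network != s.network:
            problems.append(f"{r_name} {r_addr} and {s_name} {s_addr} are not in the same subnet")
        elif r.ip == s.ip:
            problems.append(f"{r_name} and {s_name} both use {r.ip}")
    return problems


if __name__ == "__main__":
    issues = validate_plan()
    print("address plan OK" if not issues else "\n".join(issues))
```

Run it after every change to the tables; the design as written passes all checks, and each check reports the offending row by switch and VLAN so the fix is unambiguous.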
- Network topology diagram
- Network equipment layout and interconnection
Floor 1: classroom, classroom; laboratory, office. Floor 2: classroom; laboratory, laboratory, office. Floor 3: classroom, classroom; office, finance. On each floor the classrooms sit in VLAN 10; VLAN 20 holds the laboratories on floors 1 and 2 and the office on floor 3; VLAN 30 holds the offices on floors 1 and 2 and the finance office on floor 3. This is the assignment the access-switch port configuration and the ACL section rely on.
- Network implementation
- Access-layer configuration
On every access switch, GigabitEthernet1/0/1 is the trunk uplink to the floor's aggregation switch and carries all VLANs; the remaining ports are access ports in the VLAN of the room they serve.
LG-1-SW1:
sysname LG-1-SW1
#
vlan 10
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 10
 combo enable fiber
LG-1-SW2:
sysname LG-1-SW2
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 20
 combo enable fiber
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port access vlan 30
 combo enable fiber
LG-2-SW1:
sysname LG-2-SW1
#
vlan 10
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
LG-2-SW2:
sysname LG-2-SW2
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 20
 combo enable fiber
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port access vlan 20
 combo enable fiber
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port access vlan 30
 combo enable fiber
LG-3-SW1:
sysname LG-3-SW1
#
vlan 10
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 10
 combo enable fiber
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port access vlan 10
 combo enable fiber
LG-3-SW2:
sysname LG-3-SW2
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 20
 combo enable fiber
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port access vlan 30
 combo enable fiber
- Aggregation-layer configuration
Each aggregation switch runs OSPF area 0 towards R1, holds the gateway address (.254) of its three VLANs on VLAN interfaces, and applies an inbound packet filter to each VLAN interface. The ACLs 3000 to 3002 referenced here are defined in the ACL section of the network test below.
LG-1-HX:
sysname LG-1-HX
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.3
  network 192.168.0.0 0.0.255.255
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface10
 ip address 192.168.10.254 255.255.255.0
 packet-filter 3000 inbound
#
interface Vlan-interface20
 ip address 192.168.20.254 255.255.255.0
 packet-filter 3001 inbound
#
interface Vlan-interface30
 ip address 192.168.30.254 255.255.255.0
 packet-filter 3002 inbound
#
interface GigabitEthernet1/0/3
 port link-mode route
 combo enable fiber
 ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
LG-2-HX:
sysname LG-2-HX
#
ospf 1
 area 0.0.0.0
  network 10.2.2.0 0.0.0.3
  network 192.168.0.0 0.0.255.255
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface10
 ip address 192.168.40.254 255.255.255.0
 packet-filter 3000 inbound
#
interface Vlan-interface20
 ip address 192.168.50.254 255.255.255.0
 packet-filter 3001 inbound
#
interface Vlan-interface30
 ip address 192.168.60.254 255.255.255.0
 packet-filter 3002 inbound
#
interface GigabitEthernet1/0/3
 port link-mode route
 combo enable fiber
 ip address 10.2.2.1 255.255.255.252
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
LG-3-HX:
sysname LG-3-HX
#
ospf 1
 area 0.0.0.0
  network 10.3.3.0 0.0.0.3
  network 192.168.0.0 0.0.255.255
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface10
 ip address 192.168.70.254 255.255.255.0
 packet-filter 3000 inbound
#
interface Vlan-interface20
 ip address 192.168.80.254 255.255.255.0
 packet-filter 3001 inbound
#
interface Vlan-interface30
 ip address 192.168.90.254 255.255.255.0
#
interface GigabitEthernet1/0/3
 port link-mode route
 combo enable fiber
 ip address 10.3.3.1 255.255.255.252
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
- Core-layer configuration
R1:
#
sysname R1
#
ospf 1
 default-route-advertise always
 import-route static
 area 0.0.0.0
  network 10.1.1.0 0.0.0.3
  network 10.2.2.0 0.0.0.3
  network 10.3.3.0 0.0.0.3
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 10.2.2.2 255.255.255.252
#
interface GigabitEthernet0/2
 port link-mode route
 ip address 10.3.3.2 255.255.255.252
#
Outside (Internet-facing) interface, with outbound NAT controlled by ACL 2000:
interface GigabitEthernet5/0
 port link-mode route
 ip address 200.200.200.1 255.255.255.0
 nat outbound 2000
#
Default static route towards the ISP; import-route static and default-route-advertise always under OSPF push this default route to the aggregation switches:
 ip route-static 0.0.0.0 0 200.200.200.2
#
ACL 2000 selects the traffic to translate. rule 0 permit matches every source, so all internal subnets are translated to the address of GigabitEthernet5/0 when they leave towards the ISP:
acl basic 2000
 rule 0 permit
- Network test
NAT test
Internet access:
From a classroom PC (or any other PC), ping the public address 8.8.8.8 to verify Internet access.
Check the NAT translations on the edge router:
ACL configuration and test
LG-1-HX configuration
Classrooms must not reach offices, laboratories or finance:
acl advanced 3000
 rule 0 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 1 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 2 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
 rule 3 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
 rule 4 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.80.0 0.0.0.255
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
Laboratories must not reach offices or finance:
acl advanced 3001
 rule 1 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 2 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
 rule 3 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.80.0 0.0.0.255
 rule 4 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
Offices must not reach finance:
acl advanced 3002
 rule 1 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
LG-2-HX configuration
Classrooms must not reach offices, laboratories or finance:
acl advanced 3000
 rule 0 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 1 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 2 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
 rule 3 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
 rule 4 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.80.0 0.0.0.255
 rule 5 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
Laboratories must not reach offices or finance:
acl advanced 3001
 rule 1 deny ip source 192.168.50.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 2 deny ip source 192.168.50.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
 rule 3 deny ip source 192.168.50.0 0.0.0.255 destination 192.168.80.0 0.0.0.255
 rule 4 deny ip source 192.168.50.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
Offices must not reach finance:
acl advanced 3002
 rule 1 deny ip source 192.168.60.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
LG-3-HX configuration
Classrooms must not reach offices, laboratories or finance:
acl advanced 3000
 rule 0 deny ip source 192.168.70.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 1 deny ip source 192.168.70.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 2 deny ip source 192.168.70.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
 rule 3 deny ip source 192.168.70.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
 rule 4 deny ip source 192.168.70.0 0.0.0.255 destination 192.168.80.0 0.0.0.255
 rule 5 deny ip source 192.168.70.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
Offices must not reach finance:
acl advanced 3001
 rule 1 deny ip source 192.168.80.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
Test:
Classrooms cannot reach offices, laboratories or finance;
Laboratories cannot reach offices or finance;
Offices cannot reach finance
Connectivity test
Classroom to classroom
Laboratory to laboratory
Office to office
Connectivity between the core switches and the router
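The test matrix above can be evaluated offline before the ACLs are pushed to the switches. The following Python script is an added example and not part of the original design. It models how an advanced ACL bound with `packet-filter ... inbound` evaluates a packet on a Comware switch, under two stated assumptions: rules are matched in ascending rule-ID order with the first match deciding, and a packet that matches no rule is permitted by the packet filter. It loads the three LG-1-HX ACLs verbatim, binds them to the VLAN interfaces as the aggregation configuration does, and runs the classroom, laboratory and office cases for that switch; the host addresses 192.168.x.5 are constructed sample values. It also checks the reverse direction of each flow, which the test list above does not: a stateless filter must pass both request and reply, and with these rules an office host's request to a classroom host is permitted on Vlan-interface30 while the classroom host's reply is dropped by rule 1 of ACL 3000 on Vlan-interface10, so office-initiated sessions to classrooms fail as well. The `wildcard_match` helper uses the same inverse-mask semantics as the `network 192.168.0.0 0.0.255.255` statements under OSPF.

```python
"""Offline model of the inbound packet filters on LG-1-HX.

Added example, not configuration from the original design. Assumptions about
Comware behaviour: rules are matched in ascending rule-ID order, the first
match decides, and a packet matching no rule is permitted by the packet
filter. ACL text is copied from the LG-1-HX section; the host addresses used
in the cases (192.168.x.5) are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# ACL text copied from the LG-1-HX ACL configuration.
ACL_3000 = """
rule 0 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 1 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 2 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
rule 3 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
rule 4 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.80.0 0.0.0.255
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
"""
ACL_3001 = """
rule 1 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 2 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
rule 3 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.80.0 0.0.0.255
rule 4 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
"""
ACL_3002 = "rule 1 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.90.0 0.0.0.255"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Inverse-mask match: a 1 bit in the wildcard means 'don't care'.
    The same semantics apply to 'network 192.168.0.0 0.0.255.255' under OSPF."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_rule(line: str) -> Dict:
    """Parse 'rule <id> <permit|deny> [ip] [source A W] [destination A W]'.
    A missing source or destination means 'any' (as in 'rule 0 permit' of ACL 2000)."""
    tok = line.split()
    rule: Dict = {"id": int(tok[1]), "action": tok[2], "source": None, "destination": None}
    for key in ("source", "destination"):
        if key in tok:
            i = tok.index(key)
            rule[key] = (tok[i + 1], tok[i + 2])
    return rule


def parse_acl(text: str) -> List[Dict]:
    rules = [parse_rule(line) for line in text.strip().splitlines() if line.strip().startswith("rule")]
    return sorted(rules, key=lambda r: r["id"])  # match order = rule-ID order (assumption)


def packet_filter(rules: List[Dict], src: str, dst: str, default: str = "permit") -> Tuple[str, Optional[int]]:
    """Return (action, rule id) of the first matching rule, or (default, None)."""
    for r in rules:
        if r["source"] and not wildcard_match(src, *r["source"]):
            continue
        if r["destination"] and not wildcard_match(dst, *r["destination"]):
            continue
        return r["action"], r["id"]
    return default, None


# 'packet-filter <acl> inbound' bindings on LG-1-HX, keyed by the VLAN interface's subnet.
LG1_HX_INBOUND = {
    ipaddress.ip_network("192.168.10.0/24"): parse_acl(ACL_3000),  # Vlan-interface10, classrooms
    ipaddress.ip_network("192.168.20.0/24"): parse_acl(ACL_3001),  # Vlan-interface20, laboratories
    ipaddress.ip_network("192.168.30.0/24"): parse_acl(ACL_3002),  # Vlan-interface30, offices
}


def lg1_hx_decision(src: str, dst: str) -> str:
    """Decision for a packet from src entering LG-1-HX on the VLAN interface that
    owns src. Traffic sourced from other switches' VLANs is not filtered by LG-1-HX."""
    for net, rules in LG1_HX_INBOUND.items():
        if ipaddress.ip_address(src) in net:
            return packet_filter(rules, src, dst)[0]
    return "permit"


def session_works(client: str, server: str) -> bool:
    """A stateless filter must pass both the request and the reply, so a
    session only works if LG-1-HX permits the flow in both directions."""
    return (lg1_hx_decision(client, server) == "permit"
            and lg1_hx_decision(server, client) == "permit")


if __name__ == "__main__":
    cases = [
        ("192.168.10.5", "192.168.40.5", "classroom -> classroom"),
        ("192.168.10.5", "192.168.30.5", "classroom -> office"),
        ("192.168.20.5", "192.168.90.5", "laboratory -> finance"),
        ("192.168.30.5", "192.168.10.5", "office -> classroom"),
    ]
    for src, dst, label in cases:
        print(f"{label:24s} request: {lg1_hx_decision(src, dst):6s} session: {session_works(src, dst)}")
```

The model covers one switch; a cross-floor flow also passes the inbound filter of the other floor's aggregation switch on its reply path, so the same functions can be instantiated with the LG-2-HX and LG-3-HX ACLs and the two decisions combined.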