ABC網(wǎng)絡工程項目實施文檔.docx_第1頁
ABC網(wǎng)絡工程項目實施文檔.docx_第2頁
ABC網(wǎng)絡工程項目實施文檔.docx_第3頁
ABC網(wǎng)絡工程項目實施文檔.docx_第4頁
ABC網(wǎng)絡工程項目實施文檔.docx_第5頁
已閱讀5頁,還剩20頁未讀, 繼續(xù)免費閱讀

下載本文檔

版權說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權,請進行舉報或認領

文檔簡介

ABC網(wǎng)絡工程項目實施文檔網(wǎng)絡拓撲圖IP地址規(guī)劃表VLAN信息規(guī)劃表防火墻端口安全規(guī)劃表設備配置流程步驟Part 1 交換配置1.1 VLAN配置3560-01配置3560- 02配置S-3560-01(config)#VLAN 10S-3560-01(config-vlan)#name OAS-3560-01(config-vlan)#VLAN 20S-3560-01(config-vlan)#name ServerS-3560-02(config)#VLAN 10S-3560-02(config-vlan)#name OAS-3560-02(config-vlan)#VLAN 20S-3560-02(config-vlan)#name Server2950-01配置2950-02配置S-2950-01(config)#VLAN 10S-2950-01(config-vlan)#name OAS-2950-01(config-vlan)#VLAN 20S-2950-01(config-vlan)#name ServerS-2950-02(config)#VLAN 10S-2950-02(config-vlan)#name OAS-2950-02(config-vlan)#VLAN 20S-2950-02(config-vlan)#name Server1.2 STP配置步驟1、配置trunk端口3560-01配置S-3560-01(config)#int range fa0/23-24S-3560-01(config-if-range)#switchport trunk encapsulation dot1qS-3560-01(config-if-range)#switchport mode trunkS-3560-01(config-if-range)#switchport trunk allowed vlan 10,20S-3560-01(config)#int range fa0/1-2S-3560-01(config-if-range)#switchport trunk encapsulation dot1qS-3560-01(config-if-range)#switchport mode trunkS-3560-01(config-if-range)#switchport trunk allowed vlan 10,203560-02配置S-3560-02(config)#int range fa0/23-24S-3560-02(config-if-range)#switchport trunk encapsulation dot1qS-3560-02(config-if-range)#switchport mode trunkS-3560-02(config-if-range)#switchport trunk allowed vlan 10,20S-3560-02(config)#int range fa0/1-2S-3560-02(config-if-range)#switchport trunk encapsulation dot1qS-3560-02(config-if-range)#switchport mode trunkS-3560-02(config-if-range)#switchport trunk allowed vlan 10,202950-1配置S-2950-01(config)#int range fa0/1-2S-2950-01(config-if-range)#switchport mode trunkS-2950-01(config-if-range)#switchport trunk allowed vlan 10,202950-02配置S-2950-02(config)#int range fa0/1-2S-2950-02(config-if-range)#switchport mode trunkS-2950-02(config-if-range)#switchport trunk allowed vlan 10,20步驟2、配置STP生成樹3560-01配置3560-02配置S-3560-01(config)#spanning-tree vlan 10 root primary S-3560-01(config)#spanning-tree vlan 20 root secondaryS-3560-02(config)#spanning-tree vlan 10 root secondaryS-3560-02(config)#spanning-tree vlan 20 root primary1.3 EtherChannel配置3560-01配置3560-02配置創(chuàng)建邏輯接口:S-3560-01(config)#int port-channel 1S-3560-01(config-if)#switchport trunk encapsulation dot1qS-3560-01(config-if)#switchport mode trunkS-3560-01(config-if)#switchport trunk allowed vlan 10,20將邏輯接口與物理接口綁定:S-3560-01(config)#int range fa0/23-24S-3560-01(config-if-range)#channel-protocol lacpS-3560-01(config-if-range)#channel-group 1 mode active邏輯接口流量負載均衡:S-3560-01(config)#port-channel load-balance src-dst-ip創(chuàng)建邏輯接口:S-3560-02(config)#interface port-channel 1 vlan 20 root primaryS-3560-02(config-if)#switchport trunk encapsulation dot1qS-3560-02(config-if)#switchport mode trunkS-3560-02(config-if)#switchport trunk allowed vlan 10,20將邏輯接口與物理接口綁定:S-3560-01(config)#int range fa0/23-24S-3560-01(config-if-range)#channel-protocol lacpS-3560-01(config-if-range)#channel-group 1 mode active邏輯接口流量負載均衡:S-3560-01(config)#port-channel load-balance src-dst-ip1.4 HSRP配置3560-01配置3560-02配置VLAN10、20 地址配置:S-3560-01(config)#int vlan 10S-3560-01(config-if)#ip add 10.0.10.2 255.255.255.0S-3560-01(config-if)#no shutS-3560-01(config-if)#int vlan 20S-3560-01(config-if)#ip add 10.0.20.2 255.255.255.0S-3560-01(config-if)#no shutHSRP浮動地址、優(yōu)先級等信息配置:S-3560-01(config)#int vlan 10S-3560-01(config-if)#standby 10 ip 10.0.10.1S-3560-01(config-if)#standby 10 priority 150S-3560-01(config-if)#standby 10 preemptS-3560-01(config-if)#int vlan 20S-3560-01(config-if)#standby 20 ip 10.0.20.1S-3560-01(config-if)#standby 20 priority 140S-3560-01(config-if)#standby 20 preemptVLAN10、20 地址配置:S-3560-01(config)#int vlan 10S-3560-01(config-if)#ip add 10.0.10.3 255.255.255.0S-3560-01(config-if)#no shutS-3560-01(config-if)#int vlan 20S-3560-01(config-if)#ip add 10.0.20.3 255.255.255.0S-3560-01(config-if)#no shutHSRP浮動地址、優(yōu)先級等信息配置:S-3560-02(config-if)#int vlan 10S-3560-02(config-if)#standby 10 ip 10.0.10.1 S-3560-02(config-if)#standby 10 priority 140S-3560-02(config-if)#standby 10 preemptS-3560-02(config-if)#int vlan 20S-3560-02(config-if)#standby 20 ip 10.0.20.1S-3560-02(config-if)#standby 20 priority 150S-3560-02(config-if)#standby 20 preempt1.5 二層交換配置 2950-01配置2950-02配置S-2950-01(config)#int range fa0/11-12S-2950-01(config-if-range)#switchport mode accessS-2950-01(config-if-range)#switchport access vlan 10S-2950-01(config-if-range)#spanning-tree portfastS-2950-02(config)#int range fa0/11-12S-2950-02(config-if-range)#switchport mode accessS-2950-02(config-if-range)#switchport access vlan 20S-2950-02(config-if-range)#spanning-tree portfast1.6 PC機配置IP并測試網(wǎng)關通暢性能PC1配置PC2配置測試結果1.7 路由配置3560-01配置3560-02配置S-3560-01(config)#ip routingS-3560-02(config)#ip routing1.8 測試Part2 路由器配置Router(config)#hostname ISP-DianXin-2811-01ISP-DianXin-2811-01(config)#ISP-DianXin-2811-01(config)#int fa0/0ISP-DianXin-2811-01(config-if)#ip add 220.0.0.2 255.255.255.248ISP-DianXin-2811-01(config-if)#no shutISP-DianXin-2811-01(config)#int fa0/1ISP-DianXin-2811-01(config-if)#ip add 130.0.0.2 255.255.255.252ISP-DianXin-2811-01(config-if)#no shutISP-DianXin-2811-01(config)#int fa1/0ISP-DianXin-2811-01(config-if)#ip add 121.0.0.1 255.255.255.0ISP-DianXin-2811-01(config-if)#no shutPart3 防火墻配置基礎配置ASA5505-01ASA5505-02設置主機名ciscoasa#conf tciscoasa(config)#hostname HQ-BeiJing-ASA5505-01HQ-BeiJing-ASA5505-01(config)#清除原有VLAN配置HQ-BeiJing-ASA5505-01(config)#int vlan 1HQ-BeiJing-ASA5505-01(config-if)#no nameifHQ-BeiJing-ASA5505-01(config-if)#no security-levelHQ-BeiJing-ASA5505-01(config-if)#no ip addHQ-BeiJing-ASA5505-01(config)#int vlan 2HQ-BeiJing-ASA5505-01(config-if)#no nameifHQ-BeiJing-ASA5505-01(config-if)#no security-levelHQ-BeiJing-ASA5505-01(config-if)#no ip add配置VLAN數(shù)據(jù)HQ-BeiJing-ASA5505-01(config-if)#int vlan 10HQ-BeiJing-ASA5505-01(config-if)#nameif outsideHQ-BeiJing-ASA5505-01(config-if)#security-level 0HQ-BeiJing-ASA5505-01(config-if)#ip add 220.0.0.1 255.255.255.248HQ-BeiJing-ASA5505-01(config-if)#HQ-BeiJing-ASA5505-01(config-if)#int vlan 20HQ-BeiJing-ASA5505-01(config-if)#nameif insideHQ-BeiJing-ASA5505-01(config-if)#security-level 100HQ-BeiJing-ASA5505-01(config-if)#ip add 10.0.0.1 255.255.255.0HQ-BeiJing-ASA5505-01(config-if)#no shutHQ-BeiJing-ASA5505-01(config-if)#HQ-BeiJing-ASA5505-01(config-if)#int vlan 30HQ-BeiJing-ASA5505-01(config-if)#no forward interface vlan 20HQ-BeiJing-ASA5505-01(config-if)#nameif dmzHQ-BeiJing-ASA5505-01(config-if)#security-level 50HQ-BeiJing-ASA5505-01(config-if)#ip add 172.16.10.1 255.255.255.0VLAN與端口綁定HQ-BeiJing-ASA5505-01(config-if)#int eth0/0HQ-BeiJing-ASA5505-01(config-if)#switchport access vlan 10HQ-BeiJing-ASA5505-01(config-if)#int eth0/1HQ-BeiJing-ASA5505-01(config-if)#switchport access vlan 20HQ-BeiJing-ASA5505-01(config-if)#HQ-BeiJing-ASA5505-01(config-if)#int eth0/2HQ-BeiJing-ASA5505-01(config-if)#switchport access vlan 30配置靜態(tài)路由HQ-BeiJing-ASA5505-01(config)#route outside 130.0.0.0 255.255.255.252 220.0.0.2設置主機名ciscoasa#conf tciscoasa(config)#hostname Branch-NanJing-ASA5505-02Branch-NanJing-ASA5505-02 (config)#清除原有VLAN配置Branch-NanJing-ASA5505-02(config)#int vlan 1Branch-NanJing-ASA5505-02(config-if)#no nameifBranch-NanJing-ASA5505-02(config-if)#no security-levelBranch-NanJing-ASA5505-02(config-if)#no ip addBranch-NanJing-ASA5505-02(config)#int vlan 2Branch-NanJing-ASA5505-02(config-if)#no nameifBranch-NanJing-ASA5505-02(config-if)#no security-levelBranch-NanJing-ASA5505-02(config-if)#no ip add配置VLAN數(shù)據(jù)Branch-NanJing-ASA5505-02(config)#int vlan 10Branch-NanJing-ASA5505-02(config-if)#name outsideBranch-NanJing-ASA5505-02(config-if)#security-level 0Branch-NanJing-ASA5505-02(config-if)#ip add 130.0.0.1 255.255.255.252Branch-NanJing-ASA5505-02(config-if)#no shutBranch-NanJing-ASA5505-02(config-if)#Branch-NanJing-ASA5505-02(config-if)#int vlan 20Branch-NanJing-ASA5505-02(config-if)#name insideINFO: Security level for inside set to 100 by default.Branch-NanJing-ASA5505-02(config-if)#security-level 100Branch-NanJing-ASA5505-02(config-if)#ip add 10.0.30.1 255.255.255.0Branch-NanJing-ASA5505-02(config-if)#no shutBranch-NanJing-ASA5505-02(config-if)#VLAN與端口綁定Branch-NanJing-ASA5505-02(config)#int eth0/0Branch-NanJing-ASA5505-02(config-if)#switchport access vlan 10Branch-NanJing-ASA5505-02(config-if)#int eth0/1Branch-NanJing-ASA5505-02(config-if)#switchport access vlan 20配置靜態(tài)路由Branch-NanJing-ASA5505-02(config)#route outside 220.0.0.0 255.255.255.248 130.0.0.2防火墻配置策略配置1、dmz區(qū)web服務器靜態(tài)映射HQ-BeiJing-ASA5505-01(config)#object network 172.16.10.11/32-WebServerHQ-BeiJing-ASA5505-01(config-network-object)#host 172.16.10.11HQ-BeiJing-ASA5505-01(config-network-object)#nat (dmz,outside) static 220.0.0.32、定義ACL訪問控制列表,放行外網(wǎng)進入ASA訪問Web服務器的流量HQ-BeiJing-ASA5505-01(config)#access-list Access-DMZ-Server permit icmp any object 172.16.10.11/32-WebServerHQ-BeiJing-ASA5505-01(config)#access-group Access-DMZ-Server out interface dmz3、定義dmz區(qū)其他服務器的動態(tài)映射HQ-BeiJing-ASA5505-01(config)#object network 172.16.10.0/24-DMZ-ServerHQ-BeiJing-ASA5505-01(config-network-object)#subnet 172.16.10.0 255.255.255.0HQ-BeiJing-ASA5505-01(config-network-object)#nat (dmz,outside) dynamic interface4、定義ACL訪問控制列表,放行外網(wǎng)進入ASA訪問DMZ其他服務器的流量HQ-BeiJing-ASA5505-01(config)#access-list Access-DMZ-Server permit icmp any object 172.16.10.0/24-DMZ-Server說明:access-group和前面一樣,不用再定義5、inside區(qū)內(nèi)網(wǎng)地址IP映射HQ-BeiJing-ASA5505-01(config)#object network 10.0.0.0/24HQ-BeiJing-ASA5505-01(config-network-object)#subnet 10.0.0.0 255.255.255.0HQ-BeiJing-ASA5505-01(config-network-object)#nat (inside,outside) dynamic interface6、3560配置缺省網(wǎng)關S-3560-02(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.17、ASA定義ACL訪問控制列表,放行外網(wǎng)進入ASA訪問inside的流量定義地址對象組:HQ-BeiJing-ASA5505-01(config)#object network 220.0.0.0/29HQ-BeiJing-ASA5505-01(config-network-object)#subnet 220.0.0.0 255.255.255.248HQ-BeiJing-ASA5505-01(config)#object network 10.0.0.0/24HQ-BeiJing-ASA5505-01(config-network-object)#subnet 10.0.0.0 255.255.255.0定義ACL:HQ-BeiJing-ASA5505-01(config)#access-list Outside-Access-Inside permit icmp object 220.0.0.0/29 object 10.0.0.0/24 源IP 目標IP應用ACL:HQ-BeiJing-ASA5505-01(config)#access-group Outside-Access-Inside out interface inside 允許外網(wǎng)IP離開inside端口8、3560配置OSPF,發(fā)布缺省路由3560-01配置3560-02配置S-3560-01(config)#int loopback 0S-3560-01(config-if)#ip add 10.0.0.1 255.255.255.0S-3560-01(config-if)#exitS-3560-01(config)#router ospf 1S-3560-01(config-router)#router-id 10.0.0.1S-3560-01(config-router)#network 10.0.10.0 0.0.0.255 area 0S-3560-01(config-router)#network 10.0.20.0 0.0.0

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預覽,若沒有圖紙預覽就沒有圖紙。
  • 4. 未經(jīng)權益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負責。
  • 6. 下載文件中如有侵權或不適當內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準確性、安全性和完整性, 同時也不承擔用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

評論

0/150

提交評論