BG2Q10101O班系統(tǒng)集成爭霸賽.doc

基于公司目前的現(xiàn)狀，我們從以下四方面來實(shí)施此工程：第一方面：是物理的連通性第二方面：系統(tǒng)的集成性第三方面：網(wǎng)絡(luò)服務(wù)的集成性第四方面：網(wǎng)絡(luò)安全的集性首先是物理的連通性鑒于網(wǎng)線的表示，我們使用測線儀側(cè)線【將客戶機(jī)的線纜拔出，插在側(cè)線儀器基座上，然后到交換機(jī)設(shè)備觀察對應(yīng)接口，然后重新給設(shè)備打上標(biāo)簽】其次系統(tǒng)的集成性，基于公司的員工數(shù)量，我們采用域環(huán)境管理模式，系統(tǒng)采用windows-server-2008 企業(yè)版，其目的是將公司網(wǎng)絡(luò)中的多臺計(jì)算機(jī)邏輯上組織到一起，進(jìn)行集中管理，其優(yōu)點(diǎn)：1.集中管理 2.便捷的網(wǎng)絡(luò)資源訪問，3.可擴(kuò)展性。系統(tǒng)方面，我們選用了兩臺IBM公司的服務(wù)器，系統(tǒng)采用windows-server-2008企業(yè)版。流量的監(jiān)控服務(wù)器采用華為的服務(wù)器，系統(tǒng)為windows-server-2003企業(yè)版，客戶機(jī)系統(tǒng)為windows-xp再次是網(wǎng)絡(luò)服務(wù)的集成性，兩臺IBM公司的服務(wù)器，一臺部署活動(dòng)目錄，域名為21，并添加DNS和DHCP服務(wù)角色，配置成DNS和DHCP服務(wù)器；另一臺搭建web，F(xiàn)TP服務(wù)器；在華為華為的服務(wù)上安裝whats up監(jiān)控器最后是網(wǎng)絡(luò)安全的集成，基于公司的網(wǎng)絡(luò)拓?fù)淙缦拢浩鋵?shí)施步驟：【1】 使用單臂路由首先實(shí)現(xiàn)局域網(wǎng)的互通和不同vlan之間的通信，【2】 通過基于子端口的nat地址轉(zhuǎn)換，實(shí)現(xiàn)域內(nèi)的用戶都能訪問Internet【3】 配置擴(kuò)展的ACL訪問控制列表，限制不同部門之間的通信，來提高公司內(nèi)部的安全性【4】 配置標(biāo)準(zhǔn)的ACL VTY控制列表，用于增加網(wǎng)絡(luò)的安全性根據(jù)公司的配置要求我們具體的配置要點(diǎn)和截圖如下：1. 將客戶家加入域，并創(chuàng)建相應(yīng)的ou，并將用戶加入相應(yīng)的ou，并給ou設(shè)置策略，使ou中的用戶受到限制，起到統(tǒng)一管理的作用【統(tǒng)一桌面，登陸時(shí)有標(biāo)題和消息文本出現(xiàn)，ie主頁面不能更改，隱藏客戶機(jī)的c:盤，統(tǒng)一分發(fā)軟件，用windows系統(tǒng)自帶的備份工具來備份系統(tǒng)狀態(tài)】將用戶加入到相應(yīng)的ou中用戶的統(tǒng)一桌面用戶交互式登錄顯示的消息標(biāo)題用戶交互式登錄顯示的消息文本默認(rèn)ie主頁表不能更改2.安裝配置DNS和DHCP服務(wù)器，并驗(yàn)證效果DHCP服務(wù)器獲到的地址2. 安裝配置FTP服務(wù)器，并給相應(yīng)的用戶上傳下載的權(quán)限【manager有下載的權(quán)限】；配置網(wǎng)絡(luò)監(jiān)控流量服務(wù)器【首先安裝SNMP服務(wù)角色，然后啟動(dòng)該服務(wù)，最后添加SNMP服務(wù)的身份驗(yàn)證為public，接受來自Internet的所偶訪問，最最后就可以配置要監(jiān)控的服務(wù)，協(xié)議，網(wǎng)段和流量參數(shù)】3.系統(tǒng)完成以后為公司連接公司的網(wǎng)站數(shù)據(jù)庫【啟用超級用戶的登陸，設(shè)置密碼和web服務(wù)器的主機(jī)地址，掛在公司的數(shù)據(jù)庫文件到web服務(wù)器上】3. 網(wǎng)絡(luò)安全的集成配置具體思路是：【1】在交換機(jī)上按照部門創(chuàng)建相應(yīng)的vlan，并部門的客戶機(jī)連接的交換機(jī)端口，按照部門加入到相應(yīng)的vlan中，人事部屬于vlan2 ，ip/24 網(wǎng)段；系統(tǒng)集成部屬于vlan3，ip/24網(wǎng)段；市場部屬于vlan4，ip網(wǎng)段/24；客服部屬于vlan5，ip網(wǎng)段/24；財(cái)務(wù)部屬于vlan6，ip網(wǎng)段/24；銷售部屬于vlan7，ip網(wǎng)段/24【2】在路由器上通過no ip address 在段口上創(chuàng)建部門對應(yīng)的子端口，在子端口上配置部門相應(yīng)的電腦網(wǎng)關(guān)地址，人事部為e0/0.2，網(wǎng)關(guān)：/24;系統(tǒng)集成部為e0/0.3，網(wǎng)關(guān)：/24;市場部位e0/1.4，網(wǎng)關(guān)：/24;客服部位e0/1.5，網(wǎng)關(guān)：/24;財(cái)務(wù)部位e0/2.6，網(wǎng)關(guān)：/24；銷售部為e0/2.7，網(wǎng)關(guān)：/24?！?】這樣就實(shí)現(xiàn)了局域網(wǎng)的連通，然后用基于子端口的nat地址轉(zhuǎn)換，實(shí)現(xiàn)外網(wǎng)的連通，然后用ACL訪問控制列表，限制各個(gè)部門之間的通信,限制用戶不能訪問路由交換設(shè)備。具體配置如下：VLAN的劃分機(jī)房部Ip 網(wǎng) 段網(wǎng) 關(guān)Vlan 子端口00Vlan1E0/0.2人事部Vlan 1E0/0.2系統(tǒng)集成部Vlan 2E0/0.3市場部Vlan 3E0/1.4客服部Vlan 4E0/1.5財(cái)務(wù)部Vlan 5E0/2.6銷售部Vlan 6E0/2.7交換機(jī)1的配置hostname s1boot-start-markerboot-end-markerno aaa new-modelmemory-size iomem 5no ip routinginterface FastEthernet0/1switchport access vlan 2interface FastEthernet0/2switchport access vlan 3interface FastEthernet0/14interface FastEthernet0/15switchport mode trunkinterface Vlan1no ip addressno ip route-cacheip http servercontrol-planecontrol-planeline con 0 exec-timeout 0 0 logging synchronousline aux 0line vty 0 4end交換機(jī)二的配置hostname s2boot-start-markerboot-end-markerno aaa new-modelmemory-size iomem 5no ip routingno ip cefno ip domain lookupinterface FastEthernet0/1switchport access vlan 4interface FastEthernet0/2switchport access vlan 5interface FastEthernet0/15switchport mode trunkinterface Vlan1no ip addressno ip route-cacheip http serverline con 0exec-timeout 0 0logging synchronousline aux 0line vty 0 4交換機(jī)三的配置hostname s3boot-start-markerboot-end-markerno aaa new-modelmemory-size iomem 5no ip routingno ip domain lookupinterface FastEthernet0/1switchport access vlan 6interface FastEthernet0/2switchport access vlan 7interface FastEthernet0/15switchport mode trunkinterface Vlan1no ip addressno ip route-cacheip http serverline con 0 exec-timeout 0 0 logging synchronousline aux 0line vty 0 4endTPlink路由器的配置hostname TPlinkboot-start-markerboot-end-markerenable secret 5 $1$LsbK$ZzMj/2VsSgkPstdrZ.LxC1no aaa new-modelmemory-size iomem 5ip cefno ip domain lookupinterface Ethernet0/0description managerbandwidth 40000no ip addressfull-duplexinterface Ethernet0/0.2encapsulation dot1Q 2ip address ip access-group 100 inip nat insideip virtual-reassemblyinterface Ethernet0/0.3encapsulation dot1Q 3ip address ip access-group 101 inip nat insideip virtual-reassemblyinterface Ethernet0/1description caiwububandwidth 30000no ip addressfull-duplexinterface Ethernet0/1.4encapsulation dot1Q 4ip address ip access-group 102 inip nat insideip virtual-reassemblyinterface Ethernet0/1.5encapsulation dot1Q 5ip address ip access-group 103 inip nat insideip virtual-reassemblyinterface Ethernet0/2description shichangbubandwidth 20000no ip addressfull-duplexinterface Ethernet0/2.6encapsulation dot1Q 6ip address ip access-group 104 inip nat insideip virtual-reassemblyinterface Ethernet0/2.7encapsulation dot1Q 7ip address ip access-group 105 inip nat insideip virtual-reassembly配置外網(wǎng)的ip地址interface Ethernet0/3ip address 52ip nat outsideip virtual-reassemblyfull-duplexexit單臂路由實(shí)現(xiàn)網(wǎng)絡(luò)的互通interface Ethernet0/0.2encapsulation dot1Q 2ip address ip access-group 100 inip nat insideip virtual-reassemblyinterface Ethernet0/0.3encapsulation dot1Q 3ip address ip access-group 101 inip nat insideip virtual-reassemblyinterface Ethernet0/1description caiwububandwidth 30000no ip addressfull-duplexinterface Ethernet0/1.4encapsulation dot1Q 4ip address ip access-group 102 inip nat insideip virtual-reassemblyinterface Ethernet0/1.5encapsulation dot1Q 5ip address ip access-group 103 inip nat insideip virtual-reassemblyinterface Ethernet0/2description shichangbubandwidth 20000no ip addressfull-duplexinterface Ethernet0/2.6encapsulation dot1Q 6ip address ip access-group 104 inip nat insideip virtual-reassemblyinterface Ethernet0/2.7encapsulation dot1Q 7ip address ip access-group 105 inip nat insideip virtual-reassembly配置外網(wǎng)的ip地址interface Ethernet0/3ip address 52 ip nat outsideip virtual-reassemblyfull-duplexip http server通過基于子斷口的NAt轉(zhuǎn)換地址ip nat inside source list 1 int e0/3 overloadint e0/0.2ip nat insideexitint e0/3ip natip nat ouip nat outsideexitaccess-list 2 permit 55ip nat inside source list 2 int e0/3 overloadint e0/0.3ip nat insideexitint e0/3ip nat outsideexitaccess-list 3 permit 55ip nat inside source list 3 int e0/3 overloadint e0/1.4ip nat insideexitint e0/3ip nat outsideexitaccess-list 4 permit 55ip nat inside source list 4 int e0/3 overloadint e0/1.5ip nat insideexitint e0/3ip nat outsideexitaccess-list 5 permit 55ip nat inside source list 5 int e0/3 overloadint e0/2.6ip nat insideexitint e0/3ip nat outsideexitaccess-list 6 permit 55ip nat inside source list 6 int e0/3 overloadint e0/2.7ip nat insideexitint e0/3ip nat outsideexitwr配置ACL訪問控制列表access-list 100 deny ip any 55access-list 100 deny ip any 55access-list 100 deny ip any 55access-list 100 deny ip any 55access-list 100 deny ip any 55int e0/0.2ip access-group 100 inexitaccess-list 101 deny ip any 55access-list 101 deny ip any 55access-list 101 deny ip any 55access-list 101 deny ip any 55access-list 101 deny ip any 55access-list 101 permit ip any anyint e0/0.3ip access-group 101 inexitaccess-list 102 deny ip any 55access-list 102 deny ip any 55access-list 102 deny ip any 55access-list 102 deny ip any 55access-list 102 deny ip any 55access-list 102 permit ip any anyint e0/1.4ip access-group 102 inexitaccess-list 103 deny ip any 55access-list 103 deny ip any 55access-list 103 deny ip any 55access-list 103 deny ip any 55access-list 103 deny ip any 55access-list 103 permit ip any anyint e0/1.5ip access-group 103 inexitaccess-list 104 deny ip any 55access-list 104 deny ip any 55access-list 104 deny ip any 55access-list 104 deny ip any 55access-list 104