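People learning networking often fall into the same trap: given a ready-made topology they know which commands to type, but not how to apply them in a real environment. Below, working from a realistic scenario, I walk through how to configure an enterprise network with one headquarters and several branches. If you find it useful, bookmark it and follow.
Requirements: headquarters and each branch office must be able to communicate with each other, but the branch offices must not be able to reach one another. Headquarters connects to the branches over carrier leased lines, and the headquarters egress router has only one outward-facing uplink.
The addressing plan is as follows:
Headquarters
IP plan: 192.168.10X.0/24
Gateway: 192.168.10X.254/24
Link between the core switch and egress router R1: 10.1.12.0/30
Branch 1
IP plan: 192.169.10X.0/24
Gateway: 192.169.10X.254/24
Link between the core switch and egress router R1: 20.1.12.0/30
Branch 2
IP plan: 192.170.10X.0/24
Gateway: 192.170.10X.254/24
Link between the core switch and egress router R1: 30.1.12.0/30
The configuration is as follows:
1. Configure the headquarters network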
sw4:
vlan batch 10 101 to 103
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 102
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 103
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 10 101 to 103
sw1:
vlan batch 10 101 to 103
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101 to 103
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 10
#
interface Vlanif10
ip address 10.1.12.1 255.255.255.252
#
interface Vlanif101
ip address 192.168.101.254 255.255.255.0
#
interface Vlanif102
ip address 192.168.102.254 255.255.255.0
#
interface Vlanif103
ip address 192.168.103.254 255.255.255.0
#
[zongbu_R1]
inter gig 0/0/0
ip addre 10.1.12.2 30
quit
interface GigabitEthernet0/0/1.1
dot1q termination vid 123
ip address 123.1.1.1 255.255.255.252
arp broadcast enable
#
interface GigabitEthernet0/0/1.2
dot1q termination vid 124
ip address 124.1.1.1 255.255.255.252
arp broadcast enable
#
ISP configuration:
#
vlan batch 123 to 124
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 123 to 124
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 123
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 124
#
Branch 1 network configuration:
sw5:
vlan batch 20 101 to 102
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 102
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 20 101 to 102
sw2:
vlan batch 20 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 101 to 103
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 20
#
interface Vlanif20
ip address 20.1.12.1 255.255.255.252
#
interface Vlanif101
ip address 192.169.101.254 255.255.255.0
#
interface Vlanif102
ip address 192.169.102.254 255.255.255.0
#
[R2]
inter gig 0/0/1
ip addre 123.1.1.2 30
quit
inter gig 0/0/0
ip addre 20.1.12.2 30
quit
Branch 2 network configuration:
sw6:
vlan batch 30 101 to 102
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 102
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 30 101 to 102
sw3:
vlan batch 30 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30 101 to 102
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 30
#
interface Vlanif30
ip address 30.1.12.1 255.255.255.252
#
interface Vlanif101
ip address 192.170.101.254 255.255.255.0
#
interface Vlanif102
ip address 192.170.102.254 255.255.255.0
#
[R3]
inter gig 0/0/1
ip addre 124.1.1.2 30
quit
inter gig 0/0/0
ip addre 30.1.12.2 30
quit
Configure routing
[sw1]ip route-static 0.0.0.0 0.0.0.0 10.1.12.2
[sw4]ip route-static 0.0.0.0 0.0.0.0 10.1.12.2
[sw2]ip route-static 0.0.0.0 0.0.0.0 20.1.12.2
[sw5]ip route-static 0.0.0.0 0.0.0.0 20.1.12.2
[sw3]ip route-static 0.0.0.0 0.0.0.0 30.1.12.2
[sw6]ip route-static 0.0.0.0 0.0.0.0 30.1.12.2
Configure OSPF on each site's egress router
R1:
ospf
area 0.0.0.0
network 123.1.1.1 0.0.0.0
network 124.1.1.1 0.0.0.0
R2:
ospf
area 0.0.0.0
network 123.1.1.2 0.0.0.0
R3:
ospf
area 0.0.0.0
network 124.1.1.2 0.0.0.0
R1:
ip route-static 192.168.101.0 24 10.1.12.1
ip route-static 192.168.102.0 24 10.1.12.1
ip route-static 192.168.103.0 24 10.1.12.1
R2:
ip route-static 192.169.101.0 24 20.1.12.1
ip route-static 192.169.102.0 24 20.1.12.1
R3:
ip route-static 192.170.101.0 24 30.1.12.1
ip route-static 192.170.102.0 24 30.1.12.1
Import each router's static routes into OSPF
ospf 1
import-route static
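Verification:
Headquarters accessing the branches
Branch 2 accessing headquarters
Branch 1 accessing headquarters:
Check the OSPF state on R1
Check the routing table on R1
Block network access between the branches:
Configure an ACL on SW6 and apply it to the egress port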
acl number 3000
rule 5 deny ip source 192.170.101.0 0.0.0.255 destination 192.169.101.0 0.0.0.255
rule 10 deny ip source 192.170.102.0 0.0.0.255 destination 192.169.101.0 0.0.0.255
rule 15 deny ip source 192.170.102.0 0.0.0.255 destination 192.169.102.0 0.0.0.255
rule 20 deny ip source 192.170.101.0 0.0.0.255 destination 192.169.102.0 0.0.0.255
#
interface GigabitEthernet0/0/24
traffic-filter outbound acl 3000
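Verification:
Testing confirms that branch 1 and branch 2 cannot reach each other, while both can still communicate with the headquarters network. All the goals of the lab have been met.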
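An offline check of ACL 3000 against the addressing plan, as an added example that is not part of the original article: it parses the four rules, applies wildcard-mask matching in rule-ID order, and reports any branch 2 to branch 1 subnet pair that is not denied. It assumes unmatched packets are forwarded, which is consistent with the article's result that headquarters stays reachable; the function and constant names are illustrative.

```python
import ipaddress
import re

# ACL 3000 as configured on SW6 in the article (each rule on one line).
ACL_3000 = """
rule 5 deny ip source 192.170.101.0 0.0.0.255 destination 192.169.101.0 0.0.0.255
rule 10 deny ip source 192.170.102.0 0.0.0.255 destination 192.169.101.0 0.0.0.255
rule 15 deny ip source 192.170.102.0 0.0.0.255 destination 192.169.102.0 0.0.0.255
rule 20 deny ip source 192.170.101.0 0.0.0.255 destination 192.169.102.0 0.0.0.255
"""
BRANCH1 = ["192.169.101.0/24", "192.169.102.0/24"]  # subnets from the IP plan
BRANCH2 = ["192.170.101.0/24", "192.170.102.0/24"]
RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(text):
    """Return (id, action, src, src_wc, dst, dst_wc) tuples sorted by rule ID."""
    rules = []
    for m in RULE_RE.finditer(text):
        rid, action, *addrs = m.groups()
        rules.append((int(rid), action, *map(to_int, addrs)))
    return sorted(rules)

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; every other bit must be equal."""
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(rules, src_ip, dst_ip, default="permit"):
    """First matching rule wins; unmatched packets get the assumed default."""
    s, d = to_int(src_ip), to_int(dst_ip)
    for rid, action, src, src_wc, dst, dst_wc in rules:
        if wildcard_match(s, src, src_wc) and wildcard_match(d, dst, dst_wc):
            return action, rid
    return default, None

def uncovered(rules, src_nets, dst_nets):
    """Subnet pairs where the first or last address pair is not denied."""
    gaps = []
    for sn in map(ipaddress.ip_network, src_nets):
        for dn in map(ipaddress.ip_network, dst_nets):
            corners = [(s, d) for s in (sn[0], sn[-1]) for d in (dn[0], dn[-1])]
            if any(evaluate(rules, s, d)[0] != "deny" for s, d in corners):
                gaps.append((str(sn), str(dn)))
    return gaps
```

Calling uncovered(parse_acl(ACL_3000), BRANCH2, BRANCH1) returns an empty list for the configuration above. Rerun it whenever a VLAN is added to either branch, because every new subnet pair needs its own deny rule.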
Published: 2023-02-28 20:59:00
Article link: https://www.wtabcd.cn/zhishi/a/167771416495795.html