项目实战案例:中型公司网络构架改革
2015-06-28 00:00作者:网管联盟
不久前做过一个小项目,是某公司发展需要,需要对目前网络进行改革:
1.针对于不同的部门划分不同的区域进行网络管理,确保每处区域都可以正常访问公网.
有销售部,财务部,信息安全,高层管理,市场部,服务器区域,2间主讲教室
2.针对目前公司整体的规范化管理需要进行以下网络限制.
a) 禁止除高层管理办公室以外的所有部门上QQ
b) 教师内只得在每天中午12:30-13:30期间可以访问外网.
c) 对服务器区域的所有限制及设定:
!金和OA协同办公系统服务器:允许所有部门人员访问,但只允许信息安全部人员进行远程管理.金和OA系统采用Windows2003系统,开放3389端口进行远程管理.
!用友U8财务系统,只允许财务部门以及高层管理部门以WEB方式进行访问.
!公司网站服务器.使用LAMP构架方式.允许市场部进行管理,并可以通过ftp方式进行上传数据或下载数据.其他部门只有WEB访问权限.
!公司远程教育服务器,只允许主讲教师的教师机以及远程端教室的教师机进行访问.
3.配置DHCP服务器,2间主讲教室中分别是两台教师机使用静态IP地址.
4.建立远程教学系统,三家分中心与公司相连,其中一家分中心还另外连接一处本地大学教室.
根据以上叙述,拓扑图如下:
核心路由器配置如下:
interface e0/0
no ip address
lookback 0 (回环)
ipaddress 1.1.1.1 255.255.255.255
配置dhcp
ip dhcp pool xiaoshou
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool caiwu
network 192.168.15.0 255.255.255.0
default-router 192.168.15.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool xinxi
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool gaoceng
network 192.168.25.0 255.255.255.0
default-router 192.168.25.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool shichang
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool jiaoshi1
network 192.168.35.0 255.255.255.0
default-router 192.168.35.1
dns-server 202.106.0.20
lease 2
exit
ip dhcp pool jiaoshi2
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 202.106.0.20
lease 2
exit
预留IP地址
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.15.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.25.1
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.35.1 192.168.35.3
ip dhcp excluded-address 192.168.40.1 192.168.40.3
配置子接口来连接不同的vlan
interface eth0/0.1
encapsulation dot1Q 100
ip address 192.168.10.1 255.255.255.0
ip access-group xiaoshou in
ip nat inside
exit
interface eth0/0.2
encapsulation dot1Q 200
ip address 192.168.15.1 255.255.255.0
ip access-group caiwu in
ip nat inside
exit
interface eth0/0.3
encapsulation dot1Q 300
ip address 192.168.20.1 255.255.255.0
ip access-group xinxi in
ip nat inside
exit
interface eth0/0.4
encapsulation dot1Q 400
ip address 192.168.25.1 255.255.255.0
ip access-group gaoceng in
ip nat inside
exit
interface eth0/0.5
encapsulation dot1Q 500
ip address 192.168.30.1 255.255.255.0
ip access-group shichang in
ip nat inside
exit
interface eth0/0.6
encapsulation dot1Q 600
ip address 192.168.35.1 255.255.255.0
ip access-group jiaoshi in
ip nat inside
exit
interface eth0/0.7
encapsulation dot1Q 700
ip address 192.168.40.1 255.255.255.0
ip access-group jiaoshi in
ip nat inside
exit
interface eth0/0.8
encapsulation dot1Q 800
ip address 192.168.45.1 255.255.255.0
ip access-group server in
ip nat inside
exit
interface eth0/0.9
encapsulation dot1Q 900
ip address 192.168.50.1 255.255.255.0
ip nat inside
exit
interface eth0/0.10
encapsulation dot1Q 1000
ip address 201.241.1.195 255.255.255.224
ip nat outside
exit
默认路由
ip route 0.0.0.0 0.0.0.0 201.241.1.193
配置ospf链路状态的路由协议
router ospf 100
network 192.168.10.0 0.0.0.255 area 0
network 192.168.15.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.25.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.35.0 0.0.0.255 area 0
network 192.168.40.0 0.0.0.255 area 0
network 192.168.45.0 0.0.0.255 area 0
network 192.168.50.0 0.0.0.255 area 0
network 201.241.1.192 0.0.0.31 area 0
动态地址转换
ip nat pool liyang 201.241.1.195 201.241.1.198 netmask 255.255.255.0
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 pool liyang overload
配置ACL 进行安全管理
ip access-list extended caiwu