怎么组建小型公司局域网买台24口交换机,买10台电脑,电脑设好IP ,掩码,没有网关。组好了。
可简陋,可复杂。
防火墙,网关,交换机,冗余,VLAN ,acl 都整上,也算一个局域网。
客户需求:
1. 公司有6个部门,高管部门、设计部、财务部、生产部、采购部、其他部门。
2. 公司有4台服务器:财务服务器、生产ERP服务器、文件存储服务器、web服务器。
3. 各部门之间可以互相通信。
4. 高管部门可以访问所有公司服务器,可以访问互联网资源。
5. 设计部门可以访问文件服务器、web服务器,可以访问互联网。
6. 财务部可以访问财务服务器、文件服务器、web服务器,可以访问互联网资源。
7. 生产部可以访问ERP服务器、文件服务器、web服务器,不能访问互联网。
8. 采购部可以访问文件服务器、web服务器,可以访问互联网资源。
9. 其他部门可以访问文件服务器、web服务器,不可以访问互联网。
10. 财务服务器、生产ERP服务器、文件存储服务器不能访问外网。
11. 外网可以通过http://202.101.100.3:8080,访问web服务器。
12. 公司从电信服务商购买202.101.100.0/29固定IP,可用固定公网IP为:202.101.100.2-202.101.100.6
13. ISP和公司连接的网关接口为202.101.100.1/29
网络设备拓扑图
设计概述:
1. 用两台二层交换机做汇聚和冗余备份及负载分担,并且:
192.168.200.0/24,192.168.4.0/24,192.168.1.0/24,192.168.255.0/24的流量优先从交换机SW-FR1-CVG走;
192.168.2.0/24,192.168.3.0/24,192.168.5.0/24,192.168.6.0/24的流量优先从交换机SW-FR1-CVG-BACK走。
2. 交换机SW-FR1、SW-FR2、SW-FR3分布在办公楼的1、2、3层,连接各楼层PC。
3. 按部门划分VLAN:高管部门属于vlan10、设计部属于vlan20、财务部属于vlan30、生产部属于vlan40、采购部属于vlan50、其他部门都划到vlan60、服务器属于vlan200、网络设备的管理vlan设为255。各交换机的telnet密码:123456
4. 路由器RT-GW fa0/0口起子接口做单臂路由,管理各vlan之间通信。
5. 路由器RT-GW fa0/0.200 接口挂ACL out,控制PC对服务器的流量。
6. 路由器RT-GW s1/0接口分配一个固定ip,起PPP协议,与服务商的网关用pap认证连接。用户名:ISP 密码:123456
7. 路由器RT-GW 做NAT,支持局域网中PC访问互联网。
8. 路由器RT-GW做静态NAT,实现广域网通过http://202.101.100.3:8080访问web服务器。
仓促而就,其中肯定有很多错误,再检查太麻烦了。就这样吧。
网络设备配置:(懒得整理了,都直接复制过来就得了。)
SW-FR1#sh run
Building configuration…
Current configuration : 2305 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW-FR1
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
!
no aaa new-model
no ip routing
no ip icmp rate-limit unreachable
!
no ip cef
no ip domain-lookup
!
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
!
!
!
!
!
interface Ethernet0/0
switchport access vlan 200
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet0/1
switchport access vlan 200
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet0/2
switchport access vlan 200
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet0/3
switchport access vlan 200
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet1/0
switchport access vlan 40
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet1/1
switchport access vlan 40
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet1/2
switchport access vlan 40
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet1/3
switchport access vlan 40
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet2/0
duplex auto
!
interface Ethernet2/1
duplex auto
!
interface Ethernet2/2
duplex auto
!
interface Ethernet2/3
duplex auto
!
interface Ethernet3/0
duplex auto
!
interface Ethernet3/1
duplex auto
!
interface Ethernet3/2
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet3/3
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan255
ip address 192.168.255.3 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.255.254
!
ip forward-protocol nd
no ip http server
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password 123456
login
transport input all
!
End
===========================================================
SW-FR2#sh run
Building configuration…
Current configuration : 2246 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW-FR2
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
!
no aaa new-model
no ip icmp rate-limit unreachable
!
ip cef
no ip domain-lookup
!
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
!
!
!
!
!
interface Ethernet0/0
switchport access vlan 20
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet0/1
switchport access vlan 20
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet0/2
switchport access vlan 20
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet0/3
switchport access vlan 20
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet1/0
switchport access vlan 10
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet1/1
switchport access vlan 10
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet1/2
switchport access vlan 10
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet1/3
switchport access vlan 10
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet2/0
duplex auto
!
interface Ethernet2/1
duplex auto
!
interface Ethernet2/2
duplex auto
!
interface Ethernet2/3
duplex auto
!
interface Ethernet3/0
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet3/1
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet3/2
duplex auto
!
interface Ethernet3/3
duplex auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan255
ip address 192.168.255.4 255.255.255.0
!
ip default-gateway 192.168.255.254
!
ip forward-protocol nd
no ip http server
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password 123456
login
transport input all
!
End
=========================================================
SW-FR3#sh run
Building configuration…
Current configuration : 2566 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW-FR3
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
!
no aaa new-model
no ip icmp rate-limit unreachable
!
ip cef
no ip domain-lookup
!
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
!
!
!
!
!
interface Ethernet0/0
switchport access vlan 50
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet0/1
switchport access vlan 50
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet0/2
switchport access vlan 50
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet0/3
switchport access vlan 50
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet1/0
switchport access vlan 30
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet1/1
switchport access vlan 30
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet1/2
switchport access vlan 30
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet1/3
switchport access vlan 30
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet2/0
switchport access vlan 60
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet2/1
switchport access vlan 60
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet2/2
switchport access vlan 60
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet2/3
switchport access vlan 60
switchport mode access
duplex auto
spanning-tree portfast edge
!
interface Ethernet3/0
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet3/1
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet3/2
duplex auto
!
interface Ethernet3/3
duplex auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan255
ip address 192.168.255.5 255.255.255.0
!
ip default-gateway 192.168.255.254
!
ip forward-protocol nd
no ip http server
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password 123456
login
transport input all
!
End
==========================================================
SW-FR1-CVG#sh run
Building configuration…
Current configuration : 1887 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW-FR1-CVG
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
!
no aaa new-model
no ip icmp rate-limit unreachable
!
ip cef
no ip domain-lookup
!
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10,40,200,255 priority 24576
spanning-tree vlan 20,30,50,60 priority 28672
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
!
!
!
!
!
interface Ethernet0/0
duplex auto
!
interface Ethernet0/1
duplex auto
!
interface Ethernet0/2
duplex auto
!
interface Ethernet0/3
duplex auto
!
interface Ethernet1/0
duplex auto
!
interface Ethernet1/1
duplex auto
!
interface Ethernet1/2
duplex auto
!
interface Ethernet1/3
duplex auto
!
interface Ethernet2/0
duplex auto
!
interface Ethernet2/1
duplex auto
!
interface Ethernet2/2
duplex auto
!
interface Ethernet2/3
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet3/0
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet3/1
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet3/2
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet3/3
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan255
ip address 192.168.255.1 255.255.255.0
!
ip default-gateway 192.168.255.254
!
ip forward-protocol nd
no ip http server
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password 123456
login
transport input all
!
End
===========================================================
SW-FR1-CVG-BACK#sh run
Building configuration…
Current configuration : 1831 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW-FR1-CVG-BACK
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
!
no aaa new-model
no ip icmp rate-limit unreachable
!
ip cef
no ip domain-lookup
!
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10,40,200,255 priority 28672
spanning-tree vlan 20,30,50,60 priority 24576
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
!
!
!
!
!
interface Ethernet0/0
duplex auto
!
interface Ethernet0/1
duplex auto
!
interface Ethernet0/2
duplex auto
!
interface Ethernet0/3
duplex auto
!
interface Ethernet1/0
duplex auto
!
interface Ethernet1/1
duplex auto
!
interface Ethernet1/2
duplex auto
!
interface Ethernet1/3
duplex auto
!
interface Ethernet2/0
duplex auto
!
interface Ethernet2/1
duplex auto
!
interface Ethernet2/2
duplex auto
!
interface Ethernet2/3
duplex auto
!
interface Ethernet3/0
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet3/1
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet3/2
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Ethernet3/3
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan255
ip address 192.168.255.2 255.255.255.0
!
ip default-gateway 192.168.255.254
!
ip forward-protocol nd
no ip http server
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password 123456
login
transport input all
!
End
==========================================================
RT-GW#sh run
Building configuration…
Current configuration : 2941 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RT-GW
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.3.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.40
encapsulation dot1Q 40
ip address 192.168.4.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.50
encapsulation dot1Q 50
ip address 192.168.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.60
encapsulation dot1Q 60
ip address 192.168.6.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.200
encapsulation dot1Q 200
ip address 192.168.200.254 255.255.255.0
ip access-group ACL-2SERVER out
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.255
encapsulation dot1Q 255
ip address 192.168.255.254 255.255.255.0
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 202.101.100.2 255.255.255.248
ip nat outside
ip virtual-reassembly
encapsulation ppp
serial restart-delay 0
clock rate 64000
ppp pap sent-username ISP password 0 123456
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
!
ip nat inside source list ACL-NAT-1 interface Serial1/0 overload
ip nat inside source static tcp 192.168.200.4 80 202.101.100.3 8080 extendable
!
!
ip access-list extended ACL-2SERVER
permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip any host 192.168.200.3
permit ip 192.168.3.0 0.0.0.255 host 192.168.200.1
permit ip 192.168.4.0 0.0.0.255 host 192.168.200.2
permit ip any host 192.168.200.4
ip access-list extended ACL-NAT-1
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
access-list 1 permit any
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
no login
!
!
End
===========================================================