ABC网络工程项目实施文档.doc-资源下载-道客多多-道者的世界，分享的人生！

ABC网络工程项目实施文档.doc

1、ABC网络工程项目实施文档网络拓扑图IP地址规划表VLAN信息规划表防火墙端口安全规划表设备配置流程步骤Part 1 交换配置1.1 VLAN配置3560-01配置3560- 02配置S-3560-01(config)#VLAN 10S-3560-01(config-vlan)#name OAS-3560-01(config-vlan)#VLAN 20S-3560-01(config-vlan)#name ServerS-3560-02(config)#VLAN 10S-3560-02(config-vlan)#name OAS-3560-02(config-vlan)#VLAN 20S-35

2、60-02(config-vlan)#name Server2950-01配置2950-02配置S-2950-01(config)#VLAN 10S-2950-01(config-vlan)#name OAS-2950-01(config-vlan)#VLAN 20S-2950-01(config-vlan)#name ServerS-2950-02(config)#VLAN 10S-2950-02(config-vlan)#name OAS-2950-02(config-vlan)#VLAN 20S-2950-02(config-vlan)#name Server1.2 STP配置步骤1、配

3、置trunk端口3560-01配置S-3560-01(config)#int range fa0/23-24S-3560-01(config-if-range)#switchport trunk encapsulation dot1qS-3560-01(config-if-range)#switchport mode trunkS-3560-01(config-if-range)#switchport trunk allowed vlan 10,20S-3560-01(config)#int range fa0/1-2S-3560-01(config-if-range)#switchport

4、trunk encapsulation dot1qS-3560-01(config-if-range)#switchport mode trunkS-3560-01(config-if-range)#switchport trunk allowed vlan 10,203560-02配置S-3560-02(config)#int range fa0/23-24S-3560-02(config-if-range)#switchport trunk encapsulation dot1qS-3560-02(config-if-range)#switchport mode trunkS-3560-0

5、2(config-if-range)#switchport trunk allowed vlan 10,20S-3560-02(config)#int range fa0/1-2S-3560-02(config-if-range)#switchport trunk encapsulation dot1qS-3560-02(config-if-range)#switchport mode trunkS-3560-02(config-if-range)#switchport trunk allowed vlan 10,202950-1配置S-2950-01(config)#int range fa

6、0/1-2S-2950-01(config-if-range)#switchport mode trunkS-2950-01(config-if-range)#switchport trunk allowed vlan 10,202950-02配置S-2950-02(config)#int range fa0/1-2S-2950-02(config-if-range)#switchport mode trunkS-2950-02(config-if-range)#switchport trunk allowed vlan 10,20步骤2、配置STP生成树3560-01配置3560-02配置S

7、-3560-01(config)#spanning-tree vlan 10 root primary S-3560-01(config)#spanning-tree vlan 20 root secondaryS-3560-02(config)#spanning-tree vlan 10 root secondaryS-3560-02(config)#spanning-tree vlan 20 root primary1.3 EtherChannel配置3560-01配置3560-02配置创建逻辑接口：S-3560-01(config)#int port-channel 1S-3560-01

8、(config-if)#switchport trunk encapsulation dot1qS-3560-01(config-if)#switchport mode trunkS-3560-01(config-if)#switchport trunk allowed vlan 10,20将逻辑接口与物理接口绑定：S-3560-01(config)#int range fa0/23-24S-3560-01(config-if-range)#channel-protocol lacpS-3560-01(config-if-range)#channel-group 1 mode active逻辑

9、接口流量负载均衡：S-3560-01(config)#port-channel load-balance src-dst-ip创建逻辑接口：S-3560-02(config)#interface port-channel 1 vlan 20 root primaryS-3560-02(config-if)#switchport trunk encapsulation dot1qS-3560-02(config-if)#switchport mode trunkS-3560-02(config-if)#switchport trunk allowed vlan 10,20将逻辑接口与物理接口绑定

10、：S-3560-01(config)#int range fa0/23-24S-3560-01(config-if-range)#channel-protocol lacpS-3560-01(config-if-range)#channel-group 1 mode active逻辑接口流量负载均衡：S-3560-01(config)#port-channel load-balance src-dst-ip1.4 HSRP配置3560-01配置3560-02配置VLAN10、20 地址配置：S-3560-01(config)#int vlan 10S-3560-01(config-if)#ip

11、 add 10.0.10.2 255.255.255.0S-3560-01(config-if)#no shutS-3560-01(config-if)#int vlan 20S-3560-01(config-if)#ip add 10.0.20.2 255.255.255.0S-3560-01(config-if)#no shutHSRP浮动地址、优先级等信息配置：S-3560-01(config)#int vlan 10S-3560-01(config-if)#standby 10 ip 10.0.10.1S-3560-01(config-if)#standby 10 priority 1

12、50S-3560-01(config-if)#standby 10 preemptS-3560-01(config-if)#int vlan 20S-3560-01(config-if)#standby 20 ip 10.0.20.1S-3560-01(config-if)#standby 20 priority 140S-3560-01(config-if)#standby 20 preemptVLAN10、20 地址配置：S-3560-01(config)#int vlan 10S-3560-01(config-if)#ip add 10.0.10.3 255.255.255.0S-356

13、0-01(config-if)#no shutS-3560-01(config-if)#int vlan 20S-3560-01(config-if)#ip add 10.0.20.3 255.255.255.0S-3560-01(config-if)#no shutHSRP浮动地址、优先级等信息配置：S-3560-02(config-if)#int vlan 10S-3560-02(config-if)#standby 10 ip 10.0.10.1 S-3560-02(config-if)#standby 10 priority 140S-3560-02(config-if)#standb

14、y 10 preemptS-3560-02(config-if)#int vlan 20S-3560-02(config-if)#standby 20 ip 10.0.20.1S-3560-02(config-if)#standby 20 priority 150S-3560-02(config-if)#standby 20 preempt1.5 二层交换配置 2950-01配置2950-02配置S-2950-01(config)#int range fa0/11-12S-2950-01(config-if-range)#switchport mode accessS-2950-01(conf

15、ig-if-range)#switchport access vlan 10S-2950-01(config-if-range)#spanning-tree portfastS-2950-02(config)#int range fa0/11-12S-2950-02(config-if-range)#switchport mode accessS-2950-02(config-if-range)#switchport access vlan 20S-2950-02(config-if-range)#spanning-tree portfast1.6 PC机配置IP并测试网关通畅性能PC1配置P

16、C2配置测试结果1.7 路由配置3560-01配置3560-02配置S-3560-01(config)#ip routingS-3560-02(config)#ip routing1.8 测试Part2 路由器配置Router(config)#hostname ISP-DianXin-2811-01ISP-DianXin-2811-01(config)#ISP-DianXin-2811-01(config)#int fa0/0ISP-DianXin-2811-01(config-if)#ip add 220.0.0.2 255.255.255.248ISP-DianXin-2811-01(co

17、nfig-if)#no shutISP-DianXin-2811-01(config)#int fa0/1ISP-DianXin-2811-01(config-if)#ip add 130.0.0.2 255.255.255.252ISP-DianXin-2811-01(config-if)#no shutISP-DianXin-2811-01(config)#int fa1/0ISP-DianXin-2811-01(config-if)#ip add 121.0.0.1 255.255.255.0ISP-DianXin-2811-01(config-if)#no shutPart3 防火墙配

18、置基础配置ASA5505-01ASA5505-02设置主机名ciscoasa#conf tciscoasa(config)#hostname HQ-BeiJing-ASA5505-01HQ-BeiJing-ASA5505-01(config)#清除原有VLAN配置HQ-BeiJing-ASA5505-01(config)#int vlan 1HQ-BeiJing-ASA5505-01(config-if)#no nameifHQ-BeiJing-ASA5505-01(config-if)#no security-levelHQ-BeiJing-ASA5505-01(config-if)#no

19、ip addHQ-BeiJing-ASA5505-01(config)#int vlan 2HQ-BeiJing-ASA5505-01(config-if)#no nameifHQ-BeiJing-ASA5505-01(config-if)#no security-levelHQ-BeiJing-ASA5505-01(config-if)#no ip add配置VLAN数据HQ-BeiJing-ASA5505-01(config-if)#int vlan 10HQ-BeiJing-ASA5505-01(config-if)#nameif outsideHQ-BeiJing-ASA5505-01

20、(config-if)#security-level 0HQ-BeiJing-ASA5505-01(config-if)#ip add 220.0.0.1 255.255.255.248HQ-BeiJing-ASA5505-01(config-if)#HQ-BeiJing-ASA5505-01(config-if)#int vlan 20HQ-BeiJing-ASA5505-01(config-if)#nameif insideHQ-BeiJing-ASA5505-01(config-if)#security-level 100HQ-BeiJing-ASA5505-01(config-if)#

21、ip add 10.0.0.1 255.255.255.0HQ-BeiJing-ASA5505-01(config-if)#no shutHQ-BeiJing-ASA5505-01(config-if)#HQ-BeiJing-ASA5505-01(config-if)#int vlan 30HQ-BeiJing-ASA5505-01(config-if)#no forward interface vlan 20HQ-BeiJing-ASA5505-01(config-if)#nameif dmzHQ-BeiJing-ASA5505-01(config-if)#security-level 50

22、HQ-BeiJing-ASA5505-01(config-if)#ip add 172.16.10.1 255.255.255.0VLAN与端口绑定HQ-BeiJing-ASA5505-01(config-if)#int eth0/0HQ-BeiJing-ASA5505-01(config-if)#switchport access vlan 10HQ-BeiJing-ASA5505-01(config-if)#int eth0/1HQ-BeiJing-ASA5505-01(config-if)#switchport access vlan 20HQ-BeiJing-ASA5505-01(co

23、nfig-if)#HQ-BeiJing-ASA5505-01(config-if)#int eth0/2HQ-BeiJing-ASA5505-01(config-if)#switchport access vlan 30配置静态路由HQ-BeiJing-ASA5505-01(config)#route outside 130.0.0.0 255.255.255.252 220.0.0.2设置主机名ciscoasa#conf tciscoasa(config)#hostname Branch-NanJing-ASA5505-02Branch-NanJing-ASA5505-02 (config)

24、#清除原有VLAN配置Branch-NanJing-ASA5505-02(config)#int vlan 1Branch-NanJing-ASA5505-02(config-if)#no nameifBranch-NanJing-ASA5505-02(config-if)#no security-levelBranch-NanJing-ASA5505-02(config-if)#no ip addBranch-NanJing-ASA5505-02(config)#int vlan 2Branch-NanJing-ASA5505-02(config-if)#no nameifBranch-Na

25、nJing-ASA5505-02(config-if)#no security-levelBranch-NanJing-ASA5505-02(config-if)#no ip add配置VLAN数据Branch-NanJing-ASA5505-02(config)#int vlan 10Branch-NanJing-ASA5505-02(config-if)#name outsideBranch-NanJing-ASA5505-02(config-if)#security-level 0Branch-NanJing-ASA5505-02(config-if)#ip add 130.0.0.1

26、255.255.255.252Branch-NanJing-ASA5505-02(config-if)#no shutBranch-NanJing-ASA5505-02(config-if)#Branch-NanJing-ASA5505-02(config-if)#int vlan 20Branch-NanJing-ASA5505-02(config-if)#name insideINFO: Security level for inside set to 100 by default.Branch-NanJing-ASA5505-02(config-if)#security-level 10

27、0Branch-NanJing-ASA5505-02(config-if)#ip add 10.0.30.1 255.255.255.0Branch-NanJing-ASA5505-02(config-if)#no shutBranch-NanJing-ASA5505-02(config-if)#VLAN与端口绑定Branch-NanJing-ASA5505-02(config)#int eth0/0Branch-NanJing-ASA5505-02(config-if)#switchport access vlan 10Branch-NanJing-ASA5505-02(config-if)

28、#int eth0/1Branch-NanJing-ASA5505-02(config-if)#switchport access vlan 20配置静态路由Branch-NanJing-ASA5505-02(config)#route outside 220.0.0.0 255.255.255.248 130.0.0.2防火墙配置策略配置1、dmz区web服务器静态映射HQ-BeiJing-ASA5505-01(config)#object network 172.16.10.11/32-WebServerHQ-BeiJing-ASA5505-01(config-network-object

29、)#host 172.16.10.11HQ-BeiJing-ASA5505-01(config-network-object)#nat (dmz,outside) static 220.0.0.32、定义ACL访问控制列表，放行外网进入ASA访问Web服务器的流量HQ-BeiJing-ASA5505-01(config)#access-list Access-DMZ-Server permit icmp any object 172.16.10.11/32-WebServerHQ-BeiJing-ASA5505-01(config)#access-group Access-DMZ-Server

30、 out interface dmz3、定义dmz区其他服务器的动态映射HQ-BeiJing-ASA5505-01(config)#object network 172.16.10.0/24-DMZ-ServerHQ-BeiJing-ASA5505-01(config-network-object)#subnet 172.16.10.0 255.255.255.0HQ-BeiJing-ASA5505-01(config-network-object)#nat (dmz,outside) dynamic interface4、定义ACL访问控制列表，放行外网进入ASA访问DMZ其他服务器的流量H

31、Q-BeiJing-ASA5505-01(config)#access-list Access-DMZ-Server permit icmp any object 172.16.10.0/24-DMZ-Server说明：access-group和前面一样，不用再定义5、inside区内网地址IP映射HQ-BeiJing-ASA5505-01(config)#object network 10.0.0.0/24HQ-BeiJing-ASA5505-01(config-network-object)#subnet 10.0.0.0 255.255.255.0HQ-BeiJing-ASA5505-0

32、1(config-network-object)#nat (inside,outside) dynamic interface6、3560配置缺省网关S-3560-02(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.17、ASA定义ACL访问控制列表，放行外网进入ASA访问inside的流量定义地址对象组：HQ-BeiJing-ASA5505-01(config)#object network 220.0.0.0/29HQ-BeiJing-ASA5505-01(config-network-object)#subnet 220.0.0.0 255.255.25

33、5.248HQ-BeiJing-ASA5505-01(config)#object network 10.0.0.0/24HQ-BeiJing-ASA5505-01(config-network-object)#subnet 10.0.0.0 255.255.255.0定义ACL：HQ-BeiJing-ASA5505-01(config)#access-list Outside-Access-Inside permit icmp object 220.0.0.0/29 object 10.0.0.0/24 源IP 目标IP应用ACL：HQ-BeiJing-ASA5505-01(config)#

34、access-group Outside-Access-Inside out interface inside 允许外网IP离开inside端口8、3560配置OSPF，发布缺省路由3560-01配置3560-02配置S-3560-01(config)#int loopback 0S-3560-01(config-if)#ip add 10.0.0.1 255.255.255.0S-3560-01(config-if)#exitS-3560-01(config)#router ospf 1S-3560-01(config-router)#router-id 10.0.0.1S-3560-01(

35、config-router)#network 10.0.10.0 0.0.0.255 area 0S-3560-01(config-router)#network 10.0.20.0 0.0.0.255 area 0S-3560-02(config)#int loo 0S-3560-02(config-if)#ip add 1.0.0.2 255.255.255.0S-3560-02(config-if)#exitS-3560-02(config)#router ospf 1S-3560-02(config-router)#router-id 1.0.0.2S-3560-02(config-r

36、outer)#network 10.0.10.0 0.0.0.255 area 0S-3560-02(config-router)#network 10.0.20.0 0.0.0.255 area 0S-3560-02(config-router)#default-information originate9、3560-02对内网IP进行NAT设置3560外网口S-3560-02(config)#int gig0/1S-3560-02(config-if)#ip nat outsideS-3560-02(config-if)#exit设置3560内网口S-3560-02(config)#int

37、 vlan 10S-3560-02(config-if)#ip nat insideS-3560-02(config-if)#int vlan 20S-3560-02(config-if)#ip nat inside设置NAT的访问控制列表ACLS-3560-02(config)#ip nat inside source list 10 interface gig0/1 overload 10、验证测试内网inside区PC测试内网inside服务器测试防火墙上验证HQ-BeiJing-ASA5505-01#HQ-BeiJing-ASA5505-01#show natAuto NAT Poli

38、cies (Section 2)1 (inside) to (outside) source dynamic 10.0.0.0/24 interfacetranslate_hits = 23, untranslate_hits = 232 (dmz) to (outside) source dynamic 172.16.10.0/24-DMZ-Server interfacetranslate_hits = 13, untranslate_hits = 133 (dmz) to (outside) source static 172.16.10.11/32-WebServer 220.0.0.3translate_hits = 0, untranslate_hits = 0

邮箱/手机：
温馨提示：	快捷下载时，用户名和密码都是您填写的邮箱或者手机号，方便查询和重复下载（系统自动生成）。如填写123，账号就是123，密码也是123。
特别说明：	请自助下载，系统不会自动发送文件的哦；如果您已付费，想二次下载，请登录后访问：我的下载记录
支付方式：
验证码：	换一换

账号：
密码：
验证码：	换一换
当日自动登录忘记密码？