中小型网络系统集成

中小型网络系统集成

背景描述：

公司环境和要求： 

1、公司有2个部门，财务部、市场部，还有经理办公室；

2、为了确保财务部电脑的安全，不允许市场部访问财务部主机；

3、财务部不能访问外网；

4、公司只申请到了两个公网IP地址（202.100.100.2/29、202.100.100.3/29），供企业内网接入使用，其中一个公网地址分配给公司服务器使用，另一个公网地址分给公司员工上网使用。

5、公司内部使用私网地址172.16.0.0/16，其中三层交换机SW1为财务部、市场部的DHCP服务器，自动为两部门电脑分配IP地址。

6、公司路由器R4和三层交换机SW1上运行RIP路由协议，并SW1上做默认路由指向R4，在R4上做默认路由指向外网；

7、允许外网用户访问公司www服务器，但不允许访问内网和FTP服务器；

R1的配置：
en
conf t
host R1
enable password test
no ip domain-lookup
line con 0
pass test
login
logg syn
no exec
exit
line vty 0 4
pass test
login
logg syn
no exec
exit
username R4 password test
int s0/0/0
ip add 202.100.100.1 255.255.255.248
clock rate 64000
encapsulation ppp
ppp  authentication chap
no sh
exit
int fa0/0
ip add 192.168.1.1 255.255.255.252
ip ospf message-digest-key 1 md5 123456
no sh
exit
router ospf 100
network 202.100.100.1 0.0.0.0 area 0
network 192.168.1.1 0.0.0.0 area 0
area 0 authentication message-digest

R2的配置：
en
conf t
host R2
enable password test
no ip domain-lookup
line con 0
pass test
login
logg syn
no exec
exit
line vty 0 4
pass test
login
logg syn
no exec
exit
int fa0/0
ip add 192.168.1.2 255.255.255.252
ip ospf message-digest-key 1 md5 123456
no sh
int fa0/1
ip add 192.168.1.5 255.255.255.252
ip ospf message-digest-key 1 md5 123456
no sh
exit
router ospf 100
network 192.168.1.2 0.0.0.0 area 0
network 192.168.1.5 0.0.0.0 area 0
area 0 authentication message-digest

R3的配置

en
conf t
host R3
enable password test
no ip domain-lookup
line con 0
pass test
login
logg syn
no exec
exit
line vty 0 4
pass test
login
logg syn
no exec
exit
int fa0/0
ip add 192.168.1.6 255.255.255.252
ip ospf message-digest-key 1 md5 123456
no sh
int fa0/1
ip add 202.200.200.1 255.255.255.0
ip ospf message-digest-key 1 md5 123456
no sh
exit
router ospf 100
network 192.168.1.6  0.0.0.0 area 0
network 202.200.200.1 0.0.0.0 area 0
area 0 authentication message-digest

R4的配置：
en
conf t
host R4
enable password test
no ip domain-lookup
line con 0
pass test
login
logg syn
no exec
exit
line vty 0 4
pass test
login
logg syn
no exec
exit
username R1 pass test
int s0/0/0
ip add 202.100.100.2 255.255.255.248
ip nat outside
encapsulation ppp
ppp authentication chap
no sh
int fa0/1
ip add 172.16.50.1 255.255.255.0
ip nat inside
no sh
int fa0/0
ip add 172.16.1.1 255.255.255.252
ip nat inside
no sh
exit
ip route  0.0.0.0 0.0.0.0 202.100.100.1
ip default-network 202.100.100.0
router rip
version 2
no auto-summary
network 202.100.100.0
network 172.16.50.0
network 172.16.1.0
exit
access-list 1 deny 172.16.20.0 0.0.0.255
access-list 1 permit any
int s0/0/0
ip access-group 1 out
exit
ip nat inside source static tcp 172.16.50.2 80 202.100.100.3 80
ip nat inside source list 1 interface s0/0/0 overload

SW1的配置：
en
conf t
host SW1
enable password test
no ip domain-lookup
line con 0
pass test
login
logg syn
no exec
exit
line vty 0 4
pass test
login
logg syn
no exec
exit
vlan 10
name manager
exit
vlan 20
name finance
exit
vlan 30
name market
exit
vlan 40
name wireless
exit
ip routing
int fa0/22
no switchport
ip add 172.16.1.2 255.255.255.252
no sh
int range fa0/1 -10
switchport mode acc
switchport access vlan 30
exit
int range fa0/11 - 12
Sswitchport mode acc
switchport access vlan 10
exit
int port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
exit
port-channel load-balance src-dst-ip
int range fa0/23 -24
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
exit
ip access-list extended financeIn
permit ip any 172.16.30.0 0.0.0.255 reflect reflectIn
permit ip any any
exit
ip access-list extended Tofinance
evaluate reflectIn
deny ip 172.16.30.0 0.0.0.255 172.16.20.0 0.0.0.255
permit ip any any
exit
int vlan 10
ip add 172.16.10.1 255.255.255.0
no sh
int vlan 20
ip add 172.16.20.1 255.255.255.0
ip helper-address 172.16.1.2
ip access-group financeIn in
ip access-group Tofinance out
no sh
int vlan 30
ip add 172.16.30.1 255.255.255.0
ip helper-address 172.16.1.2
no sh
int vlan 40
ip add 172.16.40.1 255.255.255.0
no sh
exit
ip dhcp excluded-address 172.16.20.1 172.16.20.10
ip dhcp pool finance-dhcp
network 172.16.20.0 255.255.255.0
default-router 172.16.20.1
dns-server 202.96.128.143
lease 2 0 0
exit
ip dhcp excluded-address 172.16.30.1 172.16.30.10
ip dhcp pool market-dhcp
network 172.16.30.0 255.255.255.0
default-router 172.16.30.1
dns-server 202.96.128.143
lease 2 0 0
exit
router rip
version 2
no auto-summary
network 172.16.10.0
network 172.16.20.0
network 172.16.30.0
network 172.16.40.0
network 172.16.1.0
exit

配置SW2：
en
conf t
host SW2
enable password test
line con 0
pass test
login
logg syn
no exec
exit
line vty 0 4
pass test
login
logg syn
no exec
exit
no ip routing
vlan 20
name finance
vlan 30
name market
vlan 40 
name wireless
exit
int range fa0/1 - 10
switchport mode access
switchport access vlan 30
int range fa0/11 - 15
switchport mode access
switchport access vlan 20
int fa0/16
switchport mode access
switchport access vlan 40
exit
int port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
exit
port-channel load-balance src-dst-ip
int range fa0/23 -24
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
exit
int range fa0/1 - 15
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security violation shutdown
exit

至此完成配置，然后到测试，图就不上了。