Design and implementation of network solutions for small and medium enterprises

Chapter 1  Network Requirements Analysis

1.1  Project Introduction

The company is headquartered in Shanghai. The headquarters has three departments, the human resources department, the finance department and the R&D department, and each department has an average of 16 terminals. The branch is located in Shenzhen and also has three departments, including the production department and the customer service department, each with an average of 254 terminals. All of these terminals are required to be interconnected.

1.2 Networking requirements

All machines can access the Internet; the branch and the headquarters share network resources; business travelers can reach resources on the company LAN; departments sit in different network segments; the headquarters builds a WEB server to provide access by the corporate domain name; the branch builds an FTP server to provide file services; private (virtual) IP addresses are used within departments, globally unique addresses are used between departments and towards the outside, and CIDR is used for address allocation; online behavior management is configured; wireless APs and a centralized controller are configured; access control lists are configured; static routing is configured at the headquarters; the customer service department includes marketing personnel (configure a VLAN for them); all configurations remain valid after the devices restart. Note: the network topology is designed uniformly in the Cisco Packet Tracer simulator, referred to below as the simulator.

Chapter 2 Topology Design and Network Configuration

2.1 Device Selection and Network Topology

There are five parts in this network model, which are the company's Shanghai headquarters, the company's Shenzhen branch, the core area, the extranet area, and the network management area.

The company's Shanghai headquarters is equipped with six switches. Four of them are access-layer switches connected to the headquarters departments and the server cluster; they are named sw1, sw2, sw3 and sw7 and serve vlan10, vlan20 (Finance Department), vlan30 (R&D Department) and vlan70 (headquarters servers). Two multi-layer switches, msw1 and msw2, form the core/aggregation layer of the headquarters; their upper layer connects to the firewall fw1, which acts as the security barrier towards the external network. Three servers are configured in this part: the DHCP server, the WEB server and the DNS server.

The company's Shenzhen branch is equipped with six switches. Four of them are access-layer switches connected to the branch departments and the server cluster; they are named sw4, sw5, sw6 and sw8 and serve vlan40, vlan50 (marketing department), vlan60 (customer service department) and vlan80 (branch servers). Two multi-layer switches, msw3 and msw4, form the core/aggregation layer of the branch; their upper layer connects to the firewall fw2, which acts as the security barrier towards the external network. The branch is equipped with three servers: the P-DHCP server, the P-DNS server and the FTP server.

Two routers make up the external network: CK-R2160 serves as the access router towards the external network, and ISP-R2160 plays the role of the ISP. Switches, Internet user computers and servers are also placed there to simulate the extranet area.

The core area is a router named CO-R2160, which connects the network management computer, the company headquarters, the company branch and the external network area.

The IP address allocation of each part is not introduced one by one here; please refer to the following topology diagrams (Figures 2-1 to 2-4) for details:

Figure 2-1 Network topology diagram (overall part)

Figure 2-2 Network topology diagram (Shanghai headquarters)

Figure 2-3 Network Topology Diagram (Shenzhen Branch)

Figure 2-4 Network topology diagram (network management, core and extranet)

Chapter 3 Features and Problem Solving

3.1 Networking requirements

3.1.1 Topology Design

In the topology design and planning, the network devices, servers and other equipment are placed in the simulator. The Internet simulation area is placed at the top of the topology map and connected to a router that simulates the core router, which in turn connects the network management computer, the company headquarters and the company branch. The number of devices configured in each branch and each area is reasonable and has been verified as complete. Background images of different colors are used to divide the areas, improving the aesthetics and readability of the topology map.

3.1.2 IP address and vlan planning

In the planning of IP addresses and VLANs, the order of allocation is reasonable and orderly. Each department and the two server clusters are separated by VLAN, which provides Layer 2 isolation, ensures a high level of safety for each department, and makes network maintenance and management easier. In the requirements of this project, the Marketing Department and the Human Resources Department have a relatively large turnover of people, so according to actual needs they obtain IP addresses automatically, while the other departments could be configured statically. For uniformity, however, all six departments obtain their addresses dynamically via DHCP.

3.1.3 Use of protocols and technologies

In terms of protocols and technologies, this design uses the OSPF routing protocol, access control lists, the VLAN trunking protocol (VTP), link aggregation (port binding), PVST, NAT, firewalls and other techniques. The specific use of the key technologies in this design is introduced below.

1. The OSPF unicast dynamic routing protocol is used between the core switching devices and the egress router so that the whole network becomes reachable through the routing protocol. OSPF is configured on msw1-4, fw1-2, CO-R2160 and CK-R2160. This avoids routing loops and reduces interference.

2. An access control list controls which devices may access a resource. In this design, standard access list 1 is configured on the CK-R2160 router (it is used as the NAT source list) with the following command:

access-list 1 permit any

This entry matches all traffic that reaches it; the access lists used elsewhere are not listed one by one.

3. VLAN trunking protocol (VTP). This technology is mainly used on msw1-4; the commands are as follows:

vtp domain cisco      // name the VTP domain "cisco"

vtp mode server       // set the VTP mode to server

vtp password 123456   // set the VTP password to "123456"

VTP is a Cisco-proprietary protocol. It synchronizes VLAN information within the VTP domain, minimizing the configuration inconsistencies that can occur when changes are made.

4. Link aggregation on the layer-3 switches is used between msw1 and msw2 and between msw3 and msw4. The key code is as follows:

ip routing

int port-channel 1

switchport trunk encapsulation dot1q

switchport mode trunk

ex

int range f0/2-3                // the physical member ports (as in the appendix)

channel-group 1 mode on         // binds the member ports into port-channel 1; entered on the members, not on the port-channel itself

5. The PVST solution is mainly used on msw1-4. It is a Cisco-specific way of running spanning tree per VLAN. It can load-balance traffic by carrying some VLANs over one trunk and the other VLANs over the other trunk without creating spanning-tree loops. In general, the two multi-layer switches provide link backup for each other: if one link fails, communication continues through the other link-aggregated switch. The key code is as follows (the code configured on msw1 is taken as an example):

spanning-tree mode pvst

spanning-tree vlan 70,10 root primary       // msw1 is the root bridge for vlan 10 and 70

spanning-tree vlan 20,30 root secondary     // and the backup root for vlan 20 and 30

6. NAT is mainly used on the router CK-R2160 in this project. Here NAT translates the local (private network) addresses into a global IP address so that the LAN can interconnect with the Internet. The key code is as follows:

int f0/0

ip address 192.168.2.2 255.255.255.0

no sh

ip nat inside        // LAN-facing side

int s0/0/0

ip address 200.10.10.1 255.255.255.240

clock rate 64000

no sh

ip nat outside       // Internet-facing side

Publishing the web server to the public network requires a NAT mapping (described here as a port-based mapping; the appendix uses a one-to-one static mapping of 192.168.70.3 to 200.10.10.3), which lets users on the external network reach the web server.
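The NAT behaviour described above, as an added example that is not the project's own code: a static one-to-one entry for the web server beside PAT (overload) for every inside host that matches standard ACL 1. The addresses are the design's; the ACL evaluator and session table are a simplified model of what the router does.

```python
"""Model of CK-R2160's NAT: a static 1:1 entry publishing the web server and
PAT onto 200.10.10.1 for inside hosts matched by standard ACL 1 (added example)."""
import ipaddress

# Values from the design: inside web server, its public address, PAT address.
WEB_INSIDE, WEB_GLOBAL, PAT_GLOBAL = "192.168.70.3", "200.10.10.3", "200.10.10.1"

# Standard ACL entries as (action, address, wildcard); "permit any" is 0.0.0.0 255.255.255.255.
ACL_1 = [("permit", "0.0.0.0", "255.255.255.255")]


def acl_permits(acl, src_ip: str) -> bool:
    """Standard ACL with IOS wildcard semantics: first match wins, implicit
    deny at the end; a 1 bit in the wildcard means 'do not care'."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, addr, wild in acl:
        a = int(ipaddress.IPv4Address(addr))
        care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
        if ((src ^ a) & care) == 0:
            return action == "permit"
    return False


class Nat:
    def __init__(self, acl=ACL_1):
        self.acl = acl
        self.static = {WEB_INSIDE: WEB_GLOBAL}   # ip nat inside source static
        self.sessions = {}                       # (inside_ip, inside_port) -> global port
        self.next_port = 1024

    def outbound(self, src_ip: str, src_port: int):
        """Inside->outside: returns (global_ip, global_port), or None if not translated."""
        if src_ip in self.static:                 # static entry wins; the port is kept
            return self.static[src_ip], src_port
        if not acl_permits(self.acl, src_ip):     # not in list 1: the router leaves it alone
            return None
        key = (src_ip, src_port)
        if key not in self.sessions:              # new flow gets the next free global port
            self.sessions[key] = self.next_port
            self.next_port += 1
        return PAT_GLOBAL, self.sessions[key]

    def inbound(self, dst_ip: str, dst_port: int):
        """Outside->inside: returns (inside_ip, inside_port), or None when dropped."""
        for inside, glob in self.static.items():
            if dst_ip == glob:                    # static entry: reachable unsolicited, every port
                return inside, dst_port
        if dst_ip == PAT_GLOBAL:
            for (ip, port), gport in self.sessions.items():
                if gport == dst_port:             # only a reply to an existing session gets in
                    return ip, port
        return None
```

The contrast is the security point: the static entry makes every port of 192.168.70.3 reachable from the Internet, while PAT only admits replies to sessions an inside host opened.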

7. In this design, the company headquarters and the branch each use a firewall to isolate attacks coming from the other side. Note in particular that the OSPF network statements on the firewall take a normal subnet mask rather than the wildcard (inverse) mask used on the other devices.
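Two mistakes that are easy to make in this design, the wildcard/subnet mask difference of item 7 and an HSRP virtual address outside its VLAN subnet (as in the msw4 configuration in the appendix), can be caught by a small linter over the configuration text. This is an added example, not the project's code; the sample configurations are constructed in the style of msw4 and fw1.

```python
"""Added example: check HSRP virtual IPs against their SVI subnet, and check that
OSPF 'network' masks are wildcards on IOS devices but subnet masks on the ASA."""
import ipaddress
import re

# Constructed sample in msw4's style, reproducing its vlan 60 / vlan 50 VIP
# mistakes plus one OSPF line that wrongly uses a subnet mask on an IOS switch.
MSW4_SAMPLE = """\
int vlan 80
ip address 192.168.80.254 255.255.255.0
standby 80 ip 192.168.80.252
int vlan 60
ip address 192.168.60.254 255.255.255.0
standby 60 ip 192.168.50.252
int vlan 50
ip address 192.168.50.254 255.255.255.0
standby 50 ip 192.168.30.252
ex
router ospf 70
network 192.168.80.0 0.0.0.255 area 0
network 192.168.8.0 255.255.255.0 area 0
"""

# Constructed sample in fw1's style: on the ASA the subnet mask is the correct form.
FW1_SAMPLE = """\
router ospf 30
network 192.168.3.0 255.255.255.0 area 0
"""

def check_hsrp(config: str) -> list[str]:
    """One finding per 'standby N ip' whose VIP is outside the SVI's subnet."""
    findings, svi, subnet = [], None, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if line in ("ex", "exit"):
            svi, subnet = None, None
        elif line.startswith("int"):
            m = re.match(r"int(?:erface)?\s+vlan\s*(\d+)", line)
            svi, subnet = (f"vlan{m.group(1)}" if m else None), None
        elif svi and (m := re.match(r"ip address (\S+) (\S+)", line)):
            subnet = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif svi and (m := re.match(r"standby \d+ ip (\S+)", line)):
            vip = ipaddress.IPv4Address(m.group(1))
            if subnet is None:
                findings.append(f"{svi}: VIP {vip} configured before any ip address")
            elif vip not in subnet:
                findings.append(f"{svi}: VIP {vip} is outside {subnet}")
    return findings

def mask_kind(mask: str) -> str:
    """'wildcard' (low bits set), 'subnet' (high bits set), 'either' (all 0 or all 1), 'invalid'."""
    m = int(ipaddress.IPv4Address(mask))
    inv = ~m & 0xFFFFFFFF
    wildcard = (m & (m + 1)) == 0
    subnet = (inv & (inv + 1)) == 0
    if wildcard and subnet:
        return "either"
    return "wildcard" if wildcard else ("subnet" if subnet else "invalid")

def check_ospf_masks(config: str, platform: str) -> list[str]:
    """platform is 'ios' (wildcard masks expected) or 'asa' (subnet masks expected)."""
    expected = "wildcard" if platform == "ios" else "subnet"
    findings = []
    for raw in config.splitlines():
        m = re.match(r"\s*network (\S+) (\S+) area", raw)
        if m and mask_kind(m.group(2)) not in (expected, "either"):
            findings.append(f"network {m.group(1)} {m.group(2)}: expected a {expected} mask")
    return findings
```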

3.2 Problems and solutions

A number of faults occurred during this network build, and some functions were not implemented successfully, but a lot of experience was accumulated, and much was learned while discovering and resolving problems. The problems that arose and their solutions are described below.

First of all, the overall picture. A successful network build is impossible without a clear idea, a clear direction and sustained concentration. Careless typing is a frequent nuisance: in this course design, "vlan" was often typed as "valn", "vanl" and so on. In addition, the order of the connections must not be disturbed; a sensible cabling order makes the later configuration commands easier. A project is a chain of interlocking steps and needs attention to the whole. The time given for this project was relatively short, so the build process had to be planned carefully and the execution schedule adjusted.

The second most frequent problem is misspelled commands, but this kind of problem is easy to deal with. The most memorable one was typing an extra "[" after "en", which produced the result in Figure 2-38 and left the console stuck there. After consulting relevant material, "ctrl+shift+6" interrupts the process. Something new was learned from this mistake as well.


Figure 3-1 Errors caused by wrong input

In this network design, I first write the code in a script, which clarifies the configuration sequence and code structure and saves configuration time. Many configuration steps repeat, so they can simply be copied, pasted and then adjusted. I once mistook msw3 for msw4 and applied the prepared msw3 code to the other multi-layer switch. Fortunately the script serves as a backup, so it was enough to type "write erase" on the wrongly configured switch.

Some problems also occurred when configuring OSPF. When entering "router ospf 20" on msw2, the error "IP router not enabled" appeared; the routing function had been forgotten. The solution is to enter "ip routing" to enable routing.

After checking that the various configurations had succeeded, the OSPF protocol still did not take effect; after restarting the Cisco Packet Tracer simulator, it did. Part of the faults are simulator problems, but the logic of the configuration process also needs attention.

When configuring a server, check that its power button is "on"; when adding a serial port module to a router, check the position of the router's power switch. After modifying a configuration, check that it was saved successfully.

In the overall configuration process, pay attention to the order: configure the hostnames, IP addresses and VLANs first, and the routing protocols afterwards. When the firewall is first configured, press Enter directly and the password prompt can be skipped. I was not familiar with the firewall commands, which caused various difficulties and took a lot of time.

It was already 23:30 in the evening when the thesis reached this point. I suddenly came up with another topology solution that uses only one firewall and connects the company headquarters and branch with a router, as shown in Figures 3-2 and 3-3:


Figure 3-2 Topology diagram (Scheme 2)


Figure 3-3 Topology diagram (the main modification part of scheme 3)

It seems more reasonable, but due to limited personal ability and time, I did not have time to modify and debug the configuration, which I somewhat regret. Thinking about it, the most basic and most difficult step in building a network is in fact building the topology diagram: once the diagram is unreasonable, all previous effort may be wasted.

Appendix code section

msw1 configuration

en
conf t
hos msw1
vtp domain cisco
vtp mode server
vtp password 123456

vlan 10
vlan 20
vlan 30
vlan 70
ex

//configure the IP address of the routed uplink to fw1
int f0/1
no switchport
ip address 192.168.5.2 255.255.255.0
no sh
ex

//let it work as a switch with routing capability
ip routing
//configure the link aggregation group
int port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
ex

//the middle links (towards msw2) become members of the aggregation
int range f0/2-3
switchport trunk encapsulation dot1q
switchport mode trunk
//bind them into one group; this must be entered on the member ports, not in global configuration mode
channel-group 1 mode on
ex

//configure the downlinks to the access switches
int range f0/4-6
switchport trunk encapsulation dot1q
switchport mode trunk
ex

//adjust the spanning tree
spanning-tree mode pvst
spanning-tree vlan 70,10 root primary
spanning-tree vlan 20,30 root secondary

//enter vlan 70
int vlan 70
ip address 192.168.70.254 255.255.255.0
standby 70 ip 192.168.70.252
//configure preempt mode
//track the uplink interface, which acts as the monitor
standby 70 priority 120
standby 70 preempt
standby 70 track fastEthernet 0/1
ip helper-address 192.168.70.1

//enter vlan 10 (the servers do not need to obtain addresses automatically)
int vlan 10
ip address 192.168.10.254 255.255.255.0
standby 10 ip 192.168.10.252
standby 10 priority 120
standby 10 preempt
standby 10 track fastEthernet 0/1
ip helper-address 192.168.70.1

//enter vlan 20; because of the priorities, preempt mode is not needed here
int vlan 20
ip address 192.168.20.254 255.255.255.0
standby 20 ip 192.168.20.252
standby 20 track fastEthernet 0/1
ip helper-address 192.168.70.1

//enter vlan 30
int vlan 30
ip address 192.168.30.254 255.255.255.0
standby 30 ip 192.168.30.252
standby 30 track fastEthernet 0/1
ip helper-address 192.168.70.1
ex

//ospf configuration (still in global configuration mode)
router ospf 10
network 192.168.70.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.5.0 0.0.0.255 area 0
ex

msw2 configuration

en
conf t
hos msw2
vtp domain cisco
vtp mode server
vtp password 123456

vlan 10
vlan 20
vlan 30
vlan 70
ex

//routed uplink to fw1
int f0/3
no switchport
ip address 192.168.6.2 255.255.255.0
no sh
ex

//enable routing; without it "router ospf" is rejected (see section 3.2)
ip routing

int port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
ex

int range f0/1-2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
ex

int range f0/4-6
switchport trunk encapsulation dot1q
switchport mode trunk
ex

//enter vlan 70; .254 is already used on msw1, so .253 is used here
//HSRP tracks the routed uplink f0/3 on this switch (the original tracked f0/1, which is a port-channel member)
int vlan 70
ip address 192.168.70.253 255.255.255.0
standby 70 ip 192.168.70.252
standby 70 track fastEthernet 0/3
ip helper-address 192.168.70.1

int vlan 10
ip address 192.168.10.253 255.255.255.0
standby 10 ip 192.168.10.252
standby 10 track fastEthernet 0/3
ip helper-address 192.168.70.1

//msw2 is the active gateway for vlan 20 and 30
int vlan 20
ip address 192.168.20.253 255.255.255.0
standby 20 ip 192.168.20.252
standby 20 priority 120
standby 20 preempt
standby 20 track fastEthernet 0/3
ip helper-address 192.168.70.1

int vlan 30
ip address 192.168.30.253 255.255.255.0
standby 30 ip 192.168.30.252
standby 30 priority 120
standby 30 preempt
standby 30 track fastEthernet 0/3
ip helper-address 192.168.70.1
ex

//msw2 ospf configuration
router ospf 20
network 192.168.70.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.6.0 0.0.0.255 area 0
ex

msw3 configuration

en
conf t
hos msw3
vtp domain cisco
vtp mode server
vtp password 123456

vlan 40
vlan 50
vlan 60
vlan 80
ex

//routed uplink to fw2
int f0/3
no switchport
ip address 192.168.7.2 255.255.255.0
no sh
ex

//enable routing so that "router ospf" is accepted
ip routing

int port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
ex

//the original used "int range f0/2-3" here, which overlaps the routed uplink f0/3 configured above
//(the problem the author noted at this point); f0/1-2 is assumed, mirroring msw2
int range f0/1-2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
ex

int range f0/4-6
switchport trunk encapsulation dot1q
switchport mode trunk
ex

//enter vlan 80; .254 is already used on msw4, so .253 is used here
//HSRP tracks the routed uplink f0/3 (the original tracked f0/1)
int vlan 80
ip address 192.168.80.253 255.255.255.0
standby 80 ip 192.168.80.252
standby 80 track fastEthernet 0/3
ip helper-address 192.168.80.1

int vlan 60
ip address 192.168.60.253 255.255.255.0
standby 60 ip 192.168.60.252
standby 60 track fastEthernet 0/3
ip helper-address 192.168.80.1

//msw3 is the active gateway for vlan 50 and 40
int vlan 50
ip address 192.168.50.253 255.255.255.0
standby 50 ip 192.168.50.252
standby 50 priority 120
standby 50 preempt
standby 50 track fastEthernet 0/3
ip helper-address 192.168.80.1

int vlan 40
ip address 192.168.40.253 255.255.255.0
standby 40 ip 192.168.40.252
standby 40 priority 120
standby 40 preempt
standby 40 track fastEthernet 0/3
ip helper-address 192.168.80.1
ex

//msw3 ospf configuration
router ospf 60
network 192.168.80.0 0.0.0.255 area 0
network 192.168.40.0 0.0.0.255 area 0
network 192.168.50.0 0.0.0.255 area 0
network 192.168.60.0 0.0.0.255 area 0
network 192.168.7.0 0.0.0.255 area 0
ex

msw4 configuration

en
conf t
hos msw4
vtp domain cisco
vtp mode server
vtp password 123456

vlan 40
vlan 50
vlan 60
vlan 80
ex

//configure the IP address of the routed uplink to fw2
int f0/1
no switchport
ip address 192.168.8.2 255.255.255.0
no sh
ex

//let it work as a switch with routing capability
ip routing
//configure the link aggregation group
int port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
ex

//the middle links (towards msw3) become members of the aggregation
int range f0/2-3
switchport trunk encapsulation dot1q
switchport mode trunk
//bind them into one group while still on the member ports (the original had an "ex" before this
//line, which left channel-group in global configuration mode where it is rejected)
channel-group 1 mode on
ex

//configure the downlinks to the access switches
int range f0/4-6
switchport trunk encapsulation dot1q
switchport mode trunk
ex

//adjust the spanning tree
spanning-tree mode pvst
spanning-tree vlan 80,60 root primary
spanning-tree vlan 50,40 root secondary

//enter vlan 80
int vlan 80
ip address 192.168.80.254 255.255.255.0
standby 80 ip 192.168.80.252
//configure preempt mode
//track the uplink interface, which acts as the monitor
standby 80 priority 120
standby 80 preempt
standby 80 track fastEthernet 0/1
ip helper-address 192.168.80.1

//enter vlan 60
int vlan 60
ip address 192.168.60.254 255.255.255.0
//the virtual address must lie in 192.168.60.0/24 and match msw3 (the original had 192.168.50.252)
standby 60 ip 192.168.60.252
standby 60 priority 120
standby 60 preempt
standby 60 track fastEthernet 0/1
ip helper-address 192.168.80.1

//enter vlan 50; because of the priorities, preempt mode is not needed here
int vlan 50
ip address 192.168.50.254 255.255.255.0
//the virtual address must lie in 192.168.50.0/24 and match msw3 (the original had 192.168.30.252)
standby 50 ip 192.168.50.252
standby 50 track fastEthernet 0/1
ip helper-address 192.168.80.1

//enter vlan 40
int vlan 40
ip address 192.168.40.254 255.255.255.0
standby 40 ip 192.168.40.252
standby 40 track fastEthernet 0/1
ip helper-address 192.168.80.1
ex

//msw4 ospf configuration
router ospf 70
network 192.168.80.0 0.0.0.255 area 0
network 192.168.40.0 0.0.0.255 area 0
network 192.168.50.0 0.0.0.255 area 0
network 192.168.60.0 0.0.0.255 area 0
network 192.168.8.0 0.0.0.255 area 0
ex

sw1 configuration

en
conf t
hos sw1
vtp domain cisco
vtp mode client
vtp password 123456

//uplinks to msw1 and msw2
int f0/1
switchport mode trunk
ex

int f0/3
switchport mode trunk
ex

//access ports of the department
int f0/2
switchport mode access
switchport access vlan 10
ex

int f0/4
switchport mode access
switchport access vlan 10
ex

sw2 configuration

en
conf t
hos sw2
vtp domain cisco
vtp mode client
vtp password 123456

int range f0/3-4
switchport mode trunk
ex 

int range f0/1-2
switchport mode access 
switchport access vlan 20
ex

sw3 configuration

en
conf t
hos sw3
vtp domain cisco
vtp mode client
vtp password 123456


int range f0/3-4
switchport mode trunk
ex 

int range f0/1-2
switchport mode access 
switchport access vlan 30
ex

sw4 configuration

en
conf t
hos sw4
vtp domain cisco
vtp mode client
vtp password 123456


int range f0/3-4
switchport mode trunk
ex 

int range f0/1-2
switchport mode access 
switchport access vlan 40
ex

sw5 configuration

en
conf t
hos sw5
vtp domain cisco
vtp mode client
vtp password 123456

int range f0/3-4
switchport mode trunk
ex 

int range f0/1-2
switchport mode access 
switchport access vlan 50
ex

sw6 configuration

en
conf t
hos sw6
vtp domain cisco
vtp mode client
vtp password 123456

int range f0/3-4
switchport mode trunk
ex

int range f0/1-2
switchport mode access
switchport access vlan 60
ex

sw7 configuration

en
conf t
hos sw7
vtp domain cisco
vtp mode client
vtp password 123456

int range f0/1-2
switchport mode trunk
ex 

int range f0/3-5
switchport mode access 
switchport access vlan 70
ex

fw1 configuration

en
conf t
hos fw1
//inside interfaces, security level 100
int g1/1
ip address 192.168.5.1 255.255.255.0
security-level 100
nameif trust-1
no sh

int g1/2
ip address 192.168.6.1 255.255.255.0
security-level 100
nameif trust-2
no sh

//the interface above towards the core is level 0 (outside)
int g1/3
ip address 192.168.3.2 255.255.255.0
security-level 0
nameif untrust
no sh
ex

//fw1 ospf configuration (the ASA takes a normal subnet mask here, not a wildcard mask)
router ospf 30
network 192.168.3.0 255.255.255.0 area 0
network 192.168.5.0 255.255.255.0 area 0
network 192.168.6.0 255.255.255.0 area 0
ex

//(without this the firewall blocks traffic from crossing it)
//configure an extended access control list
access-list fangxin extended permit ip any any
//apply it per interface; the interface names can be checked one by one with "access-group fangxin in interface ?"
//note: applied in both directions on every interface, this passes all traffic and the firewall
//filters nothing; it is a lab shortcut rather than a production policy
access-group fangxin in interface trust-1
access-group fangxin out interface trust-1
access-group fangxin in interface trust-2
access-group fangxin out interface trust-2
access-group fangxin in interface untrust
access-group fangxin out interface untrust

fw2 configuration

en
conf t
hos fw2
//inside interfaces, security level 100
int e0/0
ip address 192.168.7.1 255.255.255.0
security-level 100
nameif p-trust-1
no sh

int e0/1
ip address 192.168.8.1 255.255.255.0
security-level 100
nameif p-trust-2
no sh

//the interface above towards the core is level 0 (outside)
int e0/2
ip address 192.168.4.2 255.255.255.0
security-level 0
nameif p-untrust
no sh
ex

//configure an extended access control list (without it the firewall blocks traffic from crossing it)
access-list fangxin extended permit ip any any
//apply it per interface; the interface names can be checked one by one with "access-group fangxin in interface ?"
//as on fw1, applying "permit ip any any" in both directions on every interface disables all filtering
access-group fangxin in interface p-trust-1
access-group fangxin out interface p-trust-1
access-group fangxin in interface p-trust-2
access-group fangxin out interface p-trust-2
access-group fangxin in interface p-untrust
access-group fangxin out interface p-untrust

//fw2 ospf (subnet masks, not wildcard masks, on the ASA)
router ospf 80
network 192.168.4.0 255.255.255.0 area 0
network 192.168.7.0 255.255.255.0 area 0
network 192.168.8.0 255.255.255.0 area 0
ex

CO-R2160 configuration

//the router needs an NM-2E2W module for the E1/x interfaces and the serial ports
en
conf t
hos CO-R2160

int E1/0
ip address 192.168.3.1 255.255.255.0
no sh

int E1/1
ip address 192.168.4.1 255.255.255.0
no sh

int f0/1
ip address 192.168.9.1 255.255.255.0
no sh

int f0/0
ip address 192.168.2.1 255.255.255.0
no sh
ex

//configure the network management computer
//the network management computer can then manage the router remotely
//a standard ACL takes "permit any" (the original had "permit ip any any", which is extended-ACL syntax);
//as written it still permits every source, so restricting management access needs narrower entries
access-list 1 permit any
//five vty lines (0-4): at most 5 devices can log in at the same time
line vty 0 4
password 123456
login
//restrict vty logins to the sources in list 1 (assumed intent; list 1 is otherwise unused on this router)
access-class 1 in
ex
enable password 123456
username luoqianqian password 123456

//configure CO-R2160 ospf
router ospf 40
network 192.168.2.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
network 192.168.9.0 0.0.0.255 area 0
ex

CK-R2160 configuration

en
conf t
hos CK-R2160

int f0/0
ip address 192.168.2.2 255.255.255.0
no sh
ip nat inside

//note: this side is configured with a /28 mask while ISP-R2160 uses /30 on the same link;
//the point-to-point serial link still comes up, but the two masks should agree
int s0/0/0
ip address 200.10.10.1 255.255.255.240
clock rate 64000
no sh
ip nat outside
ex

//static mapping that publishes the web server (192.168.70.3) as 200.10.10.3
//this is a full one-to-one mapping: every port of the server becomes reachable from outside
ip nat inside source static 192.168.70.3 200.10.10.3

//configure CK-R2160 ospf
router ospf 50
network 192.168.2.0 0.0.0.255 area 0
default-information originate
ex

//configure the default route
ip route 0.0.0.0 0.0.0.0 200.10.10.2
//configure the nat address pool
ip nat pool DZC 200.10.10.1 200.10.10.1 netmask 255.255.255.252
//configure the access control list; all traffic matches it here
access-list 1 permit any
//translate every source in list 1 to the pool address, sharing it by port (overload)
ip nat inside source list 1 pool DZC overload
//(the original also had "ip nat inside source list 1 interface s0/0/0", a second dynamic rule
// for the same list; the pool rule above already covers it, so it is omitted)

ISP-R2160 configuration

en
conf t
hos ISP-R2160
int s0/0/0
ip address 200.10.10.2 255.255.255.252
no sh
int f0/0
ip address 200.10.20.1 255.255.255.240
no sh
ex


Origin blog.csdn.net/qq_46351409/article/details/125585847