Design and implementation of a network of small and medium projects

qq3421609946
I was recently asked to implement a course design on a specific application of ACLs; the requirements are as follows.

I. Requirements and objectives

(1) The company has 1,000 PCs.
(2) There are seven departments in total, each with different access restrictions, and the company has three branches in other provinces.
(3) The company has its own internal and external websites; it provides anonymous FTP, Mail and WWW services, but FTP is open only to internal employees.
(4) The company has its own OA system.
(5) Each department's office on the company network forms its own VLAN.

II. Design content

2.1 VLAN division

Based on the scenario of this experiment, the VLANs are divided as follows:
(1) Administrative building: 120 people in five departments, divided into five VLANs. Hosts within a VLAN can communicate with each other; VLANs cannot communicate with each other.
(2) Sales: 150 people in five departments, divided into five VLANs. Hosts within a VLAN can communicate with each other; VLANs cannot communicate with each other.
(3) Production center: 180 people in three departments, divided into three VLANs. Hosts within a VLAN can communicate with each other; VLANs cannot communicate with each other.

2.2 Network service software and principles

The network design involves a WWW server, an FTP server and an Email server. The principles of the three services are as follows:
(1) WWW server
When you want to retrieve a web page or another network resource, you normally first type the page's Uniform Resource Locator (URL) into the browser, or follow a hyperlink that points to it. The first step is that the server-name part of the URL is resolved, through the distributed Domain Name System, into an IP address.
The browser then sends an HTTP request for the page to the WWW server at that IP address. Normally the HTML text, images and all other files that make up the page are requested one by one and sent back to the user.
(2) FTP server
An FTP server (File Transfer Protocol server) provides file storage and access services on the Internet according to the FTP protocol. FTP stands for File Transfer Protocol; as the name suggests, it is a protocol designed for transferring files. Simply put, a server that supports the FTP protocol is an FTP server.
(3) Email server
An Email server is the device responsible for mail delivery and management, usually using the SMTP protocol. SMTP is defined in RFC 821; its role is to transfer mail messages from the sender's mail server to the recipient's mail server.

III. Outline design

3.1 Network topology

This course design follows the requirements above; the network topology is as follows:
[Figure: network topology]

3.2 Network division

The whole enterprise network topology is shown above. According to the experimental requirements, the VLAN division and planning are given in the following table:

[Table: VLAN division and planning; its entries are listed below]

(1) Administrative building: 120 people in five departments, divided into five VLANs. Hosts within a VLAN can communicate with each other; VLANs cannot communicate with each other. VLAN 31 to 35, 30 IP addresses allocated per VLAN, mask 255.255.255.224.
(2) Sales: 150 people in five departments, divided into five VLANs. Hosts within a VLAN can communicate with each other; VLANs cannot communicate with each other. VLAN 41 to 45, 30 IP addresses allocated per VLAN, mask 255.255.255.224.
(3) Production center: 180 people in three departments, divided into three VLANs. Hosts within a VLAN can communicate with each other; VLANs cannot communicate with each other. VLAN 51 to 53, 60 IP addresses allocated per VLAN, mask 255.255.255.192.
(4) The WWW server connects to the router and provides service to the external network.
(5) The Email server connects to the core switch in VLAN 1 and provides service both internally and externally.
(6) The FTP server connects to the core switch in VLAN 11 and provides service internally only.

IV. Detailed design

The course simulation uses Cisco Packet Tracer, version 5.3.3. The simulated topology is shown below:
[Figure: Packet Tracer simulation topology]
In this network simulation, working from the bottom up: one PC represents each VLAN. Each port of the access switch is placed in the corresponding VLAN, the access switch connects to the core switch, and the core switch port facing it is also placed in the corresponding VLAN. The core switch connects to the router and to the Email and FTP servers. The router connects to the external network and to the WWW server; the external network is simulated with a single router.
The key device configurations are as follows:
(1) Core switch
hostname HXJH
! ip routing makes this switch the inter-VLAN router, so the inbound ACLs on the SVIs below are where VLAN isolation is enforced
ip routing
spanning-tree mode pvst
interface FastEthernet0/1
switchport access vlan 31
switchport mode access
interface FastEthernet0/2
switchport access vlan 32
interface FastEthernet0/3
switchport access vlan 33
interface FastEthernet0/4
switchport access vlan 34
interface FastEthernet0/5
switchport access vlan 35
interface FastEthernet0/6
switchport access vlan 41
interface FastEthernet0/7
switchport access vlan 42
interface FastEthernet0/8
switchport access vlan 43
interface FastEthernet0/9
switchport access vlan 44
interface FastEthernet0/10
switchport access vlan 45
interface FastEthernet0/11
switchport access vlan 51
interface FastEthernet0/12
switchport access vlan 52
interface FastEthernet0/13
switchport access vlan 53
interface FastEthernet0/14
description to email
switchport mode access
interface FastEthernet0/15
switchport access vlan 11
switchport mode access
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
! the port is in access mode, so the trunk encapsulation setting above has no effect
switchport mode access
interface GigabitEthernet0/2
interface Vlan1
ip address 192.168.1.254 255.255.255.0
interface Vlan11
mac-address 0090.2b76.1201
ip address 192.168.11.254 255.255.255.0
interface Vlan20
mac-address 0090.2b76.1202
ip address 192.168.20.254 255.255.255.0
interface Vlan31
mac-address 0090.2b76.1203
ip address 192.168.30.30 255.255.255.224
ip access-group 131 in
interface Vlan32
mac-address 0090.2b76.1204
ip address 192.168.30.62 255.255.255.224
ip access-group 132 in
interface Vlan33
mac-address 0090.2b76.1205
ip address 192.168.30.94 255.255.255.224
ip access-group 133 in
interface Vlan34
mac-address 0090.2b76.1206
ip address 192.168.30.126 255.255.255.224
ip access-group 134 in
interface Vlan35
mac-address 0090.2b76.1207
ip address 192.168.30.158 255.255.255.224
ip access-group 135 in
interface Vlan41
mac-address 0090.2b76.1208
ip address 192.168.40.30 255.255.255.224
ip access-group 141 in
interface Vlan42
mac-address 0090.2b76.1209
ip address 192.168.40.62 255.255.255.224
ip access-group 142 in
interface Vlan43
mac-address 0090.2b76.120a
ip address 192.168.40.94 255.255.255.224
ip access-group 143 in
interface Vlan44
mac-address 0090.2b76.120b
ip address 192.168.40.126 255.255.255.224
! apply access-list 144 here; an SVI with no access-group filters nothing, so VLAN 44 would reach every other VLAN
ip access-group 144 in
interface Vlan45
mac-address 0090.2b76.120c
ip address 192.168.40.158 255.255.255.224
ip access-group 145 in
interface Vlan51
mac-address 0090.2b76.120d
ip address 192.168.50.62 255.255.255.192
ip access-group 151 in
interface Vlan52
mac-address 0090.2b76.120e
ip address 192.168.50.126 255.255.255.192
ip access-group 152 in
interface Vlan53
mac-address 0090.2b76.120f
ip address 192.168.50.190 255.255.255.192
ip access-group 153 in
interface Vlan153
mac-address 0090.2b76.1210
no ip address
ip access-group 153 in
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.3
ip flow-export version 9
access-list 131 deny ip 192.168.30.0 0.0.0.31 192.168.30.32 0.0.0.31
access-list 131 deny ip 192.168.30.0 0.0.0.31 192.168.30.64 0.0.0.31
access-list 131 deny ip 192.168.30.0 0.0.0.31 192.168.30.96 0.0.0.31
access-list 131 deny ip 192.168.30.0 0.0.0.31 192.168.30.128 0.0.0.31
access-list 131 deny ip 192.168.30.0 0.0.0.31 192.168.40.0 0.0.0.255
access-list 131 deny ip 192.168.30.0 0.0.0.31 192.168.50.0 0.0.0.255
access-list 131 permit ip any any
access-list 132 deny ip 192.168.30.32 0.0.0.31 192.168.30.0 0.0.0.31
! VLAN 33 (192.168.30.64/27) must be denied as well, otherwise the final permit lets VLAN 32 reach it
access-list 132 deny ip 192.168.30.32 0.0.0.31 192.168.30.64 0.0.0.31
access-list 132 deny ip 192.168.30.32 0.0.0.31 192.168.30.96 0.0.0.31
access-list 132 deny ip 192.168.30.32 0.0.0.31 192.168.30.128 0.0.0.31
access-list 132 deny ip 192.168.30.32 0.0.0.31 192.168.40.0 0.0.0.255
access-list 132 deny ip 192.168.30.32 0.0.0.31 192.168.50.0 0.0.0.255
access-list 132 permit ip any any
access-list 133 deny ip 192.168.30.64 0.0.0.31 192.168.30.0 0.0.0.31
access-list 133 deny ip 192.168.30.64 0.0.0.31 192.168.30.32 0.0.0.31
access-list 133 deny ip 192.168.30.64 0.0.0.31 192.168.30.96 0.0.0.31
access-list 133 deny ip 192.168.30.64 0.0.0.31 192.168.30.128 0.0.0.31
access-list 133 deny ip 192.168.30.64 0.0.0.31 192.168.40.0 0.0.0.255
access-list 133 deny ip 192.168.30.64 0.0.0.31 192.168.50.0 0.0.0.255
access-list 133 permit ip any any
access-list 134 deny ip 192.168.30.96 0.0.0.31 192.168.30.0 0.0.0.31
access-list 134 deny ip 192.168.30.96 0.0.0.31 192.168.30.32 0.0.0.31
access-list 134 deny ip 192.168.30.96 0.0.0.31 192.168.30.64 0.0.0.31
access-list 134 deny ip 192.168.30.96 0.0.0.31 192.168.30.128 0.0.0.31
access-list 134 deny ip 192.168.30.96 0.0.0.31 192.168.40.0 0.0.0.255
access-list 134 deny ip 192.168.30.96 0.0.0.31 192.168.50.0 0.0.0.255
access-list 134 permit ip any any
access-list 135 deny ip 192.168.30.128 0.0.0.31 192.168.30.0 0.0.0.31
access-list 135 deny ip 192.168.30.128 0.0.0.31 192.168.30.32 0.0.0.31
access-list 135 deny ip 192.168.30.128 0.0.0.31 192.168.30.64 0.0.0.31
access-list 135 deny ip 192.168.30.128 0.0.0.31 192.168.30.96 0.0.0.31
access-list 135 deny ip 192.168.30.128 0.0.0.31 192.168.40.0 0.0.0.255
access-list 135 deny ip 192.168.30.128 0.0.0.31 192.168.50.0 0.0.0.255
access-list 135 permit ip any any
access-list 141 deny ip 192.168.40.0 0.0.0.31 192.168.30.0 0.0.0.255
access-list 141 deny ip 192.168.40.0 0.0.0.31 192.168.50.0 0.0.0.255
access-list 141 deny ip 192.168.40.0 0.0.0.31 192.168.40.0 0.0.0.255
access-list 141 permit ip any any
access-list 142 deny ip 192.168.40.32 0.0.0.31 192.168.40.0 0.0.0.31
access-list 142 deny ip 192.168.40.32 0.0.0.31 192.168.40.64 0.0.0.31
access-list 142 deny ip 192.168.40.32 0.0.0.31 192.168.40.96 0.0.0.31
access-list 142 deny ip 192.168.40.32 0.0.0.31 192.168.40.128 0.0.0.31
! the administrative VLANs (192.168.30.0/24) must be denied as well, otherwise the final permit lets VLAN 42 reach them
access-list 142 deny ip 192.168.40.32 0.0.0.31 192.168.30.0 0.0.0.255
access-list 142 deny ip 192.168.40.32 0.0.0.31 192.168.50.0 0.0.0.255
access-list 142 deny ip 192.168.40.32 0.0.0.31 192.168.40.0 0.0.0.255
access-list 142 permit ip any any
access-list 143 deny ip 192.168.40.64 0.0.0.31 192.168.40.0 0.0.0.31
access-list 143 deny ip 192.168.40.64 0.0.0.31 192.168.40.32 0.0.0.31
access-list 143 deny ip 192.168.40.64 0.0.0.31 192.168.40.96 0.0.0.31
access-list 143 deny ip 192.168.40.64 0.0.0.31 192.168.40.128 0.0.0.31
access-list 143 deny ip 192.168.40.64 0.0.0.31 192.168.30.0 0.0.0.255
access-list 143 deny ip 192.168.40.64 0.0.0.31 192.168.50.0 0.0.0.255
access-list 143 permit ip any any
access-list 144 deny ip 192.168.40.96 0.0.0.31 192.168.40.0 0.0.0.31
access-list 144 deny ip 192.168.40.96 0.0.0.31 192.168.40.32 0.0.0.31
access-list 144 deny ip 192.168.40.96 0.0.0.31 192.168.40.64 0.0.0.31
access-list 144 deny ip 192.168.40.96 0.0.0.31 192.168.40.128 0.0.0.31
access-list 144 deny ip 192.168.40.96 0.0.0.31 192.168.30.0 0.0.0.255
access-list 144 deny ip 192.168.40.96 0.0.0.31 192.168.50.0 0.0.0.255
access-list 144 permit ip any any
access-list 145 deny ip 192.168.40.128 0.0.0.31 192.168.40.0 0.0.0.31
access-list 145 deny ip 192.168.40.128 0.0.0.31 192.168.40.32 0.0.0.31
access-list 145 deny ip 192.168.40.128 0.0.0.31 192.168.40.64 0.0.0.31
access-list 145 deny ip 192.168.40.128 0.0.0.31 192.168.40.96 0.0.0.31
access-list 145 deny ip 192.168.40.128 0.0.0.31 192.168.30.0 0.0.0.255
access-list 145 deny ip 192.168.40.128 0.0.0.31 192.168.50.0 0.0.0.255
access-list 145 permit ip any any
access-list 151 deny ip 192.168.50.0 0.0.0.63 192.168.50.64 0.0.0.63
access-list 151 deny ip 192.168.50.0 0.0.0.63 192.168.50.128 0.0.0.63
access-list 151 deny ip 192.168.50.0 0.0.0.63 192.168.30.0 0.0.0.255
access-list 151 deny ip 192.168.50.0 0.0.0.63 192.168.40.0 0.0.0.255
access-list 151 permit ip any any
access-list 152 deny ip 192.168.50.64 0.0.0.63 192.168.50.0 0.0.0.63
access-list 152 deny ip 192.168.50.64 0.0.0.63 192.168.50.128 0.0.0.63
access-list 152 deny ip 192.168.50.64 0.0.0.63 192.168.30.0 0.0.0.255
access-list 152 deny ip 192.168.50.64 0.0.0.63 192.168.40.0 0.0.0.255
access-list 152 permit ip any any
access-list 153 deny ip 192.168.50.128 0.0.0.63 192.168.50.0 0.0.0.63
access-list 153 deny ip 192.168.50.128 0.0.0.63 192.168.50.64 0.0.0.63
access-list 153 deny ip 192.168.50.128 0.0.0.63 192.168.30.0 0.0.0.255
access-list 153 deny ip 192.168.50.128 0.0.0.63 192.168.40.0 0.0.0.255
access-list 153 permit ip any any
no cdp run
line con 0
line aux 0
line vty 0 4
login
end
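Two of the steps above, the address plan of section 3.2 and the per-VLAN ACLs on the core switch, are easy to get subtly wrong when a dozen near-identical lists are typed by hand, and Packet Tracer only shows you the pairs you happen to ping. The following Python script is an added example, not part of the original course design and not a Cisco tool: it parses numbered extended ACL lines in IOS syntax, converts wildcard masks back to prefixes, evaluates a source/destination pair with the implicit deny at the end of every ACL, and then checks every VLAN pair from the plan plus reachability of the shared servers. The ACL text and VLAN map are constructed sample input: ACL 132 is written with the deny towards 192.168.30.64/27 left out and VLAN 33 has no ACL applied, and the FTP and mail server host addresses are assumptions (the design only fixes their VLANs).

```python
"""Added example: check that per-VLAN extended ACLs enforce the planned isolation."""
import ipaddress
import itertools

# Constructed sample from the address plan: 30 hosts per VLAN -> /27.
VLAN_SUBNETS = {31: "192.168.30.0/27", 32: "192.168.30.32/27", 33: "192.168.30.64/27"}

# ACL number applied inbound on each SVI; None models an SVI that was
# given no "ip access-group" line (constructed for the sample).
ACL_ON_VLAN = {31: 131, 32: 132, 33: None}

# Constructed sample ACL text in IOS syntax. ACL 132 is written without the
# deny towards 192.168.30.64/27, the kind of slip that creeps into a dozen
# near-identical lists typed by hand.
SAMPLE_ACLS = """
access-list 131 deny ip 192.168.30.0 0.0.0.31 192.168.30.32 0.0.0.31
access-list 131 deny ip 192.168.30.0 0.0.0.31 192.168.30.64 0.0.0.31
access-list 131 deny ip 192.168.30.0 0.0.0.31 192.168.30.96 0.0.0.31
access-list 131 deny ip 192.168.30.0 0.0.0.31 192.168.30.128 0.0.0.31
access-list 131 deny ip 192.168.30.0 0.0.0.31 192.168.40.0 0.0.0.255
access-list 131 deny ip 192.168.30.0 0.0.0.31 192.168.50.0 0.0.0.255
access-list 131 permit ip any any
access-list 132 deny ip 192.168.30.32 0.0.0.31 192.168.30.0 0.0.0.31
access-list 132 deny ip 192.168.30.32 0.0.0.31 192.168.30.96 0.0.0.31
access-list 132 deny ip 192.168.30.32 0.0.0.31 192.168.30.128 0.0.0.31
access-list 132 deny ip 192.168.30.32 0.0.0.31 192.168.40.0 0.0.0.255
access-list 132 deny ip 192.168.30.32 0.0.0.31 192.168.50.0 0.0.0.255
access-list 132 permit ip any any
"""

# Shared servers every VLAN must keep reaching (host addresses assumed; FTP is VLAN 11, mail VLAN 1).
SERVERS = ["192.168.11.1", "192.168.1.1"]

def _parse_spec(tokens, i):
    """Parse one ACL address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # only contiguous low-order wildcards map to a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    mask = ipaddress.IPv4Address((~wc) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2

def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # only 'access-list N permit|deny ip SRC DST' lines are handled
        src, i = _parse_spec(t, 4)
        dst, _ = _parse_spec(t, i)
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

def first_host(subnet):
    """Representative address inside a VLAN subnet."""
    return next(ipaddress.ip_network(subnet).hosts())

def check_isolation(vlan_subnets, acl_on_vlan, acls):
    """(src_vlan, dst_vlan, reason) for every VLAN pair that is not isolated."""
    problems = []
    for a, b in itertools.permutations(sorted(vlan_subnets), 2):
        num = acl_on_vlan.get(a)
        if num is None or num not in acls:
            problems.append((a, b, "no ACL applied inbound on the SVI"))
            continue
        src, dst = first_host(vlan_subnets[a]), first_host(vlan_subnets[b])
        if evaluate(acls[num], src, dst) == "permit":
            problems.append((a, b, f"ACL {num} permits {src} -> {dst}"))
    return problems

def check_services(vlan_subnets, acl_on_vlan, acls, servers):
    """(vlan, server) pairs that the VLAN's ACL would block; expected to be empty."""
    blocked = []
    for v, subnet in vlan_subnets.items():
        num = acl_on_vlan.get(v)
        if num is None:
            continue  # nothing filters, so nothing is blocked
        blocked += [(v, s) for s in servers
                    if evaluate(acls[num], first_host(subnet), s) == "deny"]
    return blocked

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    for a, b, why in check_isolation(VLAN_SUBNETS, ACL_ON_VLAN, acls):
        print(f"VLAN {a} -> VLAN {b}: {why}")
    print("blocked servers:", check_services(VLAN_SUBNETS, ACL_ON_VLAN, acls, SERVERS))
```

On the sample input the script reports the VLAN 32 to VLAN 33 hole and the two unfiltered pairs from VLAN 33, while the FTP and mail servers stay reachable. The same input format lets you paste the access-list section of a running-config and the full VLAN table from section 3.2 and check all VLAN pairs at once instead of pinging a few of them.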
(2) Router 0
interface FastEthernet0/0
ip address 192.168.1.3 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.10.10.254 255.255.255.0
duplex auto
speed auto
interface FastEthernet1/0
ip address 11.11.11.1 255.255.255.252
duplex auto
speed auto
router rip
network 11.0.0.0
network 192.10.10.0
network 192.168.1.0
end
(3) External network router
interface FastEthernet0/0
ip address 11.11.11.2 255.255.255.252
duplex auto
speed auto
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
router rip
network 11.0.0.0
end

V. Debugging and analysis

The test requirements are as follows:
(1) Communication between the different groups must remain independent and isolated.
(2) The WWW service is provided externally, the file transfer service is provided internally, and the Email service is accessible both inside and outside.
The verification process is as follows:
(1) From the PC in VLAN 31, which represents sales department 1, verify network isolation and access to the Email and FTP services.
[Screenshot] Email service accessed successfully.
[Screenshot] FTP access succeeded.
[Screenshot] VLAN isolation succeeded.
(2) The WWW service is provided externally, the file transfer service internally, and the Email service both inside and outside.
The FTP service has already been verified above; the WWW and Email services are verified from a device on the external network.
[Screenshot] WWW service accessed successfully.
[Screenshot] Email service accessed successfully.
[Screenshot] The FTP server is not reachable from the external network, as required.
With the results shown above, the experiment is complete.

Origin blog.51cto.com/6385585/2436600