I. Network design requirements
1. Beijing headquarters and the Shanghai branch are interconnected; access to the finance departments' sensitive data is encrypted with an IPsec VPN.
2. The Beijing headquarters distribution switch (Catalyst 3560) acts as DHCP server and assigns IP addresses automatically.
3. Beijing headquarters has three departments: Technical department in VLAN 10, General manager in VLAN 20, Finance department in VLAN 30. The Shanghai branch has a Finance department in VLAN 40.
4. An access control policy denies the Technical department access to the Finance department and allows the General manager access to the Finance department.
5. The Beijing core router (Cisco 2811) and the Shanghai branch router (Cisco 2811) build an IPsec VPN, so traffic between the Beijing and Shanghai finance departments is encrypted in transit. The Technical department and the other departments get normal Internet access. A simulated backup link is added: when the primary link fails, a floating static route moves traffic onto the backup link.
6. The Beijing router uses static routes to reach the internal departments, and the distribution and core layers use default routes; every department can reach the company's internal FTP/WEB/MAIL servers.
7. To save cost, the Shanghai branch uses a single router as its access gateway, with router-on-a-stick (802.1Q sub-interfaces) providing routing between its internal subnets.
II. Network topology design
Most networks can be divided hierarchically into three logical service layers: the core backbone, the distribution layer and the access layer. The aim of modular network design is to split a large set of network elements into interconnected layers. The hierarchical structure is shown in the topology figure (not reproduced here).
III. Address plan
| Department | Address space | VLAN |
|---|---|---|
| General manager / deputy general manager | 192.168.20.0/24 | VLAN 20 |
| Beijing technical department | 192.168.10.0/24 | VLAN 10 |
| Beijing finance department | 192.168.30.0/24 | VLAN 30 |
| Beijing server area | 10.100.0.0/24 | VLAN 50 |
| Shanghai finance department | 192.168.40.0/24 | VLAN 40 |
| Shanghai servers | 10.100.1.0/24 | VLAN 100 |
The VLAN numbers follow requirement 3 and the device configurations below (interface Vlan30 and Vlan50 on the Beijing switch, dot1Q 100 on the Shanghai router).
IV. Configuration notes
1. Beijing distribution switch configuration
ip dhcp pool Jishubu --- DHCP pool for the Technical department (VLAN 10)
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
ip dhcp pool Boss --- DHCP pool for the General manager (VLAN 20)
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.254
ip dhcp pool Caiwu --- DHCP pool for the Finance department (VLAN 30)
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.254
ip routing --- enable Layer 3 forwarding on the switch
spanning-tree mode pvst
interface FastEthernet0/1
 switchport access vlan 99 --- VLAN 99 is the point-to-point link to the router
 switchport mode access
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk --- 802.1Q trunks toward the access switches
interface FastEthernet0/22
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.10.254 255.255.255.0 --- gateway of the Technical department
 ip access-group 101 in --- ACL 101 applied inbound on the Layer 3 VLAN interface filters the packets arriving from VLAN 10
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0 --- gateway of the General manager
!
interface Vlan30
 ip address 192.168.30.254 255.255.255.0 --- gateway of the Finance department
!
interface Vlan50
 ip address 10.100.0.254 255.255.255.0 --- gateway of the server area
!
interface Vlan99
 ip address 10.0.0.2 255.255.255.252 --- /30 link to the router
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1 --- default route to the router
!
ip flow-export version 9
!
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 --- extended ACL: deny the Technical department source subnet to the Finance department destination subnet
access-list 101 permit ip any any --- everything else is permitted
!
end
Note that ACL 101 covers only the Beijing finance subnet. Packets from VLAN 10 to the Shanghai finance subnet 192.168.40.0/24 pass this ACL, are forwarded to the router, are translated by NAT (ACL 198 on the router permits 192.168.10.0/24 to any) and reach Shanghai in clear over the WAN link. To satisfy requirement 4 for both sites, ACL 101 needs a second deny entry for 192.168.40.0 0.0.0.255 (or the equivalent filter on the Shanghai side).
2. Beijing edge (core) router configuration
!
hostname BJ_Router
!
ip cef
no ipv6 cef
!
crypto isakmp policy 1 --- IKE phase 1 policy; no encryption or hash lines, so the IOS defaults (DES, SHA-1) apply
 authentication pre-share --- authenticate the peer with a pre-shared key
 group 2 --- Diffie-Hellman group 2 (1024-bit); together with DES/3DES this is weak by current standards and is kept only because the lab uses it
!
crypto isakmp key mykey address 1.1.1.2 --- pre-shared key for the Shanghai peer; a real deployment needs a long random key, not "mykey"
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac --- IPsec phase 2 parameters; must match Shanghai
!
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set myset
 match address 101 --- ACL 101 defines the interesting traffic that the crypto map encrypts
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252 --- link to the distribution switch
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.252 --- primary WAN link to Shanghai
 ip nat outside
 duplex auto
 speed auto
 crypto map mymap --- the crypto map is bound to this interface only
!
interface Ethernet1/0
 no ip address
 duplex auto
 speed auto
!
interface Ethernet1/1
 no ip address
 duplex auto
 speed auto
!
interface Ethernet1/2
 ip address 10.1.2.1 255.255.255.252 --- backup link (through an intermediate router whose configuration is not shown)
 ip nat outside
 duplex auto
 speed auto
!
interface Ethernet1/3
 no ip address
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
ip nat inside source list 198 interface FastEthernet0/1 overload --- PAT for Internet access; the finance subnet is deliberately absent from ACL 198, because NAT is applied before encryption and a translated source would no longer match crypto ACL 101
ip classless
ip route 192.168.10.0 255.255.255.0 10.0.0.2 --- return routes to the Beijing internal subnets
ip route 192.168.20.0 255.255.255.0 10.0.0.2
ip route 192.168.30.0 255.255.255.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 1.1.1.2 --- default route over the primary link toward Shanghai
ip route 0.0.0.0 0.0.0.0 10.1.2.2 100 --- floating static route: administrative distance 100 is worse than the distance 1 of the route above, so this route stays out of the routing table while F0/1 is up and is installed only when the primary default route is withdrawn (F0/1 down)
!
ip flow-export version 9
!
access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255 --- IPsec interesting traffic: Beijing finance to Shanghai finance
access-list 198 permit ip 192.168.10.0 0.0.0.255 any --- subnets allowed to use NAT for Internet access
access-list 198 permit ip 192.168.20.0 0.0.0.255 any
!
line con 0
!
line aux 0
!
line vty 0 4
 login --- 'login' with no VTY password set refuses every remote session; configure a password or 'login local' before relying on remote management
!
end
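The following Python script is an editor's example added to this page; it is not part of the original lab. It audits the crypto and NAT portion of the BJ_Router configuration above (copied into the script as a constructed sample): it fills in the defaults IOS applies when a `crypto isakmp policy` omits `encryption` and `hash`, flags weak IKE/IPsec parameters and a short pre-shared key, and checks that no NAT ACL entry covers the crypto ACL's flows, since NAT is applied before encryption on inside-to-outside traffic and a translated source would never match the crypto ACL. The severity labels and the 20-character minimum for the pre-shared key are assumptions of the example, not IOS rules; the replacement commands it suggests (`encryption aes 256`, `hash sha256`, `group 14`, `esp-aes 256 esp-sha256-hmac`) are standard IOS syntax.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: the crypto- and NAT-related lines of the BJ_Router
# configuration shown on this page, copied here so the audit runs offline.
BJ_ROUTER_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key mykey address 1.1.1.2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set myset
 match address 101
ip nat inside source list 198 interface FastEthernet0/1 overload
access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 198 permit ip 192.168.10.0 0.0.0.255 any
access-list 198 permit ip 192.168.20.0 0.0.0.255 any
"""

# Values IOS applies when a 'crypto isakmp policy' omits the corresponding line.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}        # 'sha' means SHA-1 in IOS
WEAK_DH_GROUPS = {"1", "2", "5"}
MIN_PSK_LEN = 20                  # assumed policy threshold, not an IOS limit


def parse_isakmp_policies(config):
    """Return {policy number: {encryption, hash, group}} with IOS defaults filled in."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(m.group(1), dict(ISAKMP_DEFAULTS))
        elif current is not None and line.startswith(" "):
            key, *value = line.split()
            if key in ISAKMP_DEFAULTS:
                current[key] = " ".join(value)
        else:
            current = None        # any unindented line ends the policy block
    return policies


def _parse_addr(tokens):
    """Consume one ACL address ('any', 'host A' or 'A wildcard') and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    if tok == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    netmask = IPv4Address(int(IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF)  # wildcard -> netmask
    return IPv4Network((tok, str(netmask)), strict=False)


def parse_acl(config, number):
    """Return [(action, src_net, dst_net)] for the 'ip' entries of numbered ACL `number`."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", number] or tokens[3] != "ip":
            continue
        action, rest = tokens[2], tokens[4:]
        entries.append((action, _parse_addr(rest), _parse_addr(rest)))
    return entries


def audit_crypto(config):
    """(severity, message) findings about the IKE phase 1 and IPsec phase 2 parameters."""
    findings = []
    for num, pol in parse_isakmp_policies(config).items():
        if pol["encryption"].split()[0] in WEAK_ENCRYPTION:
            findings.append(("high", f"isakmp policy {num}: encryption {pol['encryption']}; use 'encryption aes 256'"))
        if pol["hash"] in WEAK_HASH:
            findings.append(("medium", f"isakmp policy {num}: hash {pol['hash']}; use 'hash sha256'"))
        if pol["group"] in WEAK_DH_GROUPS:
            findings.append(("high", f"isakmp policy {num}: DH group {pol['group']}; use 'group 14' or higher"))
    for key, peer in re.findall(r"crypto isakmp key (\S+) address (\S+)", config):
        if len(key) < MIN_PSK_LEN:
            findings.append(("high", f"pre-shared key for peer {peer} is only {len(key)} characters long"))
    for name, transforms in re.findall(r"crypto ipsec transform-set (\S+) (.+)", config):
        if re.search(r"esp-(3)?des\b", transforms):
            findings.append(("high", f"transform-set {name}: {transforms}; use 'esp-aes 256 esp-sha256-hmac'"))
    return findings


def nat_overlaps_crypto(config):
    """Crypto-ACL flows that the NAT ACL also permits. NAT is applied before the
    crypto map on inside-to-outside traffic, so such flows would be translated,
    no longer match the crypto ACL, and leave the router unencrypted."""
    nat = re.search(r"ip nat inside source list (\d+)", config)
    crypto_acls = re.findall(r"^ match address (\d+)", config, re.M)
    if not nat or not crypto_acls:
        return []
    nat_permits = [e for e in parse_acl(config, nat.group(1)) if e[0] == "permit"]
    overlaps = []
    for acl in crypto_acls:
        for action, src, dst in parse_acl(config, acl):
            if action == "permit" and any(src.overlaps(ns) and dst.overlaps(nd) for _, ns, nd in nat_permits):
                overlaps.append((str(src), str(dst), acl))
    return overlaps


if __name__ == "__main__":
    for severity, message in audit_crypto(BJ_ROUTER_CONFIG):
        print(f"[{severity}] {message}")
    print("NAT entries covering VPN traffic:", nat_overlaps_crypto(BJ_ROUTER_CONFIG))
```

Run against the page's configuration the audit reports five findings (DES and SHA-1 inherited from the policy defaults, DH group 2, the 5-character key and the 3DES transform set) and no NAT overlap; appending `access-list 198 permit ip any any` to the sample makes the overlap check fire, which is exactly the mistake that silently sends VPN traffic in clear.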
3. Shanghai branch router configuration
!
hostname SH_Router
!
crypto isakmp policy 1 --- IPsec VPN parameters must match the Beijing router
 authentication pre-share
 group 2
!
crypto isakmp key mykey address 1.1.1.1 --- same pre-shared key, Beijing peer address
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 101 --- ACL 101 is the interesting traffic that triggers the IPsec VPN
!
interface FastEthernet0/0
 no ip address --- physical trunk toward the Shanghai access switch; the sub-interfaces below carry the VLANs (router-on-a-stick)
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 40
 ip address 192.168.40.254 255.255.255.0 --- gateway of the Shanghai finance department: this sub-interface terminates the VLAN 40 tagged frames passed through by the finance switch
!
interface FastEthernet0/0.2
 encapsulation dot1Q 100
 ip address 10.100.1.254 255.255.255.0 --- gateway of the Shanghai servers: terminates the VLAN 100 tagged frames passed through by the access switch
!
interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.252 --- primary link to Beijing
 duplex auto
 speed auto
 crypto map mymap --- the crypto map is bound to this interface only
!
interface Ethernet1/0
 no ip address
 duplex auto
 speed auto
!
interface Ethernet1/1
 no ip address
 duplex auto
 speed auto
!
interface Ethernet1/2
 no ip address
 duplex auto
 speed auto
!
interface Ethernet1/3
 ip address 10.1.3.1 255.255.255.252 --- backup link (through the intermediate router whose configuration is not shown)
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.1 --- default route toward Beijing over the primary link
ip route 0.0.0.0 0.0.0.0 10.1.3.2 100 --- floating static route over the backup link, the mirror of the Beijing one
!
ip flow-export version 9
!
access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255 --- interesting traffic, the mirror image of Beijing's ACL 101
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
(Supplementary material: IPsec VPN walkthrough)
IPsec VPN encryption test:
BJ_Router#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: mymap, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.40.0/255.255.255.0/0/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 --- no SA has been negotiated yet (the outbound SPI is 0 and no ESP SAs are listed), so nothing has been encrypted
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.:1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Beijing finance PC5 pings Shanghai finance:
PC>ping 192.168.40.1
Pinging 192.168.40.1 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.40.1: bytes=32 time=0ms TTL=125
Reply from 192.168.40.1: bytes=32 time=0ms TTL=125
Ping statistics for 192.168.40.1:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
The first two requests time out because the first packet that matches ACL 101 only triggers the IKE phase 1 and phase 2 negotiation; while the SAs are being built those packets are dropped (visible below as #send errors 1). Once the ESP SAs are ACTIVE the remaining requests are encrypted and answered.
BJ_Router#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: mymap, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.40.0/255.255.255.0/0/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0 --- the encrypted-packet counters now increase: 3 packets encapsulated and encrypted
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.:1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x373C0B92(926682002)
inbound esp sas:
spi: 0x61C82399(1640506265)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: FPGA:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4525504/3442)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x373C0B92(926682002)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: FPGA:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4525504/3442)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Beijing finance PC5 pings again with 4 packets:
PC>
PC>ping 192.168.40.1
Pinging 192.168.40.1 with 32 bytes of data:
Reply from 192.168.40.1: bytes=32 time=8ms TTL=125
Reply from 192.168.40.1: bytes=32 time=0ms TTL=125
Reply from 192.168.40.1: bytes=32 time=0ms TTL=125
Reply from 192.168.40.1: bytes=32 time=0ms TTL=125
BJ_Router#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: mymap, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.40.0/255.255.255.0/0/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0 --- the 4 successful pings add exactly 4 encrypted packets (3 to 7); the next line shows the 4 decrypted replies (2 to 6)
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.:1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x373C0B92(926682002)
inbound esp sas:
spi: 0x61C82399(1640506265)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: FPGA:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4525504/3191)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x373C0B92(926682002)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: FPGA:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4525504/3191)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
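A small parser for the `show crypto ipsec sa` snapshots above, added here as an editor's example (it is not part of the original lab). It turns each snapshot into counters and per-SA attributes, computes the counter growth between two snapshots (the check that proves the pings really went through the tunnel), and lists what a reviewer would raise against the negotiated SAs: no ACTIVE SA yet, a 3DES transform, and anti-replay reported as N. The snapshot strings are trimmed copies of the outputs shown on this page; the third one is derived from the second by substituting the 7/7 and 6/6 counters the page shows.

```python
import re
from ipaddress import IPv4Network

# Constructed samples: BJ_Router's 'show crypto ipsec sa' outputs as shown on
# this page, trimmed to the lines the parser uses.
SNAP_BEFORE = """\
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.40.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
current outbound spi: 0x0(0)
inbound esp sas:
outbound esp sas:
"""
SNAP_AFTER_PING1 = """\
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.40.0/255.255.255.0/0/0)
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 0
#send errors 1, #recv errors 0
current outbound spi: 0x373C0B92(926682002)
inbound esp sas:
spi: 0x61C82399(1640506265)
transform: esp-3des esp-sha-hmac ,
replay detection support: N
Status: ACTIVE
outbound esp sas:
spi: 0x373C0B92(926682002)
transform: esp-3des esp-sha-hmac ,
replay detection support: N
Status: ACTIVE
"""
# Third snapshot (after four more successful pings): same SAs, counters 7/7 and 6/6.
SNAP_AFTER_PING2 = (SNAP_AFTER_PING1
                    .replace("encaps: 3, #pkts encrypt: 3", "encaps: 7, #pkts encrypt: 7")
                    .replace("decaps: 2, #pkts decrypt: 2", "decaps: 6, #pkts decrypt: 6"))

COUNTERS = ("encaps", "encrypt", "decaps", "decrypt", "send_errors", "recv_errors")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts encrypt|pkts decaps|pkts decrypt|send errors|recv errors)[: ]+(\d+)")
IDENT_RE = re.compile(r"(local|remote) ident .*?\(([\d.]+)/([\d.]+)/")


def parse_sa(text):
    """Parse one crypto-map entry of 'show crypto ipsec sa' into counters and ESP SAs."""
    sa = {"esp_sas": []}
    direction = cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            sa[m.group(1)] = str(IPv4Network(f"{m.group(2)}/{m.group(3)}"))
        for name, num in COUNTER_RE.findall(line):
            sa[name.replace("pkts ", "").replace(" ", "_")] = int(num)
        m = re.match(r"current outbound spi: 0x([0-9A-Fa-f]+)", line)
        if m:
            sa["outbound_spi"] = int(m.group(1), 16)
        if line in ("inbound esp sas:", "outbound esp sas:"):
            direction = line.split()[0]           # header for the SA entries that follow
        elif line.startswith("spi: 0x"):
            cur = {"direction": direction, "spi": int(line.split()[1].split("(")[0], 16)}
            sa["esp_sas"].append(cur)
        elif cur and line.startswith("transform:"):
            cur["transform"] = line.split(":", 1)[1].strip(" ,")
        elif cur and line.startswith("replay detection support:"):
            cur["replay"] = line.split(":")[1].strip() == "Y"
        elif cur and line.startswith("Status:"):
            cur["status"] = line.split(":")[1].strip()
    return sa


def counter_delta(before, after):
    """Per-counter growth between two snapshots. If the pings really used the tunnel,
    encaps/decaps grow by the number of requests sent and replies received."""
    return {k: after.get(k, 0) - before.get(k, 0) for k in COUNTERS}


def check_tunnel(sa, local, remote):
    """Problems a reviewer would raise against this crypto-map entry."""
    problems = []
    if (sa.get("local"), sa.get("remote")) != (local, remote):
        problems.append(f"proxy identities {sa.get('local')} -> {sa.get('remote')} differ from {local} -> {remote}")
    active = [s for s in sa["esp_sas"] if s.get("status") == "ACTIVE"]
    if not active or sa.get("outbound_spi", 0) == 0:
        problems.append("no ACTIVE ESP SA: tunnel not negotiated yet")
    for s in active:
        if re.search(r"esp-(3)?des\b", s.get("transform", "")):
            problems.append(f"{s['direction']} SA uses {s['transform']} (weak cipher)")
        if not s.get("replay", False):
            problems.append(f"{s['direction']} SA reports anti-replay disabled")
    return problems


if __name__ == "__main__":
    first, second = parse_sa(SNAP_AFTER_PING1), parse_sa(SNAP_AFTER_PING2)
    print("growth after 4 pings:", counter_delta(first, second))
    print("review findings:", check_tunnel(second, "192.168.30.0/24", "192.168.40.0/24"))
```

The counter delta is the test worth automating: a ping that succeeds while `#pkts encaps` stays flat means the traffic took a path the crypto map does not cover, which is exactly what happens on the backup link later in this walkthrough.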
Beijing finance PC5 traces the route to Shanghai finance:
PC>
PC>tracert 192.168.40.1
Tracing route to 192.168.40.1 over a maximum of 30 hops:
1 0 ms 0 ms 0 ms 192.168.30.254
2 0 ms 1 ms 1 ms 10.0.0.1
3 * 0 ms 0 ms 1.1.1.2
4 0 ms 0 ms 1 ms 192.168.40.1
Trace complete.
Floating static route test on the Beijing router: when the IPsec VPN link fails, traffic is supposed to move to the backup link. The failure is simulated by shutting down interface F0/1 on the Beijing router:
PC>tracert 192.168.40.1
Tracing route to 192.168.40.1 over a maximum of 30 hops:
1 1 ms 0 ms 8 ms 192.168.30.254
2 0 ms 1 ms 0 ms 10.0.0.1
3 0 ms 0 ms 0 ms 10.1.2.2
4 0 ms 0 ms 0 ms 10.1.3.1
5 0 ms 1 ms 0 ms 192.168.40.1
Trace complete.
The path has moved from 10.0.0.1 > 1.1.1.2 to 10.0.0.1 > 10.1.2.2 > 10.1.3.1, so the floating static route did its job and connectivity survived. From a security point of view, however, this failover is not equivalent to the primary path: the crypto map is bound only to FastEthernet0/1, so while F0/1 is down the finance traffic that ACL 101 was supposed to protect crosses the backup link unencrypted. To keep requirement 1 during failover, the crypto map also has to be applied to the backup interface (Ethernet1/2 in Beijing, Ethernet1/3 in Shanghai), with a crypto map entry and pre-shared key for the peer address reachable over that link, and the failover test should be repeated while checking that #pkts encaps still increases.
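The forwarding decision behind the two traces above, modelled in a short Python script added here as an editor's example (not part of the original lab). It installs BJ_Router's static routes from the configuration above, drops any route whose next hop is no longer reachable through an up interface, picks the longest prefix and then the lowest administrative distance (which is what makes the distance-100 route "float"), and reports whether the chosen egress interface carries the crypto map. It also shows the effect of binding the crypto map to the backup interface as well. Interface names, the connected /30s and ACL 101 are taken from the page; the script does not model IKE peer reachability, so on a real router the crypto map on the backup interface additionally needs a `set peer` and pre-shared key for the Shanghai address reachable over that link.

```python
from ipaddress import IPv4Address, IPv4Network

# Model of BJ_Router built from the configuration on this page (constructed data).
CONNECTED = {                       # interface -> directly connected network
    "FastEthernet0/0": IPv4Network("10.0.0.0/30"),
    "FastEthernet0/1": IPv4Network("1.1.1.0/30"),
    "Ethernet1/2": IPv4Network("10.1.2.0/30"),
}
STATIC_ROUTES = [                   # (prefix, next hop, administrative distance)
    (IPv4Network("192.168.10.0/24"), "10.0.0.2", 1),
    (IPv4Network("192.168.20.0/24"), "10.0.0.2", 1),
    (IPv4Network("192.168.30.0/24"), "10.0.0.2", 1),
    (IPv4Network("0.0.0.0/0"), "1.1.1.2", 1),      # primary default route
    (IPv4Network("0.0.0.0/0"), "10.1.2.2", 100),   # floating static route
]
CRYPTO_ACL = [(IPv4Network("192.168.30.0/24"), IPv4Network("192.168.40.0/24"))]  # ACL 101
CRYPTO_MAP_INTERFACES = frozenset({"FastEthernet0/1"})   # where 'crypto map mymap' is applied


def egress_interface(next_hop, down):
    """Interface through which a next hop is directly reachable, or None if that link is down."""
    for iface, net in CONNECTED.items():
        if iface not in down and IPv4Address(next_hop) in net:
            return iface
    return None


def routing_table(down=frozenset()):
    """Routes that stay installed: a static route is withdrawn when its next hop
    becomes unreachable, and for equal prefixes the lowest distance wins."""
    table = {}
    for prefix, next_hop, distance in STATIC_ROUTES:
        iface = egress_interface(next_hop, down)
        if iface and (prefix not in table or distance < table[prefix][2]):
            table[prefix] = (next_hop, iface, distance)
    return table


def forward(src, dst, down=frozenset(), crypto_interfaces=CRYPTO_MAP_INTERFACES):
    """Longest-prefix lookup for dst, then whether the flow is encrypted on the way out."""
    table = routing_table(down)
    matches = [(p, v) for p, v in table.items() if IPv4Address(dst) in p]
    if not matches:
        return None
    prefix, (next_hop, iface, distance) = max(matches, key=lambda m: m[0].prefixlen)
    interesting = any(IPv4Address(src) in s and IPv4Address(dst) in d for s, d in CRYPTO_ACL)
    return {
        "prefix": str(prefix), "next_hop": next_hop, "interface": iface,
        "distance": distance, "interesting": interesting,
        "encrypted": interesting and iface in crypto_interfaces,
    }


if __name__ == "__main__":
    print("primary up:", forward("192.168.30.5", "192.168.40.1"))
    print("F0/1 down: ", forward("192.168.30.5", "192.168.40.1", down={"FastEthernet0/1"}))
    print("with fix:  ", forward("192.168.30.5", "192.168.40.1", down={"FastEthernet0/1"},
                                 crypto_interfaces={"FastEthernet0/1", "Ethernet1/2"}))
```

With F0/1 up the finance flow leaves through FastEthernet0/1 and is encrypted; with F0/1 down the distance-100 route is installed, the flow leaves through Ethernet1/2 where no crypto map exists, and `encrypted` is False even though the flow is still "interesting". The same lookup for a Technical department source shows the gap noted under the switch ACL: it reaches 192.168.40.1 through the same default route without ever being interesting traffic.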