I. Network design requirements
1. The Beijing headquarters and the Shanghai branch are interconnected; the Finance department's sensitive data is accessed over an encrypted IPsec VPN.
2. The 3560 aggregation switch at Beijing headquarters acts as the DHCP server and assigns IP addresses automatically.
3. Beijing headquarters has three departments: Technology in VLAN 10, General Manager in VLAN 20 and Finance in VLAN 30; the Shanghai branch has a Finance department in VLAN 40.
4. A security access-control policy denies the Technology department access to Finance and allows the General Manager access to Finance.
5. The Beijing core router (2811) and the Shanghai branch router (2811) establish an IPsec VPN, so traffic between the Beijing and Shanghai Finance departments is encrypted in transit. Other departments such as Technology have normal Internet access. A simulated backup link is added: when the primary link fails, a floating static route moves traffic onto the backup link.
6. The Beijing router uses static routes for communication between the internal departments; the aggregation and core layers use default routes, and every department can reach the company's internal FTP/WEB/MAIL and related servers.
7. To save cost, the Shanghai branch uses a single router as its access gateway, with router-on-a-stick sub-interfaces providing connectivity between its internal subnets.
II. Network topology design:
Most networks can be divided hierarchically into three logical service layers: the core backbone (Backbone), the distribution layer (Distribute) and the access layer (Local-access). The goal of modular network design is to split a large set of network elements into interconnected layers. The hierarchy is shown in the figure below:

III. Address plan:
| Department | Address space | VLAN |
|---|---|---|
| General Manager / Deputy General Manager | 192.168.20.0/24 | VLAN 20 |
| Beijing Technology | 192.168.10.0/24 | VLAN 10 |
| Beijing Finance | 192.168.30.0/24 | VLAN 20 |
| Beijing server zone | 10.100.0.0/24 | VLAN 30 |
| Shanghai Finance | 192.168.40.0/24 | VLAN 40 |
| Shanghai servers | 10.100.1.0/24 | VLAN 50 |
IV. Configuration notes
1. Beijing aggregation switch configuration
ip dhcp pool Jishubu --- DHCP pool for the Technology department
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
ip dhcp pool Boss --- DHCP pool for the General Manager
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
ip dhcp pool Caiwu --- DHCP pool for Finance
network 192.168.30.0 255.255.255.0
default-router 192.168.30.254
ip routing --- enable Layer 3 routing on the switch
spanning-tree mode pvst
interface FastEthernet0/1
switchport access vlan 99 --- VLAN for the link to the router
switchport mode access
interface FastEthernet0/21
switchport trunk encapsulation dot1q
switchport mode trunk --- trunk to the access switch
interface FastEthernet0/22
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/23
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.10.254 255.255.255.0 --- Technology department gateway
ip access-group 101 in --- bind the security-policy ACL to the Layer 3 VLAN interface for packet filtering and access control
!
interface Vlan20
ip address 192.168.20.254 255.255.255.0 --- General Manager gateway
!
interface Vlan30
ip address 192.168.30.254 255.255.255.0 --- Finance department gateway
!
interface Vlan50
ip address 10.100.0.254 255.255.255.0 --- server gateway
!
!
interface Vlan99
ip address 10.0.0.2 255.255.255.252 --- IP address for the link to the router
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1 --- default route to the router
!
ip flow-export version 9
!
!
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 --- extended ACL: denied source network and destination network
access-list 101 permit ip any any --- all other traffic is permitted
!
end
2. Beijing edge core router configuration
!
hostname BJ_Router
!
!
ip cef
no ipv6 cef
!
!
crypto isakmp policy 1 --- IKE (Phase 1) policy for the IPsec VPN
authentication pre-share --- pre-shared key authentication
group 2
!
crypto isakmp key mykey address 1.1.1.2 --- pre-shared key for the Shanghai peer's IKE address
!
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac --- encryption parameters, identical to Shanghai's
!
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set myset
match address 101 --- tie the crypto map to the ACL that defines which traffic is encrypted
!
!!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.252
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 1.1.1.1 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map mymap
!
interface Ethernet1/0
no ip address
duplex auto
speed auto
!
interface Ethernet1/1
no ip address
duplex auto
speed auto
!
interface Ethernet1/2
ip address 10.1.2.1 255.255.255.252
ip nat outside
duplex auto
speed auto
!
interface Ethernet1/3
no ip address
duplex auto
speed auto
!
interface Vlan1
no ip address
!
ip nat inside source list 198 interface FastEthernet0/1 overload --- NAT (PAT) for Internet access
ip classless
ip route 192.168.10.0 255.255.255.0 10.0.0.2 --- return route to the Beijing internal network
ip route 192.168.20.0 255.255.255.0 10.0.0.2 --- return route to the Beijing internal network
ip route 192.168.30.0 255.255.255.0 10.0.0.2 --- return route to the Beijing internal network
ip route 0.0.0.0 0.0.0.0 1.1.1.2 --- default route towards Shanghai
ip route 0.0.0.0 0.0.0.0 10.1.2.2 100 --- floating static route: administrative distance 100 is less preferred than the first default route's distance of 1, so this route stays out of the routing table and is installed only when the first default route is withdrawn.
!
ip flow-export version 9
!
!
access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255 --- ACL defining the traffic to be encrypted by the IPsec VPN
access-list 198 permit ip 192.168.10.0 0.0.0.255 any --- ACL for traffic allowed to use NAT for Internet access
access-list 198 permit ip 192.168.20.0 0.0.0.255 any --- ACL for traffic allowed to use NAT for Internet access
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
3. Shanghai branch router configuration
!
hostname SH_Router
!
crypto isakmp policy 1 --- IPsec VPN settings, identical to the Beijing router's
authentication pre-share
group 2
!
crypto isakmp key mykey address 1.1.1.1
!
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set myset
match address 101 --- the interesting traffic for the IPsec VPN is ACL 101, which triggers the tunnel
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 40
ip address 192.168.40.254 255.255.255.0 --- gateway sub-interface for Shanghai Finance; terminates VLAN 40 trunked from the Finance switch
!
interface FastEthernet0/0.2
encapsulation dot1Q 100
ip address 10.100.1.254 255.255.255.0 --- gateway sub-interface for the Shanghai servers; terminates VLAN 100 trunked from the access switch
!
interface FastEthernet0/1
ip address 1.1.1.2 255.255.255.252
duplex auto
speed auto
crypto map mymap
!
interface Ethernet1/0
no ip address
duplex auto
speed auto
!
interface Ethernet1/1
no ip address
duplex auto
speed auto
!
interface Ethernet1/2
no ip address
duplex auto
speed auto
!
interface Ethernet1/3
ip address 10.1.3.1 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 10.1.3.2 100
!
ip flow-export version 9
!
!
access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255 --- interesting traffic that triggers the IPsec VPN
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
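Before trusting the tunnel, a practitioner checks two things in the two router configurations above: that the crypto ACLs (101 on each router) are exact mirrors of each other, and that the NAT ACL (198) can never match the protected flow, because IOS performs inside-to-outside NAT before the crypto map is evaluated. The following Python checker is an added example, not part of the original lab; it parses copies of the ACL lines from the two configurations and assumes contiguous wildcard masks.

```python
import ipaddress

# Constructed excerpts: the ACL lines copied from the BJ_Router and SH_Router configs.
BJ_CONFIG = """
access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 198 permit ip 192.168.10.0 0.0.0.255 any
access-list 198 permit ip 192.168.20.0 0.0.0.255 any
"""
SH_CONFIG = "access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255"

def _take_target(tokens):
    """Consume one address spec: 'any' or 'A.B.C.D WILDCARD' (contiguous wildcards assumed)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wildcard = tokens.pop(0)
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for 'access-list N ... ip' lines."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        rest = tokens[4:]
        entry = (tokens[2], _take_target(rest), _take_target(rest))  # action, src, dst
        acls.setdefault(tokens[1], []).append(entry)
    return acls

def crypto_acls_mirror(local_acl, remote_acl):
    """Phase 2 negotiates only if every local permit entry has its exact reverse on the peer."""
    local = {(s, d) for a, s, d in local_acl if a == "permit"}
    remote = {(d, s) for a, s, d in remote_acl if a == "permit"}
    return local == remote

def nat_overlaps_crypto(nat_acl, crypto_acl):
    """True if the NAT ACL would translate a flow the crypto ACL is meant to protect.
    IOS evaluates ACL entries first-match, so a leading deny exempts the flow."""
    for _, cs, cd in crypto_acl:
        for action, ns, nd in nat_acl:
            if ns.overlaps(cs) and nd.overlaps(cd):
                if action == "permit":
                    return True
                break
    return False
```

For the configurations above the checks pass because ACL 198 only covers the Technology and General Manager subnets; a NAT ACL that permitted 192.168.30.0/24 to `any` would break the tunnel unless a deny for the finance-to-finance flow were placed ahead of it.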
(The following is a supplementary walkthrough of the IPsec VPN.)
VPN encryption lab walkthrough:
BJ_Router#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: mymap, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.40.0/255.255.255.0/0/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 --- no VPN-encrypted traffic has been sent yet
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.:1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Beijing Finance PC5 pings Shanghai Finance:
PC>ping 192.168.40.1
Pinging 192.168.40.1 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.40.1: bytes=32 time=0ms TTL=125
Reply from 192.168.40.1: bytes=32 time=0ms TTL=125
Ping statistics for 192.168.40.1:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
BJ_Router#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: mymap, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.40.0/255.255.255.0/0/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0 --- the encrypted packet counters have increased
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.:1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x373C0B92(926682002)
inbound esp sas:
spi: 0x61C82399(1640506265)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: FPGA:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4525504/3442)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x373C0B92(926682002)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: FPGA:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4525504/3442)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Beijing Finance PC5 sends another 4 ping packets:
PC>
PC>ping 192.168.40.1
Pinging 192.168.40.1 with 32 bytes of data:
Reply from 192.168.40.1: bytes=32 time=8ms TTL=125
Reply from 192.168.40.1: bytes=32 time=0ms TTL=125
Reply from 192.168.40.1: bytes=32 time=0ms TTL=125
Reply from 192.168.40.1: bytes=32 time=0ms TTL=125
BJ_Router#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: mymap, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.40.0/255.255.255.0/0/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0 --- the 4 successful pings added 4 encrypted VPN packets
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.:1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x373C0B92(926682002)
inbound esp sas:
spi: 0x61C82399(1640506265)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: FPGA:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4525504/3191)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x373C0B92(926682002)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: FPGA:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4525504/3191)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
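The three `show crypto ipsec sa` snapshots above tell the story through counters: an outbound SPI of 0x0 means no Phase 2 SA exists yet, and the encaps/decaps deltas between snapshots confirm that the finance-to-finance pings really crossed the tunnel (the first two timeouts are the pings lost while IKE was still negotiating). The following Python parser is an added example, not part of the original lab; the two snapshot strings are constructed abbreviations of the first two outputs above.

```python
import re

# Constructed snapshots, abbreviated from the BJ_Router output above: before any
# finance traffic (no SA yet) and after the first ping.
BEFORE = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
current outbound spi: 0x0(0)
"""
AFTER = """\
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 0
#send errors 1, #recv errors 0
current outbound spi: 0x373C0B92(926682002)
"""

COUNTER_RE = re.compile(r"#([a-z][a-z. ]*?):?\s+(\d+)")
SPI_RE = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)")

def parse_sa(text):
    """Extract the packet counters and the outbound SPI from show crypto ipsec sa output."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    m = SPI_RE.search(text)
    return {"counters": counters, "outbound_spi": m.group(1) if m else None}

def sa_established(sa):
    """An outbound SPI of 0x0 means no Phase 2 SA has been negotiated yet."""
    return sa["outbound_spi"] not in (None, "0x0")

def diff_counters(before, after):
    """Per-counter change between two snapshots."""
    b, a = before["counters"], after["counters"]
    return {k: v - b.get(k, 0) for k, v in a.items()}

def tunnel_health(before, after):
    """Summarise whether traffic is flowing through the tunnel in both directions."""
    d = diff_counters(before, after)
    enc, dec = d.get("pkts encrypt", 0), d.get("pkts decrypt", 0)
    return {
        "established": sa_established(after),
        "encrypted": enc,
        "decrypted": dec,
        "new_send_errors": d.get("send errors", 0),
        # encrypting without ever decrypting means the peer is not answering
        "one_way": enc > 0 and dec == 0,
    }
```

Polling these counters periodically and alerting on a growing encrypt count with a flat decrypt count is a cheap way to catch a half-broken tunnel before users report it.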
Beijing Finance PC5 traces the route to Shanghai Finance:
PC>
PC>tracert 192.168.40.1
Tracing route to 192.168.40.1 over a maximum of 30 hops:
1 0 ms 0 ms 0 ms 192.168.30.254
2 0 ms 1 ms 1 ms 10.0.0.1
3 * 0 ms 0 ms 1.1.1.2
4 0 ms 0 ms 1 ms 192.168.40.1
Trace complete.
The Beijing router is configured with a floating static route: when the IPsec VPN link fails, traffic takes the backup link. To simulate the failure, interface F0/1 on the Beijing router is shut down:
PC>tracert 192.168.40.1
Tracing route to 192.168.40.1 over a maximum of 30 hops:
1 1 ms 0 ms 8 ms 192.168.30.254
2 0 ms 1 ms 0 ms 10.0.0.1
3 0 ms 0 ms 0 ms 10.1.2.2
4 0 ms 0 ms 0 ms 10.1.3.1
5 0 ms 1 ms 0 ms 192.168.40.1
Trace complete.
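The floating static route works because IOS installs, per prefix, only the lowest-distance static route whose next hop is still reachable through an up interface; when F0/1 is shut down the distance-1 default via 1.1.1.2 is withdrawn and the distance-100 default via 10.1.2.2 takes its place, which is exactly what the two traceroutes show. The following Python model is an added example, not part of the original lab; it reproduces that selection using BJ_Router's static routes and interface addresses from the configuration above and ignores recursive next-hop resolution.

```python
import ipaddress

# BJ_Router's static routes from the configuration above: (prefix, next hop, distance).
BJ_STATIC_ROUTES = [
    ("192.168.10.0/24", "10.0.0.2", 1),
    ("192.168.20.0/24", "10.0.0.2", 1),
    ("192.168.30.0/24", "10.0.0.2", 1),
    ("0.0.0.0/0", "1.1.1.2", 1),      # primary default route over the VPN link
    ("0.0.0.0/0", "10.1.2.2", 100),   # floating backup via Ethernet1/2
]
# Connected interfaces: name -> (address with prefix length, admin up?)
BJ_INTERFACES = {
    "FastEthernet0/0": ("10.0.0.1/30", True),
    "FastEthernet0/1": ("1.1.1.1/30", True),
    "Ethernet1/2": ("10.1.2.1/30", True),
}

def build_rib(static_routes, interfaces):
    """Install, per prefix, the usable static route with the lowest administrative
    distance. A route is usable only when its next hop lies in a connected subnet
    whose interface is up; when that interface goes down the route is withdrawn and
    the higher-distance floating route takes its place."""
    up_subnets = [ipaddress.ip_interface(a).network for a, up in interfaces.values() if up]
    rib = {}
    for prefix, next_hop, distance in static_routes:
        if not any(ipaddress.ip_address(next_hop) in net for net in up_subnets):
            continue  # next hop unreachable: route stays out of the table
        net = ipaddress.ip_network(prefix)
        if net not in rib or distance < rib[net][1]:
            rib[net] = (next_hop, distance)
    return rib

def lookup(rib, destination):
    """Longest-prefix match; returns the next hop or None when no route covers it."""
    ip = ipaddress.ip_address(destination)
    best = max((n for n in rib if ip in n), key=lambda n: n.prefixlen, default=None)
    return rib[best][0] if best is not None else None

def next_hop_to_shanghai(f01_up):
    """Next hop BJ_Router uses for the Shanghai Finance host with F0/1 up or shut down."""
    interfaces = dict(BJ_INTERFACES)
    interfaces["FastEthernet0/1"] = ("1.1.1.1/30", f01_up)
    return lookup(build_rib(BJ_STATIC_ROUTES, interfaces), "192.168.40.1")
```

Note that the backup exit, Ethernet1/2, carries no crypto map in the configuration above, so finance traffic that fails over to 10.1.2.2 crosses the backup link without IPsec protection unless the crypto map is applied to that interface as well.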