Project requirements:
The ten departments are separated by VLANs; hosts obtain their IP addresses automatically and access the Internet; the other departments must not be able to reach the executive segment or the finance segment.
Wireless is split into internal wireless and guest wireless (guest wireless must not reach the internal network).
The staff cafeteria segment must not have Internet access.
The Cisco 3945 connects the branch office over a leased line, so that the branch can reach the internal www and ftp servers.
All Internet access goes through the ASA 5520.
Plan:
We use:
10.10.90.0/24 server segment, VLAN 90
10.10.100.0/24 device management segment, VLAN 100
10.10.101.0/24 department segment, VLAN 101
10.10.102.0/24 department segment, VLAN 102
10.10.103.0/24 department segment, VLAN 103
10.10.104.0/24 department segment, VLAN 104
10.10.105.0/24 department segment, VLAN 105
10.10.106.0/24 department segment, VLAN 106
10.10.107.0/24 department segment, VLAN 107
10.10.108.0/24 department segment, VLAN 108
10.10.109.0/24 internal AP segment, VLAN 109
10.10.110.0/24 staff cafeteria segment, VLAN 110
10.10.112.0/24 finance segment, VLAN 112
10.10.113.0/24 executive segment, VLAN 113
10.10.114.0/24 guest AP segment, VLAN 114
Topology
4507R configuration
DHCP configuration
! One pool per user VLAN; .250-.254 of each /24 are kept out of the pool for the
! SVI gateway and other infrastructure addresses.
ip dhcp pool vlan100
network 10.10.100.0 255.255.255.0
default-router 10.10.100.254
dns-server 219.141.136.10 8.8.8.8
exit
ip dhcp excluded-address 10.10.100.250 10.10.100.254
ip dhcp pool vlan101
network 10.10.101.0 255.255.255.0
default-router 10.10.101.254
dns-server 219.141.136.10 8.8.8.8
exit
ip dhcp excluded-address 10.10.101.250 10.10.101.254
......
! (the remaining VLAN pools follow the same pattern)
ip dhcp pool vlan114
network 10.10.114.0 255.255.255.0
default-router 10.10.114.254
dns-server 219.141.136.10 8.8.8.8
exit
ip dhcp excluded-address 10.10.114.250 10.10.114.254
Interface configuration (links to the ASA, the 3945 and the wireless controller)
! routed link to the firewall
interface GigabitEthernet1/2
description To CiscoASA 5520
no switchport
ip address 10.10.10.2 255.255.255.0
no shut
! the 3945 sits in the server VLAN
interface GigabitEthernet1/3
description To Cisco 3945
switchport access vlan 90
no shut
! trunk carrying the internal and guest wireless VLANs to the WLC
interface GigabitEthernet1/4
description To Cisco 2504 Wireless Controller
switchport mode trunk
no shut
VLAN configuration
vlan 100
name xxxx
int vlan 100
ip add 10.10.100.254 255.255.255.0
no shut
vlan 101
name xxxx
int vlan 101
ip add 10.10.101.254 255.255.255.0
no shut
......
vlan 112
name xxxx
int vlan 112
ip add 10.10.112.254 255.255.255.0
no shut
! ACL 112 denies traffic from the other user VLANs into finance, so it must be
! applied outbound on this SVI (packets being forwarded into VLAN 112). Applied
! inbound it would only see packets sourced from 10.10.112.0/24 and never match.
ip access-group 112 out
vlan 113
name xxxx
int vlan 113
ip add 10.10.113.254 255.255.255.0
no shut
ip access-group 113 out
vlan 114
name xxxx
int vlan 114
ip add 10.10.114.254 255.255.255.0
no shut
! ACL 114 denies guest-sourced traffic into the internal network; inbound on the
! guest SVI is exactly where those packets are seen.
ip access-group 114 in
Server VLAN (configured separately; no DHCP pool, .254 belongs to the 3945)
vlan 90
name xxxx
int vlan 90
ip add 10.10.90.253 255.255.255.0
no shut
Access control
! IOS wildcard masks are bit masks, not ranges: 10.10.100.0 0.0.16.255 would match
! only 10.10.100.x and 10.10.116.x. 10.10.96.0 0.0.31.255 covers 10.10.96.0 to
! 10.10.127.255, i.e. every user VLAN 100-114, while the server segment
! 10.10.90.0/24 stays permitted by the final entry.
access-list 112 deny ip 10.10.96.0 0.0.31.255 10.10.112.0 0.0.0.255
access-list 112 permit ip any any
access-list 113 deny ip 10.10.96.0 0.0.31.255 10.10.113.0 0.0.0.255
access-list 113 permit ip any any
! Guest AP segment: drop everything guests send into 10.10.0.0/16 (servers,
! management and all user VLANs); the permit lets guest traffic out to the Internet.
access-list 114 deny ip 10.10.114.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 114 permit ip any any
Routing
! default route to the ASA inside interface
ip route 0.0.0.0 0.0.0.0 10.10.10.1
Cisco 3945 configuration
Interface configuration
! leased line to the branch office
interface GigabitEthernet0/1
ip address 1.1.1.1 255.255.255.0
ip nat outside
no shut
interface GigabitEthernet0/2
description to server
ip address 10.10.90.254 255.255.255.0
ip nat inside
no shut
Routing
ip route 0.0.0.0 0.0.0.0 1.1.1.2
! the rest of the campus (10.10.0.0/16) is reached through the 4507R SVI in VLAN 90
ip route 10.10.0.0 255.255.0.0 10.10.90.253
NAT configuration
! outbound: only the two published servers are translated towards the branch
access-list 100 permit ip host 10.10.90.10 any
access-list 100 permit ip host 10.10.90.11 any
ip nat inside source list 100 interface GigabitEthernet0/1 overload
! inbound from the branch: publish www on 10.10.90.10 and TCP 22 on 10.10.90.11
! (the requirements name ftp, which would be TCP 21; this entry publishes port 22)
ip nat inside source static tcp 10.10.90.10 80 1.1.1.1 80 extendable
ip nat inside source static tcp 10.10.90.11 22 1.1.1.1 22 extendable
ASA 5520 configuration
Interface configuration
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 2.2.2.1 255.255.255.252
no shutdown
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
no shutdown
Access control configuration
! ACL 100 selects which inside sources are translated by the nat statement in the
! next section: a deny entry exempts the source from NAT, so it gets no Internet
! access. The staff cafeteria segment (VLAN 110) must not reach the Internet.
access-list 100 extended deny ip 10.10.110.0 255.255.255.0 any
! aligned network/mask pair covering the user VLANs 10.10.96.0 to 10.10.127.255
access-list 100 extended permit ip 10.10.96.0 255.255.224.0 any
access-list 100 extended permit ip any any
Routing and NAT configuration
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
route inside 10.10.0.0 255.255.0.0 10.10.10.2 1
! policy NAT (pre-8.3 syntax): sources permitted by ACL 100 are PAT'ed to the
! outside interface address
global (outside) 2 interface
nat (inside) 2 access-list 100
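Both filtering points in this design are easy to get subtly wrong: an IOS wildcard mask is a bit mask rather than a range, an SVI ACL applied `in` only sees packets sourced in that VLAN, and on the ASA it is the NAT ACL, not a firewall rule, that decides which segments reach the Internet. The following Python script is an added example, not part of the original page and not Cisco tooling: it models the 4507R SVI ACLs (access-list 112/113/114) and the ASA `nat (inside) 2 access-list 100` policy statelessly, using the subnet plan from the page (VLAN N = 10.10.N.0/24) and sample flows constructed from the requirements. The host addresses, the flow names and the PAGE/FIXED variants are assumptions made for the demonstration.

```python
"""Added example (not from the page): stateless model of the 4507R SVI ACLs and the
ASA policy-NAT ACL, checked against the design requirements.
Relies on the page's plan, where VLAN id N maps to 10.10.N.0/24."""
import ipaddress


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


def third_octets_covered(base, wildcard):
    """Which 10.10.X.0/24 segments an IOS base/wildcard pair actually covers."""
    return [x for x in range(256) if wildcard_match(f"10.10.{x}.1", base, wildcard)]


ANY = ("0.0.0.0", "255.255.255.255")


def ios_acl_permits(acl, src, dst):
    """First match wins; entries are (action, src, src_wc, dst, dst_wc)."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def vlan_of(addr):
    return int(addr.split(".")[2])  # VLAN id == third octet in this plan


def svi_path_permits(bindings, src, dst):
    """bindings: {vlan: (direction, acl)}. An 'in' ACL on SVI N sees packets sourced
    in VLAN N; an 'out' ACL on SVI N sees packets forwarded into VLAN N.
    Intra-VLAN traffic is switched and never reaches an SVI ACL."""
    if vlan_of(src) == vlan_of(dst):
        return True
    for vlan, (direction, acl) in bindings.items():
        hit = ((direction == "in" and vlan == vlan_of(src))
               or (direction == "out" and vlan == vlan_of(dst)))
        if hit and not ios_acl_permits(acl, src, dst):
            return False
    return True


def dept_acl(dst_net, src_base, src_wc):
    """Shape used on the page: deny <user VLANs> -> dst_net, then permit any."""
    return [("deny", src_base, src_wc, dst_net, "0.0.0.255"), ("permit", *ANY, *ANY)]


# Page variant: wildcard 0.0.16.255, applied inbound on the protected SVIs.
PAGE_SVI = {112: ("in", dept_acl("10.10.112.0", "10.10.100.0", "0.0.16.255")),
            113: ("in", dept_acl("10.10.113.0", "10.10.100.0", "0.0.16.255"))}
# Corrected variant: 10.10.96.0 0.0.31.255 (user VLANs 96-127) applied outbound on the
# protected SVIs; the guest SVI filters guest-sourced packets inbound.
FIXED_SVI = {112: ("out", dept_acl("10.10.112.0", "10.10.96.0", "0.0.31.255")),
             113: ("out", dept_acl("10.10.113.0", "10.10.96.0", "0.0.31.255")),
             114: ("in", [("deny", "10.10.114.0", "0.0.0.255", "10.10.0.0", "0.0.255.255"),
                          ("permit", *ANY, *ANY)])}


def asa_nat_translates(acl, src):
    """ASA 'nat (inside) 2 access-list 100': first match, netmask syntax; a matching
    deny exempts the source from translation, so it never reaches the Internet."""
    for action, net, mask in acl:
        if ipaddress.IPv4Address(src) in ipaddress.IPv4Network(f"{net}/{mask}", strict=False):
            return action == "permit"
    return False


# Page variant exempts the guest AP segment; corrected variant exempts the cafeteria.
PAGE_ASA_NAT = [("deny", "10.10.114.0", "255.255.255.0"),
                ("permit", "10.10.100.0", "255.255.240.0"),  # unaligned: really 96-111
                ("permit", "0.0.0.0", "0.0.0.0")]
FIXED_ASA_NAT = [("deny", "10.10.110.0", "255.255.255.0"),
                 ("permit", "10.10.96.0", "255.255.224.0"),
                 ("permit", "0.0.0.0", "0.0.0.0")]


def requirement_report(svi_bindings, nat_acl):
    """Sample flows constructed from the requirements; True means the flow is allowed."""
    host = {vlan: f"10.10.{vlan}.20" for vlan in (90, 101, 109, 110, 112, 113, 114)}
    return {
        "dept101_to_finance": svi_path_permits(svi_bindings, host[101], host[112]),
        "dept101_to_exec": svi_path_permits(svi_bindings, host[101], host[113]),
        "servers_to_finance": svi_path_permits(svi_bindings, host[90], host[112]),
        "guest_to_internal_ap": svi_path_permits(svi_bindings, host[114], host[109]),
        "cafeteria_internet": asa_nat_translates(nat_acl, host[110]),
        "guest_internet": asa_nat_translates(nat_acl, host[114]),
    }


if __name__ == "__main__":
    print("0.0.16.255 from 10.10.100.0 covers", third_octets_covered("10.10.100.0", "0.0.16.255"))
    print("0.0.31.255 from 10.10.96.0 covers", third_octets_covered("10.10.96.0", "0.0.31.255"))
    print("page ", requirement_report(PAGE_SVI, PAGE_ASA_NAT))
    print("fixed", requirement_report(FIXED_SVI, FIXED_ASA_NAT))
```

Running it shows that the page's wildcard covers only the 10.10.100.x and 10.10.116.x sources and that, applied inbound, ACL 112 and 113 never see a departmental host heading for finance or the executives, while the page's NAT ACL exempts the guest segment instead of the cafeteria. The model is stateless by design; a stateful firewall between the user VLANs would be the stronger control, but the script checks the design the page actually describes.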