项目要求:
不同部门(10个部门)间用vlan隔开,主机自己获取ip地址上网,其他部门不能访问高管网段和财务所在的网段。
无线分为内部无线和访客无线(不能访问内服网络)
员工餐厅所在网段不能上网
cisco3945用于连接分部(通过专线,用于分部访问内部的服务器www和ftp)
所以的上网通过asa5520
不同部门(10个部门)间用vlan隔开,主机自己获取ip地址上网,其他部门不能访问高管网段和财务所在的网段。
无线分为内部无线和访客无线(不能访问内服网络)
员工餐厅所在网段不能上网
cisco3945用于连接分部(通过专线,用于分部访问内部的服务器www和ftp)
所以的上网通过asa5520
规划:
我们使用
我们使用
10.10.90.0/24 服务器网段vlan90
10.10.100.0/24 作为设备管理网段 vlan100
10.10.101.0/24
10.10.102.0/24
10.10.103.0/24
10.10.104.0/24
10.10.105.0/24
10.10.106.0/24
10.10.107.0/24
10.10.108.0/24
10.10.109.0/24 内网AP网段 vlan109
10.10.110.0/24 员工餐厅网段 vlan110
10.10.112.0/24 财务网段 vlan112
10.10.113.0/24 高管网段 vlan113
10.10.114.0/24 访客AP网段 vlan114
拓扑
4507R配置
DHCP配置
ip dhcp pool vlan100
network 10.10.100.0 255.255.255.0
default-router 10.10.100.254
dns-server 219.141.136.10 8.8.8.8
exit
ip dhcp excluded-address 10.10.100.250 10.10.100.254
ip dhcp pool vlan101
network 10.10.101.0 255.255.255.0
default-router 10.10.101.254
dns-server 219.141.136.10 8.8.8.8
exit
ip dhcp excluded-address 10.10.101.250 10.10.101.254
......
ip dhcp pool vlan114
network 10.10.114.0 255.255.255.0
default-router 10.10.114.254
dns-server 219.141.136.10 8.8.8.8
exit
ip dhcp excluded-address 10.10.114.250 10.10.114.254
network 10.10.100.0 255.255.255.0
default-router 10.10.100.254
dns-server 219.141.136.10 8.8.8.8
exit
ip dhcp excluded-address 10.10.100.250 10.10.100.254
ip dhcp pool vlan101
network 10.10.101.0 255.255.255.0
default-router 10.10.101.254
dns-server 219.141.136.10 8.8.8.8
exit
ip dhcp excluded-address 10.10.101.250 10.10.101.254
......
ip dhcp pool vlan114
network 10.10.114.0 255.255.255.0
default-router 10.10.114.254
dns-server 219.141.136.10 8.8.8.8
exit
ip dhcp excluded-address 10.10.114.250 10.10.114.254
配置接口到
interface GigabitEthernet1/2
description To CiscoASA 5520
no switchport
ip address 10.10.10.2 255.255.255.0
description To CiscoASA 5520
no switchport
ip address 10.10.10.2 255.255.255.0
no shut
interface GigabitEthernet1/3
description To Cisco 3945
switchport access vlan 90
description To Cisco 3945
switchport access vlan 90
no shut
interface GigabitEthernet1/4
description To Cisco 2504 Wireless Controller
switchport mode trunk
description To Cisco 2504 Wireless Controller
switchport mode trunk
vlan 设置
vlan 100
name xxxx
int vlan 100
ip add 10.10.100.254 255.255.255.0
no shut
vlan 101
name xxxx
int vlan 101
ip add 10.10.101.254 255.255.255.0
no shut
......
vlan 112
name xxxx
int vlan 112
ip add 10.10.112.254 255.255.255.0
no shut
ip access-group 112 in
vlan 113
name xxxx
int vlan 113
ip add 10.10.113.254 255.255.255.0
no shut
ip access-group 113 in
vlan 114
name xxxx
int vlan 114
ip add 10.10.114.254 255.255.255.0
no shut
ip access-group 114 in
name xxxx
int vlan 100
ip add 10.10.100.254 255.255.255.0
no shut
vlan 101
name xxxx
int vlan 101
ip add 10.10.101.254 255.255.255.0
no shut
......
vlan 112
name xxxx
int vlan 112
ip add 10.10.112.254 255.255.255.0
no shut
ip access-group 112 in
vlan 113
name xxxx
int vlan 113
ip add 10.10.113.254 255.255.255.0
no shut
ip access-group 113 in
vlan 114
name xxxx
int vlan 114
ip add 10.10.114.254 255.255.255.0
no shut
ip access-group 114 in
服务器端单独设置
vlan 90
name xxxx
int vlan 90
ip add 10.10.90.253 255.255.255.0
no shut
name xxxx
int vlan 90
ip add 10.10.90.253 255.255.255.0
no shut
访问控制
access-list 112 deny ip 10.10.100.0 0.0.16.255 10.10.112.0 0.0.0.255
access-list 112 permit ip any any
access-list 113 deny ip 10.10.100.0 0.0.16.255 10.10.113.0 0.0.0.255
access-list 113 permit ip any any
access-list 114 deny ip 10.10.100.0 0.0.16.255 10.10.114.0 0.0.0.255
access-list 114 deny ip 10.10.100.90 0.0.0.255 10.10.114.0 0.0.0.255
access-list 114 permit ip any any
access-list 112 permit ip any any
access-list 113 deny ip 10.10.100.0 0.0.16.255 10.10.113.0 0.0.0.255
access-list 113 permit ip any any
access-list 114 deny ip 10.10.100.0 0.0.16.255 10.10.114.0 0.0.0.255
access-list 114 deny ip 10.10.100.90 0.0.0.255 10.10.114.0 0.0.0.255
access-list 114 permit ip any any
路由设置
ip route 0.0.0.0 0.0.0.0 10.10.10.1
cisco3945配置
接口配置
interface GigabitEthernet0/1
ip address 1.1.1.1 255.255.255.0
ip nat outside
no shut
interface GigabitEthernet0/2
ip address 10.10.90.254 255.255.255.0
description to server
ip nat inside
no shut
ip address 1.1.1.1 255.255.255.0
ip nat outside
no shut
interface GigabitEthernet0/2
ip address 10.10.90.254 255.255.255.0
description to server
ip nat inside
no shut
路由设置
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 10.10.0.0 255.255.0.0 10.10.90.253
ip route 10.10.0.0 255.255.0.0 10.10.90.253
nat设置
access-list 100 permit ip host 10.10.90.10 any
access-list 100 permit ip host 10.10.90.11 any
ip nat inside source list 100 interface GigabitEthernet0/1 overload
access-list 100 permit ip host 10.10.90.11 any
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.10.90.10 80 1.1.1.1 80 extendable
ip nat inside source static tcp 10.10.90.11 22 1.1.1.1 22 extendable
asa5520设置
接口设置
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 2.2.2.1 255.255.255.252
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
nameif outside
security-level 0
ip address 2.2.2.1 255.255.255.252
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
访问控制设置
access-list 100 extended deny ip 10.10.114.0 255.255.255.0 any
access-list 100 extended permit ip 10.10.100.0 255.255.240.0 any
access-list 100 extended permit ip any any
access-list 100 extended permit ip 10.10.100.0 255.255.240.0 any
access-list 100 extended permit ip any any
路由,nat设置
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
route inside 10.10.0.0 255.255.0.0 10.10.10.2 1
route inside 10.10.0.0 255.255.0.0 10.10.10.2 1
global (outside) 2 interface
nat (inside) 2 access-list 100
nat (inside) 2 access-list 100
