1、目 錄第一章、總體設計21.1 用戶需求21.2 實施的目的31.3 系統(tǒng)設計原則31.4 設計依據(jù)和規(guī)范41.5 網(wǎng)絡設備服務卡41.6 系統(tǒng)軟件登記表4第二章、杭電網(wǎng)絡工程施工計劃52.1 主要設備清單52.2 施工計劃表6第三章、杭電網(wǎng)絡工程施工過程73.1 網(wǎng)絡設備詳細信息和IP地址分配表73.2 VLAN間訪問規(guī)則83.3 施工流程83.4 施工過程93.4.1 Catalyst 6506的安裝過程93.4.2 配置Catalyst 6506的系統(tǒng)參數(shù)93.4.3 配置Catalyst 6506的VLAN103.4.4 配置配置6509交換機的三層交換模塊153.4.5 配置6506

2、交換機VLAN間的訪問規(guī)則153.4.6 配置6506交換機的CDP和SNMP153.4.7 配置6506交換機的STP163.4.8 配置Catalyst 3500的安裝過程163.4.9 配置Cisco 防火墻PIX 520的安裝過程183.4.10 配置CACHE ENGINE 550的安裝過程193.4.11 配置Cisco3640的安裝過程223.4.12 配置Cisco Works網(wǎng)管軟件243.5 設備模擬連接調(diào)試階段263.6 設備安裝階段263.7 系統(tǒng)連調(diào)階段273.8 INTERNET連接27第四章、具體設備配置實例294.1 Catalyst 6506294.2 ses

3、sion 15344.3 二級交換機Catalyst 3500384.4 防火墻PIX520414.5 CACHE ENGINE 550444.6 Cisco3640路由器45第五章、工程總結(jié)47第一章、總體設計 1.1 用戶需求 此網(wǎng)絡工程所要達到的主要目標如下： (1)支持全校現(xiàn)有的計算機，連接校園內(nèi)實驗大樓、行政大樓、電教大樓、圖書館和成教大樓等，將本校現(xiàn)有的及將來要配置的各種PC、工作站和終端通過高性能的網(wǎng)絡設備連接起來，組成分布式、開放性的網(wǎng)絡環(huán)境，以提高教育科研水平。(2)充分利用原有的主干光纜和樓內(nèi)布線系統(tǒng)，將目前的百兆主干快速以太網(wǎng)升級到千兆主干、百兆交換到桌面的高速交換式以太

4、網(wǎng)。同時，保護原有網(wǎng)絡設備投資，將目前運行的IBM公司系列網(wǎng)絡產(chǎn)品有效地集成到升級系統(tǒng)中。(3)在Internet互連網(wǎng)絡系統(tǒng)平臺上，以數(shù)據(jù)庫、Web、電子郵件、為基礎的系統(tǒng)；并構(gòu)建內(nèi)部Intranet系統(tǒng)，與已有系統(tǒng)實現(xiàn)互聯(lián)。(4)網(wǎng)絡與數(shù)據(jù)安全是目前計算機信息技術所面臨的重要挑戰(zhàn)，解決安全問題的技術與方案有很多，通過防火墻、web cache服務器建設確定完整統(tǒng)一的安全策略（Security Policy）也是校園網(wǎng)可靠運行的保證。(5)考慮與其它學校、科學教育網(wǎng)絡相連，可通過CERNET與國內(nèi)外其它網(wǎng)絡相連接、實現(xiàn)遠程教學。(6)網(wǎng)絡具有友好、一致的用戶界面和豐富的管理應用系統(tǒng)。(7)

5、在網(wǎng)絡升級基礎上規(guī)劃相應的應用系統(tǒng)，具體包括：學校網(wǎng)站的建設OA（辦公管理）系統(tǒng)建設：電子郵件、公文處理、檔案管理、會議管理、電子公告、電子論壇、備忘信息等多媒體輔助教學系統(tǒng)連接原有圖書管理系統(tǒng) VOD視頻點播及視頻會議系統(tǒng) 1.2 實施的目的 分析用戶需求，可知該網(wǎng)絡工程所含的內(nèi)容包括： (1) 運用虛擬網(wǎng)技術，建設杭電校園千兆主干網(wǎng),使其覆蓋全校各主要建筑物，將學校內(nèi)各種PC、LAN連接為一個結(jié)構(gòu)合理、內(nèi)外連通，并支持多種協(xié)議和異種機的園區(qū)網(wǎng)。 (2) 通過在信息中心代理服務器的設立與科教網(wǎng)相連并可與Internet互連。 (3) 新校區(qū)的由于其與科教網(wǎng)相連的特殊性，因此可分別設立獨立的三

6、個代理服務器與Internet互連。 (4) 根據(jù)科學的安全策略，通過Cisco PIX520防火墻配置，從而有效的隔絕內(nèi)網(wǎng)和外網(wǎng)，但同時又能實現(xiàn)公網(wǎng)對杭電校內(nèi)網(wǎng)站和對外開放資源的訪問。(5) 通過Cache Egeine 505與Cisco 6506之間WCCP配置建立高速的Internet訪問通道。(6) 通過CiscoWorks網(wǎng)管軟件實施有效的網(wǎng)絡管理。 1.3 系統(tǒng)設計原則連續(xù)性原則：充分利用現(xiàn)有資源（包括現(xiàn)有的網(wǎng)絡、計算機和應用資源），使系統(tǒng)既能與前期系統(tǒng)相銜接，同時具有一定的可擴充性，為后期工作打下基礎。實用性原則：在保證使用要求和技術可行性的前提下，要選擇易于操作、管理、見效的

7、設計和設備。安全保密原則：設計中應注意各個環(huán)節(jié)的安全保密，統(tǒng)籌規(guī)劃，不可偏廢。信息共享原則：設計必須考慮信息在一定的條件下、一定范圍內(nèi)的共享。先進性原則：系統(tǒng)建設要與當今先進的計算機網(wǎng)絡發(fā)展技術相適應，保證系統(tǒng)的先進性、開放性、高可靠性和可擴展性的有機結(jié)合。 1.4 設計依據(jù)和規(guī)范主機和網(wǎng)絡設備的選型符合下列國家和組織的技術標準和規(guī)范：GB：中華人民共和國國家標準ISO：國際標準組織ITU-T：國際電信聯(lián)盟IEEE：國際電氣與電子工程師協(xié)會EIA：電氣工業(yè)協(xié)會IEC：國際電工協(xié)會 1.5 網(wǎng)絡設備服務卡（見附件） 1.6 系統(tǒng)軟件登記表（見附件）第二章、杭電網(wǎng)絡工程施工計劃 2.1 主要設備清

8、單杭電校園網(wǎng)升級改造工程網(wǎng)絡主干設備清單：No.Product No.DescriptionQty1Ws-c6506Catalyst 6506 chassis12WS-CAC-1300Catalyst 6506 Chassis w/ 1300W AC Power Supply13WS-X6K-S2-MSFC2Catalyst 6000 Supervisor Engine2-A, 2GE, plus MSFC-2 & PFC14WS-X6408-GBICCatalyst 6000 8-port Gigabit Ethernet Module (Req. GBICs)15WS-G54841000B

9、ASE-SX Short Wavelength GBIC (Multimode only)66WS-X6348-RJ-45Catalyst 6000 48-port 10/100 RJ-45 Module17WS-C6500-SFMCatalyst 6500 Switch Fabric Model18WS-C3524-XL-ENCatalyst 3524 XL Enterprise Edition39WS-C3548-XL-ENCatalyst 3548 XL Enterprise Edition210WS-G54841000BASE-SX Short Wavelength GBIC (Mul

10、timode only)711CISCO3640Cisco 3600 4-slot Modular Router-AC with IP Software112NM-2FE2W2 10/100 Ethernet 2 WAN Card Slot Network Module113PIX-520-1K-CHMidrange PIX Firewall 520, two 10/100 Enet NICs114CE-550Cache Engine 550115CWW-5.0Cisco works for windows 6.0116JSX-FM-2WIBM8274 2 Port Gigabit Ether

11、net Module1Total 2.2 施工計劃表系統(tǒng)設備列表 Cisco 6506主交換機 Cisco 3524二級換機 Cisco 3548二級換機 Cisco PIX520防火墻 Cache Engine 550 Cisco 3640路由器環(huán)境檢查（10分鐘） UPS 電源質(zhì)量 溫度和濕度 接地系統(tǒng)電阻要求設備開包（60分鐘）主交換設備二級交換設路由器防火墻電源線纜系統(tǒng)上電（20分鐘）cisco6506主機系統(tǒng)（10分鐘）各CISCO3500系列主機（60分鐘）系統(tǒng)上電正常以及上電失敗的相應動作對照系統(tǒng)訂單檢查系統(tǒng)的功能部件（30分鐘）中央處理器內(nèi)存磁盤（內(nèi)置以及外置）設備/適配器操作

12、系統(tǒng)安裝（150分鐘*2）升級Cisco3640 IOS操作系統(tǒng)的（150分鐘）安裝在線幫助，包括Info，電子書籍，配置書籍搜索程序第三章、杭電網(wǎng)絡工程施工過程 3.1 網(wǎng)絡設備詳細信息和IP地址分配表(見附表)3.2 VLAN間訪問規(guī)則注： 默認情況下VLAN間的IP包訪問不受限制3.3 施工流程以下是本次工程中網(wǎng)絡設備的施工流程圖 開始配置6506安裝模塊、配置名字、口令、遠端控制 配置 VLAN 配置 MSFC 配置 SNMP配置3500安裝模塊、名字、口令、遠端控制 配置 VLAN 配置 SNMP 配置 網(wǎng)關配置CE-505名字、口令、遠端控制 配置 WCCP 配置 網(wǎng)關、DNS配置

13、PIX安裝網(wǎng)卡、名字、口令、端口狀態(tài) 配置 端口地址 配置 路由 配置 安全規(guī)則配置3640路由器安裝模塊、名字、口令、端口狀態(tài) 配置 端口地址 配置 路由 配置 安全規(guī)則設備到位 整體聯(lián)調(diào) 測試與故障解決 3.4 施工過程 3.4.1 Catalyst 6506的安裝過程模塊安裝安裝6506的電源模塊； WS-X6K-S1A-MSFC2； WS-X6408-GBIC； WS-G5484； WS-X6248-RJ-45； WS-C6500-SFMCisco Catalyst 6506 由工廠根據(jù)定貨單直接安裝好標準配置的模塊，但電源、路由等尚未安裝，所以首先將待安裝的各模塊拆開，裝入6506的

14、電源插槽。上電檢查6506的各個模塊的工作狀態(tài)是否正常：接入6506電源，由于6506有兩個電源作為冗余，所以最好兩個電源分別接入兩路UPS電源上，這樣即使當UPS其中一路電源故障時，不會影響整個6506交換機的正常遠行，當6506交換機上電初始化結(jié)束后，從各個模塊面板上的LED燈的狀態(tài)可以判斷各個模塊的工作狀態(tài)是否正常。 3.4.2 配置Catalyst 6506的系統(tǒng)參數(shù) 當6506交換機初始化結(jié)束后，就進入系統(tǒng)單機配置階段。對于6506來說，首先需要配置系統(tǒng)參數(shù)，其中包括以下幾個部分：機器名、口令和遠程登陸等。以下是具體配置過程：cisco6506 enable cisco6506（en

15、able）set system name cisco6506說明：配置6506的名字為CISCO6506cisco6506 enable cisco6506（enable）set enable password cisco說明：配置6506的enable 口令為ciscocisco6506 enable cisco6506（enable）set interface sc0 1 192.168.9.3/255.255.255.0 cisco6506（enable）set ip route 0.0.0.0/0.0.0.0 192.168.9.254 說明：配置6506的CPU模塊上的以太網(wǎng)IP地址

16、為：192.168.9.3，且只允許本網(wǎng)段任何地址存取 3.4.3 配置Catalyst 6506的VLAN 網(wǎng)絡IP地址分配策略杭電校園網(wǎng)是覆蓋全院的廣域網(wǎng)絡，其網(wǎng)絡主干連接的節(jié)點多，因此，要保證網(wǎng)絡的有效性和可管理性，網(wǎng)絡地址的規(guī)劃與分配是十分重要的問題。網(wǎng)絡地址是一種資源，必須經(jīng)過優(yōu)化的規(guī)劃和設計，因為很難預測網(wǎng)絡將來的規(guī)模和應用情況的發(fā)展，如果規(guī)劃不當，將導致地址資源不夠用，網(wǎng)絡的擴展將受到極大的限制；如果規(guī)劃過于龐大，則在現(xiàn)行運行過程中，網(wǎng)絡的路由將會復雜，影響網(wǎng)絡的效率。網(wǎng)絡地址的分配應遵循以下的原則：唯一性：在同一個互聯(lián)網(wǎng)絡內(nèi)網(wǎng)絡地址應該保持其唯一性；簡單性：地址的分配應該簡單，

17、避免在主干上采用復雜的掩碼方式；連續(xù)性：為同一個網(wǎng)絡區(qū)域分配連續(xù)的網(wǎng)絡地址，便于縮減路由表的表項，提高路由器的處理效率，這種技術稱為地址疊合（Summarization）；可擴充性：為一個網(wǎng)絡區(qū)域分配的網(wǎng)絡地址應該具有一定的容量，便于主機數(shù)量增加時仍然能夠保持地址的連續(xù)性；靈活性：地址分配不應該基于某個網(wǎng)絡路由策略的優(yōu)化方案，應該便于多數(shù)路由策略在該地址分配方案上實現(xiàn)優(yōu)化；可管理性：地址的分配應該有層次，某個局部的變動不要影響上層、全局。在對一個具體部門擁有的某個或幾個子區(qū)劃分子網(wǎng)時，要根據(jù)本部門的具體應用需求來合理分配子網(wǎng)資源，并且要留有一定的余地，這要從子網(wǎng)數(shù)和某一個子網(wǎng)所擁有的最大主機數(shù)

18、兩個方面來考慮。根據(jù)我們對杭電校園網(wǎng)的網(wǎng)絡地址規(guī)劃和分配的了解，我們采用以C類地址為主B類地址為輔的地址分配原則。前二位（192.168）作為公共網(wǎng)絡地址，第三位作為各VLAN的地址，并第四位的（254）作為各VLAN的網(wǎng)關（地址分配表見附表） 杭電計算機網(wǎng)絡根據(jù)業(yè)務功能的不同，可以分為51個VLAN，51個VLAN各自獨立，分別屬于不同的廣播域，默認情況下不同VLAN間可互相訪問，根據(jù)不同安全策略，access-list表可作訪問控制樓幢機構(gòu)端口分配VLAN IDVLAN命名網(wǎng)關行政樓黨政辦領導1-18VLAN 10DangZheng192.168.10.254人事處19-24VLAN 11

19、RenShi192.168.11.254教務處25-27VLAN 12JiaoWu192.168.12.254科研財務28-32VLAN 13Xz_1_west192.168.13.254研究所33-36VLAN 14YanjiuSheng192.168.14.254組織、宣傳、綜合37-42VLAN 15XuanChuan192.168.15.254離休等192.168.16.254紀監(jiān)、后勤、高教等43-46VLAN 17Xz_2_west192.168.17.254電教CAD1-2VLAN 18Cad192.168.18.254電教3-4VLAN 19DianJiao 192.168.1

20、9.254計算中心5-10VLAN 20Computer_Center192.168.20.254408自備房11-14VLAN 21Student192.168.21.254 樓幢機構(gòu)端口分配VLAN IDVLAN命名網(wǎng)關實驗樓文理學院1-2VLAN 22WenLi192.168.22.254機電分院3-4VLAN 23JiDian192.168.23.254自動化分院5-6VLAN 24ZiDongHua192.168.24.254財經(jīng)分院7-8VLAN 25Caijing192.168.25.254管理分院9-10VLAN 26GuanLi192.168.26.254計算機分院11-12

21、VLAN 27JiSuanJi192.168.27.254電子分院13-14VLAN 28DianZi192.168.28.254通信分院15-16VLAN 29Tongxin192.168.29.254信息分院17-18VLAN 30XinXi192.168.30.254CAE所19-20VLAN 31CAE192.168.31.254設備處21-22VLAN 32SB_other192.168.32.254網(wǎng)管23-35VLAN 37NIC_1(服務器)192.168.37.25437-42VLAN 33NIC_2（備用）192.168.33.25443-48VLAN 46NIC_3 （學

22、生）192.168.46.254計算機分院1-2VLAN 38proxy192.168.38.2543-4VLAN 39computer_1192.168.39.2545-6VLAN 40computer_2192.168.40.2547-8VLAN 41computer_3192.168.41.2549-10VLAN 42computer_4192.168.42.25411-12VLAN 43computer_5192.168.43.25413-14VLAN 44computer_6192.168.44.254 樓幢機構(gòu)端口分配VLAN IDVLAN命名網(wǎng)關圖書館服務器VLAN 45LIB_

23、server192.168.45.254客戶端1-24VLAN 36Lib_1192.168.36.254 具體配置過程如下：cisco6506（enable）set vtp domain hzdzgxycisco6506（enable）set vtp passwd ciscocisco6506（enable）set vlan 10 name dangzheng cisco6506（enable）set vlan 11 name renshi cisco6506（enable）set vlan 12 name jiaowu cisco6506（enable）set vlan 13 name x

24、z_1_west cisco6506（enable）set vlan 14 name yanjiusheng cisco6506（enable）set vlan 15 name xuanchuan cisco6506（enable）set vlan 16 name xz_other1 cisco6506（enable）set vlan 17 name xz_other cisco6506（enable）set vlan 18 name cad cisco6506（enable）set vlan 19 name dianjiao cisco6506（enable）set vlan 20 name

25、 computer_center cisco6506（enable）set vlan 21 name shudent cisco6506（enable）set vlan 22 name wenli cisco6506（enable）set vlan 23 name jidian cisco6506（enable）set vlan 24 name zidonghua cisco6506（enable）set vlan 25 name caijing cisco6506（enable）set vlan 26 name guanli cisco6506（enable）set vlan 27 name

26、 jisuanji cisco6506（enable）set vlan 28 name dianzi cisco6506（enable）set vlan 29 name tongxin cisco6506（enable）set vlan 30 name xinxi cisco6506（enable）set vlan 31 name cae cisco6506（enable）set vlan 32 name sb_other cisco6506（enable）set vlan 33 name nic_2 cisco6506（enable）set vlan 34 name chengjiao ci

27、sco6506（enable）set vlan 35 name lib cisco6506（enable）set vlan 36 name lib_1 cisco6506（enable）set vlan 37 name nic_1 cisco6506（enable）set vlan 38 name proxy cisco6506（enable）set vlan 39 name computer_1 cisco6506（enable）set vlan 40 name computer_2 cisco6506（enable）set vlan 41 name computer_3 cisco6506

28、（enable）set vlan 42 name computer_4 cisco6506（enable）set vlan 43 name computer_5 cisco6506（enable）set vlan 44 name computer_6 cisco6506（enable）set vlan 45 name lib_server cisco6506（enable）set vlan 46 name nic_3 cisco6506（enable）set vlan 48 name dialup cisco6506（enable）set vlan 50 name 408 cisco6506（

29、enable）set vlan 51 name wy type cisco6506（enable）set vlan 999 name cache ! 說明：設置6506的VLAN名字和VTP模式cisco6506（enable）set trunk 2/1 nonegotiate isl 1-1005,1025-4094cisco6506（enable）set trunk 2/2 nonegotiate isl 1-1005,1025-4094cisco6506（enable）set trunk 2/3 nonegotiate isl 1-1005,1025-4094cisco6506（enab

30、le）set trunk 2/4 nonegotiate isl 1-1005,1025-4094cisco6506（enable）set trunk 2/5 nonegotiate isl 1-1005,1025-4094cisco6506（enable）set trunk 2/6 nonegotiate isl 1-1005,1025-4094cisco6506（enable）set trunk 2/7 nonegotiate isl 1-1005,1025-4094cisco6506（enable）set trunk 2/8 nonegotiate isl 1-1005,1025-409

31、4說明：設置6506的第二模塊1-8口為主干模式，并采用ISL協(xié)議并不可磋商。 3.4.4 配置配置6509交換機的三層交換模塊 當在6506上劃分了VLAN以后，桌面工作站就可以根據(jù)不同的需求分別加入到對應的VLAN中去，不同的VLAN的客戶機就分別屬于不同的廣播域，有各自不同的IP地址段，當需要跨網(wǎng)段互相訪問時，就必須通過路由。6506可以帶三層交換MSFC模塊，本系統(tǒng)中由于在6506上有一個超級引擎上配置了一塊MSFC模塊，隨著杭電計算機網(wǎng)絡的發(fā)展，系統(tǒng)可能的情況下，就可以利用CISCO的HSRP協(xié)議作熱備份，再配置一臺或者多臺支持HSRP協(xié)議的三層交換機，即當其中任何一塊MSFC模塊故

32、障時，另外一塊可以立即接替原來的模塊繼續(xù)工作，切換時間很短。我們可實現(xiàn)51個VLAN分別優(yōu)先運行在多個三層路由模塊上，這樣在系統(tǒng)無故障時，能到達路由數(shù)據(jù)負載分擔的目的。 3.4.5 配置6506交換機VLAN間的訪問規(guī)則 當數(shù)據(jù)在VLAN間路由時，出于對各獨立系統(tǒng)的安全考慮，在各VLAN路由端口上應用訪問列表，使VLAN之間的數(shù)據(jù)按規(guī)則通過。針對每個VLAN的所屬機構(gòu)將安全規(guī)則量化，再依次應用在端口上。Access-list 1 permit any any 其他VLAN的訪問規(guī)則見最后的具體配置。 3.4.6 配置6506交換機的CDP和SNMP 當交換機需要被網(wǎng)管時，必須配置交換機的CDP

33、和SNMP參數(shù)，其中CDP協(xié)議是CISCO公司特有的一種協(xié)議，而SNMP是標準的簡單網(wǎng)絡管理協(xié)議。其中SNMP協(xié)議需要有一個COMMUNITY NAME控制對交換機的讀寫，在本次工程中，我們定義了以下的COMMUNITY NAME：READWRITE：PRIVATEREADONLY：PUBLIC以下是具體配置命令：cisco6506enablecisco6506(enable)set cdp enable說明：啟用6506交換機的CDP協(xié)議。Cisco6506(enable)set snmp enable all說明：啟用6506交換機的SNMP功能，并啟用默認的關鍵字PUBLIC為只讀，PR

34、IVATE為讀寫。 3.4.7 配置6506交換機的STP 由于在設計的過程中，為了增加網(wǎng)絡的可靠性，在核心層交換機與匯接層交換機之間、以及核心應用中均設計了雙冗余鏈路。為了避免這些冗余鏈路所形成的透明橋接問題，必須使生成樹協(xié)議（STP）有效工作。啟動生成樹cisco6506(enable)set spantree enable all 3.4.8 配置Catalyst 3500的安裝過程 Catalyst 3500系列是CISCO公司的提供1000兆上行端口的桌面交換機，本次工程中包括3臺catalyst3524交換機和2臺catalyst3548交換機，配置過程完全一樣。以下是具體配置過程

35、：3524的配置：Current configuration:!version 12.0no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname lib說明：配置3524的NAME 為lib。enable secret 5 $1$G3SM$DbzVKE3l/fkYHpoi0XUug/enable password cisco說明：配置3524的口令interface FastEthernet0/1switchport acce

36、ss vlan 35說明：配置端口1屬于VLAN135interface GigabitEthernet0/1switchport mode trunkswitchport trunk encapsulation dot1q 說明：兩個千兆的上行口配置為TRUNK方式。interface VLAN1ip address 192.168.9.5 255.255.255.0no ip directed-broadcastno ip route-cache說明：配置VLAN1的IP地址vtp client說明：配置VTP為CLIENT方式vtp domain hzdzgxy 說明：配置VTP域名為h

37、zdzgxyline vty 0 4password ciscologinline vty 5 15password ciscologin說明：配置遠程登陸的口令為cisco 3.4.9 配置Cisco 防火墻PIX 520的安裝過程配置PIX的基本屬性 將PIX 安放至機架，經(jīng)檢測電源系統(tǒng)后接上電源，并加電主機。將CONSOLE 口連接到PC的串口上，運行Hyper Terminal 程序從CONSOLE口進入PIX系統(tǒng)；此時系統(tǒng)提示pixfirewall。輸入命令：enable，進入特權模式，此時系統(tǒng)提示為pixfirewall#。輸入命令：configure terminal，對系統(tǒng)進行

38、初始化設置。配置以太口參數(shù)： interface ethernet0 auto (auto選項表明系統(tǒng)自適應網(wǎng)卡類型) interface ethernet1 auto interface ethernet2 auto配置各功能段的安全級別： nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security50配置各網(wǎng)卡的IP地址： ip address outside 210.32.39.253 255.255.255.0 ip address inside

39、 10.0.0.254 255.255.255.0 ip address dmz 210.32.32.254 255.255.255.0指定外部地址范圍： global (outside) 1 210.32.38.254 global (dmz) 1 192.168.1.1-192.168.1.253 global (dmz) 1 192.168.1.254指定要進行轉(zhuǎn)換的內(nèi)部地址： nat (inside) 1 0.0.0.0 0.0.0.0 0 0 nat (dmz) 0 0.0.0.0 0.0.0.0 0 0設置靜態(tài)的地址轉(zhuǎn)換，將真實地址與提供服務的私有地址綁定static (dmz,o

40、utside) 210.32.32.1 210.32.32.1 netmask 255.255.255.255 0 0static (dmz,outside) 210.32.32.21 210.32.32.21 netmask 255.255.255.255 0static (dmz,outside) 210.32.32.18 210.32.32.18 netmask 255.255.255.255 0static (dmz,outside) 210.32.32.10 210.32.32.10 netmask 255.255.255.255 0static (dmz,outside) 210.

41、32.32.32 210.32.32.32 netmask 255.255.255.255 0static (dmz,outside) 210.32.32.23 210.32.32.23 netmask 255.255.255.255 0static (dmz,outside) 210.32.32.150 210.32.32.150 netmask 255.255.255.255 0 static (dmz,outside) 210.32.32.20 210.32.32.20 netmask 255.255.255.255 0static (dmz,outside) 210.32.32.229

42、 210.32.32.229 netmask 255.255.255.255 0 0static (dmz,outside) 210.32.32.50 210.32.32.50 netmask 255.255.255.255 0 0指定要進行靜態(tài)轉(zhuǎn)換的IP地址能夠通過的協(xié)議conduit permit icmp any any 允許所有ICMP通信conduit permit tcp host 210.32.32.21 range ftp www anyconduit permit tcp host 210.32.32.10 range ftp www anyconduit permit ud

43、p host 210.32.32.1 eq domain anyconduit permit tcp host 210.32.32.150 eq www anyconduit permit tcp host 210.32.32.18 range smtp pop3 anyconduit permit tcp host 210.32.32.20 eq www anyconduit permit tcp host 210.32.32.229 anyconduit permit tcp host 210.32.32.50 eq telnet anyconduit permit tcp host 21

44、0.32.32.23 eq www any設置指向內(nèi)、外部網(wǎng)的缺省路由route outside 0.0.0.0 0.0.0.0 210.32.39.254 1route inside 192.168.0.0 255.255.0.0 10.0.0.253 1系統(tǒng)允許的主機對防火墻端口的TELNET訪問telnet 192.168.9.3 255.255.255.0telnet 210.32.32.0 255.255.255.0telnet 192.168.9.3 255.255.255.255 3.4.10 配置CACHE ENGINE 550的安裝過程指定登陸的用戶名和口令user add

45、admin uid 0 password 1 b9ccbQcQe9 capability admin-accessuser add wy uid 5019 password 1 eeQQeRRSS capability admin-access指定主機名hostname cisco_ce_505指定以太網(wǎng)的IP地址interface ethernet 0 ip address 192.168.199.1 255.255.255.0 ip broadcast-address 192.168.199.255!interface ethernet 1exit定義網(wǎng)關!ip default-gatew

46、ay 192.168.199.254定義DNS名ip name-server 210.32.32.1定義域名ip domain-name 定義路由ip route 0.0.0.0 0.0.0.0 192.168.199.254cron file /local/etc/crontab!bypass auth-traffic allhttp cache-cookieshttp max-ttl days text 4 binary 3http cache-authenticatedhttp object max-size 6144http persistent-connections timeout

47、 8 max-idle 1000定義WCCP訪問協(xié)議的路由器地址wccp router-list 1 192.168.199.254wccp port-list 1 80wccp web-cache router-list-num 1 weight 20 password *定義主路由器地址（在有多路由器情況下）wccp home-router 192.168.199.254wccp version 2wccp shutdown max-wait 1!snmp-server community summerno radius-server host 192.168.46.1 auth-port

48、 1812radius-server key *authentication login local enableauthentication configuration local enabletransaction-logs archive files 1transaction-logs enabletransaction-logs export interval every-day at 00:00transaction-logs export enabletransaction-logs sanitizerule block dst-port 33定義代理服務器的地址和能夠通過的地址r

49、ule use-proxy 202.38.124.241 3128 dst-ip 216.101.192.85 255.255.255.0rule use-proxy 202.38.124.241 3128 domain .*rule use-proxy 202.38.124.241 3128 domain .*rule no-cache url-regex .*cgi-bin.*rule no-cache url-regex .*aw-cgi.*!end 3.4.11 配置Cisco3640的安裝過程version 12.0service timestamps debug uptimeser

50、vice timestamps log uptimeno service password-encryption定義主機名hostname cisco3640!定義訪問的口令enable secret 5 $1$sWZw$EdlT9Yphojj6nJVo06bne0enable password cisco3640!ip subnet-zero定義域名ip domain-name 定義DNS名ip name-server 202.96.96.68!定義外地接口的IP地址interface FastEthernet2/0ip address 210.32.176.26 255.255.255.0

51、no ip directed-broadcastduplex autospeed auto定義內(nèi)部接口的IP地址interface FastEthernet2/1 ip address 210.32.39.254 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache duplex auto speed auto定義網(wǎng)關ip default-gateway 210.32.176.25ip classless定義內(nèi)外路由ip route 0.0.0.0 0.0.0.0 210.32.176.25ip

52、route 210.32.32.0 255.255.248.0 210.32.39.253no ip http server!snmp-server engineID local 000000090200000628AC87A1snmp-server community summer RO!line con 0 transport input noneline aux 0定義遠程登陸的口令line vty 0 4 password cisco login!end 3.4.12 配置Cisco Works網(wǎng)管軟件CiscoWorks的設計層次為基于國際通用網(wǎng)絡管理軟件之上的應用系統(tǒng)，其結(jié)構(gòu)如下圖

53、： 通過CiscoWorks和CWSI可以很好地實現(xiàn)對含有Cisco軟件與硬件產(chǎn)品的企業(yè)網(wǎng)絡進行基于 SNMP的監(jiān)視、控制與管理。一、CiscoWorks的安裝1、選取INSTALL二、選用integrate ciscoworks 5.0 with whatsup gold三、選取需要管理的網(wǎng)絡設備四、完成3.5 設備模擬連接調(diào)試階段 設備安裝階當單機調(diào)試完畢后，就進入系統(tǒng)連調(diào)階段。由于有多個單位是多模光纖通路，且不在本地。所以只有先進行模擬連接測試。除了線路問題，與以后的實際情況完全一樣。3.6 設備安裝階段 在所有的設備模擬調(diào)試完畢后，就進行設備的安裝工作。設備的安裝主要是把實驗樓2樓信息

54、中心機房里的所有網(wǎng)絡設備都安裝到2米的標準機柜里，并且將信息中心所有的線路根據(jù)VLAN進行重新規(guī)劃和整理，各個網(wǎng)絡分中心交換機安裝在1.2米機柜中。在本次工程安排中，信息中心大樓機房的2M標準機柜：用于安裝6509交換機、服務器交換機、樓層交換機和PIX防火墻等；信息中心原有的2M機柜用于放置二級接入交換機設備。把所有的設備都安裝到位以后，再把UPS電源接入到位。3.7 系統(tǒng)連調(diào)階段 在所有的網(wǎng)絡設備都安裝到位以后，包括所有的主機放置到DMZ區(qū)后。就可以進行整個系統(tǒng)的連調(diào)。3.8 INTERNET連接 在將整個系統(tǒng)遷移到10M專線的同時，我們將PIX防火墻放在系統(tǒng)與外部連接處，以提供網(wǎng)絡的安全

55、保障。在進入內(nèi)部系統(tǒng)后，連接到PIX內(nèi)部網(wǎng)段的PC機通過上網(wǎng)計費服務器進入統(tǒng)一管理。對處INTERNET服務的WEB、DNS、SMTP和POP3服務器接入PIX服務器的DMZ段，用于保護應有服務器的安全和對內(nèi)外提供服務。在杭電INTERNET系統(tǒng)中還配置了一臺WEB高速緩存服務器，在內(nèi)部用戶訪問外部站點時，通過WCCP協(xié)議首先訪問CACHE ENGINE 550服務器，如CACHE ENGINE 550服務器中已有訪問過的站點則進行內(nèi)部訪問從而有效率減少網(wǎng)絡流量，而達到高速訪問的目的。整個連接情況圖示于杭電網(wǎng)絡拓樸圖：需要說明的幾點：1、防火墻上做了地址轉(zhuǎn)換，將內(nèi)部的私有地址轉(zhuǎn)換成公有地址訪問

56、INTERNET。2、防火墻上開放了用于INTERNET信息發(fā)布所需要的幾個端口，包括TCP的53，23，25，110，80和UDP的53端口，分別用于DNS，SMTP，POP3和WEB等服務。3、在防火墻上做了多個靜態(tài)的地址映射將內(nèi)部地址192.168.0.0映射為外部地址。4、保護應用服務器的安全。 這樣當INTERNET上的用戶訪問這兩個公有地址時防火墻將自動將訪問請求轉(zhuǎn)給兩個內(nèi)部的私有地址。 5、CACHE ENGINE網(wǎng)絡流量緩沖的目的。第四章、具體設備配置實例 4.1 Catalyst 65066506交換機模塊配置文檔begin!# * NON-DEFAULT CONFIGURA

57、TION *!#time: Wed Oct 31 2001, 04:00:50 !#version 6.1(2)!set password $2$ohhi$Pka/lgvq4acxpVc0ecW660set enablepass $2$F1/Q$NKbNCtkZmFVg2HO7PIhZZ/!#errordetectionset errordetection portcounter enable!#systemset system name cisco6506!#!#vtpset vtp domain hzdzgxyset vtp passwd ciscoset vlan 1 name defa

58、ult type ethernet mtu 1500 said 100001 state active set vlan 10 name dangzheng type ethernet mtu 1500 said 100010 state active set vlan 11 name renshi type ethernet mtu 1500 said 100011 state active set vlan 12 name jiaowu type ethernet mtu 1500 said 100012 state active set vlan 13 name xz_1_west ty

59、pe ethernet mtu 1500 said 100013 state active set vlan 14 name yanjiusheng type ethernet mtu 1500 said 100014 state active set vlan 15 name xuanchuan type ethernet mtu 1500 said 100015 state active set vlan 16 name xz_other1 type ethernet mtu 1500 said 100016 state active set vlan 17 name xz_other t

60、ype ethernet mtu 1500 said 100017 state active set vlan 18 name cad type ethernet mtu 1500 said 100018 state active set vlan 19 name dianjiao type ethernet mtu 1500 said 100019 state active set vlan 20 name computer_center type ethernet mtu 1500 said 100020 state active set vlan 21 name shudent type

61、 ethernet mtu 1500 said 100021 state active set vlan 22 name wenli type ethernet mtu 1500 said 100022 state active set vlan 23 name jidian type ethernet mtu 1500 said 100023 state active set vlan 24 name zidonghua type ethernet mtu 1500 said 100024 state active set vlan 25 name caijing type ethernet

62、 mtu 1500 said 100025 state active set vlan 26 name guanli type ethernet mtu 1500 said 100026 state active set vlan 27 name jisuanji type ethernet mtu 1500 said 100027 state active set vlan 28 name dianzi type ethernet mtu 1500 said 100028 state active set vlan 29 name tongxin type ethernet mtu 1500

63、 said 100029 state active set vlan 30 name xinxi type ethernet mtu 1500 said 100030 state active set vlan 31 name cae type ethernet mtu 1500 said 100031 state active set vlan 32 name sb_other type ethernet mtu 1500 said 100032 state active set vlan 33 name nic_2 type ethernet mtu 1500 said 100033 st

64、ate active set vlan 34 name chengjiao type ethernet mtu 1500 said 100034 state active set vlan 35 name lib type ethernet mtu 1500 said 100035 state active set vlan 36 name lib_1 type ethernet mtu 1500 said 100036 state active set vlan 37 name nic_1 type ethernet mtu 1500 said 100037 state active set

65、 vlan 38 name proxy type ethernet mtu 1500 said 100038 state active set vlan 39 name computer_1 type ethernet mtu 1500 said 100039 state active set vlan 40 name computer_2 type ethernet mtu 1500 said 100040 state active set vlan 41 name computer_3 type ethernet mtu 1500 said 100041 state active set

66、vlan 42 name computer_4 type ethernet mtu 1500 said 100042 state active set vlan 43 name computer_5 type ethernet mtu 1500 said 100043 state active set vlan 44 name computer_6 type ethernet mtu 1500 said 100044 state active set vlan 45 name lib_server type ethernet mtu 1500 said 100045 state active

67、set vlan 46 name nic_3 type ethernet mtu 1500 said 100046 state active set vlan 48 name dialup type ethernet mtu 1500 said 100048 state active set vlan 50 name 408 type ethernet mtu 1500 said 100050 state active set vlan 51 name wy type ethernet mtu 1500 said 100051 state active set vlan 999 name ca

68、che type ethernet mtu 1500 said 100999 state active set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state active stp ieee set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active stp

69、 ibm set vlan 47set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active mode srb aremaxhop 7 stemaxhop 7 backupcrf off !#ipset interface sc0 1 192.168.9.3/255.255.255.0 192.168.9.255set ip route 0.0.0.0/0.0.0.0 192.168.9.254 !#set boot commandset boot config-register 0x2se

70、t boot system flash bootflash:cat6000-sup2.6-1-2.bin!#port channelset port channel 4/46-48 15set port channel 1/1-2 33set port channel 4/2-8 35set port channel 4/9-14 36set port channel 4/15-22 37set port channel 4/23-30 38set port channel 4/31-38 39set port channel 4/39-45 40set port channel 4/1 75

71、set port channel 2/1-8 362!# default port status is enable!#module 1 : 2-port 1000BaseX Supervisorset vlan 34 1/1set vlan 45 1/2set trunk 1/1 off isl 1-1005,1025-4094set trunk 1/2 off isl 1-1005,1025-4094set port channel 1/1-2 mode off!#module 2 : 8-port 1000BaseX Ethernetset udld enable 2/2-3,2/6,2

72、/8 set trunk 2/1 nonegotiate isl 1-1005,1025-4094set trunk 2/2 nonegotiate isl 1-1005,1025-4094set trunk 2/3 nonegotiate isl 1-1005,1025-4094set trunk 2/4 nonegotiate isl 1-1005,1025-4094set trunk 2/5 nonegotiate isl 1-1005,1025-4094set trunk 2/6 nonegotiate isl 1-1005,1025-4094set trunk 2/7 nonegot

73、iate isl 1-1005,1025-4094set trunk 2/8 nonegotiate isl 1-1005,1025-4094set port channel 2/1 mode onset port channel 2/2-8 mode off!#module 3 empty!#module 4 : 48-port 10/100BaseTX Ethernetset vlan 22 4/1-2set vlan 23 4/3-4set vlan 24 4/5-6set vlan 25 4/7-8set vlan 26 4/9-10set vlan 27 4/11-12set vla

74、n 28 4/13-14set vlan 29 4/15-16set vlan 30 4/17-18set vlan 31 4/19-20set vlan 32 4/21-22set vlan 33 4/41-42set vlan 37 4/23-35set vlan 46 4/43-48set vlan 48 4/38set vlan 50 4/37set vlan 51 4/39set vlan 999 4/40set trunk 4/1 off negotiate 1-1005,1025-4094set trunk 4/2 off negotiate 1-1005,1025-4094se

75、t trunk 4/3 off negotiate 1-1005,1025-4094set trunk 4/4 off negotiate 1-1005,1025-4094set trunk 4/5 off negotiate 1-1005,1025-4094set trunk 4/6 off negotiate 1-1005,1025-4094set trunk 4/7 off negotiate 1-1005,1025-4094set trunk 4/8 off negotiate 1-1005,1025-4094set trunk 4/9 off negotiate 1-1005,102

76、5-4094set trunk 4/10 off negotiate 1-1005,1025-4094set trunk 4/11 off negotiate 1-1005,1025-4094set trunk 4/12 off negotiate 1-1005,1025-4094set trunk 4/13 off negotiate 1-1005,1025-4094set trunk 4/14 off negotiate 1-1005,1025-4094set trunk 4/15 off negotiate 1-1005,1025-4094set trunk 4/16 off negot

77、iate 1-1005,1025-4094set trunk 4/17 off negotiate 1-1005,1025-4094set trunk 4/18 off negotiate 1-1005,1025-4094set trunk 4/19 off negotiate 1-1005,1025-4094set trunk 4/20 off negotiate 1-1005,1025-4094set trunk 4/21 off negotiate 1-1005,1025-4094set trunk 4/22 off negotiate 1-1005,1025-4094set trunk

78、 4/23 off negotiate 1-1005,1025-4094set trunk 4/24 off negotiate 1-1005,1025-4094set trunk 4/25 off negotiate 1-1005,1025-4094set trunk 4/26 off negotiate 1-1005,1025-4094set trunk 4/27 off negotiate 1-1005,1025-4094set trunk 4/28 off negotiate 1-1005,1025-4094set trunk 4/29 off negotiate 1-1005,102

79、5-4094set trunk 4/30 off negotiate 1-1005,1025-4094set trunk 4/31 off negotiate 1-1005,1025-4094set trunk 4/32 off negotiate 1-1005,1025-4094set trunk 4/33 off negotiate 1-1005,1025-4094set trunk 4/34 off negotiate 1-1005,1025-4094set trunk 4/35 off negotiate 1-1005,1025-4094set trunk 4/36 off negot

80、iate 1-1005,1025-4094set trunk 4/37 off negotiate 1-1005,1025-4094set trunk 4/38 off negotiate 1-1005,1025-4094set trunk 4/39 off negotiate 1-1005,1025-4094set trunk 4/40 off negotiate 1-1005,1025-4094set trunk 4/41 off negotiate 1-1005,1025-4094set trunk 4/42 off negotiate 1-1005,1025-4094set trunk

81、 4/43 off negotiate 1-1005,1025-4094set trunk 4/44 off negotiate 1-1005,1025-4094set trunk 4/45 off negotiate 1-1005,1025-4094set trunk 4/46 off negotiate 1-1005,1025-4094set trunk 4/47 off negotiate 1-1005,1025-4094set trunk 4/48 off negotiate 1-1005,1025-4094set port channel 4/1-48 mode off!#modul

82、e 5 : 0-port Switch Fabric Module!#module 6 empty!#module 15 : 1-port Multilayer Switch Feature Card!#module 16 emptyend 4.2 session 156506路由模塊配置!version 12.1service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname cisco6506_route / 定義主機名 /!boot system flas

83、h bootflash:c6msfc2-is-mz.121-3a.E4!ip subnet-zeroip wccp web-cache password hziee / 起用WCCP協(xié)議 /ip cefip domain-name / 定義域名 /ip name-server 210.32.32.1 / 定義DNS服務器/!ip multicast-routing!interface Vlan1 ip address 192.168.9.254 255.255.255.0 ip wccp web-cache redirect out / 定義WEB IP包的輸出口/!interface Vla

84、n10 / 定義VLAN 10 / ip address 192.168.10.254 255.255.255.0 /定義VLAN 10的網(wǎng)關和子網(wǎng)地址/!interface Vlan11 ip address 192.168.11.254 255.255.255.0!interface Vlan12 ip address 192.168.12.254 255.255.255.0!interface Vlan13 ip address 192.168.13.254 255.255.255.0!interface Vlan14 ip address 192.168.14.254 255.255.

85、255.0!interface Vlan15 ip address 192.168.15.254 255.255.255.0!interface Vlan16 ip address 192.168.16.254 255.255.255.0!interface Vlan17 ip address 192.168.17.254 255.255.255.0!interface Vlan18 ip address 192.168.18.254 255.255.255.0!interface Vlan19 ip address 192.168.19.254 255.255.255.0!interface

86、 Vlan20 ip address 192.168.20.254 255.255.255.0!interface Vlan21 ip address 192.168.21.254 255.255.255.0!interface Vlan22 ip address 192.168.22.254 255.255.255.0!interface Vlan23 ip address 192.168.23.254 255.255.255.0!interface Vlan24 ip address 192.168.24.254 255.255.255.0!interface Vlan25 ip addr

87、ess 192.168.25.254 255.255.255.0!interface Vlan26 ip address 192.168.26.254 255.255.255.0!interface Vlan27 ip address 192.168.27.254 255.255.255.0!interface Vlan28 ip address 192.168.28.254 255.255.255.0!interface Vlan29 ip address 192.168.29.254 255.255.255.0!interface Vlan30 ip address 192.168.30.

88、254 255.255.255.0!interface Vlan31 ip address 192.168.31.254 255.255.255.0!interface Vlan32 ip address 192.168.32.254 255.255.255.0!interface Vlan33 ip address 192.168.33.254 255.255.255.0!interface Vlan34 ip address 192.168.34.254 255.255.255.0!interface Vlan35 ip address 192.168.35.254 255.255.255

89、.0!interface Vlan36 ip address 192.168.36.254 255.255.255.0!interface Vlan37 ip address 192.168.37.254 255.255.255.0!interface Vlan38 ip address 192.168.38.254 255.255.255.0!interface Vlan39 ip address 192.168.39.254 255.255.255.0!interface Vlan40 ip address 192.168.40.254 255.255.255.0!interface Vl

90、an41 ip address 192.168.41.254 255.255.255.0!interface Vlan42 ip address 192.168.42.254 255.255.255.0!interface Vlan43 ip address 192.168.43.254 255.255.255.0!interface Vlan44 ip address 192.168.44.254 255.255.255.0!interface Vlan45 ip address 192.168.45.254 255.255.255.0!interface Vlan46 ip address

91、 192.168.46.254 255.255.255.0!interface Vlan47 ip address 192.168.47.254 255.255.255.0!interface Vlan48 ip address 192.168.48.254 255.255.255.0!interface Vlan50 ip address 192.168.50.254 255.255.255.0!interface Vlan51 ip address 192.168.51.254 255.255.255.0!interface Vlan999 ip address 192.168.199.2

92、54 255.255.255.0!router rip network 192.168.0.0!router igrp 100 network 192.168.0.0!ip classlessip route 0.0.0.0 0.0.0.0 192.168.9.10no ip http server!line con 0 transport input noneline vty 0 4 password cisco login!end 4.3 二級交換機Catalyst 3500以圖書館二級交換機為例Current configuration:!version 12.0no service p

93、adservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname lib!enable secret 5 $1$G3SM$DbzVKE3l/fkYHpoi0XUug/enable password cisco!ip subnet-zero! interface FastEthernet0/1 switchport access vlan 35!interface FastEthernet0/2 switchport access vlan 35!interf

94、ace FastEthernet0/3 switchport access vlan 35!interface FastEthernet0/4 switchport access vlan 35!interface FastEthernet0/5 switchport access vlan 35!interface FastEthernet0/6 switchport access vlan 35!interface FastEthernet0/7 switchport access vlan 35!interface FastEthernet0/8 switchport access vl

95、an 35 interface FastEthernet0/9 switchport access vlan 35!interface FastEthernet0/10 switchport access vlan 35!interface FastEthernet0/11 switchport access vlan 35!interface FastEthernet0/12 switchport access vlan 35!interface FastEthernet0/13 switchport access vlan 35!interface FastEthernet0/14 swi

96、tchport access vlan 35!interface FastEthernet0/15 switchport access vlan 35!interface FastEthernet0/16switchport access vlan 35!interface FastEthernet0/17 switchport access vlan 35!interface FastEthernet0/18 switchport access vlan 35!interface FastEthernet0/19 switchport access vlan 35!interface Fas

97、tEthernet0/20 switchport access vlan 35!interface FastEthernet0/21 switchport access vlan 35!interface FastEthernet0/22 switchport access vlan 35!interface FastEthernet0/23 switchport access vlan 35! interface FastEthernet0/24 switchport access vlan 35!interface GigabitEthernet0/1 switchport mode tr

98、unk!interface GigabitEthernet0/2!interface VLAN1 ip address 192.168.9.5 255.255.255.0 no ip directed-broadcast no ip route-cache!line con 0 transport input none stopbits 1line vty 0 4 password cisco loginline vty 5 15 password cisco login !endlib# 4.4 防火墻PIX520配置明細PIX Version 4.4(7)nameif ethernet0

99、outside security0nameif ethernet1 inside security100nameif ethernet2 dmz security50enable password 2KFQnbNIdI.2KYOU encryptedpasswd 2KFQnbNIdI.2KYOU encryptedhostname ciscopix520fixup protocol ftp 21fixup protocol http 80fixup protocol h323 1720fixup protocol rsh 514fixup protocol smtp 25fixup proto

100、col sqlnet 1521namespager lines 24logging onno logging timestampno logging consoleno logging monitorno logging bufferedlogging trap debugginglogging facility 20logging queue 512logging host dmz 210.32.32.10interface ethernet0 autointerface ethernet1 autointerface ethernet2 automtu outside 1500mtu in

101、side 1500mtu dmz 1500ip address outside 210.32.39.253 255.255.255.0ip address inside 10.0.0.254 255.255.255.0ip address dmz 210.32.32.254 255.255.255.0no failoverfailover timeout 0:00:00failover ip address outside 0.0.0.0failover ip address inside 0.0.0.0failover ip address dmz 0.0.0.0arp timeout 14

102、400global (outside) 1 210.32.38.254global (dmz) 1 192.168.1.1-192.168.1.253global (dmz) 1 192.168.1.254nat (inside) 1 0.0.0.0 0.0.0.0 0 0nat (dmz) 0 0.0.0.0 0.0.0.0 0 0static (dmz,outside) 210.32.32.1 210.32.32.1 netmask 255.255.255.255 0 0static (dmz,outside) 210.32.32.21 210.32.32.21 netmask 255.2

103、55.255.255 0 0static (dmz,outside) 210.32.32.18 210.32.32.18 netmask 255.255.255.255 0 0static (dmz,outside) 210.32.32.10 210.32.32.10 netmask 255.255.255.255 0 0static (dmz,outside) 210.32.32.32 210.32.32.32 netmask 255.255.255.255 0 0static (dmz,outside) 210.32.32.23 210.32.32.23 netmask 255.255.2

104、55.255 0 0static (dmz,outside) 210.32.32.150 210.32.32.150 netmask 255.255.255.255 0 0static (dmz,outside) 210.32.32.20 210.32.32.20 netmask 255.255.255.255 0 0static (dmz,outside) 210.32.32.229 210.32.32.229 netmask 255.255.255.255 0 0static (dmz,outside) 210.32.32.50 210.32.32.50 netmask 255.255.2

105、55.255 0 0conduit permit icmp any anyconduit permit tcp host 210.32.32.21 range ftp www anyconduit permit tcp host 210.32.32.10 range ftp www anyconduit permit udp host 210.32.32.1 eq domain anyconduit permit tcp host 210.32.32.150 eq www anyconduit permit tcp host 210.32.32.18 range smtp pop3 anyco

106、nduit permit tcp host 210.32.32.20 eq www anyconduit permit tcp host 210.32.32.229 anyconduit permit tcp host 210.32.32.50 eq telnet anyconduit permit tcp host 210.32.32.23 eq www anyno rip outside passiveno rip outside defaultno rip inside passiveno rip inside defaultno rip dmz passiveno rip dmz de

107、faultno rip inside defaultno rip dmz passiveno rip dmz defaultroute outside 0.0.0.0 0.0.0.0 210.32.39.254 1route inside 192.168.0.0 255.255.0.0 10.0.0.253 1timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00timeout rpc 0:10:00 h323 0:05:00timeout uauth 0:05:00 absoluteaaa-server TACAC

108、S+ protocol tacacs+aaa-server RADIUS protocol radiusaaa-server authout protocol radiusaaa-server authout (inside) host 192.168.51.16 summer timeout 2snmp-server host inside 192.168.51.16no snmp-server locationsnmp-server contact wysnmp-server community publicno snmp-server enable trapstelnet 192.168

109、.9.3 255.255.255.0telnet 210.32.32.0 255.255.255.0telnet 192.168.9.3 255.255.255.255telnet timeout 5terminal width 80Cryptochecksum:f756acfb04cb93a391a1fad88b1c72beciscopix520# 4.5 CACHE ENGINE 550配置明細!user add admin uid 0 password 1 b9ccbQcQe9 capability admin-accessuser add wy uid 5019 password 1

110、eeQQeRRSS capability admin-access!hostname cisco_ce_505!interface ethernet 0 ip address 192.168.199.1 255.255.255.0 ip broadcast-address 192.168.199.255exit!interface ethernet 1exit!ip default-gateway 192.168.199.254ip name-server 210.32.32.1ip domain-name ip route 0.0.0.0 0.0.0.0 192.168.199.254cro

111、n file /local/etc/crontab!bypass auth-traffic allhttp cache-cookieshttp max-ttl days text 4 binary 3http cache-authenticatedhttp object max-size 6144http persistent-connections timeout 8 max-idle 1000wccp router-list 1 192.168.199.254wccp port-list 1 80wccp web-cache router-list-num 1 weight 20 pass

112、word *wccp home-router 192.168.199.254wccp version 2wccp shutdown max-wait 1!snmp-server community summerno radius-server host 192.168.46.1 auth-port 1812radius-server key *authentication login local enableauthentication configuration local enabletransaction-logs archive files 1transaction-logs enab

113、letransaction-logs export interval every-day at 00:00transaction-logs export enabletransaction-logs sanitizerule block dst-port 33rule use-proxy 202.38.124.241 3128 dst-ip 216.101.192.85 255.255.255.0rule use-proxy 202.38.124.241 3128 domain .*rule use-proxy 202.38.124.241 3128 domain .*rule no-cach

114、e url-regex .*cgi-bin.*rule no-cache url-regex .*aw-cgi.*!end 4.6 Cisco3640路由器配置明細!version 12.0service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname cisco3640!enable secret 5 $1$sWZw$EdlT9Yphojj6nJVo06bne0enable password cisco3640!ip subnet-zeroip domain

115、-name ip name-server 202.96.96.68!interface FastEthernet2/0 ip address 210.32.176.26 255.255.255.0 no ip directed-broadcast duplex auto speed auto!interface FastEthernet2/1 ip address 210.32.39.254 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache duplex auto speed auto!ip

116、default-gateway 210.32.176.25ip classlessip route 0.0.0.0 0.0.0.0 210.32.176.25ip route 210.32.32.0 255.255.248.0 210.32.39.253no ip http server!snmp-server engineID local 000000090200000628AC87A1snmp-server community summer RO!line con 0 transport input noneline aux 0line vty 0 4 password cisco login!end 第五章、工程總結(jié) 在廣泛調(diào)研的基礎上，通過專業(yè)的設計，經(jīng)過近1個月嚴格規(guī)范的施工，杭州電子工學院千兆網(wǎng)升級工程已經(jīng)順利完成。2001年9月10日設備全部到貨后，對所有設備進行了到貨清點驗收工作，并進行了詳細的登記，認真細致地進行了主機和網(wǎng)絡設備開箱檢查。由浙江托普軟件公司工程師進行了主機應用軟件的安裝調(diào)試和整個網(wǎng)絡的設備安裝調(diào)試工作。經(jīng)過一個多月的系統(tǒng)試運行測試，說明主機及網(wǎng)絡系統(tǒng)工作良好，性能優(yōu)越。