
Building a typical small and medium enterprise network in eNSP (with wireless)

Abstract

This design builds a company network on the classic three-layer model of access, aggregation and core layers. All access-layer and aggregation-layer switches run MSTP and VRRP for redundant backup, protecting device and link availability. OSPF dynamic routing keeps route maintenance simple, and DHCP assigns addresses dynamically to ease IP address management. The Internet edge is a firewall that protects the network: SNAT on the firewall lets the intranet reach the Internet, and DNAT on the firewall lets external networks reach the company's servers.

I. Design approach

  1. Each department gets its own VLAN. Hosts within a department communicate freely; communication between departments is governed by ACL rules.

  2. The intranet uses private IP addresses; each department is assigned a private subnet with a 24-bit mask for Internet access.

  3. Department hosts obtain their addresses via DHCP, reducing the administrator's manual assignment work and simplifying management and maintenance.

  4. OSPF is the routing protocol, for fast convergence. OSPF adapts to topology changes, learns routes automatically and prevents routing loops, improving topology stability.

  5. Access-layer and aggregation-layer switches are configured with MSTP and VRRP for device redundancy, link reliability and load sharing: when the master device fails, traffic switches quickly to the backup without affecting forwarding.

  6. A firewall with security zones is added to control forwarding between department hosts, servers and external devices, keeping the company network secure.

  7. The uplink uses fibre access and the aggregation switches use link aggregation to raise bandwidth: 10 Gbit/s from the ISP, 1 Gbit/s to each department and 100 Mbit/s to the desktop.

  8. Full wireless coverage inside the company, so internal terminals can connect wirelessly and reach the Internet.

  9. ACLs on the aggregation switches implement the access requirement: Marketing and Administration cannot communicate, Finance can only communicate with Administration, and all other departments communicate freely.

  10. SNAT: translates private addresses to a public address when internal users access the Internet. Easy-IP NAT is used here, so outbound traffic carries the address of the outgoing interface.

  11. DNAT: lets external users reach the internal servers. When a user accesses 202.96.137.88:8080, the firewall forwards the traffic to the internal web server; when a user accesses 202.96.137.88:21, the firewall translates the destination to 172.16.50.20:21, the company's FTP server.

II. Network topology

A topology diagram is the most direct way to present the design of a network, and each of the classic topologies has its own characteristics. We use the standard three-layer architecture of core, aggregation and access layers. No single device may become a single point of failure, so every switch must have a hot-standby redundant partner. The company's network topology is shown in the figure below.

III. Configuration steps

  1. Basic configuration

Create the VLANs on the switches, assign interfaces to them and configure IP addresses.

Core-SW1 configuration

  [Huawei]sy Core-SW1
  [Core-SW1]vlan b 70 80 100 200 172
  Info: This operation may take a few seconds. Please wait for a moment...done.
  [Core-SW1]int vlan 70
  [Core-SW1-Vlanif70]ip add 172.16.70.2 24
  [Core-SW1-Vlanif70]int vlan 80
  [Core-SW1-Vlanif80]ip add 172.16.80.2 24
  [Core-SW1-Vlanif80]int vlan 100
  [Core-SW1-Vlanif100]ip add 172.16.10.254 24
  [Core-SW1-Vlanif100]int vlan 200
  [Core-SW1-Vlanif200]ip add 172.16.20.2 24
  [Core-SW1-Vlanif200]int vlan 172
  [Core-SW1-Vlanif172]ip add 172.16.172.1 24
  [Core-SW1-Vlanif172]q
  [Core-SW1]int g0/0/23
  [Core-SW1-GigabitEthernet0/0/23]po li a
  [Core-SW1-GigabitEthernet0/0/23]po de v 70
  [Core-SW1-GigabitEthernet0/0/23]int g0/0/24
  [Core-SW1-GigabitEthernet0/0/24]po li a
  [Core-SW1-GigabitEthernet0/0/24]po de v 80
  [Core-SW1-GigabitEthernet0/0/24]int g0/0/2
  [Core-SW1-GigabitEthernet0/0/2]po li a
  [Core-SW1-GigabitEthernet0/0/2]po de v 100
  [Core-SW1-GigabitEthernet0/0/2]int g0/0/1
  [Core-SW1-GigabitEthernet0/0/1]po li a
  [Core-SW1-GigabitEthernet0/0/1]po de v 200
  [Core-SW1-GigabitEthernet0/0/1]int g0/0/3
  [Core-SW1-GigabitEthernet0/0/3]po li a
  [Core-SW1-GigabitEthernet0/0/3]po de v 172
  [Core-SW1-GigabitEthernet0/0/3]q

SW1 configuration

  [Huawei]sy SW1
  [SW1]vlan b 10 20 30 40 50 70 1000 2000
  [SW1]int vlan 10
  [SW1-Vlanif10]ip add 192.168.10.1 24
  [SW1-Vlanif10]int vlan 20
  [SW1-Vlanif20]ip add 192.168.20.1 24
  [SW1-Vlanif20]int vlan 30
  [SW1-Vlanif30]ip add 192.168.30.1 24
  [SW1-Vlanif30]int vlan 40
  [SW1-Vlanif40]ip add 192.168.40.1 24
  [SW1-Vlanif40]int vlan 50
  [SW1-Vlanif50]ip add 192.168.50.1 24
  [SW1-Vlanif50]int vlan 1000
  [SW1-Vlanif1000]ip add 192.168.100.1 24
  [SW1-Vlanif1000]int vlan 2000
  [SW1-Vlanif2000]ip add 172.16.100.1 24
  [SW1-Vlanif2000]int vlan 70
  [SW1-Vlanif70]ip add 172.16.70.1 24
  [SW1-Vlanif70]q
  [SW1]int g0/0/1
  [SW1-GigabitEthernet0/0/1]po li t
  [SW1-GigabitEthernet0/0/1]po t all vlan 10 1000 2000
  [SW1-GigabitEthernet0/0/1]int g0/0/2
  [SW1-GigabitEthernet0/0/2]po li t
  [SW1-GigabitEthernet0/0/2]po t all vlan 20 30 1000 2000
  [SW1-GigabitEthernet0/0/2]int g0/0/3
  [SW1-GigabitEthernet0/0/3]po li t
  [SW1-GigabitEthernet0/0/3]po t all vlan 40 50 1000 2000
  [SW1-GigabitEthernet0/0/3]int g0/0/23
  [SW1-GigabitEthernet0/0/23]po li a
  [SW1-GigabitEthernet0/0/23]po de v 70
  [SW1-GigabitEthernet0/0/23]q

SW2 configuration

  [Huawei]sy SW2
  [SW2]vlan b 10 20 30 40 50 80 1000 2000
  [SW2]int vlan 10
  [SW2-Vlanif10]ip add 192.168.10.2 24
  [SW2-Vlanif10]int vlan 20
  [SW2-Vlanif20]ip add 192.168.20.2 24
  [SW2-Vlanif20]int vlan 30
  [SW2-Vlanif30]ip add 192.168.30.2 24
  [SW2-Vlanif30]int vlan 40
  [SW2-Vlanif40]ip add 192.168.40.2 24
  [SW2-Vlanif40]int vlan 50
  [SW2-Vlanif50]ip add 192.168.50.2 24
  [SW2-Vlanif50]int vlan 80
  [SW2-Vlanif80]ip add 172.16.80.1 24
  [SW2-Vlanif80]int vlan 1000
  [SW2-Vlanif1000]ip add 192.168.100.2 24
  [SW2-Vlanif1000]int vlan 2000
  [SW2-Vlanif2000]ip add 172.16.100.2 24
  [SW2-Vlanif2000]q
  [SW2]int g0/0/1
  [SW2-GigabitEthernet0/0/1]po li t
  [SW2-GigabitEthernet0/0/1]po t all vlan 10 1000 2000
  [SW2-GigabitEthernet0/0/1]int g0/0/2
  [SW2-GigabitEthernet0/0/2]po li t
  [SW2-GigabitEthernet0/0/2]po t all vlan 20 30 1000 2000
  [SW2-GigabitEthernet0/0/2]int g0/0/3
  [SW2-GigabitEthernet0/0/3]po li t
  [SW2-GigabitEthernet0/0/3]po t all vlan 40 50 1000 2000
  [SW2-GigabitEthernet0/0/3]int g0/0/24
  [SW2-GigabitEthernet0/0/24]po li a
  [SW2-GigabitEthernet0/0/24]po de v 80
  [SW2-GigabitEthernet0/0/24]q

SW3 configuration

  [Huawei]sy SW3
  [SW3]vlan b 10 1000 2000
  [SW3]int e0/0/1
  [SW3-Ethernet0/0/1]po li a
  [SW3-Ethernet0/0/1]po de v 10
  [SW3-Ethernet0/0/1]int e0/0/2
  [SW3-Ethernet0/0/2]po li t
  [SW3-Ethernet0/0/2]po t all vlan 2000 1000
  [SW3-Ethernet0/0/2]po t pv vlan 2000
  [SW3-Ethernet0/0/2]int e0/0/3
  [SW3-Ethernet0/0/3]po li t
  [SW3-Ethernet0/0/3]po t all vlan 10 1000 2000
  [SW3-Ethernet0/0/3]int e0/0/4
  [SW3-Ethernet0/0/4]po li t
  [SW3-Ethernet0/0/4]po t all vlan 10 1000 2000
  [SW3-Ethernet0/0/4]q

SW4 configuration

  [Huawei]sy SW4
  [SW4]vlan b 20 30 1000 2000
  [SW4]int e0/0/1
  [SW4-Ethernet0/0/1]po li a
  [SW4-Ethernet0/0/1]po de v 20
  [SW4-Ethernet0/0/1]int e0/0/2
  [SW4-Ethernet0/0/2]po li a
  [SW4-Ethernet0/0/2]po de v 30
  [SW4-Ethernet0/0/2]int e0/0/3
  [SW4-Ethernet0/0/3]po li t
  [SW4-Ethernet0/0/3]po t all vlan 1000 2000
  [SW4-Ethernet0/0/3]po t pv vlan 2000
  [SW4-Ethernet0/0/3]int e0/0/4
  [SW4-Ethernet0/0/4]po li t
  [SW4-Ethernet0/0/4]po t all vlan 20 30 1000 2000
  [SW4-Ethernet0/0/4]int e0/0/5
  [SW4-Ethernet0/0/5]po li t
  [SW4-Ethernet0/0/5]po t all vlan 20 30 1000 2000
  [SW4-Ethernet0/0/5]q

SW5 configuration

  [Huawei]sy SW5
  [SW5]vlan b 40 50 1000 2000
  [SW5]int e0/0/1
  [SW5-Ethernet0/0/1]po li a
  [SW5-Ethernet0/0/1]po de v 40
  [SW5-Ethernet0/0/1]int e0/0/2
  [SW5-Ethernet0/0/2]po li a
  [SW5-Ethernet0/0/2]po de v 50
  [SW5-Ethernet0/0/2]int e0/0/3
  [SW5-Ethernet0/0/3]po li t
  [SW5-Ethernet0/0/3]po t all vlan 1000 2000
  [SW5-Ethernet0/0/3]po t pv vlan 2000
  [SW5-Ethernet0/0/3]int e0/0/4
  [SW5-Ethernet0/0/4]po li t
  [SW5-Ethernet0/0/4]po t all vlan 40 50 1000 2000
  [SW5-Ethernet0/0/4]int e0/0/5
  [SW5-Ethernet0/0/5]po li t
  [SW5-Ethernet0/0/5]po t all vlan 40 50 1000 2000
  [SW5-Ethernet0/0/5]q

Firewall security zones, interface zone membership and IP configuration

  [USG6000V1]sy FW1
  [FW1]fire zone trust
  [FW1-zone-trust]add int g1/0/0
  [FW1-zone-trust]fire zone untrust
  [FW1-zone-untrust]add int g1/0/2
  [FW1-zone-untrust]fire zone dmz
  [FW1-zone-dmz]add int g1/0/1
  [FW1-zone-dmz]q
  [FW1]int g1/0/1
  [FW1-GigabitEthernet1/0/1]ip add 172.16.50.254 24
  [FW1-GigabitEthernet1/0/1]int g1/0/2
  [FW1-GigabitEthernet1/0/2]ip add 202.96.137.88 24
  [FW1-GigabitEthernet1/0/2]int g1/0/0
  [FW1-GigabitEthernet1/0/0]ip add 172.16.172.2 24
  [FW1-GigabitEthernet1/0/0]q

ISP router interface IP configuration

  [Huawei]sy ISP
  [ISP]int g0/0/0
  [ISP-GigabitEthernet0/0/0]ip add 202.96.137.1 24
  [ISP-GigabitEthernet0/0/0]int g0/0/1
  [ISP-GigabitEthernet0/0/1]ip add 100.100.100.1 24
  [ISP-GigabitEthernet0/0/1]q

  2. VRRP + MSTP configuration

Configure the VRRP groups: SW1 is the master gateway for VLANs 10, 20, 1000 and 2000 and the backup gateway for VLANs 30, 40 and 50; SW2 is the master gateway for VLANs 30, 40 and 50 and the backup for VLANs 10, 20, 1000 and 2000. MSTP is aligned with VRRP: SW1 is the primary root bridge for VLANs 10, 20, 1000 and 2000 and the secondary root for VLANs 30, 40 and 50; SW2 is the primary root for VLANs 30, 40 and 50 and the secondary root for VLANs 10, 20, 1000 and 2000. Keeping the VRRP master and the MSTP root on the same switch per VLAN ensures the spanning-tree forwarding path leads directly to the active gateway.

SW1 configuration

  [SW1]int vlan 10
  [SW1-Vlanif10]vrrp vr 10 vi 192.168.10.254
  [SW1-Vlanif10]vrrp vr 10 pri 110
  [SW1-Vlanif10]int vlan 20
  [SW1-Vlanif20]vrrp vr 20 vi 192.168.20.254
  [SW1-Vlanif20]vrrp vr 20 pri 110
  [SW1-Vlanif20]int vlan 1000
  [SW1-Vlanif1000]vrrp vr 100 vi 192.168.100.254
  [SW1-Vlanif1000]vrrp vr 100 pri 110
  [SW1-Vlanif1000]int vlan 2000
  [SW1-Vlanif2000]vrrp vr 200 vi 172.16.100.254
  [SW1-Vlanif2000]vrrp vr 200 pri 110
  [SW1-Vlanif2000]int vlan 30
  [SW1-Vlanif30]vrrp vr 30 vi 192.168.30.254
  [SW1-Vlanif30]int vlan 40
  [SW1-Vlanif40]vrrp vr 40 vi 192.168.40.254
  [SW1-Vlanif40]int vlan 50
  [SW1-Vlanif50]vrrp vr 50 vi 192.168.50.254
  [SW1-Vlanif50]q
  [SW1]stp region-configuration
  [SW1-mst-region]region-name huawei
  [SW1-mst-region]instance 1 vlan 10 20 1000 2000
  [SW1-mst-region]instance 2 vlan 30 40 50
  [SW1-mst-region]active region-configuration
  [SW1-mst-region]q
  [SW1]stp instance 1 root primary
  [SW1]stp instance 2 root secondary

SW2 configuration

  [SW2]int vlan 10
  [SW2-Vlanif10]vrrp vr 10 vi 192.168.10.254
  [SW2-Vlanif10]int vlan 20
  [SW2-Vlanif20]vrrp vr 20 vi 192.168.20.254
  [SW2-Vlanif20]int vlan 1000
  [SW2-Vlanif1000]vrrp vr 100 vi 192.168.100.254
  [SW2-Vlanif1000]int vlan 2000
  [SW2-Vlanif2000]vrrp vr 200 vi 172.16.100.254
  [SW2-Vlanif2000]int vlan 30
  [SW2-Vlanif30]vrrp vr 30 vi 192.168.30.254
  [SW2-Vlanif30]vrrp vr 30 pri 110
  [SW2-Vlanif30]int vlan 40
  [SW2-Vlanif40]vrrp vr 40 vi 192.168.40.254
  [SW2-Vlanif40]vrrp vr 40 pri 110
  [SW2-Vlanif40]int vlan 50
  [SW2-Vlanif50]vrrp vr 50 vi 192.168.50.254
  [SW2-Vlanif50]vrrp vr 50 pri 110
  [SW2-Vlanif50]q
  [SW2]stp region-configuration
  [SW2-mst-region]region-name huawei
  [SW2-mst-region]instance 1 vlan 10 20 1000 2000
  [SW2-mst-region]instance 2 vlan 30 40 50
  [SW2-mst-region]active region-configuration
  [SW2-mst-region]q
  [SW2]stp instance 1 root secondary
  [SW2]stp instance 2 root primary

SW3 configuration

  [SW3]stp region-configuration
  [SW3-mst-region]region-name huawei
  [SW3-mst-region]instance 1 vlan 10 20 1000 2000
  [SW3-mst-region]instance 2 vlan 30 40 50
  [SW3-mst-region]active region-configuration

SW4 configuration

  [SW4]stp region-configuration
  [SW4-mst-region]region-name huawei
  [SW4-mst-region]instance 1 vlan 10 20 1000 2000
  [SW4-mst-region]instance 2 vlan 30 40 50
  [SW4-mst-region]active region-configuration

SW5 configuration

  [SW5]stp region-configuration
  [SW5-mst-region]region-name huawei
  [SW5-mst-region]instance 1 vlan 10 20 1000 2000
  [SW5-mst-region]instance 2 vlan 30 40 50
  [SW5-mst-region]active region-configuration
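
The VRRP and MSTP sections above only work as intended when, for every VLAN, the switch that wins the VRRP election is also the root of the MSTP instance carrying that VLAN. The following added example (not part of the original article or of any Huawei tool) encodes the SW1/SW2 VRRP priorities, VLANIF addresses and MSTP instance assignments from the page as data and checks that alignment. The `vrrp_master` election follows the standard rule (highest priority wins, ties go to the higher interface address), so it also shows what happens when a `priority 110` line is forgotten on one VLAN: the tie-break silently hands that VLAN's gateway to the other switch while the spanning-tree root stays put.

```python
import ipaddress

# VRRP groups from the SW1/SW2 sections: VLAN -> {switch: (priority, VLANIF address)}.
# 100 is the VRP default priority; 110 is where the page raises it.
VRRP_GROUPS = {
    10:   {"SW1": (110, "192.168.10.1"),  "SW2": (100, "192.168.10.2")},
    20:   {"SW1": (110, "192.168.20.1"),  "SW2": (100, "192.168.20.2")},
    30:   {"SW1": (100, "192.168.30.1"),  "SW2": (110, "192.168.30.2")},
    40:   {"SW1": (100, "192.168.40.1"),  "SW2": (110, "192.168.40.2")},
    50:   {"SW1": (100, "192.168.50.1"),  "SW2": (110, "192.168.50.2")},
    1000: {"SW1": (110, "192.168.100.1"), "SW2": (100, "192.168.100.2")},
    2000: {"SW1": (110, "172.16.100.1"),  "SW2": (100, "172.16.100.2")},
}

# MSTP region "huawei": instance -> VLANs, and the switch configured "root primary".
MST_INSTANCES = {1: [10, 20, 1000, 2000], 2: [30, 40, 50]}
MST_ROOT = {1: "SW1", 2: "SW2"}


def vrrp_master(candidates):
    """VRRP election (RFC 3768): the highest priority wins; on a tie the
    higher interface address wins. candidates: {switch: (priority, address)}."""
    return max(candidates,
               key=lambda sw: (candidates[sw][0], ipaddress.ip_address(candidates[sw][1])))


def vrrp_mstp_mismatches(vrrp=VRRP_GROUPS, instances=MST_INSTANCES, roots=MST_ROOT):
    """Return (vlan, vrrp_master, mstp_root) for every VLAN whose active gateway
    and spanning-tree root sit on different switches. Empty means the
    forwarding path and the gateway agree for every VLAN."""
    out = []
    for inst, vlans in instances.items():
        for vlan in vlans:
            master = vrrp_master(vrrp[vlan])
            if master != roots[inst]:
                out.append((vlan, master, roots[inst]))
    return out


def without_priority(vrrp, vlan):
    """Copy of the VRRP table with both switches at the default priority for
    one VLAN, modelling a forgotten 'vrrp vrid N priority 110' line."""
    changed = dict(vrrp)
    changed[vlan] = {sw: (100, addr) for sw, (_, addr) in vrrp[vlan].items()}
    return changed


if __name__ == "__main__":
    print("mismatches as configured:", vrrp_mstp_mismatches())
    print("mismatches with VLAN 10 at default priority:",
          vrrp_mstp_mismatches(without_priority(VRRP_GROUPS, 10)))
```

With the configuration as written the check returns an empty list. Dropping the priority on VLAN 10 makes SW2 the master there (192.168.10.2 is the higher address) while instance 1 is still rooted on SW1, so traffic from VLAN 10 would cross the Eth-Trunk between the aggregation switches to reach its gateway, which is exactly the asymmetry the design tries to avoid.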

  3. Link aggregation configuration

Link aggregation is configured between the two aggregation switches. First, it increases bandwidth: aggregating two links doubles the available capacity. Second, it improves link reliability: if one member link fails, forwarding continues over the other. Third, if an aggregation switch loses its uplink, traffic can still be forwarded across the aggregated link to the other aggregation switch, adding redundancy.

SW1 configuration

  [SW1]int eth1
  [SW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 0/0/5
  [SW1-Eth-Trunk1]po li t
  [SW1-Eth-Trunk1]po t all vlan 10 20 30 40 50 1000 2000
  [SW1-Eth-Trunk1]q

SW2 configuration

  [SW2]int eth1
  [SW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 0/0/5
  [SW2-Eth-Trunk1]po li t
  [SW2-Eth-Trunk1]po t all vlan 10 20 30 40 50 1000 2000
  [SW2-Eth-Trunk1]q

  4. Routing configuration

The border device (the firewall) gets a default route pointing to the ISP and redistributes it into OSPF; the intranet runs OSPF dynamic routing so that all internal segments can reach each other.

FW1 configuration

  [FW1]ip route-s 0.0.0.0 0 202.96.137.1
  [FW1]ospf 1 router-id 1.1.1.1
  [FW1-ospf-1]a 0
  [FW1-ospf-1-area-0.0.0.0]net 172.16.172.0 0.0.0.255
  [FW1-ospf-1-area-0.0.0.0]q
  [FW1-ospf-1]default-route-advertise always
  [FW1-ospf-1]q

Core-SW1 configuration

  [Core-SW1]ospf 1 router-id 2.2.2.2
  [Core-SW1-ospf-1]a 0
  [Core-SW1-ospf-1-area-0.0.0.0]net 172.16.172.0 0.0.0.255
  [Core-SW1-ospf-1-area-0.0.0.0]net 172.16.70.0 0.0.0.255
  [Core-SW1-ospf-1-area-0.0.0.0]net 172.16.80.0 0.0.0.255
  [Core-SW1-ospf-1-area-0.0.0.0]net 172.16.10.0 0.0.0.255
  [Core-SW1-ospf-1-area-0.0.0.0]net 172.16.20.0 0.0.0.255
  [Core-SW1-ospf-1-area-0.0.0.0]q
  [Core-SW1-ospf-1]q

SW1 configuration

  [SW1]ospf 1 router-id 3.3.3.3
  [SW1-ospf-1]a 0
  [SW1-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
  [SW1-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
  [SW1-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
  [SW1-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
  [SW1-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
  [SW1-ospf-1-area-0.0.0.0]net 192.168.100.0 0.0.0.255
  [SW1-ospf-1-area-0.0.0.0]net 172.16.100.0 0.0.0.255
  [SW1-ospf-1-area-0.0.0.0]net 172.16.70.0 0.0.0.255
  [SW1-ospf-1-area-0.0.0.0]q
  [SW1-ospf-1]q

SW2 configuration

  [SW2]ospf 1 router-id 4.4.4.4
  [SW2-ospf-1]a 0
  [SW2-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
  [SW2-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
  [SW2-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
  [SW2-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
  [SW2-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
  [SW2-ospf-1-area-0.0.0.0]net 192.168.100.0 0.0.0.255
  [SW2-ospf-1-area-0.0.0.0]net 172.16.100.0 0.0.0.255
  [SW2-ospf-1-area-0.0.0.0]net 172.16.80.0 0.0.0.255
  [SW2-ospf-1-area-0.0.0.0]q
  [SW2-ospf-1]q

  5. DHCP configuration

For the internal hosts to obtain addresses via DHCP, a DHCP server is required. Here the server sits in the VLAN 100 subnet, and the aggregation switches relay client requests to it; the configuration follows.

DHCP server configuration

  [Huawei]sy DHCP
  [DHCP]int g0/0/0
  [DHCP-GigabitEthernet0/0/0]ip add 172.16.10.100 24
  [DHCP-GigabitEthernet0/0/0]q
  [DHCP]ip route-s 0.0.0.0 0 172.16.10.254
  [DHCP]dhcp enable
  [DHCP]ip pool vlan10
  [DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
  [DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
  [DHCP-ip-pool-vlan10]dns-list 172.16.50.30
  [DHCP-ip-pool-vlan10]excluded-ip-address 192.168.10.1 192.168.10.2
  [DHCP-ip-pool-vlan10]ip pool vlan20
  [DHCP-ip-pool-vlan20]gateway-list 192.168.20.254
  [DHCP-ip-pool-vlan20]network 192.168.20.0 mask 255.255.255.0
  [DHCP-ip-pool-vlan20]excluded-ip-address 192.168.20.1 192.168.20.2
  [DHCP-ip-pool-vlan20]dns-list 172.16.50.30
  [DHCP-ip-pool-vlan20]ip pool vlan30
  [DHCP-ip-pool-vlan30]gateway-list 192.168.30.254
  [DHCP-ip-pool-vlan30]network 192.168.30.0 mask 255.255.255.0
  [DHCP-ip-pool-vlan30]excluded-ip-address 192.168.30.1 192.168.30.2
  [DHCP-ip-pool-vlan30]dns-list 172.16.50.30
  [DHCP-ip-pool-vlan30]ip pool vlan40
  [DHCP-ip-pool-vlan40]gateway-list 192.168.40.254
  [DHCP-ip-pool-vlan40]network 192.168.40.0 mask 255.255.255.0
  [DHCP-ip-pool-vlan40]excluded-ip-address 192.168.40.1 192.168.40.2
  [DHCP-ip-pool-vlan40]dns-list 172.16.50.30
  [DHCP-ip-pool-vlan40]ip pool vlan50
  [DHCP-ip-pool-vlan50]gateway-list 192.168.50.254
  [DHCP-ip-pool-vlan50]network 192.168.50.0 mask 255.255.255.0
  [DHCP-ip-pool-vlan50]excluded-ip-address 192.168.50.1 192.168.50.2
  [DHCP-ip-pool-vlan50]dns-list 172.16.50.30
  [DHCP-ip-pool-vlan50]ip pool vlan1000
  [DHCP-ip-pool-vlan1000]gateway-list 192.168.100.254
  [DHCP-ip-pool-vlan1000]network 192.168.100.0 mask 255.255.255.0
  [DHCP-ip-pool-vlan1000]excluded-ip-address 192.168.100.1 192.168.100.2
  [DHCP-ip-pool-vlan1000]dns-list 172.16.50.30
  [DHCP-ip-pool-vlan1000]ip pool vlan2000
  [DHCP-ip-pool-vlan2000]gateway-list 172.16.100.254
  [DHCP-ip-pool-vlan2000]network 172.16.100.0 mask 255.255.255.0
  [DHCP-ip-pool-vlan2000]excluded-ip-address 172.16.100.1 172.16.100.2
  [DHCP-ip-pool-vlan2000]dns-list 172.16.50.30
  [DHCP-ip-pool-vlan2000]option 43 sub-option 3 ascii 172.16.20.1
  [DHCP-ip-pool-vlan2000]q
  [DHCP]int g0/0/0
  [DHCP-GigabitEthernet0/0/0]dhcp select global
  [DHCP-GigabitEthernet0/0/0]q

The VLAN 2000 pool serves the APs; option 43 sub-option 3 hands them the AC's address (172.16.20.1) so they can discover the controller.

SW1 configuration

  [SW1]dhcp enable
  [SW1]int vlan 10
  [SW1-Vlanif10]dhcp select relay
  [SW1-Vlanif10]dhcp relay server-ip 172.16.10.100
  [SW1-Vlanif10]int vlan 20
  [SW1-Vlanif20]dhcp select relay
  [SW1-Vlanif20]dhcp relay server-ip 172.16.10.100
  [SW1-Vlanif20]int vlan 30
  [SW1-Vlanif30]dhcp select relay
  [SW1-Vlanif30]dhcp relay server-ip 172.16.10.100
  [SW1-Vlanif30]int vlan 40
  [SW1-Vlanif40]dhcp select relay
  [SW1-Vlanif40]dhcp relay server-ip 172.16.10.100
  [SW1-Vlanif40]int vlan 50
  [SW1-Vlanif50]dhcp select relay
  [SW1-Vlanif50]dhcp relay server-ip 172.16.10.100
  [SW1-Vlanif50]int vlan 1000
  [SW1-Vlanif1000]dhcp select relay
  [SW1-Vlanif1000]dhcp relay server-ip 172.16.10.100
  [SW1-Vlanif1000]int vlan 2000
  [SW1-Vlanif2000]dhcp select relay
  [SW1-Vlanif2000]dhcp relay server-ip 172.16.10.100
  [SW1-Vlanif2000]q

SW2 configuration

  [SW2]dhcp enable
  [SW2]int vlan 10
  [SW2-Vlanif10]dhcp select relay
  [SW2-Vlanif10]dhcp relay server-ip 172.16.10.100
  [SW2-Vlanif10]int vlan 20
  [SW2-Vlanif20]dhcp select relay
  [SW2-Vlanif20]dhcp relay server-ip 172.16.10.100
  [SW2-Vlanif20]int vlan 30
  [SW2-Vlanif30]dhcp select relay
  [SW2-Vlanif30]dhcp relay server-ip 172.16.10.100
  [SW2-Vlanif30]int vlan 40
  [SW2-Vlanif40]dhcp select relay
  [SW2-Vlanif40]dhcp relay server-ip 172.16.10.100
  [SW2-Vlanif40]int vlan 50
  [SW2-Vlanif50]dhcp select relay
  [SW2-Vlanif50]dhcp relay server-ip 172.16.10.100
  [SW2-Vlanif50]int vlan 1000
  [SW2-Vlanif1000]dhcp select relay
  [SW2-Vlanif1000]dhcp relay server-ip 172.16.10.100
  [SW2-Vlanif1000]int vlan 2000
  [SW2-Vlanif2000]dhcp select relay
  [SW2-Vlanif2000]dhcp relay server-ip 172.16.10.100
  [SW2-Vlanif2000]q

  6. Wireless configuration

The wireless network uses the AC + AP model. The AC hangs off the core switch; VLAN 200 is the AC's management VLAN, VLAN 2000 is the APs' management subnet, and VLAN 1000 is the service subnet for wireless clients.

AC configuration

  [AC6005]sy AC
  [AC]vlan b 200
  [AC]int g0/0/1
  [AC-GigabitEthernet0/0/1]po li a
  [AC-GigabitEthernet0/0/1]po de v 200
  [AC-GigabitEthernet0/0/1]q
  [AC]int vlan 200
  [AC-Vlanif200]ip add 172.16.20.1 24
  [AC-Vlanif200]q
  [AC]ip route-static 0.0.0.0 0 172.16.20.2
  [AC]capwap source interface Vlanif 200
  [AC]wlan
  [AC-wlan-view]regulatory-domain-profile name wlan
  [AC-wlan-regulate-domain-wlan]country-code CN
  [AC-wlan-regulate-domain-wlan]q
  [AC-wlan-view]ap-group name ap
  [AC-wlan-ap-group-ap]regulatory-domain-profile wlan
  [AC-wlan-ap-group-ap]q
  [AC-wlan-view]ap auth-mode mac-auth
  [AC-wlan-view]ap-id 1 ap-mac 00e0-fcd7-3f50
  [AC-wlan-ap-1]ap-group ap
  [AC-wlan-ap-1]ap-name ap1
  [AC-wlan-ap-1]q
  [AC-wlan-view]ap-id 2 ap-mac 00e0-fc26-6370
  [AC-wlan-ap-2]ap-group ap
  [AC-wlan-ap-2]ap-name ap2
  [AC-wlan-ap-2]q
  [AC-wlan-view]ap-id 3 ap-mac 00e0-fc6d-5330
  [AC-wlan-ap-3]ap-group ap
  [AC-wlan-ap-3]ap-name ap3
  [AC-wlan-ap-3]q
  [AC-wlan-view]security-profile name security
  [AC-wlan-sec-prof-security]security wpa2 psk pass-phrase huawei@123 aes
  [AC-wlan-sec-prof-security]q
  [AC-wlan-view]ssid-profile name ssid
  [AC-wlan-ssid-prof-ssid]ssid wifi
  [AC-wlan-ssid-prof-ssid]q
  [AC-wlan-view]vap-profile name vap
  [AC-wlan-vap-prof-vap]forward-mode tunnel
  [AC-wlan-vap-prof-vap]service-vlan vlan-id 1000
  [AC-wlan-vap-prof-vap]security-profile security
  [AC-wlan-vap-prof-vap]ssid-profile ssid
  [AC-wlan-vap-prof-vap]q
  [AC-wlan-view]ap-group name ap
  [AC-wlan-ap-group-ap]vap-profile vap wlan 1 radio all
  [AC-wlan-ap-group-ap]q

The AC's VLANIF 200 address is set once, and the static default route towards Core-SW1 (172.16.20.2) is needed because the APs live in the VLAN 2000 subnet behind SW1/SW2, not on the AC's own subnet. APs are admitted by MAC authentication, so only the three listed AP MAC addresses can join the controller.

  7. Access control (ACL) configuration

Requirements: Marketing, R&D and HR communicate with each other; Marketing cannot reach Administration; Administration, R&D and HR communicate with each other; Finance can only communicate with Administration. The ACLs are applied inbound on the access-facing trunk ports of both aggregation switches so that they take effect whichever switch is the active gateway.

SW1 configuration

  [SW1]acl number 3000
  [SW1-acl-adv-3000]rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
  [SW1-acl-adv-3000]rule 10 permit ip
  [SW1-acl-adv-3000]acl number 3001
  [SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.10.0 0.0.0.255
  [SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.20.0 0.0.0.255
  [SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.30.0 0.0.0.255
  [SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.100.0 0.0.0.255
  [SW1-acl-adv-3001]rule per ip
  [SW1-acl-adv-3001]q
  [SW1]int g0/0/1
  [SW1-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
  [SW1-GigabitEthernet0/0/1]q
  [SW1]int g0/0/3
  [SW1-GigabitEthernet0/0/3]traffic-filter inbound acl 3001
  [SW1-GigabitEthernet0/0/3]q

SW2 configuration

  [SW2]acl number 3000
  [SW2-acl-adv-3000]rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
  [SW2-acl-adv-3000]rule 10 permit ip
  [SW2-acl-adv-3000]acl number 3001
  [SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.10.0 0.0.0.255
  [SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.20.0 0.0.0.255
  [SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.30.0 0.0.0.255
  [SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.100.0 0.0.0.255
  [SW2-acl-adv-3001]rule per ip
  [SW2-acl-adv-3001]q
  [SW2]int g0/0/1
  [SW2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
  [SW2-GigabitEthernet0/0/1]q
  [SW2]int g0/0/3
  [SW2-GigabitEthernet0/0/3]traffic-filter inbound acl 3001
  [SW2-GigabitEthernet0/0/3]q
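
The ACLs above are one-directional: ACL 3001, for instance, only blocks packets sourced by Finance, yet the design relies on that to cut Finance off from the other departments, because a session whose replies are dropped is just as unusable as one whose requests are. The following added example (not part of the original article) models the two ACLs, their inbound bindings and the department subnets from the page, and checks the resulting pairwise reachability against the stated requirement. Department-to-VLAN mapping and the rule that "no matching rule means permit" follow the page and VRP's documented default; the idea of requiring both directions to pass is the author's own check, not something the page states.

```python
import ipaddress
from itertools import combinations

# Department subnets, from the VLAN interface addressing and ACL rules on the page.
DEPARTMENTS = {
    "marketing": "192.168.10.0/24",   # VLAN 10
    "rd":        "192.168.20.0/24",   # VLAN 20
    "hr":        "192.168.30.0/24",   # VLAN 30
    "finance":   "192.168.40.0/24",   # VLAN 40
    "admin":     "192.168.50.0/24",   # VLAN 50
    "wireless":  "192.168.100.0/24",  # VLAN 1000
}


def wildcard_to_network(addr, wildcard):
    """Convert VRP 'address wildcard' notation (0 bits must match) to a network."""
    wc = int(ipaddress.ip_address(wildcard))
    if wc & (wc + 1):                    # only contiguous low-order 1 bits are supported
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported here")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def deny(src, dst):
    """Build a 'rule deny ip source S W destination D W' entry from two 'addr wildcard' strings."""
    s_addr, s_wc = src.split()
    d_addr, d_wc = dst.split()
    return ("deny", wildcard_to_network(s_addr, s_wc), wildcard_to_network(d_addr, d_wc))


ANY = wildcard_to_network("0.0.0.0", "255.255.255.255")
PERMIT_ANY = ("permit", ANY, ANY)

# ACL 3000 and 3001 as configured on SW1 (SW2 carries the same rules).
ACL_3000 = [deny("192.168.10.0 0.0.0.255", "192.168.50.0 0.0.0.255"), PERMIT_ANY]
ACL_3001 = [
    deny("192.168.40.0 0.0.0.255", "192.168.10.0 0.0.0.255"),
    deny("192.168.40.0 0.0.0.255", "192.168.20.0 0.0.0.255"),
    deny("192.168.40.0 0.0.0.255", "192.168.30.0 0.0.0.255"),
    deny("192.168.40.0 0.0.0.255", "192.168.100.0 0.0.0.255"),
    PERMIT_ANY,
]

# 'traffic-filter inbound' binds an ACL to the trunk port on which a department's
# traffic enters the aggregation switch. VLAN 1000 is trunked on all three access
# ports, so wireless traffic may meet any of the three filters.
INGRESS_ACLS = {
    "marketing": [ACL_3000],                   # g0/0/1
    "rd": [None], "hr": [None],                # g0/0/2 has no traffic-filter
    "finance": [ACL_3001], "admin": [ACL_3001],  # g0/0/3
    "wireless": [ACL_3000, None, ACL_3001],
}


def acl_permits(acl, src, dst):
    """First matching rule decides; a VRP ACL with no matching rule permits."""
    if acl is None:
        return True
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action == "permit"
    return True


def department_of(ip):
    for name, subnet in DEPARTMENTS.items():
        if ip in ipaddress.ip_network(subnet):
            return name
    raise ValueError(f"{ip} is not in a department subnet")


def one_way(src_ip, dst_ip):
    """True if src -> dst passes the ingress filter on every port the source VLAN can enter."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return all(acl_permits(acl, src, dst) for acl in INGRESS_ACLS[department_of(src)])


def can_communicate(ip_a, ip_b):
    """A usable session needs both the request path and the reply path open."""
    return one_way(ip_a, ip_b) and one_way(ip_b, ip_a)


# The requirement from the page, expressed as the pairs that must NOT communicate.
MUST_BE_BLOCKED = {
    frozenset({"marketing", "admin"}),
    frozenset({"finance", "marketing"}), frozenset({"finance", "rd"}),
    frozenset({"finance", "hr"}), frozenset({"finance", "wireless"}),
}


def sample_host(dept):
    """A constructed host address (.10) inside the department's subnet."""
    return str(ipaddress.ip_network(DEPARTMENTS[dept]).network_address + 10)


def policy_violations():
    """(dept_a, dept_b, observed) for every pair whose reachability differs from the requirement."""
    out = []
    for a, b in combinations(DEPARTMENTS, 2):
        observed = can_communicate(sample_host(a), sample_host(b))
        expected = frozenset({a, b}) not in MUST_BE_BLOCKED
        if observed != expected:
            out.append((a, b, observed))
    return out


if __name__ == "__main__":
    for a, b in combinations(DEPARTMENTS, 2):
        print(f"{a:>9} <-> {b:<9}", "open" if can_communicate(sample_host(a), sample_host(b)) else "blocked")
    print("violations:", policy_violations())
```

Running it lists every department pair as open or blocked and an empty violation list. The one-way checks make the page's trade-off visible: R&D can still send packets to Finance (`one_way` is true in that direction) and only the replies are dropped, so a stateless filter like this stops TCP sessions but not unsolicited one-way UDP or ICMP from the unfiltered side. Note also that the same ACL numbers and bindings are duplicated on SW1 and SW2; if a rule is later changed on only one switch, the policy silently depends on which switch is the VRRP master at the time.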

  8. Firewall security policy configuration

Permit Internet traffic from trust to untrust, permit trust to dmz for access to the servers, and permit untrust to dmz only for the published web and FTP servers. Everything else, including dmz towards trust, is dropped by the firewall's default policy.

  [FW1]security-policy
  [FW1-policy-security]rule name t-u
  [FW1-policy-security-rule-t-u]source-zone trust
  [FW1-policy-security-rule-t-u]destination-zone untrust
  [FW1-policy-security-rule-t-u]ac p
  [FW1-policy-security-rule-t-u]q
  [FW1-policy-security]rule name t-d
  [FW1-policy-security-rule-t-d]source-zone trust
  [FW1-policy-security-rule-t-d]destination-zone dmz
  [FW1-policy-security-rule-t-d]ac p
  [FW1-policy-security-rule-t-d]q
  [FW1-policy-security]rule name u-d
  [FW1-policy-security-rule-u-d]source-zone untrust
  [FW1-policy-security-rule-u-d]destination-zone dmz
  [FW1-policy-security-rule-u-d]destination-address 172.16.50.10 32
  [FW1-policy-security-rule-u-d]destination-address 172.16.50.20 32
  [FW1-policy-security-rule-u-d]service http ftp
  [FW1-policy-security-rule-u-d]ac p
  [FW1-policy-security-rule-u-d]q
  [FW1-policy-security]q

Rule u-d matches on the servers' private addresses because the NAT server mapping (destination NAT) is applied before the security policy lookup, so the policy sees the translated inside address.

  9. NAT policy configuration

  [FW1]nat-policy
  [FW1-policy-nat]rule name t-u-nat
  [FW1-policy-nat-rule-t-u-nat]source-zone trust
  [FW1-policy-nat-rule-t-u-nat]destination-zone untrust
  [FW1-policy-nat-rule-t-u-nat]action source-nat easy-ip
  [FW1-policy-nat-rule-t-u-nat]q
  [FW1-policy-nat]q

  10. NAT Server configuration

  [FW1]nat server pro tcp global 202.96.137.88 8080 inside 172.16.50.10 www
  [FW1]nat server pro tcp global 202.96.137.88 ftp inside 172.16.50.20 ftp
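
To see how the three firewall pieces above fit together, the following added example (not part of the original article and not Huawei code) walks a packet through the FW1 processing order: NAT server (destination NAT) first, then the security policy with its implicit default deny, then easy-ip source NAT for trust-to-untrust traffic. The zone of an address is derived from the interface addressing on the page rather than from a real route lookup, which is a simplification; `SERVICES` maps the predefined `http` and `ftp` service names to TCP 80 and 21, and the sample packets are constructed.

```python
import ipaddress

# Zone membership derived from the FW1 interface addresses on the page.
# Simplification (assumption): the zone is decided by the address, not by a route lookup.
DMZ_NET = ipaddress.ip_network("172.16.50.0/24")
INSIDE = [ipaddress.ip_network("172.16.0.0/16"), ipaddress.ip_network("192.168.0.0/16")]
UNTRUST_IF_ADDR = "202.96.137.88"  # g1/0/2, the address easy-ip uses for source NAT


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if any(addr in net for net in INSIDE):
        return "trust"
    return "untrust"


# nat server entries: (global ip, proto, global port) -> (inside ip, inside port)
NAT_SERVER = {
    ("202.96.137.88", "tcp", 8080): ("172.16.50.10", 80),  # 'www' keyword = TCP 80
    ("202.96.137.88", "tcp", 21):   ("172.16.50.20", 21),  # 'ftp' keyword = TCP 21
}

SERVICES = {"http": ("tcp", 80), "ftp": ("tcp", 21)}  # predefined services used by rule u-d

# security-policy rules in configured order; None means "any"
SECURITY_POLICY = [
    {"name": "t-u", "src_zone": "trust", "dst_zone": "untrust", "dst": None, "services": None},
    {"name": "t-d", "src_zone": "trust", "dst_zone": "dmz", "dst": None, "services": None},
    {"name": "u-d", "src_zone": "untrust", "dst_zone": "dmz",
     "dst": [ipaddress.ip_network("172.16.50.10/32"), ipaddress.ip_network("172.16.50.20/32")],
     "services": ["http", "ftp"]},
]


def match_policy(src_zone, dst_zone, dst_ip, proto, dst_port):
    """First matching rule wins; no match means the implicit default deny."""
    dst = ipaddress.ip_address(dst_ip)
    for r in SECURITY_POLICY:
        if (r["src_zone"], r["dst_zone"]) != (src_zone, dst_zone):
            continue
        if r["dst"] is not None and not any(dst in n for n in r["dst"]):
            continue
        if r["services"] is not None and (proto, dst_port) not in [SERVICES[s] for s in r["services"]]:
            continue
        return r["name"]
    return None


def process(src_ip, src_port, dst_ip, dst_port, proto="tcp"):
    """Return the verdict, the matched rule and the 5-tuple as it leaves the firewall."""
    # 1. destination NAT (nat server) runs before the policy lookup, so the
    #    policy sees the inside address, which is how rule u-d is written.
    dst_ip, dst_port = NAT_SERVER.get((dst_ip, proto, dst_port), (dst_ip, dst_port))
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    # 2. security policy, first match, default deny
    rule = match_policy(src_zone, dst_zone, dst_ip, proto, dst_port)
    if rule is None:
        return {"action": "deny", "rule": None, "src": (src_ip, src_port), "dst": (dst_ip, dst_port)}
    # 3. easy-ip source NAT for trust -> untrust (nat-policy rule t-u-nat);
    #    port allocation by the NAT engine is not modelled, the port is kept as-is.
    if (src_zone, dst_zone) == ("trust", "untrust"):
        src_ip = UNTRUST_IF_ADDR
    return {"action": "permit", "rule": rule, "src": (src_ip, src_port), "dst": (dst_ip, dst_port)}


if __name__ == "__main__":
    # constructed sample packets
    print(process("1.2.3.4", 40000, "202.96.137.88", 8080))        # web server via DNAT
    print(process("1.2.3.4", 40001, "202.96.137.88", 22))          # unpublished port: denied
    print(process("192.168.10.10", 50000, "8.8.8.8", 53, "udp"))   # outbound, easy-ip
    print(process("172.16.50.10", 50001, "192.168.10.10", 445))    # dmz -> trust: denied
```

The last two sample packets make the defensive properties of the policy concrete: an unpublished port on the public address has no NAT server entry, so it never reaches a dmz rule and falls to the default deny; and a compromised dmz server cannot initiate connections into trust, because no rule covers dmz to trust.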

IV. Network tests

  1. DHCP test

  2. Internet access test

  3. Wireless login test

  4. VRRP master/backup election test

SW1 is master for VLANs 10, 20, 100, 200 and backup for VLANs 30, 40, 50.

SW2 is master for VLANs 30, 40, 50 and backup for VLANs 10, 20, 100, 200.

  5. Load-sharing test

Marketing, R&D and wireless traffic go through SW1.

HR, Finance and Administration traffic go through SW2.

  6. Core routing table and OSPF neighbour relationship check

  7. ACL test

Marketing, R&D and HR communicate with each other.

Marketing cannot reach Administration.

Administration, R&D and HR communicate with each other.

Finance can only communicate with Administration.

  8. Intranet access to the servers test

  9. External NAT Server test

External client accessing the internal web server.

External client accessing the internal FTP server.

Source: https://www.wpsshop.cn/w/代码探险家/article/detail/833159