Abstract
This design plans the network build-out for a company using a three-tier architecture of access, aggregation and core layers. All access- and aggregation-layer switches run MSTP and VRRP for redundancy, protecting device and link stability. OSPF dynamic routing is used to simplify route maintenance, and DHCP assigns addresses dynamically to ease IP address management. The Internet egress is a firewall that protects the network. SNAT on the firewall lets the company intranet reach the Internet, and DNAT on the firewall lets external networks reach the company's servers.
1. Design approach
Each department gets its own VLAN; hosts within a department communicate freely, and reachability between departments is governed by ACL rules.
The intranet uses private IP addresses; each department is assigned one private /24 segment for Internet access.
Department hosts obtain addresses automatically via DHCP, which reduces the administrator's manual assignment workload and eases management and maintenance.
OSPF is run to speed up convergence. OSPF also adapts to topology changes, learns routes automatically, prevents routing loops and keeps the topology stable.
Access- and aggregation-layer switches are configured with MSTP and VRRP for device redundancy, link reliability and load sharing, so that when a primary device fails, traffic fails over quickly to the backup without interrupting forwarding.
A firewall is added with security zones to control forwarding between department hosts, servers and external devices, protecting the company network.
The egress uses fibre access, and the aggregation switches use link aggregation to raise bandwidth, giving 10 Gbit/s from the carrier, 1 Gbit/s to each department and 100 Mbit/s to the desktop.
Wireless coverage across the whole company lets internal terminals connect wirelessly and reach the Internet.
ACLs on the aggregation switches implement the access requirements: Marketing and Administration cannot communicate, Finance can communicate only with Administration, and all other departments communicate freely.
SNAT: applied when intranet users access the Internet, translating private addresses to public ones. Easy-IP NAT is used here so that outbound traffic is sourced from the egress interface address.
DNAT: lets external users reach internal servers. When a user accesses 202.96.137.88:8080, the firewall forwards the traffic to the internal web server; when a user accesses 202.96.137.88:21, the firewall translates the destination to 172.16.50.20:21, the company's FTP server.
2. Network topology
A topology diagram is the most direct way to present a network's design, and the classic topologies each have their own characteristics. We use the standard three-tier core, aggregation and access architecture. No single device outage may bring down the network, so every switch must have a hot-standby redundant peer. The company's network topology is shown in the figure below.
The project file can be downloaded from the following link: ensp典型中小型企业网搭建(带无线) (eNSP build of a typical small/medium enterprise network, with wireless)
3. Configuration steps
Basic configuration
Switch VLAN creation, interface assignment and IP address configuration
Core-SW1 configuration
[Huawei]sy Core-SW1
[Core-SW1]vlan b 70 80 100 200 172
Info: This operation may take a few seconds. Please wait for a moment...done.
[Core-SW1]int vlan 70
[Core-SW1-Vlanif70]ip add 172.16.70.2 24
[Core-SW1-Vlanif70]int vlan 80
[Core-SW1-Vlanif80]ip add 172.16.80.2 24
[Core-SW1-Vlanif80]int vlan 100
[Core-SW1-Vlanif100]ip add 172.16.10.254 24
[Core-SW1-Vlanif100]int vlan 200
[Core-SW1-Vlanif200]ip add 172.16.20.2 24
[Core-SW1-Vlanif200]int vlan 172
[Core-SW1-Vlanif172]ip add 172.16.172.1 24
[Core-SW1-Vlanif172]q
[Core-SW1]int g0/0/23
[Core-SW1-GigabitEthernet0/0/23]po li a
[Core-SW1-GigabitEthernet0/0/23]po de v 70
[Core-SW1-GigabitEthernet0/0/23]int g0/0/24
[Core-SW1-GigabitEthernet0/0/24]po li a
[Core-SW1-GigabitEthernet0/0/24]po de v 80
[Core-SW1-GigabitEthernet0/0/24]int g0/0/2
[Core-SW1-GigabitEthernet0/0/2]po li a
[Core-SW1-GigabitEthernet0/0/2]po de v 100
[Core-SW1-GigabitEthernet0/0/2]int g0/0/1
[Core-SW1-GigabitEthernet0/0/1]po li a
[Core-SW1-GigabitEthernet0/0/1]po de v 200
[Core-SW1-GigabitEthernet0/0/1]int g0/0/3
[Core-SW1-GigabitEthernet0/0/3]po li a
[Core-SW1-GigabitEthernet0/0/3]po de v 172
[Core-SW1-GigabitEthernet0/0/3]q
SW1 configuration
[Huawei]sy SW1
[SW1]vlan b 10 20 30 40 50 70 1000 2000
[SW1]int vlan 10
[SW1-Vlanif10]ip add 192.168.10.1 24
[SW1-Vlanif10]int vlan 20
[SW1-Vlanif20]ip add 192.168.20.1 24
[SW1-Vlanif20]int vlan 30
[SW1-Vlanif30]ip add 192.168.30.1 24
[SW1-Vlanif30]int vlan 40
[SW1-Vlanif40]ip add 192.168.40.1 24
[SW1-Vlanif40]int vlan 50
[SW1-Vlanif50]ip add 192.168.50.1 24
[SW1-Vlanif50]int vlan 1000
[SW1-Vlanif1000]ip add 192.168.100.1 24
[SW1-Vlanif1000]int vlan 2000
[SW1-Vlanif2000]ip add 172.16.100.1 24
[SW1-Vlanif2000]int vlan 70
[SW1-Vlanif70]ip add 172.16.70.1 24
[SW1-Vlanif70]q
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]po li t
[SW1-GigabitEthernet0/0/1]po t all vlan 10 1000 2000
[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]po li t
[SW1-GigabitEthernet0/0/2]po t all vlan 20 30 1000 2000
[SW1-GigabitEthernet0/0/2]int g0/0/3
[SW1-GigabitEthernet0/0/3]po li t
[SW1-GigabitEthernet0/0/3]po t all vlan 40 50 1000 2000
[SW1-GigabitEthernet0/0/3]int g0/0/23
[SW1-GigabitEthernet0/0/23]po li a
[SW1-GigabitEthernet0/0/23]po de v 70
[SW1-GigabitEthernet0/0/23]q
SW2 configuration
[Huawei]sy SW2
[SW2]vlan b 10 20 30 40 50 80 1000 2000
[SW2]int vlan 10
[SW2-Vlanif10]ip add 192.168.10.2 24
[SW2-Vlanif10]int vlan 20
[SW2-Vlanif20]ip add 192.168.20.2 24
[SW2-Vlanif20]int vlan 30
[SW2-Vlanif30]ip add 192.168.30.2 24
[SW2-Vlanif30]int vlan 40
[SW2-Vlanif40]ip add 192.168.40.2 24
[SW2-Vlanif40]int vlan 50
[SW2-Vlanif50]ip add 192.168.50.2 24
[SW2-Vlanif50]int vlan 80
[SW2-Vlanif80]ip add 172.16.80.1 24
[SW2-Vlanif80]int vlan 1000
[SW2-Vlanif1000]ip add 192.168.100.2 24
[SW2-Vlanif1000]int vlan 2000
[SW2-Vlanif2000]ip add 172.16.100.2 24
[SW2-Vlanif2000]q
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]po li t
[SW2-GigabitEthernet0/0/1]po t all vlan 10 1000 2000
[SW2-GigabitEthernet0/0/1]int g0/0/2
[SW2-GigabitEthernet0/0/2]po li t
[SW2-GigabitEthernet0/0/2]po t all vlan 20 30 1000 2000
[SW2-GigabitEthernet0/0/2]int g0/0/3
[SW2-GigabitEthernet0/0/3]po li t
[SW2-GigabitEthernet0/0/3]po t all vlan 40 50 1000 2000
[SW2-GigabitEthernet0/0/3]int g0/0/24
[SW2-GigabitEthernet0/0/24]po li a
[SW2-GigabitEthernet0/0/24]po de v 80
[SW2-GigabitEthernet0/0/24]q
SW3 configuration
[Huawei]sy SW3
[SW3]vlan b 10 1000 2000
[SW3]int e0/0/1
[SW3-Ethernet0/0/1]po li a
[SW3-Ethernet0/0/1]po de v 10
[SW3-Ethernet0/0/1]int e0/0/2
[SW3-Ethernet0/0/2]po li t
[SW3-Ethernet0/0/2]po t all vlan 2000 1000
[SW3-Ethernet0/0/2]po t pv vlan 2000
[SW3-Ethernet0/0/2]int e0/0/3
[SW3-Ethernet0/0/3]po li t
[SW3-Ethernet0/0/3]po t all vlan 10 1000 2000
[SW3-Ethernet0/0/3]int e0/0/4
[SW3-Ethernet0/0/4]po li t
[SW3-Ethernet0/0/4]po t all vlan 10 1000 2000
[SW3-Ethernet0/0/4]q
SW4 configuration
[Huawei]sy SW4
[SW4]vlan b 20 30 1000 2000
[SW4]int e0/0/1
[SW4-Ethernet0/0/1]po li a
[SW4-Ethernet0/0/1]po de v 20
[SW4-Ethernet0/0/1]int e0/0/2
[SW4-Ethernet0/0/2]po li a
[SW4-Ethernet0/0/2]po de v 30
[SW4-Ethernet0/0/2]int e0/0/3
[SW4-Ethernet0/0/3]po li t
[SW4-Ethernet0/0/3]po t all vlan 1000 2000
[SW4-Ethernet0/0/3]po t pv vlan 2000
[SW4-Ethernet0/0/3]int e0/0/4
[SW4-Ethernet0/0/4]po li t
[SW4-Ethernet0/0/4]po t all vlan 20 30 1000 2000
[SW4-Ethernet0/0/4]int e0/0/5
[SW4-Ethernet0/0/5]po li t
[SW4-Ethernet0/0/5]po t all vlan 20 30 1000 2000
[SW4-Ethernet0/0/5]q
SW5 configuration
[Huawei]sy SW5
[SW5]vlan b 40 50 1000 2000
[SW5]int e0/0/1
[SW5-Ethernet0/0/1]po li a
[SW5-Ethernet0/0/1]po de v 40
[SW5-Ethernet0/0/1]int e0/0/2
[SW5-Ethernet0/0/2]po li a
[SW5-Ethernet0/0/2]po de v 50
[SW5-Ethernet0/0/2]int e0/0/3
[SW5-Ethernet0/0/3]po li t
[SW5-Ethernet0/0/3]po t all vlan 1000 2000
[SW5-Ethernet0/0/3]po t pv vlan 2000
[SW5-Ethernet0/0/3]int e0/0/4
[SW5-Ethernet0/0/4]po li t
[SW5-Ethernet0/0/4]po t all vlan 40 50 1000 2000
[SW5-Ethernet0/0/4]int e0/0/5
[SW5-Ethernet0/0/5]po li t
[SW5-Ethernet0/0/5]po t all vlan 40 50 1000 2000
[SW5-Ethernet0/0/5]q
Firewall security zone assignment, interface zone membership and IP configuration
[USG6000V1]sy FW1
[FW1]fire zone trust
[FW1-zone-trust]add int g1/0/0
[FW1-zone-trust]fire zone untrust
[FW1-zone-untrust]add int g1/0/2
[FW1-zone-untrust]fire zone dmz
[FW1-zone-dmz]add int g1/0/1
[FW1-zone-dmz]q
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 172.16.50.254 24
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 202.96.137.88 24
[FW1-GigabitEthernet1/0/2]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 172.16.172.2 24
[FW1-GigabitEthernet1/0/0]q
Carrier router interface IP configuration
[Huawei]sy ISP
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip add 202.96.137.1 24
[ISP-GigabitEthernet0/0/0]int g0/0/1
[ISP-GigabitEthernet0/0/1]ip add 100.100.100.1 24
[ISP-GigabitEthernet0/0/1]q
VRRP + MSTP configuration
Configure the VRRP groups so that SW1 is the master gateway for VLANs 10, 20, 1000 and 2000 and the backup for VLANs 30, 40 and 50, while SW2 is the master for VLANs 30, 40 and 50 and the backup for VLANs 10, 20, 1000 and 2000. MSTP follows the same split: SW1 is the primary root bridge for VLANs 10, 20, 1000 and 2000 and the secondary root for VLANs 30, 40 and 50; SW2 is the primary root for VLANs 30, 40 and 50 and the secondary root for VLANs 10, 20, 1000 and 2000.
SW1 configuration
[SW1]int vlan 10
[SW1-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW1-Vlanif10]vrrp vr 10 pri 110
[SW1-Vlanif10]int vlan 20
[SW1-Vlanif20]vrrp vr 20 vi 192.168.20.254
[SW1-Vlanif20]vrrp vr 20 pri 110
[SW1-Vlanif20]int vlan 1000
[SW1-Vlanif1000]vrrp vr 100 vi 192.168.100.254
[SW1-Vlanif1000]vrrp vr 100 pri 110
[SW1-Vlanif1000]int vlan 2000
[SW1-Vlanif2000]vrrp vr 200 vi 172.16.100.254
[SW1-Vlanif2000]vrrp vr 200 pri 110
[SW1-Vlanif2000]int vlan 30
[SW1-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW1-Vlanif30]int vlan 40
[SW1-Vlanif40]vrrp vr 40 vi 192.168.40.254
[SW1-Vlanif40]int vlan 50
[SW1-Vlanif50]vrrp vr 50 vi 192.168.50.254
[SW1-Vlanif50]q
[SW1]stp region-configuration
[SW1-mst-region]region-name huawei
[SW1-mst-region]instance 1 vlan 10 20 1000 2000
[SW1-mst-region]instance 2 vlan 30 40 50
[SW1-mst-region]active region-configuration
[SW1-mst-region]q
[SW1]stp instance 1 root primary
[SW1]stp instance 2 root secondary
SW1 must carry priority 110 on VRID 10 just as on the other VRIDs it owns: with both switches at the default priority of 100, VRRP elects the router with the higher interface address, which would make SW2 (192.168.10.2) the master for VLAN 10 contrary to the design.
SW2 configuration
[SW2]int vlan 10
[SW2-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW2-Vlanif10]int vlan 20
[SW2-Vlanif20]vrrp vr 20 vi 192.168.20.254
[SW2-Vlanif20]int vlan 1000
[SW2-Vlanif1000]vrrp vr 100 vi 192.168.100.254
[SW2-Vlanif1000]int vlan 2000
[SW2-Vlanif2000]vrrp vr 200 vi 172.16.100.254
[SW2-Vlanif2000]int vlan 30
[SW2-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW2-Vlanif30]vrrp vr 30 pri 110
[SW2-Vlanif30]int vlan 40
[SW2-Vlanif40]vrrp vr 40 vi 192.168.40.254
[SW2-Vlanif40]vrrp vr 40 pri 110
[SW2-Vlanif40]int vlan 50
[SW2-Vlanif50]vrrp vr 50 vi 192.168.50.254
[SW2-Vlanif50]vrrp vr 50 pri 110
[SW2-Vlanif50]q
[SW2]stp region-configuration
[SW2-mst-region]region-name huawei
[SW2-mst-region]instance 1 vlan 10 20 1000 2000
[SW2-mst-region]instance 2 vlan 30 40 50
[SW2-mst-region]active region-configuration
[SW2-mst-region]q
[SW2]stp instance 1 root secondary
[SW2]stp instance 2 root primary
SW3 configuration
[SW3]stp region-configuration
[SW3-mst-region]region-name huawei
[SW3-mst-region]instance 1 vlan 10 20 1000 2000
[SW3-mst-region]instance 2 vlan 30 40 50
[SW3-mst-region]active region-configuration
[SW3-mst-region]q
SW4 configuration
[SW4]stp region-configuration
[SW4-mst-region]region-name huawei
[SW4-mst-region]instance 1 vlan 10 20 1000 2000
[SW4-mst-region]instance 2 vlan 30 40 50
[SW4-mst-region]active region-configuration
[SW4-mst-region]q
SW5 configuration
[SW5]stp region-configuration
[SW5-mst-region]region-name huawei
[SW5-mst-region]instance 1 vlan 10 20 1000 2000
[SW5-mst-region]instance 2 vlan 30 40 50
[SW5-mst-region]active region-configuration
[SW5-mst-region]q
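The master/backup split described above can be checked before touching the lab. The following Python model is an added example, not code from the original page or from Huawei: it applies the VRRP election rule (highest priority wins, a tie goes to the higher interface address, RFC 5798) to a table transcribed from the SW1/SW2 configuration, compares the result with the intended split, and shows what happens when one priority line is left out.

```python
"""VRRP master election model (added example; not part of the original page).

Per VRID the router with the highest priority becomes master; on a tie the
router with the numerically higher interface address wins (RFC 5798). The
table below is transcribed from the SW1/SW2 VRRP configuration above; a
priority of None means the line was not configured, i.e. the default of 100.
"""
import ipaddress

DEFAULT_PRIORITY = 100

# vrid -> {switch: (interface address on that VLAN, configured priority or None)}
VRRP_CONFIG = {
    10:  {"SW1": ("192.168.10.1", 110),  "SW2": ("192.168.10.2", None)},
    20:  {"SW1": ("192.168.20.1", 110),  "SW2": ("192.168.20.2", None)},
    100: {"SW1": ("192.168.100.1", 110), "SW2": ("192.168.100.2", None)},
    200: {"SW1": ("172.16.100.1", 110),  "SW2": ("172.16.100.2", None)},
    30:  {"SW1": ("192.168.30.1", None), "SW2": ("192.168.30.2", 110)},
    40:  {"SW1": ("192.168.40.1", None), "SW2": ("192.168.40.2", 110)},
    50:  {"SW1": ("192.168.50.1", None), "SW2": ("192.168.50.2", 110)},
}

# Intended master per VRID, from the design text above.
DESIGN_INTENT = {10: "SW1", 20: "SW1", 100: "SW1", 200: "SW1",
                 30: "SW2", 40: "SW2", 50: "SW2"}


def effective_priority(configured):
    return DEFAULT_PRIORITY if configured is None else configured


def elect_master(members):
    """members: {name: (ip, priority_or_None)} -> name of the elected master."""
    return max(
        members,
        key=lambda n: (effective_priority(members[n][1]),
                       int(ipaddress.ip_address(members[n][0]))),
    )


def election_table(config=VRRP_CONFIG):
    return {vrid: elect_master(members) for vrid, members in config.items()}


def design_violations(config=VRRP_CONFIG, intent=DESIGN_INTENT):
    """VRIDs whose elected master differs from the intended one."""
    table = election_table(config)
    return sorted(vrid for vrid, wanted in intent.items() if table[vrid] != wanted)


def without_priority(config, vrid, switch):
    """Copy of config with one 'vrrp vrid N priority' line removed (back to 100)."""
    changed = {k: dict(v) for k, v in config.items()}
    ip, _ = changed[vrid][switch]
    changed[vrid][switch] = (ip, None)
    return changed


if __name__ == "__main__":
    for vrid, master in sorted(election_table().items()):
        print(f"VRID {vrid:>3}: master {master}")
    print("violations:", design_violations())
    # Leaving out the priority on SW1 for VRID 10 hands the VLAN to SW2 on the address tie-break.
    print("violations without SW1 priority on VRID 10:",
          design_violations(without_priority(VRRP_CONFIG, 10, "SW1")))
```

The second print line is the check worth keeping in a change review: a forgotten priority does not produce an error on the switch, it silently moves the active gateway to the other aggregation switch, which is exactly the kind of drift the VRRP election test in section 4 is meant to catch.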
Link aggregation configuration
Link aggregation is configured between the aggregation switches. First, it raises bandwidth: bundling two links doubles the available capacity. Second, it improves link resilience: if one link fails, forwarding continues without interruption. Third, if an aggregation switch loses its uplink, traffic is forwarded over the aggregated inter-switch link, adding redundancy.
SW1 configuration
[SW1]int eth1
[SW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 0/0/5
[SW1-Eth-Trunk1]po li t
[SW1-Eth-Trunk1]po t all vlan 10 20 30 40 50 1000 2000
[SW1-Eth-Trunk1]q
SW2 configuration
[SW2]int eth1
[SW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 0/0/5
[SW2-Eth-Trunk1]po li t
[SW2-Eth-Trunk1]po t all vlan 10 20 30 40 50 1000 2000
[SW2-Eth-Trunk1]q
Routing configuration
The border device is configured with a default route pointing outward. The intranet runs OSPF dynamic routing for full internal reachability.
FW1 configuration
[FW1]ip route-s 0.0.0.0 0 202.96.137.1
[FW1]ospf 1 router-id 1.1.1.1
[FW1-ospf-1]a 0
[FW1-ospf-1-area-0.0.0.0]net 172.16.172.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]q
[FW1-ospf-1]default-route-advertise always
[FW1-ospf-1]q
Core-SW1 configuration
[Core-SW1]ospf 1 router-id 2.2.2.2
[Core-SW1-ospf-1]a 0
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.172.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.70.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.80.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.10.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.20.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]q
[Core-SW1-ospf-1]q
SW1 configuration
[SW1]ospf 1 router-id 3.3.3.3
[SW1-ospf-1]a 0
[SW1-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.100.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 172.16.100.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 172.16.70.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]q
[SW1-ospf-1]q
SW2 configuration
[SW2]ospf 1 router-id 4.4.4.4
[SW2-ospf-1]a 0
[SW2-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.100.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 172.16.100.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 172.16.80.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]q
[SW2-ospf-1]q
DHCP configuration
To let internal terminal hosts get online via DHCP, a DHCP server is needed. Here the DHCP server sits on the VLAN 100 segment and is configured as follows.
DHCP server configuration
[Huawei]sy DHCP
[DHCP]dhcp enable
[DHCP]int g0/0/0
[DHCP-GigabitEthernet0/0/0]ip add 172.16.10.100 24
[DHCP-GigabitEthernet0/0/0]q
[DHCP]ip route-s 0.0.0.0 0 172.16.10.254
[DHCP]ip pool vlan10
[DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
[DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[DHCP-ip-pool-vlan10]dns-list 172.16.50.30
[DHCP-ip-pool-vlan10]excluded-ip-address 192.168.10.1 192.168.10.2
[DHCP-ip-pool-vlan10]ip pool vlan20
[DHCP-ip-pool-vlan20]gateway-list 192.168.20.254
[DHCP-ip-pool-vlan20]network 192.168.20.0 mask 255.255.255.0
[DHCP-ip-pool-vlan20]excluded-ip-address 192.168.20.1 192.168.20.2
[DHCP-ip-pool-vlan20]dns-list 172.16.50.30
[DHCP-ip-pool-vlan20]ip pool vlan30
[DHCP-ip-pool-vlan30]gateway-list 192.168.30.254
[DHCP-ip-pool-vlan30]network 192.168.30.0 mask 255.255.255.0
[DHCP-ip-pool-vlan30]excluded-ip-address 192.168.30.1 192.168.30.2
[DHCP-ip-pool-vlan30]dns-list 172.16.50.30
[DHCP-ip-pool-vlan30]ip pool vlan40
[DHCP-ip-pool-vlan40]gateway-list 192.168.40.254
[DHCP-ip-pool-vlan40]network 192.168.40.0 mask 255.255.255.0
[DHCP-ip-pool-vlan40]excluded-ip-address 192.168.40.1 192.168.40.2
[DHCP-ip-pool-vlan40]dns-list 172.16.50.30
[DHCP-ip-pool-vlan40]ip pool vlan50
[DHCP-ip-pool-vlan50]gateway-list 192.168.50.254
[DHCP-ip-pool-vlan50]network 192.168.50.0 mask 255.255.255.0
[DHCP-ip-pool-vlan50]excluded-ip-address 192.168.50.1 192.168.50.2
[DHCP-ip-pool-vlan50]dns-list 172.16.50.30
[DHCP-ip-pool-vlan50]ip pool vlan1000
[DHCP-ip-pool-vlan1000]gateway-list 192.168.100.254
[DHCP-ip-pool-vlan1000]network 192.168.100.0 mask 255.255.255.0
[DHCP-ip-pool-vlan1000]excluded-ip-address 192.168.100.1 192.168.100.2
[DHCP-ip-pool-vlan1000]dns-list 172.16.50.30
[DHCP-ip-pool-vlan1000]ip pool vlan2000
[DHCP-ip-pool-vlan2000]gateway-list 172.16.100.254
[DHCP-ip-pool-vlan2000]network 172.16.100.0 mask 255.255.255.0
[DHCP-ip-pool-vlan2000]excluded-ip-address 172.16.100.1 172.16.100.2
[DHCP-ip-pool-vlan2000]dns-list 172.16.50.30
[DHCP-ip-pool-vlan2000]option 43 sub-option 3 ascii 172.16.20.1
[DHCP-ip-pool-vlan2000]q
[DHCP]int g0/0/0
[DHCP-GigabitEthernet0/0/0]dhcp select global
[DHCP-GigabitEthernet0/0/0]q
The global dhcp enable must be on before dhcp select global takes effect; the excluded addresses in each pool are the real Vlanif addresses of SW1 and SW2, and option 43 sub-option 3 in the vlan2000 pool tells the APs where to find the AC.
SW1 configuration
[SW1]dhcp enable
[SW1]int vlan 10
[SW1-Vlanif10]dhcp select relay
[SW1-Vlanif10]dhcp relay server-ip 172.16.10.100
[SW1-Vlanif10]int vlan 20
[SW1-Vlanif20]dhcp select relay
[SW1-Vlanif20]dhcp relay server-ip 172.16.10.100
[SW1-Vlanif20]int vlan 30
[SW1-Vlanif30]dhcp select relay
[SW1-Vlanif30]dhcp relay server-ip 172.16.10.100
[SW1-Vlanif30]int vlan 40
[SW1-Vlanif40]dhcp select relay
[SW1-Vlanif40]dhcp relay server-ip 172.16.10.100
[SW1-Vlanif40]int vlan 50
[SW1-Vlanif50]dhcp select relay
[SW1-Vlanif50]dhcp relay server-ip 172.16.10.100
[SW1-Vlanif50]int vlan 1000
[SW1-Vlanif1000]dhcp select relay
[SW1-Vlanif1000]dhcp relay server-ip 172.16.10.100
[SW1-Vlanif1000]int vlan 2000
[SW1-Vlanif2000]dhcp select relay
[SW1-Vlanif2000]dhcp relay server-ip 172.16.10.100
[SW1-Vlanif2000]q
SW2 configuration
[SW2]dhcp enable
[SW2]int vlan 10
[SW2-Vlanif10]dhcp select relay
[SW2-Vlanif10]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif10]int vlan 20
[SW2-Vlanif20]dhcp select relay
[SW2-Vlanif20]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif20]int vlan 30
[SW2-Vlanif30]dhcp select relay
[SW2-Vlanif30]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif30]int vlan 40
[SW2-Vlanif40]dhcp select relay
[SW2-Vlanif40]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif40]int vlan 50
[SW2-Vlanif50]dhcp select relay
[SW2-Vlanif50]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif50]int vlan 1000
[SW2-Vlanif1000]dhcp select relay
[SW2-Vlanif1000]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif1000]int vlan 2000
[SW2-Vlanif2000]dhcp select relay
[SW2-Vlanif2000]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif2000]q
SW2 needs dhcp enable globally just as SW1 does; without it the relay commands on the Vlanif interfaces are accepted but do nothing, and the VLANs that SW2 is master for would get no addresses.
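The option 43 line in the vlan2000 pool is what lets the APs find the AC, so it is worth seeing what actually goes on the wire. The following Python encoder/decoder is an added example, not code from the original page or from Huawei: it builds the vendor-specific option (code 43 carrying a type-3 sub-option with the ASCII AC address list, the layout that Huawei AP discovery uses for that command) and parses it back out of a constructed DHCP OFFER options field.

```python
"""DHCP option 43 encoder/decoder for AP-to-AC discovery.

Added example; not code from the original page. It reproduces the bytes that
'option 43 sub-option 3 ascii 172.16.20.1' in the vlan2000 pool puts into a
DHCP reply: option code 43, a length, then a sub-option TLV whose type 3 carries
a comma-separated ASCII list of AC addresses. The sample options blob below is
constructed for the example.
"""

OPTION_VENDOR_SPECIFIC = 43
OPTION_PAD = 0
OPTION_END = 255
SUBOPT_ASCII_AC_LIST = 3   # ASCII "ip1,ip2,..." list of AC addresses


def encode_option43(ac_addresses, sub_option=SUBOPT_ASCII_AC_LIST):
    """Build the complete option 43 TLV for an ASCII list of AC addresses."""
    payload = ",".join(ac_addresses).encode("ascii")
    if len(payload) > 255:
        raise ValueError("sub-option payload exceeds the one-byte length field")
    sub_tlv = bytes([sub_option, len(payload)]) + payload
    return bytes([OPTION_VENDOR_SPECIFIC, len(sub_tlv)]) + sub_tlv


def iter_options(blob):
    """Yield (code, value) pairs from a DHCP options field, honouring pad and end."""
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            return
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        yield code, value
        i += 2 + length


def decode_option43(blob):
    """Return {sub_option_type: value} for the option 43 found in a DHCP options field."""
    subs = {}
    for code, value in iter_options(blob):
        if code != OPTION_VENDOR_SPECIFIC:
            continue
        # Encapsulated vendor sub-options use the same code/length/value layout.
        for sub_type, sub_value in iter_options(value):
            subs[sub_type] = sub_value
    return subs


def ac_addresses(blob):
    """AC addresses advertised in sub-option 3, in order; empty if none."""
    raw = decode_option43(blob).get(SUBOPT_ASCII_AC_LIST)
    if raw is None:
        return []
    return [a for a in raw.decode("ascii").split(",") if a]


# Constructed DHCP OFFER options: message type (53) = OFFER (2), router option (3)
# = 172.16.100.254 (the VRRP gateway of VLAN 2000), option 43, end marker.
SAMPLE_OFFER_OPTIONS = (
    bytes([53, 1, 2])
    + bytes([3, 4, 172, 16, 100, 254])
    + encode_option43(["172.16.20.1"])
    + bytes([OPTION_END])
)

if __name__ == "__main__":
    print(encode_option43(["172.16.20.1"]).hex(" "))
    print(ac_addresses(SAMPLE_OFFER_OPTIONS))
```

Nothing in this option is authenticated: an AP trusts whatever AC address the DHCP reply names. That is why the access switches carrying AP ports are the right place for DHCP snooping with only the uplinks marked trusted, so that the only reply an AP can receive is the one relayed from 172.16.10.100.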
Wireless configuration
Wireless uses the AC + AP model. The AC hangs off the core switch; VLAN 200 is the AC management VLAN, VLAN 2000 is the AP service segment, and VLAN 1000 is the service segment for wireless clients.
AC configuration
[AC6005]sy AC
[AC]vlan b 200
[AC]int g0/0/1
[AC-GigabitEthernet0/0/1]po li a
[AC-GigabitEthernet0/0/1]po de v 200
[AC-GigabitEthernet0/0/1]q
[AC]int vlan 200
[AC-Vlanif200]ip add 172.16.20.1 24
[AC-Vlanif200]q
[AC]ip route-static 0.0.0.0 0 172.16.20.2
[AC]capwap source interface Vlanif 200
[AC]wlan
[AC-wlan-view]regulatory-domain-profile name wlan
[AC-wlan-regulate-domain-wlan]country-code CN
[AC-wlan-regulate-domain-wlan]q
[AC-wlan-view]ap-group name ap
[AC-wlan-ap-group-ap]regulatory-domain-profile wlan
[AC-wlan-ap-group-ap]q
[AC-wlan-view]ap auth-mode mac-auth
[AC-wlan-view]ap-id 1 ap-mac 00e0-fcd7-3f50
[AC-wlan-ap-1]ap-group ap
[AC-wlan-ap-1]ap-name ap1
[AC-wlan-ap-1]q
[AC-wlan-view]ap-id 2 ap-mac 00e0-fc26-6370
[AC-wlan-ap-2]ap-group ap
[AC-wlan-ap-2]ap-name ap2
[AC-wlan-ap-2]q
[AC-wlan-view]ap-id 3 ap-mac 00e0-fc6d-5330
[AC-wlan-ap-3]ap-group ap
[AC-wlan-ap-3]ap-name ap3
[AC-wlan-ap-3]q
[AC-wlan-view]security-profile name security
[AC-wlan-sec-prof-security]security wpa2 psk pass-phrase huawei@123 aes
[AC-wlan-sec-prof-security]q
[AC-wlan-view]ssid-profile name ssid
[AC-wlan-ssid-prof-ssid]ssid wifi
[AC-wlan-ssid-prof-ssid]q
[AC-wlan-view]vap-profile name vap
[AC-wlan-vap-prof-vap]forward-mode direct-forward
[AC-wlan-vap-prof-vap]service-vlan vlan-id 1000
[AC-wlan-vap-prof-vap]security-profile security
[AC-wlan-vap-prof-vap]ssid-profile ssid
[AC-wlan-vap-prof-vap]q
[AC-wlan-view]ap-group name ap
[AC-wlan-ap-group-ap]vap-profile vap wlan 1 radio all
[AC-wlan-ap-group-ap]q
Two points in this block deserve attention. The AC needs a route back to the AP segment 172.16.100.0/24 (and the client segment) through Core-SW1 at 172.16.20.2; with only its connected VLAN 200 route, its CAPWAP replies to the APs would have no path. The VAP uses direct-forward because the AP-facing ports on SW3, SW4 and SW5 are trunks that allow VLAN 1000 with PVID 2000, which is the direct-forward layout: the AP tags client traffic into VLAN 1000 locally, and the AC's own uplink, which carries only VLAN 200, never has to carry client data.
ACL access control configuration
Marketing, R&D and HR communicate freely; Marketing cannot reach Administration; Administration, R&D and HR communicate freely; Finance can communicate only with Administration.
SW1 configuration
[SW1]acl number 3000
[SW1-acl-adv-3000]rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
[SW1-acl-adv-3000]rule 10 permit ip
[SW1-acl-adv-3000]acl number 3001
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.10.0 0.0.0.255
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.20.0 0.0.0.255
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.30.0 0.0.0.255
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.100.0 0.0.0.255
[SW1-acl-adv-3001]rule per ip
[SW1-acl-adv-3001]q
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
[SW1-GigabitEthernet0/0/1]q
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]traffic-filter inbound acl 3001
[SW1-GigabitEthernet0/0/3]q
SW2 configuration
[SW2]acl number 3000
[SW2-acl-adv-3000]rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
[SW2-acl-adv-3000]rule 10 permit ip
[SW2-acl-adv-3000]acl number 3001
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.10.0 0.0.0.255
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.20.0 0.0.0.255
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.30.0 0.0.0.255
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.100.0 0.0.0.255
[SW2-acl-adv-3001]rule per ip
[SW2-acl-adv-3001]q
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
[SW2-GigabitEthernet0/0/1]q
[SW2]int g0/0/3
[SW2-GigabitEthernet0/0/3]traffic-filter inbound acl 3001
[SW2-GigabitEthernet0/0/3]q
The wildcard on the first rule of ACL 3001 must be 0.0.0.255 on SW2 as on SW1; a wildcard of 0.0.0.25 would only match a handful of addresses in 192.168.10.0/24 and leave most of Marketing reachable from Finance whenever SW2 carries the traffic.
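Whether these two ACLs really produce the department matrix stated above is easy to get wrong, because each filter is applied inbound on one port and only sees one direction. The following Python check is an added example, not code from the original page: it transcribes the ACL rules and their ingress ports from the SW1 configuration, maps departments to subnets the way the test section does, evaluates first-match wildcard rules the way traffic-filter does, and then checks every requirement in both directions.

```python
"""Reachability check for the department ACLs on SW1/SW2.

Added example; not code from the original page. ACL rules and the ports they
are applied to are transcribed from the SW1 configuration above; the
department-to-subnet mapping comes from the load-sharing and ACL test sections.
The evaluator is a simplified model of 'traffic-filter inbound': the first
matching rule decides, and a packet matching no rule is forwarded (Huawei
S-series behaviour; moot here since both ACLs end with 'rule permit ip').
"""
import ipaddress

DEPT_SUBNET = {
    "Marketing":      "192.168.10.0/24",   # VLAN 10, enters SW1/SW2 on g0/0/1
    "R&D":            "192.168.20.0/24",   # VLAN 20, enters on g0/0/2 (no filter)
    "HR":             "192.168.30.0/24",   # VLAN 30, enters on g0/0/2 (no filter)
    "Finance":        "192.168.40.0/24",   # VLAN 40, enters on g0/0/3
    "Administration": "192.168.50.0/24",   # VLAN 50, enters on g0/0/3
    "Wireless":       "192.168.100.0/24",  # VLAN 1000, no filter
}

ANY = ("0.0.0.0", "255.255.255.255")

# (action, (source, wildcard), (destination, wildcard)) in configured order.
ACLS = {
    3000: [
        ("deny",   ("192.168.10.0", "0.0.0.255"), ("192.168.50.0", "0.0.0.255")),
        ("permit", ANY, ANY),
    ],
    3001: [
        ("deny",   ("192.168.40.0", "0.0.0.255"), ("192.168.10.0", "0.0.0.255")),
        ("deny",   ("192.168.40.0", "0.0.0.255"), ("192.168.20.0", "0.0.0.255")),
        ("deny",   ("192.168.40.0", "0.0.0.255"), ("192.168.30.0", "0.0.0.255")),
        ("deny",   ("192.168.40.0", "0.0.0.255"), ("192.168.100.0", "0.0.0.255")),
        ("permit", ANY, ANY),
    ],
}

# Inbound filter keyed by the subnet that enters on the filtered port.
INGRESS_ACL = {
    "192.168.10.0/24": 3000,   # g0/0/1 from SW3
    "192.168.40.0/24": 3001,   # g0/0/3 from SW5
    "192.168.50.0/24": 3001,   # g0/0/3 from SW5
}


def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_action(rules, src, dst):
    for action, (s, sw), (d, dw) in rules:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "permit"  # no rule matched: the switch forwards the packet


def sample_host(subnet):
    """A representative host (.10) in the subnet."""
    return str(ipaddress.ip_network(subnet)[10])


def one_way_allowed(src_dept, dst_dept):
    """Does a packet from src_dept reach dst_dept through the aggregation switch?"""
    src_net = DEPT_SUBNET[src_dept]
    acl = INGRESS_ACL.get(src_net)
    if acl is None:
        return True
    return acl_action(ACLS[acl], sample_host(src_net),
                      sample_host(DEPT_SUBNET[dst_dept])) == "permit"


def session_possible(a, b):
    """Stateless ACLs break a session if either direction is dropped."""
    return one_way_allowed(a, b) and one_way_allowed(b, a)


# Requirements from the page, as pairs that must / must not be able to talk.
MUST_TALK = [("Marketing", "R&D"), ("Marketing", "HR"), ("R&D", "HR"),
             ("Administration", "R&D"), ("Administration", "HR"),
             ("Finance", "Administration")]
MUST_NOT_TALK = [("Marketing", "Administration"), ("Finance", "Marketing"),
                 ("Finance", "R&D"), ("Finance", "HR"), ("Finance", "Wireless")]


def requirement_violations():
    bad = [p for p in MUST_TALK if not session_possible(*p)]
    bad += [p for p in MUST_NOT_TALK if session_possible(*p)]
    return bad


if __name__ == "__main__":
    print("violations:", requirement_violations())
    print("Administration -> Marketing one way:", one_way_allowed("Administration", "Marketing"))
```

The last line shows the caveat a reviewer would raise: the Marketing/Administration block is enforced only on Marketing's port. Packets from Administration to Marketing are forwarded and only the replies are dropped, which is enough to break TCP and ping but still lets one-way UDP through, so a stricter deployment would add the mirror-image deny on the port that carries VLAN 50.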
Firewall security policy configuration
Permit Internet-bound traffic from trust to untrust, permit trust-to-dmz traffic for server access, and permit untrust-to-dmz traffic for the web server.
[FW1]security-policy
[FW1-policy-security]rule name t-u
[FW1-policy-security-rule-t-u]source-zone trust
[FW1-policy-security-rule-t-u]destination-zone untrust
[FW1-policy-security-rule-t-u]ac p
[FW1-policy-security-rule-t-u]q
[FW1-policy-security]rule name t-d
[FW1-policy-security-rule-t-d]source-zone trust
[FW1-policy-security-rule-t-d]destination-zone dmz
[FW1-policy-security-rule-t-d]ac p
[FW1-policy-security-rule-t-d]q
[FW1-policy-security]rule name u-d
[FW1-policy-security-rule-u-d]source-zone untrust
[FW1-policy-security-rule-u-d]destination-zone dmz
[FW1-policy-security-rule-u-d]destination-address 172.16.50.10 32
[FW1-policy-security-rule-u-d]destination-address 172.16.50.20 32
[FW1-policy-security-rule-u-d]service http ftp
[FW1-policy-security-rule-u-d]ac p
[FW1-policy-security-rule-u-d]q
[FW1-policy-security]q
NAT policy configuration
[FW1]nat-policy
[FW1-policy-nat]rule name t-u-nat
[FW1-policy-nat-rule-t-u-nat]source-zone trust
[FW1-policy-nat-rule-t-u-nat]destination-zone untrust
[FW1-policy-nat-rule-t-u-nat]action source-nat easy-ip
[FW1-policy-nat-rule-t-u-nat]q
[FW1-policy-nat]q
NAT Server configuration
[FW1]nat server pro tcp global 202.96.137.88 8080 inside 172.16.50.10 www
[FW1]nat server pro tcp global 202.96.137.88 ftp inside 172.16.50.20 ftp
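Rule u-d is written against the servers' real addresses and the predefined http service even though clients connect to 202.96.137.88:8080, and that only works because of the order in which the firewall processes a packet. The following Python packet-walk model is an added example, not code from the original page or from Huawei: it transcribes the zones, NAT server entries, security-policy rules and easy-ip rule from the FW1 configuration and applies them in the documented USG order (NAT server translation, then the security-policy lookup on the translated destination, then source NAT). Two things are assumptions of the model rather than page content: the summary prefixes 172.16.0.0/16 and 192.168.0.0/16 stand in for the routes OSPF installs towards the trust zone, and the sample packets are constructed.

```python
"""Packet-walk model of FW1: NAT server, security policy, easy-ip source NAT.

Added example; not code from the original page or from Huawei. Zones, rules,
NAT server entries and services are transcribed from the FW1 configuration.
Assumed: the /16 summary routes below stand in for what OSPF installs towards
trust; the processing order follows USG documentation (destination NAT before
the policy lookup, source NAT after it). Sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

# Longest-prefix-match "route -> zone" table built from the interface zones.
ROUTE_ZONES = [
    ("172.16.50.0/24", "dmz"),      # g1/0/1, directly connected
    ("172.16.172.0/24", "trust"),   # g1/0/0, directly connected
    ("172.16.0.0/16", "trust"),     # assumed: learnt via OSPF from Core-SW1
    ("192.168.0.0/16", "trust"),    # assumed: learnt via OSPF from Core-SW1
    ("0.0.0.0/0", "untrust"),       # default route towards 202.96.137.1
]

SERVICES = {"http": ("tcp", 80), "ftp": ("tcp", 21)}   # predefined services used by rule u-d

# nat server: (proto, global ip, global port) -> (inside ip, inside port)
NAT_SERVER = {
    ("tcp", "202.96.137.88", 8080): ("172.16.50.10", 80),
    ("tcp", "202.96.137.88", 21):   ("172.16.50.20", 21),
}

# security-policy rules in order; None means any. Unmatched traffic is denied.
SECURITY_POLICY = [
    {"name": "t-u", "src_zone": "trust",   "dst_zone": "untrust", "dst_addr": None, "services": None},
    {"name": "t-d", "src_zone": "trust",   "dst_zone": "dmz",     "dst_addr": None, "services": None},
    {"name": "u-d", "src_zone": "untrust", "dst_zone": "dmz",
     "dst_addr": ["172.16.50.10/32", "172.16.50.20/32"], "services": ["http", "ftp"]},
]

# nat-policy rule t-u-nat: easy-ip sources traffic from the egress interface g1/0/2.
EASY_IP = {("trust", "untrust"): "202.96.137.88"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(n).prefixlen, zone) for n, zone in ROUTE_ZONES
               if addr in ipaddress.ip_network(n)]
    return max(matches)[1]   # longest prefix wins


def rule_matches(rule, src_zone, dst_zone, pkt):
    if rule["src_zone"] != src_zone or rule["dst_zone"] != dst_zone:
        return False
    if rule["dst_addr"] is not None and not any(
            ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(n) for n in rule["dst_addr"]):
        return False
    if rule["services"] is not None and \
            (pkt.proto, pkt.dport) not in [SERVICES[s] for s in rule["services"]]:
        return False
    return True


def process(pkt):
    """Return (verdict, packet as forwarded, name of the matched rule or None)."""
    # 1. NAT server: destination translation happens before the policy lookup.
    mapping = NAT_SERVER.get((pkt.proto, pkt.dst, pkt.dport))
    if mapping:
        pkt = replace(pkt, dst=mapping[0], dport=mapping[1])
    # 2. Zones are derived from the (post-NAT) addresses.
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    # 3. First matching security-policy rule decides; default is deny.
    rule = next((r for r in SECURITY_POLICY if rule_matches(r, src_zone, dst_zone, pkt)), None)
    if rule is None:
        return ("deny", pkt, None)
    # 4. Source NAT for permitted trust -> untrust traffic.
    egress = EASY_IP.get((src_zone, dst_zone))
    if egress:
        pkt = replace(pkt, src=egress)
    return ("permit", pkt, rule["name"])


if __name__ == "__main__":
    for p in (Packet("tcp", "100.100.100.10", 40000, "202.96.137.88", 8080),
              Packet("tcp", "100.100.100.10", 40001, "202.96.137.88", 22),
              Packet("tcp", "192.168.10.10", 50000, "8.8.8.8", 443),
              Packet("tcp", "172.16.50.10", 50002, "8.8.8.8", 443)):
        print(process(p))
```

Two consequences of the configuration fall out of the walk. A connection to 202.96.137.88 on any port other than 8080 or 21 has no NAT server entry, so its destination zone stays untrust and no rule matches it: the firewall's own public address exposes nothing beyond the two published services. And there is no dmz-to-untrust rule, so the servers cannot open connections to the Internet themselves; that blocks outbound callbacks from a compromised server, but it also means updates have to be staged from the trust side.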
4. Network tests
DHCP test
Internet access test
Wireless login test
VRRP master/backup election test
SW1 is master for VLAN 10, 20, 100, 200 and backup for VLAN 30, 40, 50
SW2 is master for VLAN 30, 40, 50 and backup for VLAN 10, 20, 100, 200
Load-sharing test
Marketing, R&D and wireless traffic go through SW1
HR, Finance and Administration traffic go through SW2
Core routing table and OSPF neighbour relationship check
ACL test
Marketing, R&D and HR communicate freely
Marketing cannot reach Administration
Administration, R&D and HR communicate freely
Finance can communicate only with Administration
Intranet-to-server access test
External NAT Server test
External client access to the internal web server
External client access to the internal FTP server