基于OSPF的企业内网安全优化

1.拓扑

2.IP地址规划

|------------------|-----------------|
| 设备/地址/vlan | 设备/地址 |
| 汇聚交换机/VLAN10 | 192.200.10.0/24 |
| 汇聚交换机/VLAN20 | 192.200.20.0/24 |
| 汇聚交换机/VLAN30 | 192.200.30.0/24 |
| 汇聚交换机/VLAN40 | 192.200.40.0/24 |
| 汇聚交换机/VLAN50 | 192.200.50.0/24 |
| 汇聚交换机/VLAN60 | 192.200.60.0/24 |
| 防火墙/VLAN70/服务器网段 | 192.200.70.0/24 |
| 防火墙/VLAN80/服务器网段 | 192.200.80.0/24 |

3.使用协议说明

VLAN-----------------隔离广播域，优化内网用户上网体验

SVI-------------Vlan间三层通信

DHCP---------------内网主机自动获取IP地址

OSPF------------------提供内网路由的学习

MSTP--------------------多实例生成树，打破二层环路的同时，实现多vlan的负载均衡

VRRP------------------起到网关冗余作用

NAT--------------------地址转换，提供用户访问互联网

防火墙安全策略----------------------------提供安全策略的访问控制，以及高级的防病毒、入侵检测功能

链路聚合----------------提供链路带宽

4.设备选型

|----|-------|----|---------------------------|-----|-------------------------------------------------------------------|----|---|-------|----|--------------------------|---|----------------------------------------------------------------------|---|
| 序号 | 设备名称 | 品牌 | 规格 | 单位及 | 性能及指标 | 产地 |
| 序号 | 设备名称 | 品牌 | 型号 | 数量 | 性能及指标 | 产地 |
| 1 | 接入交换机 | 华为 | CloudEngine S5731-H24P4XC | 30 | S5731-H24P4XC(24个10/100/1000BASE-T以太网端口,4个万兆SFP+,单子卡槽位,PoE+,不含电源) | |
| 1 | 接入交换机 | 华为 | CloudEngine S5731-H24P4XC | 30 | S5731-H24P4XC(24个10/100/1000BASE-T以太网端口,4个万兆SFP+,单子卡槽位,PoE+,不含电源) | | 2 | 汇聚交换机 | 华为 | CloudEngine S6730-H24X6C | 2 | S6730-H24X6C(24个万兆SFP+,6个40GE QSFP28，可选license升级到6个100GE QSFP28,不含电源 | |
| 3 | 核心路由器 | 华为 | AR2204-24GE | 4 | AR2204-24GE(3GE WAN(1GE Combo),24 GE,1 USB,4 SIC,60W AC Power) | |
| 4 | 防火墙 | 华为 | Secospace USG6310S | 3 | USG6310S-W交流主机(8GE电,1GB内存),WIFI 2.4G+5G | |

5.网络配置实施

二层划分vlan、以及接口配置

interface Ethernet0/0/1

port link-type access

port default vlan 10

interface Ethernet0/0/2

port link-type access

port default vlan 10

interface Ethernet0/0/3

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface Ethernet0/0/4

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface Ethernet0/0/1

port link-type access

port default vlan 20

interface Ethernet0/0/2

port link-type access

port default vlan 20

interface Ethernet0/0/3

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface Ethernet0/0/4

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface Ethernet0/0/1

port link-type access

port default vlan 30

interface Ethernet0/0/2

port link-type access

port default vlan 30

interface Ethernet0/0/3

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface Ethernet0/0/4

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface Ethernet0/0/1

port link-type access

port default vlan 40

interface Ethernet0/0/2

port link-type access

port default vlan 40

interface Ethernet0/0/3

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface Ethernet0/0/4

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface Ethernet0/0/1

port link-type access

port default vlan 50

interface Ethernet0/0/2

port link-type access

port default vlan 50

interface Ethernet0/0/3

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface Ethernet0/0/4

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface Ethernet0/0/1

port link-type access

port default vlan 60

interface Ethernet0/0/2

port link-type access

port default vlan 60

interface Ethernet0/0/3

port link-type trunk

port trunk allow-pass vlan 2 to 4094

interface Ethernet0/0/4

port link-type trunk

port trunk allow-pass vlan 2 to 4094

双汇聚交换机上，进行三层SIV接口配置及路由器物理接口以及VRRP配置

汇聚交换机1：

$Huawei$ int vlan 10

$Huawei-Vlanif10$ ip add 192.200.10.1 255.255.255.0

$Huawei-Vlanif10$ vrrp vrid 10 virtual-ip 192.200.10.254

$Huawei-Vlanif10$ vrrp vrid 10 priority 120

$Huawei-Vlanif10$ int vlan 20

$Huawei-Vlanif20$ ip add 192.200.20.1 255.255.255.0

$Huawei-Vlanif20$ vrrp vrid 20 virtual-ip 192.200.20.254

$Huawei-Vlanif20$ vrrp vrid 20 priority 120

$Huawei-Vlanif20$ int vlan 30

$Huawei-Vlanif30$ ip add 192.200.30.1 255.255.255.0

$Huawei-Vlanif30$ vrrp vrid 30 virtual-ip 192.200.30.254

$Huawei-Vlanif30$ vrrp vrid 30 priority 120

$Huawei-Vlanif30$ int vlan 40

$Huawei-Vlanif40$ ip add 192.200.40.1 255.255.255.0

$Huawei-Vlanif40$ vrrp vrid 40 virtual-ip 192.200.40.254

$Huawei-Vlanif40$ int vlan 50

$Huawei-Vlanif50$ ip add 192.200.50.1 255.255.255.0

$Huawei-Vlanif50$ vrrp vrid 50 virtual-ip 192.200.50.254

$Huawei-Vlanif50$ int vlan 60

$Huawei-Vlanif60$ ip add 192.200.60.1 255.255.255.0

$Huawei-Vlanif60$ vrrp vrid 60 virtual-ip 192.200.60.254

汇聚交换机2：

$Huawei$ int vlan 10

$Huawei-Vlanif10$ ip add 192.200.10.2 255.255.255.0

$Huawei-Vlanif10$ vrrp vrid 10 virtual-ip 192.200.10.254

$Huawei-Vlanif10$ int vlan 20

$Huawei-Vlanif20$ ip add 192.200.20.2 255.255.255.0

$Huawei-Vlanif20$ vrrp vrid 20 virtual-ip 192.200.20.254

$Huawei-Vlanif20$ int vlan 30

$Huawei-Vlanif30$ ip add 192.200.30.2 255.255.255.0

$Huawei-Vlanif30$ vrrp vrid 30 virtual-ip 192.200.30.254

$Huawei-Vlanif30$ int vlan 40

$Huawei-Vlanif40$ ip add 192.200.40.2 255.255.255.0

$Huawei-Vlanif40$ vrrp vrid 40 virtual-ip 192.200.40.254

$Huawei-Vlanif40$ vrrp vrid 40 priority 120

$Huawei-Vlanif40$ int vlan 50

$Huawei-Vlanif50$ ip add 192.200.50.2 255.255.255.0

$Huawei-Vlanif50$ vrrp vrid 50 virtual-ip 192.200.50.254

$Huawei-Vlanif50$ vrrp vrid 50 priority 120

$Huawei-Vlanif50$ int vlan 60

$Huawei-Vlanif60$ ip add 192.200.60.2 255.255.255.0

$Huawei-Vlanif60$ vrrp vrid 60 virtual-ip 192.200.60.254

$Huawei-Vlanif60$ vrrp vrid 60 priority 120

MSTP配置

stp region

region-name Huawei

instance 1 vlan 10 20 30

instance 2 vlan 40 50 60

active region-configuration

调整MSTP实例优先级

$Huawei$ stp instance 1 root primary

$Huawei$ stp instance 2 root secondary

链路聚合配置

$Huawei-Eth-Trunk0$ trunkport GigabitEthernet 0/0/23 to 0/0/24

$Huawei-Eth-Trunk0$ port link-type t

$Huawei-Eth-Trunk0$ port trunk allow-pass vlan all

DHCP配置

定义DHCP地址池：

ip pool vlan10

network 192.200.10.0 mask 255.255.255.0

dns-list 114.114.114.114

gateway-list 192.200.10.254

ip pool vlan20

network 192.200.20.0 mask 255.255.255.0

dns-list 114.114.114.114

gateway-list 192.200.20.254

ip pool vlan30

network 192.200.30.0 mask 255.255.255.0

dns-list 114.114.114.114

gateway-list 192.200.30.254

ip pool vlan40

network 192.200.40.0 mask 255.255.255.0

dns-list 114.114.114.114

gateway-list 192.200.40.254

ip pool vlan50

network 192.200.50.0 mask 255.255.255.0

dns-list 114.114.114.114

gateway-list 192.200.50.254

ip pool vlan60

network 192.200.60.0 mask 255.255.255.0

dns-list 114.114.114.114

gateway-list 192.200.60.254

开启DHCP以及接口下调用

$Huawei$ dhcp enable

$Huawei$ int vlan 10

$Huawei-Vlanif10$ dhcp se g

$Huawei-Vlanif10$ int vlan 20

$Huawei-Vlanif20$ dhcp se g

$Huawei-Vlanif20$ int vlan 30

$Huawei-Vlanif30$ dhcp se g

$Huawei-Vlanif30$ int vlan 40

$Huawei-Vlanif40$ dhcp se g

$Huawei-Vlanif40$ int vlan 50

$Huawei-Vlanif50$ dhcp se g

$Huawei-Vlanif50$ int vlan 60

$Huawei-Vlanif60$ dhcp se g

路由协议OSPF配置

ospf 1

area 0.0.0.0

network 10.0.0.0 0.0.255.255

area 0.0.0.1

network 192.200.0.0 0.0.255.255

配置OSPF优化，配置静默端口

$Huawei-ospf-1$ silent-interface Vlanif 10

$Huawei-ospf-1$ silent-interface Vlanif 20

$Huawei-ospf-1$ silent-interface Vlanif 30

$Huawei-ospf-1$ silent-interface Vlanif 40

$Huawei-ospf-1$ silent-interface Vlanif 50

$Huawei-ospf-1$ silent-interface Vlanif 60

核心层配置

$Huawei$ ospf 1

$Huawei-ospf-1$ a 0

$Huawei-ospf-1-area-0.0.0.0$ network 10.0.0.0 0.0.255.255

出口防火墙配置安全策略

security-policy

rule name ISP

source-zone trust

destination-zone untrust

action permit

防火墙NAT策略

rule name ISP

source-zone trust

destination-zone untrust

action source-nat easy-ip

防火墙做NAT SERVER 映射

$USG6000V1$ nat server protocol tcp global 100.100.100.100 8080 inside 192.2

00.80.10 www

服务器区域防火墙配置

security-policy

rule name server

source-zone trust

destination-zone dmz

action permit

6.网络测试

私信获取