OSPF-Based Enterprise Intranet Security Optimization

1. Topology

2. IP address planning

| Device / VLAN | Address |
|---|---|
| Aggregation switch / VLAN 10 | 192.200.10.0/24 |
| Aggregation switch / VLAN 20 | 192.200.20.0/24 |
| Aggregation switch / VLAN 30 | 192.200.30.0/24 |
| Aggregation switch / VLAN 40 | 192.200.40.0/24 |
| Aggregation switch / VLAN 50 | 192.200.50.0/24 |
| Aggregation switch / VLAN 60 | 192.200.60.0/24 |
| Firewall / VLAN 70 / server subnet | 192.200.70.0/24 |
| Firewall / VLAN 80 / server subnet | 192.200.80.0/24 |

3. Protocols used

VLAN: isolates broadcast domains and improves the internet experience of intranet users

SVI: Layer 3 communication between VLANs

DHCP: intranet hosts obtain IP addresses automatically

OSPF: learning of intranet routes

MSTP: multi-instance spanning tree; breaks Layer 2 loops while load-balancing across VLANs

VRRP: gateway redundancy

NAT: address translation so that users can reach the internet

Firewall security policy: access control through security policies, plus advanced antivirus and intrusion-detection functions

Link aggregation: increases link bandwidth

4. Device selection

| No. | Device | Brand | Model | Qty | Specifications | Origin |
|---|---|---|---|---|---|---|
| 1 | Access switch | Huawei | CloudEngine S5731-H24P4XC | 30 | S5731-H24P4XC (24 x 10/100/1000BASE-T Ethernet ports, 4 x 10GE SFP+, one subcard slot, PoE+, power supply not included) | |
| 2 | Aggregation switch | Huawei | CloudEngine S6730-H24X6C | 2 | S6730-H24X6C (24 x 10GE SFP+, 6 x 40GE QSFP28, optional license upgrade to 6 x 100GE QSFP28, power supply not included) | |
| 3 | Core router | Huawei | AR2204-24GE | 4 | AR2204-24GE (3 GE WAN (1 GE Combo), 24 GE, 1 USB, 4 SIC, 60 W AC power) | |
| 4 | Firewall | Huawei | Secospace USG6310S | 3 | USG6310S-W AC unit (8 GE electrical ports, 1 GB memory), Wi-Fi 2.4G+5G | |

5. Network configuration implementation

Layer 2: VLAN assignment and interface configuration on the access switches. Every access switch follows the same pattern: ports 1 and 2 are access ports in that switch's user VLAN, ports 3 and 4 are trunk uplinks; the six blocks differ only in the VLAN number. The trunks pass VLANs 2 to 4094; restricting allow-pass to the VLANs a switch actually carries keeps unrelated VLANs off the access layer.

Access switch for VLAN 10:

```
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
interface Ethernet0/0/2
 port link-type access
 port default vlan 10
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
```

Access switch for VLAN 20:

```
interface Ethernet0/0/1
 port link-type access
 port default vlan 20
interface Ethernet0/0/2
 port link-type access
 port default vlan 20
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
```

Access switch for VLAN 30:

```
interface Ethernet0/0/1
 port link-type access
 port default vlan 30
interface Ethernet0/0/2
 port link-type access
 port default vlan 30
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
```

Access switch for VLAN 40:

```
interface Ethernet0/0/1
 port link-type access
 port default vlan 40
interface Ethernet0/0/2
 port link-type access
 port default vlan 40
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
```

Access switch for VLAN 50:

```
interface Ethernet0/0/1
 port link-type access
 port default vlan 50
interface Ethernet0/0/2
 port link-type access
 port default vlan 50
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
```

Access switch for VLAN 60:

```
interface Ethernet0/0/1
 port link-type access
 port default vlan 60
interface Ethernet0/0/2
 port link-type access
 port default vlan 60
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
```

On the two aggregation switches, configure the Layer 3 SVI interfaces, the physical interfaces toward the routers, and VRRP. Switch 1 is given priority 120 (master) for VLANs 10, 20 and 30 and switch 2 for VLANs 40, 50 and 60, which matches the two MSTP instances below so that the VRRP master and the MSTP root of each VLAN group are the same switch.

Aggregation switch 1:

```
[Huawei]int vlan 10
[Huawei-Vlanif10]ip add 192.200.10.1 255.255.255.0
[Huawei-Vlanif10]vrrp vrid 10 virtual-ip 192.200.10.254
[Huawei-Vlanif10]vrrp vrid 10 priority 120
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]ip add 192.200.20.1 255.255.255.0
[Huawei-Vlanif20]vrrp vrid 20 virtual-ip 192.200.20.254
[Huawei-Vlanif20]vrrp vrid 20 priority 120
[Huawei-Vlanif20]int vlan 30
[Huawei-Vlanif30]ip add 192.200.30.1 255.255.255.0
[Huawei-Vlanif30]vrrp vrid 30 virtual-ip 192.200.30.254
[Huawei-Vlanif30]vrrp vrid 30 priority 120
[Huawei-Vlanif30]int vlan 40
[Huawei-Vlanif40]ip add 192.200.40.1 255.255.255.0
[Huawei-Vlanif40]vrrp vrid 40 virtual-ip 192.200.40.254
[Huawei-Vlanif40]int vlan 50
[Huawei-Vlanif50]ip add 192.200.50.1 255.255.255.0
[Huawei-Vlanif50]vrrp vrid 50 virtual-ip 192.200.50.254
[Huawei-Vlanif50]int vlan 60
[Huawei-Vlanif60]ip add 192.200.60.1 255.255.255.0
[Huawei-Vlanif60]vrrp vrid 60 virtual-ip 192.200.60.254
```

Aggregation switch 2:

```
[Huawei]int vlan 10
[Huawei-Vlanif10]ip add 192.200.10.2 255.255.255.0
[Huawei-Vlanif10]vrrp vrid 10 virtual-ip 192.200.10.254
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]ip add 192.200.20.2 255.255.255.0
[Huawei-Vlanif20]vrrp vrid 20 virtual-ip 192.200.20.254
[Huawei-Vlanif20]int vlan 30
[Huawei-Vlanif30]ip add 192.200.30.2 255.255.255.0
[Huawei-Vlanif30]vrrp vrid 30 virtual-ip 192.200.30.254
[Huawei-Vlanif30]int vlan 40
[Huawei-Vlanif40]ip add 192.200.40.2 255.255.255.0
[Huawei-Vlanif40]vrrp vrid 40 virtual-ip 192.200.40.254
[Huawei-Vlanif40]vrrp vrid 40 priority 120
[Huawei-Vlanif40]int vlan 50
[Huawei-Vlanif50]ip add 192.200.50.2 255.255.255.0
[Huawei-Vlanif50]vrrp vrid 50 virtual-ip 192.200.50.254
[Huawei-Vlanif50]vrrp vrid 50 priority 120
[Huawei-Vlanif50]int vlan 60
[Huawei-Vlanif60]ip add 192.200.60.2 255.255.255.0
[Huawei-Vlanif60]vrrp vrid 60 virtual-ip 192.200.60.254
[Huawei-Vlanif60]vrrp vrid 60 priority 120
```

MSTP configuration (VLANs 10, 20 and 30 in instance 1; VLANs 40, 50 and 60 in instance 2):

```
stp region-configuration
 region-name Huawei
 instance 1 vlan 10 20 30
 instance 2 vlan 40 50 60
 active region-configuration
```

Adjust the MSTP instance priorities (shown for the switch that is root of instance 1; the other switch uses the reverse assignment):

```
[Huawei]stp instance 1 root primary
[Huawei]stp instance 2 root secondary
```

Link aggregation configuration:

```
[Huawei]interface Eth-Trunk 0
[Huawei-Eth-Trunk0]trunkport GigabitEthernet 0/0/23 to 0/0/24
[Huawei-Eth-Trunk0]port link-type trunk
[Huawei-Eth-Trunk0]port trunk allow-pass vlan all
```

DHCP configuration. Define the DHCP address pools (the gateway of each pool is the VRRP virtual address):

```
ip pool vlan10
 network 192.200.10.0 mask 255.255.255.0
 dns-list 114.114.114.114
 gateway-list 192.200.10.254
ip pool vlan20
 network 192.200.20.0 mask 255.255.255.0
 dns-list 114.114.114.114
 gateway-list 192.200.20.254
ip pool vlan30
 network 192.200.30.0 mask 255.255.255.0
 dns-list 114.114.114.114
 gateway-list 192.200.30.254
ip pool vlan40
 network 192.200.40.0 mask 255.255.255.0
 dns-list 114.114.114.114
 gateway-list 192.200.40.254
ip pool vlan50
 network 192.200.50.0 mask 255.255.255.0
 dns-list 114.114.114.114
 gateway-list 192.200.50.254
ip pool vlan60
 network 192.200.60.0 mask 255.255.255.0
 dns-list 114.114.114.114
 gateway-list 192.200.60.254
```

Enable DHCP and apply it under each VLAN interface:

```
[Huawei]dhcp enable
[Huawei]int vlan 10
[Huawei-Vlanif10]dhcp select global
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]dhcp select global
[Huawei-Vlanif20]int vlan 30
[Huawei-Vlanif30]dhcp select global
[Huawei-Vlanif30]int vlan 40
[Huawei-Vlanif40]dhcp select global
[Huawei-Vlanif40]int vlan 50
[Huawei-Vlanif50]dhcp select global
[Huawei-Vlanif50]int vlan 60
[Huawei-Vlanif60]dhcp select global
```

Routing protocol (OSPF) configuration on the aggregation switches. The 10.0.0.0/16 interconnect links go into area 0 and the 192.200.0.0/16 user subnets into area 1:

```
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.0.255.255
 area 0.0.0.1
  network 192.200.0.0 0.0.255.255
```

OSPF optimization: configure the user VLAN interfaces as silent interfaces, so that their subnets are still advertised but no OSPF hello is sent toward user ports and no adjacency can be formed from a user VLAN:

```
[Huawei-ospf-1]silent-interface Vlanif 10
[Huawei-ospf-1]silent-interface Vlanif 20
[Huawei-ospf-1]silent-interface Vlanif 30
[Huawei-ospf-1]silent-interface Vlanif 40
[Huawei-ospf-1]silent-interface Vlanif 50
[Huawei-ospf-1]silent-interface Vlanif 60
```

Core layer configuration:

```
[Huawei]ospf 1
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 10.0.0.0 0.0.255.255
```

Egress firewall security policy (rule ISP permits all traffic from the trust zone to the untrust zone):

```
security-policy
 rule name ISP
  source-zone trust
  destination-zone untrust
  action permit
```

Firewall NAT policy:

```
nat-policy
 rule name ISP
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
```

NAT server mapping on the firewall (public TCP port 8080 on 100.100.100.100 is mapped to port www on the internal web server):

```
[USG6000V1]nat server protocol tcp global 100.100.100.100 8080 inside 192.200.80.10 www
```

Firewall configuration for the server zone. Only the trust-to-dmz rule is shown; traffic arriving from the untrust zone for the mapped server is still subject to the security policy and needs its own untrust-to-dmz rule limited to that server and port:

```
security-policy
 rule name server
  source-zone trust
  destination-zone dmz
  action permit
```

6. Network testing

Available on request by private message.
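An added consistency audit for the aggregation-switch design above (example code written for this page, not part of the original post): it checks that the switch holding the higher VRRP priority for a VLAN is also the MSTP root of the instance carrying that VLAN, and that every user Vlanif is an OSPF silent interface. The two config excerpts are constructed; switch 2 deliberately carries a copy of switch 1's STP lines and lacks the silent-interface for Vlanif40 so the audit has findings to report.

```python
import re

# Constructed excerpts (not the page's own text): VLAN 10 stands in for MSTP instance 1
# and VLAN 40 for instance 2; switch 2 copied switch 1's STP lines and lacks one silent-interface.
AGG1 = """\
interface Vlanif10
 vrrp vrid 10 priority 120
interface Vlanif40
 vrrp vrid 40 virtual-ip 192.200.40.254
stp instance 1 root primary
stp instance 2 root secondary
 silent-interface Vlanif10
 silent-interface Vlanif40
"""
AGG2 = """\
interface Vlanif10
 vrrp vrid 10 virtual-ip 192.200.10.254
interface Vlanif40
 vrrp vrid 40 priority 120
stp instance 1 root primary
stp instance 2 root secondary
 silent-interface Vlanif10
"""
INSTANCE_OF = {10: 1, 20: 1, 30: 1, 40: 2, 50: 2, 60: 2}  # MSTP region from the page

def parse(text):  # -> (VRRP priority per VLAN, primary-root instances, silent Vlanifs)
    prio, roots, silent, vlan = {}, set(), set(), None
    for line in text.splitlines():
        if m := re.match(r"interface Vlanif(\d+)", line):
            vlan = int(m.group(1))
        elif m := re.match(r" vrrp vrid \d+(?: priority (\d+))?", line):
            prio[vlan] = int(m.group(1)) if m.group(1) else prio.get(vlan, 100)  # 100 = default
        elif m := re.match(r"stp instance (\d+) root primary", line):
            roots.add(int(m.group(1)))
        elif m := re.match(r" silent-interface Vlanif(\d+)", line):
            silent.add(int(m.group(1)))
    return prio, roots, silent

def audit(switches):  # switches: {name: config text}; returns a list of findings
    parsed = {name: parse(cfg) for name, cfg in switches.items()}
    findings = []
    for v in sorted({v for prio, _, _ in parsed.values() for v in prio}):
        # VRRP master should also be MSTP root of the VLAN's instance (else a blocked-port detour)
        master = max(parsed, key=lambda n: parsed[n][0].get(v, 100))
        if INSTANCE_OF[v] not in parsed[master][1]:
            findings.append(f"vlan {v}: VRRP master {master} is not MSTP root of instance {INSTANCE_OF[v]}")
        for name, (_, _, silent) in parsed.items():  # user Vlanifs must be OSPF-silent
            if v not in silent:
                findings.append(f"vlan {v}: {name} sends OSPF hellos on user Vlanif{v}")
    return findings
```

Feed it the full `display current-configuration` output of both switches to audit all six VLANs.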
