1. Topology

2. Background and requirements
1. The office area is divided into several departments; the network must support 500 users.
2. Plan business VLANs per department.
3. Run VRRP + MSTP, and use link aggregation to keep the links reliable.
4. Deploy a firewall at the egress to protect the internal network.
5. Put the server area in a DMZ behind an additional firewall (protecting the internal network).
6. Enable remote access so the devices can be managed remotely.
9. Use two different dynamic routing protocols, one inside each LAN.
3. Department VLAN assignment and IP addresses

Address plan

| Department | Address space | VLAN | VLAN gateway |
|------------|-----------------|--------|-----------------|
| Marketing | 192.168.10.0/24 | Vlan10 | 192.168.10.1/24 |
| Marketing | 192.168.20.0/24 | Vlan20 | 192.168.20.1/24 |
| HR | 192.168.30.0/24 | Vlan30 | 192.168.30.1/24 |
| HR | 192.168.40.0/24 | Vlan40 | 192.168.40.1/24 |
| Management | 192.168.50.0/24 | Vlan50 | 192.168.50.1/24 |
| Management | 192.168.60.0/24 | Vlan60 | 192.168.60.1/24 |
| Logistics | 192.168.70.0/24 | Vlan70 | 192.168.70.1/24 |
| Logistics | 192.168.80.0/24 | Vlan80 | 192.168.80.1/24 |

Management addresses of the access and aggregation devices

| Purpose | Address | VLAN | Gateway |
|--------------------|------------------|---------|-----------------|
| Management network | 192.168.255.0/24 | VLAN255 | 192.168.255.254 |
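The tables above are the contract the rest of the configuration has to honour: every VRRP virtual IP and every DHCP `gateway-list` must be the gateway listed here, the two aggregation switches need distinct physical SVI addresses inside each subnet, no two subnets may overlap, and the user VLANs must leave room for the 500 users required. The following script is an added example (not part of the original post) that transcribes the plan as data and checks those properties; HJ1's physical SVI addresses are the ones the page configures later, while HJ2's addresses (one above HJ1's in each VLAN) are an assumption.

```python
"""Address-plan checks for the VLAN tables above (added example)."""
import ipaddress
from itertools import combinations

REQUIRED_USERS = 500        # requirement 1 on the page
MANAGEMENT_VLAN = 255

# (department, subnet, VLAN id, VRRP virtual IP / default gateway) from the tables.
PLAN = [
    ("Marketing",  "192.168.10.0/24",  10,  "192.168.10.1"),
    ("Marketing",  "192.168.20.0/24",  20,  "192.168.20.1"),
    ("HR",         "192.168.30.0/24",  30,  "192.168.30.1"),
    ("HR",         "192.168.40.0/24",  40,  "192.168.40.1"),
    ("Management", "192.168.50.0/24",  50,  "192.168.50.1"),
    ("Management", "192.168.60.0/24",  60,  "192.168.60.1"),
    ("Logistics",  "192.168.70.0/24",  70,  "192.168.70.1"),
    ("Logistics",  "192.168.80.0/24",  80,  "192.168.80.1"),
    ("Mgmt net",   "192.168.255.0/24", 255, "192.168.255.254"),
]

# Physical SVI addresses. HJ1's are the ones the page configures; HJ2's are an
# assumption for this example (one above HJ1's address in each VLAN).
HJ1_SVI = {10: "192.168.10.2", 20: "192.168.20.2", 30: "192.168.30.2",
           40: "192.168.40.2", 50: "192.168.50.2", 60: "192.168.60.2",
           70: "192.168.70.2", 80: "192.168.80.2", 255: "192.168.255.252"}
HJ2_SVI = {v: str(ipaddress.ip_address(a) + 1) for v, a in HJ1_SVI.items()}
SVI_TABLES = {"HJ1": HJ1_SVI, "HJ2": HJ2_SVI}


def user_capacity(plan):
    """Usable client addresses in the user VLANs: each /24 loses the network
    and broadcast addresses plus the VIP and the two SVI addresses."""
    total = 0
    for _, cidr, vlan, _ in plan:
        if vlan != MANAGEMENT_VLAN:
            total += ipaddress.ip_network(cidr).num_addresses - 5
    return total


def validate_plan(plan, svi_tables):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    seen = set()
    nets = []
    for _, cidr, vlan, vip in plan:
        net = ipaddress.ip_network(cidr)
        gw = ipaddress.ip_address(vip)
        if not 1 <= vlan <= 4094 or vlan in seen:
            findings.append(f"VLAN {vlan}: id invalid or duplicated")
        seen.add(vlan)
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            findings.append(f"VLAN {vlan}: gateway {vip} is not a usable host in {cidr}")
        used = {gw}
        for switch, table in svi_tables.items():
            if vlan not in table:
                findings.append(f"VLAN {vlan}: {switch} has no SVI address")
                continue
            addr = ipaddress.ip_address(table[vlan])
            if addr not in net:
                findings.append(f"VLAN {vlan}: {switch} address {addr} is outside {cidr}")
            if addr in used:
                findings.append(f"VLAN {vlan}: {switch} address {addr} collides with the VIP or peer")
            used.add(addr)
        nets.append((vlan, net))
    for (v1, n1), (v2, n2) in combinations(nets, 2):
        if n1.overlaps(n2):
            findings.append(f"VLAN {v1}/{v2}: subnets {n1} and {n2} overlap")
    if user_capacity(plan) < REQUIRED_USERS:
        findings.append(f"capacity {user_capacity(plan)} below the {REQUIRED_USERS} users required")
    return findings


def render_vrrp(switch, plan, svi, priority):
    """Emit the Vlanif/VRRP commands in the form the page uses for HJ1."""
    lines = []
    for _, cidr, vlan, vip in plan:
        mask = ipaddress.ip_network(cidr).netmask
        lines += [f"[{switch}]interface Vlanif {vlan}",
                  f"[{switch}-Vlanif{vlan}]ip address {svi[vlan]} {mask}",
                  f"[{switch}-Vlanif{vlan}]vrrp vrid {vlan} virtual-ip {vip}",
                  f"[{switch}-Vlanif{vlan}]vrrp vrid {vlan} priority {priority}"]
    return lines


if __name__ == "__main__":
    print("\n".join(validate_plan(PLAN, SVI_TABLES)) or "plan OK")
    print("\n".join(render_vrrp("HJ1", PLAN, HJ1_SVI, 120)))
```

Running it on the page's plan reports no findings and 2008 usable client addresses; adding a subnet that overlaps 192.168.10.0/24 or omitting a switch's SVI address is reported before any device is touched, which is cheaper than discovering a duplicate gateway from a VRRP master/master split in production.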
4. Network configuration

1. Access layer: VLAN assignment and interface configuration

Taking the HR department's access switch as an example:

```
[Huawei]sysname RS-JR
[RS-JR]vlan batch 10 20 30 40 50 60 70 80 255
[RS-JR]interface Vlanif255
[RS-JR-Vlanif255]ip address 192.168.255.2 255.255.255.0
[RS-JR-Vlanif255]interface Ethernet0/0/1
[RS-JR-Ethernet0/0/1]port link-type trunk
[RS-JR-Ethernet0/0/1]port trunk allow-pass vlan 2 to 4094
[RS-JR-Ethernet0/0/1]interface Ethernet0/0/2
[RS-JR-Ethernet0/0/2]port link-type trunk
[RS-JR-Ethernet0/0/2]port trunk allow-pass vlan 2 to 4094
[RS-JR-Ethernet0/0/2]interface Ethernet0/0/3
[RS-JR-Ethernet0/0/3]port link-type access
[RS-JR-Ethernet0/0/3]port default vlan 30
[RS-JR-Ethernet0/0/3]interface Ethernet0/0/4
[RS-JR-Ethernet0/0/4]port link-type access
[RS-JR-Ethernet0/0/4]port default vlan 40
```

The other access switches are configured the same way.
2. Layer-3 SVI interfaces, router physical interfaces and VRRP

Taking aggregation switch 1 (HJ1) as an example:

```
[HJ1]interface Vlanif 10
[HJ1-Vlanif10]ip address 192.168.10.2 255.255.255.0
[HJ1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.1
[HJ1-Vlanif10]vrrp vrid 10 priority 120
[HJ1-Vlanif10]interface Vlanif 20
[HJ1-Vlanif20]ip address 192.168.20.2 255.255.255.0
[HJ1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.1
[HJ1-Vlanif20]vrrp vrid 20 priority 120
[HJ1-Vlanif20]interface Vlanif 30
[HJ1-Vlanif30]ip address 192.168.30.2 255.255.255.0
[HJ1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[HJ1-Vlanif30]vrrp vrid 30 priority 120
[HJ1-Vlanif30]interface Vlanif 40
[HJ1-Vlanif40]ip address 192.168.40.2 255.255.255.0
[HJ1-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.1
[HJ1-Vlanif40]vrrp vrid 40 priority 120
[HJ1-Vlanif40]interface Vlanif 50
[HJ1-Vlanif50]ip address 192.168.50.2 255.255.255.0
[HJ1-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.1
[HJ1-Vlanif50]vrrp vrid 50 priority 120
[HJ1-Vlanif50]interface Vlanif 60
[HJ1-Vlanif60]ip address 192.168.60.2 255.255.255.0
[HJ1-Vlanif60]vrrp vrid 60 virtual-ip 192.168.60.1
[HJ1-Vlanif60]vrrp vrid 60 priority 120
[HJ1-Vlanif60]interface Vlanif 70
[HJ1-Vlanif70]ip address 192.168.70.2 255.255.255.0
[HJ1-Vlanif70]vrrp vrid 70 virtual-ip 192.168.70.1
[HJ1-Vlanif70]vrrp vrid 70 priority 120
[HJ1-Vlanif70]interface Vlanif 80
[HJ1-Vlanif80]ip address 192.168.80.2 255.255.255.0
[HJ1-Vlanif80]vrrp vrid 80 virtual-ip 192.168.80.1
[HJ1-Vlanif80]vrrp vrid 80 priority 120
[HJ1-Vlanif80]interface Vlanif 255
[HJ1-Vlanif255]ip address 192.168.255.252 255.255.255.0
[HJ1-Vlanif255]vrrp vrid 255 virtual-ip 192.168.255.254
[HJ1-Vlanif255]vrrp vrid 255 priority 120
```

The remaining SVI interfaces are configured in the same way.
3. MSTP in active/standby mode

```
[HJ1]stp instance 0 root primary      // aggregation switch 1 is the primary root bridge
[HJ2]stp instance 0 root secondary    // aggregation switch 2 is the secondary root bridge
```
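HJ1 is given VRRP priority 120 on every SVI and is also the MSTP instance-0 root, so in each VLAN the switch that forwards the Layer-2 traffic is also the one answering for the gateway address. The small simulation below is an added example (not from the original post) that runs the VRRP election rules (address owner wins with priority 255, otherwise highest priority, ties broken by the higher interface address) and flags any VLAN whose master differs from the spanning-tree root; HJ1's values follow the page, HJ2 is assumed to keep VRP's default priority of 100 and to use the .3/.253 addresses.

```python
"""VRRP master election and VRRP/MSTP alignment check (added example)."""
import ipaddress

DEFAULT_PRIORITY = 100   # VRP default when no `vrrp vrid ... priority` is set
OWNER_PRIORITY = 255     # RFC 3768: the router whose interface owns the VIP

# vlan -> (virtual IP, {router: (interface address, configured priority)}).
# HJ1 entries follow the page; HJ2's addresses and priority are assumptions.
VLANS = {
    10:  ("192.168.10.1",    {"HJ1": ("192.168.10.2", 120),
                              "HJ2": ("192.168.10.3", DEFAULT_PRIORITY)}),
    20:  ("192.168.20.1",    {"HJ1": ("192.168.20.2", 120),
                              "HJ2": ("192.168.20.3", DEFAULT_PRIORITY)}),
    255: ("192.168.255.254", {"HJ1": ("192.168.255.252", 120),
                              "HJ2": ("192.168.255.253", DEFAULT_PRIORITY)}),
}


def vrrp_master(virtual_ip, candidates):
    """Return the router that wins the election for one virtual IP."""
    def rank(item):
        _, (addr, prio) = item
        if addr == virtual_ip:          # address owner always wins
            prio = OWNER_PRIORITY
        return (prio, int(ipaddress.ip_address(addr)))
    return max(candidates.items(), key=rank)[0]


def masters(vlans):
    """vlan -> elected master, for every VLAN in the table."""
    return {vlan: vrrp_master(vip, cands) for vlan, (vip, cands) in vlans.items()}


def misaligned_vlans(vlans, stp_root):
    """VLANs whose VRRP master is not the MSTP root. In those VLANs, frames
    arriving at the root must cross the inter-switch link to reach the gateway."""
    return sorted(v for v, m in masters(vlans).items() if m != stp_root)


if __name__ == "__main__":
    print(masters(VLANS))
    print("misaligned with root HJ1:", misaligned_vlans(VLANS, "HJ1"))
    print("misaligned with root HJ2:", misaligned_vlans(VLANS, "HJ2"))
```

Because only `stp instance 0` is configured, HJ1 is root for every VLAN, and the uniform priority 120 keeps VRRP on the same switch; if a later change lowered a single SVI's priority or moved some VLANs to another MSTP instance, this check is what would show the mismatch.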
4. Link aggregation

```
[HJ1]interface Eth-Trunk 0                  // link aggregation interface
[HJ1-Eth-Trunk0]port link-type trunk
[HJ1-Eth-Trunk0]port trunk allow-pass vlan all
[HJ1-Eth-Trunk0]trunkport GigabitEthernet 0/0/5 to 0/0/6
```

In the running configuration, `allow-pass vlan all` is stored as the explicit range:

```
interface Eth-Trunk0
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
```
5. DHCP

Taking the aggregation switch as an example:

```
[HJ1]ip pool vlan10
Info:It's successful to create an IP address pool.
[HJ1-ip-pool-vlan10]network 192.168.10.0 mask 255.255.255.0
[HJ1-ip-pool-vlan10]dns-list 114.114.114.114
[HJ1-ip-pool-vlan10]gateway-list 192.168.10.1
[HJ1-ip-pool-vlan10]ip pool vlan20
[HJ1-ip-pool-vlan20]network 192.168.20.0 mask 255.255.255.0
[HJ1-ip-pool-vlan20]dns-list 114.114.114.114
[HJ1-ip-pool-vlan20]gateway-list 192.168.20.1
[HJ1-ip-pool-vlan20]ip pool vlan30
[HJ1-ip-pool-vlan30]network 192.168.30.0 mask 255.255.255.0
[HJ1-ip-pool-vlan30]dns-list 114.114.114.114
[HJ1-ip-pool-vlan30]gateway-list 192.168.30.1
[HJ1-ip-pool-vlan30]ip pool vlan40
[HJ1-ip-pool-vlan40]network 192.168.40.0 mask 255.255.255.0
[HJ1-ip-pool-vlan40]dns-list 114.114.114.114
[HJ1-ip-pool-vlan40]gateway-list 192.168.40.1
[HJ1-ip-pool-vlan40]ip pool vlan50
[HJ1-ip-pool-vlan50]network 192.168.50.0 mask 255.255.255.0
[HJ1-ip-pool-vlan50]dns-list 114.114.114.114
[HJ1-ip-pool-vlan50]gateway-list 192.168.50.1
[HJ1-ip-pool-vlan50]ip pool vlan60
[HJ1-ip-pool-vlan60]network 192.168.60.0 mask 255.255.255.0
[HJ1-ip-pool-vlan60]dns-list 114.114.114.114
[HJ1-ip-pool-vlan60]gateway-list 192.168.60.1
[HJ1-ip-pool-vlan60]ip pool vlan70
[HJ1-ip-pool-vlan70]network 192.168.70.0 mask 255.255.255.0
[HJ1-ip-pool-vlan70]dns-list 114.114.114.114
[HJ1-ip-pool-vlan70]gateway-list 192.168.70.1
[HJ1-ip-pool-vlan70]ip pool vlan80
[HJ1-ip-pool-vlan80]network 192.168.80.0 mask 255.255.255.0
[HJ1-ip-pool-vlan80]dns-list 114.114.114.114
[HJ1-ip-pool-vlan80]gateway-list 192.168.80.1
[HJ1-ip-pool-vlan80]quit
[HJ1]dhcp enable
[HJ1]interface Vlanif 10
[HJ1-Vlanif10]dhcp select global
[HJ1-Vlanif10]interface Vlanif 20
[HJ1-Vlanif20]dhcp select global
[HJ1-Vlanif20]interface Vlanif 30
[HJ1-Vlanif30]dhcp select global
[HJ1-Vlanif30]interface Vlanif 40
[HJ1-Vlanif40]dhcp select global
[HJ1-Vlanif40]interface Vlanif 50
[HJ1-Vlanif50]dhcp select global
[HJ1-Vlanif50]interface Vlanif 60
[HJ1-Vlanif60]dhcp select global
[HJ1-Vlanif60]interface Vlanif 70
[HJ1-Vlanif70]dhcp select global
[HJ1-Vlanif70]interface Vlanif 80
[HJ1-Vlanif80]dhcp select global
```
6. OSPF for full-network reachability

The same configuration is applied on the other devices; each one simply advertises its own directly connected segments.

```
[HJ1]ospf 1
[HJ1-ospf-1]area 0
[HJ1-ospf-1-area-0.0.0.0]network 192.168.0.0 0.0.255.255
[HJ1-ospf-1-area-0.0.0.0]network 10.10.10.2 0.0.0.0
[HJ2]ospf 1
[HJ2-ospf-1]area 0
[HJ2-ospf-1-area-0.0.0.0]network 192.168.0.0 0.0.255.255
[HJ2-ospf-1-area-0.0.0.0]network 20.20.20.2 0.0.0.0
[HX]ospf 1
[HX-ospf-1]area 0
[HX-ospf-1-area-0.0.0.0]network 10.10.10.0 0.0.0.255
[HX-ospf-1-area-0.0.0.0]network 20.20.20.0 0.0.0.255
[HX-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[HX-ospf-1]area 1
[HX-ospf-1-area-0.0.0.1]network 192.168.2.0 0.0.0.255
[USG6000V1]ospf 1
[USG6000V1-ospf-1]area 1
[USG6000V1-ospf-1-area-0.0.0.1]network 192.168.2.0 0.0.0.255
```
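The `network` statements above use wildcard masks: a 0 bit must match the interface address, a 1 bit is ignored, so `192.168.0.0 0.0.255.255` enables OSPF on every SVI in 192.168.0.0/16 (including the management VLAN 255 SVI) while `10.10.10.2 0.0.0.0` matches exactly one address. The script below is an added example (not from the original post) that applies that rule to a set of HJ1 interfaces; the SVI addresses follow the page, while the uplink prefix length and the 172.16 loopback are assumptions used to show an interface that is not enabled. Only the address match is modelled; VRP's additional mask-length condition is not reproduced.

```python
"""Which interfaces the OSPF network statements enable (added example)."""
import ipaddress


def wildcard_match(address, network, wildcard):
    """Wildcard semantics: bits that are 0 in the wildcard must be equal."""
    a = int(ipaddress.ip_address(address))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def ospf_enabled(interfaces, statements):
    """Map each interface to the area of the first statement its primary
    address matches; None means no statement matched (OSPF not enabled)."""
    result = {}
    for iface, addr in interfaces.items():
        ip = addr.split("/")[0]
        result[iface] = None
        for area, network, wildcard in statements:
            if wildcard_match(ip, network, wildcard):
                result[iface] = area
                break
    return result


# HJ1 interfaces: SVIs from the page, the uplink matched by
# `network 10.10.10.2 0.0.0.0` (prefix length assumed), plus a constructed
# loopback that no statement should cover.
HJ1_INTERFACES = {
    "Vlanif10": "192.168.10.2/24", "Vlanif20": "192.168.20.2/24",
    "Vlanif255": "192.168.255.252/24",
    "GigabitEthernet0/0/24": "10.10.10.2/30",
    "LoopBack7": "172.16.7.1/32",
}
HJ1_OSPF = [("0.0.0.0", "192.168.0.0", "0.0.255.255"),
            ("0.0.0.0", "10.10.10.2", "0.0.0.0")]

# The data-centre firewall later on the page uses a catch-all statement.
DC_FW_OSPF = [("0.0.0.0", "0.0.0.0", "255.255.255.255")]


if __name__ == "__main__":
    for iface, area in ospf_enabled(HJ1_INTERFACES, HJ1_OSPF).items():
        print(f"{iface:24} area {area}")
```

Two things the output makes visible: the management SVI is enabled and advertised along with the user VLANs, so if management addresses should not be reachable from every part of the network the statement needs to be narrowed or the interface made a `silent-interface`; and the `0.0.0.0 255.255.255.255` form used on the data-centre firewall matches every interface, which is convenient in a lab but means any new interface starts speaking OSPF automatically.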
7. Egress NAT

```
nat-policy
 rule name ISP
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip    // NAT mode: easy-ip (translate to the egress interface address)
```

8. Firewall egress security policy

```
security-policy
 rule name ISp                 // Internet traffic
  source-zone trust
  destination-zone untrust
  action permit
```
9. Data-center firewall

```
[USG6000V1]ospf 1
[USG6000V1-ospf-1]area 0
[USG6000V1-ospf-1-area-0.0.0.0]network 0.0.0.0 255.255.255.255
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust-dmz
[USG6000V1-policy-security-rule-trust-dmz]source-zone trust
[USG6000V1-policy-security-rule-trust-dmz]destination-zone dmz
[USG6000V1-policy-security-rule-trust-dmz]action permit
```
10. Device management

```
[RS-JR]aaa
[RS-JR-aaa]local-user admin password cipher admin@123
[RS-JR-aaa]local-user admin privilege level 15
[RS-JR-aaa]local-user admin service-type telnet
[RS-JR-aaa]quit
[RS-JR]user-interface con 0
[RS-JR-ui-console0]user-interface vty 0 4
[RS-JR-ui-vty0-4]authentication-mode aaa
[RS-JR-ui-vty0-4]protocol inbound all
```
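The management configuration above grants a level-15 user Telnet access and opens the VTY lines to every inbound protocol, and the access-layer trunks earlier accept VLANs 2 to 4094. These are the settings a reviewer would look at first on a switch that carries the management VLAN, so the following linter is an added example (not from the original post) that parses a config in `display current-configuration` layout and reports them. Both sample configs are constructed from the page's RS-JR commands; the password strings are placeholders, and the hardened variant uses the standard VRP commands `service-type ssh`, `protocol inbound ssh` and `acl ... inbound` in place of the Telnet settings.

```python
"""Lint Huawei VRP management and trunk settings (added example)."""
import re

# Constructed from the page's RS-JR commands; password is a placeholder.
PAGE_CONFIG = """\
aaa
 local-user admin password cipher <PLACEHOLDER>
 local-user admin privilege level 15
 local-user admin service-type telnet
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 30
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
"""

# Hardened variant (constructed): SSH only, VTY restricted by ACL, explicit VLAN list.
HARDENED_CONFIG = """\
aaa
 local-user admin password irreversible-cipher <PLACEHOLDER>
 local-user admin privilege level 15
 local-user admin service-type ssh
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40 50 60 70 80 255
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 acl 2000 inbound
#
"""


def parse_blocks(text):
    """Split a VRP config into (header, [commands]); indented lines belong to
    the most recent unindented header, '#' separator lines are ignored."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return (severity, block, message) findings for the checked settings."""
    findings = []
    for header, cmds in parse_blocks(text):
        if header == "aaa":
            for c in cmds:
                m = re.match(r"local-user (\S+) service-type (.+)", c)
                if m and "telnet" in m.group(2).split():
                    findings.append(("high", header,
                        f"user {m.group(1)} may log in over Telnet (cleartext); use service-type ssh"))
        elif header.startswith("user-interface vty"):
            if any(re.match(r"protocol inbound (all|telnet)$", c) for c in cmds):
                findings.append(("high", header, "VTY accepts Telnet; use protocol inbound ssh"))
            if not any(c.startswith("authentication-mode aaa") for c in cmds):
                findings.append(("high", header, "VTY does not authenticate through AAA"))
            if not any(re.match(r"acl \S+ inbound$", c) for c in cmds):
                findings.append(("medium", header,
                    "no inbound ACL restricts which sources may reach the VTY"))
        elif header.startswith("interface ") and "port link-type trunk" in cmds:
            if any(re.match(r"port trunk allow-pass vlan (all|2 to 4094)$", c) for c in cmds):
                findings.append(("medium", header,
                    "trunk passes every VLAN; allow only the VLANs in the address plan"))
    return findings


if __name__ == "__main__":
    for sev, block, msg in audit(PAGE_CONFIG):
        print(f"{sev:6} {block:28} {msg}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The page's configuration yields four findings; the hardened variant yields none. Switching to the hardened form on a real device also requires enabling the SSH server (`stelnet server enable`), creating a local key pair, and defining ACL 2000 to permit only the management subnet, otherwise the VTY lines become unreachable.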
11. Branch gateway addresses and RIP

```
[Huawei]rip 1
[Huawei-rip-1]network 30.0.0.0
[Huawei-rip-1]default-route originate
```

```
[Huawei]rip 1
[Huawei-rip-1]network 30.0.0.0
[Huawei-rip-1]network 192.168.110.0
[Huawei-rip-1]network 192.168.100.0
[Huawei-rip-1]quit
[Huawei]interface Vlanif 10
[Huawei-Vlanif10]ip address 192.168.100.254 24
[Huawei-Vlanif10]interface Vlanif 20
[Huawei-Vlanif20]ip address 192.168.110.254 24
```
5. Network testing

Message the author privately to obtain it.