Enterprise Network Design

1. Topology

2. Background and requirements

1. The office is divided into several departments; the network must support 500 users.
2. Business VLANs are planned per department.
3. The network runs VRRP + MSTP, with link aggregation to keep the links reliable.
4. A firewall is deployed at the egress to protect the internal network.
5. The server area is placed in a DMZ behind an additional firewall (protecting the internal network).
6. Devices are administered through remote access.
7. Two different dynamic routing protocols are used, one inside each of the two LANs.

3. Department VLANs and IP addressing

Address plan

| Department | Address space | VLAN | VLAN gateway |
|---|---|---|---|
| Marketing | 192.168.10.0/24 | VLAN 10 | 192.168.10.1/24 |
| Marketing | 192.168.20.0/24 | VLAN 20 | 192.168.20.1/24 |
| HR | 192.168.30.0/24 | VLAN 30 | 192.168.30.1/24 |
| HR | 192.168.40.0/24 | VLAN 40 | 192.168.40.1/24 |
| Management | 192.168.50.0/24 | VLAN 50 | 192.168.50.1/24 |
| Management | 192.168.60.0/24 | VLAN 60 | 192.168.60.1/24 |
| General affairs | 192.168.70.0/24 | VLAN 70 | 192.168.70.1/24 |
| General affairs | 192.168.80.0/24 | VLAN 80 | 192.168.80.1/24 |

Each department gets two /24 VLANs; eight user VLANs of 253 usable addresses each comfortably cover the 500-user requirement. The gateway in every VLAN is a VRRP virtual address shared by the two aggregation switches.

Management addresses of the access and aggregation devices

| Network | Address | VLAN | Gateway |
|---|---|---|---|
| Management network | 192.168.255.0/24 | VLAN 255 | 192.168.255.254 |

4. Network configuration

1. Access layer: VLANs and port configuration

Taking the HR department access switch as an example:

[Huawei]sysname RS-JR
[RS-JR]vlan batch 10 20 30 40 50 60 70 80 255
[RS-JR]interface Vlanif255
[RS-JR-Vlanif255]ip address 192.168.255.2 255.255.255.0
[RS-JR-Vlanif255]interface Ethernet0/0/1
[RS-JR-Ethernet0/0/1]port link-type trunk
[RS-JR-Ethernet0/0/1]port trunk allow-pass vlan 2 to 4094
[RS-JR-Ethernet0/0/1]interface Ethernet0/0/2
[RS-JR-Ethernet0/0/2]port link-type trunk
[RS-JR-Ethernet0/0/2]port trunk allow-pass vlan 2 to 4094
[RS-JR-Ethernet0/0/2]interface Ethernet0/0/3
[RS-JR-Ethernet0/0/3]port link-type access
[RS-JR-Ethernet0/0/3]port default vlan 30
[RS-JR-Ethernet0/0/3]interface Ethernet0/0/4
[RS-JR-Ethernet0/0/4]port link-type access
[RS-JR-Ethernet0/0/4]port default vlan 40

(The message "IP on the interface Vlanif255 has entered the UP state." that appears in the session is a log line printed by the switch, not configuration.)

Ethernet0/0/1 and 0/0/2 are the uplinks to the two aggregation switches; 0/0/3 and 0/0/4 face the HR hosts in VLAN 30 and VLAN 40. The other access switches are configured the same way, with their own department VLANs on the access ports.

Two points worth checking on every access switch: the uplinks are allowed to carry every VLAN (2 to 4094), whereas with a fixed plan like this one only VLANs 10 to 80 and 255 need to pass, and pruning the trunk to that list keeps a compromised host or a mis-patched port from reaching VLANs that should never appear on this switch. Also, Vlanif255 only receives an address here; to manage the switch from outside 192.168.255.0/24 it additionally needs a default route to the management gateway 192.168.255.254, which this page does not show.

2. Layer-3 SVI interfaces, router physical interfaces and VRRP configuration

Taking aggregation switch 1 as an example:

[HJ1]interface Vlanif10
[HJ1-Vlanif10]ip address 192.168.10.2 255.255.255.0
[HJ1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.1
[HJ1-Vlanif10]vrrp vrid 10 priority 120
[HJ1-Vlanif10]interface Vlanif20
[HJ1-Vlanif20]ip address 192.168.20.2 255.255.255.0
[HJ1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.1
[HJ1-Vlanif20]vrrp vrid 20 priority 120
[HJ1-Vlanif20]interface Vlanif30
[HJ1-Vlanif30]ip address 192.168.30.2 255.255.255.0
[HJ1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[HJ1-Vlanif30]vrrp vrid 30 priority 120
[HJ1-Vlanif30]interface Vlanif40
[HJ1-Vlanif40]ip address 192.168.40.2 255.255.255.0
[HJ1-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.1
[HJ1-Vlanif40]vrrp vrid 40 priority 120
[HJ1-Vlanif40]interface Vlanif50
[HJ1-Vlanif50]ip address 192.168.50.2 255.255.255.0
[HJ1-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.1
[HJ1-Vlanif50]vrrp vrid 50 priority 120
[HJ1-Vlanif50]interface Vlanif60
[HJ1-Vlanif60]ip address 192.168.60.2 255.255.255.0
[HJ1-Vlanif60]vrrp vrid 60 virtual-ip 192.168.60.1
[HJ1-Vlanif60]vrrp vrid 60 priority 120
[HJ1-Vlanif60]interface Vlanif70
[HJ1-Vlanif70]ip address 192.168.70.2 255.255.255.0
[HJ1-Vlanif70]vrrp vrid 70 virtual-ip 192.168.70.1
[HJ1-Vlanif70]vrrp vrid 70 priority 120
[HJ1-Vlanif70]interface Vlanif80
[HJ1-Vlanif80]ip address 192.168.80.2 255.255.255.0
[HJ1-Vlanif80]vrrp vrid 80 virtual-ip 192.168.80.1
[HJ1-Vlanif80]vrrp vrid 80 priority 120
[HJ1-Vlanif80]interface Vlanif255
[HJ1-Vlanif255]ip address 192.168.255.252 255.255.255.0
[HJ1-Vlanif255]vrrp vrid 255 virtual-ip 192.168.255.254
[HJ1-Vlanif255]vrrp vrid 255 priority 120

Every group needs its virtual-ip line: on VRP that command is what creates the VRRP group, and a priority applied to a group that does not exist is rejected, leaving the VLAN without a redundant gateway. The remaining SVIs follow the same pattern. HJ2 mirrors this configuration with its own interface address on each Vlanif (for example 192.168.10.3) and the same virtual-ip, and keeps the default priority 100 so that HJ1, at priority 120, is master for every group; preemption is on by default, so HJ1 takes the groups back once it recovers. Note that VRRP advertisements are not authenticated here, so any host in a user VLAN that can send a VRRP advertisement with a priority above 120 can claim the gateway address for its VLAN.

3. MSTP, active/standby mode

[HJ1]stp instance 0 root primary   //aggregation switch 1 is the primary root
[HJ2]stp instance 0 root secondary //aggregation switch 2 is the secondary root

Only instance 0 (the CIST) is used, so every VLAN follows the same tree: the access switches forward toward HJ1 and block their link to HJ2. That matches HJ1 being VRRP master for every group; the root bridge and the VRRP master should be the same device so that user traffic does not have to cross the inter-switch link to reach its gateway. Mapping the VLANs onto two MSTP instances with opposite roots would put both uplinks to use. Access ports toward end hosts should also be declared edge ports with BPDU protection so that a user device cannot inject BPDUs and move the root; that is not part of this configuration.

4. Link aggregation

[HJ1]interface Eth-Trunk 0   //link aggregation interface
[HJ1-Eth-Trunk0]port link-type trunk
[HJ1-Eth-Trunk0]port trunk allow-pass vlan all
[HJ1-Eth-Trunk0]trunkport GigabitEthernet 0/0/5 to 0/0/6

The resulting interface configuration as shown by display current-configuration (allow-pass vlan all is stored as 2 to 4094 because VLAN 1 is already the port's default VLAN):

interface Eth-Trunk0
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

Eth-Trunk0 bundles GigabitEthernet0/0/5 and 0/0/6; the far end of the bundle needs a matching Eth-Trunk with the same member count and trunk settings. Without a mode command the bundle is a manual aggregation that stays up as long as the physical members are up; enabling LACP (mode lacp-static on this platform) would also detect a mis-patched member and drop it from the bundle.

5. DHCP

Taking the aggregation switch as an example:

[HJ1]ip pool vlan10
Info:It's successful to create an IP address pool.
[HJ1-ip-pool-vlan10]network 192.168.10.0 mask 255.255.255.0
[HJ1-ip-pool-vlan10]dns-list 114.114.114.114
[HJ1-ip-pool-vlan10]gateway-list 192.168.10.1
[HJ1-ip-pool-vlan10]ip pool vlan20
[HJ1-ip-pool-vlan20]network 192.168.20.0 mask 255.255.255.0
[HJ1-ip-pool-vlan20]dns-list 114.114.114.114
[HJ1-ip-pool-vlan20]gateway-list 192.168.20.1
[HJ1-ip-pool-vlan20]ip pool vlan30
[HJ1-ip-pool-vlan30]network 192.168.30.0 mask 255.255.255.0
[HJ1-ip-pool-vlan30]dns-list 114.114.114.114
[HJ1-ip-pool-vlan30]gateway-list 192.168.30.1
[HJ1-ip-pool-vlan30]ip pool vlan40
[HJ1-ip-pool-vlan40]network 192.168.40.0 mask 255.255.255.0
[HJ1-ip-pool-vlan40]dns-list 114.114.114.114
[HJ1-ip-pool-vlan40]gateway-list 192.168.40.1
[HJ1-ip-pool-vlan40]ip pool vlan50
[HJ1-ip-pool-vlan50]network 192.168.50.0 mask 255.255.255.0
[HJ1-ip-pool-vlan50]dns-list 114.114.114.114
[HJ1-ip-pool-vlan50]gateway-list 192.168.50.1
[HJ1-ip-pool-vlan50]ip pool vlan60
[HJ1-ip-pool-vlan60]network 192.168.60.0 mask 255.255.255.0
[HJ1-ip-pool-vlan60]dns-list 114.114.114.114
[HJ1-ip-pool-vlan60]gateway-list 192.168.60.1
[HJ1-ip-pool-vlan60]ip pool vlan70
[HJ1-ip-pool-vlan70]network 192.168.70.0 mask 255.255.255.0
[HJ1-ip-pool-vlan70]dns-list 114.114.114.114
[HJ1-ip-pool-vlan70]gateway-list 192.168.70.1
[HJ1-ip-pool-vlan70]ip pool vlan80
[HJ1-ip-pool-vlan80]network 192.168.80.0 mask 255.255.255.0
[HJ1-ip-pool-vlan80]dns-list 114.114.114.114
[HJ1-ip-pool-vlan80]gateway-list 192.168.80.1
[HJ1-ip-pool-vlan80]quit
[HJ1]dhcp enable
[HJ1]interface Vlanif10
[HJ1-Vlanif10]dhcp select global
[HJ1-Vlanif10]interface Vlanif20
[HJ1-Vlanif20]dhcp select global
[HJ1-Vlanif20]interface Vlanif30
[HJ1-Vlanif30]dhcp select global
[HJ1-Vlanif30]interface Vlanif40
[HJ1-Vlanif40]dhcp select global
[HJ1-Vlanif40]interface Vlanif50
[HJ1-Vlanif50]dhcp select global
[HJ1-Vlanif50]interface Vlanif60
[HJ1-Vlanif60]dhcp select global
[HJ1-Vlanif60]interface Vlanif70
[HJ1-Vlanif70]dhcp select global
[HJ1-Vlanif70]interface Vlanif80
[HJ1-Vlanif80]dhcp select global

Each pool hands out the VRRP virtual address (192.168.x.1) as the gateway, so clients keep a working gateway when HJ1 fails over to HJ2. If HJ2 is also to serve DHCP, the two switches do not synchronise leases, so identical pools on both would eventually hand the same address to two hosts; either serve every VLAN from one switch or split each /24 between the two servers. Nothing here stops a user from plugging in a rogue DHCP server; DHCP snooping on the access switches, trusting only the uplinks, is the usual countermeasure and is not part of this page.
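The SVI/VRRP blocks in step 2 and the DHCP pools above are the same four or five lines repeated for eight VLANs on two switches, which is exactly where a line gets dropped. The following Python script, added here and not part of the original page, renders both aggregation switches from the address-plan table and lints the result for VRRP groups that carry a priority but no virtual-ip (the omission that leaves a VLAN with no redundant gateway). HJ1's .2 addresses and priority 120 are the page's values; HJ2's .3 addresses, its priority 100 (the VRRP default), and splitting each /24 between the two DHCP servers with excluded-ip-address are assumptions made for this example.

```python
"""Render SVI/VRRP + DHCP config for the HJ1/HJ2 aggregation pair from the
address plan, and lint it for VRRP groups without a virtual-ip.
Added example, not part of the original article.  HJ2's addresses, priority
and the split DHCP scopes are assumptions, not values from the article."""
import re

USER_VLANS = [10, 20, 30, 40, 50, 60, 70, 80]   # address-plan table
MGMT_VLAN = 255
DNS = "114.114.114.114"

# switch -> SVI host octet, VRRP priority, and the part of each /24 it may
# lease.  Two unsynchronised DHCP servers must never share a range.
SWITCHES = {
    "HJ1": {"host": 2, "priority": 120, "scope": (10, 127)},   # master
    "HJ2": {"host": 3, "priority": 100, "scope": (128, 250)},  # backup (assumed)
}


def gateway(vlan: int) -> str:
    """VRRP virtual address: .1 for user VLANs, .254 for management."""
    return f"192.168.{vlan}.{254 if vlan == MGMT_VLAN else 1}"


def render(name: str) -> str:
    """Full per-switch configuration as VRP would store it."""
    sw = SWITCHES[name]
    lo, hi = sw["scope"]
    lines = [f"sysname {name}", "dhcp enable"]
    for vlan in USER_VLANS:
        lines += [
            f"ip pool vlan{vlan}",
            f" network 192.168.{vlan}.0 mask 255.255.255.0",
            f" gateway-list {gateway(vlan)}",
            f" dns-list {DNS}",
            # keep the gateway, both SVIs and the other switch's range out
            f" excluded-ip-address 192.168.{vlan}.1 192.168.{vlan}.{lo - 1}",
            f" excluded-ip-address 192.168.{vlan}.{hi + 1} 192.168.{vlan}.254",
        ]
    for vlan in USER_VLANS + [MGMT_VLAN]:
        lines += [
            f"interface Vlanif{vlan}",
            f" ip address 192.168.{vlan}.{sw['host']} 255.255.255.0",
            f" vrrp vrid {vlan} virtual-ip {gateway(vlan)}",   # creates the group
            f" vrrp vrid {vlan} priority {sw['priority']}",
        ]
        if vlan != MGMT_VLAN:
            lines.append(" dhcp select global")
    return "\n".join(lines) + "\n"


def lint(config: str) -> list:
    """VRIDs that have a priority line but no virtual-ip line.  On VRP the
    virtual-ip command creates the group, so such a VLAN has no VRRP at all."""
    prio = set(re.findall(r"vrrp vrid (\d+) priority", config))
    vip = set(re.findall(r"vrrp vrid (\d+) virtual-ip", config))
    return sorted(int(v) for v in prio - vip)


def scopes_disjoint() -> bool:
    """True when no two switches can lease the same address."""
    ranges = sorted(s["scope"] for s in SWITCHES.values())
    return all(a[1] < b[0] for a, b in zip(ranges, ranges[1:]))


# Constructed fragment with the virtual-ip line dropped, to show what lint()
# catches.
MISSING_VIP_FRAGMENT = """\
interface Vlanif10
 ip address 192.168.10.2 255.255.255.0
 vrrp vrid 10 priority 120
"""

if __name__ == "__main__":
    print(render("HJ1"))
    print("groups without virtual-ip:", lint(MISSING_VIP_FRAGMENT))
```

Run it and paste the output for each switch; the lint step is cheap enough to keep in a pre-change check so that a VLAN never goes live with a half-configured gateway group.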

6. OSPF for full reachability

This configuration is the same on every OSPF device in the headquarters network: each one advertises its own directly connected segments.

[HJ1]ospf 1
[HJ1-ospf-1]area 0
[HJ1-ospf-1-area-0.0.0.0]network 192.168.0.0 0.0.255.255
[HJ1-ospf-1-area-0.0.0.0]network 10.10.10.2 0.0.0.0

[HJ2]ospf 1
[HJ2-ospf-1]area 0
[HJ2-ospf-1-area-0.0.0.0]network 192.168.0.0 0.0.255.255
[HJ2-ospf-1-area-0.0.0.0]network 20.20.20.2 0.0.0.0

[HX]ospf 1
[HX-ospf-1]area 0
[HX-ospf-1-area-0.0.0.0]network 10.10.10.0 0.0.0.255
[HX-ospf-1-area-0.0.0.0]network 20.20.20.0 0.0.0.255
[HX-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[HX-ospf-1]area 1
[HX-ospf-1-area-0.0.0.1]network 192.168.2.0 0.0.0.255

[USG6000V1]ospf 1
[USG6000V1-ospf-1]area 1
[USG6000V1-ospf-1-area-0.0.0.1]network 192.168.2.0 0.0.0.255

HJ1 and HJ2 reach the core switch HX over 10.10.10.0/24 and 20.20.20.0/24 (the 0.0.0.0 wildcard activates OSPF only on the interface that holds that exact address); HX is the area border router, with the egress firewall behind it in area 1 over 192.168.2.0/24 and the 192.168.3.0/24 segment, presumably toward the data-centre firewall of step 9, in area 0. The USG6000V1 shown here is the egress firewall; the data-centre firewall in step 9 is a second unit that has kept the same default hostname. Two caveats: network 192.168.0.0 0.0.255.255 on the aggregation switches also runs OSPF on the management Vlanif255 and on every user SVI, so a host in a user VLAN can form an adjacency with its gateway unless those SVIs are made passive (silent-interface), and none of the adjacencies use OSPF authentication.

7. Egress NAT

nat-policy
 rule name ISP
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip   //NAT mode: Easy IP, translate to the outbound interface address

8. Egress firewall security policy

security-policy
 rule name ISP   //internet traffic
  source-zone trust
  destination-zone untrust
  action permit

On the USG the default inter-zone action is deny, so this single rule allows only sessions initiated from trust toward untrust; return traffic rides on the session table, and unsolicited traffic from untrust toward trust stays blocked by the default policy.

9. Data-centre firewall

[USG6000V1]ospf 1
[USG6000V1-ospf-1]area 0
[USG6000V1-ospf-1-area-0.0.0.0]network 0.0.0.0 255.255.255.255

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust-dmz
[USG6000V1-policy-security-rule-trust-dmz]source-zone trust
[USG6000V1-policy-security-rule-trust-dmz]destination-zone dmz
[USG6000V1-policy-security-rule-trust-dmz]action permit

network 0.0.0.0 255.255.255.255 enables OSPF on every interface that has an address, including the DMZ-facing one, so a compromised server in the DMZ could form an adjacency with the firewall and inject routes; declaring the DMZ interface silent-interface keeps it out of the adjacency while its prefix is still advertised. The trust-to-DMZ rule permits every service; for a DMZ it should be narrowed to the services the servers actually offer (a service clause on the rule), and there is no rule from dmz to trust, so servers cannot open connections back into the office network, which is the intended direction of protection.

10. Device management

[RS-JR]aaa
[RS-JR-aaa]local-user admin password cipher admin@123
[RS-JR-aaa]local-user admin privilege level 15
[RS-JR-aaa]local-user admin service-type telnet
[RS-JR-aaa]quit
[RS-JR]user-interface con 0
[RS-JR-ui-console0]user-interface vty 0 4
[RS-JR-ui-vty0-4]authentication-mode aaa
[RS-JR-ui-vty0-4]protocol inbound all

This satisfies the remote-management requirement, but as written it is the weakest part of the design: Telnet carries the login and every command in clear text across the management VLAN, protocol inbound all admits Telnet as well as SSH, the VTY lines accept connections from any source, and the only account is level 15 with a password that contains its own user name. The practitioner's version is SSH only (stelnet server enable, an SSH user, protocol inbound ssh on the VTY lines), an ACL bound to the VTY lines that permits only 192.168.255.0/24, and a password that is long and unrelated to the account name.
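Steps 8 to 10 leave the DMZ rule open to any service and the access switches reachable over Telnet with no VTY ACL and a password containing the user name; with twenty access switches this is the sort of thing to catch mechanically before the config is pushed. The script below, added here and not part of the original page, runs a handful of line checks over a configuration text. The sample config is constructed to mirror the page's fragments, the hardened counterpart shows the corrected settings (SSH only, an ACL on the VTY lines, trunk pruned to the planned VLANs, DMZ rule limited to one service), and the exact SSH/ACL command forms in it are assumptions about the VRP release.

```python
"""Audit a Huawei VRP-style configuration for weak management-plane and
firewall-policy settings.  Added example, not part of the original article;
the two configs are constructed and the checks are line heuristics, not a
vendor tool.  Hardened-sample command forms are assumed, not verified."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule line_no line")  # 1-based line number

# Constructed sample mirroring the article's access-switch management,
# uplink trunk and data-centre firewall rule, laid out as saved VRP config.
SAMPLE_CONFIG = """\
aaa
 local-user admin password cipher admin@123
 local-user admin service-type telnet
user-interface vty 0 4
 protocol inbound all
interface Ethernet0/0/1
 port trunk allow-pass vlan 2 to 4094
security-policy
 rule name trust-dmz
  destination-zone dmz
  action permit
"""

# Constructed hardened counterpart: SSH only, VTY limited to the management
# VLAN by ACL, trunk pruned to the planned VLANs, DMZ rule narrowed.
HARDENED_CONFIG = """\
aaa
 local-user netops password irreversible-cipher Lk7#vQp2!zR9mW
 local-user netops service-type ssh
acl 2000
 rule 5 permit source 192.168.255.0 0.0.0.255
user-interface vty 0 4
 protocol inbound ssh
 acl 2000 inbound
interface Ethernet0/0/1
 port trunk allow-pass vlan 10 20 30 40 50 60 70 80 255
security-policy
 rule name trust-dmz-web
  destination-zone dmz
  service https
  action permit
"""

MIN_PASSWORD_LEN = 12
PW_RE = re.compile(r"local-user (\S+) password (?:irreversible-)?cipher (\S+)")


def _stanzas(config: str):
    """Yield (header_line_no, header, [(line_no, line), ...]) per top-level
    stanza.  VRP indents stanza bodies; nesting depth is dropped here."""
    hdr_no, header, body = 0, None, []
    for no, raw in enumerate(config.splitlines(), start=1):
        if not raw.strip():
            continue
        if raw[0] != " ":
            if header is not None:
                yield hdr_no, header, body
            hdr_no, header, body = no, raw.strip(), []
        else:
            body.append((no, raw.strip()))
    if header is not None:
        yield hdr_no, header, body


def _policy_rules(body):
    """Group a security-policy body into (line_no, name, attribute lines)."""
    rules = []
    for no, line in body:
        m = re.match(r"rule name (\S+)$", line)
        if m:
            rules.append((no, m.group(1), []))
        elif rules:
            rules[-1][2].append(line)
    return rules


def audit(config: str) -> list:
    out = []
    for hdr_no, header, body in _stanzas(config):
        if header == "aaa":
            for no, line in body:
                m = PW_RE.match(line)
                # meaningful for a password typed in clear; a stored %^%#...
                # hash is long and never contains the user name
                if m and (len(m[2]) < MIN_PASSWORD_LEN or m[1].lower() in m[2].lower()):
                    out.append(Finding("weak-password", no, line))
                if re.match(r"local-user \S+ service-type .*\btelnet\b", line):
                    out.append(Finding("telnet-user", no, line))
        elif header.startswith("user-interface vty"):
            if not any(re.match(r"acl \d+ inbound", l) for _, l in body):
                out.append(Finding("vty-no-acl", hdr_no, header))
            for no, line in body:
                if re.match(r"protocol inbound (all|telnet)$", line):
                    out.append(Finding("vty-cleartext-protocol", no, line))
        elif header.startswith("interface "):
            for no, line in body:
                if re.match(r"port trunk allow-pass vlan (all|[12] to 4094)$", line):
                    out.append(Finding("unpruned-trunk", no, line))
        elif header == "security-policy":
            for no, name, attrs in _policy_rules(body):
                if "action permit" in attrs and not any(
                        a.startswith(("service ", "destination-address ")) for a in attrs):
                    out.append(Finding("permit-any-service", no, f"rule name {name}"))
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2} {f.rule:<22} {f.line}")
```

Feed it the output of display current-configuration from each device; the permit-any-service check will also flag the egress rule from step 8, which is a deliberate any-service permit, so treat the findings as review items rather than hard failures.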

11. Branch gateway addresses and RIP

The first block is the device that injects a default route toward the branch over the 30.0.0.0 WAN link; the second is the branch gateway, which announces the WAN link and its two user segments and holds the gateway addresses on Vlanif10 and Vlanif20:

[Huawei]rip 1
[Huawei-rip-1]network 30.0.0.0
[Huawei-rip-1]default-route originate

[Huawei]rip 1
[Huawei-rip-1]network 30.0.0.0
[Huawei-rip-1]network 192.168.110.0
[Huawei-rip-1]network 192.168.100.0
[Huawei-rip-1]interface Vlanif10
[Huawei-Vlanif10]ip address 192.168.100.254 24
[Huawei-Vlanif10]interface Vlanif20
[Huawei-Vlanif20]ip address 192.168.110.254 24

This is the second routing protocol of requirement 7: the branch runs RIP while headquarters runs OSPF. RIP on VRP defaults to version 1, which is classful and unauthenticated; version 2 with authentication on the WAN interface is the minimum for a link that anyone on the 30.0.0.0 segment could otherwise inject routes into. How routes are exchanged between the RIP and OSPF domains is not shown on this page.

5. Network testing

Available from the author on request (私信作者获取).
