Abstract
This design plans the construction of a company network using a three-layer architecture of access, aggregation and core layers. All access-layer and aggregation-layer switches run MSTP and VRRP for redundant backup, protecting the stability of devices and links. The OSPF dynamic routing protocol is run to ease route maintenance. DHCP is used to assign addresses dynamically, which simplifies IP address management. A firewall is deployed at the egress to protect network security. SNAT on the firewall lets the company intranet reach the Internet, and DNAT on the firewall lets external networks reach the company's servers.
- Each department is assigned its own VLAN; hosts within a department communicate freely, and communication between departments is governed by ACL rules.
- The intranet uses private IP addresses; each department receives one private subnet with a 24-bit mask for Internet access.
- Department hosts obtain addresses automatically via DHCP, reducing the administrator's manual assignment work and easing management and maintenance.
- OSPF is run to improve convergence speed. OSPF also adapts to topology changes, learns routes automatically, prevents routing loops and improves topology stability.
- Access-layer and aggregation-layer switches are configured with MSTP and VRRP for device redundancy, reliable links and load sharing, so that when the master device fails, traffic switches quickly to the backup device without interrupting service forwarding.
- A firewall is added and security zones are defined to control forwarding between department hosts, servers and external devices, ensuring the security of the company network.
- The egress uses fibre access and the aggregation-layer switches use link aggregation to raise bandwidth, giving a 10-gigabit carrier uplink, gigabit to each department and 100 Mbit/s to the desktop.
- Full wireless coverage inside the company ensures that internal terminal devices can connect wirelessly and reach the Internet.
- ACL access control on the aggregation-layer switches implements the requirement that Marketing and Administration cannot communicate, Finance communicates only with Administration, and all other departments communicate freely.
- SNAT: address translation applied when intranet users access the Internet, converting private addresses to public ones; Easy IP NAT is used here so that the company's outbound traffic uses the address of the egress interface.
- DNAT: lets external users reach internal servers. When a user accesses 202.96.137.88:8080, the firewall delivers the traffic to the internal web server; when a user accesses 202.96.137.88:21, the firewall translates the destination address to 172.16.50.20:21, reaching the company's FTP server.
2. Network Topology
A network's topology diagram is the most direct presentation of its design, and each of the classic topologies has its own characteristics. We use the standard three-layer core/aggregation/access architecture. The requirement is that the failure of any single device must not bring the network down, so every switch must have dual-device hot-standby redundancy. The company's network topology is shown in the figure below.

The project file can be downloaded via the following link: eNSP typical small/medium enterprise network build (with wireless)
3. Configuration Steps
- Basic configuration
VLAN creation, port assignment and IP address configuration on the switches
Core-SW1 configuration
[Huawei]sy Core-SW1
[Core-SW1]vlan b 70 80 100 200 172
Info: This operation may take a few seconds. Please wait for a moment...done.
[Core-SW1]int vlan 70
[Core-SW1-Vlanif70]ip add 172.16.70.2 24
[Core-SW1-Vlanif70]int vlan 80
[Core-SW1-Vlanif80]ip add 172.16.80.2 24
[Core-SW1-Vlanif80]int vlan 100
[Core-SW1-Vlanif100]ip add 172.16.10.254 24
[Core-SW1-Vlanif100]int vlan 200
[Core-SW1-Vlanif200]ip add 172.16.20.2 24
[Core-SW1-Vlanif200]int vlan 172
[Core-SW1-Vlanif172]ip add 172.16.172.1 24
[Core-SW1-Vlanif172]q
[Core-SW1]int g0/0/23
[Core-SW1-GigabitEthernet0/0/23]po li a
[Core-SW1-GigabitEthernet0/0/23]po de v 70
[Core-SW1-GigabitEthernet0/0/23]int g0/0/24
[Core-SW1-GigabitEthernet0/0/24]po li a
[Core-SW1-GigabitEthernet0/0/24]po de v 80
[Core-SW1-GigabitEthernet0/0/24]int g0/0/2
[Core-SW1-GigabitEthernet0/0/2]po li a
[Core-SW1-GigabitEthernet0/0/2]po de v 100
[Core-SW1-GigabitEthernet0/0/2]int g0/0/1
[Core-SW1-GigabitEthernet0/0/1]po li a
[Core-SW1-GigabitEthernet0/0/1]po de v 200
[Core-SW1-GigabitEthernet0/0/1]int g0/0/3
[Core-SW1-GigabitEthernet0/0/3]po li a
[Core-SW1-GigabitEthernet0/0/3]po de v 172
[Core-SW1-GigabitEthernet0/0/3]q
SW1 configuration
[Huawei]sy SW1
[SW1]vlan b 10 20 30 40 50 70 1000 2000
[SW1]int vlan 10
[SW1-Vlanif10]ip add 192.168.10.1 24
[SW1-Vlanif10]int vlan 20
[SW1-Vlanif20]ip add 192.168.20.1 24
[SW1-Vlanif20]int vlan 30
[SW1-Vlanif30]ip add 192.168.30.1 24
[SW1-Vlanif30]int vlan 40
[SW1-Vlanif40]ip add 192.168.40.1 24
[SW1-Vlanif40]int vlan 50
[SW1-Vlanif50]ip add 192.168.50.1 24
[SW1-Vlanif50]int vlan 1000
[SW1-Vlanif1000]ip add 192.168.100.1 24
[SW1-Vlanif1000]int vlan 2000
[SW1-Vlanif2000]ip add 172.16.100.1 24
[SW1-Vlanif2000]int vlan 70
[SW1-Vlanif70]ip add 172.16.70.1 24
[SW1-Vlanif70]q
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]po li t
[SW1-GigabitEthernet0/0/1]po t all vlan 10 1000 2000
[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]po li t
[SW1-GigabitEthernet0/0/2]po t all vlan 20 30 1000 2000
[SW1-GigabitEthernet0/0/2]int g0/0/3
[SW1-GigabitEthernet0/0/3]po li t
[SW1-GigabitEthernet0/0/3]po t all vlan 40 50 1000 2000
[SW1-GigabitEthernet0/0/3]int g0/0/23
[SW1-GigabitEthernet0/0/23]po li a
[SW1-GigabitEthernet0/0/23]po de v 70
[SW1-GigabitEthernet0/0/23]q
SW2 configuration
[Huawei]sy SW2
[SW2]vlan b 10 20 30 40 50 80 1000 2000
[SW2]int vlan 10
[SW2-Vlanif10]ip add 192.168.10.2 24
[SW2-Vlanif10]int vlan 20
[SW2-Vlanif20]ip add 192.168.20.2 24
[SW2-Vlanif20]int vlan 30
[SW2-Vlanif30]ip add 192.168.30.2 24
[SW2-Vlanif30]int vlan 40
[SW2-Vlanif40]ip add 192.168.40.2 24
[SW2-Vlanif40]int vlan 50
[SW2-Vlanif50]ip add 192.168.50.2 24
[SW2-Vlanif50]int vlan 80
[SW2-Vlanif80]ip add 172.16.80.1 24
[SW2-Vlanif80]int vlan 1000
[SW2-Vlanif1000]ip add 192.168.100.2 24
[SW2-Vlanif1000]int vlan 2000
[SW2-Vlanif2000]ip add 172.16.100.2 24
[SW2-Vlanif2000]q
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]po li t
[SW2-GigabitEthernet0/0/1]po t all vlan 10 1000 2000
[SW2-GigabitEthernet0/0/1]int g0/0/2
[SW2-GigabitEthernet0/0/2]po li t
[SW2-GigabitEthernet0/0/2]po t all vlan 20 30 1000 2000
[SW2-GigabitEthernet0/0/2]int g0/0/3
[SW2-GigabitEthernet0/0/3]po li t
[SW2-GigabitEthernet0/0/3]po t all vlan 40 50 1000 2000
[SW2-GigabitEthernet0/0/3]int g0/0/24
[SW2-GigabitEthernet0/0/24]po li a
[SW2-GigabitEthernet0/0/24]po de v 80
[SW2-GigabitEthernet0/0/24]q
SW3 configuration
[huawei]sy SW3
[SW3]vlan b 10 1000 2000
[SW3]int e0/0/1
[SW3-Ethernet0/0/1]po li a
[SW3-Ethernet0/0/1]po de v 10
[SW3-Ethernet0/0/1]int e0/0/2
[SW3-Ethernet0/0/2]po li t
[SW3-Ethernet0/0/2]po t all vlan 2000 1000
[SW3-Ethernet0/0/2]po t pv vlan 2000
[SW3-Ethernet0/0/2]int e0/0/3
[SW3-Ethernet0/0/3]po li t
[SW3-Ethernet0/0/3]po t all vlan 10 1000 2000
[SW3-Ethernet0/0/3]int e0/0/4
[SW3-Ethernet0/0/4]po li t
[SW3-Ethernet0/0/4]po t all vlan 10 1000 2000
[SW3-Ethernet0/0/4]q
SW4 configuration
[Huawei]sy SW4
[SW4]vlan b 20 30 1000 2000
[SW4]int e0/0/1
[SW4-Ethernet0/0/1]po li a
[SW4-Ethernet0/0/1]po de v 20
[SW4-Ethernet0/0/1]int e0/0/2
[SW4-Ethernet0/0/2]po li a
[SW4-Ethernet0/0/2]po de v 30
[SW4-Ethernet0/0/2]int e0/0/3
[SW4-Ethernet0/0/3]po li t
[SW4-Ethernet0/0/3]po t all vlan 1000 2000
[SW4-Ethernet0/0/3]po t pv vlan 2000
[SW4-Ethernet0/0/3]int e0/0/4
[SW4-Ethernet0/0/4]po li t
[SW4-Ethernet0/0/4]po tr all vlan 20 30 1000 2000
[SW4-Ethernet0/0/4]int e0/0/5
[SW4-Ethernet0/0/5]po li t
[SW4-Ethernet0/0/5]po tr all vlan 20 30 1000 2000
[SW4-Ethernet0/0/5]q
SW5 configuration
[Huawei]sy SW5
[SW5]vlan b 40 50 1000 2000
[SW5]int e0/0/1
[SW5-Ethernet0/0/1]po li a
[SW5-Ethernet0/0/1]po de v 40
[SW5-Ethernet0/0/1]int e0/0/2
[SW5-Ethernet0/0/2]po li a
[SW5-Ethernet0/0/2]po de v 50
[SW5-Ethernet0/0/2]int e0/0/3
[SW5-Ethernet0/0/3]po li t
[SW5-Ethernet0/0/3]po t all vlan 1000 2000
[SW5-Ethernet0/0/3]po t pv vlan 2000
[SW5-Ethernet0/0/3]int e0/0/4
[SW5-Ethernet0/0/4]po li t
[SW5-Ethernet0/0/4]po t all vlan 40 50 1000 2000
[SW5-Ethernet0/0/4]int e0/0/5
[SW5-Ethernet0/0/5]po li t
[SW5-Ethernet0/0/5]po t all vlan 40 50 1000 2000
[SW5-Ethernet0/0/5]q
Firewall security zone division, interface zone membership and IP configuration
[USG6000V1]sy FW1
[FW1]fire zone trust
[FW1-zone-trust]add int g1/0/0
[FW1-zone-trust]fire zone untrust
[FW1-zone-untrust]add int g1/0/2
[FW1-zone-untrust]fire zone dmz
[FW1-zone-dmz]add int g1/0/1
[FW1-zone-dmz]q
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 172.16.50.254 24
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 202.96.137.88 24
[FW1-GigabitEthernet1/0/2]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 172.16.172.2 24
[FW1-GigabitEthernet1/0/0]q
Carrier (ISP) router interface IP configuration
[Huawei]sy ISP
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip add 202.96.137.1 24
[ISP-GigabitEthernet0/0/0]int g0/0/1
[ISP-GigabitEthernet0/0/1]ip add 100.100.100.1 24
[ISP-GigabitEthernet0/0/1]q
- VRRP + MSTP configuration
Configure VRRP groups: SW1 is the master gateway for VLANs 10, 20, 1000 and 2000 and the backup gateway for VLANs 30, 40 and 50; SW2 is the master gateway for VLANs 30, 40 and 50 and the backup for VLANs 10, 20, 1000 and 2000. MSTP mirrors VRRP: SW1 is the primary root bridge for VLANs 10, 20, 1000 and 2000 and the secondary root for VLANs 30, 40 and 50; SW2 is the primary root for VLANs 30, 40 and 50 and the secondary root for VLANs 10, 20, 1000 and 2000. Keeping the VRRP master and the MSTP root on the same switch for each VLAN keeps the Layer 2 forwarding path and the Layer 3 gateway on the same device, so traffic does not have to cross the inter-switch link to reach its gateway.
SW1 configuration
[SW1]int vlan 10
[SW1-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW1-Vlanif10]vrrp vr 10 pri 110
[SW1-Vlanif10]int vlan 20
[SW1-Vlanif20]vrrp vr 20 vi 192.168.20.254
[SW1-Vlanif20]vrrp vr 20 pri 110
[SW1-Vlanif20]int vlan 1000
[SW1-Vlanif1000]vrrp vr 100 vi 192.168.100.254
[SW1-Vlanif1000]vrrp vr 100 pri 110
[SW1-Vlanif1000]int vlan 2000
[SW1-Vlanif2000]vrrp vr 200 vi 172.16.100.254
[SW1-Vlanif2000]vrrp vr 200 pri 110
[SW1-Vlanif2000]int vlan 30
[SW1-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW1-Vlanif30]int vlan 40
[SW1-Vlanif40]vrrp vr 40 vi 192.168.40.254
[SW1-Vlanif40]int vlan 50
[SW1-Vlanif50]vrrp vr 50 vi 192.168.50.254
[SW1-Vlanif50]q
[SW1]stp region-configuration
[SW1-mst-region]region-name huawei
[SW1-mst-region]instance 1 vlan 10 20 1000 2000
[SW1-mst-region]instance 2 vlan 30 40 50
[SW1-mst-region]active region-configuration
[SW1-mst-region]q
[SW1]stp instance 1 root primary
[SW1]stp instance 2 root secondary
SW2 configuration
[SW2]int vlan 10
[SW2-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW2-Vlanif10]int vlan 20
[SW2-Vlanif20]vrrp vr 20 vi 192.168.20.254
[SW2-Vlanif20]int vlan 1000
[SW2-Vlanif1000]vrrp vr 100 vi 192.168.100.254
[SW2-Vlanif1000]int vlan 2000
[SW2-Vlanif2000]vrrp vr 200 vi 172.16.100.254
[SW2-Vlanif2000]int vlan 30
[SW2-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW2-Vlanif30]vrrp vr 30 pri 110
[SW2-Vlanif30]int vlan 40
[SW2-Vlanif40]vrrp vr 40 vi 192.168.40.254
[SW2-Vlanif40]vrrp vr 40 pri 110
[SW2-Vlanif40]int vlan 50
[SW2-Vlanif50]vrrp vr 50 vi 192.168.50.254
[SW2-Vlanif50]vrrp vr 50 pri 110
[SW2-Vlanif50]q
[SW2]stp region-configuration
[SW2-mst-region] region-name huawei
[SW2-mst-region] instance 1 vlan 10 20 1000 2000
[SW2-mst-region] instance 2 vlan 30 40 50
[SW2-mst-region] active region-configuration
[SW2-mst-region]q
[SW2]stp instance 1 root secondary
[SW2]stp instance 2 root primary
SW3 configuration
[SW3]stp region-configuration
[SW3-mst-region] region-name huawei
[SW3-mst-region] instance 1 vlan 10 20 1000 2000
[SW3-mst-region] instance 2 vlan 30 40 50
[SW3-mst-region] active region-configuration
SW4 configuration
[SW4]stp region-configuration
[SW4-mst-region] region-name huawei
[SW4-mst-region] instance 1 vlan 10 20 1000 2000
[SW4-mst-region] instance 2 vlan 30 40 50
[SW4-mst-region] active region-configuration
SW5 configuration
[SW5]stp region-configuration
[SW5-mst-region] region-name huawei
[SW5-mst-region] instance 1 vlan 10 20 1000 2000
[SW5-mst-region] instance 2 vlan 30 40 50
[SW5-mst-region] active region-configuration
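As an added check that is not part of the original article, the following Python script parses the SW1/SW2 VRRP and MSTP lines above and reports every VLAN whose VRRP master and MSTP root bridge are not the same switch. The CLI text in `SW1`/`SW2` is a constructed, abridged copy of this design's configuration; the `tie` case shows what happens when a `pri 110` line is left out.

```python
import re

def parse_switch(cli):
    """Parse pasted VRP CLI (prompts included) into: VRRP priority per VLAN,
    MSTP instance per VLAN, and root role per MSTP instance."""
    prio, inst, role = {}, {}, {}
    for line in cli.strip().splitlines():
        m = re.match(r"\[([^\]]+)\]\s*(.*)", line.strip())
        if not m:
            continue
        prompt, cmd = m.groups()
        v = re.search(r"Vlanif(\d+)$", prompt)
        if v and cmd.startswith("vrrp vr"):
            vlan = int(v.group(1))
            prio.setdefault(vlan, 100)  # VRRP default priority when none is set
            pm = re.match(r"vrrp vr \d+ pri\S* (\d+)", cmd)
            if pm:
                prio[vlan] = int(pm.group(1))
        im = re.match(r"instance (\d+) vlan (.+)", cmd)
        if im:
            for vl in im.group(2).split():
                inst[int(vl)] = int(im.group(1))
        rm = re.match(r"stp instance (\d+) root (primary|secondary)", cmd)
        if rm:
            role[int(rm.group(1))] = rm.group(2)
    return prio, inst, role

def check_alignment(sw1_cli, sw2_cli):
    """Return {vlan: (vrrp_master, mstp_root)} for every VLAN whose VRRP master
    and MSTP root bridge are not the same switch (priority ties are reported too)."""
    p1, i1, r1 = parse_switch(sw1_cli)
    p2, i2, r2 = parse_switch(sw2_cli)
    bad = {}
    for vlan in sorted(set(p1) | set(p2)):
        a, b = p1.get(vlan, 100), p2.get(vlan, 100)
        master = "SW1" if a > b else "SW2" if b > a else "tie"
        root = ("SW1" if r1.get(i1.get(vlan)) == "primary"
                else "SW2" if r2.get(i2.get(vlan)) == "primary" else "none")
        if master != root:
            bad[vlan] = (master, root)
    return bad

# Constructed sample: the SW1/SW2 VRRP and MSTP lines of this design, abridged.
SW1 = """[SW1-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW1-Vlanif10]vrrp vr 10 pri 110
[SW1-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW1-mst-region]instance 1 vlan 10 20 1000 2000
[SW1-mst-region]instance 2 vlan 30 40 50
[SW1]stp instance 1 root primary
[SW1]stp instance 2 root secondary"""
SW2 = """[SW2-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW2-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW2-Vlanif30]vrrp vr 30 pri 110
[SW2-mst-region]instance 1 vlan 10 20 1000 2000
[SW2-mst-region]instance 2 vlan 30 40 50
[SW2]stp instance 1 root secondary
[SW2]stp instance 2 root primary"""
```

`check_alignment(SW1, SW2)` returns an empty dict for the configuration above; dropping the VLAN 10 priority line on SW1 makes both switches priority 100 and the VLAN is reported as a tie.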
- Link aggregation configuration
Link aggregation is configured between the aggregation switches. First, it raises bandwidth: bundling two links multiplies the available bandwidth. Second, it improves link resilience: if one link fails, forwarding continues without disruption. Third, if an aggregation switch's uplink fails, traffic is forwarded over the aggregated link between the two aggregation switches, adding redundancy.
SW1 configuration
[SW1]int eth1
[SW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 0/0/5
[SW1-Eth-Trunk1]po li t
[SW1-Eth-Trunk1]po t all vlan 10 20 30 40 50 1000 2000
[SW1-Eth-Trunk1]q
SW2 configuration
[SW2]int eth1
[SW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 0/0/5
[SW2-Eth-Trunk1]po li t
[SW2-Eth-Trunk1]po t all vlan 10 20 30 40 50 1000 2000
[SW2-Eth-Trunk1]q
- Routing configuration
The border device is configured with a default route pointing to the carrier; the intranet runs OSPF dynamic routing for full connectivity.
FW1 configuration
[FW1]ip route-s 0.0.0.0 0 202.96.137.1
[FW1]ospf 1 router-id 1.1.1.1
[FW1-ospf-1]a 0
[FW1-ospf-1-area-0.0.0.0]net 172.16.172.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]q
[FW1-ospf-1]default-route-advertise always
[FW1-ospf-1]q
Core-SW1 configuration
[Core-SW1]ospf 1 router-id 2.2.2.2
[Core-SW1-ospf-1]a 0
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.172.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.70.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.80.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.10.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.20.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]q
[Core-SW1-ospf-1]q
SW1 configuration
[SW1]ospf 1 router-id 3.3.3.3
[SW1-ospf-1]a 0
[SW1-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.100.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 172.16.100.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 172.16.70.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]q
[SW1-ospf-1]q
SW2 configuration
[SW2]ospf 1 router-id 4.4.4.4
[SW2-ospf-1]a 0
[SW2-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.100.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 172.16.100.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 172.16.80.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]q
[SW2-ospf-1]q
- DHCP configuration
To let internal terminal hosts obtain addresses via DHCP and reach the Internet, a DHCP server is needed; here the DHCP server sits in the VLAN 100 subnet and is configured as follows.
DHCP server configuration
[Huawei]sy DHCP
[DHCP]dhcp enable
[DHCP]int g0/0/0
[DHCP-GigabitEthernet0/0/0]ip add 172.16.10.100 24
[DHCP-GigabitEthernet0/0/0]q
[DHCP]ip route-s 0.0.0.0 0 172.16.10.254
[DHCP]ip pool vlan10
[DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
[DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[DHCP-ip-pool-vlan10]dns-list 172.16.50.30
[DHCP-ip-pool-vlan10]excluded-ip-address 192.168.10.1 192.168.10.2
[DHCP-ip-pool-vlan10]ip pool vlan20
[DHCP-ip-pool-vlan20] gateway-list 192.168.20.254
[DHCP-ip-pool-vlan20] network 192.168.20.0 mask 255.255.255.0
[DHCP-ip-pool-vlan20] excluded-ip-address 192.168.20.1 192.168.20.2
[DHCP-ip-pool-vlan20] dns-list 172.16.50.30
[DHCP-ip-pool-vlan20]ip pool vlan30
[DHCP-ip-pool-vlan30] gateway-list 192.168.30.254
[DHCP-ip-pool-vlan30] network 192.168.30.0 mask 255.255.255.0
[DHCP-ip-pool-vlan30] excluded-ip-address 192.168.30.1 192.168.30.2
[DHCP-ip-pool-vlan30] dns-list 172.16.50.30
[DHCP-ip-pool-vlan30]ip pool vlan40
[DHCP-ip-pool-vlan40] gateway-list 192.168.40.254
[DHCP-ip-pool-vlan40] network 192.168.40.0 mask 255.255.255.0
[DHCP-ip-pool-vlan40] excluded-ip-address 192.168.40.1 192.168.40.2
[DHCP-ip-pool-vlan40] dns-list 172.16.50.30
[DHCP-ip-pool-vlan40]ip pool vlan50
[DHCP-ip-pool-vlan50] gateway-list 192.168.50.254
[DHCP-ip-pool-vlan50] network 192.168.50.0 mask 255.255.255.0
[DHCP-ip-pool-vlan50] excluded-ip-address 192.168.50.1 192.168.50.2
[DHCP-ip-pool-vlan50] dns-list 172.16.50.30
[DHCP-ip-pool-vlan50]ip pool vlan1000
[DHCP-ip-pool-vlan1000] gateway-list 192.168.100.254
[DHCP-ip-pool-vlan1000] network 192.168.100.0 mask 255.255.255.0
[DHCP-ip-pool-vlan1000]excluded-ip-address 192.168.100.1 192.168.100.2
[DHCP-ip-pool-vlan1000] dns-list 172.16.50.30
[DHCP-ip-pool-vlan1000]ip pool vlan2000
[DHCP-ip-pool-vlan2000]gateway-list 172.16.100.254
[DHCP-ip-pool-vlan2000] network 172.16.100.0 mask 255.255.255.0
[DHCP-ip-pool-vlan2000] excluded-ip-address 172.16.100.1 172.16.100.2
[DHCP-ip-pool-vlan2000] dns-list 172.16.50.30
[DHCP-ip-pool-vlan2000] option 43 sub-option 3 ascii 172.16.20.1
[DHCP-ip-pool-vlan2000]q
[DHCP]int g0/0/0
[DHCP-GigabitEthernet0/0/0]dhcp select global
[DHCP-GigabitEthernet0/0/0]q
SW1 configuration
[SW1]dhcp enable
[SW1]int vlan 10
[SW1-Vlanif10] dhcp select relay
[SW1-Vlanif10] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif10]int vlan 20
[SW1-Vlanif20] dhcp select relay
[SW1-Vlanif20] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif20]int vlan 30
[SW1-Vlanif30] dhcp select relay
[SW1-Vlanif30] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif30]int vlan 40
[SW1-Vlanif40] dhcp select relay
[SW1-Vlanif40] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif40]int vlan 50
[SW1-Vlanif50] dhcp select relay
[SW1-Vlanif50] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif50]int vlan 1000
[SW1-Vlanif1000] dhcp select relay
[SW1-Vlanif1000] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif1000]int vlan 2000
[SW1-Vlanif2000] dhcp select relay
[SW1-Vlanif2000] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif2000]q
SW2 configuration
[SW2]dhcp enable
[SW2]int vlan 10
[SW2-Vlanif10]dhcp select relay
[SW2-Vlanif10]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif10]int vlan 20
[SW2-Vlanif20]dhcp select relay
[SW2-Vlanif20]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif20]int vlan 30
[SW2-Vlanif30]dhcp select relay
[SW2-Vlanif30]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif30]int vlan 40
[SW2-Vlanif40]dhcp select relay
[SW2-Vlanif40]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif40]int vlan 50
[SW2-Vlanif50]dhcp select relay
[SW2-Vlanif50]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif50]int vlan 1000
[SW2-Vlanif1000]dhcp select relay
[SW2-Vlanif1000]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif1000]int vlan 2000
[SW2-Vlanif2000]dhcp select relay
[SW2-Vlanif2000]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif2000]q
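An added audit script, not from the original article, that parses `ip pool` blocks in the form shown above and checks each pool's gateway against the VRRP virtual IP of its VLAN and the real Vlanif addresses of SW1/SW2, which must be excluded from the pool. The `SAMPLE` text is constructed from this design with two mistakes inserted on purpose, and the `VIPS`/`SVIS` tables are assumptions taken from the VRRP section.

```python
import ipaddress
import re

def parse_pools(cli):
    """Parse 'ip pool' blocks from pasted VRP CLI. Only commands the device
    accepts are recognised, so a mistyped 'dns' (instead of 'dns-list') leaves
    the pool without DNS, exactly as it would on the real switch."""
    pools, cur = {}, None
    for line in cli.strip().splitlines():
        cmd = re.sub(r"^\[[^\]]*\]\s*", "", line.strip())  # drop the prompt
        if m := re.match(r"ip pool (\S+)", cmd):
            cur = pools.setdefault(m.group(1), {"excluded": []})
        elif cur is None:
            continue
        elif m := re.match(r"network (\S+) mask (\S+)", cmd):
            cur["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"gateway-list (\S+)", cmd):
            cur["gateway"] = m.group(1)
        elif m := re.match(r"excluded-ip-address (\S+)(?: (\S+))?", cmd):
            lo = int(ipaddress.ip_address(m.group(1)))
            hi = int(ipaddress.ip_address(m.group(2) or m.group(1)))
            cur["excluded"] += [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        elif m := re.match(r"dns-list (\S+)", cmd):
            cur["dns"] = m.group(1)
    return pools

def audit(pools, vips, svis):
    """vips: pool name -> VRRP virtual IP of that VLAN; svis: pool name -> the
    real Vlanif addresses of SW1/SW2. Returns a list of findings (empty = clean)."""
    findings = []
    for name, p in pools.items():
        if "network" not in p or "gateway" not in p:
            findings.append(f"{name}: pool lacks network or gateway")
            continue
        if ipaddress.ip_address(p["gateway"]) not in p["network"]:
            findings.append(f"{name}: gateway {p['gateway']} is outside {p['network']}")
        if p["gateway"] != vips.get(name):
            findings.append(f"{name}: gateway {p['gateway']} is not the VRRP VIP {vips.get(name)}")
        for ip in svis.get(name, []):
            if ip not in p["excluded"]:
                findings.append(f"{name}: real SVI address {ip} is not excluded")
        if "dns" not in p:
            findings.append(f"{name}: no dns-list")
    return findings

# Constructed sample based on the pools above, with two mistakes inserted on
# purpose: a bare 'dns' in vlan10, and vlan20 using SW1's real SVI as gateway.
SAMPLE = """[DHCP]ip pool vlan10
[DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
[DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[DHCP-ip-pool-vlan10]dns 172.16.50.30
[DHCP-ip-pool-vlan10]excluded-ip-address 192.168.10.1 192.168.10.2
[DHCP-ip-pool-vlan10]ip pool vlan20
[DHCP-ip-pool-vlan20] gateway-list 192.168.20.1
[DHCP-ip-pool-vlan20] network 192.168.20.0 mask 255.255.255.0
[DHCP-ip-pool-vlan20] dns-list 172.16.50.30"""
VIPS = {"vlan10": "192.168.10.254", "vlan20": "192.168.20.254"}
SVIS = {"vlan10": ["192.168.10.1", "192.168.10.2"], "vlan20": ["192.168.20.1", "192.168.20.2"]}
```

A pool whose gateway is a real SVI instead of the VRRP VIP keeps working until that switch fails, which is exactly when the failover is needed; the audit flags it before then.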
- Wireless configuration
The wireless network uses the AC + AP model, with the AC attached off the core-layer switch. VLAN 200 is the AC's management VLAN, VLAN 2000 is the APs' service subnet, and VLAN 1000 is the service subnet for wireless client terminals.
AC configuration
[AC6005]sy AC
[AC]vlan b 200
[AC]int g0/0/1
[AC-GigabitEthernet0/0/1]po li a
[AC-GigabitEthernet0/0/1]po de v 200
[AC-GigabitEthernet0/0/1]q
[AC]wlan
[AC-wlan-view]regulatory-domain-profile name wlan
[AC-wlan-regulate-domain-wlan]country-code CN
[AC-wlan-regulate-domain-wlan]q
[AC-wlan-view]ap-group name ap
[AC-wlan-ap-group-ap]regulatory-domain-profile wlan
[AC-wlan-ap-group-ap]q
[AC]int vlan 200
[AC-Vlanif200]ip add 172.16.20.1 24
[AC-Vlanif200]q
[AC]capwap source interface Vlanif 200
[AC]wlan
[AC-wlan-view]ap auth-mode mac-auth
[AC-wlan-view]ap-id 1 ap-mac 00e0-fcd7-3f50
[AC-wlan-ap-1]ap-group ap
[AC-wlan-ap-1]ap-name ap1
[AC-wlan-ap-1]q
[AC-wlan-view]ap-id 2 ap-mac 00e0-fc26-6370
[AC-wlan-ap-2]ap-group ap
[AC-wlan-ap-2]ap-name ap2
[AC-wlan-ap-2]q
[AC-wlan-view]ap-id 3 ap-mac 00e0-fc6d-5330
[AC-wlan-ap-3]ap-group ap
[AC-wlan-ap-3]ap-name ap3
[AC-wlan-ap-3]q
[AC-wlan-view]security-profile name security
[AC-wlan-sec-prof-security]security wpa2 psk pass-phrase huawei@123 aes
[AC-wlan-sec-prof-security]q
[AC-wlan-view]ssid-profile name ssid
[AC-wlan-ssid-prof-ssid]ssid wifi
[AC-wlan-ssid-prof-ssid]q
[AC-wlan-view]vap-profile name vap
[AC-wlan-vap-prof-vap]forward-mode tunnel
[AC-wlan-vap-prof-vap]service-vlan vlan-id 1000
[AC-wlan-vap-prof-vap]security-profile security
[AC-wlan-vap-prof-vap]ssid-profile ssid
[AC-wlan-vap-prof-vap]q
[AC-wlan-view]ap-group name ap
[AC-wlan-ap-group-ap]vap-profile vap wlan 1 radio all
[AC-wlan-ap-group-ap]q
- ACL access control configuration
Marketing, R&D and HR communicate with each other; Marketing cannot reach Administration; Administration, R&D and HR communicate with each other; Finance can only communicate with Administration.
SW1 configuration
[SW1]acl number 3000
[SW1-acl-adv-3000] rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
[SW1-acl-adv-3000] rule 10 permit ip
[SW1-acl-adv-3000]acl number 3001
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.10.0 0.0.0.255
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.20.0 0.0.0.255
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.30.0 0.0.0.255
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.100.0 0.0.0.255
[SW1-acl-adv-3001]rule per ip
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
[SW1-GigabitEthernet0/0/1]q
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]traffic-filter inbound acl 3001
SW2 configuration
[SW2]acl number 3000
[SW2-acl-adv-3000] rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
[SW2-acl-adv-3000] rule 10 permit ip
[SW2-acl-adv-3000]acl number 3001
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.10.0 0.0.0.255
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.20.0 0.0.0.255
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.30.0 0.0.0.255
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.100.0 0.0.0.255
[SW2-acl-adv-3001]rule per ip
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
[SW2-GigabitEthernet0/0/1]q
[SW2]int g0/0/3
[SW2-GigabitEthernet0/0/3]traffic-filter inbound acl 3001
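The reachability the ACLs above are meant to produce can be verified offline. The following Python model, added here and not part of the original article, applies ACL 3000/3001 with VRP wildcard semantics in both directions of a session and compares the result with the stated requirement. The department-to-VLAN mapping (Marketing = VLAN 10, R&D = 20, HR = 30, Finance = 40, Administration = 50) is inferred from the rules and the test section, and the sample host addresses are constructed.

```python
import ipaddress

def _i(ip):
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(ip, base, wildcard):
    """VRP ACL wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    keep = 0xFFFFFFFF ^ _i(wildcard)
    return (_i(ip) & keep) == (_i(base) & keep)

def acl_permits(rules, src, dst):
    """First matching rule wins; a packet matching no rule is forwarded, which is
    how traffic-filter behaves on these switches."""
    for action, s_base, s_wild, d_base, d_wild in rules:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return action == "permit"
    return True

ANY = ("0.0.0.0", "255.255.255.255")
# The two ACLs as configured on SW1 (SW2 is identical): (action, src, src-wild, dst, dst-wild)
ACL_3000 = [("deny", "192.168.10.0", "0.0.0.255", "192.168.50.0", "0.0.0.255"),
            ("permit", *ANY, *ANY)]
ACL_3001 = [("deny", "192.168.40.0", "0.0.0.255", d, "0.0.0.255")
            for d in ("192.168.10.0", "192.168.20.0", "192.168.30.0", "192.168.100.0")]
ACL_3001.append(("permit", *ANY, *ANY))

# Department -> one sample host in its VLAN (Marketing=10, R&D=20, HR=30,
# Finance=40, Administration=50, wireless=1000), and the ACL applied inbound on
# the downlink through which that VLAN enters the aggregation switch.
HOSTS = {"marketing": "192.168.10.10", "rd": "192.168.20.10", "hr": "192.168.30.10",
         "finance": "192.168.40.10", "admin": "192.168.50.10", "wifi": "192.168.100.10"}
INGRESS = {"marketing": ACL_3000, "finance": ACL_3001, "admin": ACL_3001}

def can_talk(a, b, ingress=INGRESS):
    """Two-way check: the request is filtered where A's VLAN enters the switch,
    the reply where B's VLAN enters it; both must pass for a session to work."""
    fwd = acl_permits(ingress.get(a, []), HOSTS[a], HOSTS[b])
    rev = acl_permits(ingress.get(b, []), HOSTS[b], HOSTS[a])
    return fwd and rev

# The requirement stated in the design: these pairs must NOT communicate.
MUST_BLOCK = {("marketing", "admin"), ("finance", "marketing"),
              ("finance", "rd"), ("finance", "hr")}

def violations(ingress=INGRESS):
    """Return (a, b, actual_reachability) for every department pair whose
    reachability differs from the requirement."""
    out, depts = [], [d for d in HOSTS if d != "wifi"]
    for i, a in enumerate(depts):
        for b in depts[i + 1:]:
            expected = not ({(a, b), (b, a)} & MUST_BLOCK)
            if can_talk(a, b, ingress) != expected:
                out.append((a, b, not expected))
    return out

# Same ACL with the wildcard typo "0.0.0.25": most Finance hosts slip past the deny.
TYPO_3001 = [("deny", "192.168.40.0", "0.0.0.255", "192.168.10.0", "0.0.0.25")] + ACL_3001[1:]
TYPO_INGRESS = dict(INGRESS, finance=TYPO_3001, admin=TYPO_3001)
```

With the wildcard `0.0.0.25` the deny only matches destination hosts whose last octet has no bits outside 0b00011001 set, so 192.168.10.10 is not covered and Finance can reach it; the model reports that as a violation.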
- Firewall security policy configuration
Permit Internet-bound traffic from trust to untrust, permit traffic from trust to dmz for access to the servers, and permit traffic from untrust to dmz for the web server.
[FW1]security-policy
[FW1-policy-security]rule name t-u
[FW1-policy-security-rule-t-u]source-zone trust
[FW1-policy-security-rule-t-u]destination-zone untrust
[FW1-policy-security-rule-t-u]ac p
[FW1-policy-security-rule-t-u]q
[FW1-policy-security]rule name t-d
[FW1-policy-security-rule-t-d]source-zone trust
[FW1-policy-security-rule-t-d]destination-zone dmz
[FW1-policy-security-rule-t-d]ac p
[FW1-policy-security-rule-t-d]q
[FW1-policy-security]rule name u-d
[FW1-policy-security-rule-u-d]source-zone untrust
[FW1-policy-security-rule-u-d]destination-zone dmz
[FW1-policy-security-rule-u-d]destination-address 172.16.50.10 32
[FW1-policy-security-rule-u-d]destination-address 172.16.50.20 32
[FW1-policy-security-rule-u-d]service http ftp
[FW1-policy-security-rule-u-d]ac p
[FW1-policy-security-rule-u-d]q
[FW1-policy-security]q
- NAT policy configuration
[FW1]nat-policy
[FW1-policy-nat]rule name t-u-nat
[FW1-policy-nat-rule-t-u-nat]source-zone trust
[FW1-policy-nat-rule-t-u-nat]destination-zone untrust
[FW1-policy-nat-rule-t-u-nat]action source-nat easy-ip
[FW1-policy-nat-rule-t-u-nat]q
[FW1-policy-nat]q
- NAT Server configuration
[FW1]nat server pro tcp global 202.96.137.88 8080 inside 172.16.50.10 www
[FW1]nat server pro tcp global 202.96.137.88 ftp inside 172.16.50.20 ftp
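The following Python model, added here and not from the original article, replays FW1's nat server mappings and security-policy rules for a few constructed flows to show exactly what an Internet host can reach after the two sections above are applied. The external address 203.0.113.5 is constructed, and the zone-by-subnet table is an assumption derived from the interface addresses and OSPF networks above.

```python
import ipaddress

# Which zone an address belongs to on FW1, longest prefix wins (assumed from the
# interfaces above: everything behind g1/0/0 is trust, the 172.16.50.0/24 server
# segment on g1/0/1 is dmz, and anything else is reached via g1/0/2, untrust).
ZONES = [("172.16.50.0/24", "dmz"), ("172.16.0.0/16", "trust"),
         ("192.168.0.0/16", "trust"), ("0.0.0.0/0", "untrust")]
# nat server entries from the page: (proto, global ip, global port, inside ip, inside port)
NAT_SERVER = [("tcp", "202.96.137.88", 8080, "172.16.50.10", 80),
              ("tcp", "202.96.137.88", 21, "172.16.50.20", 21)]
SERVICES = {"http": ("tcp", 80), "ftp": ("tcp", 21)}
# security-policy rules in configured order; all three are 'action permit' and
# None means 'any'. The USG's implicit final rule denies whatever is left.
POLICY = [
    {"name": "t-u", "src": "trust", "dst": "untrust", "dst_ip": None, "svc": None},
    {"name": "t-d", "src": "trust", "dst": "dmz", "dst_ip": None, "svc": None},
    {"name": "u-d", "src": "untrust", "dst": "dmz",
     "dst_ip": {"172.16.50.10", "172.16.50.20"}, "svc": {"http", "ftp"}},
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(n), z) for n, z in ZONES]
    return max((n for n in nets if addr in n[0]), key=lambda n: n[0].prefixlen)[1]

def apply_nat_server(proto, dst_ip, dport):
    """Destination NAT (nat server) is applied before the security policy is matched."""
    for p, g_ip, g_port, i_ip, i_port in NAT_SERVER:
        if (p, g_ip, g_port) == (proto, dst_ip, dport):
            return i_ip, i_port
    return dst_ip, dport

def evaluate(src_ip, dst_ip, proto, dport):
    """Return (rule name or 'default', 'permit'|'deny', post-NAT (ip, port))."""
    real_ip, real_port = apply_nat_server(proto, dst_ip, dport)
    sz, dz = zone_of(src_ip), zone_of(real_ip)
    for r in POLICY:
        if (r["src"], r["dst"]) != (sz, dz):
            continue
        if r["dst_ip"] is not None and real_ip not in r["dst_ip"]:
            continue
        if r["svc"] is not None and (proto, real_port) not in {SERVICES[s] for s in r["svc"]}:
            continue
        return r["name"], "permit", (real_ip, real_port)
    return "default", "deny", (real_ip, real_port)

def exposure(src_ip="203.0.113.5"):
    """Everything an Internet host can reach through FW1, among the probed ports."""
    probes = [("202.96.137.88", 8080), ("202.96.137.88", 21), ("202.96.137.88", 22),
              ("172.16.50.10", 22), ("192.168.10.10", 445)]
    return [(ip, port) for ip, port in probes if evaluate(src_ip, ip, "tcp", port)[1] == "permit"]
```

Only the two published mappings are reachable from untrust; the FTP publish additionally depends on the firewall's FTP ALG/ASPF for the data connection, which this model does not cover.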
4. Network Tests
- DHCP test


- Internet access test

- Wireless login test


- VRRP master/backup election test
SW1 is master for VLAN 10, 20, 100 and 200 and backup for VLAN 30, 40 and 50

SW2 is master for VLAN 30, 40 and 50 and backup for VLAN 10, 20, 100 and 200

- Load sharing test
Marketing, R&D and wireless traffic goes through SW1

HR, Finance and Administration traffic goes through SW2

- Core routing table and OSPF neighbour relationship check


- ACL test
Marketing, R&D and HR communicate with each other

Marketing cannot reach Administration

Administration, R&D and HR communicate with each other

Finance can only communicate with Administration

- Intranet-to-server access test

- External NAT Server test
External client accessing the internal web server

External client accessing the internal FTP server
