1.拓扑
2.IP地址规划
| 设备/地址/vlan | 设备/地址 |
| 汇聚交换机/VLAN10 | 192.200.10.0/24 |
| 汇聚交换机/VLAN20 | 192.200.20.0/24 |
| 汇聚交换机/VLAN30 | 192.200.30.0/24 |
| 汇聚交换机/VLAN40 | 192.200.40.0/24 |
| 汇聚交换机/VLAN50 | 192.200.50.0/24 |
| 汇聚交换机/VLAN60 | 192.200.60.0/24 |
| 防火墙/VLAN70/服务器网段 | 192.200.70.0/24 |
| 防火墙/VLAN80/服务器网段 | 192.200.80.0/24 |
3.使用协议说明
VLAN-----------------隔离广播域,优化内网用户上网体验
SVI-------------Vlan间三层通信
DHCP---------------内网主机 自动获取IP地址
OSPF------------------提供内网路由的学习
MSTP--------------------多实例生成树,打破二层环路的同时,实现多vlan的负载均衡
VRRP------------------起到网关冗余作用
NAT--------------------地址转换,提供用户访问互联网
防火墙安全策略----------------------------提供安全策略的访问控制,以及高级的防病毒、入侵检测功能
链路聚合----------------提供链路带宽
4.设备选型
| 序号 | 设备名称 | 品牌 | 规格 | 单位及 | 性能及指标 | 产地 |
| 型号 | 数量 | |||||
| 1 | 接入交换机 | 华为 | CloudEngine S5731-H24P4XC | 30 | S5731-H24P4XC(24个10/100/1000BASE-T以太网端口,4个万兆SFP+,单子卡槽位,PoE+,不含电源) | |
| 2 | 汇聚交换机 | 华为 | CloudEngine S6730-H24X6C | 2 | S6730-H24X6C(24个万兆SFP+,6个40GE QSFP28,可选license升级到6个100GE QSFP28,不含电源 | |
| 3 | 核心路由器 | 华为 | AR2204-24GE | 4 | AR2204-24GE(3GE WAN(1GE Combo),24 GE,1 USB,4 SIC,60W AC Power) | |
| 4 | 防火墙 | 华为 | Secospace USG6310S | 3 | USG6310S-W交流主机(8GE电,1GB内存),WIFI 2.4G+5G |
5.网络配置实施
二层划分vlan、以及接口配置
interface Ethernet0/0/1
port link-type access
port default vlan 10
#文章来源:https://www.toymoban.com/news/detail-846775.html
interface Ethernet0/0/2
port link-type access
port default vlan 10
#
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/1
port link-type access
port default vlan 20
#
interface Ethernet0/0/2
port link-type access
port default vlan 20
#
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/1
port link-type access
port default vlan 30
#
interface Ethernet0/0/2
port link-type access
port default vlan 30
#
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/1
port link-type access
port default vlan 40
#
interface Ethernet0/0/2
port link-type access
port default vlan 40
#
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/1
port link-type access
port default vlan 50
#
interface Ethernet0/0/2
port link-type access
port default vlan 50
#
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/1
port link-type access
port default vlan 60
#
interface Ethernet0/0/2
port link-type access
port default vlan 60
#
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
双汇聚交换机上,进行三层SIV接口配置及路由器物理接口以及VRRP配置
汇聚交换机1:
[Huawei]int vlan 10
[Huawei-Vlanif10]ip add 192.200.10.1 255.255.255.0
[Huawei-Vlanif10]vrrp vrid 10 virtual-ip 192.200.10.254
[Huawei-Vlanif10] vrrp vrid 10 priority 120
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]ip add 192.200.20.1 255.255.255.0
[Huawei-Vlanif20]vrrp vrid 20 virtual-ip 192.200.20.254
[Huawei-Vlanif20] vrrp vrid 20 priority 120
[Huawei-Vlanif20]int vlan 30
[Huawei-Vlanif30]ip add 192.200.30.1 255.255.255.0
[Huawei-Vlanif30]vrrp vrid 30 virtual-ip 192.200.30.254
[Huawei-Vlanif30] vrrp vrid 30 priority 120
[Huawei-Vlanif30]int vlan 40
[Huawei-Vlanif40]ip add 192.200.40.1 255.255.255.0
[Huawei-Vlanif40]vrrp vrid 40 virtual-ip 192.200.40.254
[Huawei-Vlanif40]int vlan 50
[Huawei-Vlanif50]ip add 192.200.50.1 255.255.255.0
[Huawei-Vlanif50]vrrp vrid 50 virtual-ip 192.200.50.254
[Huawei-Vlanif50]int vlan 60
[Huawei-Vlanif60]ip add 192.200.60.1 255.255.255.0
[Huawei-Vlanif60]vrrp vrid 60 virtual-ip 192.200.60.254
汇聚交换机2:
[Huawei]int vlan 10
[Huawei-Vlanif10]ip add 192.200.10.2 255.255.255.0
[Huawei-Vlanif10]vrrp vrid 10 virtual-ip 192.200.10.254
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]ip add 192.200.20.2 255.255.255.0
[Huawei-Vlanif20]vrrp vrid 20 virtual-ip 192.200.20.254
[Huawei-Vlanif20]int vlan 30
[Huawei-Vlanif30]ip add 192.200.30.2 255.255.255.0
[Huawei-Vlanif30]vrrp vrid 30 virtual-ip 192.200.30.254
[Huawei-Vlanif30]int vlan 40
[Huawei-Vlanif40]ip add 192.200.40.2 255.255.255.0
[Huawei-Vlanif40]vrrp vrid 40 virtual-ip 192.200.40.254
[Huawei-Vlanif40] vrrp vrid 40 priority 120
[Huawei-Vlanif40]int vlan 50
[Huawei-Vlanif50]ip add 192.200.50.2 255.255.255.0
[Huawei-Vlanif50]vrrp vrid 50 virtual-ip 192.200.50.254
[Huawei-Vlanif50] vrrp vrid 50 priority 120
[Huawei-Vlanif50]int vlan 60
[Huawei-Vlanif60]ip add 192.200.60.2 255.255.255.0
[Huawei-Vlanif60]vrrp vrid 60 virtual-ip 192.200.60.254
[Huawei-Vlanif60] vrrp vrid 60 priority 120
MSTP配置
stp region
region-name Huawei
instance 1 vlan 10 20 30
instance 2 vlan 40 50 60
active region-configuration
调整MSTP实例优先级
[Huawei]stp instance 1 root primary
[Huawei]stp instance 2 root secondary
链路聚合配置
[Huawei-Eth-Trunk0]trunkport GigabitEthernet 0/0/23 to 0/0/24
[Huawei-Eth-Trunk0]port link-type t
[Huawei-Eth-Trunk0]port trunk allow-pass vlan all
DHCP配置
定义DHCP地址池:
ip pool vlan10
network 192.200.10.0 mask 255.255.255.0
dns-list 114.114.114.114
gateway-list 192.200.10.254
ip pool vlan20
network 192.200.20.0 mask 255.255.255.0
dns-list 114.114.114.114
gateway-list 192.200.20.254
ip pool vlan30
network 192.200.30.0 mask 255.255.255.0
dns-list 114.114.114.114
gateway-list 192.200.30.254
ip pool vlan40
network 192.200.40.0 mask 255.255.255.0
dns-list 114.114.114.114
gateway-list 192.200.40.254
ip pool vlan50
network 192.200.50.0 mask 255.255.255.0
dns-list 114.114.114.114
gateway-list 192.200.50.254
ip pool vlan60
network 192.200.60.0 mask 255.255.255.0
dns-list 114.114.114.114
gateway-list 192.200.60.254
开启DHCP以及接口下调用
[Huawei] dhcp enable
[Huawei] int vlan 10
[Huawei-Vlanif10] dhcp se g
[Huawei-Vlanif10] int vlan 20
[Huawei-Vlanif20] dhcp se g
[Huawei-Vlanif20] int vlan 30
[Huawei-Vlanif30] dhcp se g
[Huawei-Vlanif30] int vlan 40
[Huawei-Vlanif40] dhcp se g
[Huawei-Vlanif40] int vlan 50
[Huawei-Vlanif50] dhcp se g
[Huawei-Vlanif50] int vlan 60
[Huawei-Vlanif60] dhcp se g
路由协议OSPF配置
ospf 1
area 0.0.0.0
network 10.0.0.0 0.0.255.255
area 0.0.0.1
network 192.200.0.0 0.0.255.255
配置OSPF优化,配置静默端口
[Huawei-ospf-1]silent-interface Vlanif 10
[Huawei-ospf-1]silent-interface Vlanif 20
[Huawei-ospf-1]silent-interface Vlanif 30
[Huawei-ospf-1]silent-interface Vlanif 40
[Huawei-ospf-1]silent-interface Vlanif 50
[Huawei-ospf-1]silent-interface Vlanif 60
核心层配置
[Huawei]ospf 1
[Huawei-ospf-1]a 0
[Huawei-ospf-1-area-0.0.0.0]network 10.0.0.0 0.0.255.255
出口防火墙配置安全策略
security-policy
rule name ISP
source-zone trust
destination-zone untrust
action permit
防火墙NAT策略
rule name ISP
source-zone trust
destination-zone untrust
action source-nat easy-ip
防火墙做NAT SERVER 映射
[USG6000V1]nat server protocol tcp global 100.100.100.100 8080 inside 192.2
00.80.10 www
服务器区域防火墙配置
security-policy
rule name server
source-zone trust
destination-zone dmz
action permit
#
6.网络测试
私信获取文章来源地址https://www.toymoban.com/news/detail-846775.html
到了这里,关于基于OSPF的企业内网安全优化的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!
