eNSP Simple Campus Network Design Report
This design plans a school network using the classic three-tier architecture of access, aggregation and core layers. All access-layer and aggregation-layer switches run MSTP and VRRP for redundancy, protecting the stability of devices and links. OSPF dynamic routing is used to simplify route maintenance, and DHCP assigns addresses dynamically to ease IP address management. A firewall is deployed at the egress to protect the network: SNAT on the firewall lets the campus intranet reach the Internet, and DNAT on the firewall lets external users reach the school's servers.
- Each building is assigned its own VLAN; hosts within a building communicate freely, and communication between buildings is governed by ACL rules.
- Private IP addresses are used internally; each building receives a /24 private subnet for Internet access.
- Building hosts obtain addresses via DHCP, reducing the administrator's manual assignment work and easing management and maintenance.
- OSPF is run for fast convergence. OSPF also adapts to topology changes, learns routes automatically and prevents routing loops, improving topology stability.
- Access-layer and aggregation-layer switches are configured with MSTP and VRRP for device redundancy, link reliability and load sharing, so that when the master device fails, traffic switches quickly to the backup without interrupting forwarding.
- A firewall with security zones controls forwarding between building hosts, servers and external devices, securing the campus network.
- The uplink uses fibre access and the aggregation switches use link aggregation to increase bandwidth: 10 Gbit/s from the carrier, gigabit to each building and 100 Mbit/s to the desktop.
- Full wireless coverage on campus lets internal terminals connect and access the Internet wirelessly.
- ACLs on the aggregation switches implement the access requirements: the office building and the dormitory cannot reach each other, the canteen can only reach the dormitory, and all other buildings are fully interconnected.
- Port security limits each switch port to at most one connected terminal.
- SNAT: translates private addresses to public addresses when intranet users access the Internet; Easy-IP NAT is used here so that campus traffic leaves with the address of the outbound interface.
- DNAT: lets external users reach internal servers. When a user accesses 202.96.137.88:8080 the firewall forwards the traffic to the internal web server; when a user accesses 202.96.137.88:21 the firewall translates the destination to 172.16.50.20:21, the school's FTP server.
The network design principles cover three aspects:
(1) Reliability: services run stably and failures are recovered from quickly.
(2) Practicality and scalability: the design fits actual needs and is easy to extend.
(3) Security: school devices and links must have redundant backups, and content must be protected.
A topology diagram presents the design idea of a network most directly, and the classic topologies each have their own characteristics. We use the standard three-tier architecture of core, aggregation and access layers. No single device may be allowed to take the network down, so every switch must be backed by a hot-standby peer. The school's network topology is shown in the figure below.

A VLAN (Virtual Local Area Network) logically divides one physical LAN into multiple broadcast domains. Hosts within a VLAN communicate directly while hosts in different VLANs cannot, which confines broadcast traffic to a single VLAN. IP addressing is the foundation of any network, so network design starts from IP address and VLAN planning; VLANs are the most effective way to isolate broadcast domains, and subnetting together with VLAN assignment forms the most basic part of a network. Following the requirements, each building is given its own VLAN so that buildings are independent of each other and easier to manage. The VLAN and IP address plan for this design is shown in Table 2-1:
Table 2-1 Address plan

| Building / segment | VLAN | IP subnet |
|---|---|---|
| Office building | 10 | 192.168.10.0/24 |
| Teaching building | 20 | 192.168.20.0/24 |
| Library | 30 | 192.168.30.0/24 |
| Canteen | 40 | 192.168.40.0/24 |
| Dormitory | 50 | 192.168.50.0/24 |
| SW1-Core1 | 70 | 192.168.70.0/24 |
| SW2-Core1 | 80 | 192.168.80.0/24 |
| Management segment | 100 | 172.16.10.0/24 |
| AP management segment | 200 | 172.16.20.0/24 |
| Terminal service segment | 1000 | 192.168.100.0/24 |
| AC management segment | 2000 | 172.16.172.0/24 |
| Core egress segment | 172 | 172.16.100.0/24 |

Note that the configuration sections below use 172.16.70.0/24 and 172.16.80.0/24 for VLAN 70 and 80, 172.16.100.0/24 for VLAN 2000 and 172.16.172.0/24 for VLAN 172; the configuration is the authoritative reference where it differs from this table.
To build a sound topology the devices must be chosen appropriately; we build the topology with the device models available in the simulator. The selection is shown in Table 2-2:
Table 2-2 Device selection

| Device | Model | Quantity |
|---|---|---|
| Layer 2 switch | S3700 | 6 |
| Layer 3 switch | S5700 | 3 |
| Server | Server | 4 |
| Firewall | USG5500 | 1 |
| Router | AR2220 | 2 |
| Wireless controller | AC6005 | 1 |
| Wireless access point | AP2050 | 3 |
| Terminal hosts (computers) | PC, Client | 7, 1 |
Switch VLAN creation, interface assignment and IP address configuration
Core-SW1
[Huawei]sy Core-SW1
[Core-SW1]vlan b 70 80 100 200 172
Info: This operation may take a few seconds. Please wait for a moment...done.
[Core-SW1]int vlan 70
[Core-SW1-Vlanif70]ip add 172.16.70.2 24
[Core-SW1-Vlanif70]int vlan 80
[Core-SW1-Vlanif80]ip add 172.16.80.2 24
[Core-SW1-Vlanif80]int vlan 100
[Core-SW1-Vlanif100]ip add 172.16.10.254 24
[Core-SW1-Vlanif100]int vlan 200
[Core-SW1-Vlanif200]ip add 172.16.20.2 24
[Core-SW1-Vlanif200]int vlan 172
[Core-SW1-Vlanif172]ip add 172.16.172.1 24
[Core-SW1-Vlanif172]q
[Core-SW1]int g0/0/23
[Core-SW1-GigabitEthernet0/0/23]po li a
[Core-SW1-GigabitEthernet0/0/23]po de v 70
[Core-SW1-GigabitEthernet0/0/23]int g0/0/24
[Core-SW1-GigabitEthernet0/0/24]po li a
[Core-SW1-GigabitEthernet0/0/24]po de v 80
[Core-SW1-GigabitEthernet0/0/24]int g0/0/2
[Core-SW1-GigabitEthernet0/0/2]po li a
[Core-SW1-GigabitEthernet0/0/2]po de v 100
[Core-SW1-GigabitEthernet0/0/2]int g0/0/1
[Core-SW1-GigabitEthernet0/0/1]po li a
[Core-SW1-GigabitEthernet0/0/1]po de v 200
[Core-SW1-GigabitEthernet0/0/1]int g0/0/3
[Core-SW1-GigabitEthernet0/0/3]po li a
[Core-SW1-GigabitEthernet0/0/3]po de v 172
[Core-SW1-GigabitEthernet0/0/3]q
SW1
[Huawei]sy SW1
[SW1]vlan b 10 20 30 40 50 70 1000 2000
[SW1]int vlan 10
[SW1-Vlanif10]ip add 192.168.10.1 24
[SW1-Vlanif10]int vlan 20
[SW1-Vlanif20]ip add 192.168.20.1 24
[SW1-Vlanif20]int vlan 30
[SW1-Vlanif30]ip add 192.168.30.1 24
[SW1-Vlanif30]int vlan 40
[SW1-Vlanif40]ip add 192.168.40.1 24
[SW1-Vlanif40]int vlan 50
[SW1-Vlanif50]ip add 192.168.50.1 24
[SW1-Vlanif50]int vlan 1000
[SW1-Vlanif1000]ip add 192.168.100.1 24
[SW1-Vlanif1000]int vlan 2000
[SW1-Vlanif2000]ip add 172.16.100.1 24
[SW1-Vlanif2000]int vlan 70
[SW1-Vlanif70]ip add 172.16.70.1 24
[SW1-Vlanif70]q
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]po li t
[SW1-GigabitEthernet0/0/1]po t all vlan 10 1000 2000
[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]po li t
[SW1-GigabitEthernet0/0/2]po t all vlan 20 30 1000 2000
[SW1-GigabitEthernet0/0/2]int g0/0/3
[SW1-GigabitEthernet0/0/3]po li t
[SW1-GigabitEthernet0/0/3]po t all vlan 40 50 1000 2000
[SW1-GigabitEthernet0/0/3]int g0/0/23
[SW1-GigabitEthernet0/0/23]po li a
[SW1-GigabitEthernet0/0/23]po de v 70
[SW1-GigabitEthernet0/0/23]q
SW2
[Huawei]sy SW2
[SW2]vlan b 10 20 30 40 50 80 1000 2000
[SW2]int vlan 10
[SW2-Vlanif10]ip add 192.168.10.2 24
[SW2-Vlanif10]int vlan 20
[SW2-Vlanif20]ip add 192.168.20.2 24
[SW2-Vlanif20]int vlan 30
[SW2-Vlanif30]ip add 192.168.30.2 24
[SW2-Vlanif30]int vlan 40
[SW2-Vlanif40]ip add 192.168.40.2 24
[SW2-Vlanif40]int vlan 50
[SW2-Vlanif50]ip add 192.168.50.2 24
[SW2-Vlanif50]int vlan 80
[SW2-Vlanif80]ip add 172.16.80.1 24
[SW2-Vlanif80]int vlan 1000
[SW2-Vlanif1000]ip add 192.168.100.2 24
[SW2-Vlanif1000]int vlan 2000
[SW2-Vlanif2000]ip add 172.16.100.2 24
[SW2-Vlanif2000]q
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]po li t
[SW2-GigabitEthernet0/0/1]po t all vlan 10 1000 2000
[SW2-GigabitEthernet0/0/1]int g0/0/2
[SW2-GigabitEthernet0/0/2]po li t
[SW2-GigabitEthernet0/0/2]po t all vlan 20 30 1000 2000
[SW2-GigabitEthernet0/0/2]int g0/0/3
[SW2-GigabitEthernet0/0/3]po li t
[SW2-GigabitEthernet0/0/3]po t all vlan 40 50 1000 2000
[SW2-GigabitEthernet0/0/3]int g0/0/24
[SW2-GigabitEthernet0/0/24]po li a
[SW2-GigabitEthernet0/0/24]po de v 80
[SW2-GigabitEthernet0/0/24]q
SW3
[huawei]sy SW3
[SW3]vlan b 10 1000 2000
[SW3]int e0/0/1
[SW3-Ethernet0/0/1]po li a
[SW3-Ethernet0/0/1]po de v 10
[SW3-Ethernet0/0/1]int e0/0/2
[SW3-Ethernet0/0/2]po li t
[SW3-Ethernet0/0/2]po t all vlan 2000 1000
[SW3-Ethernet0/0/2]po t pv vlan 2000
[SW3-Ethernet0/0/2]int e0/0/3
[SW3-Ethernet0/0/3]po li t
[SW3-Ethernet0/0/3]po t all vlan 10 1000 2000
[SW3-Ethernet0/0/3]int e0/0/4
[SW3-Ethernet0/0/4]po li t
[SW3-Ethernet0/0/4]po t all vlan 10 1000 2000
[SW3-Ethernet0/0/4]q
SW4
[Huawei]sy SW4
[SW4]vlan b 20 30 1000 2000
[SW4]int e0/0/1
[SW4-Ethernet0/0/1]po li a
[SW4-Ethernet0/0/1]po de v 20
[SW4-Ethernet0/0/1]int e0/0/2
[SW4-Ethernet0/0/2]po li a
[SW4-Ethernet0/0/2]po de v 30
[SW4-Ethernet0/0/2]int e0/0/3
[SW4-Ethernet0/0/3]po li t
[SW4-Ethernet0/0/3]po t all vlan 1000 2000
[SW4-Ethernet0/0/3]po t pv vlan 2000
[SW4-Ethernet0/0/3]int e0/0/4
[SW4-Ethernet0/0/4]po li t
[SW4-Ethernet0/0/4]po tr all vlan 20 30 1000 2000
[SW4-Ethernet0/0/4]int e0/0/5
[SW4-Ethernet0/0/5]po li t
[SW4-Ethernet0/0/5]po tr all vlan 20 30 1000 2000
[SW4-Ethernet0/0/5]q
SW5
[Huawei]sy SW5
[SW5]vlan b 40 50 1000 2000
[SW5]int e0/0/1
[SW5-Ethernet0/0/1]po li a
[SW5-Ethernet0/0/1]po de v 40
[SW5-Ethernet0/0/1]int e0/0/2
[SW5-Ethernet0/0/2]po li a
[SW5-Ethernet0/0/2]po de v 50
[SW5-Ethernet0/0/2]int e0/0/3
[SW5-Ethernet0/0/3]po li t
[SW5-Ethernet0/0/3]po t all vlan 1000 2000
[SW5-Ethernet0/0/3]po t pv vlan 2000
[SW5-Ethernet0/0/3]int e0/0/4
[SW5-Ethernet0/0/4]po li t
[SW5-Ethernet0/0/4]po t all vlan 40 50 1000 2000
[SW5-Ethernet0/0/4]int e0/0/5
[SW5-Ethernet0/0/5]po li t
[SW5-Ethernet0/0/5]po t all vlan 40 50 1000 2000
[SW5-Ethernet0/0/5]q
Firewall security zone division, interface zone assignment and IP configuration
[USG6000V1]sy FW1
[FW1]fire zone trust
[FW1-zone-trust]add int g1/0/0
[FW1-zone-trust]fire zone untrust
[FW1-zone-untrust]add int g1/0/2
[FW1-zone-untrust]fire zone dmz
[FW1-zone-dmz]add int g1/0/1
[FW1-zone-dmz]q
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 172.16.50.254 24
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 202.96.137.88 24
[FW1-GigabitEthernet1/0/2]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 172.16.172.2 24
[FW1-GigabitEthernet1/0/0]q
Carrier (ISP) router interface IP configuration
[Huawei]sy ISP
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip add 202.96.137.1 24
[ISP-GigabitEthernet0/0/0]int g0/0/1
[ISP-GigabitEthernet0/0/1]ip add 100.100.100.1 24
[ISP-GigabitEthernet0/0/1]q
Configure VRRP groups: SW1 is the master gateway for VLAN 10, 20, 1000 and 2000 and the backup gateway for VLAN 30, 40 and 50; SW2 is the master gateway for VLAN 30, 40 and 50 and the backup for VLAN 10, 20, 1000 and 2000. MSTP follows the same split as VRRP: SW1 is the primary root bridge for VLAN 10, 20, 1000 and 2000 and the secondary root for VLAN 30, 40 and 50; SW2 is the primary root bridge for VLAN 30, 40 and 50 and the secondary root for VLAN 10, 20, 1000 and 2000.
SW1
[SW1]int vlan 10
[SW1-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW1-Vlanif10]vrrp vr 10 pri 110
[SW1-Vlanif10]int vlan 20
[SW1-Vlanif20]vrrp vr 20 vi 192.168.20.254
[SW1-Vlanif20]vrrp vr 20 pri 110
[SW1-Vlanif20]int vlan 1000
[SW1-Vlanif1000]vrrp vr 100 vi 192.168.100.254
[SW1-Vlanif1000]vrrp vr 100 pri 110
[SW1-Vlanif1000]int vlan 2000
[SW1-Vlanif2000]vrrp vr 200 vi 172.16.100.254
[SW1-Vlanif2000]vrrp vr 200 pri 110
[SW1-Vlanif2000]int vlan 30
[SW1-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW1-Vlanif30]int vlan 40
[SW1-Vlanif40]vrrp vr 40 vi 192.168.40.254
[SW1-Vlanif40]int vlan 50
[SW1-Vlanif50]vrrp vr 50 vi 192.168.50.254
[SW1-Vlanif50]q
[SW1]stp region-configuration
[SW1-mst-region]region-name huawei
[SW1-mst-region]instance 1 vlan 10 20 1000 2000
[SW1-mst-region]instance 2 vlan 30 40 50
[SW1-mst-region]active region-configuration
[SW1-mst-region]q
[SW1]stp instance 1 root primary
[SW1]stp instance 2 root secondary
SW2
[SW2]int vlan 10
[SW2-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW2-Vlanif10]int vlan 20
[SW2-Vlanif20]vrrp vr 20 vi 192.168.20.254
[SW2-Vlanif20]int vlan 1000
[SW2-Vlanif1000]vrrp vr 100 vi 192.168.100.254
[SW2-Vlanif1000]int vlan 2000
[SW2-Vlanif2000]vrrp vr 200 vi 172.16.100.254
[SW2-Vlanif2000]int vlan 30
[SW2-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW2-Vlanif30]vrrp vr 30 pri 110
[SW2-Vlanif30]int vlan 40
[SW2-Vlanif40]vrrp vr 40 vi 192.168.40.254
[SW2-Vlanif40]vrrp vr 40 pri 110
[SW2-Vlanif40]int vlan 50
[SW2-Vlanif50]vrrp vr 50 vi 192.168.50.254
[SW2-Vlanif50]vrrp vr 50 pri 110
[SW2-Vlanif50]q
[SW2]stp region-configuration
[SW2-mst-region] region-name huawei
[SW2-mst-region] instance 1 vlan 10 20 1000 2000
[SW2-mst-region] instance 2 vlan 30 40 50
[SW2-mst-region] active region-configuration
[SW2-mst-region]q
[SW2]stp instance 1 root secondary
[SW2]stp instance 2 root primary
SW3
[SW3]stp region-configuration
[SW3-mst-region] region-name huawei
[SW3-mst-region] instance 1 vlan 10 20 1000 2000
[SW3-mst-region] instance 2 vlan 30 40 50
[SW3-mst-region] active region-configuration
SW4
[SW4]stp region-configuration
[SW4-mst-region] region-name huawei
[SW4-mst-region] instance 1 vlan 10 20 1000 2000
[SW4-mst-region] instance 2 vlan 30 40 50
[SW4-mst-region] active region-configuration
SW5
[SW5]stp region-configuration
[SW5-mst-region] region-name huawei
[SW5-mst-region] instance 1 vlan 10 20 1000 2000
[SW5-mst-region] instance 2 vlan 30 40 50
[SW5-mst-region] active region-configuration
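The VRRP/MSTP pairing described above is easy to break with a single missing priority line, and the mismatch is silent: the VLAN still works, but its traffic detours through the backup switch. The following Python check (added here, not part of the report) parses transcripts in the report's own format and flags every VLAN whose VRRP master is not the root bridge of its MSTP instance; the embedded transcripts are constructed excerpts of the SW1/SW2 sections.

```python
"""VRRP master vs. MSTP root consistency check (added example, not the report's code).
Transcripts are constructed excerpts of the SW1/SW2 sections above; the VLAN is read
from the Vlanif prompt rather than the vrid, since vrid 100 serves VLAN 1000."""
import re
from ipaddress import IPv4Address

SW1 = """
[SW1-Vlanif10]ip add 192.168.10.1 24
[SW1-Vlanif30]ip add 192.168.30.1 24
[SW1-Vlanif1000]ip add 192.168.100.1 24
[SW1-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW1-Vlanif10]vrrp vr 10 pri 110
[SW1-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW1-Vlanif1000]vrrp vr 100 vi 192.168.100.254
[SW1-Vlanif1000]vrrp vr 100 pri 110
[SW1-mst-region]instance 1 vlan 10 20 1000 2000
[SW1-mst-region]instance 2 vlan 30 40 50
[SW1]stp instance 1 root primary
"""
SW2 = """
[SW2-Vlanif10]ip add 192.168.10.2 24
[SW2-Vlanif30]ip add 192.168.30.2 24
[SW2-Vlanif1000]ip add 192.168.100.2 24
[SW2-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW2-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW2-Vlanif30]vrrp vr 30 pri 110
[SW2-Vlanif1000]vrrp vr 100 vi 192.168.100.254
[SW2]stp instance 2 root primary
"""
VRRP = re.compile(r"\[(SW\d)-Vlanif(\d+)\]vrrp vr \d+ (vi|pri) (\S+)")
IPADD = re.compile(r"\[(SW\d)-Vlanif(\d+)\]ip add (\S+)")
INST = re.compile(r"\[SW\d-mst-region\]\s*instance (\d+) vlan ([\d ]+)")
ROOT = re.compile(r"\[(SW\d)\]stp instance (\d+) root primary")

def parse(*transcripts: str) -> dict:
    cfg = {"sw": {}, "instances": {}, "roots": {}}
    for line in "\n".join(transcripts).splitlines():
        if m := VRRP.match(line):
            sw, vlan, key, val = m.groups()
            pri = cfg["sw"].setdefault(sw, {"pri": {}, "ip": {}})["pri"]
            # creating the vrid (the 'vi' line) gives the default priority 100
            pri[int(vlan)] = int(val) if key == "pri" else pri.get(int(vlan), 100)
        elif m := IPADD.match(line):
            sw, vlan, ip = m.groups()
            cfg["sw"].setdefault(sw, {"pri": {}, "ip": {}})["ip"][int(vlan)] = ip
        elif m := INST.match(line):
            cfg["instances"][int(m.group(1))] = [int(v) for v in m.group(2).split()]
        elif m := ROOT.match(line):
            cfg["roots"][int(m.group(2))] = m.group(1)
    return cfg

def vrrp_master(cfg: dict, vlan: int) -> str:
    """Higher priority wins; on a tie the higher Vlanif address becomes master."""
    return max(cfg["sw"], key=lambda sw: (cfg["sw"][sw]["pri"][vlan],
                                         int(IPv4Address(cfg["sw"][sw]["ip"][vlan]))))

def mismatches(cfg: dict) -> dict:
    """{vlan: (vrrp master, mstp root)} for every VRRP-enabled VLAN where they differ."""
    out = {}
    for inst, vlans in cfg["instances"].items():
        for vlan in vlans:
            if all(vlan in cfg["sw"][sw]["pri"] for sw in cfg["sw"]):
                master = vrrp_master(cfg, vlan)
                if master != cfg["roots"][inst]:
                    out[vlan] = (master, cfg["roots"][inst])
    return out
```

With the report's priorities the result is empty; if the `vrrp vr 10 pri 110` line is left off SW1, both switches sit at priority 100 and SW2 wins VLAN 10 on its higher Vlanif address while SW1 remains the instance 1 root, which the check reports as `{10: ("SW2", "SW1")}`.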
Configure link aggregation between the aggregation switches. First, it increases bandwidth: aggregating two links doubles the capacity. Second, it improves link resilience: if one member link fails, forwarding continues without interruption. Third, if an aggregation switch loses its uplink, traffic is forwarded over the aggregated inter-switch link, adding redundancy.
SW1
[SW1]int eth1
[SW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 0/0/5
[SW1-Eth-Trunk1]po li t
[SW1-Eth-Trunk1]po t all vlan 10 20 30 40 50 1000 2000
[SW1-Eth-Trunk1]q
SW2
[SW2]int eth1
[SW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 0/0/5
[SW2-Eth-Trunk1]po li t
[SW2-Eth-Trunk1]po t all vlan 10 20 30 40 50 1000 2000
[SW2-Eth-Trunk1]q
Configure a default route on the border device pointing to the carrier, and run OSPF dynamic routing inside the campus so that all internal networks are reachable.
FW1
[FW1]ip route-s 0.0.0.0 0 202.96.137.1
[FW1]ospf 1 router-id 1.1.1.1
[FW1-ospf-1]a 0
[FW1-ospf-1-area-0.0.0.0]net 172.16.172.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]q
[FW1-ospf-1]default-route-advertise always
[FW1-ospf-1]q
Core-SW1
[Core-SW1]ospf 1 router-id 2.2.2.2
[Core-SW1-ospf-1]a 0
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.172.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.70.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.80.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.10.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.20.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]q
[Core-SW1-ospf-1]q
SW1
[SW1]ospf 1 router-id 3.3.3.3
[SW1-ospf-1]a 0
[SW1-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.100.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 172.16.100.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 172.16.70.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]q
[SW1-ospf-1]q
SW2
[SW2]ospf 1 router-id 4.4.4.4
[SW2-ospf-1]a 0
[SW2-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.100.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 172.16.100.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 172.16.80.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]q
[SW2-ospf-1]q
To give internal terminal hosts DHCP-based Internet access, a DHCP server is needed; here it sits in the VLAN 100 segment and is configured as follows.
DHCP
[Huawei]sy DHCP
[DHCP]int g0/0/0
[DHCP-GigabitEthernet0/0/0]ip add 172.16.10.100 24
[DHCP-GigabitEthernet0/0/0]q
[DHCP]ip route-s 0.0.0.0 0 172.16.10.254
[DHCP]dhcp enable
[DHCP]ip pool vlan10
[DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
[DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[DHCP-ip-pool-vlan10]dns-list 172.16.50.30
[DHCP-ip-pool-vlan10]excluded-ip-address 192.168.10.1 192.168.10.2
[DHCP-ip-pool-vlan10]ip pool vlan20
[DHCP-ip-pool-vlan20] gateway-list 192.168.20.254
[DHCP-ip-pool-vlan20] network 192.168.20.0 mask 255.255.255.0
[DHCP-ip-pool-vlan20] excluded-ip-address 192.168.20.1 192.168.20.2
[DHCP-ip-pool-vlan20] dns-list 172.16.50.30
[DHCP-ip-pool-vlan20]ip pool vlan30
[DHCP-ip-pool-vlan30] gateway-list 192.168.30.254
[DHCP-ip-pool-vlan30] network 192.168.30.0 mask 255.255.255.0
[DHCP-ip-pool-vlan30] excluded-ip-address 192.168.30.1 192.168.30.2
[DHCP-ip-pool-vlan30] dns-list 172.16.50.30
[DHCP-ip-pool-vlan30]ip pool vlan40
[DHCP-ip-pool-vlan40] gateway-list 192.168.40.254
[DHCP-ip-pool-vlan40] network 192.168.40.0 mask 255.255.255.0
[DHCP-ip-pool-vlan40] excluded-ip-address 192.168.40.1 192.168.40.2
[DHCP-ip-pool-vlan40] dns-list 172.16.50.30
[DHCP-ip-pool-vlan40]ip pool vlan50
[DHCP-ip-pool-vlan50] gateway-list 192.168.50.254
[DHCP-ip-pool-vlan50] network 192.168.50.0 mask 255.255.255.0
[DHCP-ip-pool-vlan50] excluded-ip-address 192.168.50.1 192.168.50.2
[DHCP-ip-pool-vlan50] dns-list 172.16.50.30
[DHCP-ip-pool-vlan50]ip pool vlan1000
[DHCP-ip-pool-vlan1000] gateway-list 192.168.100.254
[DHCP-ip-pool-vlan1000] network 192.168.100.0 mask 255.255.255.0
[DHCP-ip-pool-vlan1000]excluded-ip-address 192.168.100.1 192.168.100.2
[DHCP-ip-pool-vlan1000] dns-list 172.16.50.30
[DHCP-ip-pool-vlan1000]ip pool vlan2000
[DHCP-ip-pool-vlan2000]gateway-list 172.16.100.254
[DHCP-ip-pool-vlan2000]network 172.16.100.0 mask 255.255.255.0
[DHCP-ip-pool-vlan2000] excluded-ip-address 172.16.100.1 172.16.100.2
[DHCP-ip-pool-vlan2000] dns-list 172.16.50.30
[DHCP-ip-pool-vlan2000] option 43 sub-option 3 ascii 172.16.20.1
[DHCP-ip-pool-vlan2000]q
[DHCP]int g0/0/0
[DHCP-GigabitEthernet0/0/0]dhcp select global
[DHCP-GigabitEthernet0/0/0]q
SW1
[SW1]dhcp enable
[SW1]int vlan 10
[SW1-Vlanif10] dhcp select relay
[SW1-Vlanif10] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif10]int vlan 20
[SW1-Vlanif20] dhcp select relay
[SW1-Vlanif20] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif20]int vlan 30
[SW1-Vlanif30] dhcp select relay
[SW1-Vlanif30] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif30]int vlan 40
[SW1-Vlanif40] dhcp select relay
[SW1-Vlanif40] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif40]int vlan 50
[SW1-Vlanif50] dhcp select relay
[SW1-Vlanif50] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif50]int vlan 1000
[SW1-Vlanif1000] dhcp select relay
[SW1-Vlanif1000] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif1000]int vlan 2000
[SW1-Vlanif2000] dhcp select relay
[SW1-Vlanif2000] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif2000]q
SW2
[SW2]dhcp enable
[SW2]int vlan 10
[SW2-Vlanif10]dhcp select relay
[SW2-Vlanif10]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif10]int vlan 20
[SW2-Vlanif20]dhcp select relay
[SW2-Vlanif20]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif20]int vlan 30
[SW2-Vlanif30]dhcp select relay
[SW2-Vlanif30]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif30]int vlan 40
[SW2-Vlanif40]dhcp select relay
[SW2-Vlanif40]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif40]int vlan 50
[SW2-Vlanif50]dhcp select relay
[SW2-Vlanif50]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif50]int vlan 1000
[SW2-Vlanif1000]dhcp select relay
[SW2-Vlanif1000]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif1000]int vlan 2000
[SW2-Vlanif2000]dhcp select relay
[SW2-Vlanif2000]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif2000]q
Wireless uses the AC+AP model with the AC attached off-path to the core switch; VLAN 200 is the AC's management VLAN, VLAN 2000 is the service segment for the APs, and VLAN 1000 is the service segment for wireless terminals.
AC
[AC6005]sy AC
[AC]vlan b 200
[AC]int g0/0/1
[AC-GigabitEthernet0/0/1]po li a
[AC-GigabitEthernet0/0/1]po de v 200
[AC-GigabitEthernet0/0/1]q
[AC]wlan
[AC-wlan-view]regulatory-domain-profile name wlan
[AC-wlan-regulate-domain-wlan]country-code CN
[AC-wlan-regulate-domain-wlan]q
[AC-wlan-view]ap-group name ap
[AC-wlan-ap-group-ap]regulatory-domain-profile wlan
[AC-wlan-ap-group-ap]q
[AC]int vlan 200
[AC-Vlanif200]ip add 172.16.20.1 24
[AC-Vlanif200]q
[AC]capwap source interface Vlanif 200
[AC]wlan
[AC-wlan-view]ap auth-mode mac-auth
[AC-wlan-view]ap-id 1 ap-mac 00e0-fcd7-3f50
[AC-wlan-ap-1]ap-group ap
[AC-wlan-ap-1]ap-name ap1
[AC-wlan-ap-1]q
[AC-wlan-view]ap-id 2 ap-mac 00e0-fc26-6370
[AC-wlan-ap-2]ap-group ap
[AC-wlan-ap-2]ap-name ap2
[AC-wlan-ap-2]q
[AC-wlan-view]ap-id 3 ap-mac 00e0-fc6d-5330
[AC-wlan-ap-3]ap-group ap
[AC-wlan-ap-3]ap-name ap3
[AC-wlan-ap-3]q
[AC-wlan-view]security-profile name security
[AC-wlan-sec-prof-security]security wpa2 psk pass-phrase huawei@123 aes
[AC-wlan-sec-prof-security]q
[AC-wlan-view]ssid-profile name ssid
[AC-wlan-ssid-prof-ssid]ssid wifi
[AC-wlan-ssid-prof-ssid]q
[AC-wlan-view]vap-profile name vap
[AC-wlan-vap-prof-vap]forward-mode tunnel
[AC-wlan-vap-prof-vap]service-vlan vlan-id 1000
[AC-wlan-vap-prof-vap]security-profile security
[AC-wlan-vap-prof-vap]ssid-profile ssid
[AC-wlan-vap-prof-vap]q
[AC-wlan-view]ap-group name ap
[AC-wlan-ap-group-ap]vap-profile vap wlan 1 radio all
[AC-wlan-ap-group-ap]q
Access requirements: the office building, teaching building and library are interconnected; the office building cannot reach the dormitory; the dormitory, teaching building and library are interconnected; the canteen can only reach the dormitory.
SW1
[SW1]acl number 3000
[SW1-acl-adv-3000] rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
[SW1-acl-adv-3000] rule 10 permit ip
[SW1-acl-adv-3000]acl number 3001
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.10.0 0.0.0.255
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.20.0 0.0.0.255
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.30.0 0.0.0.255
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.100.0 0.0.0.255
[SW1-acl-adv-3001]rule per ip
[SW1-acl-adv-3001]q
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
[SW1-GigabitEthernet0/0/1]q
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]traffic-filter inbound acl 3001
[SW1-GigabitEthernet0/0/3]q
SW2
[SW2]acl number 3000
[SW2-acl-adv-3000] rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
[SW2-acl-adv-3000] rule 10 permit ip
[SW2-acl-adv-3000]acl number 3001
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.10.0 0.0.0.255
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.20.0 0.0.0.255
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.30.0 0.0.0.255
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.100.0 0.0.0.255
[SW2-acl-adv-3001]rule per ip
[SW2-acl-adv-3001]q
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
[SW2-GigabitEthernet0/0/1]q
[SW2]int g0/0/3
[SW2-GigabitEthernet0/0/3]traffic-filter inbound acl 3001
[SW2-GigabitEthernet0/0/3]q
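To confirm that ACL 3000 and 3001 really implement the reachability rules stated above, here is a small stateless model of Huawei wildcard matching and traffic-filter evaluation (added example, not the report's own code). Host addresses are constructed, wireless traffic is assumed to reach the aggregation switches without passing a filtered downlink, and the last function shows how a wildcard mistyped as 0.0.0.25 instead of 0.0.0.255 silently narrows a deny rule.

```python
"""Stateless model of the traffic-filter ACLs on SW1/SW2 (added example, not part
of the original report). It checks the stated building-to-building reachability
matrix and shows what a wildcard typo (0.0.0.25 for 0.0.0.255) does to a deny rule.
Host addresses are constructed samples."""
from ipaddress import IPv4Address

def match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(rules, src: str, dst: str) -> bool:
    """First matching rule decides; traffic-filter permits when nothing matches."""
    for action, s_base, s_wc, d_base, d_wc in rules:
        if match(src, s_base, s_wc) and match(dst, d_base, d_wc):
            return action == "permit"
    return True

ANY = ("0.0.0.0", "255.255.255.255")
# acl 3000 is applied inbound on g0/0/1 (office downlink), acl 3001 inbound on
# g0/0/3 (canteen/dormitory downlink), transcribed from the report.
ACL_3000 = [("deny", "192.168.10.0", "0.0.0.255", "192.168.50.0", "0.0.0.255"),
            ("permit", *ANY, *ANY)]
def deny_from_canteen(dst_net: str):
    return ("deny", "192.168.40.0", "0.0.0.255", dst_net, "0.0.0.255")
ACL_3001 = [deny_from_canteen(n) for n in
            ("192.168.10.0", "192.168.20.0", "192.168.30.0", "192.168.100.0")]
ACL_3001.append(("permit", *ANY, *ANY))

# The inbound ACL a flow hits depends on the downlink its source VLAN arrives on.
SUBNETS = {"office": "192.168.10.", "teaching": "192.168.20.", "library": "192.168.30.",
           "canteen": "192.168.40.", "dorm": "192.168.50.", "wifi": "192.168.100."}
INGRESS_ACL = {"office": ACL_3000, "canteen": ACL_3001, "dorm": ACL_3001}

def reachable(a: str, b: str, host: int = 100) -> bool:
    """Bidirectional reachability: the request and the reply must both pass."""
    src, dst = SUBNETS[a] + str(host), SUBNETS[b] + str(host)
    fwd = acl_permits(INGRESS_ACL.get(a, []), src, dst)
    rev = acl_permits(INGRESS_ACL.get(b, []), dst, src)
    return fwd and rev

def typo_leak(host: int = 100) -> tuple:
    """(correct rule permits?, mistyped rule permits?) for canteen -> office host.
    Wildcard 0.0.0.25 leaves only bits 0, 3 and 4 of the last octet free, so only
    office hosts .0 .1 .8 .9 .16 .17 .24 .25 stay denied; every other host leaks."""
    correct = [deny_from_canteen("192.168.10.0"), ("permit", *ANY, *ANY)]
    typo = [("deny", "192.168.40.0", "0.0.0.255", "192.168.10.0", "0.0.0.25"),
            ("permit", *ANY, *ANY)]
    src, dst = "192.168.40.10", f"192.168.10.{host}"
    return acl_permits(correct, src, dst), acl_permits(typo, src, dst)
```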
Permit trust-to-untrust Internet traffic, permit trust-to-DMZ traffic to the servers, and permit untrust-to-DMZ traffic to the published web and FTP servers.
[FW1]security-policy
[FW1-policy-security]rule name t-u
[FW1-policy-security-rule-t-u]source-zone trust
[FW1-policy-security-rule-t-u]destination-zone untrust
[FW1-policy-security-rule-t-u]ac p
[FW1-policy-security-rule-t-u]q
[FW1-policy-security]rule name t-d
[FW1-policy-security-rule-t-d]source-zone trust
[FW1-policy-security-rule-t-d]destination-zone dmz
[FW1-policy-security-rule-t-d]ac p
[FW1-policy-security-rule-t-d]q
[FW1-policy-security]rule name u-d
[FW1-policy-security-rule-u-d]source-zone untrust
[FW1-policy-security-rule-u-d]destination-zone dmz
[FW1-policy-security-rule-u-d]destination-address 172.16.50.10 32
[FW1-policy-security-rule-u-d]destination-address 172.16.50.20 32
[FW1-policy-security-rule-u-d]service http ftp
[FW1-policy-security-rule-u-d]ac p
[FW1-policy-security-rule-u-d]q
[FW1-policy-security]q
Translate addresses for internal hosts accessing the Internet, hiding internal address information at the same time.
[FW1]nat-policy
[FW1-policy-nat]rule name t-u-nat
[FW1-policy-nat-rule-t-u-nat]source-zone trust
[FW1-policy-nat-rule-t-u-nat]destination-zone untrust
[FW1-policy-nat-rule-t-u-nat]action source-nat easy-ip
[FW1-policy-nat-rule-t-u-nat]q
[FW1-policy-nat]q
Publish the campus web server and FTP server externally so that Internet users can reach the school's website.
[FW1]nat server pro tcp global 202.96.137.88 8080 inside 172.16.50.10 www
[FW1]nat server pro tcp global 202.96.137.88 ftp inside 172.16.50.20 ftp
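The order in which the USG applies nat server and the security policy matters for rule u-d: DNAT has already rewritten the destination when the policy is evaluated, which is why the rule names the inside addresses 172.16.50.10 and 172.16.50.20 rather than 202.96.137.88. The following Python model (added example, not the firewall's own logic) replays the report's NAT and policy rules on constructed packets; the destination zone is derived from the routes the report configures, and easy-ip source NAT is left out because it does not change the permit/deny decision.

```python
"""USG forwarding decision for a published server (added example, not the
firewall's code): nat server (DNAT) first, then security policy on the translated
address. Zones follow the interfaces/routes configured in the report; packets are
constructed."""
from ipaddress import ip_address, ip_network

# nat server pro tcp global 202.96.137.88 8080 inside 172.16.50.10 www
# nat server pro tcp global 202.96.137.88 ftp  inside 172.16.50.20 ftp
NAT_SERVER = {("202.96.137.88", 8080): ("172.16.50.10", 80),
              ("202.96.137.88", 21): ("172.16.50.20", 21)}
SERVICES = {"http": {80}, "ftp": {21}}   # predefined services named by rule u-d
# (rule name, source-zone, destination-zone, destination-address set, service set);
# None means the rule does not restrict that field.
POLICY = [("t-u", "trust", "untrust", None, None),
          ("t-d", "trust", "dmz", None, None),
          ("u-d", "untrust", "dmz", {"172.16.50.10", "172.16.50.20"}, {"http", "ftp"})]

def egress_zone(dst: str) -> str:
    """Route lookup selects the outgoing interface and thus the destination zone:
    g1/0/1 (dmz) for the connected DMZ, g1/0/0 (trust) for campus prefixes learned
    via OSPF, g1/0/2 (untrust) for everything else via the default route."""
    a = ip_address(dst)
    if a in ip_network("172.16.50.0/24"):
        return "dmz"
    if a in ip_network("172.16.0.0/16") or a in ip_network("192.168.0.0/16"):
        return "trust"
    return "untrust"

def forward(src_zone: str, dst: str, dport: int) -> tuple:
    """('permit', rule name) or ('deny', None) for a TCP packet entering src_zone."""
    dst, dport = NAT_SERVER.get((dst, dport), (dst, dport))   # DNAT happens first
    dst_zone = egress_zone(dst)
    for name, sz, dz, addrs, svcs in POLICY:
        if (sz, dz) != (src_zone, dst_zone):
            continue
        if addrs is not None and dst not in addrs:
            continue
        if svcs is not None and not any(dport in SERVICES[s] for s in svcs):
            continue
        return "permit", name
    return "deny", None   # the USG default security policy denies unmatched traffic
```

The DNS server at 172.16.50.30 stays unreachable from the Internet even though it shares the DMZ with the published hosts, because rule u-d restricts both the destination addresses and the services.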
Port security is configured on every access switch; SW3 is shown here as the example:
[SW3]port-group group-member e0/0/1 e0/0/5 to e0/0/22
[SW3-port-group]port-security enable #enable port security
[SW3-port-group]port-security max-mac-num 1 #at most one host per port
[SW3-port-group]port-security protect-action shutdown #shut the port down on a violation
[SW3-port-group]port-security aging-time 30 #the port accepts no other device for 30 minutes (the first device's MAC address is bound and not released for 30 minutes)