Abstract
This design builds a company network on a three-tier access / aggregation / core architecture. The aggregation switches run VRRP and, together with the access switches, MSTP, so that a failed device or link is covered by a redundant device or path. OSPF provides dynamic routing and keeps route maintenance simple; DHCP assigns host addresses and eases IP management. A firewall at the Internet edge protects the network: SNAT on the firewall lets the internal network reach the Internet, and DNAT (NAT server) on the firewall publishes the company's servers to the outside.
1. Design approach

- Each department gets its own VLAN. Hosts inside a department communicate freely; communication between departments is governed by ACL rules.
- The internal network uses private addresses; each department is assigned a /24 private subnet and reaches the Internet through NAT.
- Department hosts obtain their addresses via DHCP, which removes manual assignment work from the administrator and simplifies management and maintenance.
- OSPF runs internally for fast convergence. OSPF adapts to topology changes, learns routes automatically and, as a link-state protocol, does not form routing loops, which keeps the topology stable.
- The access and aggregation switches run MSTP, and the aggregation pair additionally runs VRRP. Together they provide device redundancy, reliable links and load sharing: when the master fails, the backup takes over quickly and forwarding is not interrupted.
- A firewall with separate security zones controls forwarding between department hosts, the servers and the Internet, and protects the company network.
- The Internet uplink is fibre, and the aggregation switches use link aggregation to raise bandwidth, giving 10 Gbit/s carrier access, 1 Gbit/s to each department and 100 Mbit/s to the desktop.
- Wireless coverage across the whole company lets internal terminals connect wirelessly and reach the Internet.
- ACLs on the aggregation switches implement the access-control requirements: marketing and administration cannot talk to each other, finance can talk only to administration, and all other departments communicate freely.
- SNAT translates private source addresses to a public address when internal users access the Internet. Easy-IP NAT is used, so outbound traffic takes the address of the firewall's outside interface.
- DNAT lets external users reach internal servers: a request to 202.96.137.88:8080 is forwarded by the firewall to the internal web server (172.16.50.10, port 80, per the NAT server configuration below), and a request to 202.96.137.88:21 has its destination rewritten to 172.16.50.20:21, the company's FTP server.
2. Network topology
A topology diagram is the most direct way to show the design idea of a network, and each of the classic topologies has its own strengths. This design uses the standard three-tier core / aggregation / access architecture. The requirement is that no single device may take the network down, so the switches are deployed as hot-standby redundant pairs; in the lab build below that redundancy exists at the aggregation layer (SW1/SW2), while Core-SW1 and FW1 are single devices. The company topology is shown in the topology figure.

The eNSP project file can be downloaded from the link: ensp典型中小型企業(yè)網(wǎng)搭建(帶無(wú)線(xiàn))
3. Configuration steps

Basic configuration
Create the VLANs on the switches, assign the interfaces to them and configure the IP addresses. The commands are shown as typed, in VRP's abbreviated form: sy = sysname, vlan b = vlan batch, int = interface, ip add = ip address, po li a / po li t = port link-type access / trunk, po de v = port default vlan, po t all vlan (also po tr all vlan) = port trunk allow-pass vlan, po t pv vlan = port trunk pvid vlan, q = quit.
Core-SW1 configuration
[Huawei]sy Core-SW1
[Core-SW1]vlan b 70 80 100 200 172
Info: This operation may take a few seconds. Please wait for a moment...done.
[Core-SW1]int vlan 70
[Core-SW1-Vlanif70]ip add 172.16.70.2 24
[Core-SW1-Vlanif70]int vlan 80
[Core-SW1-Vlanif80]ip add 172.16.80.2 24
[Core-SW1-Vlanif80]int vlan 100
[Core-SW1-Vlanif100]ip add 172.16.10.254 24
[Core-SW1-Vlanif100]int vlan 200
[Core-SW1-Vlanif200]ip add 172.16.20.2 24
[Core-SW1-Vlanif200]int vlan 172
[Core-SW1-Vlanif172]ip add 172.16.172.1 24
[Core-SW1-Vlanif172]q
[Core-SW1]int g0/0/23
[Core-SW1-GigabitEthernet0/0/23]po li a
[Core-SW1-GigabitEthernet0/0/23]po de v 70
[Core-SW1-GigabitEthernet0/0/23]int g0/0/24
[Core-SW1-GigabitEthernet0/0/24]po li a
[Core-SW1-GigabitEthernet0/0/24]po de v 80
[Core-SW1-GigabitEthernet0/0/24]int g0/0/2
[Core-SW1-GigabitEthernet0/0/2]po li a
[Core-SW1-GigabitEthernet0/0/2]po de v 100
[Core-SW1-GigabitEthernet0/0/2]int g0/0/1
[Core-SW1-GigabitEthernet0/0/1]po li a
[Core-SW1-GigabitEthernet0/0/1]po de v 200
[Core-SW1-GigabitEthernet0/0/1]int g0/0/3
[Core-SW1-GigabitEthernet0/0/3]po li a
[Core-SW1-GigabitEthernet0/0/3]po de v 172
[Core-SW1-GigabitEthernet0/0/3]q
SW1 configuration
[Huawei]sy SW1
[SW1]vlan b 10 20 30 40 50 70 1000 2000
[SW1]int vlan 10
[SW1-Vlanif10]ip add 192.168.10.1 24
[SW1-Vlanif10]int vlan 20
[SW1-Vlanif20]ip add 192.168.20.1 24
[SW1-Vlanif20]int vlan 30
[SW1-Vlanif30]ip add 192.168.30.1 24
[SW1-Vlanif30]int vlan 40
[SW1-Vlanif40]ip add 192.168.40.1 24
[SW1-Vlanif40]int vlan 50
[SW1-Vlanif50]ip add 192.168.50.1 24
[SW1-Vlanif50]int vlan 1000
[SW1-Vlanif1000]ip add 192.168.100.1 24
[SW1-Vlanif1000]int vlan 2000
[SW1-Vlanif2000]ip add 172.16.100.1 24
[SW1-Vlanif2000]int vlan 70
[SW1-Vlanif70]ip add 172.16.70.1 24
[SW1-Vlanif70]q
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]po li t
[SW1-GigabitEthernet0/0/1]po t all vlan 10 1000 2000
[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]po li t
[SW1-GigabitEthernet0/0/2]po t all vlan 20 30 1000 2000
[SW1-GigabitEthernet0/0/2]int g0/0/3
[SW1-GigabitEthernet0/0/3]po li t
[SW1-GigabitEthernet0/0/3]po t all vlan 40 50 1000 2000
[SW1-GigabitEthernet0/0/3]int g0/0/23
[SW1-GigabitEthernet0/0/23]po li a
[SW1-GigabitEthernet0/0/23]po de v 70
[SW1-GigabitEthernet0/0/23]q
SW2 configuration
[Huawei]sy SW2
[SW2]vlan b 10 20 30 40 50 80 1000 2000
[SW2]int vlan 10
[SW2-Vlanif10]ip add 192.168.10.2 24
[SW2-Vlanif10]int vlan 20
[SW2-Vlanif20]ip add 192.168.20.2 24
[SW2-Vlanif20]int vlan 30
[SW2-Vlanif30]ip add 192.168.30.2 24
[SW2-Vlanif30]int vlan 40
[SW2-Vlanif40]ip add 192.168.40.2 24
[SW2-Vlanif40]int vlan 50
[SW2-Vlanif50]ip add 192.168.50.2 24
[SW2-Vlanif50]int vlan 80
[SW2-Vlanif80]ip add 172.16.80.1 24
[SW2-Vlanif80]int vlan 1000
[SW2-Vlanif1000]ip add 192.168.100.2 24
[SW2-Vlanif1000]int vlan 2000
[SW2-Vlanif2000]ip add 172.16.100.2 24
[SW2-Vlanif2000]q
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]po li t
[SW2-GigabitEthernet0/0/1]po t all vlan 10 1000 2000
[SW2-GigabitEthernet0/0/1]int g0/0/2
[SW2-GigabitEthernet0/0/2]po li t
[SW2-GigabitEthernet0/0/2]po t all vlan 20 30 1000 2000
[SW2-GigabitEthernet0/0/2]int g0/0/3
[SW2-GigabitEthernet0/0/3]po li t
[SW2-GigabitEthernet0/0/3]po t all vlan 40 50 1000 2000
[SW2-GigabitEthernet0/0/3]int g0/0/24
[SW2-GigabitEthernet0/0/24]po li a
[SW2-GigabitEthernet0/0/24]po de v 80
[SW2-GigabitEthernet0/0/24]q
SW3 configuration
[Huawei]sy SW3
[SW3]vlan b 10 1000 2000
[SW3]int e0/0/1
[SW3-Ethernet0/0/1]po li a
[SW3-Ethernet0/0/1]po de v 10
[SW3-Ethernet0/0/1]int e0/0/2
[SW3-Ethernet0/0/2]po li t
[SW3-Ethernet0/0/2]po t all vlan 2000 1000
[SW3-Ethernet0/0/2]po t pv vlan 2000
[SW3-Ethernet0/0/2]int e0/0/3
[SW3-Ethernet0/0/3]po li t
[SW3-Ethernet0/0/3]po t all vlan 10 1000 2000
[SW3-Ethernet0/0/3]int e0/0/4
[SW3-Ethernet0/0/4]po li t
[SW3-Ethernet0/0/4]po t all vlan 10 1000 2000
[SW3-Ethernet0/0/4]q
SW4 configuration
[Huawei]sy SW4
[SW4]vlan b 20 30 1000 2000
[SW4]int e0/0/1
[SW4-Ethernet0/0/1]po li a
[SW4-Ethernet0/0/1]po de v 20
[SW4-Ethernet0/0/1]int e0/0/2
[SW4-Ethernet0/0/2]po li a
[SW4-Ethernet0/0/2]po de v 30
[SW4-Ethernet0/0/2]int e0/0/3
[SW4-Ethernet0/0/3]po li t
[SW4-Ethernet0/0/3]po t all vlan 1000 2000
[SW4-Ethernet0/0/3]po t pv vlan 2000
[SW4-Ethernet0/0/3]int e0/0/4
[SW4-Ethernet0/0/4]po li t
[SW4-Ethernet0/0/4]po tr all vlan 20 30 1000 2000
[SW4-Ethernet0/0/4]int e0/0/5
[SW4-Ethernet0/0/5]po li t
[SW4-Ethernet0/0/5]po tr all vlan 20 30 1000 2000
[SW4-Ethernet0/0/5]q
SW5 configuration
[Huawei]sy SW5
[SW5]vlan b 40 50 1000 2000
[SW5]int e0/0/1
[SW5-Ethernet0/0/1]po li a
[SW5-Ethernet0/0/1]po de v 40
[SW5-Ethernet0/0/1]int e0/0/2
[SW5-Ethernet0/0/2]po li a
[SW5-Ethernet0/0/2]po de v 50
[SW5-Ethernet0/0/2]int e0/0/3
[SW5-Ethernet0/0/3]po li t
[SW5-Ethernet0/0/3]po t all vlan 1000 2000
[SW5-Ethernet0/0/3]po t pv vlan 2000
[SW5-Ethernet0/0/3]int e0/0/4
[SW5-Ethernet0/0/4]po li t
[SW5-Ethernet0/0/4]po t all vlan 40 50 1000 2000
[SW5-Ethernet0/0/4]int e0/0/5
[SW5-Ethernet0/0/5]po li t
[SW5-Ethernet0/0/5]po t all vlan 40 50 1000 2000
[SW5-Ethernet0/0/5]q
Firewall security zones, interface zone membership and IP addresses. g1/0/0 faces Core-SW1 (trust), g1/0/1 faces the server segment (dmz) and g1/0/2 faces the ISP (untrust).
[USG6000V1]sy FW1
[FW1]fire zone trust
[FW1-zone-trust]add int g1/0/0
[FW1-zone-trust]fire zone untrust
[FW1-zone-untrust]add int g1/0/2
[FW1-zone-untrust]fire zone dmz
[FW1-zone-dmz]add int g1/0/1
[FW1-zone-dmz]q
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 172.16.50.254 24
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 202.96.137.88 24
[FW1-GigabitEthernet1/0/2]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 172.16.172.2 24
[FW1-GigabitEthernet1/0/0]q
ISP router interface addresses
[Huawei]sy ISP
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip add 202.96.137.1 24
[ISP-GigabitEthernet0/0/0]int g0/0/1
[ISP-GigabitEthernet0/0/1]ip add 100.100.100.1 24
[ISP-GigabitEthernet0/0/1]q
VRRP + MSTP configuration
Configure the VRRP groups so that SW1 is the master gateway for VLANs 10, 20, 1000 and 2000 and the backup for VLANs 30, 40 and 50, while SW2 is master for VLANs 30, 40 and 50 and backup for VLANs 10, 20, 1000 and 2000. MSTP mirrors VRRP: SW1 is the primary root bridge of the instance holding VLANs 10, 20, 1000 and 2000 and the secondary root for VLANs 30, 40 and 50; SW2 is the primary root for VLANs 30, 40 and 50 and the secondary root for VLANs 10, 20, 1000 and 2000. Keeping the VRRP master and the MSTP root on the same switch matters: the master is elected by priority (default 100; a tie goes to the higher interface address), so every VLAN a switch is meant to own gets priority 110. A VLAN that lacks that line would end up with its gateway on one switch and its spanning-tree root on the other, and its traffic would cross the Eth-Trunk on every packet. VRRP advertisements are not authenticated in this build; on a production network, VRRP authentication (vrrp vrid N authentication-mode ...) together with root protection (stp root-protection) on the aggregation downlinks and BPDU protection on the access switches' edge ports stops a host in a VLAN from claiming the gateway or the root bridge.
SW1 configuration
[SW1]int vlan 10
[SW1-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW1-Vlanif10]vrrp vr 10 pri 110
[SW1-Vlanif10]int vlan 20
[SW1-Vlanif20]vrrp vr 20 vi 192.168.20.254
[SW1-Vlanif20]vrrp vr 20 pri 110
[SW1-Vlanif20]int vlan 1000
[SW1-Vlanif1000]vrrp vr 100 vi 192.168.100.254
[SW1-Vlanif1000]vrrp vr 100 pri 110
[SW1-Vlanif1000]int vlan 2000
[SW1-Vlanif2000]vrrp vr 200 vi 172.16.100.254
[SW1-Vlanif2000]vrrp vr 200 pri 110
[SW1-Vlanif2000]int vlan 30
[SW1-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW1-Vlanif30]int vlan 40
[SW1-Vlanif40]vrrp vr 40 vi 192.168.40.254
[SW1-Vlanif40]int vlan 50
[SW1-Vlanif50]vrrp vr 50 vi 192.168.50.254
[SW1-Vlanif50]q
[SW1]stp region-configuration
[SW1-mst-region]region-name huawei
[SW1-mst-region]instance 1 vlan 10 20 1000 2000
[SW1-mst-region]instance 2 vlan 30 40 50
[SW1-mst-region]active region-configuration
[SW1-mst-region]q
[SW1]stp instance 1 root primary
[SW1]stp instance 2 root secondary
SW2 configuration
[SW2]int vlan 10
[SW2-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW2-Vlanif10]int vlan 20
[SW2-Vlanif20]vrrp vr 20 vi 192.168.20.254
[SW2-Vlanif20]int vlan 1000
[SW2-Vlanif1000]vrrp vr 100 vi 192.168.100.254
[SW2-Vlanif1000]int vlan 2000
[SW2-Vlanif2000]vrrp vr 200 vi 172.16.100.254
[SW2-Vlanif2000]int vlan 30
[SW2-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW2-Vlanif30]vrrp vr 30 pri 110
[SW2-Vlanif30]int vlan 40
[SW2-Vlanif40]vrrp vr 40 vi 192.168.40.254
[SW2-Vlanif40]vrrp vr 40 pri 110
[SW2-Vlanif40]int vlan 50
[SW2-Vlanif50]vrrp vr 50 vi 192.168.50.254
[SW2-Vlanif50]vrrp vr 50 pri 110
[SW2-Vlanif50]q
[SW2]stp region-configuration
[SW2-mst-region] region-name huawei
[SW2-mst-region] instance 1 vlan 10 20 1000 2000
[SW2-mst-region] instance 2 vlan 30 40 50
[SW2-mst-region] active region-configuration
[SW2-mst-region]q
[SW2]stp instance 1 root secondary
[SW2]stp instance 2 root primary
SW3 configuration
[SW3]stp region-configuration
[SW3-mst-region] region-name huawei
[SW3-mst-region] instance 1 vlan 10 20 1000 2000
[SW3-mst-region] instance 2 vlan 30 40 50
[SW3-mst-region] active region-configuration
SW4 configuration
[SW4]stp region-configuration
[SW4-mst-region] region-name huawei
[SW4-mst-region] instance 1 vlan 10 20 1000 2000
[SW4-mst-region] instance 2 vlan 30 40 50
[SW4-mst-region] active region-configuration
SW5 configuration
[SW5]stp region-configuration
[SW5-mst-region] region-name huawei
[SW5-mst-region] instance 1 vlan 10 20 1000 2000
[SW5-mst-region] instance 2 vlan 30 40 50
[SW5-mst-region] active region-configuration
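As an added example (not part of the original post), a small Python check that reads VRP CLI pastes of the two aggregation switches and reports every VLAN whose elected VRRP master is not the primary root of the MSTP instance the VLAN maps to. The sample input is constructed from the SW1/SW2 lines of this build, trimmed to VLANs 10 and 30; in the first variant SW1's VLAN 10 group carries no priority line, so both sides sit at 100, the tie goes to SW2's higher interface address, and VLAN 10 ends up with its gateway on SW2 but its root bridge on SW1. The parser knows only the commands used in the build, in abbreviated or spelled-out form.

```python
"""Cross-check VRRP masters against MSTP instance roots (added example).

Input is VRP CLI text as pasted from the terminal, prompts included.
"""
import re
from ipaddress import IPv4Address

RE_PROMPT = re.compile(r"^\[[^\]]*\]\s*(.*)$")
RE_VLANIF = re.compile(r"^int\w*\s+vlan[a-z]*\s*(\d+)", re.I)      # int vlan 10 / interface Vlanif10
RE_IP = re.compile(r"^ip\s+add\w*\s+(\d+\.\d+\.\d+\.\d+)", re.I)  # ip add 192.168.10.1 24
RE_VRRP = re.compile(r"^vrrp\s+vr\w*\s+\d+\s+(vi[\w-]*|pri\w*)\s+(\S+)", re.I)  # vi <vip> / pri <n>
RE_INST = re.compile(r"^instance\s+(\d+)\s+vlan\s+(.+)$", re.I)   # instance 1 vlan 10 20 1000 2000
RE_ROOT = re.compile(r"^stp\s+instance\s+(\d+)\s+root\s+(primary|secondary)", re.I)


def expand_vlans(spec):
    """'10 20 1000' or '30 to 50' -> list of VLAN ids."""
    out = []
    for tok in spec.lower().replace(" to ", "-").split():
        a, _, b = tok.partition("-")
        out.extend(range(int(a), int(b or a) + 1))
    return out


def parse_switch(text):
    """Return (vrrp, vlan_to_instance, roots) for one switch:
    vrrp {vlan: {"prio", "ip"}}, vlan_to_instance {vlan: inst}, roots {inst: role}."""
    ips, vrrp, vlan_inst, roots, vlan = {}, {}, {}, {}, None
    for raw in text.splitlines():
        m = RE_PROMPT.match(raw.strip())
        if not m:
            continue
        cmd = m.group(1).strip()
        if (m := RE_VLANIF.match(cmd)):
            vlan = int(m.group(1))                          # entering a Vlanif view
        elif (m := RE_IP.match(cmd)) and vlan is not None:
            ips[vlan] = IPv4Address(m.group(1))
        elif (m := RE_VRRP.match(cmd)) and vlan is not None:
            group = vrrp.setdefault(vlan, {"prio": 100})    # VRRP default priority is 100
            if m.group(1).lower().startswith("pri"):
                group["prio"] = int(m.group(2))
        elif (m := RE_INST.match(cmd)):
            for v in expand_vlans(m.group(2)):
                vlan_inst[v] = int(m.group(1))
        elif (m := RE_ROOT.match(cmd)):
            roots[int(m.group(1))] = m.group(2).lower()
    for v, group in vrrp.items():
        group["ip"] = ips.get(v, IPv4Address("0.0.0.0"))
    return vrrp, vlan_inst, roots


def check_alignment(configs):
    """configs: {hostname: cli_text}. Returns [(vlan, vrrp_master, mstp_root)] for
    every VLAN whose elected VRRP master is not the primary root of its instance."""
    parsed = {h: parse_switch(t) for h, t in configs.items()}
    mismatches = []
    for vlan in sorted({v for vrrp, _, _ in parsed.values() for v in vrrp}):
        # Election: highest priority wins, a tie goes to the higher interface address.
        master = max((p[0][vlan]["prio"], p[0][vlan]["ip"], host)
                     for host, p in parsed.items() if vlan in p[0])[2]
        instance = next((p[1][vlan] for p in parsed.values() if vlan in p[1]), None)
        root = next((host for host, p in parsed.items() if p[2].get(instance) == "primary"), None)
        if master != root:
            mismatches.append((vlan, master, root))
    return mismatches


# Constructed sample: the SW1/SW2 lines of this build trimmed to VLANs 10 and 30.
# SW1's VLAN 10 group has no priority line, so both switches sit at the default 100.
SW1 = """\
[SW1]int vlan 10
[SW1-Vlanif10]ip add 192.168.10.1 24
[SW1-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW1-Vlanif10]int vlan 30
[SW1-Vlanif30]ip add 192.168.30.1 24
[SW1-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW1-Vlanif30]q
[SW1-mst-region]instance 1 vlan 10 20 1000 2000
[SW1-mst-region]instance 2 vlan 30 40 50
[SW1]stp instance 1 root primary
[SW1]stp instance 2 root secondary
"""
SW2 = """\
[SW2]int vlan 10
[SW2-Vlanif10]ip add 192.168.10.2 24
[SW2-Vlanif10]vrrp vr 10 vi 192.168.10.254
[SW2-Vlanif10]int vlan 30
[SW2-Vlanif30]ip add 192.168.30.2 24
[SW2-Vlanif30]vrrp vr 30 vi 192.168.30.254
[SW2-Vlanif30]vrrp vr 30 pri 110
[SW2-Vlanif30]q
[SW2-mst-region]instance 1 vlan 10 20 1000 2000
[SW2-mst-region]instance 2 vlan 30 40 50
[SW2]stp instance 1 root secondary
[SW2]stp instance 2 root primary
"""
# Same SW1 with the missing priority line added for VLAN 10.
SW1_FIXED = SW1.replace("vi 192.168.10.254\n", "vi 192.168.10.254\n[SW1-Vlanif10]vrrp vr 10 pri 110\n")

if __name__ == "__main__":
    for vlan, master, root in check_alignment({"SW1": SW1, "SW2": SW2}):
        print(f"VLAN {vlan}: VRRP master {master} but MSTP root {root}")
```

Run against the full configurations of both switches, the check should print nothing; a line for any VLAN means traffic of that VLAN is taking the detour over the Eth-Trunk.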
Link aggregation configuration
An Eth-Trunk is configured between the two aggregation switches. It raises bandwidth (two bundled links double the capacity), it keeps forwarding alive when one member link fails, and when an aggregation switch loses its uplink, traffic is forwarded over the aggregated link to the other aggregation switch, adding a further level of redundancy. The Eth-Trunk below is left in the default manual load-balancing mode; LACP (mode lacp or mode lacp-static under the Eth-Trunk, depending on the VRP version) is preferable where both ends support it, because it detects a miscabled or one-way member link that manual mode would keep using.
SW1 configuration
[SW1]int eth1
[SW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 0/0/5
[SW1-Eth-Trunk1]po li t
[SW1-Eth-Trunk1]po t all vlan 10 20 30 40 50 1000 2000
[SW1-Eth-Trunk1]q
SW2 configuration
[SW2]int eth1
[SW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 0/0/5
[SW2-Eth-Trunk1]po li t
[SW2-Eth-Trunk1]po t all vlan 10 20 30 40 50 1000 2000
[SW2-Eth-Trunk1]q
Routing configuration
The border firewall carries a static default route to the ISP and redistributes it into OSPF; the internal network runs OSPF in area 0 so that all internal segments are reachable. Two points a practitioner should check. First, on the USG the Local zone is subject to the security policy, so if the adjacency with Core-SW1 does not come up, add a rule permitting OSPF between the local and trust zones. Second, the network statements on SW1 and SW2 below also enable OSPF on the user-facing and AP-facing Vlanifs (VLANs 10 to 50, 1000 and 2000), which lets any host in those VLANs form an adjacency and inject routes; silent-interface Vlanif N under ospf 1 on SW1 and SW2 keeps those interfaces passive, and OSPF authentication on the transit links (VLANs 70, 80 and 172) protects the remaining adjacencies.
FW1 configuration
[FW1]ip route-s 0.0.0.0 0 202.96.137.1
[FW1]ospf 1 router-id 1.1.1.1
[FW1-ospf-1]a 0
[FW1-ospf-1-area-0.0.0.0]net 172.16.172.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]q
[FW1-ospf-1]default-route-advertise always
[FW1-ospf-1]q
Core-SW1 configuration
[Core-SW1]ospf 1 router-id 2.2.2.2
[Core-SW1-ospf-1]a 0
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.172.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.70.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.80.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.10.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]net 172.16.20.0 0.0.0.255
[Core-SW1-ospf-1-area-0.0.0.0]q
[Core-SW1-ospf-1]q
SW1 configuration
[SW1]ospf 1 router-id 3.3.3.3
[SW1-ospf-1]a 0
[SW1-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 192.168.100.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 172.16.100.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]net 172.16.70.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]q
[SW1-ospf-1]q
SW2 configuration
[SW2]ospf 1 router-id 4.4.4.4
[SW2-ospf-1]a 0
[SW2-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 192.168.100.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 172.16.100.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]net 172.16.80.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]q
[SW2-ospf-1]q
DHCP configuration
To let the internal hosts obtain their addresses over DHCP, a DHCP server is needed; here it sits in the VLAN 100 segment (172.16.10.0/24) and SW1/SW2 relay the requests to it from every department Vlanif. The relay inserts its own Vlanif address as giaddr, which is how the server picks the matching pool, so the .1 and .2 addresses of the two switches are excluded from every pool (the gateway address itself is never allocated). The VLAN 2000 pool additionally hands out DHCP option 43 with the AC address, which is how the APs discover the AC. Nothing in this build stops a rogue DHCP server on an access port; DHCP snooping on SW3 to SW5, with only the uplinks marked trusted, is the usual complement.
DHCP server configuration
[Huawei]sy DHCP
[DHCP]dhcp enable
[DHCP]int g0/0/0
[DHCP-GigabitEthernet0/0/0]ip add 172.16.10.100 24
[DHCP-GigabitEthernet0/0/0]q
[DHCP]ip route-s 0.0.0.0 0 172.16.10.254
[DHCP]ip pool vlan10
[DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
[DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[DHCP-ip-pool-vlan10]dns-list 172.16.50.30
[DHCP-ip-pool-vlan10]excluded-ip-address 192.168.10.1 192.168.10.2
[DHCP-ip-pool-vlan10]ip pool vlan20
[DHCP-ip-pool-vlan20] gateway-list 192.168.20.254
[DHCP-ip-pool-vlan20] network 192.168.20.0 mask 255.255.255.0
[DHCP-ip-pool-vlan20] excluded-ip-address 192.168.20.1 192.168.20.2
[DHCP-ip-pool-vlan20] dns-list 172.16.50.30
[DHCP-ip-pool-vlan20]ip pool vlan30
[DHCP-ip-pool-vlan30] gateway-list 192.168.30.254
[DHCP-ip-pool-vlan30] network 192.168.30.0 mask 255.255.255.0
[DHCP-ip-pool-vlan30] excluded-ip-address 192.168.30.1 192.168.30.2
[DHCP-ip-pool-vlan30] dns-list 172.16.50.30
[DHCP-ip-pool-vlan30]ip pool vlan40
[DHCP-ip-pool-vlan40] gateway-list 192.168.40.254
[DHCP-ip-pool-vlan40] network 192.168.40.0 mask 255.255.255.0
[DHCP-ip-pool-vlan40] excluded-ip-address 192.168.40.1 192.168.40.2
[DHCP-ip-pool-vlan40] dns-list 172.16.50.30
[DHCP-ip-pool-vlan40]ip pool vlan50
[DHCP-ip-pool-vlan50] gateway-list 192.168.50.254
[DHCP-ip-pool-vlan50] network 192.168.50.0 mask 255.255.255.0
[DHCP-ip-pool-vlan50] excluded-ip-address 192.168.50.1 192.168.50.2
[DHCP-ip-pool-vlan50] dns-list 172.16.50.30
[DHCP-ip-pool-vlan50]ip pool vlan1000
[DHCP-ip-pool-vlan1000] gateway-list 192.168.100.254
[DHCP-ip-pool-vlan1000] network 192.168.100.0 mask 255.255.255.0
[DHCP-ip-pool-vlan1000]excluded-ip-address 192.168.100.1 192.168.100.2
[DHCP-ip-pool-vlan1000] dns-list 172.16.50.30
[DHCP-ip-pool-vlan1000]ip pool vlan2000
[DHCP-ip-pool-vlan2000]gateway-list 172.16.100.254
[DHCP-ip-pool-vlan2000] network 172.16.100.0 mask 255.255.255.0
[DHCP-ip-pool-vlan2000] excluded-ip-address 172.16.100.1 172.16.100.2
[DHCP-ip-pool-vlan2000] dns-list 172.16.50.30
[DHCP-ip-pool-vlan2000] option 43 sub-option 3 ascii 172.16.20.1
[DHCP-ip-pool-vlan2000]q
[DHCP]int g0/0/0
[DHCP-GigabitEthernet0/0/0]dhcp select global
[DHCP-GigabitEthernet0/0/0]q
SW1 configuration
[SW1]dhcp enable
[SW1]int vlan 10
[SW1-Vlanif10] dhcp select relay
[SW1-Vlanif10] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif10]int vlan 20
[SW1-Vlanif20] dhcp select relay
[SW1-Vlanif20] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif20]int vlan 30
[SW1-Vlanif30] dhcp select relay
[SW1-Vlanif30] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif30]int vlan 40
[SW1-Vlanif40] dhcp select relay
[SW1-Vlanif40] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif40]int vlan 50
[SW1-Vlanif50] dhcp select relay
[SW1-Vlanif50] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif50]int vlan 1000
[SW1-Vlanif1000] dhcp select relay
[SW1-Vlanif1000] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif1000]int vlan 2000
[SW1-Vlanif2000] dhcp select relay
[SW1-Vlanif2000] dhcp relay server-ip 172.16.10.100
[SW1-Vlanif2000]q
SW2 configuration
[SW2]dhcp enable
[SW2]int vlan 10
[SW2-Vlanif10]dhcp select relay
[SW2-Vlanif10]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif10]int vlan 20
[SW2-Vlanif20]dhcp select relay
[SW2-Vlanif20]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif20]int vlan 30
[SW2-Vlanif30]dhcp select relay
[SW2-Vlanif30]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif30]int vlan 40
[SW2-Vlanif40]dhcp select relay
[SW2-Vlanif40]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif40]int vlan 50
[SW2-Vlanif50]dhcp select relay
[SW2-Vlanif50]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif50]int vlan 1000
[SW2-Vlanif1000]dhcp select relay
[SW2-Vlanif1000]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif1000]int vlan 2000
[SW2-Vlanif2000]dhcp select relay
[SW2-Vlanif2000]dhcp relay server-ip 172.16.10.100
[SW2-Vlanif2000]q
Wireless configuration
The WLAN uses an AC + AP design. The AC hangs off Core-SW1 in bypass mode; VLAN 200 is the AC's management VLAN, VLAN 2000 is the AP management segment and VLAN 1000 the service segment for wireless clients. The APs learn the AC address through DHCP option 43 in the VLAN 2000 pool and register by MAC address. Note that with tunnel forwarding the AC's uplink must carry VLAN 1000 as well, whereas here the uplink is an access port in VLAN 200 and VLAN 1000 is trunked to the AP ports on SW3 to SW5; direct forwarding (forward-mode direct-forward in the VAP profile) is the mode that matches this topology. The SSID is protected by a single WPA2-PSK passphrase shared by the whole company; for a real deployment WPA2-Enterprise (802.1X) with per-user credentials is the better choice, and a passphrase should not appear in plaintext in a published configuration.
AC configuration
[AC6005]sy AC
[AC]vlan b 200
[AC]int g0/0/1
[AC-GigabitEthernet0/0/1]po li a
[AC-GigabitEthernet0/0/1]po de v 200
[AC-GigabitEthernet0/0/1]q
[AC]wlan
[AC-wlan-view]regulatory-domain-profile name wlan
[AC-wlan-regulate-domain-wlan]country-code CN
[AC-wlan-regulate-domain-wlan]q
[AC-wlan-view]ap-group name ap
[AC-wlan-ap-group-ap]regulatory-domain-profile wlan
[AC-wlan-ap-group-ap]q
[AC-wlan-view]q
[AC]int vlan 200
[AC-Vlanif200]ip add 172.16.20.1 24
[AC-Vlanif200]q
[AC]capwap source interface Vlanif 200
[AC]wlan
[AC-wlan-view]ap auth-mode mac-auth
[AC-wlan-view]ap-id 1 ap-mac 00e0-fcd7-3f50
[AC-wlan-ap-1]ap-group ap
[AC-wlan-ap-1]ap-name ap1
[AC-wlan-ap-1]q
[AC-wlan-view]ap-id 2 ap-mac 00e0-fc26-6370
[AC-wlan-ap-2]ap-group ap
[AC-wlan-ap-2]ap-name ap2
[AC-wlan-ap-2]q
[AC-wlan-view]ap-id 3 ap-mac 00e0-fc6d-5330
[AC-wlan-ap-3]ap-group ap
[AC-wlan-ap-3]ap-name ap3
[AC-wlan-ap-3]q
[AC-wlan-view]security-profile name security
[AC-wlan-sec-prof-security]security wpa2 psk pass-phrase huawei@123 aes
[AC-wlan-sec-prof-security]q
[AC-wlan-view]ssid-profile name ssid
[AC-wlan-ssid-prof-ssid]ssid wifi
[AC-wlan-ssid-prof-ssid]q
[AC-wlan-view]vap-profile name vap
[AC-wlan-vap-prof-vap]forward-mode tunnel
[AC-wlan-vap-prof-vap]service-vlan vlan-id 1000
[AC-wlan-vap-prof-vap]security-profile security
[AC-wlan-vap-prof-vap]ssid-profile ssid
[AC-wlan-vap-prof-vap]q
[AC-wlan-view]ap-group name ap
[AC-wlan-ap-group-ap]vap-profile vap wlan 1 radio all
[AC-wlan-ap-group-ap]q
Access control (ACL) configuration
Requirements: marketing, R&D and HR communicate with one another; marketing cannot reach administration; administration, R&D and HR communicate with one another; finance communicates only with administration. The VLAN assignment implied by the ACLs and by the test section is VLAN 10 marketing, VLAN 20 R&D, VLAN 30 HR, VLAN 40 finance, VLAN 50 administration and VLAN 1000 wireless clients. ACL 3000 drops marketing-to-administration traffic and is applied inbound on g0/0/1, the trunk from SW3 that carries VLAN 10; ACL 3001 drops finance traffic to every department segment except administration (and to the wireless segment) and is applied inbound on g0/0/3, the trunk from SW5 that carries VLANs 40 and 50. Filtering at the ingress trunk is enough for both directions even though the filters are stateless: administration can still send a packet to marketing, but the reply is dropped at g0/0/1, so the exchange fails either way. The same ACLs are applied on SW1 and SW2 because either switch may be the active gateway, or the transit path after a link failure, for a VLAN. The wildcard masks must be written out in full: a truncated mask such as 0.0.0.25 matches only a handful of hosts in the subnet.
SW1 configuration
[SW1]acl number 3000
[SW1-acl-adv-3000] rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
[SW1-acl-adv-3000] rule 10 permit ip
[SW1-acl-adv-3000]acl number 3001
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.10.0 0.0.0.255
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.20.0 0.0.0.255
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.30.0 0.0.0.255
[SW1-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.100.0 0.0.0.255
[SW1-acl-adv-3001]rule per ip
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
[SW1-GigabitEthernet0/0/1]q
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]traffic-filter inbound acl 3001
SW2 configuration
[SW2]acl number 3000
[SW2-acl-adv-3000] rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
[SW2-acl-adv-3000] rule 10 permit ip
[SW2-acl-adv-3000]acl number 3001
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.10.0 0.0.0.255
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.20.0 0.0.0.255
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.30.0 0.0.0.255
[SW2-acl-adv-3001]rule deny ip sou 192.168.40.0 0.0.0.255 de 192.168.100.0 0.0.0.255
[SW2-acl-adv-3001]rule per ip
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
[SW2-GigabitEthernet0/0/1]q
[SW2]int g0/0/3
[SW2-GigabitEthernet0/0/3]traffic-filter inbound acl 3001
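As an added example, not part of the original post: a Python model of the two ACLs and their ingress bindings that computes the department-to-department reachability matrix and checks it against the stated requirements. The sample hosts are constructed; wireless clients are assumed to enter through SW3's uplink (neither ACL matches a 192.168.100.0 source, so the choice does not alter the result); and the last lines show what a truncated wildcard (0.0.0.25 instead of 0.0.0.255) does to the finance rule.

```python
"""Department reachability under the SW1/SW2 ACLs (added example).

ACL 3000/3001 and their ingress bindings are transcribed from the
configuration above. Two hosts can talk only if the request passes the
filter on the sender's ingress trunk AND the reply passes the filter on
the receiver's; the filters are stateless.
"""
from ipaddress import IPv4Address, IPv4Network


def wildcard_match(ip, base, wildcard):
    """VRP wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    ip, base, wc = (int(IPv4Address(x)) for x in (ip, base, wildcard))
    return (ip & ~wc) == (base & ~wc)


def acl_permits(rules, src, dst):
    """First matching rule decides. A packet matching no rule is forwarded
    by traffic-filter, hence the default True."""
    for action, sb, sw, db, dw in rules:
        if (sb is None or wildcard_match(src, sb, sw)) and (db is None or wildcard_match(dst, db, dw)):
            return action == "permit"
    return True


PERMIT_ANY = ("permit", None, None, None, None)
ACL_3000 = [("deny", "192.168.10.0", "0.0.0.255", "192.168.50.0", "0.0.0.255"), PERMIT_ANY]
ACL_3001 = [("deny", "192.168.40.0", "0.0.0.255", d, "0.0.0.255")
            for d in ("192.168.10.0", "192.168.20.0", "192.168.30.0", "192.168.100.0")] + [PERMIT_ANY]

# ACL bound inbound on the aggregation-switch trunk each subnet arrives on
# (the bindings are identical on SW1 and SW2, so one table covers both).
INGRESS_ACL = {
    IPv4Network("192.168.10.0/24"): ACL_3000,   # marketing, g0/0/1 from SW3
    IPv4Network("192.168.20.0/24"): None,       # R&D, g0/0/2 from SW4 (no filter)
    IPv4Network("192.168.30.0/24"): None,       # HR, g0/0/2 from SW4
    IPv4Network("192.168.40.0/24"): ACL_3001,   # finance, g0/0/3 from SW5
    IPv4Network("192.168.50.0/24"): ACL_3001,   # administration, g0/0/3 from SW5
    IPv4Network("192.168.100.0/24"): ACL_3000,  # wireless; assumption: AP on SW3, so g0/0/1
}


def passes_ingress(src, dst):
    acl = next((a for net, a in INGRESS_ACL.items() if IPv4Address(src) in net), None)
    return acl is None or acl_permits(acl, src, dst)


def reachable(src, dst):
    """Stateless filtering: request and reply must both get through."""
    return passes_ingress(src, dst) and passes_ingress(dst, src)


# Constructed sample host per department, using this build's VLAN assignment.
HOSTS = {"marketing": "192.168.10.10", "rd": "192.168.20.10", "hr": "192.168.30.10",
         "finance": "192.168.40.10", "admin": "192.168.50.10", "wireless": "192.168.100.10"}
# Pairs the requirements say must not communicate; every other pair must.
EXPECTED_BLOCKED = {frozenset(p) for p in [("marketing", "admin"), ("finance", "marketing"),
                                            ("finance", "rd"), ("finance", "hr"), ("finance", "wireless")]}


def reachability_matrix(hosts=HOSTS):
    """{(src_dept, dst_dept): True if src can open a session to dst}."""
    return {(a, b): reachable(ia, ib) for a, ia in hosts.items() for b, ib in hosts.items() if a != b}


def policy_violations(matrix):
    """Directed pairs whose observed reachability contradicts the requirements."""
    bad = []
    for pair, is_open in matrix.items():
        should_be_open = frozenset(pair) not in EXPECTED_BLOCKED
        if is_open != should_be_open:
            bad.append(pair)
    return sorted(bad)


# The first rule of ACL 3001 with a truncated wildcard, 0.0.0.25 instead of
# 0.0.0.255: only hosts whose last octet has no bit outside 0b00011001
# (.0 .1 .8 .9 .16 .17 .24 .25) are still denied; every other marketing
# host becomes reachable from finance.
ACL_3001_TYPO = [("deny", "192.168.40.0", "0.0.0.255", "192.168.10.0", "0.0.0.25")] + ACL_3001[1:]

if __name__ == "__main__":
    print("violations:", policy_violations(reachability_matrix()))
    print("finance -> 192.168.10.50 with the typo:",
          acl_permits(ACL_3001_TYPO, "192.168.40.10", "192.168.10.50"))
```

The matrix is the thing to keep next to the requirements document: when a department or rule is added later, rerun it instead of pinging from one host in each VLAN.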
Firewall security policy configuration
Permit Internet access from trust to untrust, permit access from trust to the servers in the dmz, and permit untrust to the dmz only for the published web and FTP servers. The NAT server mappings are applied before the security policy is evaluated, so the untrust-to-dmz rule matches on the real server addresses (172.16.50.10/32 and 172.16.50.20/32) and on the translated services http and ftp, not on the public address or on port 8080. Everything not listed, including dmz-to-trust and anything addressed to the firewall itself (the Local zone), falls to the default deny. FTP opens a separate data connection; enable ASPF for it with detect ftp under firewall interzone untrust dmz, otherwise only the control channel passes.
[FW1]security-policy
[FW1-policy-security]rule name t-u
[FW1-policy-security-rule-t-u]source-zone trust
[FW1-policy-security-rule-t-u]destination-zone untrust
[FW1-policy-security-rule-t-u]ac p
[FW1-policy-security-rule-t-u]q
[FW1-policy-security]rule name t-d
[FW1-policy-security-rule-t-d]source-zone trust
[FW1-policy-security-rule-t-d]destination-zone dmz
[FW1-policy-security-rule-t-d]ac p
[FW1-policy-security-rule-t-d]q
[FW1-policy-security]rule name u-d
[FW1-policy-security-rule-u-d]source-zone untrust
[FW1-policy-security-rule-u-d]destination-zone dmz
[FW1-policy-security-rule-u-d]destination-address 172.16.50.10 32
[FW1-policy-security-rule-u-d]destination-address 172.16.50.20 32
[FW1-policy-security-rule-u-d]service http ftp
[FW1-policy-security-rule-u-d]ac p
[FW1-policy-security-rule-u-d]q
[FW1-policy-security]q
NAT policy configuration
Source NAT (easy-ip) for trust-to-untrust traffic: the private source address is replaced by the address of the outgoing interface g1/0/2 (202.96.137.88).
[FW1]nat-policy
[FW1-policy-nat]rule name t-u-nat
[FW1-policy-nat-rule-t-u-nat]source-zone trust
[FW1-policy-nat-rule-t-u-nat]destination-zone untrust
[FW1-policy-nat-rule-t-u-nat]action source-nat easy-ip
[FW1-policy-nat-rule-t-u-nat]q
[FW1-policy-nat]q
NAT server configuration
Publish the web server on 202.96.137.88:8080 (translated to 172.16.50.10 port 80, the www keyword) and the FTP server on 202.96.137.88:21 (172.16.50.20 port 21). The global address is the firewall's own outside address, which is also the easy-ip source address for outbound traffic.
[FW1]nat server pro tcp global 202.96.137.88 8080 inside 172.16.50.10 www
[FW1]nat server pro tcp global 202.96.137.88 ftp inside 172.16.50.20 ftp
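As an added example that is not part of the original post: a Python model of the order in which FW1 handles a packet arriving from untrust, transcribed from the NAT server and security-policy configuration above. NAT server runs first, the route lookup on the translated destination picks the destination zone, and only then is the policy evaluated. The routing table is reduced to the prefixes this build advertises (an assumption of the model, not a dump from the device), and POLICY_PORT_8080 is a deliberately wrong variant that names the public port instead of the translated service.

```python
"""Order of operations on FW1 for a packet arriving from untrust (added example)."""
from ipaddress import IPv4Address, IPv4Network

# nat server pro tcp global 202.96.137.88 8080 inside 172.16.50.10 www   (www = 80)
# nat server pro tcp global 202.96.137.88 ftp  inside 172.16.50.20 ftp   (ftp = 21)
NAT_SERVER = [("tcp", "202.96.137.88", 8080, "172.16.50.10", 80),
              ("tcp", "202.96.137.88", 21, "172.16.50.20", 21)]

# FW1's own interface addresses: traffic to them belongs to the Local zone.
FW_OWN = {IPv4Address(a) for a in ("172.16.172.2", "172.16.50.254", "202.96.137.88")}

# Routing table reduced to (prefix, zone of the egress interface). Assumption:
# the connected DMZ and FW-core links, the internal prefixes learned via OSPF
# on g1/0/0 (trust) and the static default out of g1/0/2 (untrust).
ROUTES = [(IPv4Network("172.16.50.0/24"), "dmz"), (IPv4Network("172.16.172.0/24"), "trust"),
          (IPv4Network("202.96.137.0/24"), "untrust"), (IPv4Network("0.0.0.0/0"), "untrust")]
ROUTES += [(IPv4Network(f"192.168.{n}.0/24"), "trust") for n in (10, 20, 30, 40, 50, 100)]
ROUTES += [(IPv4Network(f"172.16.{n}.0/24"), "trust") for n in (10, 20, 70, 80, 100)]

# security-policy rules in configured order (all of them permit):
# (name, source zone, destination zone, destination prefixes or None, services or None)
POLICY = [("t-u", "trust", "untrust", None, None),
          ("t-d", "trust", "dmz", None, None),
          ("u-d", "untrust", "dmz", ["172.16.50.10/32", "172.16.50.20/32"], [("tcp", 80), ("tcp", 21)])]


def destination_zone(ip):
    """Longest-prefix match; packets for one of FW1's own addresses go to 'local'."""
    if ip in FW_OWN:
        return "local"
    best = max((r for r in ROUTES if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def inbound_from_untrust(proto, dst_ip, dst_port, policy=POLICY):
    """Return (verdict, matched rule, translated 'ip:port') for a packet on g1/0/2."""
    ip, port = IPv4Address(dst_ip), dst_port
    for p, gip, gport, iip, iport in NAT_SERVER:            # 1. NAT server (destination NAT)
        if (p, IPv4Address(gip), gport) == (proto, ip, port):
            ip, port = IPv4Address(iip), iport
            break
    zone = destination_zone(ip)                              # 2. route lookup -> destination zone
    for name, sz, dz, prefixes, services in policy:         # 3. security policy, first match wins
        if sz != "untrust" or dz != zone:
            continue
        if prefixes and not any(ip in IPv4Network(pfx) for pfx in prefixes):
            continue
        if services and (proto, port) not in services:
            continue
        return "permit", name, f"{ip}:{port}"
    return "deny", "default", f"{ip}:{port}"                 # default policy action


# A rule written against the public port instead of the translated service never matches.
POLICY_PORT_8080 = POLICY[:2] + [("u-d", "untrust", "dmz", ["172.16.50.10/32"], [("tcp", 8080)])]

if __name__ == "__main__":
    for pkt in (("tcp", "202.96.137.88", 8080), ("tcp", "202.96.137.88", 21),
                ("tcp", "202.96.137.88", 80), ("udp", "202.96.137.88", 8080)):
        print(pkt, "->", inbound_from_untrust(*pkt))
    print("port-8080 rule:", inbound_from_untrust("tcp", "202.96.137.88", 8080, POLICY_PORT_8080))
```

The third and fourth sample packets show why the NAT server entries double as the exposure list: anything on the public address that is not mapped lands in the Local zone and is dropped by the default policy.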
4. Network tests

DHCP test
Department hosts obtain their addresses from the DHCP server at 172.16.10.100 through the relays on SW1/SW2.

Internet access test
An internal host reaches the ISP side through the easy-ip NAT on FW1.

Wireless login test
A client joins SSID wifi and obtains an address in the VLAN 1000 segment.

VRRP master/backup election test
SW1 is master for VRIDs 10, 20, 100 and 200 (VLANs 10, 20, 1000, 2000) and backup for VRIDs 30, 40 and 50.
SW2 is master for VRIDs 30, 40 and 50 (VLANs 30, 40, 50) and backup for VRIDs 10, 20, 100 and 200.

Load-sharing test
Marketing, R&D and wireless traffic goes through SW1.
HR, finance and administration traffic goes through SW2.

Core routing table and OSPF neighbour check
display ip routing-table and display ospf peer on Core-SW1 should show the internal prefixes, the default route injected by FW1 and full adjacencies with FW1, SW1 and SW2.

ACL test
Marketing, R&D and HR reach one another.
Marketing cannot reach administration.
Administration, R&D and HR reach one another.
Finance reaches administration only.

Internal access to the DMZ servers test
Hosts in the trust zone reach the web and FTP servers in the DMZ.

External NAT server test
An external client reaches the internal web server through 202.96.137.88:8080.
An external client reaches the internal FTP server through 202.96.137.88:21.