Core Lab 1: 1000-User Network Design (Non-Redundant)_ENSP

Project scenario / requirements:

① Configure Eth-Trunk in the information center for link redundancy
② Divide the enterprise intranet into multiple VLANs to shrink broadcast domains and improve network stability
③ The core switch acts as the user gateway and provides inter-VLAN routing
④ All users obtain IP addresses automatically
⑤ Configure NAT at the egress for address translation
⑥ Map port 80 of the internal server outward at the enterprise egress so that external users can access it
⑦ All devices can be managed remotely via Telnet
⑧ All campuses can reach each other, and the egress is redundant
⑨ The enterprise finance server may only be accessed by employees in VLAN 40.
⑩ Employees in VLAN 20 are forbidden from accessing the Internet, and key devices are monitored in real time


Lab topology:

[Topology diagram]


Detailed steps:

Step 1: VLAN, trunk and Eth-Trunk configuration

**Access sw8**
[JR_sw8]int Eth-Trunk 1
[JR_sw8-Eth-Trunk1]mode lacp-static
[JR_sw8-Eth-Trunk1]trunkport GigabitEthernet 0/0/1 0/0/2
[JR_sw8-Eth-Trunk1]port link-type trunk
[JR_sw8-Eth-Trunk1]port trunk allow-pass vlan 200 900 # 900 is the management VLAN
[JR_sw8]vlan batch 200 900

[JR_sw8]port-group group-member Ethernet 0/0/2 Ethernet 0/0/3
[JR_sw8-port-group]port link-type access
[JR_sw8-port-group]port default vlan 200

---------------------------------------------------
**Core sw1**
[HX_sw1]int Eth-Trunk 1
[HX_sw1-Eth-Trunk1]mode lacp-static
[HX_sw1-Eth-Trunk1]trunkport GigabitEthernet 0/0/2 0/0/5
[HX_sw1-Eth-Trunk1]port link-type trunk
[HX_sw1-Eth-Trunk1]port trunk allow-pass vlan 200 900
[HX_sw1]vlan batch 200 900 10 20 30 40 800
[HX_sw1]int g0/0/1
[HX_sw1-GigabitEthernet0/0/1]port link-type trunk
[HX_sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 900
[HX_sw1-GigabitEthernet0/0/1]int g0/0/3
[HX_sw1-GigabitEthernet0/0/3]port link-type trunk
[HX_sw1-GigabitEthernet0/0/3]port trunk allow-pass vlan 30 900
[HX_sw1-GigabitEthernet0/0/3]int g0/0/4
[HX_sw1-GigabitEthernet0/0/4]port link-type trunk
[HX_sw1-GigabitEthernet0/0/4]port trunk allow-pass vlan 40 900
[HX_sw1]int g0/0/24
[HX_sw1-GigabitEthernet0/0/24]port link-type access
[HX_sw1-GigabitEthernet0/0/24]port default vlan 800
----------------------------------------------------
**Access sw5** (sw6, sw7, sw9 are configured the same way)
[Huawei]sysname JR_sw5
[JR_sw5]vlan batch 10 900
[JR_sw5]port-group group-member e0/0/2 e0/0/3
[JR_sw5-port-group]port link-type access
[JR_sw5-port-group]port default vlan 10
[JR_sw5]int g0/0/1
[JR_sw5-GigabitEthernet0/0/1]port link-type trunk
[JR_sw5-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 900

**Aggregation sw2** (sw3, sw4, swN are configured the same way)
[HJ_sw2]vlan batch 10 20 900
[HJ_sw2]int GigabitEthernet 0/0/2
[HJ_sw2-GigabitEthernet0/0/2]port link-type trunk
[HJ_sw2-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 900
[HJ_sw2-GigabitEthernet0/0/2]int g0/0/3
[HJ_sw2-GigabitEthernet0/0/3]port link-type trunk
[HJ_sw2-GigabitEthernet0/0/3]port trunk allow-pass vlan 20 900
[HJ_sw2-GigabitEthernet0/0/3]int g0/0/1
[HJ_sw2-GigabitEthernet0/0/1]port link-type trunk
[HJ_sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 900

Step 2: Gateway SVI configuration

**Core sw1**
[HX_sw1]int Vlanif 10
[HX_sw1-Vlanif10]ip address 192.168.10.1 24
[HX_sw1]int Vlanif 20
[HX_sw1-Vlanif20]ip address 192.168.20.1 24
[HX_sw1-Vlanif20]int Vlanif 30
[HX_sw1-Vlanif30]ip address 192.168.30.1 24
[HX_sw1-Vlanif30]int Vlanif 40
[HX_sw1-Vlanif40]ip address 192.168.40.1 24
[HX_sw1-Vlanif40]int Vlanif 200
[HX_sw1-Vlanif200]ip address 192.168.200.1 24
[HX_sw1-Vlanif200]int Vlanif 800
[HX_sw1-Vlanif800]ip address 192.168.254.2 24
[HX_sw1-Vlanif800]display ip interface brief

Step 3: DHCP configuration

[HX_sw1]dhcp enable 
[HX_sw1]ip pool syl_vlan10
[HX_sw1-ip-pool-syl_vlan10]network 192.168.10.0 mask 24
[HX_sw1-ip-pool-syl_vlan10]gateway-list 192.168.10.1 
[HX_sw1-ip-pool-syl_vlan10]dns-list 114.114.114.114 8.8.8.8
[HX_sw1]ip pool syl_vlan20
[HX_sw1-ip-pool-syl_vlan20]network 192.168.20.0 mask 24
[HX_sw1-ip-pool-syl_vlan20]gateway-list 192.168.20.1 
[HX_sw1-ip-pool-syl_vlan20]dns-list 114.114.114.114 8.8.8.8
[HX_sw1]ip pool jxl_vlan30
[HX_sw1-ip-pool-jxl_vlan30]network 192.168.30.0 mask 24
[HX_sw1-ip-pool-jxl_vlan30]gateway-list 192.168.30.1 
[HX_sw1-ip-pool-jxl_vlan30]dns-list 114.114.114.114 8.8.8.8
[HX_sw1]ip pool xzl_vlan40
[HX_sw1-ip-pool-xzl_vlan40]network 192.168.40.0 mask 24
[HX_sw1-ip-pool-xzl_vlan40]gateway-list 192.168.40.1 
[HX_sw1-ip-pool-xzl_vlan40]dns-list 114.114.114.114 8.8.8.8
[HX_sw1]int Vlanif 10
[HX_sw1-Vlanif10]dhcp select global 
[HX_sw1-Vlanif10]int Vlanif 20
[HX_sw1-Vlanif20]dhcp select global
[HX_sw1-Vlanif20]int Vlanif 30
[HX_sw1-Vlanif30]dhcp select global
[HX_sw1-Vlanif30]int Vlanif 40
[HX_sw1-Vlanif40]dhcp select global

Step 4: OSPF configuration

**Egress R1**
[Huawei]int g4/0/0
[Huawei-GigabitEthernet4/0/0]ip address 192.168.254.1 24
[Huawei-GigabitEthernet4/0/0]int g3/0/0
[Huawei-GigabitEthernet3/0/0]ip address 12.1.1.1 29
[Huawei-GigabitEthernet3/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 13.1.1.1 29
[Huawei-GigabitEthernet0/0/1]int g1/0/0
[Huawei-GigabitEthernet1/0/0]ip address 192.168.104.1 30
[Huawei-GigabitEthernet1/0/0]int g2/0/0
[Huawei-GigabitEthernet2/0/0]ip address 192.168.105.1 30
---------------------------------------------------------
R2, R3, R4 and R5 are configured in the same way with their respective IP addresses.
---------------------------------------------------------
**Core sw1**
[HX_sw1]ospf 1 router-id 1.1.1.1
[HX_sw1-ospf-1]area 0
[HX_sw1-ospf-1-area-0.0.0.0]network 192.168.200.0 0.0.0.255
[HX_sw1-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[HX_sw1-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[HX_sw1-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[HX_sw1-ospf-1-area-0.0.0.0]network 192.168.40.0 0.0.0.255
[HX_sw1-ospf-1-area-0.0.0.0]network 192.168.254.0 0.0.0.255
---------------------------------------------------------
**Egress R1**
[chukou_R1]ospf 1 router-id 2.2.2.2
[chukou_R1-ospf-1]area 0
[chukou_R1-ospf-1-area-0.0.0.0]network 192.168.254.0 0.0.0.255
[chukou_R1-ospf-1-area-0.0.0.0]network 192.168.105.0 0.0.0.3
[chukou_R1-ospf-1-area-0.0.0.0]network 192.168.104.1 0.0.0.0 # the exact interface address can also be advertised
----------------------------------------------------------
**R4**
[XXQ1_R4]ospf 1 router-id 4.4.4.4
[XXQ1_R4-ospf-1]area 0
[XXQ1_R4-ospf-1-area-0.0.0.0]network 192.168.104.2 0.0.0.0
[XXQ1_R4-ospf-1-area-0.0.0.0]network 192.168.100.1 0.0.0.0
-----------------------------------------------------------
**R5**
[XXQ2_R4]ospf 1 router-id 5.5.5.5
[XXQ2_R4-ospf-1]area 0
[XXQ2_R4-ospf-1-area-0.0.0.0]network 192.168.105.2 0.0.0.0
[XXQ2_R4-ospf-1-area-0.0.0.0]network 192.168.150.1 0.0.0.0

Step 5: WAN egress path selection

**Default routes:**
Core sw1:
[HX_sw1]ip route-static 0.0.0.0 0 192.168.254.1
Egress R1:
[chukou_R1]ip route-static 0.0.0.0 0 12.1.1.6
[chukou_R1]ip route-static 0.0.0.0 0 13.1.1.6 preference 70 # backup via China Unicom; a higher preference value is less preferred, the default is 60

Step 6: NAT configuration

**Egress R1:**
[chukou_R1]acl 2000
[chukou_R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[chukou_R1-acl-basic-2000]int g3/0/0
[chukou_R1-GigabitEthernet3/0/0]nat outbound 2000
[chukou_R1-GigabitEthernet3/0/0]int g0/0/1
[chukou_R1-GigabitEthernet0/0/1]nat outbound 2000

[chukou_R1-GigabitEthernet0/0/1]int g3/0/0
[chukou_R1-GigabitEthernet3/0/0]nat server protocol tcp global current-interface 80 inside 192.168.200.10 80 # map the web server outward; the public address is this interface's own address
[chukou_R1-GigabitEthernet3/0/0]int g0/0/1
[chukou_R1-GigabitEthernet0/0/1]nat server protocol tcp global current-interface 80 inside 192.168.200.10 80

Step 7: Telnet remote management configuration

sw1 (sw2, sw3, sw4, sw5, sw6, sw7, sw8, sw9 are configured the same way):
[HX_sw1]telnet server enable
[HX_sw1]aaa
[HX_sw1-aaa]local-user garliccc privilege level 3 password cipher 123
[HX_sw1-aaa]local-user garliccc service-type telnet
[HX_sw1]user-interface vty 0 4
[HX_sw1-ui-vty0-4]authentication-mode aaa
[HX_sw1-ui-vty0-4]protocol inbound telnet # newer devices only allow SSH by default; this command enables Telnet
[HX_sw1]int Vlanif 900
[HX_sw1-Vlanif900]ip address 192.168.255.1 24
---------------------------------------------------------------
sw2, sw3, sw4, sw5, sw6, sw7, sw8 and sw9 need a return route so that they can be managed:
[JR_sw8]ip route-static 0.0.0.0 0 192.168.255.1

Step 8: Access control configuration (ACL)

Only employees in VLAN 40 may access the finance server:
[HX_sw1]acl 3000
[HX_sw1-acl-adv-3000]rule permit ip source 192.168.40.0 0.0.0.255 destination 192.168.200.20 0
[HX_sw1-acl-adv-3000]rule deny ip source any destination 192.168.200.20 0
[HX_sw1]int Eth-Trunk 1
[HX_sw1-Eth-Trunk1]traffic-filter outbound acl 3000
----------------------------------------------------------
Forbid VLAN 20 employees from accessing the Internet, and monitor key devices in real time:
[chukou_R1]acl 3001
[chukou_R1-acl-adv-3001]rule permit ip destination 192.168.0.0 0.0.255.255
[chukou_R1-acl-adv-3001]rule deny ip source 192.168.20.0 0.0.0.255
[chukou_R1-acl-adv-3001]int gi4/0/0
[chukou_R1-GigabitEthernet4/0/0]traffic-filter inbound acl 3001
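To check what these filters actually do before applying them, here is an added Python model (not part of the original lab) of Huawei-style wildcard matching with first-match rule evaluation. It is loaded with ACL 3000 and ACL 3001 from this step and with R1's OSPF network statements from Step 4, and it assumes traffic-filter's implicit permit for packets that match no rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = Tuple[str, str]  # (base address, wildcard mask); 1-bits in the wildcard are "don't care"

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard cares about (ACL rules and OSPF 'network' use the same test)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: Optional[Net] = None   # None means "any"
    dst: Optional[Net] = None

def evaluate(acl: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; traffic-filter forwards packets that match no rule (assumed implicit permit)."""
    for r in acl:
        if r.src is not None and not wildcard_match(src, *r.src):
            continue
        if r.dst is not None and not wildcard_match(dst, *r.dst):
            continue
        return r.action
    return "permit"

# ACL 3000 as configured on HX_sw1 (outbound on Eth-Trunk 1 toward the server VLAN)
ACL_3000 = [
    Rule("permit", src=("192.168.40.0", "0.0.0.255"), dst=("192.168.200.20", "0.0.0.0")),
    Rule("deny", dst=("192.168.200.20", "0.0.0.0")),
]
# ACL 3001 as configured on chukou_R1 (inbound on G4/0/0 from the core)
ACL_3001 = [
    Rule("permit", dst=("192.168.0.0", "0.0.255.255")),
    Rule("deny", src=("192.168.20.0", "0.0.0.255")),
]

def ospf_enabled(interface_ip: str, networks: List[Net]) -> bool:
    """Is this interface address covered by any 'network base wildcard' statement?"""
    return any(wildcard_match(interface_ip, base, wc) for base, wc in networks)

R1_NETWORKS = [("192.168.254.0", "0.0.0.255"), ("192.168.105.0", "0.0.0.3"), ("192.168.104.1", "0.0.0.0")]

if __name__ == "__main__":
    print(evaluate(ACL_3000, "192.168.40.5", "192.168.200.20"))  # permit
    print(evaluate(ACL_3000, "192.168.10.5", "192.168.200.20"))  # deny
    print(evaluate(ACL_3001, "192.168.20.7", "8.8.8.8"))         # deny
    print(ospf_enabled("12.1.1.1", R1_NETWORKS))                 # False: the ISP link is not in OSPF
```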

Step 9: SNMP operations monitoring

Configure on all managed devices:
[HX_sw1]snmp-agent sys-info version all
[HX_sw1]snmp-agent 
[HX_sw1]snmp-agent  community write garliccc
[HX_sw1]snmp-agent community read garliccc

Result:

All requirements are met.
