文章简介:最近有小伙伴私信问有没有总分公司的企业网设计,本文用华为ensp对企业网络进行了规划和模拟,也同样适用于校园、医院等场景。如有需要可私信作者,可以根据定制化需求做修改。
---------------------------------------------------------------------------------------------------------------------------
目录
需求
- 总公司:VRRP+MSTP
- LSW3是主根桥,LSW4是备份根桥
- 总公司和分公司事业部采用DHCP全局获取地址,server自动分配
- 总公司内网采用OSPF,并启用OSPF密码认证,分公司采用rip
- 提升OSPF性能,网络类型修改为P2P
- R2、LSP、R5采用PPP 、CHAP认证
- R2、R5之间配置IPSEC(有IKE的动态命令)
- 设备配置Stelnet登录,LSP除外
- 链路聚合
- 总公司事业部可以访问server,但分公司只能访问server1
- 总公司和分公司都能访问LSP,但需要配置easyip
- 最后,总公司可以访问分公司的事业部
拓扑图
配置思路与过程
1、接入层实现
对于接入层根据规划,接入用户的端口加入相关VLAN,上行trunk口允许相关vlan通过。
[Acc-01]vlan batch 10 //创建相应的vlan
配置接入用户接口
[Acc-01-Ethernet0/0/3]port link-type access
[Acc-01-Ethernet0/0/3]port default vlan 10
[Acc-01-Ethernet0/0/4]port link-type access
[Acc-01-Ethernet0/0/4]port default vlan 10
配置上行口
[Acc-01-Ethernet0/0/1]port link-type trunk
[Acc-01-Ethernet0/0/1]port trunk allow-pass vlan all
[Acc-01-Ethernet0/0/2]port link-type trunk
[Acc-01-Ethernet0/0/2]port trunk allow-pass vlan all
(其他接入配置相同)
接入层交换机、汇聚交换机上配置MSTP多实例生成树,将相关vlan加入不同的实例。
stp region-configuration //进入MSTP模式
region-name huawei //配置域名为huawei
instance 1 vlan 10 20 //将vlan80 加入实例1中
instance 2 vlan 30 40 //将vlan90加入实例2中
active region-configuration //激活配置
2、汇聚层实现
(1)DHCP实现
尽量在汇聚交换机上部署DHCP,减少核心设备负担
配置DHCP:
[Huawei-ip-pool-vlan10]network 192.168.10.0 mask 255.255.255.0
[Huawei-ip-pool-vlan10] dns-list 114.114.114.114
[Huawei-ip-pool-vlan10] gateway-list 192.168.10.254
[Huawei-ip-pool-vlan10]ip pool vlan20
Info:It's successful to create an IP address pool.
[Huawei-ip-pool-vlan20]network 192.168.20.0 mask 255.255.255.0
[Huawei-ip-pool-vlan20] dns-list 114.114.114.114
[Huawei-ip-pool-vlan20] gateway-list 192.168.20.254
[Huawei-ip-pool-vlan20]ip pool vlan30
Info:It's successful to create an IP address pool.
[Huawei-ip-pool-vlan30]network 192.168.30.0 mask 255.255.255.0
[Huawei-ip-pool-vlan30] dns-list 114.114.114.114
[Huawei-ip-pool-vlan30] gateway-list 192.168.30.254
[Huawei-ip-pool-vlan30]ip pool vlan40
Info:It's successful to create an IP address pool.
[Huawei-ip-pool-vlan40]network 192.168.40.0 mask 255.255.255.0
[Huawei-ip-pool-vlan40] dns-list 114.114.114.114
[Huawei-ip-pool-vlan40] gateway-list 192.168.40.254
(2)MSTP+VRRP:
stp instance 1 root primary //指定本交换机为主根桥
stp instance 2 root sec //指定本交换机为次根桥
3)网关配置 以及网关VRRP配置
interface Vlanif10 //主网关
ip address 192.168.10.1 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 120
interface Vlanif10 //备份网关
ip address 192.168.10.2 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
5)配置链路聚合
在两台汇聚交换机间设置链路聚合,关键代码如下:
interface eth-trunk 0 //创建ID为0的Eth-Trunk接口
trunkport GigabitEthernet 0/0/23 to 0/0/24 将 23 24号口加入到聚合组中
port link-type trunk //放行vlan
port trunk allow-pass vlan all
(对端配置完全相同)
3、网络出口实现
(1)部署NAT:
NAT关键代码如下: 由于有ipsec vpn 需要将去往分部的流量 不做NAT转换
[Huawei-acl-basic-3001] rule 5 deny ip destination 192.168.65.0 0.0.0.255
[Huawei-acl-basic-3001] rule 10 deny ip destination 192.168.69.0 0.0.0.255
[Huawei-acl-basic-3001] rule 15 permit ip source 192.168.0.0 0.0.255.255
[Huawei]int s1/0/0
[Huawei-Serial1/0/0]ip add 202.168.10.2 24
[Huawei-Serial1/0/0]nat outbound 3001
分部的NAT配置同理
4、路由协议实现
核心交换机通过双上行与出口设备相连,通过三层OSPF路由技术
//此配置 其他设备 均相同 宣告各自直连网段即可
[Core-A-ospf-1]area 0
[Core-A-ospf-1-area-0.0.0.0]network 192.168.0.0 0.0.255.255
//修改OSPF接口网络类型
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ospf network-type p2p
其他接口同理
//OSPF 认证
[Huawei]ospf 1
[Huawei-ospf-1]a 0
[Huawei-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin@123
出口路由配置:
[Huawei]ip route-static 0.0.0.0 0 202.169.10.3 //出口默认指向运营商
[Huawei]ospf 1
[Huawei-ospf-1]default-route-advertise
分部的RIP配置:
[Huawei]rip 1
[Huawei-rip-1]v 2
[Huawei-rip-1]undo summary
[Huawei-rip-1]network 192.168.56.0
[Huawei-rip-1]network 192.168.65.0
[Huawei]rip 1
[Huawei-rip-1]undo su
[Huawei-rip-1]v 2
[Huawei-rip-1]network 192.168.69.0
[Huawei-rip-1]network 192.168.57.0
[Huawei]rip 1
[Huawei-rip-1]undo su
[Huawei-rip-1]v 2
[Huawei-rip-1]network 192.168.56.0
[Huawei-rip-1]network 192.168.57.0
[Huawei-rip-1]default-route originate
[Huawei]ip route-static 0.0.0.0 0 202.169.20.3
5、VPN ipsec 功能
[Huawei]ike proposal 1
[Huawei]ike peer R4 v2 //ike对端协商策略
[Huawei-ike-peer-R4]remote-address 202.169.20.4
[Huawei-ike-peer-R4]ike-proposal 1
[Huawei-ike-peer-R4]pre-shared-key cipher admin@123
//匹配流量
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.65.0 0.0.0.2
55
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.65.0 0.0.0.
255
rule 15 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.65.0 0.0.0.
255
rule 20 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.65.0 0.0.0.
255
rule 25 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.65.0 0.0.0.
255
rule 30 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.69.0 0.0.0.
255
rule 35 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.69.0 0.0.0.
255
rule 40 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.69.0 0.0.0.
255
rule 45 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.69.0 0.0.0.
255
rule 50 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.69.0 0.0.0.
255
#
[Huawei]ipsec policy p1 10 isakmp //ipsec 策略
[Huawei-ipsec-policy-isakmp-p1-10]security acl 3000
[Huawei-ipsec-policy-isakmp-p1-10]proposal 1
[Huawei-ipsec-policy-isakmp-p1-10]ike-peer R4
[Huawei]int s1/0/0 //接口绑定策略
[Huawei-Serial1/0/0]ipsec policy p1
对端配置同理即可
6、PPP认证
用户名 密码 均为 user@123
[Huawei-aaa]local-user user@123 password cipher user@123 privilege level 15
[Huawei-aaa]local-user user@123 service-type ppp
interface Serial1/0/0
link-protocol ppp
ppp authentication-mode chap
ppp chap user user@123
ppp chap password cipher user@123
对端配置同理
7、Stelnet功能配置
aaa
local-user admin service-type ssh
local-user admin password cipher admin@123
stelnet server enable
ssh user admin
ssh authentication-type default password
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa
[Huawei-ui-vty0-4]protocol inbound all
验证
私信获取
1438
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
