背景需求
(1)随着企业业务数量大幅增加,以及网络应用的高速发展,现有IPv4地址已不能满足需求,根据通信架构合理规划IPv6网络,对企业网络进行构建及扩充。
(2)企业业务量上升网络主机对外部访问量增加,单一网关设计的网络不再满足高可用性的要求,需要根据企业网络需求,设计多个网关的主/备运行,在当前运行网关设备故障或维护时,依然可以保证业务流量的畅通。
(3)依照企业网络规划,需要基于IPv6设计的路由协议及地址可兼容与企业网关备份策略及技术,合理配置网管设备,使其可用于IPv6网络网关备份。
(4)接入层划分vlan实现二层隔离。
(5)使用vrrp6技术实现网关冗余备份
(6)使用ospfv3技术实现内网互联互通
(7)使用dhcpv6技术实现终端自动获取ip地址
(8)使用防火墙配置安全策略保护内网安全
将该公司申请的/48进一步划分为/46, 分配给各部门
| 接入单位 | 地址 | 所属vlan |
| 行政部 | 2001:100:200:1::/64 | 10 |
| IT部 | 2001:100:200:2::/64 | 20 |
| 商务部 | 2001:100:200:3::/64 | 30 |
| 办公有线 | 2001:100:200:4::/64 | 40 |
| 车间 | 2001:100:200:5::/64 | 50 |
| 测试 | 2001:100:200:6::/64 | 60 |
| 服务器 | 2001:100:200:7::/64 | N/A |
设备互联地址
| 名称 | 地址 |
| FW---核心1 | 2001:100:200:abc::/126 |
| FW---核心2 | 2001:100:200:abc::4/126 |
| FW---服务器核心1 | 2001:100:200:abc::8/126 |
| FW---服务器核心2 | 2001:100:200:abc::C/126 |
| 出口地址 | 2005::/64 |
拓扑
配置过程
Vlan创建
vlan batch 10 20 30 40
vlan batch 50 60
其他交换机配置相同
交换机接口划分
办公楼接入交换机
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 10
#
车间接入交换机
interface GigabitEthernet0/0/1
port link-type access
port default vlan 50
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 50
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#接入交换机
其他配置均相同 加入相应vlan即可
汇聚交换机配置
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30 40
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 30 40
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20 30 40
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 10 20 30 40
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 10 20 30 40
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 10 20 30 40
#
生产车间汇聚交换机
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 50 60
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 50 60
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 50 60
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 50 60
#
核心配置业务接口
开启ipv6
其他设备均要开启ipv6功能
配置接口ipv6地址,配置vrrp网关
interface GigabitEthernet0/0/0.10
dot1q termination vid 10
ipv6 enable
ipv6 address 2001:100:200:1::1/64
undo ipv6 nd ra halt
ospfv3 1 area 0.0.0.0
vrrp6 vrid 10 virtual-ip FE80::1 link-local
vrrp6 vrid 10 virtual-ip 2001:100:200:1::3
vrrp6 vrid 10 priority 120
arp broadcast enable
#
interface GigabitEthernet0/0/0.20
dot1q termination vid 20
ipv6 enable
ipv6 address 2001:100:200:2::1/64
undo ipv6 nd ra halt
ospfv3 1 area 0.0.0.0
vrrp6 vrid 20 virtual-ip FE80::2 link-local
vrrp6 vrid 20 virtual-ip 2001:100:200:2::3
vrrp6 vrid 20 priority 120
arp broadcast enable
dhcpv6 server vlan20
#
interface GigabitEthernet0/0/0.30
dot1q termination vid 30
ipv6 enable
ipv6 address 2001:100:200:3::1/64
ospfv3 1 area 0.0.0.0
vrrp6 vrid 30 virtual-ip FE80::3 link-local
vrrp6 vrid 30 virtual-ip 2001:100:200:3::3
arp broadcast enable
#
interface GigabitEthernet0/0/0.40
dot1q termination vid 40
ipv6 enable
ipv6 address 2001:100:200:4::1/64
ospfv3 1 area 0.0.0.0
vrrp6 vrid 40 virtual-ip FE80::4 link-local
vrrp6 vrid 40 virtual-ip 2001:100:200:4::3
arp broadcast enable
#
备份配置
interface GigabitEthernet0/0/0.10
dot1q termination vid 10
ipv6 enable
ipv6 address 2001:100:200:1::2/64
ospfv3 1 area 0.0.0.0
vrrp6 vrid 10 virtual-ip FE80::1 link-local
vrrp6 vrid 10 virtual-ip 2001:100:200:1::3
arp broadcast enable
#
interface GigabitEthernet0/0/0.20
dot1q termination vid 20
ipv6 enable
ipv6 address 2001:100:200:2::2/64
ospfv3 1 area 0.0.0.0
vrrp6 vrid 20 virtual-ip FE80::2 link-local
vrrp6 vrid 20 virtual-ip 2001:100:200:2::3
arp broadcast enable
#
interface GigabitEthernet0/0/0.30
dot1q termination vid 30
<Huawei>
Please check whether system data has been changed, and save data in time
Configuration console time out, please press any key to log on
<Huawei>dis cu int
[V200R003C00]
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/0.10
dot1q termination vid 10
ipv6 enable
ipv6 address 2001:100:200:1::2/64
ospfv3 1 area 0.0.0.0
vrrp6 vrid 10 virtual-ip FE80::1 link-local
vrrp6 vrid 10 virtual-ip 2001:100:200:1::3
arp broadcast enable
#
interface GigabitEthernet0/0/0.20
dot1q termination vid 20
ipv6 enable
ipv6 address 2001:100:200:2::2/64
ospfv3 1 area 0.0.0.0
vrrp6 vrid 20 virtual-ip FE80::2 link-local
vrrp6 vrid 20 virtual-ip 2001:100:200:2::3
arp broadcast enable
#
interface GigabitEthernet0/0/0.30
dot1q termination vid 30
ipv6 enable
ipv6 address 2001:100:200:3::2/64
ospfv3 1 area 0.0.0.0
vrrp6 vrid 30 virtual-ip FE80::3 link-local
vrrp6 vrid 30 virtual-ip 2001:100:200:3::3
vrrp6 vrid 30 priority 120
arp broadcast enable
#
interface GigabitEthernet0/0/0.40
dot1q termination vid 40
ipv6 enable
ipv6 address 2001:100:200:4::2/64
ospfv3 1 area 0.0.0.0
vrrp6 vrid 40 virtual-ip FE80::4 link-local
vrrp6 vrid 40 virtual-ip 2001:100:200:4::3
vrrp6 vrid 40 priority 120
arp broadcast enable
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.50
dot1q termination vid 50
ipv6 enable
ipv6 address 2001:100:200:5::2/64
ospfv3 1 area 0.0.0.0
vrrp6 vrid 50 virtual-ip FE80::5 link-local
vrrp6 vrid 50 virtual-ip 2001:100:200:5::3
arp broadcast enable
#
interface GigabitEthernet0/0/1.60
dot1q termination vid 60
ipv6 enable
ipv6 address 2001:100:200:6::2/64
ospfv3 1 area 0.0.0.0
vrrp6 vrid 60 virtual-ip FE80::6 link-local
vrrp6 vrid 60 virtual-ip 2001:100:200:6::3
arp broadcast enable
#
配置DHCPv6
关闭ra报文抑制
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 2001:100:200:7::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 server server
配置自动配置 RA标志位 使用有状态dhcpv6 获取地址
配置地址池
dhcpv6 pool server
address prefix 2001:100:200:7::/64
excluded-address 2001:100:200:7::1
excluded-address 2001:100:200:7::3
#
OSPFv3 配置
interface GigabitEthernet0/0/2
ipv6 enable
ipv6 address 2001:100:200:ABC::1/126
ospfv3 1 area 0.0.0.0
#
ospfv3 1
router-id 1.1.1.1
#
其他配置均相同 创建ospfv3 进程 进入接口启用ospfv3 以及区域
防火墙配置
去往ISP路由
ipv6 route-static :: 0 2005::2
Ospfv3 引入默认
安全区域配置
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/4
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
配置安全策略
security-policy
rule name tr-un
source-zone trust
destination-zone untrust
action permit
rule name tr-dmz
source-zone trust
destination-zone dmz
action permit
#
防火墙OSPF宣告配置
interface GigabitEthernet1/0/1
undo shutdown
ipv6 enable
ipv6 address 2001:100:200:ABC::5/126
ospfv3 1 area 0.0.0.0
#
interface GigabitEthernet1/0/2
undo shutdown
ipv6 enable
ipv6 address 2001:100:200:ABC::A/126
ospfv3 1 area 0.0.0.0
#
interface GigabitEthernet1/0/3
undo shutdown
ipv6 enable
ipv6 address 2001:100:200:ABC::E/126
ospfv3 1 area 0.0.0.0
测试
私信获取
7万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
