基于OSPF的企业内网安全优化

1.拓扑

2.IP地址规划

设备/地址/vlan	设备/地址
汇聚交换机/VLAN10	192.200.10.0/24
汇聚交换机/VLAN20	192.200.20.0/24
汇聚交换机/VLAN30	192.200.30.0/24
汇聚交换机/VLAN40	192.200.40.0/24
汇聚交换机/VLAN50	192.200.50.0/24
汇聚交换机/VLAN60	192.200.60.0/24
防火墙/VLAN70/服务器网段	192.200.70.0/24
防火墙/VLAN80/服务器网段	192.200.80.0/24

3.使用协议说明

VLAN-----------------隔离广播域，优化内网用户上网体验

SVI-------------Vlan间三层通信

DHCP---------------内网主机 自动获取IP地址

OSPF------------------提供内网路由的学习

MSTP--------------------多实例生成树，打破二层环路的同时，实现多vlan的负载均衡

VRRP------------------起到网关冗余作用

NAT--------------------地址转换，提供用户访问互联网

防火墙安全策略----------------------------提供安全策略的访问控制，以及高级的防病毒、入侵检测功能

链路聚合----------------提供链路带宽

4.设备选型

序号

设备名称

品牌

规格

单位及

性能及指标

产地

型号

数量

1

接入交换机

华为

CloudEngine S5731-H24P4XC

30

S5731-H24P4XC(24个10/100/1000BASE-T以太网端口,4个万兆SFP+,单子卡槽位,PoE+,不含电源)

2

汇聚交换机

华为

CloudEngine S6730-H24X6C

2

S6730-H24X6C(24个万兆SFP+,6个40GE QSFP28，可选license升级到6个100GE QSFP28,不含电源

3

核心路由器

华为

AR2204-24GE

4

AR2204-24GE(3GE WAN(1GE Combo),24 GE,1 USB,4 SIC,60W AC Power)

4

防火墙

华为

Secospace USG6310S

3

USG6310S-W交流主机(8GE电,1GB内存),WIFI 2.4G+5G

5.网络配置实施

二层划分vlan、以及接口配置

interface Ethernet0/0/1

 port link-type access

 port default vlan 10

#

interface Ethernet0/0/2

 port link-type access

 port default vlan 10

#

interface Ethernet0/0/3

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface Ethernet0/0/4

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface Ethernet0/0/1

 port link-type access

 port default vlan 20

#

interface Ethernet0/0/2

 port link-type access

 port default vlan 20

#

interface Ethernet0/0/3

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface Ethernet0/0/4

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface Ethernet0/0/1

 port link-type access

 port default vlan 30

#

interface Ethernet0/0/2

 port link-type access

 port default vlan 30

#

interface Ethernet0/0/3

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface Ethernet0/0/4

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface Ethernet0/0/1

 port link-type access

 port default vlan 40

#

interface Ethernet0/0/2

 port link-type access

 port default vlan 40

#

interface Ethernet0/0/3

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface Ethernet0/0/4

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface Ethernet0/0/1

 port link-type access

 port default vlan 50

#

interface Ethernet0/0/2

 port link-type access

 port default vlan 50

#

interface Ethernet0/0/3

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface Ethernet0/0/4

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface Ethernet0/0/1

 port link-type access

 port default vlan 60

#

interface Ethernet0/0/2

 port link-type access

 port default vlan 60

#

interface Ethernet0/0/3

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface Ethernet0/0/4

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

双汇聚交换机上，进行三层SIV接口配置及路由器物理接口以及VRRP配置

汇聚交换机1：

[Huawei]int vlan 10

[Huawei-Vlanif10]ip add 192.200.10.1 255.255.255.0

[Huawei-Vlanif10]vrrp vrid 10 virtual-ip 192.200.10.254

[Huawei-Vlanif10] vrrp vrid 10 priority 120

[Huawei-Vlanif10]int vlan 20

[Huawei-Vlanif20]ip add 192.200.20.1 255.255.255.0

[Huawei-Vlanif20]vrrp vrid 20 virtual-ip 192.200.20.254

[Huawei-Vlanif20] vrrp vrid 20 priority 120

[Huawei-Vlanif20]int vlan 30

[Huawei-Vlanif30]ip add 192.200.30.1 255.255.255.0

[Huawei-Vlanif30]vrrp vrid 30 virtual-ip 192.200.30.254

[Huawei-Vlanif30] vrrp vrid 30 priority 120

[Huawei-Vlanif30]int vlan 40

[Huawei-Vlanif40]ip add 192.200.40.1 255.255.255.0

[Huawei-Vlanif40]vrrp vrid 40 virtual-ip 192.200.40.254

[Huawei-Vlanif40]int vlan 50

[Huawei-Vlanif50]ip add 192.200.50.1 255.255.255.0

[Huawei-Vlanif50]vrrp vrid 50 virtual-ip 192.200.50.254

[Huawei-Vlanif50]int vlan 60

[Huawei-Vlanif60]ip add 192.200.60.1 255.255.255.0

[Huawei-Vlanif60]vrrp vrid 60 virtual-ip 192.200.60.254

汇聚交换机2：

[Huawei]int vlan 10

[Huawei-Vlanif10]ip add 192.200.10.2 255.255.255.0

[Huawei-Vlanif10]vrrp vrid 10 virtual-ip 192.200.10.254

[Huawei-Vlanif10]int vlan 20

[Huawei-Vlanif20]ip add 192.200.20.2 255.255.255.0

[Huawei-Vlanif20]vrrp vrid 20 virtual-ip 192.200.20.254

[Huawei-Vlanif20]int vlan 30

[Huawei-Vlanif30]ip add 192.200.30.2 255.255.255.0

[Huawei-Vlanif30]vrrp vrid 30 virtual-ip 192.200.30.254

[Huawei-Vlanif30]int vlan 40

[Huawei-Vlanif40]ip add 192.200.40.2 255.255.255.0

[Huawei-Vlanif40]vrrp vrid 40 virtual-ip 192.200.40.254

[Huawei-Vlanif40] vrrp vrid 40 priority 120

[Huawei-Vlanif40]int vlan 50

[Huawei-Vlanif50]ip add 192.200.50.2 255.255.255.0

[Huawei-Vlanif50]vrrp vrid 50 virtual-ip 192.200.50.254

[Huawei-Vlanif50] vrrp vrid 50 priority 120

[Huawei-Vlanif50]int vlan 60

[Huawei-Vlanif60]ip add 192.200.60.2 255.255.255.0

[Huawei-Vlanif60]vrrp vrid 60 virtual-ip 192.200.60.254

[Huawei-Vlanif60] vrrp vrid 60 priority 120

MSTP配置

stp region

 region-name Huawei

 instance 1 vlan 10 20 30 

 instance 2 vlan 40 50 60

 active region-configuration

调整MSTP实例优先级

[Huawei]stp instance  1 root  primary  

[Huawei]stp instance  2 root  secondary  

链路聚合配置

[Huawei-Eth-Trunk0]trunkport GigabitEthernet  0/0/23 to 0/0/24

[Huawei-Eth-Trunk0]port link-type t

[Huawei-Eth-Trunk0]port trunk allow-pass vlan all

DHCP配置

定义DHCP地址池：

ip pool vlan10

network 192.200.10.0 mask 255.255.255.0

  dns-list 114.114.114.114

 gateway-list 192.200.10.254

ip pool vlan20

network 192.200.20.0 mask 255.255.255.0

  dns-list 114.114.114.114

 gateway-list 192.200.20.254

ip pool vlan30

network 192.200.30.0 mask 255.255.255.0

  dns-list 114.114.114.114

 gateway-list 192.200.30.254

ip pool vlan40

network 192.200.40.0 mask 255.255.255.0

  dns-list 114.114.114.114

 gateway-list 192.200.40.254

ip pool vlan50

network 192.200.50.0 mask 255.255.255.0

  dns-list 114.114.114.114

 gateway-list 192.200.50.254

ip pool vlan60

network 192.200.60.0 mask 255.255.255.0

  dns-list 114.114.114.114

 gateway-list 192.200.60.254

开启DHCP以及接口下调用

[Huawei] dhcp enable

[Huawei]  int vlan 10

[Huawei-Vlanif10]  dhcp se g

[Huawei-Vlanif10] int vlan 20

[Huawei-Vlanif20]  dhcp se g

[Huawei-Vlanif20] int vlan 30

[Huawei-Vlanif30]  dhcp se g

[Huawei-Vlanif30] int vlan 40

[Huawei-Vlanif40]  dhcp se g

[Huawei-Vlanif40] int vlan 50

[Huawei-Vlanif50]  dhcp se g

[Huawei-Vlanif50] int vlan 60

[Huawei-Vlanif60]  dhcp se g

路由协议OSPF配置

ospf 1

area 0.0.0.0

  network 10.0.0.0 0.0.255.255

 area 0.0.0.1

  network 192.200.0.0 0.0.255.255

配置OSPF优化，配置静默端口

[Huawei-ospf-1]silent-interface Vlanif  10

[Huawei-ospf-1]silent-interface Vlanif 20

[Huawei-ospf-1]silent-interface Vlanif 30

[Huawei-ospf-1]silent-interface Vlanif 40

[Huawei-ospf-1]silent-interface Vlanif 50

[Huawei-ospf-1]silent-interface Vlanif 60

核心层配置

[Huawei]ospf 1

[Huawei-ospf-1]a 0

[Huawei-ospf-1-area-0.0.0.0]network  10.0.0.0 0.0.255.255

出口防火墙配置安全策略

security-policy

 rule name ISP

  source-zone trust

  destination-zone untrust

  action permit

防火墙NAT策略

rule name ISP

  source-zone trust

  destination-zone untrust

  action source-nat easy-ip

防火墙做NAT SERVER 映射

[USG6000V1]nat server  protocol  tcp  global  100.100.100.100 8080 inside  192.2

00.80.10 www

服务器区域防火墙配置

security-policy

 rule name server

  source-zone trust

  destination-zone dmz

  action permit

#

6.网络测试

私信获取