多网络互联互通构建

某单位网络需求:

需求:
楼层分三楼和一楼,中心机房设三楼,一楼设一个弱电柜;
弱电点位350个;
有线230个;
无线25个;
监控45个;
单位内部网(含A网,22个计算机,可分配IP 500个);办公网(10个计算机,IP可分配数量500个);无线网(25个ap,IP可分配数量500个);监控网;门禁网(IP可分配数量255个);

网络规划

某单位网络地址规划
业务 地址段 子网掩码 网关 可用地址 可用数量 说明
内部VLAN10 10.44.112. 255.255.254.0 10.44.113.254 10.44.112.1-10.44.113.253 500 内部网
来宾VLAN20 10.44.114. 255.255.254.0 10.44.115.254 10.44.114.1-10.44.115.253 500 无线网
192.168.10. 255.255.254.0 192.168.10.1 192.168.10.1-192.168.11.1 500 无线网
数据 10.44.116. 255.255.255.0 10.44.116.254 10.44.116.1-10.44.116.253 254
应用 10.44.117. 255.255.255.0 10.44.117.254 10.44.117.1-10.44.117.253 254
语音 10.44.118. 255.255.255.0 10.44.118.254 10.44.118.1-10.44.118.253 254
视频监控 10.44.119. 255.255.255.0 10.44.119.254 10.44.119.1-10.44.119.253 254 监控
办公VLAN70 10.44.120. 255.255.254.0 10.44.121.254 10.44.120.1-10.44.121.253 500 办公
预留VLAN80 10.44.122. 255.255.255.0 10.44.122.254 10.44.122.1-10.44.122.253 254 总网关10.44.122.2

三层交换机配置

[V200R007C00SPCb00]

time-range shixun02 13:00 to 16:01 Thu
time-range shixun02 from 12:38 2019/3/7 to 17:38 2019/3/7
time-range shban 08:00 to 17:00 daily

drop illegal-mac alarm

l2tp enable

dns resolve
dns server 202.96.113.34 (电信dns)
dns server 202.96.113.35
dns proxy enable

vlan batch 80

ike local-name zhejiang

dhcp enable

# PKI realm "default" enrolls a self-signed certificate, and the SSL server policy
# below takes its certificate from that realm. Later in this listing
# `http secure-server ssl-policy default_policy` binds the policy to web management,
# so browsers cannot validate the device identity.
# NOTE(review): a CA-issued certificate would let administrators notice interception.
pki realm default
enrollment self-signed

ssl policy default_policy type server
pki-realm default

# ACL 2999 (named GigabitEthernet0/0/4). Its single rule has no source condition,
# so it matches every source address.
# It is referenced twice in this listing: `nat outbound 2999` on GigabitEthernet0/0/4
# and the outbound traffic-filter on Vlanif1.
# NOTE(review): limiting the rule to the internal prefixes that should be translated
# keeps unexpected sources out of NAT.
acl name GigabitEthernet0/0/4 2999
rule 5 permit

web
user-set Default
user-set VIP

traffic policy SAC_manager

ip pool l2tpLns1
gateway-list 192.168.100.254
network 192.168.100.0 mask 255.255.255.0

# Local AAA accounts on the gateway; all schemes and domains are left at their defaults.
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
# admin: privilege level 15, allowed on the console and the web UI (service-type terminal http).
# NOTE(review): the password strings in this stanza are published as-is on the page
# (this one appears mangled by page rendering). A configuration shared publicly should
# have them redacted and the affected passwords changed.
local-user admin password irreversible-cipher %%#😗;ABlZDBS{L@K’2;7p)QLZ86FuW+vptCJ(W1v6HFYP#6nSt;B[GvIuPiUI%^%#
local-user admin privilege level 15
local-user admin service-type terminal http
# ad / longy: level-0 accounts restricted to PPP, presumably the L2TP dial-in users
# served by Virtual-Template1. They are stored with `cipher` (reversible) rather than
# `irreversible-cipher`; CHAP needs a recoverable secret, which is likely why — so the
# stored strings deserve the same protection as the passwords themselves.
local-user ad password cipher %%#]<sY6DY#'h91qK2kaU*VUaH|"6pR)W|d,q]V}Y%%#
local-user ad privilege level 0
local-user ad service-type ppp
local-user longy password cipher %%#"[k@@c(7~;I7\T1(Gk(#m[D%L31uBH.<).N\eiT9%%#
local-user longy privilege level 0
local-user longy service-type ppp

firewall zone zong1
priority 15

firewall zone Local
priority 16

nat alg ftp enable

interface Vlanif1
ip address 192.168.1.1 255.255.255.0
traffic-filter outbound acl name GigabitEthernet0/0/4
dhcp select interface
dhcp server dns-list 192.168.1.1
sa application-statistic enable

interface Vlanif80
ip address 10.44.122.2 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.44.122.1
dhcp server excluded-ip-address 10.44.122.180 10.44.122.253
dhcp server dns-list 202.96.113.34 202.96.113.35
sa application-statistic enable

# PPP template used for L2TP dial-in (referenced by l2tp-group 1 in this listing).
# Users authenticate with CHAP and receive addresses from pool l2tpLns1 (192.168.100.0/24);
# the template itself holds the pool gateway address.
interface Virtual-Template1
ppp authentication-mode chap
remote address pool l2tpLns1
ip address 192.168.100.254 255.255.255.0

interface GigabitEthernet0/0/0

interface GigabitEthernet0/0/1
port link-type access
port default vlan 80

interface GigabitEthernet0/0/2
port hybrid pvid vlan 80
undo port hybrid vlan 1
port hybrid untagged vlan 80

interface GigabitEthernet0/0/3
port hybrid pvid vlan 80
undo port hybrid vlan 1
port hybrid untagged vlan 80

# Uplink carrying the public /30 address; the default route in this listing leaves through it.
interface GigabitEthernet0/0/4
tcp adjust-mss 1200
ip address 122.210.93.74 255.255.255.252
# Publishes TCP 8588 on the interface's public address to 10.44.122.101:8588.
# No source restriction is visible in this listing, so the service would be reachable
# from any Internet host.
# NOTE(review): restrict the permitted sources, or reach the service through the VPN instead.
nat server protocol tcp global current-interface 8588 inside 10.44.122.101 8588
# Source NAT for whatever ACL 2999 matches; that ACL is a bare `permit` in this listing.
nat outbound 2999
traffic-policy SAC_manager outbound

interface GigabitEthernet0/0/5
description VirtualPort
sa application-statistic enable

interface Cellular0/0/0
sa application-statistic enable

interface NULL0

# L2TP group that accepts incoming tunnels onto Virtual-Template1.
l2tp-group 1
# Tunnel authentication is switched off, so the tunnel peer is not checked with a
# tunnel password; only the per-user PPP CHAP on Virtual-Template1 gates access.
# NOTE(review): L2TP has no encryption of its own and no IPsec policy is visible in
# this listing — confirm how the tunnel traffic is protected.
undo tunnel authentication
allow l2tp virtual-template 1

info-center timestamp log format-date

snmp-agent local-engineid 800007DB039C713A276249

# Web management. HTTPS uses SSL policy default_policy (backed by the self-signed
# realm defined earlier in this listing).
http secure-server ssl-policy default_policy
# Plain HTTP is enabled alongside HTTPS, and the level-15 admin account has
# service-type http, so its login may cross the network in cleartext unless this
# software version redirects HTTP to HTTPS — confirm.
# NOTE(review): `undo http server enable` would leave only the HTTPS service.
http server enable
http secure-server enable

# Default route to the ISP next hop through the public-facing port.
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/4 122.210.93.73
# Return routes towards the layer-3 switch (10.44.122.254) for the internal, guest,
# office and 192.168.10.0/23 networks of the address plan.
# No route is listed for 10.44.116.0/24 through 10.44.119.0/24 (data, application,
# voice, video surveillance in the plan), so replies to those subnets would follow
# the default route out of the public port.
# NOTE(review): confirm that keeping those subnets unreachable from the gateway is intended.
ip route-static 10.44.112.0 255.255.254.0 10.44.122.254
ip route-static 10.44.114.0 255.255.254.0 10.44.122.254
ip route-static 10.44.120.0 255.255.254.0 10.44.122.254
# 10.44.122.0/24 is also directly connected on Vlanif80 of this device.
ip route-static 10.44.122.0 255.255.255.0 10.44.122.254
ip route-static 192.168.10.0 255.255.254.0 10.44.122.254
# Route for the L2TP client pool via the virtual template.
ip route-static 192.168.100.0 255.255.255.0 Virtual-Template1 122.210.93.73 preference 59

fib regularly-refresh disable

# Console and VTY 0 both authenticate through AAA.
user-interface con 0
authentication-mode aaa
user-interface vty 0
authentication-mode aaa
# NOTE(review): level 15 is set on the line itself; confirm whether the effective
# level comes from here or from the AAA local-user entry.
user privilege level 15
# vty 1 4 carries no settings in this listing, and no inbound ACL limiting the
# management source addresses is visible on any VTY line.
user-interface vty 1 4

wlan ac

voice

diagnose

ops

autostart

Return

3.3三层交换机配置
sysname HUAWEI

vlan batch 5 10 20 30 40 50 61 to 64 70 80

authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile

# Telnet management is enabled. Together with `protocol inbound telnet` on vty 0 4 and
# the level-15 admin account (service-type telnet) in this listing, administrator
# credentials and session contents travel unencrypted.
# NOTE(review): SSH (STelnet) is the usual replacement for remote management.
telnet server enable

dhcp enable

# Global DHCP snooping switch. No `dhcp snooping enable` under a VLAN or interface
# and no `dhcp snooping trusted` uplink appears in this listing.
# NOTE(review): the global command alone presumably does not filter rogue DHCP
# servers on the access ports — confirm the per-VLAN/port part exists.
dhcp snooping enable

radius-server template default

free-rule-template name default_free_rule

portal-access-profile name portal_access_profile

vlan 5
management-vlan

ip pool 70
gateway-list 10.44.121.254
network 10.44.120.0 mask 255.255.254.0
excluded-ip-address 10.44.120.1 10.44.120.15
excluded-ip-address 10.44.120.17 10.44.120.50
excluded-ip-address 10.44.121.199 10.44.121.208
excluded-ip-address 10.44.121.210 10.44.121.253
dns-list 202.96.113.34

# Pool for VLAN 5, which this listing marks as the management VLAN.
# NOTE(review): the pool network is 10.10.127.0/24 while Vlanif5 in this listing is
# 10.44.127.254/24 — looks like a typo in one of the two; confirm. No gateway-list is set.
ip pool 5
network 10.10.127.0 mask 255.255.255.0

ip pool 80
dns-list 202.96.113.34

ip pool 20
gateway-list 10.44.115.254
network 10.44.114.0 mask 255.255.254.0
excluded-ip-address 10.44.115.200 10.44.115.253
lease day 0 hour 20 minute 0
dns-list 202.96.113.34

ip pool 10
network 10.44.112.0 mask 255.255.254.0
excluded-ip-address 10.44.112.1 10.44.112.98
excluded-ip-address 10.44.112.100

# AAA on the layer-3 switch.
aaa
authentication-scheme default
# Scheme "radius" authenticates against RADIUS and is applied to domain "default" below.
# NOTE(review): `radius-server template default` earlier in this listing shows no server
# address or shared key — confirm they are configured, otherwise users in that domain
# cannot be authenticated.
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
local-aaa-user password policy administrator
# An expiry of 0 days means local administrator passwords never expire.
password expire 0
domain default
authentication-scheme radius
radius-server default
# Administrators (domain default_admin) stay on the default authentication scheme.
domain default_admin
authentication-scheme default
local-user admin password irreversible-cipher <密文已省略:原页面此处被公式渲染器损坏,无法还原>
# The only service type granted to the level-15 admin account is telnet, so every
# remote administrator login on this switch is sent in cleartext.
# NOTE(review): pair a move to SSH on the VTY lines with a matching change here.
local-user admin privilege level 15
local-user admin service-type telnet

interface Vlanif1

interface Vlanif5
ip address 10.44.127.254 255.255.255.0

interface Vlanif10
ip address 10.44.113.254 255.255.254.0
dhcp select global

# Gateway for VLAN 20, the guest / wireless network in the address plan.
# No ACL or traffic-filter is visible on this or any other Vlanif in the listing, so
# the switch would route guest traffic to the internal, office and surveillance subnets.
# NOTE(review): confirm inter-VLAN filtering exists; VLAN separation alone does not
# isolate networks that share a routing device.
interface Vlanif20
ip address 10.44.115.254 255.255.254.0
dhcp select global

interface Vlanif30
ip address 10.44.116.254 255.255.255.0

interface Vlanif40
ip address 10.44.117.254 255.255.255.0

interface Vlanif50
ip address 10.44.118.254 255.255.255.0

interface Vlanif61
ip address 10.44.119.30 255.255.255.224
dhcp select global

interface Vlanif62
ip address 10.44.119.62 255.255.255.224
dhcp select global

interface Vlanif63
ip address 10.44.119.94 255.255.255.224
dhcp select global

interface Vlanif64
ip address 10.44.119.126 255.255.255.224

interface Vlanif70
ip address 10.44.121.254 255.255.254.0
dhcp select global

interface Vlanif80
ip address 10.44.122.254 255.255.255.0

interface Vlanif90
ip address 10.44.123.254 255.255.255.0

interface Vlanif100
ip address 10.44.124.254 255.255.255.0

interface Vlanif110
ip address 10.44.125.254 255.255.255.0

interface Vlanif120
ip address 10.44.126.254 255.255.255.0

interface Eth-Trunk1
port link-type trunk

interface GigabitEthernet0/0/1
port link-type access
port default vlan 80

interface GigabitEthernet0/0/2

interface GigabitEthernet0/0/3

interface GigabitEthernet0/0/4

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan 10 20 70
stp edged-port enable

# Access port in VLAN 70 (office).
interface GigabitEthernet0/0/8
port link-type access
port default vlan 70
# Spanning tree is turned off on this port, so a loop created behind it would not be
# detected by STP; the edged-port line that follows presumably has no effect while STP
# is disabled here.
# NOTE(review): the other access ports in this listing keep STP on with edged-port only;
# no BPDU protection setting is visible anywhere in the listing.
stp disable
stp edged-port enable

interface GigabitEthernet0/0/9
port link-type access
port default vlan 70
stp edged-port enable

interface GigabitEthernet0/0/10
port link-type access
port default vlan 70
stp edged-port enable

interface GigabitEthernet0/0/11
port link-type access
port default vlan 20
stp edged-port enable

interface GigabitEthernet0/0/12
port link-type access
port default vlan 70
stp edged-port enable

interface GigabitEthernet0/0/13
port link-type access
port default vlan 70
stp edged-port enable

interface GigabitEthernet0/0/14
port link-type access
port default vlan 70
stp edged-port enable

interface GigabitEthernet0/0/15
port link-type access
port default vlan 70
stp edged-port enable

interface GigabitEthernet0/0/16
port link-type access
port default vlan 10
stp edged-port enable

interface GigabitEthernet0/0/17
port link-type access
port default vlan 10
stp edged-port enable

interface GigabitEthernet0/0/18
port link-type trunk
port trunk allow-pass vlan 61 to 64
stp edged-port enable

interface GigabitEthernet0/0/19

interface GigabitEthernet0/0/20

interface GigabitEthernet0/0/21

interface GigabitEthernet0/0/22

interface GigabitEthernet0/0/23

interface GigabitEthernet0/0/24

interface GigabitEthernet0/0/25

interface GigabitEthernet0/0/26

interface GigabitEthernet0/0/27

interface GigabitEthernet0/0/28

interface NULL0

# Default route to the gateway router at 10.44.122.2 (VLAN 80).
ip route-static 0.0.0.0 0.0.0.0 10.44.122.2
# These three prefixes are directly connected on Vlanif10, Vlanif20 and Vlanif70 of this
# switch, and the router in this listing routes the same prefixes back to 10.44.122.254.
# NOTE(review): the connected routes should normally win, which would make these entries
# redundant — confirm and remove them to avoid a loop if an interface goes down.
ip route-static 10.44.112.0 255.255.254.0 10.44.122.2
ip route-static 10.44.114.0 255.255.254.0 10.44.122.2
ip route-static 10.44.120.0 255.255.254.0 10.44.122.2
# 192.168.10.0/23 (second wireless range in the address plan) is reached through a host
# inside the guest VLAN, 10.44.115.253.
ip route-static 192.168.10.0 255.255.254.0 10.44.115.253

# Console port requires no authentication: anyone with physical access to the switch
# gets a CLI session without credentials.
# NOTE(review): `authentication-mode aaa` (as on the VTY lines) closes this.
user-interface con 0
authentication-mode none
# Remote lines 0-4: AAA login, 15-minute idle timeout, Telnet as the only inbound protocol.
# NOTE(review): `protocol inbound ssh` keeps credentials off the wire; no inbound ACL
# limiting management source addresses is visible in this listing.
user-interface vty 0 4
authentication-mode aaa
idle-timeout 15 0
protocol inbound telnet
# vty 16 20 carries no settings in this listing.
user-interface vty 16 20

dot1x-access-profile name dot1x_access_profile

mac-access-profile name mac_access_profile

Return
