B站UP:驴毛小小
拓扑描述:
1.医院网络含有门诊部、放射科、急诊部、行政部等四个主要部门,通过vlan划分技术,将不同部门进行二层隔离。
2.各部门之间通过三层交换进行通信；汇聚层与核心层部署MSTP协议，将vlan10、vlan20和vlan30映射至实例5中，
将vlan40、vlan50和vlan51映射至实例6中,并且SW1作为实例5的主用根桥,实例6的备用根桥,SW2反之。
3.汇聚层与核心层交换机互联链路采用链路聚合,模式为lacp静态
4.在核心层采用VRRP技术,为用户提供网关冗余,其中vlan10、vlan20以及vlan30的主用网关在SW1上,备用网关在SW2上,vlan40、vlan51主用网关在SW2上,备用网关在SW1上。
5.医院内网IGP采用OSPF协议学习网络地址。
6.医院无线网络采用旁挂AC+AP二层组网技术
7.医院用户终端统一管理分配,通过DHCP服务器动态获取IP地址,由于服务器需要跨网段分配IP,因此采用DHCP中继技术
8.内网访问外网需要通过NAT技术进行地址转换,并且采用easy-ip方式
9.通过NAT-server,将内网FTP服务器、HTTP服务器映射为公网地址-200.1.1.100,提供给外网用户访问
10.在核心层三层交换机部署telnet远程登录，只有网络管理员（acl 3000 中放行的 192.168.13.0/24，推测为网管网段）才能登录，其余用户被拒绝。注意：acl 3000 只有在 user-interface vty 下以 acl 3000 inbound 绑定后才会生效，本文未展示该段配置，需自行核对；telnet 以明文传输账号口令（本文中为 local-user huawei / huawei@123，且以明文写在配置里），生产环境应改用 SSH（stelnet），并使用强口令与密文存储。
11.通过ACL技术实现：行政部只能访问服务器和外网，禁止访问医院其他科室；外网只能访问内网服务器；其余内网用户可以正常访问。注意：本文所示防火墙 security-policy 仅有 DMZ-Trust 一条规则，对 dmz 与 trust 之间的双向流量全部 permit，且未包含涉及 untrust 区域的规则，因此上述访问限制需由交换机侧 ACL 或本文未展示的策略来实现。
DHCP
sysname DHCP
#
dhcp enable
#
ip pool VLAN10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.252 192.168.10.253
#
ip pool vlan20
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
excluded-ip-address 192.168.20.252 192.168.20.253
#
ip pool vlan30
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
excluded-ip-address 192.168.30.252 192.168.30.253
#
ip pool VLAN40
gateway-list 192.168.40.254
network 192.168.40.0 mask 255.255.255.0
excluded-ip-address 192.168.40.252 192.168.40.253
#
ip pool vlan51
gateway-list 192.168.51.254
network 192.168.51.0 mask 255.255.255.0
excluded-ip-address 192.168.51.252 192.168.51.253
#
interface GigabitEthernet0/0/0
ip address 192.168.60.1 255.255.255.0
dhcp select global
ip route-static 0.0.0.0 0.0.0.0 192.168.60.254
FW
sysname FW
#
interface GigabitEthernet1/0/0
ip address 192.168.11.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 192.168.12.1 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 192.168.60.254 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
#
firewall zone dmz
add interface GigabitEthernet1/0/2
#
ospf 1
area 0.0.0.0
network 192.168.11.0 0.0.0.255
network 192.168.12.0 0.0.0.255
network 192.168.60.0 0.0.0.255
#
#
firewall detect ftp
#
security-policy
rule name DMZ-Trust
source-zone dmz
source-zone trust
destination-zone dmz
destination-zone trust
action permit
SW2
#
sysname SW2
#
vlan batch 10 20 30 40 50 to 51 521
#
stp instance 5 root secondary
stp instance 6 root primary
dhcp enable
#
stp region-configuration
region-name huawei
revision-level 6
instance 5 vlan 10 20 30
instance 6 vlan 40 50 to 51
active region-configuration
#
acl number 3000
rule 5 permit ip source 192.168.13.0 0.0.0.255
rule 15 deny ip
#
drop-profile default
local-user huawei password huawei@123
local-user huawei privilege level 6
local-user huawei service-type telnet
#
interface Vlanif10
ip address 192.168.10.253 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
dhcp select relay
dhcp relay server-ip 192.168.60.1
#
interface Vlanif20
ip address 192.168.20.253 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
dhcp select relay
dhcp relay server-ip 192.168.60.1
#
interface Vlanif30
ip address 192.168.30.253 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
dhcp select relay
dhcp relay server-ip 192.168.60.1
#
interface Vlanif40
ip address 192.168.40.253 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 110
dhcp select relay
dhcp relay server-ip 192.168.60.1
#
interface Vlanif51
ip address 192.168.51.253 255.255.255.0
vrrp vrid 51 virtual-ip 192.168.51.254
vrrp vrid 51 priority 110
dhcp select relay
dhcp relay server-ip 192.168.60.1
#
interface Vlanif521
ip address 192.168.12.2 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 521
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/10
eth-trunk 1
#
interface GigabitEthernet0/0/11
eth-trunk 1
#
interface GigabitEthernet0/0/12
eth-trunk 1
#
ospf 1
silent-interface Vlanif10
silent-interface Vlanif20
silent-interface Vlanif30
silent-interface Vlanif40
silent-interface Vlanif51
area 0.0.0.0
network 192.168.12.0 0.0.0.255
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
network 192.168.51.0 0.0.0.255