HCIE - Campus Network Technology Summary

1. Network Reliability

(1) LACP static link aggregation (mode lacp-static)

interface Eth-Trunk3
 port link-type trunk
 port trunk allow-pass vlan 100 
 mode lacp-static
 trunkport g0/0/23 
 trunkport g0/0/24

(2) Verify that the aggregation came up

<Huawei>display eth-trunk 3
Eth-Trunk3's state information is:
Local:
LAG ID: 3                   WorkingMode: STATIC
Preempt Delay: Disabled     Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768      System ID: 4c1f-cc43-2bec
Least Active-linknumber: 1  Max Active-linknumber: 8
Operate status: up          Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
// Every member showing Status = Selected means LACP negotiation succeeded;
// a member showing Unselect is not carrying traffic for the bundle
GigabitEthernet0/0/23  Selected 1GE      32768   24     817     10111100  1
GigabitEthernet0/0/24  Selected 1GE      32768   25     817     10111100  1

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
GigabitEthernet0/0/23  32768    4c1f-cc76-0d0b  32768   24     817     10111100
GigabitEthernet0/0/24  32768    4c1f-cc76-0d0b  32768   25     817     10111100
// Both members must report the same partner System ID; different IDs mean the
// two links terminate on different switches (mis-cabling)
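To turn the check above into something that runs against a saved `display eth-trunk` dump, here is an added example in Python (not part of the original page): it parses the Local and Partner tables and flags members that are not Selected, an up-port count that disagrees with the member list, and members whose partner System IDs differ (two links landing on different switches). The text it parses is constructed from the output above, not a live capture.

```python
"""Health check for a Huawei `display eth-trunk` dump (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the display output above (not a live capture).
SAMPLE = """\
Eth-Trunk3's state information is:
Local:
LAG ID: 3                   WorkingMode: STATIC
Preempt Delay: Disabled     Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768      System ID: 4c1f-cc43-2bec
Least Active-linknumber: 1  Max Active-linknumber: 8
Operate status: up          Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/23  Selected 1GE      32768   24     817     10111100  1
GigabitEthernet0/0/24  Selected 1GE      32768   25     817     10111100  1

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
GigabitEthernet0/0/23  32768    4c1f-cc76-0d0b  32768   24     817     10111100
GigabitEthernet0/0/24  32768    4c1f-cc76-0d0b  32768   25     817     10111100
"""


@dataclass
class TrunkState:
    lag_id: int
    mode: str
    up_ports: int
    local: dict = field(default_factory=dict)    # member port -> Status column
    partner: dict = field(default_factory=dict)  # member port -> partner SystemID


def parse_eth_trunk(text: str) -> TrunkState:
    """Extract LAG header fields plus the Local and Partner member tables."""
    lag = int(re.search(r"LAG ID:\s*(\d+)", text).group(1))
    mode = re.search(r"WorkingMode:\s*(\S+)", text).group(1)
    up = int(re.search(r"Number Of Up Port In Trunk:\s*(\d+)", text).group(1))
    state = TrunkState(lag, mode, up)
    section = None
    for line in text.splitlines():
        if line.startswith("Local:"):
            section = "local"
        elif line.startswith("Partner:"):
            section = "partner"
        m = re.match(r"^(\S*Ethernet\S+)\s+(\S+)\s+(\S+)", line)
        if not m:
            continue  # header, separator or blank line
        port, col2, col3 = m.groups()
        if section == "local":
            state.local[port] = col2      # Status (Selected / Unselect)
        elif section == "partner":
            state.partner[port] = col3    # partner SystemID


    return state


def lag_problems(state: TrunkState) -> list:
    """Return human-readable problems; an empty list means the LAG is healthy."""
    problems = []
    unselected = [p for p, s in state.local.items() if s != "Selected"]
    if unselected:
        problems.append(f"not Selected: {', '.join(unselected)}")
    if len(state.local) != state.up_ports:
        problems.append(f"{state.up_ports} up ports reported but {len(state.local)} members listed")
    ids = set(state.partner.values())
    if len(ids) > 1:
        # Members negotiating with different partner systems terminate on
        # different switches: a mis-cabled port will never be Selected reliably.
        problems.append(f"members see different partner System IDs: {sorted(ids)}")
    missing = set(state.local) - set(state.partner)
    if missing:
        problems.append(f"no partner information for: {', '.join(sorted(missing))}")
    return problems


if __name__ == "__main__":
    st = parse_eth_trunk(SAMPLE)
    print(f"Eth-Trunk{st.lag_id} ({st.mode}): {lag_problems(st) or 'healthy'}")
```

Feed it the output of `display eth-trunk <id>` copied from the switch; anything other than an empty problem list is worth a look before trusting the bundle.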
    

2. DHCP and DHCP Relay

(1) DHCP

Addresses are assigned from a global address pool; interface-based pools are not covered here.

// Global
dhcp enable
vlan 11
#
ip pool vlan11
 gateway-list 10.1.11.254
 network 10.1.11.0 mask 255.255.255.0
#
// This device is the DHCP server and hands out addresses from the global pool;
// the pool is selected by matching the VLANIF address against gateway-list
interface Vlanif11
 ip address 10.1.11.254 255.255.255.0
 dhcp select global

(2) DHCP relay

// Relay device
dhcp enable
vlan 11
// The address pool lives on the remote device, which acts as the DHCP server
interface Vlanif11
 ip address 10.1.11.254 255.255.255.0
 // relay mode
 dhcp select relay
 // address of the remote DHCP server
 dhcp relay server-ip 10.1.208.253
#
// On the remote DHCP server:
// address pool; gateway-list must equal the relay's VLANIF address, because the
// server picks the pool by the giaddr the relay inserts (10.1.11.254)
ip pool vlan11
 gateway-list 10.1.11.254
 network 10.1.11.0 mask 255.255.255.0
#
// The interconnect VLAN (VLAN 208 between relay and server) serves the global
// pool matching the relayed request
interface Vlanif208
 ip address 10.1.208.253 255.255.255.252
 dhcp select global
// The server also needs a route back to 10.1.11.0/24, otherwise relayed replies never reach the relay

3. Campus Multi-Service Separation (VPN-instance based)

Environment overview: two aggregation switches uplink to a core device; the core separates the services into VPN instances and runs the Layer-3 routing protocol.
Two service classes, Employee and Guest (Employee sits in OSPF area 1, Guest in area 2).

(1) Aggregation switches

// Aggregation 1
ospf 1 router-id 2.2.2.2
// Employee
 area 0.0.0.1
  // internal subnets 11 and 21, plus the 208 interconnect to the core
  network 10.1.11.254 0.0.0.0
  network 10.1.21.254 0.0.0.0
  network 10.1.208.254 0.0.0.0
#
// Aggregation 2
ospf 1 router-id 3.3.3.3
// Employee
 area 0.0.0.1
  // internal subnets 31 and 41, plus the 209 interconnect to the core
  network 10.1.31.254 0.0.0.0
  network 10.1.41.254 0.0.0.0
  network 10.1.209.254 0.0.0.0
#
// The core is split into three parts
// Core: Employee service
ospf 1 router-id 1.1.1.1 vpn-instance Employee
// Disables OSPF's VPN routing-loop detection (DN-bit / route-tag checks) so the
// process bound to the VPN instance calculates routes directly; required when the
// instance is used purely for segmentation, without MP-BGP
 vpn-instance-capability simple
 area 0.0.0.1
  // towards aggregation 1
  network 10.1.208.253 0.0.0.0
  // towards aggregation 2
  network 10.1.209.253 0.0.0.0
  // directly attached server subnet
  network 10.1.60.254 0.0.0.0
  // Employee wireless subnets
  network 10.1.51.254 0.0.0.0
  network 10.1.52.254 0.0.0.0
  network 10.1.53.254 0.0.0.0
  network 10.1.54.254 0.0.0.0
  network 10.1.55.254 0.0.0.0
  // interconnect towards the firewall
  network 10.1.206.1 0.0.0.0
#
// Core: Guest service
ospf 3 router-id 1.1.1.3 vpn-instance Guest
 vpn-instance-capability simple
 area 0.0.0.2
  // Guest wireless subnets
  network 10.1.101.254 0.0.0.0
  network 10.1.102.254 0.0.0.0
  network 10.1.103.254 0.0.0.0
  network 10.1.104.254 0.0.0.0
  network 10.1.105.254 0.0.0.0
  // interconnect towards the firewall
  network 10.1.207.1 0.0.0.0
#
// Core: Public (Internet) service, in the global routing table
ospf 2 router-id 1.1.1.2
// peers with the egress router
 area 0.0.0.0
  network 10.1.200.2 0.0.0.0
  network 10.1.200.6 0.0.0.0
 // faces firewall zone 1 (Employee); the import filter drops Guest prefixes from
 // the inter-area (Type-3 summary) routes the ABR injects into this area
 area 0.0.0.1
  filter ip-prefix deny_Guest import
  network 10.1.204.1 0.0.0.0
 // faces firewall zone 2 (Guest); the import filter drops Employee prefixes
 area 0.0.0.2
  filter ip-prefix deny_Employee import
  network 10.1.205.1 0.0.0.0
#

(2) Service isolation

// Prefix lists. An entry without greater-equal/less-equal matches only prefixes of
// exactly that mask length; add "greater-equal 24 less-equal 32" if longer prefixes
// inside these ranges (a /25 sub-subnet, a /32 host route) must be caught as well
ip ip-prefix deny_Employee  deny 10.1.11.0 24
ip ip-prefix deny_Employee  deny 10.1.21.0 24
ip ip-prefix deny_Employee  deny 10.1.31.0 24
ip ip-prefix deny_Employee  deny 10.1.41.0 24
ip ip-prefix deny_Employee  deny 10.1.51.0 24
ip ip-prefix deny_Employee  deny 10.1.52.0 24
ip ip-prefix deny_Employee  deny 10.1.53.0 24
ip ip-prefix deny_Employee  deny 10.1.54.0 24
ip ip-prefix deny_Employee  deny 10.1.55.0 24
ip ip-prefix deny_Employee  permit 0.0.0.0 0 less-equal 32
ip ip-prefix deny_Guest  deny 10.1.101.0 24
ip ip-prefix deny_Guest  deny 10.1.102.0 24
ip ip-prefix deny_Guest  deny 10.1.103.0 24
ip ip-prefix deny_Guest  deny 10.1.104.0 24
ip ip-prefix deny_Guest  deny 10.1.105.0 24
ip ip-prefix deny_Guest  permit 0.0.0.0 0 less-equal 32
// Referenced under the OSPF area view (core Public process)
filter ip-prefix deny_Employee import
// This only controls which routes each area learns; the data-plane separation is
// enforced by the VPN instances and the firewall policy
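As an added example (not from the original page), the Python below reproduces Huawei ip-prefix matching semantics (top-down, first match wins, implicit deny at the end; an entry without greater-equal/less-equal matches only prefixes of exactly that mask length) and runs deny_Employee against Employee, Guest and longer-than-/24 prefixes. It shows that the list as written lets a later-added 10.1.11.128/25 or a 10.1.21.7/32 host route through to the Guest area, and that `greater-equal 24 less-equal 32` closes the gap. The sample routes are constructed; only the standard library is used.

```python
"""Huawei ip-prefix matching applied to the deny_Employee list (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# (action, network, lowest matching length, highest matching length)
Entry = Tuple[str, ipaddress.IPv4Network, int, int]
EMPLOYEE_THIRD_OCTETS = (11, 21, 31, 41, 51, 52, 53, 54, 55)


def entry(action: str, net: str, ge: Optional[int] = None, le: Optional[int] = None) -> Entry:
    """One `ip ip-prefix ... {permit|deny} net len [greater-equal ge] [less-equal le]` line.
    With neither ge nor le the entry matches only prefixes of exactly net's length."""
    n = ipaddress.ip_network(net, strict=False)
    lo = n.prefixlen if ge is None else ge
    hi = n.prefixlen if le is None else le
    if not (n.prefixlen <= lo <= hi <= 32):
        raise ValueError("greater-equal must be >= prefix length and <= less-equal <= 32")
    return (action, n, lo, hi)


def prefix_list_match(entries: List[Entry], route: str) -> str:
    """Return 'permit' or 'deny' for a route such as '10.1.11.0/24'."""
    r = ipaddress.ip_network(route, strict=False)
    for action, net, lo, hi in entries:
        # length must be within [lo, hi] and the first net.prefixlen bits must agree
        if lo <= r.prefixlen <= hi and r.supernet(new_prefix=net.prefixlen) == net:
            return action
    return "deny"  # implicit deny at the end of every ip-prefix list


def leaks(entries: List[Entry], routes: List[str]) -> List[str]:
    """Routes that the list permits (i.e. that would enter the area)."""
    return [r for r in routes if prefix_list_match(entries, r) == "permit"]


# deny_Employee exactly as written above: exact-length /24 denies plus a catch-all permit
DENY_EMPLOYEE = [entry("deny", f"10.1.{o}.0/24") for o in EMPLOYEE_THIRD_OCTETS]
DENY_EMPLOYEE.append(entry("permit", "0.0.0.0/0", le=32))

# Hardened variant: also deny every longer prefix inside each Employee /24
DENY_EMPLOYEE_STRICT = [entry("deny", f"10.1.{o}.0/24", ge=24, le=32) for o in EMPLOYEE_THIRD_OCTETS]
DENY_EMPLOYEE_STRICT.append(entry("permit", "0.0.0.0/0", le=32))

# Constructed test routes
EMPLOYEE_ROUTES = ["10.1.11.0/24", "10.1.21.0/24", "10.1.51.0/24"]
GUEST_ROUTES = ["10.1.101.0/24", "10.1.105.0/24"]
MORE_SPECIFIC = ["10.1.11.128/25", "10.1.21.7/32"]  # e.g. a sub-subnet or host route added later

if __name__ == "__main__":
    print("as written, Employee /24s leaking :", leaks(DENY_EMPLOYEE, EMPLOYEE_ROUTES))
    print("as written, longer prefixes leaking:", leaks(DENY_EMPLOYEE, MORE_SPECIFIC))
    print("strict, longer prefixes leaking    :", leaks(DENY_EMPLOYEE_STRICT, MORE_SPECIFIC))
    print("strict, Guest routes still allowed :", leaks(DENY_EMPLOYEE_STRICT, GUEST_ROUTES))
```

The same exact-length caveat applies to deny_Guest; whenever a prefix list is used as a security boundary rather than a routing-policy convenience, write the denies with a length range so that nobody can bypass them by advertising a more specific route.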

4. Firewall to Core Switch Interconnection

(1) Allocating root-system VLAN resources to the virtual systems

// Enable virtual systems
vsys enable
// VLANs 204 and 205 connect to the core's Public process; 206 and 207 connect to
// the matching core OSPF VPN instances
vlan batch 204 to 207
// assign the VLANs to the virtual firewalls
vsys name Guest
 assign vlan 205
 assign vlan 207
vsys name Employee
 assign vlan 204
 assign vlan 206

(2) Root system configuration

// VLANIF / Virtual-if / physical interfaces
#
interface Vlanif204
 ip binding vpn-instance Employee
 ip address 10.1.204.2 255.255.255.252
 service-manage ping permit
#
interface Vlanif205
 ip binding vpn-instance Guest
 ip address 10.1.205.2 255.255.255.252
 service-manage ping permit
#
interface Vlanif206
 ip binding vpn-instance Employee
 ip address 10.1.206.2 255.255.255.252
 service-manage ping permit
#
interface Vlanif207
 ip binding vpn-instance Guest
 ip address 10.1.207.2 255.255.255.252
 service-manage ping permit
#
interface Virtual-if1
 ip address 10.1.255.253 255.255.255.255
#
interface Virtual-if2
 ip address 10.1.200.254 255.255.255.255
#
interface GigabitEthernet1/0/1
 portswitch
 undo shutdown
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 204 to 205
#
interface GigabitEthernet1/0/2
 portswitch
 undo shutdown
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 206 to 207
// OSPF
ospf 1 router-id 4.4.4.1 vpn-instance Employee
 vpn-instance-capability simple
 area 0.0.0.1
  network 10.1.204.2 0.0.0.0
  network 10.1.206.2 0.0.0.0
#
ospf 2 router-id 4.4.4.2 vpn-instance Guest
 vpn-instance-capability simple
 area 0.0.0.2
  network 10.1.205.2 0.0.0.0
  network 10.1.207.2 0.0.0.0
#
// Inter-vsys access: leak the Guest WLAN subnets into Employee, and only the single
// server 10.1.60.99 into Guest (the rest of 10.1.60.0/24 stays unreachable from Guest)
ip route-static vpn-instance Employee 10.1.101.0 255.255.255.0 vpn-instance Guest
ip route-static vpn-instance Employee 10.1.102.0 255.255.255.0 vpn-instance Guest
ip route-static vpn-instance Employee 10.1.103.0 255.255.255.0 vpn-instance Guest
ip route-static vpn-instance Employee 10.1.104.0 255.255.255.0 vpn-instance Guest
ip route-static vpn-instance Employee 10.1.105.0 255.255.255.0 vpn-instance Guest
ip route-static vpn-instance Guest 10.1.60.99 255.255.255.255 vpn-instance Employee

(3) Configuration inside the virtual systems

// Zone assignment
// Employee vsys
firewall zone trust
 set priority 85
 add interface Vlanif206
#
firewall zone untrust
 set priority 5
 add interface Virtual-if1
 add interface Vlanif204
#
// Guest vsys
firewall zone trust
 set priority 85
 add interface Vlanif207
#
firewall zone untrust
 set priority 5
 add interface Virtual-if2
 add interface Vlanif205
#
// Guest vsys
// address set and service set
ip address-set WLAN_Guest type object
 address 0 10.1.101.0 mask 24
 address 1 10.1.102.0 mask 24
 address 2 10.1.103.0 mask 24
 address 3 10.1.104.0 mask 24
 address 4 10.1.105.0 mask 24
// service set: RDP and ICMP
ip service-set Guest_Service type object 16
 service 0 protocol tcp destination-port 3389
 service 1 protocol icmp
// Security policy, matched top-down; the first matching rule wins
security-policy
 rule name permit_60.99
  source-zone trust
  destination-zone untrust
  source-address address-set WLAN_Guest
  // restrict to the host the rule name promises; without this line the rule permits
  // RDP/ICMP from Guest to every untrust destination, including all of 10.1.60.0/24
  destination-address 10.1.60.99 mask 255.255.255.255
  service Guest_Service
  action permit
 rule name deny_other
  source-zone trust
  destination-zone untrust
  source-address address-set WLAN_Guest
  destination-address 10.1.60.0 mask 255.255.255.0
  action deny
 rule name to_internet
  source-zone trust
  destination-zone untrust
  source-address address-set WLAN_Guest
  action permit
///
// Reordering rules: the command takes rule names, not numbers
rule move deny_other before to_internet   // place deny_other ahead of to_internet
rule move to_internet bottom              // move a rule to the bottom
rule move permit_60.99 top                // move a rule to the top
The rules must be ordered so that permit_60.99 and deny_other sit above to_internet; if to_internet comes first it matches every Guest flow and the deny never fires.
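Added example, not from the original page: a top-down evaluator for the Guest security policy above, standard library only. It checks the three things a practitioner wants to confirm before touching `rule move`: that a permit_60.99 rule without a destination-address allows RDP/ICMP from Guest to every untrust destination, including other hosts in 10.1.60.0/24 (today only the root-system static route for 10.1.60.99/32 keeps the rest unreachable, so routing rather than policy is doing the protecting); that adding `destination-address 10.1.60.99 mask 255.255.255.255` fixes that; and that moving to_internet above deny_other makes the deny dead. The flows are constructed; the default for unmatched traffic is the firewall's implicit deny.

```python
"""Top-down evaluation of the Guest vsys security policy (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

WLAN_GUEST = [ipaddress.ip_network(f"10.1.10{i}.0/24") for i in range(1, 6)]
GUEST_SERVICE = {("tcp", 3389), ("icmp", None)}   # service-set Guest_Service


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str
    src_zone: str
    dst_zone: str
    src_addrs: List[ipaddress.IPv4Network] = field(default_factory=list)  # empty => any
    dst_addrs: List[ipaddress.IPv4Network] = field(default_factory=list)  # empty => any
    services: set = field(default_factory=set)                           # empty => any

    def matches(self, f: Flow) -> bool:
        if (self.src_zone, self.dst_zone) != (f.src_zone, f.dst_zone):
            return False
        s, d = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if self.src_addrs and not any(s in n for n in self.src_addrs):
            return False
        if self.dst_addrs and not any(d in n for n in self.dst_addrs):
            return False
        svc = (f.proto, None if f.proto == "icmp" else f.dport)
        if self.services and svc not in self.services:
            return False
        return True


def evaluate(policy: List[Rule], f: Flow) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for r in policy:
        if r.matches(f):
            return f"{r.action} ({r.name})"
    return "deny (default)"


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# permit_60.99 WITHOUT a destination-address line
WITHOUT_DST = [
    Rule("permit_60.99", "permit", "trust", "untrust", WLAN_GUEST, [], GUEST_SERVICE),
    Rule("deny_other",   "deny",   "trust", "untrust", WLAN_GUEST, [net("10.1.60.0/24")]),
    Rule("to_internet",  "permit", "trust", "untrust", WLAN_GUEST),
]
# permit_60.99 restricted to the single host its name promises
WITH_DST = [
    Rule("permit_60.99", "permit", "trust", "untrust", WLAN_GUEST, [net("10.1.60.99/32")], GUEST_SERVICE),
    WITHOUT_DST[1], WITHOUT_DST[2],
]
# to_internet moved to the top (the effect of `rule move to_internet top`)
MISORDERED = [WITHOUT_DST[2], WITHOUT_DST[0], WITHOUT_DST[1]]

# Constructed flows from a Guest client
RDP_TO_99     = Flow("trust", "untrust", "10.1.101.10", "10.1.60.99", "tcp", 3389)
RDP_TO_OTHER  = Flow("trust", "untrust", "10.1.101.10", "10.1.60.50", "tcp", 3389)
HTTP_TO_OTHER = Flow("trust", "untrust", "10.1.101.10", "10.1.60.50", "tcp", 80)
HTTPS_OUT     = Flow("trust", "untrust", "10.1.101.10", "203.0.113.5", "tcp", 443)
INBOUND_SSH   = Flow("untrust", "trust", "203.0.113.5", "10.1.101.10", "tcp", 22)

if __name__ == "__main__":
    for label, policy in (("without dst", WITHOUT_DST), ("with dst", WITH_DST), ("misordered", MISORDERED)):
        print(label, "RDP->.50:", evaluate(policy, RDP_TO_OTHER), "| HTTP->.50:", evaluate(policy, HTTP_TO_OTHER))
```

Run it before and after any `rule move`: a change in the verdict for HTTP_TO_OTHER or RDP_TO_OTHER means the ordering or the missing destination has opened the server subnet to the Guest network.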

5. Wireless AC/AP Configuration

AP onboarding

AC: push the configuration and broadcast the SSIDs

Note: make sure the APs are online before configuring them.

// AC
// create the VLANs
vlan batch 51 to 55 100 to 105
// VLAN pools the AC assigns service VLANs from
vlan pool Employee
 vlan 51 to 55
vlan pool Guest
 vlan 101 to 105
// management VLAN; source of the CAPWAP tunnel
capwap source interface vlanif100
## Five steps
1. Security profile
  security-profile name SE
  // WPA/WPA2-PSK with AES (the cipher keyword is mandatory). A single profile shared
  // by both SSIDs means Guest users hold the Employee pass-phrase; give Employee its
  // own profile (or 802.1X) in production
  security wpa-wpa2 psk pass-phrase Huawei@123 aes
2. SSID profiles
  ssid-profile name Guest
   ssid X_Guest
  ssid-profile name Employee
   ssid X_Employee
3. VAP profiles
 vap-profile name Employee
  forward-mode tunnel
  service-vlan vlan-pool Employee
  ssid-profile Employee
  security-profile SE
 // the Guest VAP is built the same way from the Guest SSID profile and VLAN pool
 vap-profile name Guest
  forward-mode tunnel
  service-vlan vlan-pool Guest
  ssid-profile Guest
  security-profile SE
4. Bind the VAPs to the AP group
ap-group name A
 vap-profile Employee wlan 1 radio all
 vap-profile Guest wlan 2 radio all
5. Bind the onboarded AP to the group
 ap-id 0   // ID of the AP that came online
  ap-group name A

6. Egress Router NAT

(1) Easy IP

#
// "rule 5 permit" matches every source; tighten it to the internal range that is
// actually expected to leave (e.g. rule 5 permit source 10.1.0.0 0.0.255.255) so
// that spoofed or unexpected sources are not translated
acl number 2000
 rule 5 permit
#
// egress interface: translate to the interface address
interface GigabitEthernet4/0/2
 ip address 10.255.1.1 255.255.255.0
 nat outbound 2000

(2) NAPT

// ACL
#
acl number 2000
 rule 5 permit
#
// public address range assigned by the ISP
nat address-group 1 10.255.4.2 10.255.4.100
// egress interface
interface GigabitEthernet4/0/3
 ip address 10.255.4.1 255.255.255.0
 nat outbound 2000 address-group 1

(3) Destination address and port mapping (NAT server)

Use case: Internet users reaching an internal server.

// on the egress interface: TCP 8081 on the interface's own address maps to port 80 (www) of 10.1.60.101
nat server protocol tcp global current-interface 8081 inside 10.1.60.101 www

(4) Source address mapping

Use case: multiple Internet exits; translating the source of inbound server traffic forces the reply back through the same exit, avoiding an asymmetric return path.

// First match the published service (Internet clients hitting the server's public
// address and port), then apply source NAT on the interface towards the server
acl number 3001
 rule 5 permit tcp destination 10.255.4.1 0 destination-port eq 8081
#
// interface facing the internal network (traffic to the server leaves through it)
interface GigabitEthernet0/0/1
 ip address 10.1.200.5 255.255.255.252
 nat outbound 3001