This design simulates a company network. The design approach is as follows:
1. End users obtain IP addresses automatically from their respective aggregation switches, which also route their traffic.
2. The aggregation switches are configured as Layer 3 devices and exchange routes with the core switches via OSPF.
3. The primary and backup aggregation switches provide redundancy to end users through VRRP and spanning tree.
4. The core switches provide redundancy through VRRP, spanning tree and link aggregation.
5. The firewall performs NAT so that end users can reach the external network with a reasonable degree of safety.
6. Some internal areas offer wireless access, implemented with an AC plus thin APs.
7. The head-office servers provide WWW, DNS and FTP services internally.
8. The ISP provides reachability via BGP.
9. The firewall is configured with attack defense.
| VLAN   | Department | Network      | Subnet mask   |
| Vlan16 | HR         | 10.0.16.0/24 | 255.255.255.0 |
| Vlan17 | Finance    | 10.0.17.0/24 | 255.255.255.0 |
| Vlan18 | Technical  | 10.0.18.0/24 | 255.255.255.0 |
| Vlan19 | Marketing  | 10.0.19.0/24 | 255.255.255.0 |
| Vlan20 | Sales      | 10.0.20.0/24 | 255.255.255.0 |
| Vlan21 | R&D        | 10.0.21.0/24 | 255.255.255.0 |
6.1.1 Change the device name
sysname FWB
6.1.2 Configure interface IP addresses
interface GigabitEthernet1/0/0 //outside interface, faces ISP-A (2.2.2.1)
undo shutdown
ip address 2.2.2.2 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit //as configured, every management service, including clear-text telnet, http and snmp, is reachable from the untrust side; outside a lab permit at most ssh/https here and restrict the sources
#
interface GigabitEthernet1/0/1 //inside link, 10.0.2.0/24, advertised in OSPF (6.1.4)
undo shutdown
ip address 10.0.2.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/2 //second inside link, 10.0.3.0/24, advertised in OSPF (6.1.4)
undo shutdown
ip address 10.0.3.2 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 192.168.15.2 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
6.1.3 Add interfaces to security zones
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
//note: GigabitEthernet1/0/2 (10.0.3.2) is not added to any zone here; on the USG an interface that belongs to no zone neither forwards traffic nor forms OSPF adjacencies, even though 10.0.3.0/24 is advertised in 6.1.4, so it must be added to the zone of its peer device
6.1.4 Configure OSPF
ospf 1
area 0.0.0.0
network 10.0.2.0 0.0.0.255
network 10.0.3.0 0.0.0.255
6.1.5 Configure the default route
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1 //next hop is GigabitEthernet0/0/1 of ISP-A
6.1.6 Configure the security policy
security-policy
rule name any
action permit //no source-zone, destination-zone or address condition: everything is permitted in every direction, untrust to trust included. That makes the lab work, but it leaves the attack-defense settings in 6.1.8 as the only control between the Internet and the inside; a production policy permits trust to untrust and the published services only and leaves the default action at deny
6.1.7 Configure the NAT policy
nat-policy
rule name any
source-zone trust
destination-zone untrust
action source-nat easy-ip //easy-ip translates to the address of the outbound interface (2.2.2.2)
6.1.8 Configure attack defense
firewall defend port-scan enable //scan and sweep detection
firewall defend ip-sweep enable
firewall defend teardrop enable //malformed fragments and IP-option abuse
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable //illegal TCP flag combinations
firewall defend winnuke enable
firewall defend fraggle enable //amplification and ICMP-based attacks
firewall defend tracert enable
firewall defend icmp-unreachable enable
firewall defend icmp-redirect enable
firewall defend large-icmp enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
firewall defend ip-spoofing enable //source address must be routable back through the arriving interface
firewall defend action discard //drop packets that match any of the enabled checks
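The three points a reviewer would raise on sections 6.1.2 to 6.1.6 (management services on the untrust interface, an interface in no zone, an unconditional permit rule) can be checked mechanically. The following Python audit is an added example, not code from the page or from Huawei; it parses interface, zone and security-policy blocks written in the same format as the FWB configuration above. The sample configuration embedded in the script is constructed from the FWB blocks, trimmed to the lines the audit reads, and `CLEARTEXT_SERVICES` is this example's own choice of protocols that should never face an untrusted network.

```python
"""Audit a Huawei USG-style firewall configuration for management exposure.

Added example, not from the page. Parses interface, zone and security-policy
blocks written in the same format as the FWB configuration above.
"""

# Constructed sample: the FWB interface, zone and policy blocks from this page,
# trimmed to the lines the audit looks at.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/1
 ip address 10.0.2.1 255.255.255.0
 service-manage https permit
 service-manage ssh permit
#
interface GigabitEthernet1/0/2
 ip address 10.0.3.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
security-policy
 rule name any
  action permit
#
"""

# Clear-text or weakly authenticated management protocols: never on an untrusted interface.
CLEARTEXT_SERVICES = {"telnet", "http", "snmp"}


def parse_config(text):
    """Return (interfaces, zones, rules) from a config dump.

    interfaces: {name: set of permitted service-manage services}
    zones:      {zone name: set of member interfaces}
    rules:      [{"name", "src", "dst", "action"}] from the security-policy block
    """
    interfaces, zones, rules = {}, {}, []
    ctx = None  # ("iface", name) | ("zone", name) | ("policy",)
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":          # block terminator in Huawei configs
            ctx = None
            continue
        if not line:
            continue
        w = line.split()
        if w[0] == "interface":
            ctx = ("iface", w[1])
            interfaces.setdefault(w[1], set())
        elif w[:2] == ["firewall", "zone"]:
            ctx = ("zone", w[2])
            zones.setdefault(w[2], set())
        elif w[0] == "security-policy":
            ctx = ("policy",)
        elif ctx is None:
            continue
        elif ctx[0] == "iface" and w[0] == "service-manage" and w[-1] == "permit":
            interfaces[ctx[1]].add(w[1])
        elif ctx[0] == "zone" and w[:2] == ["add", "interface"]:
            zones[ctx[1]].add(w[2])
        elif ctx[0] == "policy":
            if w[:2] == ["rule", "name"]:
                rules.append({"name": w[2], "src": None, "dst": None, "action": None})
            elif rules and w[0] == "source-zone":
                rules[-1]["src"] = w[1]
            elif rules and w[0] == "destination-zone":
                rules[-1]["dst"] = w[1]
            elif rules and w[0] == "action":
                rules[-1]["action"] = w[1]
    return interfaces, zones, rules


def audit(text):
    """Return sorted (severity, message) findings for the configuration."""
    interfaces, zones, rules = parse_config(text)
    zone_of = {iface: zone for zone, members in zones.items() for iface in members}
    findings = []
    for iface, services in interfaces.items():
        zone = zone_of.get(iface)
        if zone is None:
            findings.append(("high", f"{iface} belongs to no security zone; "
                                     "the USG forwards nothing on a zone-less interface"))
        elif zone == "untrust":
            clear = sorted(services & CLEARTEXT_SERVICES)
            if clear:
                findings.append(("high", f"{iface} (zone untrust) permits clear-text "
                                         f"management: {', '.join(clear)}"))
            other = sorted(services - CLEARTEXT_SERVICES - {"ping"})
            if other:
                findings.append(("medium", f"{iface} (zone untrust) exposes "
                                           f"{', '.join(other)}; restrict to admin sources"))
    for rule in rules:
        if rule["action"] == "permit" and rule["src"] is None and rule["dst"] is None:
            findings.append(("medium", f"security-policy rule '{rule['name']}' permits "
                                       "all traffic between all zones"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample it reports four findings: telnet/http/snmp on GigabitEthernet1/0/0 (high), GigabitEthernet1/0/2 in no zone (high), ssh/https on the outside interface without source restriction (medium), and the permit-any rule (medium). Feed it the output of `display current-configuration` to check the real device.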
6.2.1 Change the device name
#
sysname Core-A
#
6.2.2 Disable the information center
undo info-center enable //suppresses log and trap output to the terminal (this command does not affect domain-name resolution)
#
6.2.3 Configure VLANs
vlan batch 2 to 100
#
6.2.4 Configure the spanning-tree priority
stp instance 0 root primary //make this device the root bridge of the spanning tree
#
6.2.5 Configure SVI (Vlanif) addresses
interface Vlanif1
ip address 10.0.0.1 255.255.255.0 //VLAN 1 carries the OSPF backbone (10.0.0.0/24) between the cores and the aggregation switches; because VLAN 1 is the default VLAN on every trunk, any port left at defaults lands on this segment
#
interface Vlanif4
ip address 10.0.4.2 255.255.255.0
#
interface Vlanif8
ip address 10.0.8.1 255.255.255.0 //area 3 link; 10.0.8.2 is the next hop of the DMZ route in 6.2.9
#
interface Vlanif100
ip address 10.0.1.2 255.255.255.0 //link towards the firewall; 10.0.1.1 is the default-route next hop in 6.2.9
#
6.2.6 Configure the link-aggregation port
interface Eth-Trunk1 //create the link-aggregation interface (no "mode lacp", so this is a manual load-balancing trunk)
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/23
eth-trunk 1 //add the physical port to the aggregation group
#
interface GigabitEthernet0/0/24
eth-trunk 1 //add the physical port to the aggregation group
#
6.2.7 Configure port types
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
stp edged-port enable //spanning-tree edge port: goes straight to forwarding and takes no part in the calculation
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 4
stp edged-port enable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
traffic-policy 1 inbound //apply the DSCP-remarking policy defined in 6.2.10 to traffic entering this port
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 8
stp edged-port enable
#
6.2.8 Configure OSPF
ospf 100 router-id 10.0.1.2 //create the OSPF process
area 0.0.0.0 //enter area 0
network 10.0.1.0 0.0.0.255 //advertise the connected segments
network 10.0.4.0 0.0.0.255
network 10.0.0.0 0.0.0.255
area 0.0.0.3
network 10.0.8.0 0.0.0.255
network 10.0.9.0 0.0.0.255
vlink-peer 10.0.10.1 //virtual link to the DMZ router. A virtual link is configured under the transit area (area 3, which both ABRs touch), not under the area it connects, and the peer value is the other ABR's OSPF router ID, not an interface address; 10.0.10.1 is kept from the original configuration and must be that router ID
area 0.0.0.4
network 10.0.10.0 0.0.0.255 //Core-A has no interface in 10.0.10.0/24, so this statement activates nothing on this device; area 4 is reached through the virtual link above
#
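Where a virtual link belongs, and which two routers it joins, follows from the area topology alone. As an added example (not code from the page), the Python below models each router's OSPF area membership, finds every area that is not directly attached to the backbone, and emits the matching `vlink-peer` commands for both ends under the transit area. The router table is constructed: Core-A and Huiju-A carry the router IDs given on this page, the DMZ router (called DMZ-R here) is an assumption whose router ID 10.0.10.1 is taken from the original `vlink-peer` line, and the OSPF process number 100 is the page's.

```python
"""OSPF area-topology check: which areas need virtual links, and where.

Added example, not from the page. The router table is constructed: Core-A and
Huiju-A are as on the page; DMZ-R is an assumed DMZ router whose router ID
10.0.10.1 is taken from the page's vlink-peer line.
"""
from collections import deque

BACKBONE = "0.0.0.0"
OSPF_PROCESS = 100  # process number used throughout this design

ROUTERS = {
    "Core-A":  {"rid": "10.0.1.2",  "areas": {"0.0.0.0", "0.0.0.3"}},
    "Huiju-A": {"rid": "10.0.0.3",  "areas": {"0.0.0.0", "0.0.0.1"}},
    "DMZ-R":   {"rid": "10.0.10.1", "areas": {"0.0.0.3", "0.0.0.4"}},  # assumed
}


def area_graph(routers):
    """Areas are nodes; two areas are adjacent when one router (an ABR) sits in both."""
    adj = {}
    for info in routers.values():
        for area in info["areas"]:
            adj.setdefault(area, set()).update(info["areas"] - {area})
    return adj


def bfs_parents(adj, start):
    """Breadth-first search from the backbone; parent pointers give the path back."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(adj.get(cur, ())):
            if nxt not in parents:
                parents[nxt] = cur
                queue.append(nxt)
    return parents


def abr_between(routers, a, b):
    """Routers with interfaces in both areas a and b."""
    return sorted(name for name, info in routers.items() if {a, b} <= info["areas"])


def required_virtual_links(routers):
    """Return (links, unreachable).

    links: one dict per virtual link needed, {"transit": area, "endpoints": (r1, r2)},
           r1 being the backbone-side ABR and r2 the ABR on the far side of the transit area.
    unreachable: areas that no chain of ABRs connects to the backbone at all.
    """
    adj = area_graph(routers)
    parents = bfs_parents(adj, BACKBONE)
    links, seen, unreachable = [], set(), []
    for area in sorted(adj):
        if area not in parents:
            unreachable.append(area)
            continue
        path, cur = [], area
        while cur is not None:
            path.append(cur)
            cur = parents[cur]
        path.reverse()  # backbone ... area
        # Every (near, transit, far) triple on the path needs a virtual link across transit.
        for i in range(1, len(path) - 1):
            triple = (path[i - 1], path[i], path[i + 1])
            if triple in seen:
                continue
            seen.add(triple)
            near, transit, far = triple
            links.append({"transit": transit,
                          "endpoints": (abr_between(routers, near, transit)[0],
                                        abr_between(routers, transit, far)[0])})
    return links, unreachable


def vlink_commands(routers, link):
    """Commands for both ends: under the transit area, peer = the other router's ID."""
    r1, r2 = link["endpoints"]
    return {
        r1: [f"ospf {OSPF_PROCESS} router-id {routers[r1]['rid']}",
             f" area {link['transit']}",
             f"  vlink-peer {routers[r2]['rid']}"],
        r2: [f"ospf {OSPF_PROCESS} router-id {routers[r2]['rid']}",
             f" area {link['transit']}",
             f"  vlink-peer {routers[r1]['rid']}"],
    }


if __name__ == "__main__":
    links, unreachable = required_virtual_links(ROUTERS)
    for link in links:
        for router, cmds in vlink_commands(ROUTERS, link).items():
            print(f"--- {router}")
            print("\n".join(cmds))
    for area in unreachable:
        print(f"area {area}: no ABR chain reaches the backbone")
```

For this design it reports one link: across area 0.0.0.3 between Core-A and DMZ-R, i.e. `vlink-peer 10.0.10.1` under `area 0.0.0.3` on Core-A and `vlink-peer 10.0.1.2` under `area 0.0.0.3` on the DMZ router. Areas that no ABR chain reaches at all are listed separately, since no virtual link can fix those.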
6.2.9 Configure static routes
ip route-static 0.0.0.0 0.0.0.0 10.0.1.1 //default route towards the firewall
ip route-static 0.0.0.0 0.0.0.0 10.0.4.1 preference 80 //backup default route (preference 80 loses to the primary, which keeps the default of 60)
ip route-static 10.0.10.0 255.255.255.0 10.0.8.2 //static route to the DMZ segment (not a default route)
ip route-static 10.0.10.0 255.255.255.0 10.0.9.2 preference 80 //backup static route to the DMZ segment
#
6.2.10 Configure a traffic policy to raise the priority of VLAN17 (Finance) traffic
acl number 3000
rule 5 permit ip source 10.0.17.0 0.0.0.255 //match traffic sourced from the Finance segment
#
traffic classifier 1 operator and
if-match acl 3000
#
traffic behavior 1
remark dscp ef //re-mark matching packets as DSCP EF (expedited forwarding); this is QoS marking, not policy-based routing, so the forwarding path is unchanged
#
traffic policy 1
classifier 1 behavior 1 //bind classifier to behaviour; the policy is applied inbound on GigabitEthernet0/0/3 in 6.2.7
#
6.3.1 Change the device name
#
sysname Huiju-A
#
6.3.2 Disable the information center
undo info-center enable //suppresses log and trap output to the terminal (this command does not affect domain-name resolution)
#
6.3.3 Configure VLANs
#
vlan batch 2 to 100
#
6.3.4 Enable DHCP
#
dhcp enable
#
6.3.5 Enable BFD to speed up OSPF convergence
#
bfd //enable BFD globally
#
ospf 100 router-id 10.0.0.3 //create the OSPF process
bfd all-interfaces enable //run BFD on all OSPF interfaces, so a failed neighbour is detected in milliseconds instead of after the dead interval
#
6.3.6 Configure DHCP
ip pool 16
gateway-list 10.0.16.1 //gateway handed to clients: the VRRP virtual address from 6.3.8, not this switch's own address
network 10.0.16.0 mask 255.255.255.0 //address range of the pool
dns-list 10.0.10.101 //DNS server in the DMZ
#
ip pool 17
gateway-list 10.0.17.1
network 10.0.17.0 mask 255.255.255.0
dns-list 10.0.10.101
#
ip pool 18 //Vlanif18 below selects the global pool, so it needs one; follows the same pattern as pools 16 and 17
gateway-list 10.0.18.1
network 10.0.18.0 mask 255.255.255.0
dns-list 10.0.10.101
#
interface Vlanif16
dhcp select global //serve clients on this VLAN from the global pool whose network matches the interface address
#
interface Vlanif17
dhcp select global
#
interface Vlanif18
dhcp select global
#
6.3.7 Configure SVI (Vlanif) addresses
interface Vlanif1
ip address 10.0.0.3 255.255.255.0 //backbone segment shared with the cores
#
interface Vlanif16
ip address 10.0.16.2 255.255.255.0
#
interface Vlanif17
ip address 10.0.17.2 255.255.255.0
#
interface Vlanif18
ip address 10.0.18.2 255.255.255.0
#
6.3.8 Configure VRRP
interface Vlanif16
vrrp vrid 16 virtual-ip 10.0.16.1 //virtual gateway address, shared with the backup aggregation switch
vrrp vrid 16 priority 120 //higher than the default of 100, so this switch is the master
#
interface Vlanif17
vrrp vrid 17 virtual-ip 10.0.17.1
vrrp vrid 17 priority 120
#
interface Vlanif18
vrrp vrid 18 virtual-ip 10.0.18.1
vrrp vrid 18 priority 120
#
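The pattern in 6.3.6 to 6.3.8 (pool gateway equals the VRRP virtual address at .1, the master at .2 with priority 120, VRID equal to the VLAN ID) repeats for every row of the VLAN table. As an added example, not code from the page, the Python generator below produces the DHCP pool, Vlanif and VRRP configuration for both aggregation switches from that table, after validating it. The department names and addressing are the page's; the backup switch's .3 addresses and its default VRRP priority are assumptions, as is the DMZ DNS address being reused for all pools.

```python
"""Generate per-VLAN DHCP pool, Vlanif and VRRP config for an aggregation pair.

Added example, not from the page. Conventions taken from Huiju-A: VIP .1,
master .2 with priority 120, VRID = VLAN ID. The backup's .3 address is assumed.
"""
import ipaddress

# VLAN table from the page
VLAN_TABLE = [
    (16, "HR", "10.0.16.0/24"),
    (17, "Finance", "10.0.17.0/24"),
    (18, "Technical", "10.0.18.0/24"),
    (19, "Marketing", "10.0.19.0/24"),
    (20, "Sales", "10.0.20.0/24"),
    (21, "R&D", "10.0.21.0/24"),
]
DNS_SERVER = "10.0.10.101"   # DNS server used in the page's pools
PRIMARY_PRIORITY = 120       # VRRP priority of the master (default is 100)


def vlan_plan(vlan_id, cidr):
    """Addresses for one VLAN: VIP .1, primary .2, backup .3 (backup is an assumption)."""
    net = ipaddress.ip_network(cidr)
    return {
        "vlan": vlan_id,
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "vip": str(net[1]),
        "primary": str(net[2]),
        "backup": str(net[3]),
    }


def dhcp_pool(plan):
    """ip pool block; clients are told the VRRP address, never a real switch address."""
    return [
        f"ip pool {plan['vlan']}",
        f" gateway-list {plan['vip']}",
        f" network {plan['network']} mask {plan['mask']}",
        f" dns-list {DNS_SERVER}",
        "#",
    ]


def vlanif(plan, role, serve_dhcp=True):
    """Vlanif block for role 'primary' or 'backup'; the VRID reuses the VLAN ID."""
    lines = [
        f"interface Vlanif{plan['vlan']}",
        f" ip address {plan[role]} {plan['mask']}",
        f" vrrp vrid {plan['vlan']} virtual-ip {plan['vip']}",
    ]
    if role == "primary":
        lines.append(f" vrrp vrid {plan['vlan']} priority {PRIMARY_PRIORITY}")
    if serve_dhcp:
        lines.append(" dhcp select global")
    lines.append("#")
    return lines


def validate(table):
    """Reject overlapping subnets, subnets too small for three addresses, and VLAN IDs
    that cannot double as a VRRP VRID (1..255)."""
    errors = []
    nets = [(vlan, ipaddress.ip_network(cidr)) for vlan, _, cidr in table]
    for i, (vlan, net) in enumerate(nets):
        if not 1 <= vlan <= 255:
            errors.append(f"VLAN {vlan}: cannot double as a VRRP VRID (1..255)")
        if net.num_addresses < 8:
            errors.append(f"VLAN {vlan}: {net} too small for VIP, primary and backup")
        for other_vlan, other in nets[i + 1:]:
            if net.overlaps(other):
                errors.append(f"VLAN {vlan} and VLAN {other_vlan}: {net} overlaps {other}")
    return errors


def build_config(role, table=VLAN_TABLE, serve_dhcp=True):
    """Full list of config lines for one switch of the pair."""
    errors = validate(table)
    if errors:
        raise ValueError("; ".join(errors))
    plans = [vlan_plan(vlan, cidr) for vlan, _, cidr in table]
    lines = []
    if serve_dhcp:
        lines += ["dhcp enable", "#"]
        for plan in plans:
            lines += dhcp_pool(plan)
    for plan in plans:
        lines += vlanif(plan, role, serve_dhcp)
    return lines


if __name__ == "__main__":
    for role in ("primary", "backup"):
        print(f"=== {role} aggregation switch ===")
        print("\n".join(build_config(role)))
```

If both switches serve the same pools, as `serve_dhcp=True` on both sides produces, two servers can lease the same address; either exclude half of each range on each side with `excluded-ip-address`, or generate the backup with `serve_dhcp=False` and accept that DHCP is unavailable while the master is down.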
6.3.9 Configure port types
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
undo port trunk allow-pass vlan 1 //prune VLAN 1 (the OSPF backbone VLAN) from this trunk; it stays allowed on GigabitEthernet0/0/1 to 0/0/3, which carry the backbone towards the cores
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
undo port trunk allow-pass vlan 1
#
6.3.10 Configure OSPF
ospf 100 router-id 10.0.0.3 //create the OSPF process
silent-interface all //make every interface passive: its segment is advertised but no Hellos are sent
undo silent-interface Vlanif1 //except Vlanif1, which must send Hellos to form adjacencies with the cores
area 0.0.0.0 //enter area 0
network 10.0.0.0 0.0.0.255 //advertise the backbone segment
area 0.0.0.1
network 10.0.16.0 0.0.0.255
network 10.0.17.0 0.0.0.255
network 10.0.18.0 0.0.0.255
stub //configure area 1 as a stub area: no external LSAs, the ABRs inject a default route instead
6.3.11 Configure default routes
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.1 //default route via Core-A
ip route-static 0.0.0.0 0.0.0.0 10.0.0.2 preference 80 //backup default route via the other core
#
6.4.1 Change the device name
sysname SW1
#
6.4.2 Disable the information center
#
undo info-center enable //suppresses log and trap output to the terminal (this command does not affect domain-name resolution)
#
6.4.3 Create VLANs
#
vlan batch 2 to 100
#
6.4.4 Configure DHCP snooping
#
dhcp enable //DHCP must be enabled globally before snooping can be
#
dhcp snooping enable //enable DHCP snooping globally
#
interface GigabitEthernet0/0/1
dhcp snooping trusted //uplink: DHCP server replies (OFFER/ACK) are accepted only on trusted ports
#
interface GigabitEthernet0/0/2
dhcp snooping trusted
6.4.5 Configure port types and port security
interface Ethernet0/0/1
port link-type access
port default vlan 16
stp edged-port enable //spanning-tree edge port
port-security enable //enable port security
port-security max-mac-num 2 //at most two MAC addresses may be learned on this port
arp anti-attack rate-limit enable //enable ARP rate limiting
arp anti-attack rate-limit 50 1 //ARP above 50 packets per 1-second interval is dropped
broadcast-suppression 50 //limit broadcast traffic to 50% of the port's bandwidth (storm suppression, not detection)
dhcp snooping enable //enable DHCP snooping on this untrusted edge port: server replies arriving here are discarded and client leases are recorded in the binding table
#
interface Ethernet0/0/2
port link-type access
port default vlan 16
stp edged-port enable
port-security enable
port-security max-mac-num 2
arp anti-attack rate-limit enable
arp anti-attack rate-limit 50 1
broadcast-suppression 50
dhcp snooping enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
dhcp snooping trusted
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
dhcp snooping trusted
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 2
stp edged-port enable
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 3
stp edged-port enable
#
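What the edge-port settings in 6.4.4 and 6.4.5 actually do is easiest to see by replaying traffic through a model of them. The Python below is an added example, not code from the page: it implements DHCP snooping trusted and untrusted ports together with the binding table they build, `port-security max-mac-num 2`, and the ARP rate limit of 50 packets per second, then runs a constructed sequence (a legitimate lease, a rogue DHCP server on an edge port, a spoofed gateway ARP, a third MAC on a port, an ARP flood). The last check, dropping an ARP whose sender MAC/IP pair is not in the snooping binding table, is what `arp anti-attack check user-bind` would add on top of the page's configuration and is included to show what the binding table is for; port names, MAC and IP addresses in the scenario are constructed.

```python
"""Model of SW1's edge-port protections, replayed against constructed frames.

Added example, not from the page. The binding-table check on ARP goes beyond the
page's configuration (it corresponds to arp anti-attack check user-bind).
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Frame:
    port: str
    src_mac: str
    kind: str             # dhcp-discover | dhcp-request | dhcp-offer | dhcp-ack | arp | ip
    t: float = 0.0        # arrival time in seconds
    ip: str = ""          # DHCP: leased address (yiaddr); ARP: sender IP
    client_mac: str = ""  # DHCP server messages: client hardware address (chaddr)


class AccessSwitch:
    def __init__(self, trusted_ports, max_mac=2, arp_rate=50, arp_interval=1.0):
        self.trusted = set(trusted_ports)      # dhcp snooping trusted (the uplinks)
        self.max_mac = max_mac                 # port-security max-mac-num
        self.arp_rate, self.arp_interval = arp_rate, arp_interval  # arp anti-attack rate-limit
        self.bindings = {}   # DHCP snooping binding table: (mac, ip) -> client port
        self.pending = {}    # client mac -> port, from DISCOVER/REQUEST seen on edge ports
        self.learned = {}    # port -> MACs learned (port-security)
        self.arp_seen = {}   # port -> recent ARP timestamps
        self.log = []        # (port, kind, reason) for every dropped frame

    def _drop(self, frame, reason):
        self.log.append((frame.port, frame.kind, reason))
        return False

    def _arp_rate_exceeded(self, frame):
        window = self.arp_seen.setdefault(frame.port, deque())
        while window and frame.t - window[0] >= self.arp_interval:
            window.popleft()
        window.append(frame.t)
        return len(window) > self.arp_rate

    def receive(self, frame):
        """Return True if the frame is forwarded, False if a protection drops it."""
        untrusted = frame.port not in self.trusted
        if untrusted:
            macs = self.learned.setdefault(frame.port, set())
            if frame.src_mac not in macs and len(macs) >= self.max_mac:
                return self._drop(frame, "port-security: max-mac-num exceeded")
            macs.add(frame.src_mac)
        if frame.kind in ("dhcp-offer", "dhcp-ack"):
            if untrusted:
                return self._drop(frame, "dhcp snooping: server reply on untrusted port")
            if frame.kind == "dhcp-ack":
                client_port = self.pending.get(frame.client_mac)
                if client_port is None:
                    return self._drop(frame, "dhcp snooping: ACK for a client that never asked")
                self.bindings[(frame.client_mac, frame.ip)] = client_port
            return True
        if frame.kind in ("dhcp-discover", "dhcp-request"):
            self.pending[frame.src_mac] = frame.port
            return True
        if frame.kind == "arp" and untrusted:
            if self._arp_rate_exceeded(frame):
                return self._drop(frame, "arp anti-attack rate-limit")
            if self.bindings.get((frame.src_mac, frame.ip)) != frame.port:
                return self._drop(frame, "arp check user-bind: sender not in binding table")
        return True


def run_scenario():
    """Constructed sequence: a real lease, a rogue DHCP server, ARP spoofing, MAC flooding."""
    sw = AccessSwitch(trusted_ports={"GE0/0/1", "GE0/0/2"})
    pc, rogue, server = "00:11:22:33:44:01", "de:ad:be:ef:00:01", "aa:aa:aa:00:00:01"
    r = {}
    sw.receive(Frame("Eth0/0/1", pc, "dhcp-discover", t=0.0))
    r["ack_uplink"] = sw.receive(Frame("GE0/0/1", server, "dhcp-ack", t=0.1,
                                       ip="10.0.16.50", client_mac=pc))
    r["offer_rogue"] = sw.receive(Frame("Eth0/0/2", rogue, "dhcp-offer", t=0.2,
                                        ip="10.0.16.99", client_mac=pc))
    r["arp_ok"] = sw.receive(Frame("Eth0/0/1", pc, "arp", t=0.3, ip="10.0.16.50"))
    r["arp_spoof"] = sw.receive(Frame("Eth0/0/2", rogue, "arp", t=0.4, ip="10.0.16.1"))
    sw.receive(Frame("Eth0/0/2", "de:ad:be:ef:00:02", "ip", t=0.5))
    r["third_mac"] = sw.receive(Frame("Eth0/0/2", "de:ad:be:ef:00:03", "ip", t=0.6))
    flood = [sw.receive(Frame("Eth0/0/1", pc, "arp", t=2.0 + i / 1000, ip="10.0.16.50"))
             for i in range(60)]
    r["flood_dropped"] = flood.count(False)
    return sw, r


if __name__ == "__main__":
    switch, results = run_scenario()
    print(results)
    for entry in switch.log:
        print("dropped:", entry)
```

The scenario ends with exactly one binding (the PC's lease on Eth0/0/1), the rogue OFFER, the spoofed gateway ARP and the third MAC dropped, and 10 of the 60 flood ARPs discarded by the 50-per-second limit.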
6.5.1 Change the device name
sysname ISP-A
6.5.2 Configure interface IP addresses
interface GigabitEthernet0/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 2.2.2.1 255.255.255.0 //link to the firewall (FWB's GigabitEthernet1/0/0 is 2.2.2.2)
#
interface GigabitEthernet0/0/2
ip address 3.3.3.1 255.255.255.0
#
6.5.3 Configure the BGP process
bgp 100
peer 3.3.3.2 as-number 100 //same AS number on both sides, so this is an iBGP session
#
ipv4-family unicast
undo synchronization
import-route direct //inject the directly connected routes, including 2.2.2.0/24, into BGP
peer 3.3.3.2 enable