企业网络的网络拓扑搭建

 设计思路

该设计用于模拟公司网络，具体设计思路如下：

1、终端用户通过各自汇聚交换机自动获取IP地址并进行路由。

2、汇聚交换机配置为三层设备通过OSPF与核心交换机进行互通。

3、主备汇聚交换机通过VRRP与生成树技术为终端用户提供冗余。

4、核心交换机通过VRRP、生成树与链路聚合实现冗余备份。

5、防火墙配置NAT转换使得终端用户较为安全的访问外部网络。

6、公司内部部分区域提供无线访问，通过AC+瘦AP的方式实现。

7、总公司服务器对内提供WWW、DNS以及FTP服务。

8、运营商通过BGP实现路由可达。

9、防火墙配置攻击防护。

地址规划

vlan划分

vlan	所在部门	网络地址	子网掩码
Vlan16	人事部	10.0.16.0/24	255.255.255.0
Vlan17	财务部	10.0.17.0/24	255.255.255.0
Vlan18	技术部	10.0.18.0/24	255.255.255.0
Vlan19	市场部	10.0.19.0/24	255.255.255.0
Vlan20	营销部	10.0.20.0/24	255.255.255.0
Vlan21	研发部	10.0.21.0/24	255.255.255.0

5.3实现功能

5.3.1 FTP

WEB

DNS

 网络的配置

防火墙配置

6.1.1、更改设备命名

sysname FWB

6.1.2、配置接口IP地址

interface GigabitEthernet1/0/0

 undo shutdown

 ip address 2.2.2.2 255.255.255.0

 service-manage http permit

 service-manage https permit

 service-manage ping permit

 service-manage ssh permit

 service-manage snmp permit

 service-manage telnet permit

#

interface GigabitEthernet1/0/1

 undo shutdown

 ip address 10.0.2.1 255.255.255.0

 service-manage http permit

 service-manage https permit

 service-manage ping permit

 service-manage ssh permit

 service-manage snmp permit

 service-manage telnet permit

#

interface GigabitEthernet1/0/2

 undo shutdown

 ip address 10.0.3.2 255.255.255.0

 service-manage http permit

 service-manage https permit

 service-manage ping permit

 service-manage ssh permit

 service-manage snmp permit

 service-manage telnet permit

#

interface GigabitEthernet1/0/3

 undo shutdown

 ip address 192.168.15.2 255.255.255.0

 service-manage http permit

 service-manage https permit

 service-manage ping permit

 service-manage ssh permit

 service-manage snmp permit

 service-manage telnet permit

6.1.3、接口加入指定安全域

firewall zone trust

 set priority 85

 add interface GigabitEthernet1/0/1

 add interface GigabitEthernet1/0/3

#

firewall zone untrust

 set priority 5

 add interface GigabitEthernet1/0/0

6.1.4、配置OSPF

ospf 1

 area 0.0.0.0

  network 10.0.2.0 0.0.0.255

  network 10.0.3.0 0.0.0.255

6.1.5、配置默认路由

ip route-static 0.0.0.0 0.0.0.0 2.2.2.1

6.1.6、配置安全策略

security-policy

 rule name any

  action permit

6.1.7、配置NAT策略

nat-policy

 rule name any

  source-zone trust

  destination-zone untrust

  action source-nat easy-ip

6.1.8、配置攻击防护

 firewall defend port-scan enable

 firewall defend ip-sweep enable

 firewall defend teardrop enable

 firewall defend time-stamp enable

 firewall defend route-record enable

 firewall defend source-route enable

 firewall defend ip-fragment enable

 firewall defend tcp-flag enable

 firewall defend winnuke enable

 firewall defend fraggle enable

 firewall defend tracert enable

 firewall defend icmp-unreachable enable

 firewall defend icmp-redirect enable

 firewall defend large-icmp enable

 firewall defend ping-of-death enable

 firewall defend smurf enable

 firewall defend land enable

 firewall defend ip-spoofing enable

 firewall defend action discard

6.2核心交换机配置

6.2.1、更改设备命名

#

sysname Core-A

#

6.2.2、关闭域名自动解析功能

undo info-center enable

#

6.2.3、配置VLAN

vlan batch 2 to 100

#

6.2.4、配置生成树优先级

stp instance 0 root primary       //调整该设备为生成树主根桥

#

6.2.5、配置SVI接口地址

interface Vlanif1

 ip address 10.0.0.1 255.255.255.0

#

interface Vlanif4

 ip address 10.0.4.2 255.255.255.0

#

interface Vlanif8

 ip address 10.0.8.1 255.255.255.0

#

interface Vlanif100

 ip address 10.0.1.2 255.255.255.0

#

6.2.6、配置链路聚合端口

interface Eth-Trunk1        //创建链路聚合端口

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/23

 eth-trunk 1              //加入链路聚合组

#

interface GigabitEthernet0/0/24

 eth-trunk 1              //加入链路聚合组

#

6.2.7、配置接口类型

interface GigabitEthernet0/0/1

 port link-type access

 port default vlan 100

 stp edged-port enable       //配置为生成树边缘端口，不参与计算

#

interface GigabitEthernet0/0/2

 port link-type access

 port default vlan 4

 stp edged-port enable

#

interface GigabitEthernet0/0/3

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

 traffic-policy 1 inbound

#

interface GigabitEthernet0/0/4

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/5

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/6

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/7

 port link-type access

 port default vlan 8

 stp edged-port enable

#

6.2.8、配置OSPF

ospf 100 router-id 10.0.1.2       //创建OSPF进程

 area 0.0.0.0                  //进入区域0

  network 10.0.1.0 0.0.0.255    //宣告业务网段

  network 10.0.4.0 0.0.0.255

  network 10.0.0.0 0.0.0.255

 area 0.0.0.3

  network 10.0.8.0 0.0.0.255

  network 10.0.9.0 0.0.0.255

 area 0.0.0.4

  network 10.0.10.0 0.0.0.255

  vlink-peer 10.0.10.1        //配置虚链路

#

6.2.9、配置默认路由

ip route-static 0.0.0.0 0.0.0.0 10.0.1.1      //配置默认路由

ip route-static 0.0.0.0 0.0.0.0 10.0.4.1 preference 80      //配置备份默认路由

ip route-static 10.0.10.0 255.255.255.0 10.0.8.2      //配置到DMZ区的默认路由

ip route-static 10.0.10.0 255.255.255.0 10.0.9.2 preference 80        //配置到DMZ区的备份默认路由

#

6.2.10配置策略路由调整VLAN17用户流量优先级

acl number 3000

 rule 5 permit ip source 10.0.17.0 0.0.0.255

#

traffic classifier 1 operator and

 if-match acl 3000

#

traffic behavior 1

 remark dscp ef

#

traffic policy 1

 classifier 1 behavior 1

#

6.3汇聚交换机配置

6.3.1、更改设备命名

#

sysname Huiju-A

#

6.3.2、关闭域名自动解析功能

undo info-center enable

#

6.3.3、配置VLAN

#

vlan batch 2 to 100

#

6.3.4、开启DHCP功能

#

dhcp enable

#

6.3.5、开启BFD功能用以加快OSPF收敛速度

#

Bfd    //全局开启BFD进程

#

ospf 100 router-id 10.0.0.3     //创建OSPF进程

 bfd all-interfaces enable      //开启BFD

#

6.3.6、配置DHCP

ip pool 16

 gateway-list 10.0.16.1       //配置网关

 network 10.0.16.0 mask 255.255.255.0      //配置所属网段

 dns-list 10.0.10.101           //指定DNS

#

ip pool 17

 gateway-list 10.0.17.1

 network 10.0.17.0 mask 255.255.255.0

 dns-list 10.0.10.101

#

interface Vlanif16

 dhcp select global         //配置DHCP获取类型

#

interface Vlanif17

 dhcp select global

#

interface Vlanif18

 dhcp select global

#

6.3.7、配置SVI接口地址

interface Vlanif1

 ip address 10.0.0.3 255.255.255.0

#

interface Vlanif16

 ip address 10.0.16.2 255.255.255.0

#

interface Vlanif17

 ip address 10.0.17.2 255.255.255.0

#

interface Vlanif18

 ip address 10.0.18.2 255.255.255.0

#

6.3.8、配置VRRP

interface Vlanif16

 vrrp vrid 16 virtual-ip 10.0.16.1        //定义虚拟地址

 vrrp vrid 16 priority 120               //配置优先级

#

interface Vlanif17

 vrrp vrid 17 virtual-ip 10.0.17.1

 vrrp vrid 17 priority 120

#

interface Vlanif18

 vrrp vrid 18 virtual-ip 10.0.18.1

 vrrp vrid 18 priority 120

#

6.3.9、配置接口类型

interface GigabitEthernet0/0/1

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/2

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/3

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

#

interface GigabitEthernet0/0/4

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

 Undo trunk allow-pass vlan 1

#

interface GigabitEthernet0/0/5

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

 Undo trunk allow-pass vlan 1

#

6.3.10、配置OSPF

ospf 100 router-id 10.0.0.3       //创建OSPF进程

 silent-interface all             //配置静默接口

 undo silent-interface Vlanif1    //允许vlan1发送Hello报文

 area 0.0.0.0                 //进入区域0

  network 10.0.0.0 0.0.0.255     //宣告业务网段

 area 0.0.0.1

  network 10.0.16.0 0.0.0.255

  network 10.0.17.0 0.0.0.255

  network 10.0.18.0 0.0.0.255

  Stub                     //配置为末节区域

6.3.11、配置默认路由

#

ip route-static 0.0.0.0 0.0.0.0 10.0.0.1      //配置默认路由

ip route-static 0.0.0.0 0.0.0.0 10.0.0.2 preference 80   //配置备份默认路由

#

6.4接入交换机配置

6.4.1、更改设备命名

sysname SW1

#

6.4.2、关闭自动解析功能

#

undo info-center enable

#

6.4.3、创建VLAN

#

vlan batch 2 to 100

#

6.4.4、配置DHCP Snooping

#

dhcp enable         //开启DHCP 功能

#

dhcp snooping enable      //开启DHCP Snooping

#

interface GigabitEthernet0/0/1

 dhcp snooping trusted       //配置接口为可信端口

#

interface GigabitEthernet0/0/2

 dhcp snooping trusted

6.4.5、配置接口类型及端口安全

interface Ethernet0/0/1

 port link-type access

 port default vlan 16

 stp edged-port enable      //开启生成树边缘端口

 port-security enable          //开启端口安全

 port-security max-mac-num 2       //配置允学习的MAC地址数量

 arp anti-attack rate-limit enable   //开启ARP攻击检测

 arp anti-attack rate-limit 50 1     //配置ARP攻击判定速率

 broadcast-suppression 50        //开启广播风暴检测

 dhcp snooping enable          //开启dhcp snooping

#

interface Ethernet0/0/2

 port link-type access

 port default vlan 16

 stp edged-port enable

 port-security enable

 port-security max-mac-num 2

 arp anti-attack rate-limit enable

 arp anti-attack rate-limit 50 1

 broadcast-suppression 50

 dhcp snooping enable

#

interface GigabitEthernet0/0/1

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

 dhcp snooping trusted

#

interface GigabitEthernet0/0/2

 port link-type trunk

 port trunk allow-pass vlan 2 to 4094

 dhcp snooping trusted

#

interface GigabitEthernet0/0/3

 port link-type access

 port default vlan 2

 stp edged-port enable

#

interface GigabitEthernet0/0/4

 port link-type access

 port default vlan 3

 stp edged-port enable

#

6.5运营商路由器配置

6.5.1、更改设备命名

 sysname ISP-A

6.5.2、配置接口IP地址

interface GigabitEthernet0/0/0

 ip address 1.1.1.1 255.255.255.0

#

interface GigabitEthernet0/0/1

 ip address 2.2.2.1 255.255.255.0

#

interface GigabitEthernet0/0/2

 ip address 3.3.3.1 255.255.255.0

#

6.5.3、配置BGP进程

bgp 100

 peer 3.3.3.2 as-number 100

 #

 ipv4-family unicast

  undo synchronization

  import-route direct  //注入直连路由

  peer 3.3.3.2 enable