记一次网项目（一）

现状：公司通过10Mpppoe拨号上网，各部都在一个大局域网，ip电话已经和局域网混合在一起了，给上网带来不便，特别部门对通讯速度不理想。
需求：ip电话网段需要独立；各部门需要分不同的网段地址，特殊部门默认走专线，其他部门走拨号上网；专线和拨号相互备用。
改造：
根据需求新购H3C交换机和cisco路由器各一台，专线一条，具体如下拓扑：

此次改造重点在于三层交接机的配置

H3C配置
##ssh 配置##

dhcp enable
dhcp-snooping
int LoopBack0
ip add 1.1.1.1 32
undo telnet server enable
public-key local create rsa
ssh server enable
user-interface vty 0 4
authentication-mode scheme
protocol inbound ssh
ssh user gaby service-type stelnet authentication-type password
user privilege level 3
ssh client source interface loopback0
local-user gaby
password cipher gabylinux
service-type ssh
authorization-attribute level 3

##vlan ip，dhcp和接口关联配置##

dhcp server ip-pool vlan2
network 192.168.2.0 mask 255.255.255.0
gateway-list 192.168.2.254
dns-list 202.96.134.133 202.96.128.68 8.8.8.8
dhcp server ip-pool vlan3
network 192.168.2.0 mask 255.255.255.0
gateway-list 192.168.2.254
dns-list 202.96.134.133 202.96.128.68 8.8.8.8
vlan 1 to 3
vlan 10
vlan 20
int vlan 1
ip address 192.168.1.254 255.255.255.0
undo    shutdown
int vlan 2
ip address 192.168.2.254 255.255.255.0
undo    shutdown
dhcp select server global-pool
dhcp server forbidden-ip 192.168.2.1 192.168.2.10
int vlan 3
ip address 192.168.3.254 255.255.255.0
undo    shutdown
dhcp select server global-pool
dhcp server forbidden-ip 192.168.3.1 192.168.3.10
int vlan 10
ip add 192.168.10.254 255.255.255.0
undo shut
int vlan 20
ip add 192.168.20.254 255.255.255.0
undo shut
int GigabitEthernet 1/0/1
port link-type trunk
port trunk permit vlan all
int GigabitEthernet 1/0/2
port link-type trunk
port trunk permit vlan all
int GigabitEthernet 1/0/3
port link-type access
port access vlan 2
dhcp-snooping trust
int GigabitEthernet 1/0/4
port link-type access
port access vlan 2
dhcp-snooping trust
int g1/0/5
port link-type access
port access vlan 3
dhcp-snooping trust
int g1/0/6
port link-type access
port access vlan 3
dhcp-snooping trust
int GigabitEthernet 1/0/10
port access vlan 10
int GigabitEthernet 1/0/20
port access vlan 20

##特殊部门走专线##

acl number 3000
rule 0 permit ip source 192.168.3.0 0.0.0.255
traffic classifier 1 gabyqos and
if-match acl 3000
traffic behavior 1
redirect next-hop 192.168.40.254
qos policy 1
classifier 1 behavior 1
int int GigabitEthernet 1/0/5
qos apply policy 1 inbound
int int GigabitEthernet 1/0/6
qos apply policy 1 inbound

##全网互通##
因为我的关联ip电话的防火墙支持ospf，就起ospf路由器协议，但是老拨号路由器不支持动态路由器ospf，所有在老路由器上起静态路由。具体配置如下：

ospf 10
area 0.0.0.0
network 192.168.20.240 0.0.0.255
network 192.168.10.240 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
ip route-static 0.0.0.0 0.0.0.0 192.168.1.1

ps：ip route-static 0.0.0.0 0.0.0.0 192.168.1.1静态路由器是为了满足默认走拨号网络。根据实际情况，有几个vlan就写几个network，同时也需要在拨号路由器上回指几条静态路由。如下

ip route-static 192.168.2.0 255.255.255.0 192.168.1.254
ip route-static 192.168.3.0 255.255.255.0 192.168.1.254

电话防火墙的ospf就很简单了，图形界面配置一个网段192.168.10.0，这样就能够实现在ip电话可以在不同网段使用，还能接受ip电话服务器的管理。新购的cisco路由器也起ospf，具体配置如下：

router ospf 10
network 192.168.20.0 0.0.0.255 area 0
 

外加一条出口静态路由。

至此全部改造完毕。