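Small Enterprise Network Design and Planning
Computer Networks Course Design Report
1 Preface
With the rapid development of modern science, technology and the Internet, management systems built on computing and communication technology are developing at high speed. At the same time, as economic and cultural standards have risen markedly, people's expectations for quality of life, and for their working environment, keep rising. People working in the same campus need to communicate with one another, and that communication must be both unobstructed and confidential; the planning and design of a network for such a campus arises from this need.
This project briefly discusses the network technologies and the planning and design methods involved in enterprise network planning and design, and offers a technical and practical reference for planning, designing, upgrading and retrofitting enterprise networks, so that campus networks under construction or being planned achieve high overall performance. eNSP is used to simulate the access switches, aggregation switches and other network devices of an enterprise campus network, and the devices are configured with several protocols, including VLAN (virtual LAN), MSTP (Multiple Spanning Tree Protocol), [1] LACP link aggregation and VLAN aggregation, so that the resulting network offers high communication reliability and meets the enterprise's multi-service requirements. It must also achieve high utilization and high reliability: idle devices are put to use to raise resource utilization, different traffic travels over different links so that the links are fully used, and [3] traffic load sharing is achieved.
By analysing the campus network, the design meets its requirements in terms of performance and value; the enterprise campus network is then divided into VLANs, management domains are set up, and the network is continually optimized, so that the enterprise can access network resources securely and quickly.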
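2 Campus network project background and requirements analysis
2.1 Project background
To support business growth, a company has acquired a building in campus A as its headquarters and plans to build an entirely new campus network. With sustainable growth in mind, it has also decided to establish a branch in campus B. The campus A headquarters houses the R&D department, marketing department, administration department, information center, network management group and a visitor reception center; the visitor reception center provides Wi-Fi for visitors. The campus B branch houses the sales department. To support the company's business, hosts need to obtain the company DNS server's IP address automatically. The company has leased one Internet line with one public IP address and wants all employees to be able to access the Internet. Later, all devices are to be remotely manageable by the network administrator. An IPv4/IPv6 dual-stack network is to be built.
2.2 Project requirements analysis
1. Headquarters campus A and campus B require a simple network topology that is easy to maintain, scalable and redundant.
2. Headquarters campus A provides wired access for staff in the marketing department, R&D department, administration department, information center and network management group. The visitor reception center provides Wi-Fi for visitors, with simple network traffic management and a degree of security.
3. So that staff in campus A and campus B can easily obtain the DNS server's IP address, DHCP can be used to assign IP and DNS addresses automatically on the LAN.
4. Campus A requires core switches with redundancy, high reliability and scalability, and a resource server is to be deployed.
5. The company has two public IP addresses. All staff in every department of campus A and campus B need Internet access, so network address translation can be configured on the egress routers.
6. So that the network administrator can manage devices remotely, the SSH service must be enabled on all devices.
7. For the company's growth, campus A and campus B also need IPv4/IPv6 dual-stack technology between them.
8. IPv4 communication between campus A and campus B uses a VPN.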
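3 Project design and planning
3.1 Project design scheme
3.1.1 Company intranet design
The network uses a three-tier structure: access layer, core layer and egress layer. [4] MSTP+VRRP provides gateway redundancy and traffic load balancing. [5] DHCP is enabled and is itself deployed redundantly, so that the failure of a single device does not take DHCP down, which improves network reliability. The switches at the core layer are connected with link aggregation to make the link redundant. VRRP6 and DHCPv6 are configured in the same way. All of these services run on the layer-3 core switches, which relieves the egress router, since the egress router has to carry a large number of routes. A resource server is attached to the layer-3 core switches so that staff can access and upload the company's internal resources; a wireless access controller (AC) is also attached so that the network administrator can maintain the wireless network, and it leaves room for the company's later growth. The internal IPv4 network uses OSPFv2 for internal reachability, and the IPv6 network uses OSPFv3. [6] For the NAT egress gateway, a static route is used, and Easy IP uses the interface's public address directly as the translated address for private hosts accessing the public network, so no NAT address pool needs to be configured. The campus B branch uses the same network design.
3.1.2 Communication design between campus A and campus B
Because the carrier network has no IPv6, campus A and campus B both use an IPv4/IPv6 dual-stack design: IPv4 traffic between them is carried over a GRE over IPsec VPN, and IPv6 traffic over an IPv6 over IPv4 GRE tunnel.
3.1.3 Project topology design
Figure 3-1 Network topology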
3.2 Subnet division and IP addresses
3.2.1 Subnet division
Campus A:
| Device | Port | Link type | VLAN parameters |
| --- | --- | --- | --- |
| LSW1 | GE0/0/1 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/2 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/3 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/4 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/5 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/6 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/10 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/11 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/20 | Access | PVID:100 |
| | GE0/0/24 | Access | PVID:106 |
| LSW2 | GE0/0/1 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/2 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/3 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/4 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/5 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/6 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/10 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/11 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/20 | Access | PVID:200 |
| | GE0/0/24 | Access | PVID:201 |
| LSW3 | GE0/0/1 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/2 | Trunk | Allow pass: 11 to 16 |
| | ET0/0/11 | Access | PVID:11 |
| LSW4 | GE0/0/1 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/2 | Trunk | Allow pass: 11 to 16 |
| | ET0/0/11 | Access | PVID:12 |
| LSW5 | GE0/0/1 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/2 | Trunk | Allow pass: 11 to 16 |
| | ET0/0/11 | Access | PVID:13 |
| LSW6 | GE0/0/1 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/2 | Trunk | Allow pass: 11 to 16 |
| | ET0/0/11 | Access | PVID:14 |
| LSW7 | GE0/0/1 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/2 | Trunk | Allow pass: 11 to 16 |
| | ET0/0/11 | Access | PVID:15 |
| LSW8 | GE0/0/1 | Trunk | Allow pass: 11 to 16 |
| | GE0/0/2 | Trunk | Allow pass: 11 to 16 |
| | ET0/0/1 | Access | PVID:16 |
| | ET0/0/11 | Trunk | PVID:10 Allow pass: 10 to 16 |
| AC1 | GE0/0/1 | Trunk | Allow pass: 201 |
Campus B:
| Device | Port | Link type | VLAN parameters |
| --- | --- | --- | --- |
| LSW9 | GE0/0/1 | Access | PVID:300 |
| | GE0/0/2 | Trunk | Allow pass: 17 |
| LSW10 | GE0/0/2 | Trunk | Allow pass: 10 to 16 |
| | ET0/0/1 | Access | PVID:17 |
3.2.2 IP addresses
IPv4 address plan
Campus A:
| Device | Interface | IP address |
| --- | --- | --- |
| AR1 | GE0/0/1 | 10.1.1.1/30 |
| | GE0/0/2 | 10.2.1.1/30 |
| | GE0/0/3 | 200.1.1.1/29 |
| | LoopBack0 | 172.16.1.11/32 |
| | Tunnel 0/0/1 | 100.1.1.1/30 |
| LSW1 | Vlanif 11 | 192.168.11.251/24 |
| | Vlanif 12 | 192.168.12.251/24 |
| | Vlanif 13 | 192.168.13.251/24 |
| | Vlanif 14 | 192.168.14.251/24 |
| | Vlanif 15 | 192.168.15.251/24 |
| | Vlanif 16 | 192.168.16.251/24 |
| | Vlanif 100 | 10.1.1.2/30 |
| | Vlanif 106 | 10.6.6.5/30 |
| | LoopBack0 | 172.16.1.1/32 |
| LSW2 | Vlanif 10 | 10.23.10.1/24 |
| | Vlanif 11 | 192.168.11.252/24 |
| | Vlanif 12 | 192.168.12.252/24 |
| | Vlanif 13 | 192.168.13.252/24 |
| | Vlanif 14 | 192.168.14.252/24 |
| | Vlanif 15 | 192.168.15.252/24 |
| | Vlanif 16 | 192.168.16.252/24 |
| | Vlanif 200 | 10.2.1.2/30 |
| | Vlanif 201 | 10.23.100.2/24 |
| | LoopBack0 | 172.16.1.2/32 |
| Server1 | ET0/0/0 | 10.6.6.6/30 |
| AC1 | Vlanif 201 | 10.23.100.1/24 |
| | LoopBack0 | 172.16.1.100/32 |
Campus B:
| Device | Interface | IP address |
| --- | --- | --- |
| AR3 | GE0/0/0 | 200.2.1.1/29 |
| | GE0/0/1 | 10.3.1.1/30 |
| | LoopBack0 | 172.16.1.33/32 |
| | Tunnel 0/0/1 | 100.1.1.2/30 |
| LSW9 | LoopBack0 | 172.16.1.9/32 |
| | Vlanif 17 | 192.168.17.254/24 |
| | Vlanif 300 | 10.3.1.2/30 |
Carrier:
| Device | Interface | IP address |
| --- | --- | --- |
| AR3 | GE0/0/0 | 200.1.1.2/29 |
| | GE0/0/1 | 200.2.1.2/29 |
| | LoopBack0 | 1.1.1.1/32 |
IPv6 address plan
Campus A:
| Device | Interface | IP address |
| --- | --- | --- |
| AR1 | GE0/0/1 | 2001:10:1:1::1/64 |
| | GE0/0/2 | 2001:10:2:1::1/64 |
| | Tunnel 0/0/2 | 2001:1313::1/64 |
| LSW1 | Vlanif 11 | 2001:192:168:11::251/64 |
| | Vlanif 12 | 2001:192:168:12::251/64 |
| | Vlanif 13 | 2001:192:168:13::251/64 |
| | Vlanif 14 | 2001:192:168:14::251/64 |
| | Vlanif 15 | 2001:192:168:15::251/64 |
| | Vlanif 16 | 2001:192:168:16::251/64 |
| | Vlanif 100 | 2001:10:1:1::2/64 |
| LSW2 | Vlanif 11 | 2001:192:168:11::252/64 |
| | Vlanif 12 | 2001:192:168:12::252/64 |
| | Vlanif 13 | 2001:192:168:13::252/64 |
| | Vlanif 14 | 2001:192:168:14::252/64 |
| | Vlanif 15 | 2001:192:168:15::252/64 |
| | Vlanif 16 | 2001:192:168:16::252/64 |
| | Vlanif 200 | 2001:10:2:1::2/64 |
Campus B:
| Device | Interface | IP address |
| --- | --- | --- |
| AR3 | GE0/0/1 | 2001:10:3:1::1/64 |
| | Tunnel 0/0/2 | 2001:1313::3/64 |
| LSW9 | Vlanif 17 | 2001:192:168:17::254/64 |
| | Vlanif 300 | 2001:10:3:1::2/64 |
4 Device configuration
4.1 Campus A
4.1.1 AR1 configuration
Configure NAT, BFD, SSH, the IPv6 over IPv4 GRE tunnel, the GRE over IPsec VPN, and the OSPFv2 and OSPFv3 routing protocols.
#
ipv6
#
dhcp enable
#
stelnet server enable
rsa local-key-pair create
Input the bits in the modulus[default = 512]:1024
#
aaa
 local-user user-ssh password cipher huawei
 local-user user-ssh privilege level 15
 local-user user-ssh service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
quit
ssh user user-ssh authentication-type all
#
bfd
#
acl number 2001
 rule 5 permit source 192.168.11.0 0.0.0.255
 rule 10 permit source 192.168.12.0 0.0.0.255
 rule 15 permit source 192.168.13.0 0.0.0.255
 rule 20 permit source 192.168.14.0 0.0.0.255
 rule 25 permit source 192.168.15.0 0.0.0.255
 rule 30 permit source 192.168.16.0 0.0.0.255
#
acl number 3000
 rule 5 permit ip source 200.1.1.1 0 destination 200.2.1.1 0
#
ipsec proposal 1
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group14
#
ike peer 1 v1
 pre-shared-key cipher huawei
 ike-proposal 1
 remote-address 200.2.1.1
#
ipsec policy ATOB 1 isakmp
 security acl 3000
 ike-peer 1
 proposal 1
#
dhcpv6 pool 11
 address prefix 2001:192:168:11::/64
 excluded-address 2001:192:168:11::254
 dns-server 3000:8:8:8::8
 dns-domain-name hauwei.com
#
dhcpv6 pool 12
 address prefix 2001:192:168:12::/64
 excluded-address 2001:192:168:12::254
 dns-server 3000:8:8:8::8
 dns-domain-name hauwei.com
#
dhcpv6 pool 13
 address prefix 2001:192:168:13::/64
 excluded-address 2001:192:168:13::254
 dns-server 3000:8:8:8::8
 dns-domain-name hauwei.com
#
dhcpv6 pool 14
 address prefix 2001:192:168:14::/64
 excluded-address 2001:192:168:14::254
 dns-server 3000:8:8:8::8
 dns-domain-name hauwei.com
#
dhcpv6 pool 15
 address prefix 2001:192:168:15::/64
 excluded-address 2001:192:168:15::254
 dns-server 3000:8:8:8::8
 dns-domain-name hauwei.com
#
dhcpv6 pool 16
 address prefix 2001:192:168:16::/64
 excluded-address 2001:192:168:16::254
 dns-server 3000:8:8:8::8
 dns-domain-name hauwei.com
#
ospfv3 32
 router-id 172.16.1.11
 import-route static
#
interface GigabitEthernet0/0/0
 ip address 200.1.1.1 255.255.255.248
 ipsec policy ATOB
 nat outbound 2001
#
interface GigabitEthernet0/0/1
 ipv6 enable
 ip address 10.1.1.1 255.255.255.252
 ipv6 address 2001:10:1:1::1/64
 ospfv3 32 area 0.0.0.0
#
interface GigabitEthernet0/0/2
 ipv6 enable
 ip address 10.2.1.1 255.255.255.252
 ipv6 address 2001:10:2:1::1/64
 ospfv3 32 area 0.0.0.0
#
interface LoopBack0
 ipv6 enable
 ip address 172.16.1.11 255.255.255.255
 ipv6 address 2001:172:16:1::11/64
 ospfv3 32 area 0.0.0.0
#
interface Tunnel0/0/1
 ip address 100.1.1.1 255.255.255.252
 tunnel-protocol gre
 source 200.1.1.1
 destination 200.2.1.1
#
interface Tunnel0/0/2
 ipv6 enable
 ipv6 address 2001:1313::1/64
 tunnel-protocol ipv6-ipv4
 source 200.1.1.1
 destination 200.2.1.1
#
bfd 1 bind peer-ip 10.1.1.2 source-ip 10.1.1.1 auto
 commit
#
bfd 2 bind peer-ip 10.2.1.2 source-ip 10.2.1.1 auto
 commit
#
ospf 32 router-id 172.16.1.11
 default-route-advertise
 area 0.0.0.0
  network 10.1.1.0 0.0.0.3
  network 10.2.1.0 0.0.0.3
  network 172.16.1.11 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.2
ip route-static 192.168.17.0 255.255.255.0 Tunnel0/0/1
#
ipv6 route-static 2001:192:168:17:: 64 Tunnel0/0/2
#
4.1.2 LSW1 configuration
Configure MSTP, VRRP, SSH, DHCP, VRRP6, DHCPv6, Eth-Trunk and BFD. This device is the MSTP root bridge for vlan11, vlan13 and vlan15, and likewise the VRRP and VRRP6 master for them, with BFD linkage configured to track the uplink. It is also the primary DHCP and DHCPv6 server. For vlan12, vlan14 and vlan16 it acts as the secondary root bridge, the VRRP and VRRP6 backup, and the backup DHCP and DHCPv6 server. OSPFv2 and OSPFv3 are configured for internal reachability.
sysname LSW1
#
ipv6
#
stelnet server enable
rsa local-key-pair create
Input the bits in the modulus[default = 512]:1024
#
aaa
 local-user user-ssh password cipher huawei
 local-user user-ssh privilege level 15
 local-user user-ssh service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
quit
ssh user user-ssh authentication-type all
#
vlan batch 11 to 16 100 106
#
stp instance 11 root primary
stp instance 12 root secondary
stp instance 13 root primary
stp instance 14 root secondary
stp instance 15 root primary
stp instance 16 root secondary
#
dhcp enable
#
stp region-configuration
 region-name QYW
 revision-level 12
 instance 11 vlan 11
 instance 12 vlan 12
 instance 13 vlan 13
 instance 14 vlan 14
 instance 15 vlan 15
 instance 16 vlan 16
 active region-configuration
#
bfd
#
ip pool 11
 gateway-list 192.168.11.254
 network 192.168.11.0 mask 255.255.255.0
 excluded-ip-address 192.168.11.128 192.168.11.253
 lease day 3 hour 0 minute 0
 dns-list 8.8.8.8
#
ip pool 12
 gateway-list 192.168.12.254
 network 192.168.12.0 mask 255.255.255.0
 excluded-ip-address 192.168.12.128 192.168.12.253
 lease day 3 hour 0 minute 0
 dns-list 8.8.8.8
#
ip pool 13
 gateway-list 192.168.13.254
 network 192.168.13.0 mask 255.255.255.0
 excluded-ip-address 192.168.13.128 192.168.13.253
 lease day 3 hour 0 minute 0
 dns-list 8.8.8.8
#
ip pool 14
 gateway-list 192.168.14.254
 network 192.168.14.0 mask 255.255.255.0
 excluded-ip-address 192.168.14.128 192.168.14.253
 lease day 3 hour 0 minute 0
 dns-list 8.8.8.8
#
ip pool 15
 gateway-list 192.168.15.254
 network 192.168.15.0 mask 255.255.255.0
 excluded-ip-address 192.168.15.128 192.168.15.253
 lease day 3 hour 0 minute 0
 dns-list 8.8.8.8
#
ip pool 16
 gateway-list 192.168.16.254
 network 192.168.16.0 mask 255.255.255.0
 excluded-ip-address 192.168.16.128 192.168.16.253
 lease day 3 hour 0 minute 0
 dns-list 8.8.8.8
#
ospfv3 32
 router-id 172.16.1.1
#
interface Vlanif1
#
interface Vlanif11
 ipv6 enable
 ip address 192.168.11.251 255.255.255.0
 ipv6 address 2001:192:168:11::251/64
 ospfv3 32 area 0.0.0.0
 vrrp vrid 11 virtual-ip 192.168.11.254
 vrrp vrid 11 priority 105
 vrrp vrid 11 preempt-mode timer delay 60
 vrrp vrid 11 track bfd-session session-name 1 reduced 20
 vrrp6 vrid 11 virtual-ip FE80::11 link-local
 vrrp6 vrid 11 virtual-ip 2001:192:168:11::254
 vrrp6 vrid 11 priority 105
 vrrp6 vrid 11 preempt-mode timer delay 60
 dhcp select global
#
interface Vlanif12
 ipv6 enable
 ip address 192.168.12.251 255.255.255.0
 ipv6 address 2001:192:168:12::251/64
 ospfv3 32 area 0.0.0.0
 vrrp vrid 12 virtual-ip 192.168.12.254
 vrrp6 vrid 12 virtual-ip FE80::12 link-local
 vrrp6 vrid 12 virtual-ip 2001:192:168:12::254
 dhcp select global
#
interface Vlanif13
 ipv6 enable
 ip address 192.168.13.251 255.255.255.0
 ipv6 address 2001:192:168:13::251/64
 ospfv3 32 area 0.0.0.0
 vrrp vrid 13 virtual-ip 192.168.13.254
 vrrp vrid 13 priority 105
 vrrp vrid 13 preempt-mode timer delay 60
 vrrp vrid 13 track bfd-session session-name 1 reduced 20
 vrrp6 vrid 13 virtual-ip FE80::13 link-local
 vrrp6 vrid 13 virtual-ip 2001:192:168:13::254
 vrrp6 vrid 13 priority 105
 vrrp6 vrid 13 preempt-mode timer delay 60
 dhcp select global
#
interface Vlanif14
 ipv6 enable
 ip address 192.168.14.251 255.255.255.0
 ipv6 address 2001:192:168:14::251/64
 ospfv3 32 area 0.0.0.0
 vrrp vrid 14 virtual-ip 192.168.14.254
 vrrp6 vrid 14 virtual-ip FE80::14 link-local
 vrrp6 vrid 14 virtual-ip 2001:192:168:14::254
 dhcp select global
#
interface Vlanif15
 ipv6 enable
 ip address 192.168.15.251 255.255.255.0
 ipv6 address 2001:192:168:15::251/64
 ospfv3 32 area 0.0.0.0
 vrrp vrid 15 virtual-ip 192.168.15.254
 vrrp vrid 15 priority 105
 vrrp vrid 15 preempt-mode timer delay 60
 vrrp vrid 15 track bfd-session session-name 1 reduced 20
 vrrp6 vrid 15 virtual-ip FE80::15 link-local
 vrrp6 vrid 15 virtual-ip 2001:192:168:15::254
 vrrp6 vrid 15 priority 105
 vrrp6 vrid 15 preempt-mode timer delay 60
 dhcp select global
#
interface Vlanif16
 ipv6 enable
 ip address 192.168.16.251 255.255.255.0
 ipv6 address 2001:192:168:16::251/64
 ospfv3 32 area 0.0.0.0
 vrrp vrid 16 virtual-ip 192.168.16.254
 vrrp6 vrid 16 virtual-ip FE80::16 link-local
 vrrp6 vrid 16 virtual-ip 2001:192:168:16::254
 dhcp select global
#
interface Vlanif100
 ipv6 enable
 ip address 10.1.1.2 255.255.255.252
 ipv6 address 2001:10:1:1::2/64
 ospfv3 32 area 0.0.0.0
#
interface Vlanif106
 ip address 10.6.6.5 255.255.255.252
#
interface Eth-Trunk12
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/10
 eth-trunk 12
#
interface GigabitEthernet0/0/11
 eth-trunk 12
#
interface GigabitEthernet0/0/20
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 106
#
interface LoopBack0
 ip address 172.16.1.1 255.255.255.255
#
bfd 1 bind peer-ip 10.1.1.1 source-ip 10.1.1.2 auto
 commit
#
ospf 32 router-id 172.16.1.1
 area 0.0.0.0
  network 192.168.11.0 0.0.0.255
  network 192.168.13.0 0.0.0.255
  network 192.168.15.0 0.0.0.255
  network 10.1.1.0 0.0.0.3
  network 10.6.6.4 0.0.0.3
  network 172.16.1.1 0.0.0.0
  network 192.168.12.0 0.0.0.255
  network 192.168.14.0 0.0.0.255
  network 192.168.16.0 0.0.0.255
#
return
4.1.3 LSW2 configuration
Configure MSTP, VRRP, SSH, DHCP, VRRP6, DHCPv6 and Eth-Trunk. This device is the MSTP root bridge for vlan12, vlan14 and vlan16, and likewise the VRRP and VRRP6 master for them, with BFD linkage configured to track the uplink. It is also the primary DHCP and DHCPv6 server. For vlan11, vlan13 and vlan15 it acts as the secondary root bridge, the VRRP and VRRP6 backup, and the backup DHCP and DHCPv6 server. OSPFv2 and OSPFv3 are configured for internal reachability.
#
ipv6
#
stelnet server enable
rsa local-key-pair create
Input the bits in the modulus[default = 512]:1024
#
aaa
 local-user user-ssh password cipher huawei
 local-user user-ssh privilege level 15
 local-user user-ssh service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
quit
ssh user user-ssh authentication-type all
#
vlan batch 10 to 16 200 to 201
#
stp instance 11 root secondary
stp instance 12 root primary
stp instance 13 root secondary
stp instance 14 root primary
stp instance 15 root secondary
stp instance 16 root primary
#
dhcp enable
#
stp region-configuration
 region-name QYW
 revision-level 12
 instance 11 vlan 11
 instance 12 vlan 12
 instance 13 vlan 13
 instance 14 vlan 14
 instance 15 vlan 15
 instance 16 vlan 16
 active region-configuration
#
bfd
#
ip pool 11
 gateway-list 192.168.11.254
 network 192.168.11.0 mask 255.255.255.0
 excluded-ip-address 192.168.11.1 192.168.11.127
 dns-list 8.8.8.8
#
ip pool 12
 gateway-list 192.168.12.254
 network 192.168.12.0 mask 255.255.255.0
 excluded-ip-address 192.168.12.1 192.168.12.127
 lease day 3 hour 0 minute 0
 dns-list 8.8.8.8
#
ip pool 13
 gateway-list 192.168.13.254
 network 192.168.13.0 mask 255.255.255.0
 excluded-ip-address 192.168.13.1 192.168.13.127
 lease day 3 hour 0 minute 0
 dns-list 8.8.8.8
#
ip pool 14
 gateway-list 192.168.14.254
 network 192.168.14.0 mask 255.255.255.0
 excluded-ip-address 192.168.14.1 192.168.14.127
 lease day 3 hour 0 minute 0
 dns-list 8.8.8.8
#
ip pool 15
 gateway-list 192.168.15.254
 network 192.168.15.0 mask 255.255.255.0
 excluded-ip-address 192.168.15.1 192.168.15.127
 lease day 3 hour 0 minute 0
 dns-list 8.8.8.8
#
ip pool 16
 gateway-list 192.168.16.254
 network 192.168.16.0 mask 255.255.255.0
 excluded-ip-address 192.168.16.1 192.168.16.127
 lease day 3 hour 0 minute 0
 dns-list 8.8.8.8
#
ospfv3 32
 router-id 172.16.1.2
#
interface Vlanif10
 ip address 10.23.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.100.1
#
interface Vlanif11
 ipv6 enable
 ip address 192.168.11.252 255.255.255.0
 ipv6 address 2001:192:168:11::252/64
 ospfv3 32 area 0.0.0.0
 vrrp vrid 11 virtual-ip 192.168.11.254
 vrrp6 vrid 11 virtual-ip FE80::11 link-local
 vrrp6 vrid 11 virtual-ip 2001:192:168:11::254
 dhcp select global
#
interface Vlanif12
 ipv6 enable
 ip address 192.168.12.252 255.255.255.0
 ipv6 address 2001:192:168:12::252/64
 ospfv3 32 area 0.0.0.0
 vrrp vrid 12 virtual-ip 192.168.12.254
 vrrp vrid 12 priority 105
 vrrp vrid 12 preempt-mode timer delay 60
 vrrp vrid 12 track bfd-session session-name 1 reduced 20
 vrrp6 vrid 12 virtual-ip FE80::12 link-local
 vrrp6 vrid 12 virtual-ip 2001:192:168:12::254
 vrrp6 vrid 12 priority 105
 vrrp6 vrid 12 preempt-mode timer delay 60
 dhcp select global
#
interface Vlanif13
 ipv6 enable
 ip address 192.168.13.252 255.255.255.0
 ipv6 address 2001:192:168:13::252/64
 ospfv3 32 area 0.0.0.0
 vrrp vrid 13 virtual-ip 192.168.13.254
 vrrp6 vrid 13 virtual-ip FE80::13 link-local
 vrrp6 vrid 13 virtual-ip 2001:192:168:13::254
 dhcp select global
#
interface Vlanif14
 ipv6 enable
 ip address 192.168.14.252 255.255.255.0
 ipv6 address 2001:192:168:14::252/64
 ospfv3 32 area 0.0.0.0
 vrrp vrid 14 virtual-ip 192.168.14.254
 vrrp vrid 14 priority 105
 vrrp vrid 14 preempt-mode timer delay 60
 vrrp vrid 14 track bfd-session session-name 1 reduced 20
 vrrp6 vrid 14 virtual-ip FE80::14 link-local
 vrrp6 vrid 14 virtual-ip 2001:192:168:14::254
 vrrp6 vrid 14 priority 105
 vrrp6 vrid 14 preempt-mode timer delay 60
 dhcp select global
#
interface Vlanif15
 ipv6 enable
 ip address 192.168.15.252 255.255.255.0
 ipv6 address 2001:192:168:15::252/64
 ospfv3 32 area 0.0.0.0
 vrrp vrid 15 virtual-ip 192.168.15.254
 vrrp6 vrid 15 virtual-ip FE80::15 link-local
 vrrp6 vrid 15 virtual-ip 2001:192:168:15::254
 dhcp select global
#
interface Vlanif16
 ipv6 enable
 ip address 192.168.16.252 255.255.255.0
 ipv6 address 2001:192:168:16::252/64
 ospfv3 32 area 0.0.0.0
 vrrp vrid 16 virtual-ip 192.168.16.254
 vrrp vrid 16 priority 105
 vrrp vrid 16 preempt-mode timer delay 60
 vrrp vrid 16 track bfd-session session-name 1 reduced 20
 vrrp6 vrid 16 virtual-ip FE80::16 link-local
 vrrp6 vrid 16 virtual-ip 2001:192:168:16::254
 vrrp6 vrid 16 priority 105
 vrrp6 vrid 16 preempt-mode timer delay 60
 dhcp select global
#
interface Vlanif200
 ipv6 enable
 ip address 10.2.1.2 255.255.255.252
 ipv6 address 2001:10:2:1::2/64
 ospfv3 32 area 0.0.0.0
#
interface Vlanif201
 ip address 10.23.100.2 255.255.255.0
#
interface Eth-Trunk12
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 10 to 16
#
interface GigabitEthernet0/0/10
 eth-trunk 12
#
interface GigabitEthernet0/0/11
 eth-trunk 12
#
interface GigabitEthernet0/0/20
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 201
#
interface LoopBack0
 ip address 172.16.1.2 255.255.255.255
#
bfd 1 bind peer-ip 10.2.1.1 source-ip 10.2.1.2 auto
 commit
#
ospf 32 router-id 172.16.1.2
 import-route static
 area 0.0.0.0
  network 192.168.12.0 0.0.0.255
  network 192.168.14.0 0.0.0.255
  network 192.168.16.0 0.0.0.255
  network 10.2.1.0 0.0.0.3
  network 172.16.1.2 0.0.0.0
  network 192.168.11.0 0.0.0.255
  network 192.168.13.0 0.0.0.255
  network 192.168.15.0 0.0.0.255
  network 10.23.100.0 0.0.0.255
  network 10.23.10.0 0.0.0.255
#
ip route-static 172.16.1.100 255.255.255.255 10.23.100.1
#
return
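The way each address pool is split between LSW1 and LSW2 can be checked offline before the configuration is loaded. The following added example (not part of the original report) parses `ip pool` blocks as written above and reports overlapping leases, pools present on only one server, and leasable addresses that the address plan assigns statically. `STATIC_HOSTS` and the function names are assumptions, and any automatic exclusion or conflict detection performed by the device itself is not modelled.

```python
import ipaddress

# Constructed sample: pool 11 as written in the LSW1 and LSW2 sections of this page.
LSW1_POOLS = """\
ip pool 11
 gateway-list 192.168.11.254
 network 192.168.11.0 mask 255.255.255.0
 excluded-ip-address 192.168.11.128 192.168.11.253
"""
LSW2_POOLS = """\
ip pool 11
 gateway-list 192.168.11.254
 network 192.168.11.0 mask 255.255.255.0
 excluded-ip-address 192.168.11.1 192.168.11.127
"""
# Vlanif11 addresses of LSW1 and LSW2 from the IPv4 address plan (assumed to be
# the only statically assigned hosts in this subnet).
STATIC_HOSTS = {"11": ["192.168.11.251", "192.168.11.252"]}


def leasable(config_text):
    """Return {pool name: set of addresses the pool, as written, can hand out}."""
    pools, name = {}, None
    for line in config_text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:2] == ["ip", "pool"]:
            name = words[2]
            pools[name] = {"net": None, "drop": set()}
        elif name and words[0] == "network":
            # "network <addr> mask <mask>"
            pools[name]["net"] = ipaddress.ip_network(f"{words[1]}/{words[3]}")
        elif name and words[0] == "gateway-list":
            pools[name]["drop"].update(ipaddress.ip_address(w) for w in words[1:])
        elif name and words[0] == "excluded-ip-address":
            lo = ipaddress.ip_address(words[1])
            hi = ipaddress.ip_address(words[-1])  # single address: lo == hi
            pools[name]["drop"].update(
                ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1))
    return {n: set(p["net"].hosts()) - p["drop"]
            for n, p in pools.items() if p["net"]}


def check_split(primary_text, backup_text, static_hosts):
    """Compare two servers' pools; return a list of (pool, problem, addresses)."""
    a, b = leasable(primary_text), leasable(backup_text)
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            problems.append((name, "missing-on-one-server", []))
            continue
        overlap = sorted(a[name] & b[name])
        if overlap:
            problems.append((name, "overlap", [str(x) for x in overlap]))
        statics = {ipaddress.ip_address(s) for s in static_hosts.get(name, [])}
        clash = sorted(statics & (a[name] | b[name]))
        if clash:
            problems.append((name, "static-address-leasable", [str(x) for x in clash]))
    return problems


if __name__ == "__main__":
    for pool, problem, addrs in check_split(LSW1_POOLS, LSW2_POOLS, STATIC_HOSTS):
        print(f"pool {pool}: {problem} {addrs}")
```

For the pools on this page the two halves do not overlap, but the written exclusions on LSW2 leave the Vlanif addresses .251 and .252 inside its leasable range.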
4.1.4 LSW3 configuration
Configure MSTP and set the interface types.
sysname LSW3
#
vlan batch 11 to 16
#
stp region-configuration
 region-name QYW
 revision-level 12
 instance 11 vlan 11
 instance 12 vlan 12
 instance 13 vlan 13
 instance 14 vlan 14
 instance 15 vlan 15
 instance 16 vlan 16
 active region-configuration
#
interface Ethernet0/0/11
 port link-type access
 port default vlan 11
 stp edged-port enable
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
4.1.5 LSW4 configuration
Configure MSTP and set the interface types.
sysname LSW4
#
vlan batch 11 to 16
#
stp region-configuration
 region-name QYW
 revision-level 12
 instance 11 vlan 11
 instance 12 vlan 12
 instance 13 vlan 13
 instance 14 vlan 14
 instance 15 vlan 15
 instance 16 vlan 16
 active region-configuration
#
interface Ethernet0/0/11
 port link-type access
 port default vlan 12
 stp edged-port enable
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
4.1.6 LSW5 configuration
Configure MSTP and set the interface types.
sysname LSW5
#
vlan batch 11 to 16
#
stp region-configuration
 region-name QYW
 revision-level 12
 instance 11 vlan 11
 instance 12 vlan 12
 instance 13 vlan 13
 instance 14 vlan 14
 instance 15 vlan 15
 instance 16 vlan 16
 active region-configuration
#
interface Ethernet0/0/11
 port link-type access
 port default vlan 13
 stp edged-port enable
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
4.1.7 LSW6 configuration
Configure MSTP and set the interface types.
sysname LSW6
#
vlan batch 11 to 16
#
stp region-configuration
 region-name QYW
 revision-level 12
 instance 11 vlan 11
 instance 12 vlan 12
 instance 13 vlan 13
 instance 14 vlan 14
 instance 15 vlan 15
 instance 16 vlan 16
 active region-configuration
#
interface Ethernet0/0/11
 port link-type access
 port default vlan 14
 stp edged-port enable
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
4.1.8 LSW7 configuration
Configure MSTP and set the interface types.
sysname LSW7
#
vlan batch 11 to 16
#
stp region-configuration
 region-name QYW
 revision-level 12
 instance 11 vlan 11
 instance 12 vlan 12
 instance 13 vlan 13
 instance 14 vlan 14
 instance 15 vlan 15
 instance 16 vlan 16
 active region-configuration
#
interface Ethernet0/0/11
 port link-type access
 port default vlan 15
 stp edged-port enable
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
4.1.9 LSW8 configuration
Configure MSTP and set the interface types.
sysname LSW8
#
vlan batch 10 to 16
#
stp region-configuration
 region-name QYW
 revision-level 12
 instance 11 vlan 11
 instance 12 vlan 12
 instance 13 vlan 13
 instance 14 vlan 14
 instance 15 vlan 15
 instance 16 vlan 16
 active region-configuration
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/11
 port link-type access
 port default vlan 16
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 to 16
#
4.1.10 AC1 configuration
Configure the wireless AC.
vlan batch 16 201
#
vlan pool sta-pool
 vlan 16
#
dhcp enable
#
ip pool huawei
 gateway-list 10.23.10.1
 network 10.23.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif201
 ip address 10.23.100.1 255.255.255.0
 dhcp select global
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 201
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.2
#
capwap source interface vlanif201
#
wlan
 security-profile name visitors
  security wpa-wpa2 psk pass-phrase a1234567 aes
 ssid-profile name visitors
  ssid visitors
 vap-profile name visitors
  service-vlan vlan-pool sta-pool
  ssid-profile visitors
  security-profile visitors
 ap-group name ap-group1
  radio 0
   vap-profile visitors wlan 1
  radio 1
   vap-profile visitors wlan 1
 ap-id 0 type-id 35 ap-mac 00e0-fc1e-65b0 ap-sn 210235448310FF534D33
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
4.2 Campus B configuration
4.2.1 AR3 configuration
Configure NAT, SSH, the IPv6 over IPv4 GRE tunnel, the GRE over IPsec VPN, and the OSPFv2 and OSPFv3 routing protocols.
#
 sysname AR3
#
stelnet server enable
rsa local-key-pair create
Input the bits in the modulus[default = 512]:1024
#
aaa
 local-user user-ssh password cipher huawei
 local-user user-ssh privilege level 15
 local-user user-ssh service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
quit
ssh user user-ssh authentication-type all
#
acl number 2001
 rule 5 permit source 192.168.17.0 0.0.0.255
#
acl number 3000
 rule 5 permit ip source 200.2.1.1 0 destination 200.1.1.1 0
acl number 3001
#
ipsec proposal 1
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group14
#
ike peer 1 v1
 pre-shared-key cipher huawei
 ike-proposal 1
 remote-address 200.1.1.1
#
ipsec policy BTOA 1 isakmp
 security acl 3000
 ike-peer 1
 proposal 1
#
ospfv3 32
 router-id 172.16.1.33
 import-route static
#
interface GigabitEthernet0/0/0
 ip address 200.2.1.1 255.255.255.248
 ipsec policy BTOA
 nat outbound 2001
#
interface GigabitEthernet0/0/1
 ipv6 enable
 ip address 10.3.1.1 255.255.255.252
 ipv6 address 2001:10:3:1::1/64
 ospfv3 32 area 0.0.0.0
#
interface LoopBack0
 ip address 172.16.1.33 255.255.255.255
#
interface Tunnel0/0/1
 ip address 100.1.1.2 255.255.255.252
 tunnel-protocol gre
 source 200.2.1.1
 destination 200.1.1.1
#
interface Tunnel0/0/2
 ipv6 enable
 ipv6 address 2001:1313::3/64
 tunnel-protocol ipv6-ipv4
 source 200.2.1.1
 destination 200.1.1.1
#
ospf 32
 default-route-advertise
 area 0.0.0.0
  network 10.3.1.0 0.0.0.3
  network 172.16.1.33 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 200.2.1.2
ip route-static 10.6.6.4 255.255.255.252 Tunnel0/0/1
ip route-static 192.168.0.0 255.255.0.0 Tunnel0/0/1
#
ipv6 route-static 2001:192:168:11:: 64 Tunnel0/0/2
ipv6 route-static 2001:192:168:12:: 64 Tunnel0/0/2
ipv6 route-static 2001:192:168:13:: 64 Tunnel0/0/2
ipv6 route-static 2001:192:168:14:: 64 Tunnel0/0/2
ipv6 route-static 2001:192:168:15:: 64 Tunnel0/0/2
#
4.2.2 LSW9 configuration
Configure the DHCP server, IPv6, and the OSPFv2 and OSPFv3 routing protocols.
#
ipv6
#
vlan batch 17 300
#
stelnet server enable
rsa local-key-pair create
Input the bits in the modulus[default = 512]:1024
#
aaa
 local-user user-ssh password cipher huawei
 local-user user-ssh privilege level 15
 local-user user-ssh service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
quit
ssh user user-ssh authentication-type all
#
ospfv3 32
 router-id 172.16.1.9
#
dhcp enable
#
ip pool 17
 gateway-list 192.168.17.254
 network 192.168.17.0 mask 255.255.255.0
 dns-list 8.8.8.8
#
interface Vlanif17
 ipv6 enable
 ip address 192.168.17.254 255.255.255.0
 ipv6 address 2001:192:168:17::254/64
 ospfv3 32 area 0.0.0.0
 dhcp select global
#
interface Vlanif300
 ipv6 enable
 ip address 10.3.1.2 255.255.255.252
 ipv6 address 2001:10:3:1::2/64
 ospfv3 32 area 0.0.0.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 300
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 17
#
interface LoopBack0
 ip address 172.16.1.9 255.255.255.255
#
ospf 32
 area 0.0.0.0
  network 10.3.1.0 0.0.0.3
  network 192.168.17.0 0.0.0.255
  network 172.16.1.9 0.0.0.0
#
4.2.3 LSW10 configuration
Configure MSTP and set the interface types.
#
sysname LSW10
#
vlan batch 17
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 17
#
interface Ethernet0/0/2
 port link-type trunk
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 17
#
4.3 Carrier configuration
4.3.1 AR2 configuration
Configure static routes and a loopback interface to simulate the external network (the carrier).
interface GigabitEthernet0/0/0
 ip address 200.1.1.2 255.255.255.248
#
interface GigabitEthernet0/0/1
 ip address 200.2.1.2 255.255.255.248
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
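The management, VPN and trunk settings in the configurations above can be checked against a local baseline before deployment. The following added example (not part of the original report) scans configuration text as typed on this page; the thresholds, the deny-list and the rule names are assumptions, and the sample lines are taken from the AR1, LSW8 and AC1 sections. A saved device configuration stores secrets as ciphertext, so the secret checks apply only to command scripts like the ones shown here.

```python
import re

# Constructed sample: lines copied from the AR1, LSW8 and AC1 sections of this page.
SAMPLE_CONFIG = """\
stelnet server enable
rsa local-key-pair create
Input the bits in the modulus[default = 512]:1024
aaa
 local-user user-ssh password cipher huawei
 local-user user-ssh privilege level 15
ike peer 1 v1
 pre-shared-key cipher huawei
interface Ethernet0/0/1
 port trunk pvid vlan 10
 port trunk allow-pass vlan 2 to 4094
wlan
 security-profile name visitors
  security wpa-wpa2 psk pass-phrase a1234567 aes
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 10 to 16
"""

MIN_RSA_BITS = 2048      # assumption: local policy threshold
MIN_SECRET_LEN = 12      # assumption: local policy threshold
GUESSABLE = {"huawei", "admin", "password"}   # assumption: small deny-list
PLANNED_VLANS = set(range(10, 17))            # VLANs 10 to 16 from the page's VLAN plan

SECRET_RE = re.compile(r"(password cipher|pre-shared-key cipher|pass-phrase)\s+(\S+)")
RSA_RE = re.compile(r"modulus\[.*?\]:\s*(\d+)")
IKE_RE = re.compile(r"^ike peer \S+ v1\b")
TRUNK_RE = re.compile(r"port trunk allow-pass vlan (.+)$")


def expand_vlans(spec):
    """Expand a VLAN list such as '11 to 16 100 106' into a set of IDs."""
    tokens = spec.split()
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit(config_text):
    """Return a list of (line number, rule name, detail) findings."""
    findings = []
    seen_secrets = {}   # secret -> kind of the first command that used it
    for no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        m = RSA_RE.search(line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append((no, "RSA-KEY-SIZE", f"{m.group(1)}-bit host key"))
        m = SECRET_RE.search(line)
        if m:
            kind, secret = m.groups()
            if len(secret) < MIN_SECRET_LEN or secret.lower() in GUESSABLE:
                findings.append((no, "WEAK-SECRET", kind))
            if secret in seen_secrets and seen_secrets[secret] != kind:
                findings.append(
                    (no, "SECRET-REUSE", f"{kind} repeats {seen_secrets[secret]}"))
            seen_secrets.setdefault(secret, kind)
        if IKE_RE.match(line):
            findings.append((no, "IKEV1", line))
        m = TRUNK_RE.search(line)
        if m:
            extra = expand_vlans(m.group(1)) - PLANNED_VLANS
            if extra:
                findings.append(
                    (no, "TRUNK-UNPLANNED-VLANS", f"{len(extra)} VLANs outside plan"))
    return findings


if __name__ == "__main__":
    for no, rule, detail in audit(SAMPLE_CONFIG):
        print(f"line {no}: {rule}: {detail}")
```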
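5 Verification and testing
5.1 Result tests
5.1.1 Hosts obtain addresses via DHCP
5.1.2 Obtaining Wi-Fi through the AP
Access the external network at 1.1.1.1.
Access the internal resource server 10.6.6.6; access the internal marketing department at 192.168.11.127.
5.1.3 IPv4 intranet connectivity test
Using PC1 as an example, access PC2, PC3, PC4, PC5 and PC9.
5.1.4 IPv6 intranet connectivity test
Using PC1 as an example, access PC2, PC3, PC4, PC5 and PC9.
5.1.5 SSH verification
Using LSW1 as an example, log in to AR1 over SSH.
5.1.6 Campus A and campus B Internet access through NAT
Campus A: PC1, as an example, accesses the external network at 1.1.1.1.
Campus B: PC6 accesses the external network at 1.1.1.1.
5.1.7 Campus A to campus B over the VPN and dual stack
Campus A accesses campus B through the GRE over IPsec VPN.
Campus B accesses the campus A resource server through the GRE over IPsec VPN.
Campus A accesses campus B through the IPv6 over IPv4 GRE tunnel.
5.2 Reliability and redundancy tests
5.2.1 MSTP redundancy test
On LSW1, after GE0/0/1 is shut down, PC1 accesses 172.16.1.11 and the traffic goes through LSW2.
On LSW2, after GE0/0/1 is shut down, PC2 accesses 172.16.1.11 and the traffic goes through LSW1.
5.2.2 VRRP and VRRP6 redundancy test
On LSW1, GE0/0/20: PC1 accesses 1.1.1.1 and the traffic goes through LSW2.
On LSW2, GE0/0/20: PC2 accesses 1.1.1.1 and the traffic goes through LSW1.
On LSW1, GE0/0/20: PC1 accesses 2001:172:16:1::1 and the traffic goes through LSW2.
On LSW2, GE0/0/20: PC2 accesses 2001:172:16:1::1 and the traffic goes through LSW1.
5.2.3 DHCP redundancy test
Shut down LSW1 to simulate a DHCP failure; LSW2 takes over as the backup DHCP server.
This article is shared for educational purposes only and is not used for any commercial purpose.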