eNSP毕业设计系列-《大型企业网》-BGP网络无nat

客户主要需求:需要有三栋楼,每栋楼有三个业务。

又新增了要求,要双核心、双防火墙。

所以我根据客户的需求,完成了如下组网设计。

主要技术:MSTP+VRRP+链路聚合+OSPF 的传统园区组网(万金油组合)

防火墙技术:HRP 双机热备 + IP-LINK(向上游做远端 ICMP 探测,并通过 link-group 实现上下行接口联动,探测失败时触发主备切换)+ OSPF

路由器:通过 BGP 将企业网内网路由通告至骨干网(骨干网不是重点,忽略即可)。注意内网使用的是 10.1.x.0/24 私网地址,这种做法只能在实验或私有骨干网中使用,真实运营商会过滤 RFC1918 前缀。

我们在做毕设的时候可以用万金油组合来套用各种实验,但有时也可以做点这种稍微大型的,放弃 NAT,用 BGP 来做,显得大气些。需要注意的是:去掉 NAT 后内网主机对骨干网是直接可路由的,防火墙 untrust→trust 方向的默认拒绝就成了唯一的入向防线,安全策略要按最小权限来写。

分享主要配置

汇聚交换机


#
# HJ-1: primary aggregation switch of the pair HJ-1/HJ-2.
# - MSTP root (primary) for instances 1-3, one instance per user VLAN
# - VRRP master (priority 120) for the VLAN 10/20/30 gateways
# - DHCP server for the three user VLANs
# - OSPF ABR: area 0 on the VLAN 100 link to fw-1, area 1 for the user VLANs
#
sysname HJ-1
#
vlan batch 10 20 30 100
#
# Root and VRRP master are the same box, so forwarding for the user VLANs
# stays on HJ-1 and the HJ-1/HJ-2 trunk is not in the normal data path.
stp instance 1 root primary
stp instance 2 root primary
stp instance 3 root primary
#
dhcp enable
#
stp region-configuration
 region-name huawei
 instance 1 vlan 10 
 instance 2 vlan 20 
 instance 3 vlan 30 
 active region-configuration
#
# NOTE(review): HJ-2 serves identical pools with no split and no
# excluded-ip-address, so two independent servers allocate from one range.
# Confirm the server excludes .252/.253/.254 and consider splitting each
# pool between the two switches so leases cannot collide.
ip pool vlan10
 gateway-list 10.1.10.254 
 network 10.1.10.0 mask 255.255.255.0 
#
ip pool vlan20
 gateway-list 10.1.20.254 
 network 10.1.20.0 mask 255.255.255.0 
#
ip pool vlan30
 gateway-list 10.1.30.254 
 network 10.1.30.0 mask 255.255.255.0 
#
# VRRP gateways for the user VLANs. No authentication-mode is set, so any
# host in the VLAN can announce a higher priority and take over the
# gateway; authentication has to be added on HJ-1 and HJ-2 at the same
# time. Tracking GE0/0/1 (uplink to fw-1) lowers 120 to 90, below HJ-2's
# default 100, so the gateway moves to HJ-2 when the uplink fails.
interface Vlanif10
 ip address 10.1.10.252 255.255.255.0 
 vrrp vrid 10 virtual-ip 10.1.10.254
 vrrp vrid 10 priority 120
 vrrp vrid 10 track interface GigabitEthernet0/0/1 reduced 30
 dhcp select global
#
interface Vlanif20
 ip address 10.1.20.252 255.255.255.0 
 vrrp vrid 20 virtual-ip 10.1.20.254
 vrrp vrid 20 priority 120
 vrrp vrid 20 track interface GigabitEthernet0/0/1 reduced 30
 dhcp select global
#
interface Vlanif30
 ip address 10.1.30.252 255.255.255.0 
 vrrp vrid 30 virtual-ip 10.1.30.254
 vrrp vrid 30 priority 120
 vrrp vrid 30 track interface GigabitEthernet0/0/1 reduced 30
 dhcp select global
#
# OSPF area 0 point-to-point link to fw-1 (10.1.1.1). The adjacency is
# unauthenticated; ospf authentication-mode md5 on both ends is advisable.
interface Vlanif100
 ip address 10.1.1.2 255.255.255.252 
#
# Trunk to HJ-2 over GE0/0/3 + GE0/0/4 (no "mode lacp", so presumably the
# default manual load-balance mode). NOTE(review): a Huawei trunk also
# passes VLAN 1 by default; add `undo port trunk allow-pass vlan 1` if
# VLAN 1 is not meant to reach the access layer.
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#
# L3 uplink to fw-1, carried in VLAN 100. Edge port because the firewall
# sends no BPDUs; without stp bpdu-protection a received BPDU only turns
# the port back into a normal STP port.
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 100
 stp edged-port enable
#
# Trunks towards the access layer (presumably one per building); the same
# VLAN 1 remark as on Eth-Trunk1 applies.
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet0/0/3
 eth-trunk 1
#
interface GigabitEthernet0/0/4
 eth-trunk 1
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#
# ABR: area 0 towards the firewall, area 1 for the user VLANs.
# No area or interface authentication is configured.
ospf 1 router-id 1.1.1.1 
 area 0.0.0.0 
  network 10.1.1.0 0.0.0.3 
 area 0.0.0.1 
  network 10.1.10.0 0.0.0.255 
  network 10.1.20.0 0.0.0.255 
  network 10.1.30.0 0.0.0.255 


#
# HJ-2: secondary aggregation switch.
# - MSTP secondary root for instances 1-3
# - VRRP backup (default priority 100, no tracking) for VLAN 10/20/30
# - second DHCP server for the same pools as HJ-1
# - OSPF ABR: area 0 on the VLAN 100 link to fw-2, area 1 for the user VLANs
#
sysname HJ-2
#
vlan batch 10 20 30 100
#
stp instance 1 root secondary
stp instance 2 root secondary
stp instance 3 root secondary
#
dhcp enable
#
stp region-configuration
 region-name huawei
 instance 1 vlan 10 
 instance 2 vlan 20 
 instance 3 vlan 30 
 active region-configuration
#
# NOTE(review): these are the same pools HJ-1 serves, with no split and no
# excluded-ip-address, so both switches may hand out the same address.
# Split the ranges between the two switches or keep a single server.
ip pool vlan10
 gateway-list 10.1.10.254 
 network 10.1.10.0 mask 255.255.255.0 
#
ip pool vlan20
 gateway-list 10.1.20.254 
 network 10.1.20.0 mask 255.255.255.0 
#
ip pool vlan30
 gateway-list 10.1.30.254 
 network 10.1.30.0 mask 255.255.255.0 
#
# VRRP backup: priority left at the default, so it becomes master when
# HJ-1's tracked uplink fails (HJ-1 drops to 90) or HJ-1 disappears.
# No authentication-mode is configured; any VLAN host could claim the
# gateway. Authentication must be enabled on both switches together.
interface Vlanif10
 ip address 10.1.10.253 255.255.255.0 
 vrrp vrid 10 virtual-ip 10.1.10.254
 dhcp select global
#
interface Vlanif20
 ip address 10.1.20.253 255.255.255.0 
 vrrp vrid 20 virtual-ip 10.1.20.254
 dhcp select global
#
interface Vlanif30
 ip address 10.1.30.253 255.255.255.0 
 vrrp vrid 30 virtual-ip 10.1.30.254
 dhcp select global
#
# OSPF area 0 link to fw-2 (10.1.1.5); the adjacency is unauthenticated.
interface Vlanif100
 ip address 10.1.1.6 255.255.255.252 
#
# Trunk to HJ-1 over GE0/0/3 + GE0/0/4. NOTE(review): a Huawei trunk also
# passes VLAN 1 by default; add `undo port trunk allow-pass vlan 1` if
# VLAN 1 is not meant to be carried.
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#
# L3 uplink to fw-2 in VLAN 100; edge port, no bpdu-protection configured.
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 100
 stp edged-port enable
#
# Trunks towards the access layer.
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet0/0/3
 eth-trunk 1
#
interface GigabitEthernet0/0/4
 eth-trunk 1
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 10 20 30

#
# ABR: area 0 towards fw-2, area 1 for the user VLANs. No authentication.
ospf 1 router-id 1.1.1.2 
 area 0.0.0.0 
  network 10.1.1.4 0.0.0.3 
 area 0.0.0.1 
  network 10.1.10.0 0.0.0.255 
  network 10.1.20.0 0.0.0.255 
  network 10.1.30.0 0.0.0.255 

防火墙


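#
# fw-1: active unit of the HRP pair (fw-2 is the "hrp standby-device").
# GE1/0/2 (trust) faces HJ-1, GE1/0/0 (untrust) faces Core-1, GE1/0/1 (dmz)
# carries the HRP heartbeat, GE0/0/0 is presumably the management port.
#
sysname fw-1
#
# HRP: heartbeat on GE1/0/1, configuration on the standby allowed, and the
# pair fails over when either the upstream or the downstream interface goes
# down. NOTE(review): no hrp authentication-key is set; add one on both
# units if the heartbeat link is ever shared with other traffic.
 hrp enable
 hrp interface GigabitEthernet1/0/1 remote 1.1.1.2
 hrp standby config enable
 hrp track interface GigabitEthernet1/0/0
 hrp track interface GigabitEthernet1/0/2
#
# Remote probe: ICMP to Core-1's backbone-facing address out of GE1/0/0.
# Probe failure takes link-group 1 down, so GE1/0/0 and GE1/0/2 go down
# together and the OSPF/HRP failover to fw-2 is triggered.
ip-link check enable
ip-link name test
 destination 20.1.1.2 interface GigabitEthernet1/0/0 mode icmp
#
# service-manage ping permit only lets the interface itself answer ping;
# it does not open anything through the firewall.
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.10 255.255.255.252
 link-group 1
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.252
 link-group 1
#
# NOTE(review): the management port shares the trust zone with the inside
# link; a dedicated management zone with its own local<->mgmt policy would
# keep device access separate from user traffic. Left unchanged here.
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1
#
# Area 0 on both the inside (10.1.1.0/30) and outside (10.1.1.8/30) links.
# Unauthenticated; ospf authentication-mode md5 should be added on both
# ends of each link.
ospf 1 router-id 1.1.1.3
 area 0.0.0.0
  network 10.1.1.0 0.0.0.3
  network 10.1.1.8 0.0.0.3
#
# OSPF (IP protocol 89) as an explicit service so the local<->untrust rule
# can be limited to it.
ip service-set OSPF type object
 service 0 protocol 89
#
# The original local<->untrust rule permitted every service in both
# directions, i.e. the whole firewall control plane was reachable from the
# backbone, and without NAT nothing else stands between the backbone and
# this device. Only two flows are actually needed on that boundary: OSPF
# with Core-1, and the ICMP probe towards 20.1.1.2 (replies come back on
# the session). trust->untrust stays open for the three user subnets;
# untrust->trust and everything else falls through to the default deny.
security-policy
 rule name L-U-OSPF
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service OSPF
  action permit
 rule name L-U-PROBE
  source-zone local
  destination-zone untrust
  destination-address 20.1.1.2 mask 255.255.255.255
  service icmp
  action permit
 rule name sec
  source-zone trust
  destination-zone untrust
  source-address 10.1.10.0 mask 255.255.255.0
  source-address 10.1.20.0 mask 255.255.255.0
  source-address 10.1.30.0 mask 255.255.255.0
  action permit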



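#
# fw-2: standby unit of the HRP pair. GE1/0/2 (trust) faces HJ-2,
# GE1/0/0 (untrust) faces Core-2, GE1/0/1 (dmz) carries the HRP heartbeat,
# GE0/0/0 is presumably the management port.
#
sysname fw-2
#
# HRP standby: heartbeat to fw-1 on GE1/0/1, tracks the same two interfaces
# so it takes over when fw-1's upstream or downstream side fails.
# NOTE(review): no hrp authentication-key is set on either unit.
 hrp enable
 hrp standby-device
 hrp interface GigabitEthernet1/0/1 remote 1.1.1.1
 hrp standby config enable
 hrp track interface GigabitEthernet1/0/0
 hrp track interface GigabitEthernet1/0/2
#
# Remote probe: ICMP to Core-2's backbone-facing address out of GE1/0/0;
# failure takes link-group 1 (GE1/0/0 + GE1/0/2) down.
ip-link check enable
ip-link name test
 destination 20.1.1.6 interface GigabitEthernet1/0/0 mode icmp
#
# service-manage ping permit only lets the interface itself answer ping.
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.14 255.255.255.252
 link-group 1
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.1.1.5 255.255.255.252
 link-group 1
#
# NOTE(review): management port shares the trust zone with the inside link;
# a dedicated management zone would be preferable. Left unchanged here.
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1
#
# Area 0 on the inside (10.1.1.4/30) and outside (10.1.1.12/30) links.
# Unauthenticated; ospf authentication-mode md5 should be added on both
# ends of each link.
ospf 1 router-id 1.1.1.4
 area 0.0.0.0
  network 10.1.1.4 0.0.0.3
  network 10.1.1.12 0.0.0.3
#
# OSPF (IP protocol 89) as an explicit service for the local<->untrust rule.
ip service-set OSPF type object
 service 0 protocol 89
#
# The original local<->untrust rule permitted every service in both
# directions, exposing the firewall's control plane to the backbone.
# Restricted to the two flows that are needed: OSPF with Core-2 and the
# ICMP probe to 20.1.1.6. untrust->trust and anything else hits the
# default deny. (HRP normally syncs the policy from fw-1; both listings are
# kept identical here so the document stays consistent.)
security-policy
 rule name L-U-OSPF
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service OSPF
  action permit
 rule name L-U-PROBE
  source-zone local
  destination-zone untrust
  destination-address 20.1.1.6 mask 255.255.255.255
  service icmp
  action permit
 rule name sec
  source-zone trust
  destination-zone untrust
  source-address 10.1.10.0 mask 255.255.255.0
  source-address 10.1.20.0 mask 255.255.255.0
  source-address 10.1.30.0 mask 255.255.255.0
  action permit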

核心路由器


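#
# Core-1: edge router. eBGP to the backbone (AS 65002) on GE0/0/2, iBGP to
# Core-2 on GE0/0/0, OSPF area 0 to fw-1 on GE0/0/1.
#
sysname Core-1
#
interface GigabitEthernet0/0/0
 ip address 10.1.1.17 255.255.255.252
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.9 255.255.255.252
#
interface GigabitEthernet0/0/2
 ip address 20.1.1.2 255.255.255.252
#
# Prefixes this site is allowed to originate. Without an export filter,
# anything in the BGP table - including backbone routes learned from
# Core-2 over iBGP - would be offered back to AS 65002, making the site a
# potential transit AS (the backbone would usually drop them by AS-path
# loop detection, but that should not be relied on).
ip ip-prefix SITE-PREFIXES index 10 permit 10.1.10.0 24
ip ip-prefix SITE-PREFIXES index 20 permit 10.1.20.0 24
ip ip-prefix SITE-PREFIXES index 30 permit 10.1.30.0 24
#
route-policy TO-BACKBONE permit node 10
 if-match ip-prefix SITE-PREFIXES
#
# Refuse our own prefixes from the backbone so a misconfigured or hostile
# neighbour cannot announce the internal subnets; node 20 permits the rest.
route-policy FROM-BACKBONE deny node 10
 if-match ip-prefix SITE-PREFIXES
route-policy FROM-BACKBONE permit node 20
#
# NOTE(review): the eBGP session is unauthenticated. `peer 20.1.1.1
# password cipher <key>` and a `peer 20.1.1.1 route-limit` need matching
# settings on the backbone side and cannot be enabled unilaterally.
bgp 65001
 peer 10.1.1.18 as-number 65001
 peer 20.1.1.1 as-number 65002
 #
 ipv4-family unicast
  undo synchronization
  network 10.1.10.0 255.255.255.0
  network 10.1.20.0 255.255.255.0
  network 10.1.30.0 255.255.255.0
  peer 10.1.1.18 enable
  peer 10.1.1.18 next-hop-local
  peer 20.1.1.1 enable
  peer 20.1.1.1 route-policy TO-BACKBONE export
  peer 20.1.1.1 route-policy FROM-BACKBONE import
#
# import-route bgp redistributes every backbone route into OSPF as external
# LSAs. Acceptable for a lab backbone; with a large table prefer
# default-route-advertise plus a route-policy on the import. The area-0
# adjacencies are unauthenticated.
ospf 1 router-id 1.1.1.5
 import-route bgp
 area 0.0.0.0
  network 10.1.1.8 0.0.0.3
  network 10.1.1.16 0.0.0.3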


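#
# Core-2: second edge router. eBGP to the backbone (AS 65002) on GE0/0/2,
# iBGP to Core-1 on GE0/0/0, OSPF area 0 to fw-2 on GE0/0/1.
#
sysname Core-2
#
interface GigabitEthernet0/0/0
 ip address 10.1.1.18 255.255.255.252
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.13 255.255.255.252
#
interface GigabitEthernet0/0/2
 ip address 20.1.1.6 255.255.255.252
#
# Prefixes this site may originate. The export filter stops backbone routes
# learned from Core-1 over iBGP from being offered back to AS 65002
# (no unintended transit).
ip ip-prefix SITE-PREFIXES index 10 permit 10.1.10.0 24
ip ip-prefix SITE-PREFIXES index 20 permit 10.1.20.0 24
ip ip-prefix SITE-PREFIXES index 30 permit 10.1.30.0 24
#
route-policy TO-BACKBONE permit node 10
 if-match ip-prefix SITE-PREFIXES
#
# Refuse our own prefixes from the backbone (hijack protection); node 20
# permits everything else.
route-policy FROM-BACKBONE deny node 10
 if-match ip-prefix SITE-PREFIXES
route-policy FROM-BACKBONE permit node 20
#
# NOTE(review): the eBGP session is unauthenticated; `peer 20.1.1.5
# password cipher <key>` and a route-limit need agreement with the
# backbone side.
bgp 65001
 peer 10.1.1.17 as-number 65001
 peer 20.1.1.5 as-number 65002
 #
 ipv4-family unicast
  undo synchronization
  network 10.1.10.0 255.255.255.0
  network 10.1.20.0 255.255.255.0
  network 10.1.30.0 255.255.255.0
  peer 10.1.1.17 enable
  peer 10.1.1.17 next-hop-local
  peer 20.1.1.5 enable
  peer 20.1.1.5 route-policy TO-BACKBONE export
  peer 20.1.1.5 route-policy FROM-BACKBONE import
#
# import-route bgp pushes every backbone route into OSPF as external LSAs;
# fine for a lab, consider default-route-advertise with a filtered import
# otherwise. The area-0 adjacencies are unauthenticated.
ospf 1 router-id 1.1.1.6
 import-route bgp
 area 0.0.0.0
  network 10.1.1.12 0.0.0.3
  network 10.1.1.16 0.0.0.3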


转载自blog.csdn.net/weixin_45650628/article/details/134350335