Topology
The topology can be saved locally, and then enlarged to view, so that it can be seen more clearly.
IP address configuration , and test direct connection connectivity
4.1 About the configuration
instructions of the access layer switch: because the access layer switch belongs to the second layer switch, there is no need to configure the IP address, only the corresponding management address needs to be configured. The management address will be carried out in the follow-up.
4.2
Analysis of core switch IP configuration : In the IP address planning section, it has been planned that the gateways corresponding to PCs and servers are 192.168x.254. This gateway address can not be arbitrarily defined on which switch. It is recommended to split equally. Defined, of course, can not be defined. VRRP will be virtualized later. VRRP can directly use the interface address, so there is no need to waste an IP address as the interface address. So the scheme adopted here is to share, for example, the gateway of VLAN 19 is in the Core -A above, and VLAN 20 above Core-B, and so on. This result is to cooperate with VRRP technology to achieve load sharing, and cooperate with MSTP technology to achieve link sharing. The subsequent implementation will have a detailed analysis.
4.2.1 Core-A address configuration
[Core-A]interface vlan 19
[Core-A-Vlanif19]ip address 192.168.19.254 24
[Core-A]int vlan 20
[Core-A-Vlanif20]ip address 192.168.20.253 24
[Core-A-Vlanif20]int vlan 21
[Core-A-Vlanif21]ip address 192.168.21.254 24
[Core-A-Vlanif20]int vlan 88
[Core-A-Vlanif88]ip address 192.168.88.253 24
[Core-A]interface vlan 1
[Core-A-Vlanif1]ip address 192.168.1.254 24
[Core-A]interface vlan 100
[Core-A-Vlanif100]ip address 192.168.100.253 24
4.2.2 Core-B address configuration
[Core-B]interface vlan 19
[Core-B-Vlanif19]ip address 192.168.19.253 24
[Core-B-Vlanif19]int vlan 20
[Core-B-Vlanif20]ip address 192.168.20.254 24
[Core-B-Vlanif20]int vlan 21
[Core-B-Vlanif21]ip address 192.168.21.253 24
[Core-B-Vlanif21]int vlan 88
[Core-B-Vlanif88]ip address 192.168.88.254 24
[Core-B]interface vlan 1
[Core-B-Vlanif1]ip address 192.168.1.253 24
[Core-B]interface vlan 100
[Core-B-Vlanif100]ip address 192.168.100.254 24
Description: You can see that Core-A and B share each other. Here, for example, the gateway of VLAN 19 is above A, and B is the other one. In VLAN 20, B is the gateway and A is a common address. This is for the subsequent planning of VRRP.
4.3 Firewall interface configuration
analysis: Two addresses need to be defined in the firewall, one is connected to the core switch, that is, the address of VLAN 100, and the other is the outgoing interface address, which is configured as a public network address, which will provide internal network access to the external network. Services, and access to internal servers from the external network through mapping. It should be noted that there is the concept of zones in the firewall, and we must assign interfaces to the corresponding zones, and we will follow-up on these zones to make strategies.
[USG-GW]interface vlan 100
[USG-GW-Vlanif100]ip address 192.168.100.252 24
[USG-GW]interface g0/0/1
[USG-GW-GigabitEthernet0/0/1]ip address 202.100.1.2 24
[USG-GW]int g0/0/2
[USG-GW-GigabitEthernet0/0/2]ip address 61.128.1.2 24
[USG-GW]firewall zone trust
[USG-GW-zone-trust]add interface Vlanif 100
[USG-GW]firewall zone name ISP_DX
[USG-GW-zone-isp_dx]set priority 1
[USG-GW-zone-isp_dx]add interface g0/0/1
[USG-GW]firewall zone name ISP_LT
[USG-GW-zone-isp_lt] set priority 2
[USG-GW-zone-isp_lt] add interface g0/0/2
Description: This configuration is not only the corresponding IP address, but also Configured to add the corresponding interface to the corresponding zone, we generally add the internal network interface to the Trust, and the external network interface to Untrust, and the external service provider to the DMZ. It should be noted that Trust exists by default in the system, so you only need to add an interface, and the latter two are custom, you must first define the priority and then add the interface, because we are deploying dual outlets here. Of course, you can also join Untrust.
Test connectivity【Completed】
You can see that there is no problem with the access between the core switches, and all VLAN interfaces can be accessed
This is to test the connectivity with the firewall. The communication has been normal here. So far, the entire IP address configuration is complete.
Summary: It is not difficult to configure an IP address. It is necessary to consider some factors in conjunction with subsequent technologies. For example, to deploy VRRP in the future, we must make its gateway evenly distributed to the two core switches, so that they can share the traffic of the entire network. All ran to one switch, but the other one was not used, and this one was also under great pressure.
This article was first published on the public account: Network Road Blog