Huawei eNSP simulation of a campus/enterprise network (with an intra-city disaster recovery and remote backup center to ensure network security)

Introduction: This article uses Huawei eNSP to plan and simulate an enterprise network; the design also applies to campuses, hospitals and similar scenarios. If needed, you can contact the author, and modifications can be made according to customized requirements. About the author: a network engineer who hopes to meet more friends to exchange ideas with; private messages will be answered.


1. Background of business needs

The enterprise is a small and medium-sized cloud computing company with about 200 employees. Its buildings and computer equipment are distributed as follows. The enterprise has 4 buildings, Building 1 to Building 4, each 100 meters from the next. Building 1 is the administration building, with three floors; its computers are spread across the offices, about 40 in total. Building 2 houses the product sales department and the business department. A third building houses the research and development department for the cloud computing products; it has three floors and contains the R&D department's business network, laboratory network and server network. The product production workshop has four floors and more than 20 computers in total. In addition, a dedicated operation and maintenance (O&M) network is planned to simplify management of the overall network and to protect intranet devices. Finally, the enterprise has an in-house data center that provides internal business services. To guarantee disaster recovery of enterprise data, an intra-city disaster recovery and remote backup center has been built, which raises the availability of the business application systems and of important data and so ensures business continuity.

2. VLAN division and IP addressing

The topology is as follows:

Primary data center business address plan

Department                    Address space    VLAN       VLAN gateway
Administration building       10.0.10.0/24     VLAN 10    10.0.10.254/24
Sales department              10.0.20.0/24     VLAN 20    10.0.20.254/24
Business department           10.0.30.0/24     VLAN 30    10.0.30.254/24
R&D department business net   10.0.40.0/24     VLAN 40    10.0.40.254/24
R&D laboratory                10.0.50.0/24     VLAN 50    10.0.50.254/24
R&D servers                   10.0.60.0/24     VLAN 60    10.0.60.254/24
Device management network     10.0.100.0/24    VLAN 100   10.0.100.254/24
R&D device management         10.0.150.0/24    VLAN 150   10.0.150.254/24
O&M network                   10.0.254.0/24    N/A        10.0.254.254/24
Data center                   10.0.200.0/24    N/A        10.0.200.254/24

Intra-city/remote data center business address plan

Department                    Address space    VLAN       VLAN gateway
Remote data center            10.1.10.0/24     VLAN 10    10.1.10.1/24
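As an added example (not part of the original article), the following Python script encodes the primary-site plan from the table above, checks it for the mistakes that most often creep into such tables (a gateway outside its subnet, a reused VLAN ID, overlapping prefixes) and generates the VLANIF/VRRP lines of section 2.1 for both core switches. The device names HX-1/HX-2, the real interface addresses .1 and .2, and a VRRP group ID equal to the VLAN ID are taken from the VLAN 10 example in section 2.1 and are assumed for the other VLANs.

```python
"""Address-plan checker and VLANIF/VRRP generator for the plan in the tables above.

Added example, not part of the original article. The plan entries are copied
from the article's tables; the core-switch names HX-1/HX-2 and the real interface
addresses (.1/.2 in every subnet) follow the VLAN 10 example in section 2.1 and
are assumptions for the other VLANs.
"""
import ipaddress

# (department, network, VLAN or None, gateway) as copied from the tables above
MAIN_SITE_PLAN = [
    ("Administration building",   "10.0.10.0/24",  10,   "10.0.10.254"),
    ("Sales department",          "10.0.20.0/24",  20,   "10.0.20.254"),
    ("Business department",       "10.0.30.0/24",  30,   "10.0.30.254"),
    ("R&D business network",      "10.0.40.0/24",  40,   "10.0.40.254"),
    ("R&D laboratory",            "10.0.50.0/24",  50,   "10.0.50.254"),
    ("R&D servers",               "10.0.60.0/24",  60,   "10.0.60.254"),
    ("Device management network", "10.0.100.0/24", 100,  "10.0.100.254"),
    ("R&D device management",     "10.0.150.0/24", 150,  "10.0.150.254"),
    ("O&M network",               "10.0.254.0/24", None, "10.0.254.254"),
    ("Data center",               "10.0.200.0/24", None, "10.0.200.254"),
]


def check_plan(plan):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    seen_vlans = {}
    nets = []
    for dept, net_s, vlan, gw_s in plan:
        net = ipaddress.ip_network(net_s, strict=True)
        gw = ipaddress.ip_address(gw_s)
        if gw not in net:
            problems.append(f"{dept}: gateway {gw} is outside {net}")
        elif gw == net.network_address or gw == net.broadcast_address:
            problems.append(f"{dept}: gateway {gw} is the network or broadcast address")
        if vlan is not None:
            if vlan in seen_vlans:
                problems.append(f"{dept}: VLAN {vlan} already used by {seen_vlans[vlan]}")
            seen_vlans[vlan] = dept
        for other_dept, other in nets:
            if net.overlaps(other):
                problems.append(f"{dept}: {net} overlaps {other} ({other_dept})")
        nets.append((dept, net))
    return problems


def vrrp_config(plan, device, real_host, priority=None):
    """Generate VLANIF + VRRP lines for one core switch; VRRP group id = VLAN id.

    real_host: host number of this switch's real address in each subnet
               (1 for HX-1, 2 for HX-2, as in section 2.1).
    priority:  VRRP priority to set, or None to keep the default (100).
    """
    vlans = [v for _, _, v, _ in plan if v is not None]
    lines = [f"[{device}]vlan batch {' '.join(str(v) for v in vlans)}"]
    for _, net_s, vlan, gw_s in plan:
        if vlan is None:            # O&M and data center segments are routed, not VLANIFs
            continue
        net = ipaddress.ip_network(net_s)
        real_ip = net.network_address + real_host
        lines.append(f"[{device}]interface Vlanif{vlan}")
        lines.append(f"[{device}-Vlanif{vlan}] ip address {real_ip} {net.netmask}")
        lines.append(f"[{device}-Vlanif{vlan}] vrrp vrid {vlan} virtual-ip {gw_s}")
        if priority is not None:
            lines.append(f"[{device}-Vlanif{vlan}] vrrp vrid {vlan} priority {priority}")
    return lines


if __name__ == "__main__":
    for p in check_plan(MAIN_SITE_PLAN):
        print("PROBLEM:", p)
    print("\n".join(vrrp_config(MAIN_SITE_PLAN, "HX-1", 1, priority=120)))
    print("\n".join(vrrp_config(MAIN_SITE_PLAN, "HX-2", 2)))
```

Running the script on the table above reports no problems and prints the HX-1 configuration with priority 120 (master) and the HX-2 configuration at the default priority (backup); feeding it a plan with a gateway in the wrong subnet or a reused VLAN ID lists the offending row.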

3. Network configuration implementation

1 Access layer configuration

1.1 Create VLANs on the access layer and assign interfaces to VLANs

Taking S1 as an example:

[S1]vlan batch 10 20 30 40 50 60 100
interface Ethernet0/0/1
 port link-type trunk   //uplink: allow the VLANs through
 port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094   //uplink: allow the VLANs through
interface Ethernet0/0/3
 port link-type access
 port default vlan 10   //access port: put the host in its VLAN

1.2 Access-layer device management address configuration

interface Vlanif100
 ip address 10.0.100.11 255.255.255.0

1.3 Administrator account and password on the access switches

aaa
 domain default_admin
 local-user admin password cipher admin@123
 local-user admin privilege level 15
 local-user admin service-type telnet

1.4 Access permissions on the access switches

acl number 2000
 rule 5 permit source 10.0.100.0 0.0.0.255   //only the device management network may log in
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 protocol inbound all

2. Core layer configuration

2.1 SVI interface configuration, router physical interfaces and VRRP configuration

Taking the external network zone core switches as an example:

[HX-1]interface Vlanif10
[HX-1-Vlanif10] ip address 10.0.10.1 255.255.255.0
[HX-1-Vlanif10] vrrp vrid 10 virtual-ip 10.0.10.254   //virtual gateway
[HX-1-Vlanif10] vrrp vrid 10 priority 120   //priority (higher than the default 100, so HX-1 is master)
[HX-1-Vlanif10] dhcp select global   //DHCP in global mode

[HX-2]interface Vlanif10
[HX-2-Vlanif10] ip address 10.0.10.2 255.255.255.0
[HX-2-Vlanif10] vrrp vrid 10 virtual-ip 10.0.10.254   //virtual gateway (default priority 100, backup)

2.2 MSTP instance mapping on the core layer

[HX-1]stp region-configuration
[HX-1-mst-region] region-name huawei
[HX-1-mst-region] instance 1 vlan 10 20   //map VLAN 10 and 20 to instance 1 for STP calculation
[HX-1-mst-region] instance 2 vlan 30 100   //map VLAN 30 and 100 to instance 2 for STP calculation
[HX-1-mst-region] active region-configuration   //activate the region configuration
[HX-1]stp instance 1 root primary   //instance 1 priority: HX-1 is the root
[HX-1]stp instance 2 root secondary   //instance 2 priority: HX-1 is the backup root
[HX-2]stp instance 1 root secondary
[HX-2]stp instance 2 root primary
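Added example, not from the article: a small Python check that the VRRP master of each VLAN sits on the same core switch as the MSTP root of the instance that VLAN is mapped to. With the mapping above, the VLAN 10 and 20 gateways belong on HX-1 and the VLAN 30 and 100 gateways on HX-2; a VLAN whose gateway and root are split sends all traffic to its gateway across the inter-core Eth-Trunk. The instance mapping, root roles and the VLAN 10 priority are the values configured above; the priorities for VLAN 20, 30 and 100 are assumed, and one of them is deliberately misaligned to show the check fire.

```python
"""Check that each VLAN's VRRP master sits on the MSTP root of that VLAN's instance.

Added example, not from the original article. The instance mapping, root roles and
the VLAN 10 VRRP priority are the values configured in sections 2.1/2.2 above; the
priorities for the other VLANs are assumptions used to exercise the check.
"""

# MSTP instance -> VLANs, as configured on HX-1/HX-2 (the region config is shared)
MSTI_VLANS = {1: [10, 20], 2: [30, 100]}

# MSTP root per instance, from "stp instance N root primary/secondary"
MSTI_ROOT = {1: "HX-1", 2: "HX-2"}

# VRRP priority per VLAN per core switch; switches not listed use the default 100.
VRRP_PRIORITY = {
    10:  {"HX-1": 120},   # from the article: HX-1 is master for VLAN 10
    20:  {"HX-1": 120},   # assumed: same side as VLAN 10, matches the instance 1 root
    30:  {"HX-2": 120},   # assumed: master on HX-2, matches the instance 2 root
    100: {"HX-1": 120},   # assumed: deliberately misaligned with the instance 2 root
}

DEFAULT_PRIORITY = 100
CORES = ("HX-1", "HX-2")


def vrrp_master(vlan, priorities=VRRP_PRIORITY):
    """Return the core switch that wins VRRP for a VLAN.

    Highest priority wins; a tie is broken by the higher interface address,
    which in this design (HX-1 = .1, HX-2 = .2) is HX-2.
    """
    prio = {c: priorities.get(vlan, {}).get(c, DEFAULT_PRIORITY) for c in CORES}
    best = max(prio.values())
    winners = [c for c in CORES if prio[c] == best]
    return winners[0] if len(winners) == 1 else "HX-2"


def misaligned_vlans(msti_vlans=MSTI_VLANS, msti_root=MSTI_ROOT, priorities=VRRP_PRIORITY):
    """Return (vlan, vrrp_master, stp_root) for every VLAN whose layer-3 gateway and
    layer-2 root are on different core switches: traffic to the gateway of such a
    VLAN has to cross the inter-core Eth-Trunk."""
    result = []
    for inst, vlans in msti_vlans.items():
        for vlan in vlans:
            master = vrrp_master(vlan, priorities)
            root = msti_root[inst]
            if master != root:
                result.append((vlan, master, root))
    return result


if __name__ == "__main__":
    for vlan, master, root in misaligned_vlans():
        print(f"VLAN {vlan}: VRRP master {master} but MSTP root {root}")
```

With the values above the only finding is VLAN 100 (master HX-1, root HX-2); changing its assumed priority to favour HX-2, or moving VLAN 100 into instance 1, clears it.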

2.3 Core layer link aggregation configuration

[HX-1]interface Eth-Trunk 0   //link aggregation interface
[HX-1-Eth-Trunk0]port link-type trunk
[HX-1-Eth-Trunk0]port trunk allow-pass vlan all
[HX-1-Eth-Trunk0]trunkport GigabitEthernet 0/0/23 to 0/0/24

2.4 Core DHCP configuration

[HX-1]ip pool vlan10   //create the address pool
[HX-1-ip-pool-vlan10] gateway-list 10.0.10.254   //gateway
[HX-1-ip-pool-vlan10] network 10.0.10.0 mask 255.255.255.0   //address range
[HX-1-ip-pool-vlan10] dns-list 114.114.114.114   //DNS address
[HX-1-ip-pool-vlan10] lease day 3   //lease time

The other address pools are configured the same way.

3. Routing configuration

OSPF provides full-network reachability.

//the same configuration is used on every other device; each one advertises its own directly connected segments
[HX-1]ospf 1
[HX-1-ospf-1]area 0
[HX-1-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255

4. Firewall configuration

Zone division

[FW-A]firewall zone name MGT   //management zone
[FW-A-zone-MGT]set priority 55
[FW-A-zone-MGT]add interface GigabitEthernet 1/0/3
[FW-A]firewall zone trust   //external network zone
[FW-A-zone-trust] add interface GigabitEthernet1/0/1
[FW-A-zone-trust] add interface GigabitEthernet1/0/2
[FW-A]firewall zone dmz   //data center zone
[FW-A-zone-dmz] add interface GigabitEthernet1/0/5
[FW-A]firewall zone untrust   //internet zone
[FW-A-zone-untrust]add interface g1/0/0
[FW-A]firewall zone name NW   //R&D intranet zone
[FW-A-zone-NW]set priority 10
[FW-A-zone-NW]add interface g1/0/4

Exit security policy

security-policy
 rule name deny_internet   //deny the R&D intranet access to the internet
  source-zone NW
  destination-zone untrust
  action deny
 rule name 0   //IPsec negotiation traffic
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  action permit
 rule name ISp   //external network zone to the internet
  source-zone trust
  destination-zone untrust
  action permit
 rule name vpn_data   //data center VPN traffic
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.0.0
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address 10.0.0.0 mask 255.255.0.0
  destination-address 10.1.0.0 mask 255.255.0.0
  action permit
 rule name www   //port mapping for the data center zone server
  source-zone untrust
  destination-zone dmz
  destination-address 10.0.200.100 mask 255.255.255.255
  action permit
 rule name MGT   //allow management traffic
  source-zone MGT
  destination-zone NW
  destination-zone dmz
  destination-zone trust
  action permit

Exit NAT configuration

nat-policy
 rule name no   //exempt VPN traffic from NAT
  source-zone trust
  destination-zone untrust
  source-address 10.0.0.0 0.255.255.255
  destination-address 10.1.0.0 0.0.255.255
  action no-nat
 rule name ISP
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip   //NAT mode = easy-IP
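To see how the security-policy and the nat-policy above interact, here is an added Python evaluator (not the firewall's own code and not from the article) that applies the FW-A rules in configured order with first-match semantics and an implicit deny, then runs the nat-policy on permitted flows. The rules are transcribed from the two listings above; the sample flows in the test are constructed. It shows, for instance, that a trust-to-untrust flow toward 10.1.0.0/16 is permitted by the ISp rule before vpn_data is ever consulted, and is then exempted from easy-IP by the no-nat rule so that the IPsec interesting-traffic ACL sees the original addresses, and that untrust-to-NW traffic matches nothing and is dropped.

```python
"""First-match evaluator for the FW-A security-policy and nat-policy shown above.

Added example, not part of the original article. The rules are transcribed from
the two policy listings; zones and addresses are the ones given on the page.
"""
import ipaddress

ANY = None  # the rule does not constrain this field


def _net(s):
    return ipaddress.ip_network(s, strict=False)


# Each rule: name, source zones, destination zones, source nets, destination nets, action.
# Order is the configured order, which is the evaluation order.
SECURITY_POLICY = [
    ("deny_internet", {"NW"},               {"untrust"},            ANY, ANY, "deny"),
    ("0",             {"local", "untrust"}, {"local", "untrust"},   ANY, ANY, "permit"),
    ("ISp",           {"trust"},            {"untrust"},            ANY, ANY, "permit"),
    ("vpn_data",      {"trust", "untrust"}, {"trust", "untrust"},
                      [_net("10.0.0.0/16"), _net("10.1.0.0/16")],
                      [_net("10.0.0.0/16"), _net("10.1.0.0/16")], "permit"),
    ("www",           {"untrust"},          {"dmz"}, ANY, [_net("10.0.200.100/32")], "permit"),
    ("MGT",           {"MGT"},              {"NW", "dmz", "trust"}, ANY, ANY, "permit"),
]

NAT_POLICY = [
    ("no",  {"trust"}, {"untrust"}, [_net("10.0.0.0/8")], [_net("10.1.0.0/16")], "no-nat"),
    ("ISP", {"trust"}, {"untrust"}, ANY, ANY, "source-nat easy-ip"),
]


def _match(field, value):
    """Zone fields are sets of names; address fields are lists of networks."""
    if field is ANY:
        return True
    if isinstance(value, str):
        return value in field
    return any(value in n for n in field)


def first_match(policy, src_zone, dst_zone, src_ip, dst_ip, default):
    """Return (rule_name, action) of the first matching rule, or (None, default)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, sz, dz, sn, dn, action in policy:
        if _match(sz, src_zone) and _match(dz, dst_zone) and _match(sn, s) and _match(dn, d):
            return name, action
    return None, default


def evaluate(src_zone, dst_zone, src_ip, dst_ip):
    """Security verdict for a flow and, if it is permitted, the NAT action applied.

    A flow that matches no security rule hits the implicit deny; a permitted flow
    that matches no nat-policy rule is forwarded without translation.
    """
    rule, action = first_match(SECURITY_POLICY, src_zone, dst_zone, src_ip, dst_ip, "deny")
    if action != "permit":
        return {"security": (rule, action), "nat": None}
    nat_rule, nat = first_match(NAT_POLICY, src_zone, dst_zone, src_ip, dst_ip, "no-nat")
    return {"security": (rule, action), "nat": (nat_rule, nat)}


if __name__ == "__main__":
    # constructed sample flows: (source zone, destination zone, source IP, destination IP)
    for flow in [("NW", "untrust", "10.0.40.10", "8.8.8.8"),
                 ("trust", "untrust", "10.0.10.10", "8.8.8.8"),
                 ("trust", "untrust", "10.0.10.10", "10.1.10.1"),
                 ("untrust", "dmz", "203.0.113.5", "10.0.200.100"),
                 ("untrust", "NW", "203.0.113.5", "10.0.40.10")]:
        print(flow, "->", evaluate(*flow))
```

Because the evaluator keeps the configured order, it is also a cheap way to test a proposed rule change before pushing it: moving deny_internet below ISp, for example, would not open NW to the internet here (ISp only matches the trust zone), but dropping the no-nat rule would silently send VPN traffic through easy-IP.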

Port mapping

[FW-A]nat server www zone untrust protocol tcp global 1.1.1.100 www inside 10.0.200.100 www
[FW-B]nat server zone untrust global interface g1/0/0 inside 10.1.10.1

IPsec configuration

acl number 3000   //interesting traffic; rules inferred from the vpn_data security policy (10.0.0.0/16 <-> 10.1.0.0/16)
 rule 5 permit ip source 10.0.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
ike proposal 1   //IKE security proposal (no parameters set, so the device defaults apply)
ike peer fw   //IKE peer
 pre-shared-key admin@123   //pre-shared key
 ike-proposal 1   //bind the security proposal
 remote-address 4.4.4.2   //peer address
ipsec proposal 1   //IPsec security proposal
 esp authentication-algorithm sha2-256   //authentication algorithm
 esp encryption-algorithm aes-256   //encryption algorithm
ipsec policy p1 1 isakmp   //IPsec security policy
 security acl 3000   //bind the interesting traffic (the traffic to be encrypted)
 ike-peer fw   //bind the IKE peer
 proposal 1   //bind the security proposal
 tunnel local applied-interface   //local address = address of the interface the policy is applied to
interface GigabitEthernet1/0/0   //apply the security policy to the interface
 ipsec policy p1

Intra-city data center configuration

Core layer redundancy configuration

VRRP redundancy protocol

//first core switch (device names are not given in the article)
interface Vlanif10
 ip address 10.1.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 10.1.10.254
 vrrp vrid 10 priority 120   //higher priority: this switch is the VRRP master

//second core switch
interface Vlanif10
 ip address 10.1.10.253 255.255.255.0
 vrrp vrid 10 virtual-ip 10.1.10.254   //default priority 100: backup

Interface aggregation

interface GigabitEthernet0/0/23
 eth-trunk 0
#
interface GigabitEthernet0/0/24
 eth-trunk 0
#

Exit firewall configuration

Security policy configuration

security-policy
 rule name 0   //IPsec negotiation traffic
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  action permit
 rule name ISP
  source-zone trust
  destination-zone untrust
  action permit
 rule name vpn_data   //data center VPN traffic
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.0.0
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address 10.0.0.0 mask 255.255.0.0
  destination-address 10.1.0.0 mask 255.255.0.0
  action permit
 rule name nat-server   //inbound traffic to the mapped server
  source-zone untrust
  destination-zone trust
  destination-address 10.1.10.1 mask 255.255.255.255
  action permit

VPN tunnel configuration

ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer fw
 pre-shared-key admin@123
 ike-proposal 1
 remote-address 1.1.1.2
#
ipsec proposal 1   //same algorithms as the primary site's proposal 1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ipsec policy p1 1 isakmp
 security acl 3000   //interesting traffic, the mirror image of the primary site's ACL
 ike-peer fw
 proposal 1
 tunnel local applied-interface
 sa trigger-mode auto   //bring the SA up automatically instead of waiting for traffic

4. Verification and testing

Please message the blogger privately to obtain the content of this chapter.


Source: blog.csdn.net/m0_59193722/article/details/129070521