Introduction: This article uses Huawei eNSP to plan and simulate an enterprise network; the same design also applies to campuses, hospitals and similar scenarios. If needed, you can contact the author, and the design can be modified to customized requirements. About the author: a network engineer who hopes to meet more people to exchange ideas with; private messages will be answered.
1. Background of business requirements
The enterprise is a small and medium-sized cloud computing company with about 200 employees. Its buildings and computer equipment are distributed as follows. The enterprise has four buildings, Building 1 to Building 4, with a distance of 100 meters between each building. Building 1 is the administration building; it has three floors, with about 40 computers spread across the offices. Building 2 houses the enterprise's product sales department and business department. Building 3 is the research and development department for the cloud computing products; it has three floors and contains the R&D department's business network, laboratory network and server network. Building 4 is the product production workshop, with four floors and more than 20 computers in total. In addition, to simplify management of the overall network and to protect intranet devices, a dedicated operation and maintenance (O&M) network is planned. Finally, the enterprise runs an in-house data center that provides internal business services. To ensure data disaster recovery, the enterprise has built an intra-city disaster recovery and remote backup center, which raises the availability of business application systems and important data and so guarantees business continuity.
2. VLAN division and IP addressing
The topology is as follows:
Main data center business address plan

Department | Address space | VLAN | VLAN gateway
Administration Building | 10.0.10.0/24 | VLAN 10 | 10.0.10.254/24
Sales Department | 10.0.20.0/24 | VLAN 20 | 10.0.20.254/24
Business Department | 10.0.30.0/24 | VLAN 30 | 10.0.30.254/24
R&D Department Business Network | 10.0.40.0/24 | VLAN 40 | 10.0.40.254/24
R&D Laboratory | 10.0.50.0/24 | VLAN 50 | 10.0.50.254/24
R&D Servers | 10.0.60.0/24 | VLAN 60 | 10.0.60.254/24
Device Management Network | 10.0.100.0/24 | VLAN 100 | 10.0.100.254/24
R&D Device Management | 10.0.150.0/24 | VLAN 150 | 10.0.150.254/24
O&M Network | 10.0.254.0/24 | N/A | 10.0.254.254/24
Data Center | 10.0.200.0/24 | N/A | 10.0.200.254/24

Intra-city / remote data center business address plan

Department | Address space | VLAN | VLAN gateway
Remote Data Center | 10.1.10.0/24 | VLAN 10 | 10.1.10.1/24
3. Network configuration implementation
1 Access layer configuration
1.1 Creating VLANs on the access switches and assigning interfaces to VLANs
Taking S1 as an example:
[S1]vlan batch 10 20 30 40 50 60 100 //create the user VLANs and the management VLAN
interface Ethernet0/0/1
 port link-type trunk //uplink: trunk that carries all VLANs
 port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/2
 port link-type trunk //second uplink, same VLAN set
 port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/3
 port link-type access
 port default vlan 10 //access port placed in the VLAN of its department
1.2 Management address of the access layer devices
interface Vlanif100
 ip address 10.0.100.11 255.255.255.0 //management address in the device management VLAN
1.3 Administrator account and password on the access switches
aaa
 local-user admin password cipher admin@123
 local-user admin privilege level 15 //full administrative level
 local-user admin service-type telnet //Telnet carries credentials in clear text; service-type ssh with STelnet is the hardened choice
 domain default_admin //administrative users belong to the default admin domain
1.4 Access control for management sessions to the access switches
acl number 2000 //basic ACL: only the device management network may open management sessions
 rule 5 permit source 10.0.100.0 0.0.0.255 //any other source falls through to the implicit deny
user-interface vty 0 4
 acl 2000 inbound //apply the ACL to incoming VTY sessions
 authentication-mode aaa //authenticate against the local AAA users configured above
 protocol inbound all //accept both Telnet and SSH on the VTY lines
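An added example (not part of the original article) that evaluates ACL 2000 with Huawei wildcard semantics against the subnets of the address plan above. It shows that only the device management network reaches the VTY lines, while the planned O&M network (10.0.254.0/24) and the R&D device management network are dropped by the implicit deny, so each of them needs its own permit rule before it can manage the switches.

```python
import ipaddress

# ACL 2000 from this page (constructed copy): who may open a VTY session to the access switches.
ACL_2000 = [
    (5, "permit", "10.0.100.0", "0.0.0.255"),
]
# Subnets of the address plan that might have to reach the switches' management addresses.
PLANNED_NETWORKS = {
    "device management (VLAN 100)": "10.0.100.0/24",
    "R&D device management (VLAN 150)": "10.0.150.0/24",
    "O&M network": "10.0.254.0/24",
    "administration building (VLAN 10)": "10.0.10.0/24",
}

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def vty_decision(src_ip, acl=ACL_2000):
    """Rules are checked by ascending rule id; a source matching none hits the implicit deny."""
    for _rule_id, action, base, wildcard in sorted(acl):
        if wildcard_match(src_ip, base, wildcard):
            return action
    return "deny"

def management_coverage(acl=ACL_2000, networks=PLANNED_NETWORKS):
    """Decision for the first usable host of each planned subnet, so gaps show up before rollout."""
    return {name: vty_decision(str(next(ipaddress.IPv4Network(cidr).hosts())), acl)
            for name, cidr in networks.items()}
```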
2 Core layer configuration
2.1 SVI interfaces, router physical interfaces and VRRP
Taking the external-network-zone core switches as an example:
[HX-1]interface Vlanif10
[HX-1-Vlanif10] ip address 10.0.10.1 255.255.255.0
[HX-1-Vlanif10] vrrp vrid 10 virtual-ip 10.0.10.254 //virtual gateway address
[HX-1-Vlanif10] vrrp vrid 10 priority 120 //higher priority: HX-1 is the VRRP master for VLAN 10
[HX-1-Vlanif10] dhcp select global //serve DHCP from the global address pool
[HX-2]interface Vlanif10
[HX-2-Vlanif10] ip address 10.0.10.2 255.255.255.0
[HX-2-Vlanif10] vrrp vrid 10 virtual-ip 10.0.10.254 //same virtual gateway; the default priority of 100 makes HX-2 the backup
2.2 MSTP instance mapping on the core layer
[HX-1]stp region-configuration
[HX-1-mst-region] region-name huawei
[HX-1-mst-region] instance 1 vlan 10 20 //VLANs 10 and 20 are computed in instance 1
[HX-1-mst-region] instance 2 vlan 30 100 //VLANs 30 and 100 are computed in instance 2; unmapped VLANs remain in instance 0 (CIST)
[HX-1-mst-region] active region-configuration //activate the region configuration (HX-2 needs the identical region settings)
[HX-1]stp instance 1 root primary //HX-1 is the root bridge for instance 1
[HX-1]stp instance 2 root secondary //and the backup root for instance 2
[HX-2]stp instance 1 root secondary
[HX-2]stp instance 2 root primary //HX-2 is the root for instance 2, so both core switches forward traffic
2.3 Link aggregation on the core layer
[HX-1]interface Eth-Trunk 0 //aggregated link between the two core switches
[HX-1-Eth-Trunk0]port link-type trunk
[HX-1-Eth-Trunk0]port trunk allow-pass vlan all
[HX-1-Eth-Trunk0]trunkport GigabitEthernet 0/0/23 to 0/0/24 //member ports
2.4 DHCP on the core layer
[HX-1]dhcp enable //DHCP must be enabled globally before dhcp select global takes effect
[HX-1]ip pool vlan10 //create the address pool
[HX-1-ip-pool-vlan10] gateway-list 10.0.10.254 //gateway (the VRRP virtual address)
[HX-1-ip-pool-vlan10] network 10.0.10.0 mask 255.255.255.0 //address range
[HX-1-ip-pool-vlan10] dns-list 114.114.114.114 //DNS server
[HX-1-ip-pool-vlan10] lease day 3 //lease time
The other address pools are configured in the same way.
3 Routing configuration
OSPF provides reachability across the whole network.
//The same configuration is applied on every other device; each one advertises its own directly connected networks.
[HX-1]ospf 1
[HX-1-ospf-1]area 0
[HX-1-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255
4 Firewall configuration
Zone division
[FW-A]firewall zone name MGT //management zone
[FW-A-zone-MGT]set priority 55
[FW-A-zone-MGT]add interface GigabitEthernet 1/0/3
[FW-A]firewall zone trust //external-network zone (links to the core switches)
[FW-A-zone-trust] add interface GigabitEthernet1/0/1
[FW-A-zone-trust] add interface GigabitEthernet1/0/2
[FW-A]firewall zone dmz //data center zone
[FW-A-zone-dmz] add interface GigabitEthernet1/0/5
[FW-A]firewall zone untrust //Internet zone
[FW-A-zone-untrust]add interface g1/0/0
[FW-A]firewall zone name NW //R&D intranet zone
[FW-A-zone-NW]set priority 10
[FW-A-zone-NW]add interface g1/0/4
Egress security policy
security-policy
 rule name deny_internet //deny the R&D intranet access to the Internet
  source-zone NW
  destination-zone untrust
  action deny
 rule name 0 //IPsec negotiation traffic between the firewall itself (local) and the peer; can be narrowed to UDP 500/4500 and ESP
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  action permit
 rule name ISp //external-network zone to the Internet
  source-zone trust
  destination-zone untrust
  action permit
 rule name vpn_data //data center VPN traffic in both directions
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.0.0
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address 10.0.0.0 mask 255.255.0.0
  destination-address 10.1.0.0 mask 255.255.0.0
  action permit
 rule name www //published data center server (see the port mapping below)
  source-zone untrust
  destination-zone dmz
  destination-address 10.0.200.100 mask 255.255.255.255
  action permit
 rule name MGT //permit management traffic from the management zone
  source-zone MGT
  destination-zone NW
  destination-zone dmz
  destination-zone trust
  action permit
Egress NAT configuration
nat-policy
 rule name no //exempt the VPN traffic from NAT so it enters the IPsec tunnel with its private addresses; must precede the ISP rule
  source-zone trust
  destination-zone untrust
  source-address 10.0.0.0 0.255.255.255
  destination-address 10.1.0.0 0.0.255.255
  action no-nat
 rule name ISP
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip //NAT mode = easy-IP (translate to the outbound interface address)
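An added example (not from the original article) that parses the nat-policy above into ordered rules and evaluates a flow against them the way the firewall does, top-down with first match. It confirms that traffic for the remote data center hits the no-nat rule, that plain Internet traffic is translated by easy-ip, and that reversing the two rules would silently NAT the VPN traffic and break the tunnel.

```python
import ipaddress
# Copy of this page's egress nat-policy (constructed); rules match top-down, first hit wins.
NAT_POLICY = """\
nat-policy
 rule name no
  source-zone trust
  destination-zone untrust
  source-address 10.0.0.0 0.255.255.255
  destination-address 10.1.0.0 0.0.255.255
  action no-nat
 rule name ISP
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
"""
ZONE_KEY = {"source-zone": "src_zone", "destination-zone": "dst_zone"}
ADDR_KEY = {"source-address": "src", "destination-address": "dst"}

def wildcard_to_network(addr, wildcard):
    """Huawei wildcard (1 bits = don't care) -> IPv4Network, e.g. 0.0.255.255 -> /16."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_nat_policy(text):
    """Parse the rule blocks into dicts, preserving the configured order."""
    rules = []
    for p in (line.split() for line in text.splitlines()):
        if p[:2] == ["rule", "name"]:
            rules.append({"name": p[2], "src_zone": set(), "dst_zone": set(),
                          "src": [], "dst": [], "action": None})
        elif p and p[0] in ZONE_KEY:
            rules[-1][ZONE_KEY[p[0]]].add(p[1])
        elif p and p[0] in ADDR_KEY:
            rules[-1][ADDR_KEY[p[0]]].append(wildcard_to_network(p[1], p[2]))
        elif p and p[0] == "action":
            rules[-1]["action"] = " ".join(p[1:])
    return rules

def nat_action(rules, src_zone, dst_zone, src_ip, dst_ip):
    """(rule name, action) of the first matching rule; (None, 'no-match') if none."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if src_zone not in r["src_zone"] or dst_zone not in r["dst_zone"]:
            continue
        if (r["src"] and not any(s in n for n in r["src"])) or \
           (r["dst"] and not any(d in n for n in r["dst"])):
            continue
        return r["name"], r["action"]
    return None, "no-match"
```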
Port mapping
[FW-A]nat server www zone untrust protocol tcp global 1.1.1.100 www inside 10.0.200.100 www //publish TCP port 80 of the data center server on 1.1.1.100
[FW-B]nat server zone untrust global interface g1/0/0 inside 10.1.10.1 //map the outbound interface address one-to-one to the remote data center host
IPsec configuration
acl number 3000 //interesting traffic: the same flows the no-nat rule exempts (the ACL body is not shown in the original text and is assumed here)
 rule 5 permit ip source 10.0.0.0 0.255.255.255 destination 10.1.0.0 0.0.255.255
ike proposal 1 //IKE proposal; the algorithms must match the remote site's proposal
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike peer fw //IKE peer
 pre-shared-key admin@123 //pre-shared key
 ike-proposal 1 //bind the IKE proposal
 remote-address 4.4.4.2 //peer address
ipsec proposal 1 //IPsec proposal
 esp authentication-algorithm sha2-256 //authentication algorithm
 esp encryption-algorithm aes-256 //encryption algorithm
ipsec policy p1 1 isakmp //IPsec policy
 security acl 3000 //bind the interesting traffic (the traffic to be encrypted)
 ike-peer fw //bind the IKE peer; the name must match the ike peer defined above
 proposal 1 //bind the IPsec proposal
 tunnel local applied-interface //local address = address of the interface the policy is applied to
interface GigabitEthernet1/0/0 //apply the policy to the outbound interface
 ipsec policy p1
Intra-city data center configuration
Core layer redundancy
VRRP redundancy
interface Vlanif10 //first core switch at the disaster recovery site
 ip address 10.1.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 10.1.10.254
 vrrp vrid 10 priority 120 //master
interface Vlanif10 //second core switch
 ip address 10.1.10.253 255.255.255.0
 vrrp vrid 10 virtual-ip 10.1.10.254 //backup (default priority 100)
Interface aggregation
interface Eth-Trunk 0 //create the aggregation interface before adding member ports
 port link-type trunk
 port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/23
 eth-trunk 0
#
interface GigabitEthernet0/0/24
 eth-trunk 0
#
Egress firewall configuration
Security policy configuration
security-policy
 rule name 0 //IPsec negotiation traffic between the firewall itself and the peer
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  action permit
 rule name ISP //internal zone to the Internet
  source-zone trust
  destination-zone untrust
  action permit
 rule name vpn_data //VPN traffic between the two sites in both directions
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.0.0
  source-address 10.1.0.0 mask 255.255.0.0
  destination-address 10.0.0.0 mask 255.255.0.0
  destination-address 10.1.0.0 mask 255.255.0.0
  action permit
 rule name nat-server //traffic to the host published by the nat server mapping
  source-zone untrust
  destination-zone trust
  destination-address 10.1.10.1 mask 255.255.255.255
  action permit
VPN tunnel configuration
ike proposal 1 //must match the IKE proposal on FW-A
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer fw
 pre-shared-key admin@123
 ike-proposal 1
 remote-address 1.1.1.2
#
ipsec proposal 1 //IPsec proposal, assumed to mirror FW-A's (not listed in the original text)
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ipsec policy p1 1 isakmp
 security acl 3000 //interesting traffic from 10.1.0.0/16 to 10.0.0.0/16 (the FW-A ACL with source and destination swapped)
 ike-peer fw
 proposal 1
 tunnel local applied-interface
 sa trigger-mode auto //establish the SA immediately instead of waiting for traffic
#
interface GigabitEthernet1/0/0 //outbound interface used by the nat server mapping; the policy must be applied here
 ipsec policy p1
4. Verification tests
Please send the blogger a private message to obtain the contents of this chapter.