Planning and Design Description
The network topology is divided into three parts: the main campus network, the carrier (operator) backbone network, and the branch campus network.
Main campus network design:
Functional areas: teaching building, dormitory, office building, administrative building, library, and data center; the data center also hosts the campus web server. The Internet egress is a pair of firewalls running in hot standby (dual-machine hot backup), connected to the Internet, with source NAT configured for the campus address space.
Operator (carrier) design:
The underlying IGP is a multi-area OSPF design, and BGP provides inter-AS interconnection. The carrier also provides Internet access.
Branch campus network design:
Functional areas: teaching building and library. The egress is connected to the Internet, with NAT configured to provide Internet service.
The main campus and the branch campus reach each other through an MPLS VPN carried over the carrier's public network.
Department VLAN and IP address plan

Main campus:

| Area | IP subnet | Gateway | VLAN |
|---|---|---|---|
| Office building | 192.168.10.0/24 | 192.168.10.254 | VLAN10 |
| Administration building | 192.168.20.0/24 | 192.168.20.254 | VLAN20 |
| Teaching building | 192.168.30.0/24 | 192.168.30.254 | VLAN30 |
| Library | 192.168.40.0/24 | 192.168.40.254 | VLAN40 |
| Dormitory | 192.168.50.0/24 | 192.168.50.254 | VLAN50 |
| Server (data center) | 192.168.60.0/24 | 192.168.60.254 | VLAN60 |

Branch campus:

| Area | IP subnet | Gateway | VLAN |
|---|---|---|---|
| Teaching building | 192.168.70.0/24 | 192.168.70.254 | VLAN70 |
| Library | 192.168.80.0/24 | 192.168.80.254 | VLAN80 |

The .254 gateway of each VLAN is the VRRP virtual address; the two aggregation switches use .1 and .2 as their own interface addresses (see the VRRP configuration below). Because both sites end up in one routing domain over the MPLS VPN, no two subnets in the plan may overlap.
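A plan like this is easy to break when a VLAN is added later, so the following script checks it for the mistakes that matter for the design: overlapping subnets (both sites share one VPN routing table), gateways outside their subnet, duplicate VLAN IDs within a site, and a gateway that collides with an aggregation switch's physical address. This is an added example and not part of the original design document; the PLAN table is transcribed from the plan above, and the .1/.2 physical addresses are an assumption taken from the VRRP section of this page.

```python
"""Consistency checks for the VLAN / IP plan above.

Added example (not part of the original design document). PLAN is transcribed
from the plan table; VRRP_PHYSICAL_OFFSETS assumes the .1/.2 physical addresses
shown in the page's VRRP section.
"""
import ipaddress
from itertools import combinations

# (site, area, subnet, gateway, vlan) transcribed from the plan table
PLAN = [
    ("main", "office building", "192.168.10.0/24", "192.168.10.254", 10),
    ("main", "administration building", "192.168.20.0/24", "192.168.20.254", 20),
    ("main", "teaching building", "192.168.30.0/24", "192.168.30.254", 30),
    ("main", "library", "192.168.40.0/24", "192.168.40.254", 40),
    ("main", "dormitory", "192.168.50.0/24", "192.168.50.254", 50),
    ("main", "server", "192.168.60.0/24", "192.168.60.254", 60),
    ("branch", "teaching building", "192.168.70.0/24", "192.168.70.254", 70),
    ("branch", "library", "192.168.80.0/24", "192.168.80.254", 80),
]

# Assumption from the VRRP section: aggregation A/B use host .1 and .2, the VIP is the gateway
VRRP_PHYSICAL_OFFSETS = (1, 2)


def check_plan(plan):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    nets = []
    vlan_owner = {}
    for site, area, subnet, gateway, vlan in plan:
        label = f"{site}/{area}"
        net = ipaddress.ip_network(subnet, strict=True)
        gw = ipaddress.ip_address(gateway)

        # The gateway must be a usable host inside its own subnet.
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            problems.append(f"{label}: gateway {gateway} is not a usable host in {subnet}")

        # The VRRP virtual IP must not collide with either switch's physical address.
        for off in VRRP_PHYSICAL_OFFSETS:
            if gw == net.network_address + off:
                problems.append(f"{label}: gateway {gateway} collides with VRRP physical address .{off}")

        # VLAN IDs must be unique within a site (the two sites are separate L2 domains).
        if (site, vlan) in vlan_owner:
            problems.append(f"{site}: VLAN {vlan} used by both {vlan_owner[(site, vlan)]} and {area}")
        vlan_owner[(site, vlan)] = area
        nets.append((label, net))

    # Both sites share one routing domain over the MPLS VPN, so no two subnets may overlap.
    for (l1, n1), (l2, n2) in combinations(nets, 2):
        if n1.overlaps(n2):
            problems.append(f"{l1} {n1} overlaps {l2} {n2}")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```

Run it again whenever a row is added to the table; a new branch VLAN that reuses a main-campus subnet, for instance, is reported as an overlap before it reaches the route-policy that exports campus prefixes into the VPN.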
Network topology
Network Configuration Implementation
Access layer configuration:
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/3
port link-type access
port default vlan 10
The other access switches are configured the same way. Note that allow-pass vlan 2 to 4094 lets every VLAN cross the uplinks; restricting the list to the VLANs the switch actually serves (for example port trunk allow-pass vlan 10 20) limits how far a mis-set access port or a VLAN-hopping attempt can reach through the trunk.
Aggregation layer L3 configuration (one VLAN interface as an example; dhcp enable must be turned on in system view before dhcp select interface is accepted):
dhcp enable
interface Vlanif50
 ip address 192.168.50.254 255.255.255.0
 dhcp select interface
Where a VLAN is protected by VRRP, the interface address is the switch's own .1 or .2 and the .254 gateway is the VRRP virtual IP, as shown in the next section; in that case the DHCP server should hand out the virtual IP as the default gateway (dhcp server gateway-list 192.168.50.254), otherwise clients point at the physical address of one switch and lose their gateway when it fails.
VRRP configuration
Taking one aggregation pair as an example:
Aggregation A:
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 120
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
Aggregation B:
interface Vlanif10
ip address 192.168.10.2 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 120
Aggregation A (priority 120 on VRID 10) is master for VLAN10 and Aggregation B (priority 120 on VRID 20) is master for VLAN20, so the pair shares load per VLAN; the backup in each group keeps the default priority of 100. The MSTP roots below must follow the same split, otherwise a VLAN's traffic is forwarded to the backup switch first and crosses the inter-switch link to reach its gateway.
MSTP configuration
On Aggregation A (mirror the two root commands on Aggregation B so that it is root primary for instance 2 and secondary for instance 1):
stp region-configuration
 region-name huawei
 instance 1 vlan 10
 instance 2 vlan 20
 active region-configuration
[Huawei]stp instance 1 root primary
[Huawei]stp instance 2 root secondary
Both switches must carry an identical region configuration (region name, revision level, and VLAN-to-instance mapping), otherwise they form separate MST regions and the per-instance root assignment has no effect.
Core and aggregation routing configuration
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.255.255
The wildcard 0.0.255.255 enables OSPF on every 192.168.x.x interface, including all user-facing VLAN interfaces. Declare those as silent-interface (for example silent-interface Vlanif10) so that a host in a user VLAN cannot form an adjacency and inject routes into the campus IGP.
Egress firewall configuration (hot-standby pair; FW-A shown first, FW-B second)
FW-A:
hrp interface GigabitEthernet1/0/6 remote 10.1.1.1
hrp mirror session enable
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 100.1.1.100 active
hrp enable
FW-B:
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 100.1.1.100 standby
FW-B carries the same hrp commands with the heartbeat remote address pointing back at FW-A; the hrp interface line assumes the heartbeat link is on GigabitEthernet1/0/6 and only the peer address 10.1.1.1 is shown. hrp enable is issued last, once the heartbeat interface is configured. The virtual address 100.1.1.100 is the CE-side address toward the PE (100.1.1.254); the inside (trust) interfaces toward the core need a matching VRRP group, which the page does not show.
Security policy
security-policy
 rule name ISP
  source-zone trust
  destination-zone untrust
  action permit
 rule name Server
  source-zone trust
  destination-zone dmz
  action permit
#
Traffic that matches no rule is dropped by the firewall's default deny, so with these two rules nothing from untrust reaches the dmz or trust zones; publishing the web server would require an additional untrust-to-dmz rule scoped to the server's address and service ports, together with a NAT server mapping on the egress. The ISP rule permits all outbound traffic from the campus; narrow it to the required services where policy allows.
NAT configuration
nat-policy
 rule name ISP
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
#
easy-ip translates outbound campus traffic to the address of the outgoing interface, so with the VRRP group above the translated address is the virtual IP 100.1.1.100 and survives a failover together with the mirrored sessions.
Public network and MPLS VPN configuration
Underlying IGP: OSPF
ospf 1
 area 0.0.0.0
  network 12.1.1.1 0.0.0.0
  network 14.1.1.1 0.0.0.0
  network 1.1.1.1 0.0.0.0
The last network statement advertises the loopback used as the LSR ID and BGP peering address (1.1.1.1); without it LDP cannot build an LSP to the router ID and the loopback-to-loopback BGP session below never comes up.
Public network MPLS: establish LSPs
[Huawei]mpls lsr-id 1.1.1.1
[Huawei]mpls
[Huawei-mpls]mpls ldp
mpls and mpls ldp must also be enabled under every backbone-facing interface, otherwise no LDP sessions form and VPN traffic has no transport label.
Configure the VPN instance
[Huawei]ip vpn-instance vpn1
[Huawei-vpn-instance-vpn1]ipv4-family
[Huawei-vpn-instance-vpn1-af-ipv4]route-distinguisher 100:1
[Huawei-vpn-instance-vpn1-af-ipv4]vpn-target 100:200
[Huawei]interface GigabitEthernet0/0/0
[Huawei-GigabitEthernet0/0/0]ip binding vpn-instance vpn1
[Huawei-GigabitEthernet0/0/0]ip address 100.1.1.254 255.255.255.0
ip binding vpn-instance removes any address already on the interface, so bind first and then assign the address, as above. The instance name is local to each PE; what joins the two sites into one VPN is that the branch PE's instance (vpn2 in the static routes below) imports and exports the same vpn-target 100:200.
Establish the BGP VPNv4 neighbour
[Huawei]bgp 100
[Huawei-bgp]undo default ipv4-unicast
[Huawei-bgp]peer 5.5.5.5 as-number 100
[Huawei-bgp]peer 5.5.5.5 connect-interface LoopBack0
[Huawei-bgp]ipv4-family vpnv4
[Huawei-bgp-af-vpnv4]peer 5.5.5.5 enable
The peer PE (5.5.5.5) is configured the same way, pointing back at 1.1.1.1.
PE-to-CE routing configuration (main campus side, OSPF inside the VPN instance)
ospf 2 vpn-instance vpn1
 import-route bgp
 area 0.0.0.1
  network 100.1.1.254 0.0.0.0
import-route bgp under ospf 2 hands the branch prefixes learned through VPNv4 back to the firewall (the CE); without it the main campus never learns the branch routes.
The branch side uses static routes instead (200.1.1.1 being the branch CE on the PE-CE link):
[Huawei]ip route-static vpn-instance vpn2 192.168.70.0 24 200.1.1.1
[Huawei]ip route-static vpn-instance vpn2 192.168.80.0 24 200.1.1.1
Import the VPN instance's routes into BGP
[Huawei-bgp]ipv4-family vpn-instance vpn1
[Huawei-bgp-vpn1]import-route ospf 2 route-policy p1
On the branch PE the equivalent step is import-route static (with the same route-policy) under ipv4-family vpn-instance vpn2; static routes are not advertised into VPNv4 by themselves.
The route-policy filters out routes that should not be advertised into the VPN:
acl number 2000
 rule 5 permit source 192.168.10.0 0.0.0.255
 rule 10 permit source 192.168.20.0 0.0.0.255
 rule 15 permit source 192.168.30.0 0.0.0.255
 rule 20 permit source 192.168.40.0 0.0.0.255
 rule 25 permit source 192.168.50.0 0.0.0.255
 rule 30 permit source 192.168.60.0 0.0.0.255
 rule 35 permit source 192.168.70.0 0.0.0.255
 rule 40 permit source 192.168.80.0 0.0.0.255
route-policy p1 permit node 10
 if-match acl 2000
A route that matches no node of the route-policy is denied, so only the eight campus prefixes are exported and link subnets such as 100.1.1.0/24 stay out of the VPN. Two caveats: a basic ACL compares only the route's network address against source/wildcard, so a more-specific route inside an allowed /24 (for example a /25 leaked from a mis-configured CE) also passes; use ip ip-prefix with an explicit mask length when the prefix length must be enforced. And the policy does not stop a prefix that legitimately belongs to the other site from being re-advertised back toward it, which is harmless here only because OSPF and BGP preferences keep the local route.
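To see exactly which candidate routes the policy lets through, the following script simulates acl 2000 and route-policy p1 over a constructed set of prefixes, and contrasts the result with an ip-prefix style exact-length filter. This is an added example, not part of the original configuration; the ACL rules are transcribed from the page, while the candidate route list and the PREFIX_LIST_STRICT variant are constructed here for illustration and modelled on documented Huawei matching semantics.

```python
"""Simulate acl 2000 and route-policy p1 from the page against candidate routes.

Added example (not the page's configuration). It models the documented behaviour
of a basic ACL used in if-match acl: only the route's network address is compared
against source/wildcard, the prefix length is ignored. PREFIX_LIST_STRICT and
CANDIDATES are constructed for illustration; the page itself uses only the ACL.
"""
import ipaddress

# acl number 2000, transcribed from the page: (rule id, action, source, wildcard)
ACL_2000 = [
    (5, "permit", "192.168.10.0", "0.0.0.255"),
    (10, "permit", "192.168.20.0", "0.0.0.255"),
    (15, "permit", "192.168.30.0", "0.0.0.255"),
    (20, "permit", "192.168.40.0", "0.0.0.255"),
    (25, "permit", "192.168.50.0", "0.0.0.255"),
    (30, "permit", "192.168.60.0", "0.0.0.255"),
    (35, "permit", "192.168.70.0", "0.0.0.255"),
    (40, "permit", "192.168.80.0", "0.0.0.255"),
]

# Hypothetical ip ip-prefix equivalent: (network, mask length, greater-equal, less-equal);
# with ge == le == mask only the exact /24 is accepted.
PREFIX_LIST_STRICT = [(f"192.168.{n}.0", 24, 24, 24) for n in range(10, 90, 10)]

# Constructed candidate routes as they might sit in ospf 2 / the static table before import
CANDIDATES = [
    "192.168.10.0/24",    # legitimate campus prefix
    "192.168.60.0/24",    # server VLAN
    "192.168.10.128/25",  # more-specific leak inside an allowed /24
    "192.168.90.0/24",    # not in the plan
    "100.1.1.0/24",       # PE-CE link, must not be exported
    "10.1.1.0/24",        # firewall heartbeat link
]


def wildcard_match(addr, source, wildcard):
    """Huawei wildcard semantics: a 1 bit means 'don't care' (inverse of a netmask)."""
    a = int(ipaddress.ip_address(addr))
    s = int(ipaddress.ip_address(source))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (s & care)


def acl_lookup(acl, addr):
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule_id, action, source, wildcard in acl:
        if wildcard_match(addr, source, wildcard):
            return action, rule_id
    return "deny", None


def route_policy_p1(prefix):
    """route-policy p1 permit node 10 / if-match acl 2000; unmatched routes are denied."""
    net = ipaddress.ip_network(prefix, strict=True)
    action, rule_id = acl_lookup(ACL_2000, str(net.network_address))
    if action == "permit":
        return True, f"node 10 via acl 2000 rule {rule_id}"
    return False, "no node matched (implicit deny)"


def filter_routes(prefixes):
    """Prefixes the page's policy would import into BGP VPNv4."""
    return [p for p in prefixes if route_policy_p1(p)[0]]


def prefix_list_match(prefix, entries):
    """ip-prefix semantics: address must fall inside the entry and the length within [ge, le]."""
    net = ipaddress.ip_network(prefix, strict=True)
    for network, mask, ge, le in entries:
        entry = ipaddress.ip_network(f"{network}/{mask}", strict=True)
        if net.subnet_of(entry) and ge <= net.prefixlen <= le:
            return True
    return False


def filter_routes_strict(prefixes):
    """Same candidates filtered by the exact-length prefix list instead of the ACL."""
    return [p for p in prefixes if prefix_list_match(p, PREFIX_LIST_STRICT)]


if __name__ == "__main__":
    for p in CANDIDATES:
        ok, why = route_policy_p1(p)
        verdict = "permit" if ok else "deny"
        print(f"{p:<20} acl-policy={verdict:<6} ({why})")
    print("strict prefix-list result:", filter_routes_strict(CANDIDATES))
```

The ACL-based policy correctly drops 192.168.90.0/24, the PE-CE link and the heartbeat link, but it also passes 192.168.10.128/25, which the exact-length prefix list rejects; that difference is the reason to prefer ip ip-prefix over a basic ACL when filtering what a site may inject into a shared VPN.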
Network testing
DHCP service test
Intranet connectivity test
Access test across the MPLS VPN
Packet capture
Test screenshots are available from the author on request.