Campus Network Based on eNSP

 The complete project topology is as follows:

https://download.csdn.net/download/xiaolong1155/87794750?spm=1001.2014.3001.5503

1 Foreword

1.1 Purpose and significance of topic selection

In a traditional campus network, the network usually has a three-tier structure: a hierarchical architecture with a core layer (the high-speed switching backbone of the network), an aggregation layer (providing policy-based connectivity) and an access layer (connecting workstations to the network). The network structure is relatively complex and the administrators' workload is heavy, because every network device has to be configured individually. This design therefore introduces a large Layer 2 campus network for the university.

All users of the large Layer 2 campus network are authenticated on the core switch. The aggregation and access devices do not need to maintain complex network protocols. The layering is clear, the structure is stable, and the network is easy to manage, expand and maintain.

1.2 Main research contents

The campus network usually includes the campus card, the educational affairs management system, the student management system, the office automation system and so on, as well as the campus community and other parts closely tied to student life. On the one hand the campus network provides information resources and knowledge sharing; on the other hand it also serves students' daily life. With the development of wireless network technology, these applications are no longer limited to computers but are extending to mobile phone users. The campus network carries the important mission of campus life, and its construction goals are functional requirements on the one hand and security guarantees on the other. Functionally, the campus network should be a network system that integrates data, voice and video for office work, study and life, so its design and construction should start from a high standard while remaining economical and practical. Specifically, the large Layer 2 architecture is applied to build a campus network that is easy to manage, easy to deploy and easy to maintain.

2 Project Feasibility and Demand Analysis

2.1 The Necessity of Campus Network Construction

With the development of Internet technology, computer networks are being studied from many angles so that they can be applied widely and successfully in many fields. The concept of a campus network refers to the network of universities, secondary schools and primary schools. It is a collection of Internet-based computer networks, their users, and the related rules and regulations, built for the purpose of application. A campus network uses network equipment, communication media, suitable networking technologies and protocols, and various system management and application software to organically integrate the computers, computer classrooms and terminal devices on campus into a computer local area network used for teaching, scientific research, school management, information resource sharing and distance teaching. The campus network is a broadband multimedia network that provides teaching, scientific research and comprehensive information services for teachers and students.

In our country, schools are at the center of profound changes affecting the entire society, so whether to adopt the most advanced information and communication technologies in schools is a decisive question. With the continuous development and popularization of computer multimedia and network technology, the construction of campus network information systems is both necessary and feasible.

This is mainly reflected in the following:

First, campus network information systems have developed to the stage of inter-school interconnection, international interconnection, static resource sharing, dynamic information release, distance teaching and collaborative work, and this development places ever higher requirements on the modernization of school education.

Second, the continuous increase in the amount of educational information has made schools at all levels, families and educational management departments increasingly demanding in terms of computer management of educational information and educational information services. Whether an individual can obtain and process information is a decisive factor for successfully entering the professional world and integrating into society, so schools should train all students to control and master this technology. On the other hand, information technology, while serving as an educational tool for young people, also gives them unprecedented opportunities. The opportunities offered by new technologies are as numerous as their advantages in teaching; in particular, the use of computers and multimedia systems enables a personalized path on which each student develops at his own pace along an individual learning route.

Third, education and research departments at all levels, software development units, teaching equipment suppliers and schools at all levels in our country have continuously developed and supplied software and multimedia systems that run on the network, and these are becoming more and more visual and practical in the network environment.

Fourth, the needs of modern education reform.

The introduction of computers into every aspect of teaching through the campus network has led to major innovations in teaching methods, teaching approaches and teaching tools. It plays an immeasurable role in improving the quality of teaching and promoting the modernization of our country's education.

The network also provides an effective way for school administrators and teachers to obtain resources and work together. There is no doubt that campus network is a powerful means for schools to improve management level, work efficiency and teaching quality, and it is a basic tool to solve educational problems in the information age.

Fifth, with the progress of the times and the development of science and technology, schools face new challenges in managing modern information technology. To improve their own modern management level, enrich teaching methods and means, improve work efficiency, grasp relevant information in a timely manner, improve the ability to handle various businesses and emergencies, and strengthen management, schools need modern information technology. Using computer networks and communication technology to grasp information comprehensively, rapidly and accurately has become an urgent need for schools' internal and teaching business processing.

2.2 Problems in the traditional three-tier network

The network structure is also becoming more and more complex, and the difficulty of management and operation and maintenance is increasing. The construction of campus information is facing more and more challenges.

First, network management problems. Most current campus networks have a traditional three-tier architecture, and the network structure is relatively complex. The aggregation layer device acts as the Layer 3 gateway and runs a routing protocol to communicate with the core. At the same time, to avoid loops, the access and aggregation layer devices need to run the complex MSTP spanning tree protocol, which makes it hard to quickly locate network problems when they occur.

Second, network operation problems. There are many different roles in the campus network, such as students and teachers, with different billing methods and different authentication methods. To strengthen the management and control of students, traditional campus networks often use 802.1x authentication. After years of actual operation, network administrators have found that 802.1x authentication problems occur frequently: authentication is enabled on every access switch, so a large number of access devices must be configured, the client software is also prone to problems, and students complain constantly.

Third, network maintenance problems. In the traditional network architecture, the energy of network operation and maintenance staff is mostly consumed by the functional configuration of network equipment, technical details and tedious fault location, so they cannot focus on user experience and business innovation.

2.3 Demand Analysis

The main network is a Gigabit-backbone, 100 Mbps-to-desktop wired network covering all buildings in the school. Two H3C S5700s are selected as core switches (active and standby) to carry the high-speed forwarding of the entire campus network's internal and external traffic and to act as the gateway for user services. Five H3C S5700s serve as aggregation devices, one in each building. Dynamic address pools are created on the core switch, and IP addresses are issued through DHCP.

A firewall is set up between the core switch and the egress router to ensure the security of the intranet. In order to ensure that teachers and students use campus network resources safely and reasonably, security authentication is used to log in and authenticate users to the campus network.

3 Large Layer 2 Network Structure

3.1 Design concept of large two-layer network structure

A campus network is a high-density user network that gathers a large number of terminals and users in a limited space. The design of the flat large Layer 2 network focuses on three "eases": easy management, easy deployment, and easy maintenance.

Easy to manage: The flat large Layer 2 network simplifies the network structure as a whole. The many access and aggregation devices in the network act as pure Layer 2 devices and only need simple VLAN division and port isolation configuration, without extensive management. The core device acts as the Layer 3 gateway and runs routing, authentication and security-related functions. In daily maintenance, administrators only need to maintain the core device, which greatly reduces the difficulty of network operation and maintenance and simplifies the workload.

Easy to deploy: In a large Layer 2 network, whether the user is wired or wireless and whether 802.1x or portal authentication is used, the authentication points are centralized at the core, so deployment is convenient and fast. At the same time, in the large Layer 2 environment the configurations of the many access and aggregation devices are basically similar. Some manufacturers focusing on the education industry have also launched quick configuration tools for delivering configuration when devices go online in batches. With such tools the procedure is simple, and deployment work that previously took several days can be completed within 2 hours.

Easy to maintain: Simplifying the network structure simplifies maintenance, and simplifying the equipment configuration greatly reduces the probability of equipment failure. On the other hand, maintaining the campus network requires being able to quickly locate problems in the network. At the network management level, users must be associated with ports so that it is clear through which port each user accesses the Internet; the large Layer 2 architecture makes it easy to locate a user on a specific port.

3.2 Design Features of Large Layer 2 Network

The campus network is divided into multiple logical areas. The overall design adopts a large Layer 2 structure in which the logical areas perform their own duties. All users are authenticated on the core switch, the aggregation and access devices do not need to maintain complex network protocols, the hierarchy is clear, and the structure is stable, easy to manage, easy to expand and easy to maintain. Large Layer 2 networking has the following characteristics:

(1) Flat routing: the core equipment acts as the Layer 3 gateway, terminates ARP, and runs the routing protocols. The core equipment has rich functions and strong performance, which better meets the development needs of the campus network. Access and aggregation are purely Layer 2 configurations responsible for Layer 2 forwarding, which are easy to maintain and cheap to procure.

(2) Centralized authentication: the core device acts as the centralized authentication point, terminates authentication, and distributes policies uniformly. The access layer does not need to enable authentication; the core device enables it per port as needed.

(3) Wired and wireless integration: wired and wireless unified authentication, wireless authentication also ends at the core, AC only needs to manage APs, and does not need to perform authentication functions at the same time, which solves the problem of managing multiple sets of authentication and billing platforms in a heterogeneous network environment.

(4) Batch configuration automation: in the large Layer 2 architecture, the many access devices have basically the same configuration. Combined with automatic configuration distribution tools, the configuration of the access devices is delivered automatically in a short time, greatly reducing the workload of on-site implementation staff.

(5) Accurate user location: Unlike traditional solutions that can only locate access switches, the L2 solution can directly locate users to ports of access switches to meet the needs of precise location.

4 Design Plan of the Large Layer 2 Campus Network

4.1 Overall network design

The computer network system is based on the current internationally popular TCP/IP, adopts the OSI architecture and follows international standards, and the entire network system adopts a star network topology.

Generally, the information points in the buildings of a campus network are relatively concentrated and involve many departmental offices. The network as a whole uses routing, and broadcasts are aggregated and terminated. In a switched Ethernet network, contention for resources between network devices does not affect the overall efficiency and transmission speed of the network, which greatly improves the performance of the entire network and reduces the probability of network congestion.

In this scheme, the network system is planned into two parts according to the system structure and function: LAN and WAN.

The WAN is mainly composed of routers with various functions, egress devices, application servers, and network security devices.

According to the network level, the LAN is divided into: core layer, large second layer (access aggregation layer, access layer)

4.2 Overall Network Structure Design

Because the school's buildings concentrate many information points, the following network architecture is proposed: the intranet backbone is interconnected with 10 Gigabit Ethernet technology, and Gigabit to the desktop is guaranteed throughout. The core layer uses virtualization technology to virtualize multiple cores into one, and the aggregation layer connects to the core equipment over 10 Gigabit optical fiber, which greatly increases the reliability of the network. Floor access switches use a stacked uplink or a stand-alone uplink depending on the number of physical units, ensuring reliability for end users. Monitoring is built on a dedicated intelligent monitoring network, which also adopts the large Layer 2 architecture of a core layer plus the large Layer 2 (access aggregation layer, access layer).

The core layer uses two switches for virtual redundancy and disaster backup. VLANIF interfaces are configured at the core layer for routing, DHCP assigns addresses automatically, OSPF provides IGP interconnection, and the gateways are configured on the core switches. This lets administrators create a centralized, more flexible resource pool that can be allocated on demand, and servers or virtual machines can be created and migrated anywhere without changing their IP address or default gateway. The access aggregation layer and access layer of the large Layer 2 network divide VLANs for transparent transmission between devices, allow all VLANs to pass, and assign VLANs for user access.

4.3 Network Structure Topology

The solution is based on Gigabit Ethernet technology with 10 Gigabit Ethernet as the target, following the design idea of a 10 Gigabit backbone, Gigabit to the buildings and 100 Mbps to the desktop. The network is divided into a core layer, Layer 2 aggregation and Layer 2 access, the latter two collectively called the large Layer 2. The core layer consists of two high-performance 10G core routing switches forming a fully redundant 10G dual link, which ensures high-speed data routing and switching for the campus network and offers good scalability. The design topology is shown in Figure 1 and Figure 2:

Figure 1 Wired network topology

Figure 2 Wireless network topology

4.4 IP address and VLAN division

According to the topology requirements, VLANs are divided by the major areas of the campus. See Table 1:

Table 1 VLAN division

VLAN      IP address    Subnet mask      Remark
VLAN 10   10.0.10.0     255.255.255.0    teaching building
VLAN 11   10.0.11.0     255.255.255.0    teaching building
VLAN 12   10.0.12.0     255.255.255.0    library
VLAN 13   10.0.13.0     255.255.255.0    library
VLAN 14   10.0.14.0     255.255.255.0    office building
VLAN 15   10.0.15.0     255.255.255.0    office building
VLAN 16   10.0.16.0     255.255.255.0    teacher apartment
VLAN 17   10.0.17.0     255.255.255.0    teacher apartment
VLAN 18   10.0.18.0     255.255.255.0    student apartment
VLAN 19   10.0.19.0     255.255.255.0    student apartment

According to the topology requirements, the IP addresses of the specific devices in each area of the campus are set as follows. See Table 2:

Table 2 Address planning

Device name                        IP address
Public network                     114.114.114.114
Campus network egress              1.1.1.2
DNS                                10.0.1.106
FTP                                10.0.1.107
WEB                                10.0.1.105
Intrusion prevention 1             10.0.1.101
Intrusion prevention 2             10.0.1.100
Server 1                           10.0.1.103
Server 2                           10.0.1.104
Wireless network management VLAN   10.0.1.102

4.5 Network Hierarchy Analysis

4.5.1 Core Layer Requirements Analysis

The equipment at the core layer of the campus network is responsible for connecting the aggregation equipment, and through the interconnection of this equipment the regional networks at the various physical locations are joined into one complete network. The core layer devices carry the traffic of the entire network, so the stability of the backbone equipment and links directly affects the reliable operation of the whole network. Because the backbone equipment sits at the core of the network and requires high performance and redundant backup, link aggregation technology is used to meet the high-speed data exchange, forwarding and stability requirements of the network backbone.

The performance of the backbone network is the basis for the good operation of the entire network. The design must ensure the high throughput of the network and equipment, and ensure the high-quality transmission of various services, so that the network will not become a bottleneck for service development.

4.5.2 Analysis of aggregation layer

(1) High-speed transport area traffic.

(2) High reliability.

(3) Provides fault isolation.

(4) Less delay and good manageability.

(5) Good routing and switching capabilities.

(6) Good regional convergence capabilities.

(7) Good 10 Gigabit capability.

It is required that the aggregation device must be a pure gigabit high-performance switch; in the campus network, the aggregation device is responsible for the connection between the network access layer and the backbone device, and the network aggregation layer has an important task of linking the past and the future.

The aggregation device not only completes link aggregation and traffic aggregation at the access layer, but also completes local data exchange and data forwarding between the access layer and the backbone. As the entrance of the backbone layer and the exit of the access layer, the identity of the convergence layer is like a checkpoint. In order to ensure the good operation of the entire network, features such as high performance and redundancy of key components are also required at the aggregation layer.

4.5.3 Access Layer Analysis

The access layer is at the edge of the entire network, and students access the network through access devices. In order to ensure the safe and efficient operation of the entire network, intelligent identification of access devices as network entrances is an important function.

4.6 Key technologies adopted

4.6.1 Main control redundancy of core switch

When a device has only a single main control board and that board fails, restarting it requires loading the image file and initializing the configuration, which takes about 5 minutes; for a node that is a single point of failure in the network, service is completely interrupted during that time. The core switch is therefore fitted with two control boards, one active and one standby. When the active main control board fails, an active/standby switchover takes place: the standby board becomes the active main control board, and the original board becomes the standby after it restarts, so the core switch keeps operating normally.

4.6.2 Gateway-level redundancy of core layer network equipment

In order to improve the availability of the network and prevent single points of failure in the network structure, the core layer uses a redundant dual-device hot-standby node design. With the redundancy protocol configured, business traffic is forwarded through both core devices under normal conditions, which reduces the load that heavy traffic places on a single core device; when one core device fails, the services of the aggregation layer devices automatically switch to the other core device and continue to be forwarded. In this network, VRRP provides gateway-level redundancy and the user VLANs terminate at the core layer. Since there are two core switches, the traffic of the user VLANs is shared between them. With two core switches A and B and M VLANs in the network, M VRRP backup groups (that is, M virtual IPs) are configured on the core switches. In some VRRP groups core switch A is the master and core switch B the backup; in the others core switch B is the master and core switch A the backup. The split can be planned according to the traffic or the number of terminals in each VLAN: the gateways of some VLANs are placed in VRRP groups where core switch A is master, and the gateways of the remaining VLANs in groups where core switch B is master.
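The split-master VRRP design described above, as an added example that is not part of the article's device configuration (the article's CoreA dump sets priority 120 on every Vlanif, so CoreA would be master for all VLANs). The generator alternates the master between the two cores and renders the stanzas in the article's VRP style; the core names, the .1/.2/.3 address convention and the VLAN plan dict are this example's assumptions.

```python
import ipaddress

VRRP_DEFAULT_PRIORITY = 100  # VRRP default when no priority is configured
MASTER_PRIORITY = 120        # value the article uses on the preferred core

# VLAN plan from Table 1 of the article (VLAN id -> network), built here as a
# dict so the example is self-contained.
VLAN_PLAN = {vid: "10.0.%d.0/24" % vid for vid in range(10, 20)}


def plan_gateways(vlan_plan, cores=("CoreA", "CoreB")):
    """Return {vlan_id: {"network", "virtual_ip", "addresses", "priorities", "master"}}.

    Convention (this example's, not the article's): .1 is the VRRP virtual IP,
    .2 and .3 are the real addresses of the first and second core, and the
    master alternates in VLAN order so each core owns about half of the VLANs.
    """
    plan = {}
    for index, vid in enumerate(sorted(vlan_plan)):
        net = ipaddress.ip_network(vlan_plan[vid])
        base = net.network_address
        master = cores[index % len(cores)]
        plan[vid] = {
            "network": net,
            "virtual_ip": base + 1,
            "addresses": {core: base + 2 + i for i, core in enumerate(cores)},
            "priorities": {core: MASTER_PRIORITY if core == master
                           else VRRP_DEFAULT_PRIORITY for core in cores},
            "master": master,
        }
    return plan


def render_core(core, plan):
    """Render the 'ip pool' and 'interface Vlanif' stanzas for one core in the
    article's VRP style, using only commands that appear in the article.

    Both cores get the pool definitions because each runs 'dhcp select
    global'; two independent DHCP servers sharing one range do not know each
    other's leases and can conflict, so in production split the range.
    """
    lines = []
    for vid, entry in sorted(plan.items()):
        net = entry["network"]
        lines += ["ip pool %d" % vid,
                  " gateway-list %s" % entry["virtual_ip"],
                  " network %s mask %s" % (net.network_address, net.netmask),
                  "#"]
    for vid, entry in sorted(plan.items()):
        lines += ["interface Vlanif%d" % vid,
                  " ip address %s %s" % (entry["addresses"][core], entry["network"].netmask),
                  " vrrp vrid %d virtual-ip %s" % (vid, entry["virtual_ip"]),
                  " vrrp vrid %d priority %d" % (vid, entry["priorities"][core]),
                  " dhcp select global",
                  "#"]
    return "\n".join(lines)


def masters_for(core, plan):
    """VLAN ids for which `core` is the intended VRRP master."""
    return sorted(vid for vid, entry in plan.items() if entry["master"] == core)


if __name__ == "__main__":
    gw_plan = plan_gateways(VLAN_PLAN)
    for core in ("CoreA", "CoreB"):
        print("# %s is VRRP master for VLANs %s" % (core, masters_for(core, gw_plan)))
        print(render_core(core, gw_plan))
```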

4.7 Analysis of Network Stability and Reliability

The campus network has many users and many services, which places high efficiency requirements on the network system: it must keep effective processing capacity under the access of large amounts of data. The equipment must therefore process data in a distributed way. Such distributed processing saves the capacity of the main switching engine, because data is identified on an independent board, which is much faster than identification on the central processing unit. During heavy data application and transmission, all hardware devices must forward quickly, must have high backplane bandwidth (switching capacity), and all ports must forward at wire speed. This kind of distributed processing greatly improves overall processing capability and keeps the network flowing smoothly. Stability and reliability are a hot topic in today's network environment, because many important applications and services run on the network and 7*24 hours of uninterrupted service must be guaranteed. The availability of network equipment must be fully guaranteed around the clock, and even when switching to a backup device after a failure, the delay must be small enough to keep network applications running smoothly. To meet this demand, key components are made redundant: redundant management switching engines and redundant power supplies; support for the (802.1D, 802.1W) 802.1S multi-VLAN spanning tree protocols for link-level redundancy and load balancing; support for VRRP, OSPF and other Layer 3 routing protocols for routing-level redundancy; and load balancing technology for application-level redundant backup and load balancing. Together these guarantee the reliability of the equipment, the network and the application systems.

4.8 Network Security Analysis

4.8.1 Internal misuse and abuse

Various surveys have shown that internal misuse (misoperation) and abuse have the most serious impact on the school network and its business, typically accounting for as much as 70%. The ability to effectively prevent losses from misuse, prevent abuse, monitor the healthy operation of the business network, and locate and forensically analyze incidents after they occur is therefore very important for a school.

4.8.2 Denial of service attack

It is worth noting that the threat of denial-of-service attacks on today's networks is becoming ever more pressing, and solutions to them are attracting more and more attention. The ability to prevent, mitigate and withstand large-scale denial-of-service attacks indicates whether a school network can promise more robust and highly available services to its users, and is an important sign that a school's network security has reached a new level.

4.8.3 External intrusion

Here is what is commonly referred to as a hacking threat. Judging from the network security management experience and penetration test results in the past few years, most of the current network devices and services have traces of intrusion, and even various backdoors. These are huge threats to the control of the autonomous operation of the network, causing customers to lose confidence in important and critical applications, loss of business, and even catastrophic consequences.

Firewall configuration

1. Change the device name

sysname FW

2. Configure the interface IP addresses

interface GigabitEthernet0/0/1
 ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 1.1.1.2 255.255.255.0
#

3. Add the interfaces to their security zones

firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#

4. Configure OSPF

ospf 100 router-id 10.0.1.1 //Create the OSPF process
 area 0.0.0.0 //Enter area 0
  network 192.168.2.0 0.0.0.255 //Advertise the connected network segment

5. Configure the NAT policy

Configure source NAT so that intranet users can reach the public network; easy-ip translates internal addresses to the address of the egress interface GigabitEthernet0/0/2.

nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  easy-ip GigabitEthernet0/0/2

6. Configure inter-zone policies

Configure the inter-zone policies needed to allow traffic. Note that these two policies carry no source, destination or service conditions, so they permit all traffic from trust to untrust and all traffic from the trust zone to the firewall itself (local).

policy interzone local trust inbound
 policy 1
  action permit
#
policy interzone trust untrust outbound
 policy 1
  action permit
#

7. Configure the default route

#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 //Default route towards the public network

Core switch configuration

1. Change the device name

sysname CoreA
#

2. Configure VLANs

vlan batch 2 to 30
#

3. Configure the spanning tree priority

stp instance 0 root primary
#

4. Configure the DHCP address pools

ip pool 10
 gateway-list 10.0.10.1
 network 10.0.10.0 mask 255.255.255.0
#
ip pool 11
 gateway-list 10.0.11.1
 network 10.0.11.0 mask 255.255.255.0
#
ip pool 12
 gateway-list 10.0.12.1
 network 10.0.12.0 mask 255.255.255.0
#
ip pool 13
 gateway-list 10.0.13.1
 network 10.0.13.0 mask 255.255.255.0
#
ip pool 14
 gateway-list 10.0.14.1
 network 10.0.14.0 mask 255.255.255.0
#
ip pool 15
 gateway-list 10.0.15.1
 network 10.0.15.0 mask 255.255.255.0
#
ip pool 16
 gateway-list 10.0.16.1
 network 10.0.16.0 mask 255.255.255.0
#
ip pool 17
 gateway-list 10.0.17.1
 network 10.0.17.0 mask 255.255.255.0
#
ip pool 18
 gateway-list 10.0.18.1
 network 10.0.18.0 mask 255.255.255.0
#
ip pool 19
 gateway-list 10.0.19.1
 network 10.0.19.0 mask 255.255.255.0
#

5. Configure the SVI interfaces

interface Vlanif1
 ip address 10.0.1.2 255.255.255.0
#
interface Vlanif3
 ip address 10.0.3.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.0.3.1 //Configure the VRRP virtual gateway address
 vrrp vrid 3 priority 120 //Priority 120 is higher than the default 100, so this core becomes master of the group
#
interface Vlanif10
 ip address 10.0.10.2 255.255.255.0
 vrrp vrid 10 virtual-ip 10.0.10.1
 vrrp vrid 10 priority 120
 dhcp select global //Serve DHCP on this interface from the matching global address pool
#
interface Vlanif11
 ip address 10.0.11.2 255.255.255.0
 vrrp vrid 11 virtual-ip 10.0.11.1
 vrrp vrid 11 priority 120
 dhcp select global
#
interface Vlanif12
 ip address 10.0.12.2 255.255.255.0
 vrrp vrid 12 virtual-ip 10.0.12.1
 vrrp vrid 12 priority 120
 dhcp select global
#
interface Vlanif13
 ip address 10.0.13.2 255.255.255.0
 vrrp vrid 13 virtual-ip 10.0.13.1
 vrrp vrid 13 priority 120
 dhcp select global
#
interface Vlanif14
 ip address 10.0.14.2 255.255.255.0
 vrrp vrid 14 virtual-ip 10.0.14.1
 vrrp vrid 14 priority 120
 dhcp select global
#
interface Vlanif15
 ip address 10.0.15.2 255.255.255.0
 vrrp vrid 15 virtual-ip 10.0.15.1
 vrrp vrid 15 priority 120
 dhcp select global
#
interface Vlanif16
 ip address 10.0.16.2 255.255.255.0
 vrrp vrid 16 virtual-ip 10.0.16.1
 vrrp vrid 16 priority 120
 dhcp select global
#
interface Vlanif17
 ip address 10.0.17.2 255.255.255.0
 vrrp vrid 17 virtual-ip 10.0.17.1
 vrrp vrid 17 priority 120
 dhcp select global
#
interface Vlanif18
 ip address 10.0.18.2 255.255.255.0
 vrrp vrid 18 virtual-ip 10.0.18.1
 vrrp vrid 18 priority 120
 dhcp select global
#
interface Vlanif19
 ip address 10.0.19.2 255.255.255.0
 vrrp vrid 19 virtual-ip 10.0.19.1
 vrrp vrid 19 priority 120
 dhcp select global
#

6. Configure the interface types

interface GigabitEthernet0/0/1
 port link-type access
 stp edged-port enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/7
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/9
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#

7. Configure the link aggregation interface

interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/23
 eth-trunk 1
#
interface GigabitEthernet0/0/24
 eth-trunk 1
#
interface NULL0
#

8. Configure OSPF

ospf 100 router-id 10.0.1.2
 area 0.0.0.0
  network 10.0.0.0 0.0.255.255
#

9. Configure the default route

ip route-static 0.0.0.0 0.0.0.0 192.168.2.1 preference 80
#

Aggregation switch configuration

1. Change the device name

#
sysname SWA
#

2. Configure the interface type

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#

Access switch configuration

1. Change the device name

sysname SW1
#

2. Configure VLANs

vlan batch 2 to 30
#

3. Configure the interface type

interface Ethernet0/0/1
 port link-type access
 port default vlan 10
 stp edged-port enable
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 10
 stp edged-port enable
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#

Carrier configuration

1. Change the device name

sysname ISP
#

2. Configure the interface IP addresses

interface GigabitEthernet0/0/0
 ip address 1.1.1.1 255.255.255.0
#
interface LoopBack0
 ip address 114.114.114.114 255.255.255.0
#

AC configuration

1. Change the device name

sysname AC
#

2. Configure the user VLAN pool

vlan batch 2 to 100
#
vlan pool community
 vlan 10
#

3. Configure the interface IP address

interface Vlanif1
 ip address 10.0.1.102 255.255.255.0
#

4. Configure the interface type

interface GigabitEthernet0/0/1
 port link-type access
 stp edged-port enable
#

5. Configure the default route

ip route-static 0.0.0.0 0.0.0.0 10.0.1.1
#

6. Configure the CAPWAP tunnel

capwap source interface vlanif1
#

7. Configure the security profile

wlan
 security-profile name community
  security wpa2 psk pass-phrase 88888888 aes

8. Configure the SSID profile

 ssid-profile name community
  ssid community

9. Configure the VAP profile

 vap-profile name community
  service-vlan vlan-pool community
  ssid-profile community
  security-profile community

10. Configure the AP whitelist

 ap whitelist mac 00E0-FC81-3540

11. Bring the AP online

 ap-id 0 type-id 35 ap-mac 00e0-fccb-0870 ap-sn 210235448310FB1C3405
  radio 0
   vap-profile community wlan 1
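As an added example (not part of the original design and not an eNSP or Huawei tool), the following Python script parses VRP-style configuration fragments such as the core switch's trunk and access ports above and the AC's WLAN security profile, flags settings a reviewer would want confirmed before deployment, and evaluates the OSPF `network 10.0.0.0 0.0.255.255` wildcard statement from section 8 against interface addresses. The embedded sample configuration is constructed from fragments on this page, and the passphrase-length threshold in the check is an assumption of mine.

```python
import ipaddress
import re

# Constructed sample in Huawei VRP style, assembled from fragments shown on this page.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 port link-type access
 stp edged-port enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
wlan
 security-profile name community
  security wpa2 psk pass-phrase 88888888 aes
#
"""

def parse_blocks(text):
    """Split a VRP-style config into (header, body) blocks on top-level lines and '#'."""
    blocks = []
    for line in text.splitlines():
        if line.startswith(" "):              # indented line belongs to the open block
            blocks[-1][1].append(line.strip())
        elif line.strip() and line != "#":    # top-level keyword opens a new block
            blocks.append((line, []))
    return blocks

def audit(text):
    """Return (block, finding) pairs for settings a reviewer would want confirmed."""
    findings = []
    for header, body in parse_blocks(text):
        if "port link-type access" in body and not any(
                b.startswith("port default vlan") for b in body):
            findings.append((header, "access port left in VLAN 1; confirm this is intended"))
        if "port trunk allow-pass vlan 2 to 4094" in body:
            findings.append((header, "trunk carries every VLAN; prune to the VLANs in use"))
        for b in body:
            m = re.match(r"security wpa2 psk pass-phrase (\S+) aes", b)
            if m and (len(m.group(1)) < 12 or m.group(1).isdigit()):   # assumed threshold
                findings.append((header, "WPA2-PSK passphrase is short or digits only"))
    return findings

def ospf_matches(network, wildcard, address):
    """True if 'network <network> <wildcard>' covers address (wildcard 1 bits are ignored)."""
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    care = ~to_int(wildcard) & 0xFFFFFFFF      # wildcard is an inverted subnet mask
    return (to_int(address) & care) == (to_int(network) & care)
```

Run `audit(SAMPLE_CONFIG)` to list the three findings, and `ospf_matches("10.0.0.0", "0.0.255.255", "192.168.2.1")` to confirm the uplink next hop is not advertised into area 0.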

7 Conclusion

Designing and implementing this campus network has given me a deeper understanding of campus networking, and in particular a fresh understanding of every aspect of the large Layer 2 network. In the early design stage, comparing the large Layer 2 network with the traditional network showed the following advantages: the core device acts as the Layer 3 gateway, terminates ARP and runs the routing protocols; the IP address pools and gateways for all end users sit on the core switch, and end-user addresses are assigned to each device through DHCP. Access and aggregation are pure Layer 2 configurations that only handle Layer 2 forwarding, so they are easy to maintain. The core-layer equipment is feature-rich and high-performance, which better meets the development needs of the campus network. Based on these advantages, I designed a flat large Layer 2 campus network. During this design process I consolidated the knowledge I had learned before more comprehensively, and at the same time gained a new understanding of many things I had not understood earlier. Over the course of this design report, from being confused at the start to absorbing this knowledge little by little and expanding on what I had learned, the project design was completed.

The software used in this project design is Huawei's eNSP. eNSP is a very comprehensive simulator that faithfully reproduces the behaviour of real equipment, supports network simulation, and lets users practise and learn network technology without physical devices. The configuration of many devices in the simulator is the same as on the actual hardware, especially for the firewall and the wireless AC; the configuration commands used in the simulator are exactly the same as in the real environment. For the AP, once it is configured, the simulator shows the channel range and wireless signal, which makes it more realistic. Although we do not have a lab of real equipment in a professional environment, simulation in eNSP still provides a good learning environment.

How well a campus network serves its users and grows depends largely on whether its design scheme (networking technology, topology, IP and routing planning, security protection, and so on) is sound and properly implemented. A practical, well-designed campus network provides faster and more reliable network services for the work of the teachers and students of the whole school.


Origin blog.csdn.net/xiaolong1155/article/details/123623267