Small and medium-sized enterprise network network construction ensp simulation

Enterprise 2023-07-02 00:12:37 views: null

This issue simulates the universal networking of small and medium-sized enterprises. This scenario is the cross-operator mutual access between the headquarters and the branch. If it is disassembled, it is the internal network environment of a small enterprise, and the technology can be matched arbitrarily.

Scenario 1: The headquarters deploys STP\RSTP\VRRP\OSPF\static, firewall-based GRE VPN\IPSEC VPN, NAT

Scenario 2: The headquarters deploys STP\MSTP\VRRP load\OSPF\static, firewall-based GRE VPN\IPSEC VPN, NAT

Scenario 3: Only the headquarters, no branches, deploy STP\MSTP\VRRP load\OSPF\static, firewall-based NAT

This issue is simulating Scenario 2. The GRE tunnel is selected to achieve access between the headquarters and branches. The gray area is the access layer device, and the orange area is the core layer device, which can be directly configured.

Headquarters access layer configuration

sysname sw1
#
vlan batch 10
#
stp region-configuration
 region-name huawei
 instance 1 vlan 10 20 
 instance 2 vlan 30 40 
 active region-configuration
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 10

Headquarters core switch 1


#
sysname HX-1
#
vlan batch 10 20 30 40 100
#
stp instance 1 root primary
stp instance 2 root secondary
#
dhcp enable
#
stp region-configuration
 region-name huawei
 instance 1 vlan 10 20 
 instance 2 vlan 30 40 
 active region-configuration
#
interface Vlanif10
 ip address 192.168.10.252 255.255.255.0 
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 priority 120
 vrrp vrid 10 track interface GigabitEthernet0/0/7 reduced 30
 dhcp select interface
#
interface Vlanif20
 ip address 192.168.20.252 255.255.255.0 
 vrrp vrid 20 virtual-ip 192.168.20.254
 vrrp vrid 20 priority 120
 vrrp vrid 20 track interface GigabitEthernet0/0/7 reduced 30
 dhcp select interface
#
interface Vlanif30
 ip address 192.168.30.252 255.255.255.0 
 vrrp vrid 30 virtual-ip 192.168.30.254
 dhcp select interface
#
interface Vlanif40
 ip address 192.168.40.252 255.255.255.0 
 vrrp vrid 40 virtual-ip 192.168.40.254
 dhcp select interface
#
interface Vlanif100
 ip address 192.168.1.1 255.255.255.252 
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/5
 eth-trunk 1
#
interface GigabitEthernet0/0/6
 eth-trunk 1
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 100
#
ospf 1 
 area 0.0.0.0 
  network 192.168.1.1 0.0.0.0 
 area 0.0.0.1 
  network 192.168.10.0 0.0.0.255 
  network 192.168.20.0 0.0.0.255 
  network 192.168.30.0 0.0.0.255 
  network 192.168.40.0 0.0.0.255 
 

Headquarters core switch 2

sysname HX-2
#
vlan batch 10 20 30 40 100
#
stp instance 1 root secondary
stp instance 2 root primary
#
dhcp enable
#
stp region-configuration
 region-name huawei
 instance 1 vlan 10 20 
 instance 2 vlan 30 40 
 active region-configuration
#
interface Vlanif10
 ip address 192.168.10.253 255.255.255.0 
 vrrp vrid 10 virtual-ip 192.168.10.254
 dhcp select interface
#
interface Vlanif20
 ip address 192.168.20.253 255.255.255.0 
 vrrp vrid 20 virtual-ip 192.168.20.254
 dhcp select interface
#
interface Vlanif30
 ip address 192.168.30.253 255.255.255.0 
 vrrp vrid 30 virtual-ip 192.168.30.254
 vrrp vrid 30 priority 120
 vrrp vrid 30 track interface GigabitEthernet0/0/7 reduced 30
 dhcp select interface
#
interface Vlanif40
 ip address 192.168.40.253 255.255.255.0 
 vrrp vrid 40 virtual-ip 192.168.40.254
 vrrp vrid 40 priority 120
 vrrp vrid 40 track interface GigabitEthernet0/0/7 reduced 30
 dhcp select interface
#
interface Vlanif100
 ip address 192.168.1.5 255.255.255.252 
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/5
 eth-trunk 1
#
interface GigabitEthernet0/0/6
 eth-trunk 1
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 100
#
ospf 1 
 area 0.0.0.0 
  network 192.168.1.5 0.0.0.0 
 area 0.0.0.1 
  network 192.168.10.0 0.0.0.255 
  network 192.168.20.0 0.0.0.255 
  network 192.168.30.0 0.0.0.255 
  network 192.168.40.0 0.0.0.255 

egress firewall


sysname FW1

interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.2 255.255.255.252
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.1.6 255.255.255.252
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 200.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 192.168.50.254 255.255.255.0
#
interface Tunnel0
 ip address 10.1.12.1 255.255.255.0
 tunnel-protocol gre
 source 200.1.1.1
 destination 210.1.1.2
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
 add interface Tunnel0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
#
ospf 1
 default-route-advertise
 area 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 192.168.1.4 0.0.0.3
  network 192.168.50.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.2
ip route-static 172.16.10.0 255.255.255.0 Tunnel0
ip route-static 172.16.20.0 255.255.255.0 Tunnel0
#
security-policy
 rule name t-u
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  source-address 192.168.20.0 mask 255.255.255.0
  source-address 192.168.30.0 mask 255.255.255.0
  source-address 192.168.50.0 mask 255.255.255.0
  action permit
 rule name t-dmz
  source-zone trust
  destination-zone dmz
  source-address 192.168.10.0 mask 255.255.255.0
  source-address 192.168.20.0 mask 255.255.255.0
  source-address 192.168.30.0 mask 255.255.255.0
  destination-address 192.168.50.0 mask 255.255.255.0
  action permit
 rule name u-dmz
  source-zone untrust
  destination-zone dmz
  source-address 172.16.10.0 mask 255.255.255.0
  source-address 172.16.20.0 mask 255.255.255.0
  destination-address 192.168.50.0 mask 255.255.255.0
  action permit
 rule name l-u
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  action permit
 rule name gre
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  source-address 192.168.20.0 mask 255.255.255.0
  source-address 192.168.30.0 mask 255.255.255.0
  source-address 192.168.50.0 mask 255.255.255.0
  destination-address 172.16.10.0 mask 255.255.255.0
  destination-address 172.16.20.0 mask 255.255.255.0
  action permit
 rule name gre-
  source-zone untrust
  destination-zone trust
  source-address 172.16.10.0 mask 255.255.255.0
  source-address 172.16.20.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  destination-address 192.168.20.0 mask 255.255.255.0
  destination-address 192.168.30.0 mask 255.255.255.0
  destination-address 192.168.50.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name gre
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  source-address 192.168.20.0 mask 255.255.255.0
  source-address 192.168.30.0 mask 255.255.255.0
  source-address 192.168.50.0 mask 255.255.255.0
  destination-address 172.16.10.0 mask 255.255.255.0
  destination-address 172.16.20.0 mask 255.255.255.0
  action no-nat
 rule name t-u
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  source-address 192.168.20.0 mask 255.255.255.0
  source-address 192.168.30.0 mask 255.255.255.0
  action source-nat easy-ip
 

branch access switch

sysname xiaoshoubu
#
vlan batch 10 20
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 20

Branch core switch

sysname hx
#
vlan batch 10 20 100
#
stp instance 0 root primary
#
interface Vlanif10
 ip address 172.16.10.254 255.255.255.0 
#
interface Vlanif20
 ip address 172.16.20.254 255.255.255.0 
#
interface Vlanif100
 ip address 192.168.1.9 255.255.255.252 
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
ospf 1 
 area 0.0.0.0 
  network 192.168.1.8 0.0.0.3 
  network 172.16.10.0 0.0.0.255 
  network 172.16.20.0 0.0.0.255 

Branch egress firewall


sysname FW2
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.10 255.255.255.252
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 210.1.1.2 255.255.255.252
#
interface Tunnel0
 ip address 10.1.12.2 255.255.255.0
 tunnel-protocol gre
 source 210.1.1.2
 destination 200.1.1.1
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
 add interface Tunnel0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
#
ospf 1
 default-route-advertise
 area 0.0.0.0
  network 192.168.1.8 0.0.0.3
#
ip route-static 0.0.0.0 0.0.0.0 210.1.1.1
ip route-static 192.168.10.0 255.255.255.0 Tunnel0
ip route-static 192.168.20.0 255.255.255.0 Tunnel0
ip route-static 192.168.30.0 255.255.255.0 Tunnel0
ip route-static 192.168.50.0 255.255.255.0 Tunnel0
#
security-policy
 rule name t-u
  source-zone trust
  destination-zone untrust
  source-address 172.16.10.0 mask 255.255.255.0
  source-address 172.16.20.0 mask 255.255.255.0
  action permit
 rule name l-u
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  action permit
 rule name gre
  source-zone untrust
  destination-zone trust
  source-address 192.168.10.0 mask 255.255.255.0
  source-address 192.168.20.0 mask 255.255.255.0
  source-address 192.168.30.0 mask 255.255.255.0
  source-address 192.168.50.0 mask 255.255.255.0
  destination-address 172.16.10.0 mask 255.255.255.0
  destination-address 172.16.20.0 mask 255.255.255.0
  action permit
 rule name gre-
  source-zone trust
  destination-zone untrust
  source-address 172.16.10.0 mask 255.255.255.0
  source-address 172.16.20.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  destination-address 192.168.20.0 mask 255.255.255.0
  destination-address 192.168.30.0 mask 255.255.255.0
  destination-address 192.168.50.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name gre
  source-zone trust
  destination-zone untrust
  source-address 172.16.10.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  destination-address 192.168.20.0 mask 255.255.255.0
  destination-address 192.168.30.0 mask 255.255.255.0
  destination-address 192.168.50.0 mask 255.255.255.0
  action no-nat
 rule name isp
  source-zone trust
  destination-zone untrust
  source-address 172.16.10.0 mask 255.255.255.0
  source-address 172.16.20.0 mask 255.255.255.0
  action source-nat easy-ip

Experimental test verification

MSTP authentication

Vrrp verification

dhcp verification

Ospf verification

 

Nat verification

 

Connectivity test

 

 Note: The traffic entering the tunnel must be banned in the firewall nat policy or the advanced acl of the route, and then release the respective source ip to the external network policy

Guess you like

Origin blog.csdn.net/weixin_45650628/article/details/129173113
Recommended
LFOSSA Yuanlaisusu Open Course | Mastering the Cloud Native Future: Comprehensive Guide to CNCF Certification and Exam Preparation Tips
Ranking
C++ Basic Syntax
bootstrapTable hides a column based on a condition
Why is reentrant lock recommended instead of Synchronized when dynamic high concurrency?
hexo create a blog
[Fully open source and non-encrypted version] Imitation of the eighth district distribution/online signature/multiple sets of download templates/APP distribution hosting/APP packaging and packaging
Polymerization combination
https://www.flysnow.org/2017/05/06/go-in-action-go-log.html
From the perspective of Flutter and the front-end, talk about how to ensure UI fluency under the single-threaded model
nginx-301, 302 redirect
Geolocation by IP Address in ASP.NET
Daily
More
2024-04-26(22)
2024-04-25(32)
2024-04-24(30)
2024-04-23(30)
2024-04-22(5)
2024-04-21(0)
2024-04-20(6)
2024-04-19(5)
2024-04-18(0)
2024-04-17(31)

Code World

© 2018 codetd.com