Based on eNSP campus network (complete document + eNSP topology diagram)

Hello everyone, I am senior Xiaohua, a blogger in the computer field. After years of study and practice, I have accumulated rich computer knowledge and experience. Here I would like to share my learning experience and skills with you to help you become a better programmer.
As a computer blogger, I have been focusing on programming, algorithms, software development and other fields, and have accumulated a lot of experience in these areas. I believe that sharing is a win-win situation: through sharing, I can help others improve their technical level and at the same time get the opportunity to learn and communicate.
In my articles, you will see my analysis of various programming languages, development tools, and common problems. I will provide you with practical solutions and optimization techniques based on my actual project experience. I believe that these experiences will not only help you solve the problems you are currently encountering, but also improve your programming thinking and problem-solving abilities.
In addition to sharing technical aspects, I will also touch on some topics about career development and learning methods. As a former student, I know how to better improve myself and face challenges in the computer field. I will share some learning methods, interview skills and workplace experiences, hoping to have a positive impact on your career development.
My articles will be published in the CSDN community, which is a very active and professional computer technology community. Here you can communicate, learn and share with other people who love technology. By following my blog, you can get my latest articles as soon as possible and interact with me and other readers.
If you are interested in the computer field and hope to improve your programming skills and technical level, then please follow my CSDN blog. I believe that what I share will help and inspire you, allowing you to achieve greater success in the computer field!
Let us become better programmers together and explore the wonderful world of computing together! Thank you for your attention and support!
All computer project source code shared includes documents and can be used for graduation projects or course designs. Welcome to leave a message to share questions and exchange experiences!

Summary

With the continuous advance of informatization in the 21st century, the form of education needs reform and innovation, and there is an urgent need to raise the utilization of educational resources. As the infrastructure that supports an information-based teaching environment, the campus network is a core part of educational informatization and has become the foundation for information-based education, networked teaching and management in schools and universities. It gives teachers and students a platform for reaching more educational resources and richer teaching methods, and is an important means of realizing quality education. A campus network, composed of computers, network equipment and software, is an integrated application system serving school education, teaching and management: it interconnects all computers and ancillary equipment on campus, and through its connection to the wide area network and the science and education network it realizes information exchange and resource sharing.

This project is based on the network construction of Yucai Senior High School in Fumeng County and studies how network technologies can be used to build a network platform with good performance, high stability and security. Planning and design cover the hierarchical structure, the Internet exit, the address scheme and the security scheme. The design uses routing technology, VLAN technology to build virtual LANs, address translation to hide internal addresses, topology design to plan the network structure, and network security technology, in order to build an efficient and stable platform. Through port-based VLAN division, the configuration of the aggregation and core layer switches, firewall policy configuration, the use of address translation, the configuration of the egress router, the planning and configuration of the wireless network, and a test plan, the designed and implemented network platform is shown to achieve the expected results.

Keywords: campus network; network planning; network technology

ABSTRACT

With the continuous improvement of the level of informatization in the 21st century, the form of education needs reform and innovation, and the utilization of educational resources needs to be improved. The campus network, as the infrastructure for an information-based teaching environment, is an important part of educational informatization and the foundation for information-based education, network-based teaching and management in schools and universities. It provides a platform for teachers and students to obtain more educational resources and enrich teaching methods, and is an important means of realizing quality education in an all-round way. Composed of computers, network equipment and software, the campus network is an integrated application system for school education, teaching and management: all computers and auxiliary equipment on campus are interconnected, and information exchange and resource sharing are realized through its interconnection with the WAN and the science and education network.

This project is based on the network construction of Yucai Senior High School in Fumeng County and studies the use of network technologies to build a network platform with good performance, high stability and security. Planning and design are carried out for the hierarchical structure, the Internet exit, the address scheme and the security scheme. Routing technology, VLAN technology for virtual LANs, address translation for address hiding, topology design for the network structure and network security technology are used to build an efficient and stable platform. Through port-based VLAN division, the configuration of the aggregation and core layer switches, firewall policy configuration, the use of address translation, the configuration of the exit router, the planning and configuration of the wireless network and the test scheme, the designed and implemented network platform is shown to achieve the expected effect.

Key words: Campus network, Network planning, Network technique

Table of contents

Abstract

ABSTRACT

1 Overview of campus network

1.1 Introduction to the school

1.2 Campus floor plan

1.3 Research purpose and significance

1.4 Research status

1.4.1 Current status of foreign research

1.4.2 Domestic research status

2 Network requirements analysis

2.1 Network requirement function analysis

2.2 Principles of network construction

2.3 Network construction goals

3 Network logic design

3.1 Technology selection

3.1.1 LAN network technology selection

3.1.2 Topology selection

3.2 Campus network level design

3.2.1 Access layer design

3.2.2 Core layer structure design

3.2.3 Aggregation layer design

3.3 Network IP address planning and design

3.3.1 Network IP address planning

3.3.2 Goals and principles of network IP address planning

3.3.3 Network IP address design

4 Network physical design

4.1 Goals and principles of network physical design

4.2 Equipment selection

4.2.1 Core switch selection

4.2.2 Aggregation layer switch selection

4.2.3 Access switch selection

4.2.4 Firewall selection

4.3 Network integrated wiring design

4.3.1 Design principles of integrated wiring

4.3.2 Workspace subsystem

4.3.3 Horizontal trunk subsystem

4.3.4 Vertical trunk subsystem

4.3.5 Building subsystem

4.3.6 Management room subsystem

5 Network security design

5.1 Goals and principles of network security design

5.2 Prevention of basic network attacks

5.3 Firewall design

6 Network test

6.1 Inter-VLAN communication test

6.2 DHCP test

6.3 OSPF test

Summary

Acknowledgments

References

Appendix C Configuration code

1 Campus network overview

1.1 School profile

Fumeng County Yucai Senior High School is located at No. 106 Wenhua Road, Fuxin City, Liaoning Province. The school covers 143,368.32 square metres, with a building area of 57,861.29 square metres and more than 20,000 square metres of green space. The classrooms are standardized, the dormitories are apartment-style, and a standard gymnasium, a large swimming pool and a library have been built in recent years. The computer rooms, laboratories, electronic classrooms, lecture halls, art rooms, teaching aids, experimental instruments and equipment, medical supplies, sports and art equipment, books, newspapers and periodicals are complete and meet the required standards. All of this calls for a fast and convenient network platform to speed up the flow of information and the sharing of resources. The campus network is a necessary step in the progress and development of a strong school: it raises the level of teaching, brings convenience to teachers and students, and is also an important criterion and indicator in school evaluation.

1.2 Campus floor plan

(Figure: campus floor plan; image not reproduced in the text.)

1.3 Research purpose and significance

The development of the Internet has completely changed the traditional way of life and the way people communicate with each other. WeChat, QQ, DingTalk and other instant messaging tools have made communication independent of time and place. Commerce has become more powerful and transactions simpler: online shopping, online payment and online booking have changed the form of business. Online games, e-books and music have changed almost everyone's leisure habits. Upgrading the campus network greatly improves the quality of teaching and the pace of campus life. With the rapid development of network information, teaching resources and files can be shared anytime and anywhere as long as there is a network. The campus network can bring courses online, allowing students to learn and obtain more information at any time. Compared with traditional classroom teaching, online teaching can raise the level of teaching, make campus affairs more transparent and create a better environment. Teachers can deliver students' school information to parents through the Internet, allowing parents to follow their children's learning and life on their mobile phones and computers.

Teaching resources on the network can be shared effectively with everyone through the campus network. This makes school learning and communication more convenient without spending more time and money, and shows the efficiency a campus network can bring. Campus management includes administrative management, teaching management and human resources management; the network realizes information transmission and resource sharing and facilitates teaching. Through network-based information sharing, the transmission, reception and sharing of teachers' and students' resources are realized, efficient teaching is supported, students are given a better teaching environment and more convenient learning, and the quality of teaching improves. The advancement of the Internet not only breaks the old desk-bound classroom teaching method but also replaces traditional teaching methods, so teachers can pass on knowledge and resources better. Teaching must be student-centred and focus on students' quality and performance, devoting itself to helping students become talents and giving them a better life.

1.4 Research status

1.4.1 Current status of foreign research

In the United States, the construction of campus networks began in the 1980s. After about thirty years of development, with the support and attention of the national government, campus networks have progressed rapidly, and the range of functions they provide is very wide. In many foreign universities there are almost no computers that are not connected to the network, and everyone has a network account, which shows how rich their network information resources are. Taking Harvard University as an example, the number of students, faculty and staff using the network and the number of computers connected to it are very large, several times the figures for domestic universities. It can be seen that the campus network covers the whole campus and affects the work, study and life of every student and every teacher. At present, the main development direction of campus networks in American universities is adding artificial intelligence, which can give teaching unprecedented convenience, deepen research and provide strong support for campus management.

1.4.2 Domestic research status

Because domestic informatization developed late and campus networks have a short construction history, the foundation is relatively weak, and the speed and scale of development lag behind the United States. However, the construction of domestic university campus networks is accelerating, and the scale and technology of campus networks at well-known domestic universities have reached the world's advanced level. After nearly two decades of development, Tsinghua University's campus network covers every corner of the campus, so that teachers and students feel its presence everywhere; there are nearly 10,000 registered users and 10,000 to 13,000 people online. Peking University's campus network is currently the largest among universities, with 47,000 computers connected and 25,000 online users. The rapid development of the Internet has led every domestic university to build its own campus network to improve everyone's work and study environment, and students make faster progress with better education. Campus networks have truly changed the domestic education environment. With the country's emphasis on and support for education, the Ministry of Education will invest 900 million yuan to build the Northwest Campus Network.

2 Network requirements analysis

2.1 Network requirement function analysis

(1) Implement access control between the internal and external networks and control every inbound and outbound channel: not only filter information coming from the external network, but also filter the requests and data that internal users send out, so that only traffic consistent with the security policy is allowed to be sent or received.

(2) Establish network vulnerability analysis; user behaviour needs to be monitored and analysed, with warnings of possible attacks.

(3) Different resources have different confidentiality requirements. Confidential documents must be classified to form hierarchical protection, and high-level protection and management is especially important for sensitive data.

(4) Because students cannot always operate software applications correctly, a large amount of bandwidth is consumed in an uncontrolled way. Bandwidth must be managed systematically so that critical applications get the bandwidth they need.

(5) The access layer is the interface to users. The selected access switches should have relatively complete functions, including certain security control functions such as port isolation and attack prevention, and support for the required technologies.

(6) The core layer must meet the data transmission requirements of the access layer switches.

(7) The wireless network must fully cover the teaching buildings, library, stadium and cafeterias.

(8) Only authorized logins may use network resources, and the campus network should be equipped with an online anti-virus system.
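The bidirectional filtering requirement in (1) is easiest to reason about as a zone-based policy that is evaluated first-match with an implicit deny. The following Python model is an added example written for this page, not code from the original design or from any firewall vendor; the zone subnets, the rule set, the host addresses and the sample packets are assumptions constructed for illustration.

```python
"""Zone-based packet-filter policy model (added example; constructed data).

Models requirement (1): every inbound and outbound channel is checked and
only traffic consistent with the policy is allowed.  Rules are evaluated
first-match; anything not explicitly permitted is denied.
"""
import ipaddress
from dataclasses import dataclass

# Assumed address plan: internal campus range and a DMZ for published servers.
ZONES = {
    "trust": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz": [ipaddress.ip_network("192.168.100.0/24")],
}
# Any address outside the listed zones is treated as the Internet ("untrust").


def zone_of(ip: str) -> str:
    """Map an IP address to its security zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "untrust"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                       # "permit" or "deny"
    src: str = "any"                  # CIDR or "any"
    dst: str = "any"                  # CIDR or "any"
    proto: str = "any"                # "tcp", "udp", "icmp" or "any"
    dports: frozenset = frozenset()   # empty set means any destination port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int = 0


def _in_net(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet."""
    return (
        rule.src_zone == zone_of(pkt.src_ip)
        and rule.dst_zone == zone_of(pkt.dst_ip)
        and _in_net(rule.src, pkt.src_ip)
        and _in_net(rule.dst, pkt.dst_ip)
        and rule.proto in ("any", pkt.proto)
        and (not rule.dports or pkt.dport in rule.dports)
    )


def decide(policy, pkt: Packet):
    """First-match evaluation with an implicit default deny."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "default-deny"


# Constructed policy.  Permitting outbound web traffic creates no inbound
# permission: the reverse direction needs its own rule (a real stateful
# firewall admits reply packets through its session table instead).
POLICY = [
    # The Internet may reach only the published web server in the DMZ.
    Rule("inet-to-web", "untrust", "dmz", "permit",
         dst="192.168.100.10/32", proto="tcp", dports=frozenset({80, 443})),
    # Outbound: block Windows file-sharing ports first, then allow web and DNS.
    # Order matters: the deny must precede any broader permit.
    Rule("block-smb-out", "trust", "untrust", "deny",
         proto="tcp", dports=frozenset({135, 139, 445})),
    Rule("web-out", "trust", "untrust", "permit",
         proto="tcp", dports=frozenset({80, 443})),
    Rule("dns-out", "trust", "untrust", "permit",
         proto="udp", dports=frozenset({53})),
    # Only the (assumed) management subnet may SSH into DMZ hosts.
    Rule("mgmt-ssh", "trust", "dmz", "permit",
         src="10.10.15.192/27", proto="tcp", dports=frozenset({22})),
]

# Constructed sample traffic: (description, packet).
SAMPLE = [
    ("student browses the web", Packet("10.10.12.50", "203.0.113.5", "tcp", 443)),
    ("unsolicited inbound to student PC", Packet("203.0.113.5", "10.10.12.50", "tcp", 443)),
    ("Internet user visits school website", Packet("203.0.113.5", "192.168.100.10", "tcp", 443)),
    ("Internet user tries SSH to web server", Packet("203.0.113.5", "192.168.100.10", "tcp", 22)),
    ("student tries SSH to web server", Packet("10.10.12.50", "192.168.100.10", "tcp", 22)),
    ("admin host SSH to web server", Packet("10.10.15.200", "192.168.100.10", "tcp", 22)),
    ("student SMB to the Internet", Packet("10.10.12.50", "203.0.113.5", "tcp", 445)),
]


def evaluate(policy=POLICY, samples=SAMPLE):
    """Return {description: (action, matching rule name)} for each sample packet."""
    return {desc: decide(policy, pkt) for desc, pkt in samples}


if __name__ == "__main__":
    for desc, (action, rule) in evaluate().items():
        print(f"{action:6} {rule:15} {desc}")
```

The two points worth noticing when running it are that the "unsolicited inbound" packet is dropped by the implicit default deny even though the same ports are permitted outbound, and that moving the `block-smb-out` rule below `web-out` would not change the SMB result here, but a deny placed after a broader permit covering the same ports would never be reached, so deny rules are kept ahead of permits.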

2.2 Network construction principles

(1) The principle of "overall planning, step-by-step implementation". Campus network construction needs an overall concept: start from the overall design, plan every detail, and fully consider the overall needs according to the school's current situation and actual applications. The requirements analysis is clarified first and the design is based on the school's actual application needs. Besides meeting current needs, the future growth in the number of application nodes, node additions and network upgrades should be considered, so that applications can be added without wasting existing resources, nodes are easy to add, upgrades and maintenance are simple, and construction and maintenance costs are low. During step-by-step implementation, the principle of working from the centre outwards to the branch points is followed, and each part of the local area network is implemented on the basis of the overall design, following the same principles as the overall plan.

(2) The principle of advancement. During planning and design, the technology must be advanced and forward-looking so that it remains competitive for the next several years or even a decade. The network technology adopted should keep a leading position or be in the direction of the technology's future development, so that it has room to grow; the campus network needs long-term consideration to avoid repeated investment.

(3) The principle of scalability. Campus network planning and design should establish a platform with complete integration and flexible networking, and should be flexible at every level. When selecting equipment, choose network equipment with good compatibility and scalability, and be fully prepared for future network upgrades or expansion.

(4) The principle of unity. Adhere to unified design, unified standards and unified implementation in network planning and design: unified design from the whole to the parts, unified standards in equipment selection, and unified implementation of each part during the implementation process.

(5) The principle of maturity. Whether software or hardware, the technical standards used by the network equipment must be mature, so that technical defects and defects in use are avoided and the network is mature and reliable.

(6) The principle of openness. Openness of equipment and technology should be considered in the campus design. The selected equipment should be compatible with different topologies and with the standards of different manufacturers, so that the equipment can be managed in a unified way.

2.3 Environmental analysis

As the various business applications on campus move onto the computer network, uninterrupted network communication has become the key to the school's normal operation. A modern enterprise-class network should be examined from three aspects of reliability design. First, device-level reliability: not only whether the network equipment has redundancy of key components, but also its overall architecture and the type of processing engine. Second, service-level reliability: whether the network equipment affects the normal operation of services during a failover. Third, link reliability: the resilience of an Ethernet link comes from having multiple paths, so when building the network one should consider whether the equipment provides effective link self-healing mechanisms and support for fast rerouting protocols.

The campus network contains a variety of network equipment and application environments, and the scalability of the equipment must allow for today's rapid growth in users. The network must remain open even with diverse devices and an increasing number of users. Therefore the 10 Gigabit backbone platform should have good compatibility and scalability, connect seamlessly with the current campus network, and leave enough reserved capacity to meet present and future needs and room for upgrades. With many users and many services on the campus network, the network system must be efficient and must keep effective processing capacity under high data volumes. Devices need to be able to process data in a distributed way on demand; such distributed processing saves the main switching engine, because data can be identified on a separate line card much faster than by a central processor. In large-scale data applications, all hardware devices must forward quickly during transmission, must have high backplane bandwidth (switching capacity), and all ports must guarantee line-rate forwarding. Distributed processing of this kind greatly improves overall processing capacity and keeps the network flowing smoothly.

2.4 Security analysis

In a campus network, security is very important. The information points of a campus network are widely distributed; compared with a general enterprise network, campus users are highly mobile, and information points are subject to random access and use. Students and unidentified external users can find any information point on the campus, plug in and enter the campus network, which may disrupt the normal operation of campus network platforms and application systems. In addition, the network security design must consider the security access control between the external network and the different application systems on the internal network. To be able to handle a security incident quickly and effectively after it happens, online auditing is needed. Since worms such as Blaster and Sasser are rampant, a robust network should provide the means to prevent the spread of specific viruses and the traffic congestion they cause.

2.5 Network construction goals

(1) The backbone of the campus network uses 10 Gigabit Ethernet, and all office and teaching areas are connected to the campus network, achieving full coverage. Computers scattered in different areas of the campus are interconnected into a unified network, with a 10 Gigabit core and 100 Mbps to the desktop.

(2) Build a digital campus that provides convenient and efficient information services and reliable communication for the teaching and management work of the school's departments, teaching units, party and mass organizations and administrative offices.

(3) Teaching and research services. The network is large in scale, has many users, a complex structure and diverse types of business. The construction therefore requires a network security system to protect public resources and the school's basic data resources.

(4) The selected network equipment must support standard protocols so that it can interconnect with existing and future networks, prepare for a smooth transition to next-generation networking, and keep the school at the forefront of teaching and application of future network technology.

(5) Considering network compatibility, network equipment from different manufacturers will appear in future expansions. To keep the network running smoothly, choose equipment with good compatibility.

3 Network logic design

3.1 Technology selection

3.1.1 LAN network technology selection

Ethernet has the characteristics of simple networking, cheap equipment, large bandwidth and high throughput, and is the most widely used LAN technology. Compared with other LAN technologies, Ethernet has the following advantages.

Simplicity: compared with FDDI and ATM, Ethernet is simple in technical principle, installation and construction, and management and maintenance. Adding, removing and moving network nodes is simple and flexible.

Reliability: Ethernet uses a star topology in which nodes connect to the network through access switches. The failure of a single node does not affect the operation of the network, and the failure of a data link affects only a small number of nodes rather than the whole network, so reliability is high.

Scalability: the school's existing network already uses Ethernet, so some of the current cabling and equipment can continue to be used. Upgrading from Fast Ethernet (100 Mbps) to Gigabit, or from Gigabit to 10 Gigabit, requires little more than replacing the network equipment, so upgrades are easy.

Economy: because Ethernet is so widely used, all network manufacturers produce Ethernet products, and compared with FDDI and ATM equipment the price advantage of Ethernet equipment is very obvious. All PCs and laptops ship with an Ethernet interface as standard, so the economics of Ethernet speak for themselves.

Manageability: compared with other LAN technologies, Ethernet is easier to understand and learn, and technicians are easier to train. In addition, there is plenty of Ethernet management software on the market, which makes management and maintenance convenient.

All in all, Ethernet provides an economical, simple, scalable and maintainable solution and is very cost-effective as a campus network technology.

At present, Fast Ethernet reaches a transmission rate of 100 Mbps, which fully meets users' access-speed requirements and can be used as the access layer solution. Gigabit Ethernet reaches 1000 Mbps, which meets the data rate requirements of the backbone and can be used as the aggregation layer solution. 10 Gigabit Ethernet is technically mature but not yet widely deployed for cost reasons; if network bandwidth becomes insufficient in the future, the campus network can be upgraded to 10 Gigabit Ethernet locally or globally by upgrading the network equipment.

3.1.2 Topology selection

The selected topology is shown in the eNSP topology diagram (figure not reproduced in the text).

3.2 Campus network level design

The campus network of Fumeng County Yucai Senior High School is built on the principle of an efficient and highly stable digital campus serving teaching, teachers and students. Equipment selection takes subsequent construction and development into account, so that duplicate investment is avoided and the equipment can support new access demand as the network grows. At the same time, the egress equipment must meet the school's Internet access requirements, and wireless coverage is used in specific areas of the school. The campus network adopts a three-layer architecture: access layer switches are responsible for user access, user data is aggregated by the building aggregation layer, and forwarded by the core layer.

3.2.1 Access layer design

The access layer provides user access and integrates switching, security and other functions. Gigabit switches are used in the access layer to meet performance requirements and to limit the impact of large-scale virus traffic. The access layer needs a large number of ports. There are two main ways to connect access switches together: stacking and cascading. Cascading uses ordinary twisted-pair cables between the cascade ports or ordinary ports of two switches to expand capacity; stacking uses dedicated stacking cables or stacking modules. The access layer uses the S5120 intelligent switch, which supports 100/1000 Mbps ports and a backplane bandwidth of 192 Gbps, meeting the access layer bandwidth requirements, and supports VLAN division and multiple authentication methods.

3.2.2 Core layer structure design

The main function of the core layer is to forward data packets from the aggregation layer at high speed. In the core layer design, high-speed switching stays in the core while routing is kept simple, and network control strategies such as data filtering and QoS processing are implemented in the aggregation and access layers. To guarantee the high-speed switching capability of the core, the complexity of the core layer and its switching delay should be reduced. The core layer is the main part of the network planning and design; the equipment chosen should have high reliability and stability to ensure high-speed forwarding. Therefore, taking future flexibility and scalability into account, 10 Gigabit core devices are used in the school's network.

The core layer routes packets from the aggregation layer and switches them at high speed. High-speed switching is the main task of the campus backbone, and its routing is relatively simple. To avoid complex routing configuration in the core, the core layer adopts a "strong switching, weak routing" architecture and pushes other tasks (such as packet filtering) down to the other layers. The core layer is the heart of the entire campus network of Fumeng County Yucai Senior High School and the basis of the school's work. Finally, the equipment in each area is connected to the core equipment, and downlink fibre connects the aggregation switches, forming a 10 Gigabit non-blocking high-speed forwarding backbone.

The core equipment uses the S7508E-X multi-layer, multi-plane switching architecture switch, which has good control capabilities to ensure stable and efficient operation. The core switch service module uses the LSQ1TGS8SC0 with eight 10 Gigabit SFP+ optical interfaces. The switching capacity of the whole machine is 3.84 Tbps, the IPv4 packet forwarding rate is 1920 Mpps, and there are 8 service slots. The core switches are installed in the network control centre with dual engines and dual power supplies, and the aggregation layer devices connect to the core layer with Gigabit/10 Gigabit links. The core layer equipment mainly completes data forwarding: IP addresses are configured on the core layer equipment, VLANs are divided, and each aggregation layer is connected separately.

3.2.3 Aggregation layer design

The key equipment inherited from above, while ensuring that it can reliably carry access to lower-layer high-level burst information services, must also meet the requirements of core high-bandwidth links to ensure the high quality and efficiency of network switching. Processing of each teaching application. Control of intelligent identification is also added to the aggregation layer, allowing administrators to understand and understand the current network.

The aggregation switches are S5800 series aggregation layer switches, which support 10 Gigabit uplink ports. The S5800 is a 10 Gigabit Ethernet switch using store-and-forward switching; its access ports run at 10/100/1000 Mbps, the packet forwarding rate is 156 Mpps and the switching capacity is 360 Gbps. It supports web management, SNMPv1/v2/v3 and the IEEE 802.3u standard; VLAN division by port, protocol, MAC address and IP subnet; and static routing, RIP, OSPFv2 and other routing protocols. The aggregation switch is the link between the tiers of the school's three-layer campus network: it provides the high bandwidth of the 10G uplinks while absorbing the bursty traffic from the access layer, ensuring reliability and availability.

3.3 Network IP address planning and design

3.3.1 Network IP address planning

Routers and the core, aggregation and access layer devices all need IP addresses, and a good address plan is the basis for the scalability and flexibility of the campus network. The current campus network plan uses private IPv4 addresses (the 192.168.x.0/24 networks of Table 3-1), with translation at the egress. Addresses are divided by campus area: the network is partitioned into areas by function or region, which makes the plan easier to implement, manage and extend. The size of each area's block depends on the number and type of computers in that area. Address allocation should follow the network topology while leaving room for change, and the address segments and ranges of each department should be assigned together with the department so that they are easy to manage and easy to troubleshoot during maintenance. Wireless network addresses follow the proximity principle, taking addresses from the area in which the access point is located.

3.3.2 Goals and principles of network IP address planning

The goals of IP address planning are: to make efficient use of the available IP address resources; to build efficient network routing; and to leave room for network growth.

The principles of IP address planning are:

  1. Simplicity: IP address allocation should be straightforward, avoiding complex masks on the main networks.
  2. Continuity: a network area is assigned a contiguous block of addresses so that its routes can be summarized and the routers' routing tables stay small and fast.
  3. Scalability: the block allocated to an area should have spare capacity so that addresses stay contiguous when the number of terminals grows.
  4. Manageability: the plan should be hierarchical, so that an address change in one area does not affect the whole network.
  5. Security: addresses should be planned into separate network segments according to function, so that access between segments can be controlled.

3.3.3 Network IP address design

For campus wired networks, network administrators often use VLANs to divide broadcast domains and differentiate user groups.

The IP address allocation and VLAN division of the school are shown in Table 3-1:

| VLAN number | Network address range         | Subnet mask   | Building                        |
|-------------|-------------------------------|---------------|---------------------------------|
| VLAN10      | 192.168.10.0~192.168.10.254   | 255.255.255.0 | Comprehensive teaching building |
| VLAN20      | 192.168.20.0~192.168.20.254   | 255.255.255.0 | Student Apartment 1             |
| VLAN30      | 192.168.30.0~192.168.30.254   | 255.255.255.0 | Student Apartment 2             |
| VLAN40      | 192.168.40.0~192.168.40.254   | 255.255.255.0 | Student Apartment 3             |
| VLAN50      | 192.168.50.0~192.168.50.254   | 255.255.255.0 | Student Apartment 4             |
| VLAN60      | 192.168.60.0~192.168.60.254   | 255.255.255.0 | Student Apartment 5             |
| VLAN70      | 192.168.70.0~192.168.70.254   | 255.255.255.0 | Student Apartment 6             |
| VLAN80      | 192.168.80.0~192.168.80.254   | 255.255.255.0 | Student Apartment 7             |
| VLAN90      | 192.168.90.0~192.168.90.254   | 255.255.255.0 | Teachers Apartment 1            |
| VLAN100     | 192.168.100.0~192.168.100.254 | 255.255.255.0 | Teachers Apartment 2            |
| VLAN110     | 192.168.110.0~192.168.110.254 | 255.255.255.0 | Teachers Apartment 3            |
| VLAN120     | 192.168.120.0~192.168.120.254 | 255.255.255.0 | Canteen                         |
| VLAN130     | 192.168.130.0~192.168.130.254 | 255.255.255.0 | Cultural and Sports Center      |
| VLAN140     | 192.168.140.0~192.168.140.254 | 255.255.255.0 | Library                         |
| VLAN150     | 192.168.150.0~192.168.150.254 | 255.255.255.0 | Art Building                    |
| VLAN160     | 192.168.160.0~192.168.160.254 | 255.255.255.0 | Server                          |

Table 3.1 School IP address allocation and VLAN division
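As an added example (not part of the original design document), the following Python script checks the VLAN plan of Table 3-1 against the principles of 3.3.2: overlap between subnets, the single summary route the plan allows, the VLAN-id-equals-third-octet convention the table follows, and whether each /24 leaves headroom for growth. The terminal counts per building are constructed figures, not numbers from the document.

```python
"""Check the VLAN plan of Table 3-1 against the planning principles of 3.3.2.

Added example, not part of the original design document. The VLAN-to-subnet
mapping is copied from Table 3-1; the terminal counts per building are
constructed figures used only to exercise the capacity check.
"""
import ipaddress
from typing import Dict, List, Tuple

# VLAN id -> (building, subnet), transcribed from Table 3-1.
PLAN: Dict[int, Tuple[str, str]] = {
    10: ("Comprehensive teaching building", "192.168.10.0/24"),
    20: ("Student Apartment 1", "192.168.20.0/24"),
    30: ("Student Apartment 2", "192.168.30.0/24"),
    40: ("Student Apartment 3", "192.168.40.0/24"),
    50: ("Student Apartment 4", "192.168.50.0/24"),
    60: ("Student Apartment 5", "192.168.60.0/24"),
    70: ("Student Apartment 6", "192.168.70.0/24"),
    80: ("Student Apartment 7", "192.168.80.0/24"),
    90: ("Teachers Apartment 1", "192.168.90.0/24"),
    100: ("Teachers Apartment 2", "192.168.100.0/24"),
    110: ("Teachers Apartment 3", "192.168.110.0/24"),
    120: ("Canteen", "192.168.120.0/24"),
    130: ("Cultural and Sports Center", "192.168.130.0/24"),
    140: ("Library", "192.168.140.0/24"),
    150: ("Art Building", "192.168.150.0/24"),
    160: ("Server", "192.168.160.0/24"),
}

# Constructed terminal counts per VLAN (assumption, not from the document).
EXPECTED_TERMINALS: Dict[int, int] = {
    10: 180, 20: 110, 30: 110, 40: 110, 50: 110, 60: 110, 70: 110, 80: 110,
    90: 60, 100: 60, 110: 60, 120: 20, 130: 40, 140: 80, 150: 50, 160: 30,
}


def overlapping_subnets(plan: Dict[int, Tuple[str, str]]) -> List[str]:
    """Simplicity/security: every VLAN must own a distinct subnet."""
    nets = sorted((ipaddress.ip_network(subnet), vid) for vid, (_, subnet) in plan.items())
    problems = []
    for (a, va), (b, vb) in zip(nets, nets[1:]):
        if a.overlaps(b):
            problems.append(f"VLAN{va} {a} overlaps VLAN{vb} {b}")
    return problems


def summary_route(plan: Dict[int, Tuple[str, str]]) -> ipaddress.IPv4Network:
    """Continuity: the shortest single prefix covering every VLAN subnet, i.e.
    the one route the core or egress could advertise instead of one per VLAN."""
    nets = [ipaddress.ip_network(subnet) for _, subnet in plan.values()]
    lowest = min(n.network_address for n in nets)
    highest = max(n.broadcast_address for n in nets)
    net = ipaddress.ip_network(str(lowest))   # start from a /32 ...
    while highest not in net:                 # ... and widen it until it covers the top address
        net = net.supernet()
    return net


def vlan_id_mismatches(plan: Dict[int, Tuple[str, str]]) -> List[int]:
    """Manageability: the table's convention is that the third octet equals the
    VLAN id (VLAN10 -> 192.168.10.0/24); report the VLANs that break it."""
    return [vid for vid, (_, subnet) in plan.items()
            if ipaddress.ip_network(subnet).network_address.packed[2] != vid]


def capacity_check(plan: Dict[int, Tuple[str, str]], expected: Dict[int, int],
                   growth: float = 2.0, reserved: int = 3) -> Dict[int, bool]:
    """Scalability: each subnet must still fit `growth` times today's terminals
    after `reserved` host addresses are kept for the gateway and core switches."""
    result = {}
    for vid, (_, subnet) in plan.items():
        usable = ipaddress.ip_network(subnet).num_addresses - 2 - reserved
        result[vid] = usable >= expected[vid] * growth
    return result


def report(plan=PLAN, expected=EXPECTED_TERMINALS) -> Dict[str, object]:
    return {
        "overlaps": overlapping_subnets(plan),
        "summary_route": str(summary_route(plan)),
        "vlan_id_mismatch": vlan_id_mismatches(plan),
        "undersized": sorted(v for v, ok in capacity_check(plan, expected).items() if not ok),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run as a script it prints the four results. On Table 3-1 the plan is overlap-free and follows the naming convention, but the only prefix that summarizes sixteen /24s spread from 192.168.10.0 to 192.168.160.0 is 192.168.0.0/16, and at the assumed 180 terminals the teaching building's /24 cannot double. Both findings are the trade-off between principle 2 (continuity) and principle 4 (manageability): mnemonic VLAN numbers spread the blocks out, so either a coarse summary is accepted or the building blocks are planned contiguously from the start.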

4 Network physical design

4.1 Goals and principles of network physical design

In the physical design stage, the hardware selected must meet the performance requirements of the logical design, and scalability, redundancy, stability, availability and ease of operation must also be considered. When planning the cable routes, growth over the next 20 years should be taken into account so that the network can adapt to development in the coming period. Anything that is uncertain should be settled by a full on-site survey.

4.2 Equipment selection

4.2.1 Core switch selection

Core layer switches are chosen mainly for switching capacity and reliability, so a product with no single point of failure should be selected.

After comprehensive consideration, the Huawei Quidway S9306 was selected as the core switch of the campus network of Yucai Middle School in Fumeng County. The Quidway S9306 uses a modular design with 6 service slots, a backplane bandwidth of 6 Tbps and a packet forwarding rate of 1152 Mpps, and a single chassis supports up to 240 10 Gigabit ports, which leaves room to upgrade the core of the campus network to 10G in the future. Quidway S9300 series switches offer carrier-grade reliability: key components such as the main control boards and power supplies are redundant and all components are hot-swappable, so service interruptions are reduced and lossless upgrades are possible. The series also provides complete operation and maintenance detection and performance management, collecting statistics on transmission delay, jitter and other parameters so that traffic can be monitored in real time and faults located quickly. In addition, the S9306 supports wireless controller (AC) cards: when wireless access points (APs) come online the AC selects their channels and transmit power automatically and adjusts them when interference occurs, wireless clients switch quickly when roaming between APs, and the AC supports one-to-one and one-to-many cold standby and load balancing to improve reliability. The Huawei Quidway S9306 switch is shown in Figure 4.2.1.

Figure 4.2.1 Huawei Quidway S9306 switch

4.2.2 Aggregation layer switch selection

Aggregation switches aggregate and forward the traffic of the access switches. Besides backplane bandwidth, their interface types must match the uplink interfaces of the access switches, and they must support link aggregation, inter-VLAN routing and the corresponding security policies.

Yucai Middle School in Fumeng County chose the Huawei Quidway S5700-28C-EI-24S, a layer 3 switch, as its aggregation switch. In terms of interfaces, this model provides 24 100/1000Base-X ports and 4 10/100/1000Base-T Gigabit combo ports, which meets the need to terminate multiple fiber uplinks from the access switches. In terms of VLAN support, it offers the default VLAN, voice VLAN, MAC address-based VLAN assignment, VLAN assignment by subnet, policy and port, and one-to-one and one-to-many VLAN mapping, which covers the VLAN aggregation and routing needs of the access switches. In network management it supports stacking, remote login configuration, SNMP, cluster management and control of the packet rate received and sent on each port. In security management it supports user role management and password protection, protection against denial-of-service, ARP and ICMP attacks, IP address/MAC address/port/VLAN combination binding, port isolation, 802.1X and limiting the number of users on a single port, which fully meets the connection and management requirements of the aggregation layer of Fumeng County Yucai High School.

The Huawei Quidway S5700-28C-EI switch is shown in Figure 4.2.2.

Figure 4.2.2 Huawei Quidway S5700-28C-EI switch

4.2.3 Access switch selection

Access layer switches are chosen mainly for cost and should provide high port density and scalability. They should also provide simple network management functions (for example VLAN assignment, MAC binding and flow control).

Taking a variety of factors into account, the Huawei Quidway S2700-EI (AC) switch was selected as the access switch for Yucai High School in Fumeng County. The switch provides 24 10/100Base-TX ports and 2 Gigabit combo ports, is stackable, has a backplane bandwidth of 3 Gbps and a packet forwarding rate of 6.6 Mpps, and supports port-based and MAC address-based VLAN division, IP/MAC/port/VLAN combination binding, port and flow rate limiting, port aggregation, Telnet and SSH management (SSH should be used in practice, since Telnet sends credentials in clear text), RADIUS authentication, network access control (NAC) and a limit on the number of users per port.

The Huawei Quidway S2700-EI switch is shown in Figure 4.2.3.

Figure 4.2.3 Huawei Quidway S2700-EI switch

4.2.4 Firewall selection

The firewall sits at the campus network egress and controls both the internal network's access to the outside and external access to campus resources. Its position determines its importance. Firewall selection should consider reliability, throughput, number of concurrent connections, number of new connections per second, access control functions, stateful (flow-based) inspection, application monitoring and attack prevention.

Taking various factors into consideration, the campus network firewall of Fumeng County Yucai High School is the Huawei USG5150, a 3U rack-mounted device with a modular design. The standard configuration has 4 GE combo ports, 4 MIC expansion slots, 2 FIC expansion slots and one DFIC expansion slot, so it can adapt flexibly to changes in the network structure. With multi-core processors and multi-threaded parallel processing, its throughput reaches 4 Gbps, it holds up to 2 million concurrent connections and sets up 40,000 new connections per second, which keeps latency low. It supports various forms of VPN access for remote users. The USG5150 also integrates Symantec IPS and anti-virus technology, which scans packets efficiently and accurately and detects viruses hidden in traffic; application awareness gives fine-grained control of traffic so that core services keep their bandwidth; and URL filtering, search-engine keyword filtering and page keyword filtering regulate intranet users' Internet behaviour. Together these meet the traffic management and protection requirements of the campus network.

Figure 4.2.4 shows the appearance of the Huawei USG5150 firewall.

Figure 4.2.4 Huawei USG5150 firewall

4.3 Network comprehensive wiring design

4.3.1 Design principles of integrated wiring

The laying of network cabling determines whether the network operates normally. It must comply with the relevant industry standards and be standardized and scalable so that the campus network runs reliably. The integrated wiring of Yucai High School in Fumeng County is divided into the work area subsystem, the horizontal subsystem, the vertical (backbone) subsystem, the management subsystem and the building (campus) subsystem.

4.3.2 Workspace subsystem

The work area subsystem consists of the information outlet and the patch cord from the user terminal to the outlet; it includes the data module, the faceplate, the network interface card and the patch cord. The information outlet is installed on the wall or floor of the area being served, and both the telephone line and the network cable are brought out through it. Depending on the number of information points in an area, 1-, 2- or 4-port faceplates are used, and the faceplates should have dust covers. All information modules are Category 6 modules compatible with Gigabit Ethernet, wired in the TIA/EIA 568B sequence. Each outlet can connect computers and office equipment such as telephones, fax machines and printers. Each port of an outlet should carry a clear, easily replaced label giving the port number to ease maintenance, with the label colour distinguishing voice ports from data ports. Outlets in the work area are installed on the wall or at the workstation with the lower edge of the faceplate 30 cm above the floor, and a 220 V power socket should be nearby for the terminal equipment. To avoid strong electromagnetic interference, the distance between the information outlet and the power socket should be no less than 20 cm, as required by ISO/IEC 11801.

4.3.3 Horizontal trunk subsystem

The horizontal subsystem consists of the cabling from the floor wiring closet to the work area subsystem. Horizontal cabling is extensive, is not easily upgraded or replaced and is effectively permanent, so spare capacity and future growth must be considered. The design also takes into account short- and long-term equipment access needs, the number and location of information points on each floor and in each room, possible moves of information points and predicted changes. The wiring closet should be located as near the centre of the floor as possible, which saves cable and gives better transmission. On floors with few information points or in buildings with a small span, a wiring closet is not needed on every floor; one closet may serve two or three floors, but each building needs at least one. In certain areas (student dormitory corridors, teaching buildings, office building corridors, playgrounds and other open outdoor spaces) the cabling for wireless access points is terminated in the floor wiring closet and patched to the wireless devices through the patch panel. The permanent link of twisted-pair cable in the horizontal subsystem must not exceed 90 m, with at most 10 m in total for the work area patch cord and the equipment cord from the patch panel to the switch, so that the whole channel stays within 100 m. In the campus network of Yucai High School in Fumeng County the horizontal subsystem is run in PVC cable trays and trunking, with the trays installed above the corridor ceilings.

4.3.4 Vertical trunk subsystem

The vertical subsystem connects the building's main wiring closet with each floor wiring closet. From the main closet to each floor closet, 6-core indoor multimode optical fiber carries the data links from the access switches to the aggregation switch. The pair count of the large-pair copper cable is set by the number of voice points served by each floor closet, with an appropriate margin. Vertical subsystem cables run in the weak-current riser shaft. To reduce electromagnetic interference and keep the cables from loosening, the trough should be a covered metal trough and the cables should be tied to a support wire. The trough fill ratio should be kept within 50% to allow for future expansion.

4.3.5 Building subsystem

The building (campus) subsystem is the cabling between the computer room and the buildings of the network. Depending on the terrain it can use aerial cable, directly buried cable or cable in underground conduit. Aerial construction is cheap but gives no mechanical protection and affects the appearance of the buildings, so it is not recommended for extensive use. Conduit gives the best mechanical protection and makes laying and extending cable comparatively easy, but if no conduit exists the installation cost is high. Liaoning University of Technology can connect any two buildings through the heating-pipe tunnels on campus, so the outdoor optical cables between buildings can be laid along them. Given the considerable cost of trenching for conduit, the cables were laid along the existing pipe runs and secured in place.

4.3.6 Management room subsystem

The management subsystem is located in the floor wiring closets, in the main wiring closet and in the cabinets of the computer room. Voice information point cables are terminated on Category 6 RJ45 modules mounted on the information point patch panel; the voice patch panel is cross-connected by patch cords to the extension patch panel, which is connected through a 110 patch panel to the large-pair cable. Data information point cables are likewise terminated on Category 6 RJ45 modules on the information point patch panel. The data patch panel is connected by patch cords to the access switch, and the access switch connects to the aggregation switch through the fiber uplink; the fiber is spliced at the fiber distribution frame and then connected by fiber patch cords to the switch's uplink port. All cables are terminated on the corresponding modules and mounted on the corresponding patch panels. Data patch panels and fiber distribution frames are installed in cabinets, which must leave enough space for the network equipment.

5 Network Security Design

5.1 Goals and principles of network security design

Network security is the process of protecting the network against external and internal threats. The goals of the network security design are: to identify the equipment and data resources and ensure their integrity; to perform a threat assessment of the whole network so that the confidentiality, integrity and availability of data are guaranteed; and to assess network risk in terms of the confidentiality, integrity and availability of data.

Principles of network security design:

(1) Wooden bucket principle

The wooden bucket principle means protecting information uniformly and comprehensively. Just as the capacity of a bucket is determined by its shortest stave, an attacker will inevitably attack the weakest part of the system. Therefore a comprehensive and complete analysis, evaluation and detection of the system's security vulnerabilities and threats is a necessary condition for network security design.

(2) Principle of completeness

When the network is attacked or damaged, the campus network must restore the services of the network information centre as soon as possible to reduce losses. The network should therefore include security protection mechanisms, security monitoring mechanisms and security recovery mechanisms together.

(3) Safety evaluation and balance principle

For any network, absolute security is difficult to achieve and unnecessary, so a reasonable and practical system for assessing and balancing security against user needs is required. The design of a security system must correctly handle the relationship between requirements, risk and cost, and integrate security with availability. Whether information is adequately protected can only be judged against the system's user needs and its specific application environment, which depend on the size and scope of the system, its nature and the importance of the information.

(4) Principles of standardization and consistency

Building a campus network is a relatively complex project. Its security design must follow a set of standards to ensure consistency across subsystems, so that the whole system can interconnect securely and share information.

(5) Principles of overall planning and step-by-step implementation

Because of many influencing factors, network security protection cannot be achieved in one step. A basic security system must first be established under a more comprehensive security plan based on the actual needs of the network, to ensure basic and necessary security. As the network grows in size and number of applications, and as applications and their complexity change, its vulnerability will keep increasing, so the security protection must be adjusted and strengthened over time to keep meeting the basic security requirements of the whole network.

5.2 Prevention of basic network attacks

A network faces many viruses and attacks that can cause unpredictable losses, so these potential dangers must be guarded against.

(1) Prevention of common network viruses

For known, highly damaging network viruses (worms), extended ACLs can be deployed to block the TCP and UDP ports these viruses use. If a user is accidentally infected, the virus cannot spread to other users on the network, which also preserves campus bandwidth.

(2) Prevention of unknown network viruses  

For unrecognized network viruses, bandwidth control based on traffic type can be deployed, assigning different bandwidth to different applications so that the more critical applications always have enough. A virus outbreak then cannot disrupt the major applications, which keeps the network available.

(3) Prevention of IP address theft and ARP attacks

Each ARP packet is inspected in depth: the switch checks whether the source IP address and MAC address in the ARP packet match the binding configured for the port. If they do not, the packet is treated as spoofed and dropped, so the forged mapping never enters the network. This effectively prevents ARP spoofing on secured ports and stops an unauthorized information point from impersonating the IP address of a key network device and disrupting communication.

(4) Prevent attacks initiated by fake IP and MAC

IP/MAC/port binding and IP+MAC binding can be configured, and the port's source checking function traces the source IP and MAC of malicious users. This effectively prevents attacks that spoof the source IP or MAC address, further enhancing network security.

(5) Shield DOS attacks and scanning attacks

Anti-DoS and anti-scanning functions can be enabled on the campus network, which effectively mitigates such attacks, saves bandwidth and avoids the interruptions these attacks cause on network devices and servers.
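The two checks described in (3) and (4), written out as an added example that is not from the document or from Huawei's software: a binding table of IP/MAC/port entries (what DHCP snooping builds), an ARP inspection step and an IP source check applied to constructed frames, including a host that announces the gateway address 192.168.10.1 (the VLAN10 gateway from Appendix C) from an access port. Port names, MAC addresses and bindings are constructed.

```python
"""Binding-table checks described in 5.2 (3) and (4): dynamic ARP inspection
and IP source checking of frames arriving on access ports.

Added example, not from the original document or from Huawei. The binding
table, port names, MAC addresses and frames are constructed; the gateway
address 192.168.10.1 is the VLAN10 gateway from Appendix C.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

GATEWAY_IP = "192.168.10.1"

# port -> (ip, mac): the binding DHCP snooping (or a static entry) created for
# the host on each access port. Constructed sample table.
BINDINGS: Dict[str, Tuple[str, str]] = {
    "GE0/0/1": ("192.168.10.21", "00:11:22:33:44:01"),
    "GE0/0/2": ("192.168.10.22", "00:11:22:33:44:02"),
}
# The uplink to the aggregation switch is trusted: the real gateway's ARP
# replies arrive there and there is no per-host binding for it.
TRUSTED_PORTS: Set[str] = {"GE0/0/24"}


@dataclass(frozen=True)
class Frame:
    port: str        # ingress port
    src_mac: str     # Ethernet source address
    kind: str        # "arp" or "ip"
    ip: str          # ARP sender protocol address, or the IP source address
    sender_mac: str  # ARP sender hardware address (ignored for "ip" frames)


def arp_inspection(frame: Frame, bindings: Dict[str, Tuple[str, str]],
                   trusted: Set[str]) -> Tuple[bool, str]:
    """5.2 (3): an ARP packet on an access port is forwarded only if its sender
    IP/MAC pair equals the port's binding and the ARP sender MAC equals the
    Ethernet source MAC. A host announcing the gateway's address from an
    access port therefore never gets its forged mapping into the network."""
    if frame.port in trusted:
        return True, f"{frame.port}: trusted port, ARP not inspected"
    if frame.sender_mac != frame.src_mac:
        return False, f"{frame.port}: ARP sender MAC differs from Ethernet source, dropped"
    binding = bindings.get(frame.port)
    if binding is None:
        return False, f"{frame.port}: no binding for this port, ARP dropped"
    if (frame.ip, frame.sender_mac) != binding:
        return False, (f"{frame.port}: ARP {frame.ip}/{frame.sender_mac} does not match "
                       f"binding {binding[0]}/{binding[1]}, dropped")
    return True, f"{frame.port}: ARP matches binding"


def ip_source_check(frame: Frame, bindings: Dict[str, Tuple[str, str]],
                    trusted: Set[str]) -> Tuple[bool, str]:
    """5.2 (4): an IP packet on an access port is forwarded only if its source
    IP and source MAC equal the port's binding."""
    if frame.port in trusted:
        return True, f"{frame.port}: trusted port, IP source not checked"
    binding = bindings.get(frame.port)
    if binding is None or (frame.ip, frame.src_mac) != binding:
        return False, f"{frame.port}: IP source {frame.ip}/{frame.src_mac} not bound to port, dropped"
    return True, f"{frame.port}: IP source matches binding"


def filter_frames(frames: List[Frame], bindings=BINDINGS, trusted=TRUSTED_PORTS) -> List[Tuple[bool, str]]:
    """Apply the check matching each frame's type; return (forwarded, reason) per frame."""
    out = []
    for f in frames:
        check = arp_inspection if f.kind == "arp" else ip_source_check
        out.append(check(f, bindings, trusted))
    return out


# Constructed traffic sample: frame 2 is the gateway impersonation of 5.2 (3),
# frames 3 and 4 are the spoofed sources of 5.2 (4), frame 5 carries an ARP
# sender MAC that differs from the Ethernet source, frame 6 is the real
# gateway's ARP arriving on the trusted uplink.
SAMPLE_FRAMES: List[Frame] = [
    Frame("GE0/0/1", "00:11:22:33:44:01", "arp", "192.168.10.21", "00:11:22:33:44:01"),
    Frame("GE0/0/2", "00:11:22:33:44:02", "arp", GATEWAY_IP, "00:11:22:33:44:02"),
    Frame("GE0/0/1", "00:11:22:33:44:01", "ip", "192.168.10.22", "00:11:22:33:44:01"),
    Frame("GE0/0/3", "00:11:22:33:44:03", "ip", "192.168.10.23", "00:11:22:33:44:03"),
    Frame("GE0/0/1", "00:11:22:33:44:01", "arp", "192.168.10.21", "00:11:22:33:44:99"),
    Frame("GE0/0/24", "00:aa:bb:cc:dd:01", "arp", GATEWAY_IP, "00:aa:bb:cc:dd:01"),
]

if __name__ == "__main__":
    for forwarded, reason in filter_frames(SAMPLE_FRAMES):
        print("forward" if forwarded else "drop   ", reason)
```

The uplink is trusted because per-host bindings exist only for access ports; without that exception the real gateway's ARP replies would be dropped and the whole VLAN would lose its gateway. On the S5700/S2700 access switches chosen in chapter 4 the same behaviour comes from DHCP snooping (`dhcp snooping enable`, with `dhcp snooping trusted` on the uplink) combined with `arp anti-attack check user-bind enable` and `ip source check user-bind enable` on the access ports, which validate against the binding table the snooping builds.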

5.3 Firewall design

(1) Configure the interfaces and place the firewall at the egress: one side connects to the core switch and the other to the external network, so the firewall monitors the external network and protects the internal one.

[FW]interface loopback 0
[FW-LoopBack0]ip address 1.1.1.1 32 //Loopback address, typically used as the OSPF router ID
[FW-LoopBack0]quit
[FW]interface GigabitEthernet1/0/0
[FW-GigabitEthernet1/0/0]ip address 202.1.1.1 24 //Address of the interface facing ISP1 (external network)

(2) Add the interface facing the internal network to the trust zone, and the interface facing the external network to the untrust zone.

[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet0/0/0 //Interface facing the core switch (intranet) joins the trust zone
[FW-zone-trust]quit
[FW]firewall zone untrust
[FW-zone-untrust]add interface GigabitEthernet1/0/0 //Interface facing ISP1 joins the untrust zone
[FW-zone-untrust]quit

(3) Configure security policies so that internal users can access the external network and external users can reach the HTTP and DNS services in the server VLAN, and nothing else. Traffic that matches no rule is dropped by the firewall's default policy.

[FW]security-policy
[FW-policy-security]rule name trust_to_untrust //Allow internal network users to access the external network
[FW-policy-security-rule-trust_to_untrust]source-zone trust
[FW-policy-security-rule-trust_to_untrust]destination-zone untrust
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.10.0 24 //User VLANs from Table 3-1 (VLAN10 to VLAN150); the server VLAN is deliberately not listed
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.20.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.30.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.40.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.50.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.60.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.70.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.80.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.90.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.100.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.110.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.120.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.130.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.140.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.150.0 24
[FW-policy-security-rule-trust_to_untrust]action permit
[FW-policy-security-rule-trust_to_untrust]quit
[FW-policy-security]rule name untrust_to_trust //Allow external users to reach only the published services in the server VLAN
[FW-policy-security-rule-untrust_to_trust]source-zone untrust
[FW-policy-security-rule-untrust_to_trust]destination-zone trust
[FW-policy-security-rule-untrust_to_trust]destination-address 192.168.160.0 24 //Server VLAN160 from Table 3-1, where the HTTP and DNS servers are located
[FW-policy-security-rule-untrust_to_trust]service http //Without a service restriction every service on every server would be exposed
[FW-policy-security-rule-untrust_to_trust]service dns //The DNS server also answers external queries (section 6.5)
[FW-policy-security-rule-untrust_to_trust]action permit
[FW-policy-security-rule-untrust_to_trust]quit
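To see what a policy in this form actually permits, here is an added example (not from the document and not Huawei code) that parses rule text written the way this section shows it and evaluates constructed flows against it. It models only the semantics the design relies on: rules are tried top-down, a rule matches when zone pair, source address, destination address and service all match (an unset field means any), and a flow matching no rule falls to the default deny. The embedded policy uses two of the user subnets from Table 3-1 as sources and the server VLAN 192.168.160.0/24 as destination; the flow addresses are constructed.

```python
"""Parse a USG-style security policy as written in 5.3 and evaluate flows.

Added example, not from the original document or from Huawei. Only the rule
semantics the design depends on are modelled: top-down matching on zone pair,
source address, destination address and service, unset fields meaning "any",
and a default deny for flows no rule matches. The embedded policy text uses
two user subnets from Table 3-1 and the server VLAN; flows are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

POLICY_TEXT = """
[FW]security-policy
[FW-policy-security]rule name trust_to_untrust //internal users to the Internet
[FW-policy-security-rule-trust_to_untrust]source-zone trust
[FW-policy-security-rule-trust_to_untrust]destination-zone untrust
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.10.0 24
[FW-policy-security-rule-trust_to_untrust]source-address 192.168.20.0 24
[FW-policy-security-rule-trust_to_untrust]action permit
[FW-policy-security]rule name untrust_to_trust //Internet to the HTTP server only
[FW-policy-security-rule-untrust_to_trust]source-zone untrust
[FW-policy-security-rule-untrust_to_trust]destination-zone trust
[FW-policy-security-rule-untrust_to_trust]destination-address 192.168.160.0 24
[FW-policy-security-rule-untrust_to_trust]service http
[FW-policy-security-rule-untrust_to_trust]action permit
"""


@dataclass
class Rule:
    name: str
    src_zone: Optional[str] = None            # None means any zone
    dst_zone: Optional[str] = None
    src_addrs: List[ipaddress.IPv4Network] = field(default_factory=list)   # empty means any
    dst_addrs: List[ipaddress.IPv4Network] = field(default_factory=list)
    services: List[str] = field(default_factory=list)
    action: str = "deny"


def parse_policy(text: str) -> List[Rule]:
    """Turn the CLI transcript into Rule objects; prompts and // comments are stripped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if line.startswith("["):                      # drop the "[FW-...]" prompt
            line = line.split("]", 1)[1].strip()
        if not line:
            continue
        words = line.split()
        if words[:2] == ["rule", "name"]:
            rules.append(Rule(name=words[2]))
            continue
        if not rules:                                 # the "security-policy" line itself
            continue
        rule = rules[-1]
        if words[0] == "source-zone":
            rule.src_zone = words[1]
        elif words[0] == "destination-zone":
            rule.dst_zone = words[1]
        elif words[0] in ("source-address", "destination-address"):
            net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
            (rule.src_addrs if words[0] == "source-address" else rule.dst_addrs).append(net)
        elif words[0] == "service":
            rule.services.extend(words[1:])
        elif words[0] == "action":
            rule.action = words[1]
    return rules


def _addr_match(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    return not nets or any(ipaddress.ip_address(ip) in n for n in nets)


def evaluate(rules: List[Rule], src_zone: str, src_ip: str,
             dst_zone: str, dst_ip: str, service: str) -> Tuple[str, str]:
    """First matching rule wins; (deny, default) when nothing matches."""
    for r in rules:
        if r.src_zone not in (None, src_zone) or r.dst_zone not in (None, dst_zone):
            continue
        if not _addr_match(src_ip, r.src_addrs) or not _addr_match(dst_ip, r.dst_addrs):
            continue
        if r.services and service not in r.services:
            continue
        return r.action, r.name
    return "deny", "default"


RULES = parse_policy(POLICY_TEXT)

# Constructed flows: (src_zone, src_ip, dst_zone, dst_ip, service)
SAMPLE_FLOWS = [
    ("trust", "192.168.10.50", "untrust", "203.0.113.10", "http"),   # listed user VLAN to the Internet
    ("trust", "192.168.30.50", "untrust", "203.0.113.10", "http"),   # VLAN30 is not listed in the rule
    ("untrust", "198.51.100.7", "trust", "192.168.160.80", "http"),  # Internet to the HTTP server
    ("untrust", "198.51.100.7", "trust", "192.168.160.80", "ssh"),   # same server, unpublished service
    ("untrust", "198.51.100.7", "trust", "192.168.10.50", "http"),   # Internet to a user VLAN
]


def decisions(flows=SAMPLE_FLOWS, rules=RULES) -> List[str]:
    return [f"{action} ({name})" for action, name in (evaluate(rules, *f) for f in flows)]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, decisions()):
        print(flow, "->", verdict)
```

The second flow shows what happens to any user VLAN that is not listed under `source-address`: it silently hits the default deny, so every subnet of Table 3-1 that needs Internet access must appear in the rule (or be covered by a summary address). The fourth flow shows why the `service` line matters: without it the permit for the server VLAN would expose every service on every server. Publishing the HTTP server additionally needs a NAT server mapping from a public address to the server; on the USG the security policy is matched against the server's private address, which is why the rule is written with 192.168.160.0/24 rather than the public address.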

6 Network simulation test

6.1 Simulation test topology diagram

The simulation test was built with the Huawei eNSP simulator. The egress boundary is a firewall, below which two core switches run VRRP for gateway redundancy and provide dual DHCP redundancy. A bypass server area hangs off the core and contains the HTTP server and the DNS server, which resolves the external domain name; the aggregation switches are cross-connected to both core switches for link redundancy. Access switches are allocated per floor, and the VLAN assignment of the terminals is performed on the access switches.

Figure 6-1 Simulation test topology diagram

6.2 Inter-VLAN communication test

VLAN division simplifies network management and isolates broadcast domains. Different VLANs cannot communicate by default; if they need to, traffic must be forwarded through the gateway. The figure below shows the communication test between different VLANs.

Figure 6-2 Communication test between VLANs

6.3 DHCP test

DHCP assigns IP addresses to terminals automatically, making full use of the address space and avoiding waste.

Figure 6.2 DHCP configuration test

6.4 OSPF test

OSPF builds a link-state database by advertising the state of the interfaces between routers and computes a shortest-path tree; each OSPF router builds its routing table from these shortest paths. In this campus network the egress firewall and the core switches form the backbone area, and each aggregation switch together with the terminals below it is placed in Area 1, which is configured as an NSSA so that external LSAs from the egress are not flooded into it and the LSA load between areas is reduced.

As shown in the figure below, the egress firewall and core switches are in the backbone area.

Figure 6-3 Firewall OSPF adjacency status

The OSPF routes learned on the firewall are shown in the figure below.

Figure 6-4 Firewall routing table

6.5 HTTP service and DNS test

The server runs the HTTP service and DNS domain name resolution; both the intranet and the external network can reach the HTTP server through its domain name.

The figure below shows the intranet accessing the HTTP service by domain name in a browser:

Figure 6-5 Accessing the HTTP server through the domain name from the intranet

The figure below shows the public network resolving the domain name through the DNS server to access the HTTP server:

Figure 6-6 The public network accesses the intranet HTTP server through DNS domain name resolution

6.6 VRRP status and switching

VRRP lets two devices jointly maintain one virtual gateway whose address belongs to no physical interface. When the master fails, the backup immediately takes over gateway forwarding from it.

Figure 6-7 VRRP status

6.7 LAN to Internet connectivity test

The intranet reaches the public network through the source NAT policy on the border firewall. When traffic from an intranet terminal reaches the firewall, the source address is translated to the firewall's outbound interface address; when the reply returns, the destination address is translated back to the terminal's address.

Figure 6-8 Accessing the public network from the intranet

6.8 Summary

This article analyses campus networks and the issues involved, and then plans the campus network of Yucai Senior High School in Fumeng County in detail: hierarchically it is divided into core, aggregation and access layers, and technically into routing, switching and the network border. Starting from these two directions, the technologies involved in the school's campus network are analysed, the design, planning and equipment selection are carried out for the three layers of the network, and finally the deployment is done. After deployment, the network was simulated with simulation software and the first set of test data was obtained, showing that the designed campus network provides basic stability. The next step is to meet the school's security, performance and scalability requirements through the overall design. Although the network designed here meets the school's current needs, with the development of technology, changes in the school's requirements, advances in attack techniques and other factors, attention must always be paid to adapting the network for future growth. Further application systems will then be built on the campus network; in particular, cloud platform technology will be used widely, and on the basis of the completed campus network a cloud platform for the campus data centre can be planned to better schedule and integrate campus resources.
This construction requires a huge amount of work and is needed to realize a smart campus.

Appendix C Configuration Code

  1. Core switch code

Gateway address and VRRP configuration:

[HX-SW-1]dhcp enable //DHCP must be enabled globally before "dhcp select global" on the Vlanif interfaces takes effect
[HX-SW-1]interface Vlanif 10
[HX-SW-1-Vlanif10]ip address 192.168.10.2 255.255.255.0 //Real address of this core switch; terminals use the virtual address below
[HX-SW-1-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1 //Virtual gateway address of VLAN10 (Table 3-1)
[HX-SW-1-Vlanif10]vrrp vrid 1 priority 150 //Above the default 100, so HX-SW-1 is the master for this VLAN
[HX-SW-1-Vlanif10]vrrp vrid 1 preempt-mode timer delay 20 //Wait 20 s before taking the master role back, so routing has converged first
[HX-SW-1-Vlanif10]dhcp select global //Lease from the local "ip pool 10"; "dhcp select relay" is the alternative when the pool lives on a DHCP server and must not be combined with it on the same interface
#
[HX-SW-1]interface Vlanif 20
[HX-SW-1-Vlanif20]ip address 192.168.20.2 255.255.255.0
[HX-SW-1-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1
[HX-SW-1-Vlanif20]vrrp vrid 2 priority 150
[HX-SW-1-Vlanif20]vrrp vrid 2 preempt-mode timer delay 20
[HX-SW-1-Vlanif20]dhcp select global
#
[HX-SW-1]interface Vlanif 30
[HX-SW-1-Vlanif30]ip address 192.168.30.2 255.255.255.0
[HX-SW-1-Vlanif30]vrrp vrid 3 virtual-ip 192.168.30.1
[HX-SW-1-Vlanif30]vrrp vrid 3 priority 150
[HX-SW-1-Vlanif30]vrrp vrid 3 preempt-mode timer delay 20
[HX-SW-1-Vlanif30]dhcp select global
#
[HX-SW-1]interface Vlanif 40
[HX-SW-1-Vlanif40]ip address 192.168.40.2 255.255.255.0
[HX-SW-1-Vlanif40]vrrp vrid 4 virtual-ip 192.168.40.1
[HX-SW-1-Vlanif40]vrrp vrid 4 priority 150
[HX-SW-1-Vlanif40]vrrp vrid 4 preempt-mode timer delay 20
[HX-SW-1-Vlanif40]dhcp select global
#
[HX-SW-1]interface Vlanif 50
[HX-SW-1-Vlanif50]ip address 192.168.50.2 255.255.255.0
[HX-SW-1-Vlanif50]vrrp vrid 5 virtual-ip 192.168.50.1
[HX-SW-1-Vlanif50]vrrp vrid 5 priority 150
[HX-SW-1-Vlanif50]vrrp vrid 5 preempt-mode timer delay 20
[HX-SW-1-Vlanif50]dhcp select global

DHCP configuration (pools for VLAN 40 and VLAN 50 are not listed in this excerpt although their VLANIFs use dhcp select global; they must exist or those VLANs receive no addresses). The excluded range in each pool leaves 192.168.x.2 to 192.168.x.99 leasable, which includes the physical address of this switch and of its VRRP peer; VRP never leases the gateway-list address, but the peer's address should be excluded explicitly to avoid a duplicate-address conflict:

[HX-SW-1]ip pool 10

[HX-SW-1-ip-pool-10]gateway-list 192.168.10.1

[HX-SW-1-ip-pool-10]network 192.168.10.0 mask 255.255.255.0

[HX-SW-1-ip-pool-10]excluded-ip-address 192.168.10.100 192.168.10.254

[HX-SW-1-ip-pool-10]dns-list 192.168.160.254

[HX-SW-1]ip pool 20

[HX-SW-1-ip-pool-20]gateway-list 192.168.20.1

[HX-SW-1-ip-pool-20]network 192.168.20.0 mask 255.255.255.0

[HX-SW-1-ip-pool-20]excluded-ip-address 192.168.20.100 192.168.20.254

[HX-SW-1-ip-pool-20]dns-list 192.168.160.254

[HX-SW-1]ip pool 30

[HX-SW-1-ip-pool-30]gateway-list 192.168.30.1

[HX-SW-1-ip-pool-30]network 192.168.30.0 mask 255.255.255.0

[HX-SW-1-ip-pool-30]excluded-ip-address 192.168.30.100 192.168.30.254

[HX-SW-1-ip-pool-30]dns-list 192.168.160.254

Aggregation switch interface configuration (both uplinks allow VLANs 2 to 4094; a trunk should carry only the VLANs actually present behind it, so that a mis-tagged frame from one building cannot reach every VLAN in the campus):

[HJ-SW-1]interface GigabitEthernet 0/0/5

[HJ-SW-1-GigabitEthernet0/0/5]port link-type trunk

[HJ-SW-1-GigabitEthernet0/0/5]port trunk allow-pass vlan 2 to 4094

[HJ-SW-1]interface GigabitEthernet0/0/6

[HJ-SW-1-GigabitEthernet0/0/6]port link-type trunk

[HJ-SW-1-GigabitEthernet0/0/6]port trunk allow-pass vlan 2 to 4094

VLAN division of the cultural and sports centre access switch (GigabitEthernet0/0/2 is a user port in VLAN 130; the two trunks here should likewise be pruned to VLAN 130 plus the management VLAN rather than 2 to 4094):

[WTZX]interface GigabitEthernet 0/0/1

[WTZX-GigabitEthernet0/0/1]port link-type trunk

[WTZX-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 to 4094

[WTZX]interface GigabitEthernet0/0/2

[WTZX-GigabitEthernet0/0/2]port link-type access

[WTZX-GigabitEthernet0/0/2]port default vlan 130

#

[WTZX]interface GigabitEthernet0/0/3

[WTZX-GigabitEthernet0/0/3]port link-type trunk

[WTZX-GigabitEthernet0/0/3]port trunk allow-pass vlan 2 to 4094
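Added example, not part of the original thesis or its eNSP project: a Python script that audits configuration written in the prompt form used in this appendix and flags the problems a reviewer would otherwise check by hand in the core switch VRRP/DHCP section, the DHCP pools and the trunk configuration above. It assumes the input uses the same "[DEVICE-VIEW]command" prompt style and inspects only VLANIF, ip-pool and GigabitEthernet views. The sample configuration inside the script is constructed from the core, aggregation and access switch snippets on this page, with two deliberate changes so that both a finding and a clean result are visible: pool 20 excludes the core switches' own addresses, and the WTZX uplink trunk is pruned to VLANs 130 and 160 (a hypothetical choice, not the page's configuration).

```python
"""Static audit of VRP-style configuration snippets (added example, not the thesis's code).

Checks: VRRP virtual IP lies in the VLANIF subnet and differs from the physical
address; a VLANIF does not mix 'dhcp select global' with 'dhcp select relay';
every VLANIF using the global server has a matching pool whose gateway is the
VRRP virtual IP; the switch's own address is not leasable; trunks are pruned.
"""
import ipaddress
import re

PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\]\s*(?P<cmd>.*)$")
VLANIF = re.compile(r"-Vlanif\d+$")
POOL = re.compile(r"-ip-pool-\S+$")
GE = re.compile(r"-GigabitEthernet\S+$")

# Constructed from the page's snippets; pool 20 and the WTZX trunk are altered on purpose.
SAMPLE_CONFIG = """
[HX-SW-1-Vlanif10]ip address 192.168.10.2 255.255.255.0
[HX-SW-1-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1
[HX-SW-1-Vlanif10]dhcp select global
[HX-SW-1-Vlanif10]dhcp select relay
[HX-SW-1-Vlanif10]dhcp relay server-ip 192.168.160.10
[HX-SW-1-Vlanif20]ip address 192.168.20.2 255.255.255.0
[HX-SW-1-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1
[HX-SW-1-Vlanif20]dhcp select global
[HX-SW-1-Vlanif40]ip address 192.168.40.2 255.255.255.0
[HX-SW-1-Vlanif40]vrrp vrid 4 virtual-ip 192.168.40.1
[HX-SW-1-Vlanif40]dhcp select global
[HX-SW-1-ip-pool-10]gateway-list 192.168.10.1
[HX-SW-1-ip-pool-10]network 192.168.10.0 mask 255.255.255.0
[HX-SW-1-ip-pool-10]excluded-ip-address 192.168.10.100 192.168.10.254
[HX-SW-1-ip-pool-20] gateway-list 192.168.20.1
[HX-SW-1-ip-pool-20] network 192.168.20.0 mask 255.255.255.0
[HX-SW-1-ip-pool-20] excluded-ip-address 192.168.20.2 192.168.20.3
[HJ-SW-1-GigabitEthernet0/0/5]port link-type trunk
[HJ-SW-1-GigabitEthernet0/0/5]port trunk allow-pass vlan 2 to 4094
[WTZX-GigabitEthernet0/0/1]port link-type trunk
[WTZX-GigabitEthernet0/0/1]port trunk allow-pass vlan 130 160
"""


def parse(text):
    """Collect per-view facts: VLANIF address/VRRP/DHCP mode, pool ranges, trunk commands."""
    vlanifs, pools, trunks = {}, {}, {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m.group("cmd"):
            continue
        view, cmd = m.group("view"), m.group("cmd").split()
        if VLANIF.search(view):
            d = vlanifs.setdefault(view, {"dhcp": set()})
            if cmd[:2] == ["ip", "address"]:
                d["iface"] = ipaddress.ip_interface(f"{cmd[2]}/{cmd[3]}")
            elif cmd[0] == "vrrp" and "virtual-ip" in cmd:
                d["vip"] = ipaddress.ip_address(cmd[cmd.index("virtual-ip") + 1])
            elif cmd[:2] == ["dhcp", "select"]:
                d["dhcp"].add(cmd[2])
        elif POOL.search(view):
            d = pools.setdefault(view, {})
            if cmd[0] == "gateway-list":
                d["gw"] = ipaddress.ip_address(cmd[1])
            elif cmd[0] == "network":
                d["net"] = ipaddress.ip_network(f"{cmd[1]}/{cmd[3]}")
            elif cmd[0] == "excluded-ip-address":  # start [end]
                d["excl"] = (ipaddress.ip_address(cmd[1]), ipaddress.ip_address(cmd[-1]))
        elif GE.search(view) and cmd[:2] == ["port", "trunk"]:
            trunks.setdefault(view, []).append(" ".join(cmd))
    return vlanifs, pools, trunks


def leasable(pool, addr):
    """Could the pool hand out addr? The gateway-list address is never leased by VRP."""
    net = pool.get("net")
    if net is None or addr not in net or addr == pool.get("gw"):
        return False
    lo, hi = pool.get("excl", (None, None))
    return lo is None or not (lo <= addr <= hi)


def audit(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    vlanifs, pools, trunks = parse(text)
    findings = []
    for view, d in vlanifs.items():
        iface, vip = d.get("iface"), d.get("vip")
        if iface and vip and vip not in iface.network:
            findings.append(f"{view}: VRRP virtual IP {vip} is outside {iface.network}")
        if iface and vip and vip == iface.ip:
            findings.append(f"{view}: VRRP virtual IP equals the physical address {vip}")
        if {"global", "relay"} <= d["dhcp"]:
            findings.append(f"{view}: 'dhcp select global' and 'dhcp select relay' both configured; only the last one entered is active")
        if "global" in d["dhcp"] and iface:
            matching = [p for p in pools.values() if p.get("net") == iface.network]
            if not matching:
                findings.append(f"{view}: 'dhcp select global' but no ip pool covers {iface.network}")
            for p in matching:
                if vip and p.get("gw") != vip:
                    findings.append(f"{view}: pool gateway {p.get('gw')} is not the VRRP virtual IP {vip}")
                if leasable(p, iface.ip):
                    findings.append(f"{view}: physical address {iface.ip} is leasable; add it to excluded-ip-address")
    for view, cmds in trunks.items():
        if any(c.endswith("allow-pass vlan 2 to 4094") for c in cmds):
            findings.append(f"{view}: trunk allows VLANs 2-4094; prune it to the VLANs this link carries")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it with python3 and paste a device's display current-configuration output (converted to the prompt form, or adapt parse to indented output) in place of SAMPLE_CONFIG; on the sample it reports the Vlanif10 global/relay mix, the leasable 192.168.10.2, the missing pool for Vlanif40 and the unpruned HJ-SW-1 uplink, while Vlanif20 and the pruned WTZX trunk produce nothing.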

Firewall configuration (the interfaces must also be placed in security zones, with firewall zone trust / add interface GigabitEthernet1/0/0 and firewall zone untrust / add interface GigabitEthernet1/0/1, and a security-policy rule permitting trust to untrust is required; neither is shown in this excerpt, and without them the NAT rule below never matches and no traffic is forwarded):

[USG6000V1]interface GigabitEthernet1/0/0

[USG6000V1-GigabitEthernet1/0/0]undo shutdown

[USG6000V1-GigabitEthernet1/0/0]ip address 11.1.1.1 255.255.255.0

[USG6000V1-GigabitEthernet1/0/0]service-manage ping permit

[USG6000V1]interface GigabitEthernet1/0/1

[USG6000V1-GigabitEthernet1/0/1]undo shutdown

[USG6000V1-GigabitEthernet1/0/1]ip address 145.1.1.2 255.255.255.0

[USG6000V1-GigabitEthernet1/0/1]gateway 145.1.1.1

[USG6000V1-GigabitEthernet1/0/1]service-manage ping permit

OSPF configuration (network 10.1.1.0 refers to an inside link whose interface is not part of this excerpt; the ISP-facing 145.1.1.0 network is correctly left out of OSPF so that internal routes are not advertised outward):

[USG6000V1]ospf 3 router-id 3.3.3.3

[USG6000V1-ospf-3]area 0.0.0.0

[USG6000V1-ospf-3-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[USG6000V1-ospf-3-area-0.0.0.0] network 11.1.1.0 0.0.0.255

NAT configuration (easy-ip translates outbound sources to the address of the egress interface):

[USG6000V1]nat-policy

[USG6000V1-policy-nat]rule name trustTo_untrust

[USG6000V1-policy-nat-rule-trustTo_untrust]source-zone trust

[USG6000V1-policy-nat-rule-trustTo_untrust]destination-zone untrust

[USG6000V1-policy-nat-rule-trustTo_untrust]action source-nat easy-ip

Origin blog.csdn.net/qq1325513482/article/details/131727094