An enterprise network design based on OSPF technology (complete document + ENSP topology diagram)

Hello everyone, I am senior Xiaohua, a blogger in the computer field. After years of study and practice, I have accumulated rich computer knowledge and experience. Here I would like to share my learning experience and skills with you to help you become a better programmer.
As a computer blogger, I have been focusing on programming, algorithms, software development and other fields, and have accumulated a lot of experience in these areas. I believe that sharing is a win-win situation. Through sharing, I can help others improve their technical level and at the same time get the opportunity to learn and communicate.
In my articles, you will see my analysis of various programming languages, development tools, and common problems. I will provide you with practical solutions and optimization techniques based on my actual project experience. I believe that these experiences will not only help you solve the problems you are currently encountering, but also improve your programming thinking and problem-solving abilities.
In addition to sharing technical aspects, I will also touch on some topics about career development and learning methods. As a former student, I know how to better improve myself and face challenges in the computer field. I will share some learning methods, interview skills and workplace experiences, hoping to have a positive impact on your career development.
My articles will be published in the CSDN community, which is a very active and professional computer technology community. Here you can communicate, learn and share with other people who love technology. By following my blog, you can get my latest articles as soon as possible and interact with me and other readers.
If you are interested in the computer field and hope to better improve your programming skills and technical level, then please follow my CSDN blog. I believe that what I share will help and inspire you, allowing you to achieve greater success in the computer field!
Let us become better programmers together and explore the wonderful world of computing together! Thank you for your attention and support!
All computer project source codes shared include documents and can be used for graduation projects or course designs. Welcome to leave a message to share questions and exchange experiences!

Summary

The rapid development of the national economy and of informatization marks the arrival of the information age. With the development of science and technology and the ubiquity of the Internet, users' needs and requirements for the network keep growing. Users must not only be able to access the external network and share network resources; on that basis, the stability and security of the network must also be ensured. Enterprises or users that are more sensitive to the network have even higher requirements, both for the network itself and for its stability and security.

This graduation project is mainly about network planning and design. Taking the enterprise network as the background, I plan and design the network of a medium-sized enterprise. The enterprise is headquartered in Nanjing and has a branch in Changzhou. Both the headquarters and the branch need access to the external network, users or hosts in the branch must be able to access the resources of the headquarters servers, and data security must be ensured. The headquarters has multiple departments, and some departments must be prevented from accessing certain important departments, with connectivity between some departments restricted. The network topology design uses the classic access layer and core layer. The access layer connects user terminal PCs, printers and servers; the internal user gateways of the headquarters are configured on the core layer switches. Two core switches are deployed and virtualized into one through clustering technology. The core layer switch is connected to the egress router, and dynamic OSPF routing is configured between the switch and the router to achieve network connectivity. The branch network topology design uses a two-layer structure (access layer, core layer): the access layer connects user terminals, and the core layer configures the user gateways. A VPN is deployed between the headquarters and the branch, and IPsec VPN is configured to achieve mutual access between the headquarters and the branch over the public Internet.

The network design is simulated with the Huawei eNSP simulator. Network equipment (Layer 2 switches, Layer 3 switches, routers, PCs and servers) is added and connected, network connectivity is achieved through the relevant configuration, and network-related tests are carried out.

Keywords: enterprise network; network planning; IPsec VPN


1. Introduction
1.1. Background
1.2. Development trend
1.3. Meaning
2. Enterprise needs analysis
2.1. Project Overview
2.2. User demand analysis
2.3. Server demand analysis
2.4. Network security needs analysis
2.5. Analysis of network equipment requirements
2.6. Information point demand analysis
3. Outline design of the network
3.1. Network design principles
3.1.1. Advancedness
3.1.2. Reliability
3.1.3. Practicality
3.1.4. Security
4. Detailed design of the network
4.1. Network architecture
4.1.1. Headquarters network architecture planning
4.1.2. Branch network architecture planning
4.2. Network topology
4.2.1. Network description
4.3. IP address planning and VLAN division
4.3.1. VLAN division
4.3.2. IP address planning
4.4. Network implementation
4.4.1. Access layer implementation
4.4.2. Core layer implementation
4.4.3. Egress router implementation
4.5. Equipment selection
5. Network implementation
5.1. Network simulation configuration
5.1.1. Access switch configuration
5.1.2. Core switch configuration
5.1.3. Egress router configuration
6. Network test
6.1. Test access between the branch and the headquarters
6.2. Test the connectivity between the headquarters and the external network
6.3. Test the connectivity between the headquarters and the server
6.4. Test the connectivity between the branch and the external network
6.5. Test telnet remote device management
6.6. View VRRP status information
6.7. View OSPF neighbor establishment and routing information
References

1. Introduction

1.1. Background

This topic uses the network construction of medium-sized enterprises as the background to realize network planning, design and simulation. The enterprise has a head office and a branch. The head office has a human resources department, a marketing department, a scientific research department, an information department, an administrative department, etc. The branch company has an administrative department, a scientific research department and a marketing department. Different departments are divided into different VLANs, and different IP address segments are allocated between different VLANs. Mutual access is required between the headquarters and branches.

1.2. Development trend

The rapid development of the market economy and the popularization of computer networks have made the Internet more and more closely tied to people's daily lives. Networks can be seen everywhere, including mobile networks, wired networks, wireless networks, video surveillance and traffic cameras. There is no doubt that the popularity of the Internet has brought great convenience to our lives and, at the same time, has quietly improved our safety. For example, traffic cameras not only ensure traffic safety but also protect our lives. Secondly, the popularity of wireless networks has also brought many conveniences: it means Internet access is no longer restricted by wired networks, and people can surf the Internet anytime and anywhere with an iPad or mobile phone. It is believed that in the near future the scale of computer networks will keep growing, and the development of wireless networks is an inevitable trend. Current wireless networks still have some flaws, such as the security of wireless networks, and the stability of wireless network signals has always been a concern.

1.3. Meaning

In today's information age, the Internet can be seen everywhere in our lives. The development of computer networks makes the traditional network architecture model unable to meet the needs of existing enterprise users. The popularization of computer networks has also brought a lot of convenience to our daily lives and work. It not only greatly improves our work efficiency, but also enriches our leisure entertainment activities. At the same time, the rapid development of the network has also driven the development of social economy.

2. Enterprise needs analysis

2.1. Project Overview

This design targets a medium-sized enterprise with a two-story office building. The enterprise has a headquarters and a branch. The headquarters mainly consists of the personnel department, marketing department, scientific research department, information department and administrative department; the branch has an administrative department, a scientific research department and a marketing department. The core computer room is on the first floor, and there is a small computer room on the second floor. The first floor mainly houses the Human Resources Department, Marketing Department and Scientific Research Department: about 4 people in the HR department and 40 people in the marketing and scientific research departments, with a total of 45 PCs. The second floor mainly houses the Information Department and the Administration Department, with a total of 60 people and 60 PCs.

2.2. User demand analysis

(1) The corporate headquarters and branches have multiple departments, and each department is required to be divided into a VLAN separately. The VLAN ID can be planned by yourself.

(2) Corporate headquarters departments are required to be able to share internal resources, and some resources and data between departments can access each other.

(3) Deploy 2 core devices.

(4) The resources of the headquarters’ internal servers need to be secured to minimize unnecessary attacks.

(5) Considering the company's funds, the headquarters applied to the ISP for the 200.200.200.0/29 network segment, which provides only 6 public addresses. For internal users to access the external network, network address translation is therefore required: port-based translation (PAT) maps internal addresses to the outbound interface address of the enterprise's egress device.

(6) The enterprise has its own branches, and the headquarters and branches need to visit each other. In order to save costs and ensure secure transmission of network data, an IPsec VPN needs to be established between the headquarters and branches.

(7) The head office is divided into personnel department, marketing department, scientific research department, information department and administration department. Divide different departments into different VLANs to achieve intercommunication between networks. The branch administration department, scientific research department, and marketing department realize interoperability between networks.

2.3. Server demand analysis

(1) WEB server: Almost every company has its own website, which can promote its company to the outside world and greatly increase the company's visibility and attention. The WEB server can be accessed and browsed by internal users of the corporate headquarters, internal users of branches, and external network users. If you need to achieve external network user access, you need to perform static address translation on the WEB server.

(2) FTP server: FTP file transfer server can save some main information and videos of internal users of the enterprise, as well as some commonly used software and tools. The FTP server requires sufficient disk or storage space to be able to save and share internal user data. You can set permissions for some important files and related materials. For access to FTP servers, you can set user names and passwords. You can also set read and write permissions for files or shared materials to ensure security.

(3) DHCP server: There are many users at the headquarters, and not every employee knows how to set an IP address and the related configuration. To reduce the workload of network administrators and users, enterprises generally assign IP addresses to users dynamically through DHCP. The DHCP server can be configured on network devices such as Layer 3 switches and routers, or a dedicated server can run the DHCP service. Deploying a DHCP server avoids IP address conflicts caused by manual user configuration and reduces the workload of network administrators.

(4) DNS server: DNS domain name server facilitates users' access to some websites by configuring the corresponding mapping between domain names and IP addresses. The average user's memory for IP addresses is not very strong and it is difficult to remember them when there are many IP addresses. Nowadays, there are many websites, and it is very troublesome to remember those IP addresses. The DNS domain name server configures the corresponding mapping between the domain name and the IP address, and enters the corresponding domain name in the browser. After finding the corresponding IP address, access is transparent to the user.

2.4. Network security needs analysis

(1) Prevent external IP address spoofing

(2) Prevent illegal IP addresses from the internal network from entering the external network. The company plans to use private IP addresses internally and to reach the external network through network address translation, so that external network users cannot intrude into the company's internal network.

(3) Access control to intranet resource hosts

(4) Prevent external ICMP redirect spoofing

(5) Prevent external source routing spoofing

(6) Control of internal network traffic
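The following example is added here and is not part of the thesis or its eNSP configuration. It models, in Python, how the egress router satisfies requirement (5) of section 2.2 (port-based NAT onto the outbound interface address) together with items (1) and (2) above (dropping spoofed sources arriving from the Internet and blocking unplanned internal sources from leaving). The internal prefixes are those of the address plan in section 4.3; the choice of 200.200.200.1 as the egress interface address and the NAT port pool are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Internal prefixes taken from the address plan in section 4.3.2:
# headquarters VLAN 101-105 and branch VLAN 101-103.
HQ_PREFIXES = [ip_network(f"192.168.{vlan}.0/24") for vlan in range(101, 106)]
BRANCH_PREFIXES = [ip_network(f"172.16.{n}.0/24") for n in (10, 20, 30)]
# Public block the headquarters obtained from the ISP (six usable addresses).
PUBLIC_BLOCK = ip_network("200.200.200.0/29")
# Assumption: the egress router's outbound interface uses the first usable address.
EGRESS_PUBLIC_IP = next(PUBLIC_BLOCK.hosts())          # 200.200.200.1
# Source addresses that must never arrive from the Internet side: private and
# loopback space, plus the enterprise's own public block (requirement 2.4-1).
INBOUND_DENY = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8"),
                PUBLIC_BLOCK]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


def packet(src, dst, sport, dport):
    """Build a Packet from dotted-quad strings (convenience for the demo)."""
    return Packet(ip_address(src), ip_address(dst), sport, dport)


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def inbound_allowed(pkt):
    """Ingress filter on the external interface (requirement 2.4-1): a packet
    from the Internet may not claim an internal or enterprise-owned source."""
    return not _in_any(pkt.src, INBOUND_DENY)


def outbound_allowed(pkt):
    """Egress filter towards the ISP (requirement 2.4-2): only sources that
    belong to the headquarters plan may leave. The core interconnect VLAN 200
    (10.0.0.0/24) and the branch prefixes are deliberately not permitted."""
    return _in_any(pkt.src, HQ_PREFIXES)


class PortNat:
    """Port-based NAT (PAT): each outbound flow is rewritten to the egress
    interface address plus a unique port from an assumed pool, and only
    replies to known flows are translated back in."""

    def __init__(self, public_ip, port_pool=range(10000, 20000)):
        self.public_ip = public_ip
        self._ports = iter(port_pool)
        self.table = {}    # (internal src, sport) -> translated port
        self.reverse = {}  # translated port -> (internal src, sport)

    def translate_out(self, pkt):
        """Internal -> Internet. Returns the rewritten packet, or None if dropped."""
        if not outbound_allowed(pkt):
            return None
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            port = next(self._ports)           # StopIteration once the pool is exhausted
            self.table[key] = port
            self.reverse[port] = key
        return Packet(self.public_ip, pkt.dst, self.table[key], pkt.dport)

    def translate_in(self, pkt):
        """Internet -> internal. Spoofed or unsolicited packets are dropped."""
        if not inbound_allowed(pkt):
            return None
        if pkt.dst != self.public_ip or pkt.dport not in self.reverse:
            return None
        src, sport = self.reverse[pkt.dport]
        return Packet(pkt.src, src, pkt.sport, sport)
```

Because replies are only translated for ports already in the NAT table, an unsolicited packet from the Internet never reaches an internal host, which is the practical effect behind item (2).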

2.5. Analysis of network equipment requirements

The rapid development of the network has led to an increase in the number of network equipment manufacturers, but manufacturers differ in equipment performance and price. Cisco's network equipment is relatively expensive, while H3C and Huawei equipment is much cheaper; Cisco equipment, however, has clear advantages in stability and performance. When selecting network equipment, the enterprise should consider the following aspects:

(1) Performance: Network equipment needs to have high forwarding performance, so that data packets can be forwarded quickly in the network and avoid excessive data packet traffic and traffic congestion.

(2) Security: Network security is crucial in current network design. In terms of device security, the devices themselves need to support some basic security protocols to protect the network, or dedicated security equipment can be purchased for that purpose.

(3) Management: All network devices need to support configurable management and support some common telnet, SSH, SNMP and other related protocols to enable network administrators to remotely manage and configure network devices.

(4) Reliability: Users need to achieve link redundancy and user gateway backup. The selection of switches at the aggregation layer needs to support the corresponding STP spanning tree, HSRP and VRRP gateway backup redundancy protocols to ensure the reliability of the user network.

2.6. Information point demand analysis

Based on the number of people and PCs in each department, the enterprise's information points can be counted. When counting information points, do not count only PCs; other terminals such as printers also need ports.

Table-1 Information point statistics

Floor   Department                  Information points
1F      Personnel Department        4
1F      Marketing Department        20
1F      Research Department         20
2F      Information Department      35
2F      Administration Department   25

3. Outline design of the network

3.1. Network design principles

3.1.1. Advancedness

Today's information technology is developing very rapidly, and the cycle of network upgrades is getting shorter and shorter. At the same time, the rapid development and continuous updates of information technology have also caused different network manufacturers to constantly update. Therefore, when purchasing equipment, we must pay full attention to the advanced nature of the product, not only to meet immediate needs, but also to keep pace with the times and take into account the development of the times. When choosing hardware, we need to predict the future development direction. When choosing software, we should pay attention to its openness, toolability, and software integration advantages. At the same time, network design must also consider the requirements of communication development.

3.1.2. Reliability

For important enterprises, the reliability of network operations plays a very important role. Enterprises cannot tolerate large-scale disruption of the network, which would not only affect the company's operations but also damage the corporate image. Therefore, when designing an enterprise network, we should consider its reliability: the system must run stably and reliably for a long time, and its security must be guaranteed to prevent access by illegal users. The system should not fail, and even when a device does fail, a corresponding backup solution is required. Even when a failure does not pose a major threat to the network and its data, equipment must be in place to back up the data accordingly.

3.1.3. Practicality

The design of the system needs to meet the needs of existing users, let them use the network, and satisfy the experience of users within the enterprise. The network design does not need to be overly complicated; it must be based on the actual situation and meet users' basic requirements, such as access to the external network and resource sharing among internal users.

3.1.4. Security

When designing this enterprise, we should focus on the security of the system network. Security needs to be considered both physically and in network design. When installing network equipment or in the place where network equipment is installed, we need to ensure that all persons entering the computer room are legal, and not everyone is allowed to enter the computer room. When designing the network, we can set passwords on the network devices and deploy firewalls in the server area. In order to ensure the security of the network, we must avoid illegal attacks and illegal operations by personnel.

4. Detailed design of the network

4.1. Network architecture

4.1.1. Headquarters network architecture planning

The headquarters network has corresponding requirements for stability and security. Links from the access layer to the aggregation layer avoid single points of failure, and the user gateway devices are required to run in active/backup mode. Internal users at the headquarters must be able to access the external network, and the headquarters and the branch must be able to access each other. The headquarters network planning and design ideas are as follows:

1. Core layer (aggregation layer)

The core layer is the most important layer in the entire network structure. All internal user traffic needs to be forwarded through the core layer switches; it is the core part of the three-layer network architecture and an indispensable layer. In this headquarters network design, considering the issue of funds, two core Layer 3 switches are deployed at the core layer to forward the traffic of internal users and to serve as the internal user gateways, enabling connectivity between users in different internal network segments. Dynamic routing is used between the core layer and the egress routers, and network connectivity and scalability are ensured through the OSPF dynamic routing protocol. The server area switches are also connected to the core switches.

2. Access layer

The access layer generally connects user terminals, such as PCs, printers, wireless access points, and servers. The default port type of an access layer switch is access. If multiple VLANs need to be divided internally, the port connected to each user terminal needs to be assigned to the corresponding VLAN, and the interconnection interface towards the upstream switch needs to be configured as TRUNK.

The corporate headquarters has multiple departments and needs to plan and create multiple VLANs. The ports connecting access layer switches to terminals in different departments must be assigned to the corresponding VLANs. The uplink ports towards the core layer switches need to be configured as TRUNK and allow the corresponding VLANs to pass. STP is enabled on the access switches at the corporate headquarters: because each access layer switch is dual-homed to the two core switches, STP prevents loops.

3. Service system

The corporate headquarters deploys office systems and business systems, and the servers use a Layer 3 switch as the server access switch to achieve high data forwarding capacity and large interface bandwidth. The office system deploys commonly used FTP, DHCP and WEB servers; the business system deploys multiple servers with cluster technology to ensure the stability of the business system.

4.1.2. Branch network architecture planning

The network architecture of the branch is relatively simple compared to the headquarters. The branch uses one core switch as the user gateway, a router is deployed for egress, and several Layer 2 switches are deployed at the access layer. The stability and security measures of the branch network are less thorough than those of the headquarters, because the branch is smaller and funding is considered more carefully. Nevertheless, branch users can access external networks and headquarters resources.

1. Core layer

The core layer is the most important layer in the entire network structure. All internal user traffic needs to be forwarded through the core layer switch; it is the core part of the three-layer network architecture and an indispensable layer. In this branch network design, considering the issue of funds, one core Layer 3 switch is deployed at the core layer. The core switch connects downstream to the access layer switches and upstream to the egress router, and the user gateways are implemented by configuring IP addresses on VLAN interfaces. Connectivity with the router is likewise achieved by configuring OSPF dynamic routing.

2. Access layer

The access layer generally connects user terminals, such as PCs, printers, wireless access points, and servers. The default port type of an access layer switch is access. If multiple VLANs need to be divided internally, the port connected to each user terminal needs to be assigned to the corresponding VLAN, and the interconnection interface towards the upstream switch needs to be configured as TRUNK.

The branch has three departments, and multiple VLANs need to be planned and created. The ports connecting access layer switches to terminals in different departments must be assigned to the corresponding VLANs. The uplink ports towards the aggregation layer switch need to be configured as TRUNK and allow the corresponding VLANs to pass.

4.2. Network topology

4.2.1. Network description

The company is headquartered in Nanjing and has a branch in Changzhou. It needs to enable the headquarters and branch to access the external network, enable users or hosts in the branch to access the resources of the headquarters server, and ensure data security. The headquarters may consist of multiple departments, and it is necessary to prevent some departments from accessing some important departments and limit the connectivity between some departments. The network topology design uses a classic three-layer architecture (access layer, aggregation layer, core layer). The access layer connects user terminal PCs, printers and servers; the aggregation layer connects access layer switches and core switches. The internal user gateway of the headquarters is configured in On the aggregation layer switches, the processing of data traffic by the core is reduced; the core layer switches connect egress routers, aggregation switches, and server area firewalls, and configure static routing and dynamic OSPF routing to achieve network connectivity. The branch network topology design uses a two-layer structure (access layer, core layer). The access layer connects user terminals, and the core layer configures user gateways. Deploy a VPN between the headquarters and branches, and configure IPsec VPN to achieve mutual access between the headquarters and branches based on the public Internet network.

The network design is simulated with the Huawei eNSP simulator: network devices (layer 2 switches, layer 3 switches, routers), PCs and servers are added and connected, connectivity is achieved through the relevant configuration, and network tests are carried out.

 

Figure-2 Network topology diagram

4.3. IP address planning and VLAN division

4.3.1. VLAN division

Table 2 VLAN division

VLAN | VLAN description | Remark
VLAN 101 | Personnel Department | Headquarters
VLAN 102 | Marketing Department | Headquarters
VLAN 103 | Research Department | Headquarters
VLAN 104 | Information Department | Headquarters
VLAN 105 | Administration Department | Headquarters
VLAN 101 | Administration Department | Branch
VLAN 102 | Research Department | Branch
VLAN 103 | Marketing Department | Branch

4.3.2. IP address planning

Table 3 IP address planning

VLAN | VLAN description | IP address | Subnet mask | Gateway | Remark
VLAN 101 | Personnel Department | 192.168.101.0 | 255.255.255.0 | 192.168.101.254 | Headquarters
VLAN 102 | Marketing Department | 192.168.102.0 | 255.255.255.0 | 192.168.102.254 | Headquarters
VLAN 103 | Research Department | 192.168.103.0 | 255.255.255.0 | 192.168.103.254 | Headquarters
VLAN 104 | Information Department | 192.168.104.0 | 255.255.255.0 | 192.168.104.254 | Headquarters
VLAN 105 | Administration Department | 192.168.105.0 | 255.255.255.0 | 192.168.105.254 | Headquarters
VLAN 101 | Administration Department | 172.16.10.0 | 255.255.255.0 | 172.16.10.254 | Branch
VLAN 102 | Research Department | 172.16.20.0 | 255.255.255.0 | 172.16.20.254 | Branch
VLAN 103 | Marketing Department | 172.16.30.0 | 255.255.255.0 | 172.16.30.254 | Branch

Equipment | Interface | IP address
Headquarters core switch 1 | Vlanif 101 | 192.168.101.252
Headquarters core switch 1 | Vlanif 102 | 192.168.102.252
Headquarters core switch 1 | Vlanif 103 | 192.168.103.252
Headquarters core switch 1 | Vlanif 104 | 192.168.104.252
Headquarters core switch 1 | Vlanif 105 | 192.168.105.252
Headquarters core switch 1 | Vlanif 200 | 10.0.0.1
Headquarters core switch 2 | Vlanif 101 | 192.168.101.253
Headquarters core switch 2 | Vlanif 102 | 192.168.102.253
Headquarters core switch 2 | Vlanif 103 | 192.168.103.253
Headquarters core switch 2 | Vlanif 104 | 192.168.104.253
Headquarters core switch 2 | Vlanif 105 | 192.168.105.253
Headquarters core switch 2 | Vlanif 200 | 10.0.0.5
Headquarters egress router | Eth0/0/0 | 10.0.0.2
Headquarters egress router | Eth0/0/1 | 10.0.0.6
Headquarters egress router | Gi0/0/0 | 10.10.10.1
Headquarters egress router | S 0/0/0 | 200.200.200.1
Headquarters firewall | Gi0/0/0 | 10.10.10.2
Headquarters firewall | Gi0/0/1 | 192.168.100.254
Branch core switch 1 | Vlanif 101 | 172.16.10.254
Branch core switch 1 | Vlanif 102 | 172.16.20.254
Branch core switch 1 | Vlanif 103 | 172.16.30.254
Branch core switch 1 | Vlanif 200 | 10.0.0.1
Branch egress router | Eth0/0/0 | 10.0.0.2
Branch egress router | S 0/0/0 | 100.100.100.1
ISP router | S 0/0/0 | 200.200.200.6
ISP router | S 0/0/1 | 100.100.100.6
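As an added consistency check on the planning tables above (example code written for this article, not part of the original design document), the following script transcribes the user subnets, gateways and core-switch Vlanif addresses and verifies that every gateway is a valid host in its subnet, that the VRRP virtual IP at headquarters does not collide with a physical address, and that no subnet overlaps another across the two sites. The data structure and the helper name check_ip_plan are assumptions of this example.

```python
import ipaddress

# Transcribed from Tables 2 and 3 and the interface table above: (site, VLAN, department,
# subnet, gateway, physical Vlanif addresses). At headquarters the gateway is the VRRP
# virtual IP shared by two core switches; the branch core switch owns the gateway itself.
IP_PLAN = [
    ("Headquarters", 101, "Personnel", "192.168.101.0/24", "192.168.101.254", ["192.168.101.252", "192.168.101.253"]),
    ("Headquarters", 102, "Marketing", "192.168.102.0/24", "192.168.102.254", ["192.168.102.252", "192.168.102.253"]),
    ("Headquarters", 103, "Research", "192.168.103.0/24", "192.168.103.254", ["192.168.103.252", "192.168.103.253"]),
    ("Headquarters", 104, "Information", "192.168.104.0/24", "192.168.104.254", ["192.168.104.252", "192.168.104.253"]),
    ("Headquarters", 105, "Administration", "192.168.105.0/24", "192.168.105.254", ["192.168.105.252", "192.168.105.253"]),
    ("Branch", 101, "Administration", "172.16.10.0/24", "172.16.10.254", ["172.16.10.254"]),
    ("Branch", 102, "Research", "172.16.20.0/24", "172.16.20.254", ["172.16.20.254"]),
    ("Branch", 103, "Marketing", "172.16.30.0/24", "172.16.30.254", ["172.16.30.254"]),
]


def check_ip_plan(plan):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems, seen = [], []
    for site, vlan, dept, subnet, gateway, phys in plan:
        net = ipaddress.ip_network(subnet)  # strict: the subnet must be a true network address
        gw = ipaddress.ip_address(gateway)
        label = f"{site} VLAN {vlan} ({dept})"
        # The gateway must be a usable host address inside its own subnet.
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            problems.append(f"{label}: gateway {gateway} is not a host address in {subnet}")
        # Every physical Vlanif address must sit in the same subnet.
        for addr in phys:
            if ipaddress.ip_address(addr) not in net:
                problems.append(f"{label}: address {addr} is outside {subnet}")
        # With two core switches (VRRP) the virtual IP must not be reused as a physical address.
        if len(phys) > 1 and (gateway in phys or len(set(phys)) != len(phys)):
            problems.append(f"{label}: VRRP virtual IP or physical addresses collide: {phys}")
        # Subnets must be unique across both sites, since the sites are joined over the VPN.
        for other_label, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"{label}: {subnet} overlaps {other_label} {other_net}")
        seen.append((label, net))
    return problems


if __name__ == "__main__":
    for line in check_ip_plan(IP_PLAN) or ["IP plan is consistent"]:
        print(line)
```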

4.4. Network implementation

4.4.1. Access layer implementation

On the access layer switches, the corresponding user VLANs are configured: the interfaces connecting terminal devices and users are set as access ports, and the interfaces interconnected with other switches are configured as trunk. The Personnel Department access layer switch is taken as an example.

 

4.4.2. Core layer implementation

On the core layer switches, the corresponding user VLANs are configured, and the interfaces interconnected with other switches are configured as trunk.

Port aggregation is configured between the core layer switches, and the user gateways are configured on them; VRRP and MSTP provide gateway master/backup and link redundancy.

The OSPF dynamic routing protocol runs between the core layer switches and the routers: OSPF is enabled on the core layer switches, which advertise the user subnets and the addresses of the interfaces interconnecting with the routers.

Internal user subnets obtain IP addresses automatically: the DHCP server is configured on the core switches and assigns addresses to users dynamically, avoiding the address conflicts that arise when users configure IP addresses manually.

 

4.4.3. Egress router implementation

The egress router needs the corresponding static routes and default route, the corresponding interface addresses, and NAT (network address translation) configured.

A VPN needs to be deployed between headquarters and the branch so that headquarters and branch resources can be shared, while also ensuring data security.

 

4.5. Equipment selection

Table 4 Equipment list

Brand | Model | Device type | Quantity | Remark
Huawei | S3700-26C-HI | Access layer switch | 6 | Headquarters
Huawei | S5700-28C-HI | Core layer switch | 2 | Headquarters
Huawei | AR1220-S | Egress router | 1 | Headquarters
Huawei | USG5500 | Firewall | 1 | Headquarters
Huawei | S3700-26C-HI | Access layer switch | 3 | Branch
Huawei | S5700-28C-HI | Aggregation layer switch | 1 | Branch
Huawei | AR1220-S | Egress router | 1 | Branch

5. Network realization

5.1. Network simulation configuration

5.1.1. Access switch configuration

At the access layer, to isolate broadcast domains and prevent broadcast storms, different departments are placed into different VLANs. The VLANs are created on the access layer switches, and users are added to the corresponding VLAN by port-based assignment. The ports interconnecting the access layer switch with its uplink switch are configured as trunk ports that allow all VLANs to pass.

[Huawei]vlan 101      // create the corresponding VLAN (VLAN 101, Personnel Department)
[Huawei]interface Ethernet0/0/1    // enter the interface and configure it as a trunk port
[Huawei-Ethernet0/0/1] port link-type trunk
[Huawei-Ethernet0/0/1] port trunk allow-pass vlan 2 to 4094
[Huawei]interface Ethernet0/0/3  // assign the interface to VLAN 101
[Huawei-Ethernet0/0/3] port link-type access
[Huawei-Ethernet0/0/3] port default vlan 101

5.1.2. Core switch configuration

On the core layer switches, the corresponding VLANs are created, the ports interconnecting with other switches are configured as trunk, and the user gateways are configured on the core switches. The interfaces interconnecting with the routers are given IP addresses, and OSPF dynamic routing is configured with the routers to achieve connectivity.

[Core-SW-1]vlan 100    // create the corresponding VLAN
[Core-SW-1]vlan 101
[Core-SW-1]vlan 102
[Core-SW-1]vlan 103
[Core-SW-1]vlan 104
[Core-SW-1]vlan 105

Create VLAN 100 and the user VLANs 101 to 105 in the system view of the switch CLI.

[Core-SW-1]interface Ethernet0/0/1
[Core-SW-1-Ethernet0/0/1] port link-type trunk
[Core-SW-1-Ethernet0/0/1] port trunk allow-pass vlan 2 to 4094
[Core-SW-1-Ethernet0/0/1]interface Ethernet0/0/2
[Core-SW-1-Ethernet0/0/2] port link-type trunk
[Core-SW-1-Ethernet0/0/2] port trunk allow-pass vlan 2 to 4094
[Core-SW-1-Ethernet0/0/2]interface Ethernet0/0/3
[Core-SW-1-Ethernet0/0/3] port link-type trunk
[Core-SW-1-Ethernet0/0/3] port trunk allow-pass vlan 2 to 4094
[Core-SW-1-Ethernet0/0/3]interface Ethernet0/0/4
[Core-SW-1-Ethernet0/0/4] port link-type trunk
[Core-SW-1-Ethernet0/0/4] port trunk allow-pass vlan 2 to 4094
[Core-SW-1-Ethernet0/0/4]interface Ethernet0/0/5
[Core-SW-1-Ethernet0/0/5] port link-type trunk
[Core-SW-1-Ethernet0/0/5] port trunk allow-pass vlan 2 to 4094
[Core-SW-1-Ethernet0/0/5]interface Ethernet0/0/6
[Core-SW-1-Ethernet0/0/6] port link-type trunk
[Core-SW-1-Ethernet0/0/6] port trunk allow-pass vlan 2 to 4094

Configure interfaces Ethernet0/0/1 to Ethernet0/0/6 as trunk ports.

[Core-SW-1]interface Eth-Trunk0
[Core-SW-1-Eth-Trunk0] port link-type trunk
[Core-SW-1-Eth-Trunk0] port trunk allow-pass vlan 2 to 4094
[Core-SW-1-Eth-Trunk0]interface GigabitEthernet0/0/23
[Core-SW-1-GigabitEthernet0/0/23] eth-trunk 0
[Core-SW-1-GigabitEthernet0/0/23]interface GigabitEthernet0/0/24
[Core-SW-1-GigabitEthernet0/0/24] eth-trunk 0

Configure port aggregation to increase link bandwidth.

[Core-SW-1]stp mode mstp
[Core-SW-1]stp region-configuration
[Core-SW-1-mst-region] region-name Core-SW-1
[Core-SW-1-mst-region] instance 1 vlan 100 to 105
[Core-SW-1-mst-region] active region-configuration

Set the spanning tree protocol mode to Multiple Spanning Tree Protocol (MSTP).

[Core-SW-1]interface Vlanif101
[Core-SW-1-Vlanif101] ip address 192.168.101.252 255.255.255.0
[Core-SW-1-Vlanif101] vrrp vrid 101 virtual-ip 192.168.101.254
[Core-SW-1-Vlanif101] vrrp vrid 101 priority 120
[Core-SW-1-Vlanif101]interface Vlanif102
[Core-SW-1-Vlanif102] ip address 192.168.102.252 255.255.255.0
[Core-SW-1-Vlanif102] vrrp vrid 102 virtual-ip 192.168.102.254
[Core-SW-1-Vlanif102] vrrp vrid 102 priority 120
[Core-SW-1-Vlanif102]interface Vlanif103
[Core-SW-1-Vlanif103] ip address 192.168.103.252 255.255.255.0
[Core-SW-1-Vlanif103] vrrp vrid 103 virtual-ip 192.168.103.254
[Core-SW-1-Vlanif103] vrrp vrid 103 priority 120
[Core-SW-1-Vlanif103]interface Vlanif104
[Core-SW-1-Vlanif104] ip address 192.168.104.252 255.255.255.0
[Core-SW-1-Vlanif104] vrrp vrid 104 virtual-ip 192.168.104.254
[Core-SW-1-Vlanif104] vrrp vrid 104 priority 120
[Core-SW-1-Vlanif104]interface Vlanif105
[Core-SW-1-Vlanif105] ip address 192.168.105.252 255.255.255.0
[Core-SW-1-Vlanif105] vrrp vrid 105 virtual-ip 192.168.105.254
[Core-SW-1-Vlanif105] vrrp vrid 105 priority 120
[Core-SW-1-Vlanif105]interface Vlanif100
[Core-SW-1-Vlanif100] ip address 192.168.100.252 255.255.255.0
[Core-SW-1-Vlanif100] vrrp vrid 100 virtual-ip 192.168.100.254
[Core-SW-1-Vlanif100] vrrp vrid 100 priority 120

Configure VRRP to provide gateway redundancy (backup).

Enable the OSPF dynamic routing protocol, process 100:

[Core-SW-1]ospf 100
[Core-SW-1-ospf-100] silent-interface Vlanif101
[Core-SW-1-ospf-100] silent-interface Vlanif102
[Core-SW-1-ospf-100] silent-interface Vlanif103
[Core-SW-1-ospf-100] silent-interface Vlanif104
[Core-SW-1-ospf-100] silent-interface Vlanif105
[Core-SW-1-ospf-100] silent-interface Vlanif100
[Core-SW-1-ospf-100] area 0.0.0.0
[Core-SW-1-ospf-100-area-0.0.0.0] network 192.168.101.0 0.0.0.255
[Core-SW-1-ospf-100-area-0.0.0.0] network 192.168.102.0 0.0.0.255
[Core-SW-1-ospf-100-area-0.0.0.0] network 192.168.103.0 0.0.0.255
[Core-SW-1-ospf-100-area-0.0.0.0] network 192.168.104.0 0.0.0.255
[Core-SW-1-ospf-100-area-0.0.0.0] network 192.168.105.0 0.0.0.255
[Core-SW-1-ospf-100-area-0.0.0.0] network 192.168.100.0 0.0.0.255

Advertise the networks of the user VLAN interfaces (VLAN 100 to 105); the silent-interface commands keep OSPF hellos off the user-facing VLAN interfaces.

[Core-SW-1-ospf-100-area-0.0.0.0] network 10.0.0.0 0.0.0.3

Advertise the interconnection interface address.

[Core-SW-1]ip pool vlan101
[Core-SW-1-ip-pool-vlan101] gateway-list 192.168.101.254
[Core-SW-1-ip-pool-vlan101] network 192.168.101.0 mask 255.255.255.0
[Core-SW-1-ip-pool-vlan101] dns-list 192.168.100.3

Create the headquarters Personnel Department address pool named vlan101: user subnet 192.168.101.0, subnet mask /24, user gateway 192.168.101.254, DNS server 192.168.100.3.

[Core-SW-1-ip-pool-vlan101]ip pool vlan102
[Core-SW-1-ip-pool-vlan102] gateway-list 192.168.102.254
[Core-SW-1-ip-pool-vlan102] network 192.168.102.0 mask 255.255.255.0
[Core-SW-1-ip-pool-vlan102] dns-list 192.168.100.3

Create the headquarters Marketing Department address pool named vlan102: user subnet 192.168.102.0, subnet mask /24, user gateway 192.168.102.254, DNS server 192.168.100.3.

[Core-SW-1-ip-pool-vlan102]ip pool vlan103
[Core-SW-1-ip-pool-vlan103] gateway-list 192.168.103.254
[Core-SW-1-ip-pool-vlan103] network 192.168.103.0 mask 255.255.255.0
[Core-SW-1-ip-pool-vlan103] dns-list 192.168.100.3

Create the headquarters Research Department address pool named vlan103: user subnet 192.168.103.0, subnet mask /24, user gateway 192.168.103.254, DNS server 192.168.100.3.

[Core-SW-1-ip-pool-vlan103]ip pool vlan104
[Core-SW-1-ip-pool-vlan104] gateway-list 192.168.104.254
[Core-SW-1-ip-pool-vlan104] network 192.168.104.0 mask 255.255.255.0
[Core-SW-1-ip-pool-vlan104] dns-list 192.168.100.3

Create the headquarters Information Technology Department address pool named vlan104: user subnet 192.168.104.0, subnet mask /24, user gateway 192.168.104.254, DNS server 192.168.100.3.

[Core-SW-1-ip-pool-vlan104]ip pool vlan105
[Core-SW-1-ip-pool-vlan105] gateway-list 192.168.105.254
[Core-SW-1-ip-pool-vlan105] network 192.168.105.0 mask 255.255.255.0
[Core-SW-1-ip-pool-vlan105] dns-list 192.168.100.3

Create the headquarters Administration Department address pool named vlan105: user subnet 192.168.105.0, subnet mask /24, user gateway 192.168.105.254, DNS server 192.168.100.3.

5.1.3. Egress router configuration

Configure the router interface IP addresses and add the interfaces to the corresponding OSPF area:

[R1]interface Ethernet0/0/0
[R1-Ethernet0/0/0] ip address 10.0.0.2 255.255.255.252
[R1-Ethernet0/0/0]interface Ethernet0/0/1
[R1-Ethernet0/0/1] ip address 10.0.0.6 255.255.255.252
[R1-Ethernet0/0/1] ospf cost 100
[R1-Ethernet0/0/1]interface se0/0/0
[R1-Serial0/0/0] ip address 200.200.200.1 255.255.255.248

Route configuration

Enable dynamic OSPF routing with process 100 and configure a static default route:

[R1]ospf 100
[R1-ospf-100] default-route-advertise always
[R1-ospf-100] area 0.0.0.0
[R1-ospf-100-area-0.0.0.0] network 10.0.0.0 0.0.0.3
[R1-ospf-100-area-0.0.0.0] network 10.0.0.4 0.0.0.3
[R1]ip route-static 0.0.0.0 0.0.0.0 200.200.200.6

NAT configuration

Configure address translation so that internal private addresses are translated to the public address of the router's outbound interface:

[R1]acl number 2000
[R1-acl-basic-2000]rule 5 permit source 192.168.0.0 0.0.255.255
[R1-acl-basic-2000]interface Serial0/0/0
[R1-Serial0/0/0]nat outbound 2000

IPsec VPN configuration

[R1]acl number 3000     // define the interesting traffic
[R1-acl-adv-3000] rule permit ip source 200.200.200.1 0 destination 100.100.100.1 0
[R1-acl-adv-3000]ipsec proposal vpn  // configure the IPsec security proposal
[R1-ipsec-proposal-vpn] esp authentication-algorithm sha1
[R1-ipsec-proposal-vpn] esp encryption-algorithm aes-192
[R1-ipsec-proposal-vpn]ike proposal 10
[R1-ike-proposal-10]ike peer R3 v1   // configure the IKE peer toward the branch
[R1-ike-peer-R3] pre-shared-key cipher Huawei  // configure the pre-shared key Huawei
[R1-ike-peer-R3] ike-proposal 10
[R1-ike-peer-R3] remote-address 100.100.100.1
[R1-ike-peer-R3]ipsec policy map1 10 isakmp  // configure the IPsec policy
[R1-ipsec-policy-isakmp-map1-10] security acl 3000
[R1-ipsec-policy-isakmp-map1-10] ike-peer R3
[R1-ipsec-policy-isakmp-map1-10] proposal vpn
[R1-ipsec-policy-isakmp-map1-10]interface se0/0/0
[R1-Serial0/0/0] ipsec policy map1   // apply the security policy on interface se0/0/0
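As an added check on the NAT ACL 2000 and the IPsec interesting-traffic ACL 3000 above (example code written for this article, not part of the original router configuration), the following evaluates Huawei-style wildcard rules against a few constructed flows and reports which ACL selects each one. The helper names wildcard_match, acl_lookup and classify_flow are this example's own, and it assumes first-match semantics with "no matching rule" meaning the traffic is not selected.

```python
import ipaddress


def _to_int(value):
    """VRP writes an exact-host wildcard as a bare '0'; everything else is dotted-quad."""
    return 0 if value == "0" else int(ipaddress.ip_address(value))


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    keep = ~_to_int(wildcard)
    return (_to_int(addr) & keep) == (_to_int(base) & keep)


# Rules as (action, source, source-wildcard, destination, destination-wildcard); None = any.
# Transcribed from the egress router configuration above (acl 2000 and acl 3000).
NAT_ACL_2000 = [("permit", "192.168.0.0", "0.0.255.255", None, None)]
IPSEC_ACL_3000 = [("permit", "200.200.200.1", "0", "100.100.100.1", "0")]


def acl_lookup(acl, src, dst):
    """First matching rule wins; with no match the ACL returns None (traffic not selected)."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if s_base is not None and not wildcard_match(src, s_base, s_wc):
            continue
        if d_base is not None and not wildcard_match(dst, d_base, d_wc):
            continue
        return action
    return None


def classify_flow(src, dst):
    """Return (selected_by_ipsec_acl, selected_by_nat_acl) for a packet leaving Serial0/0/0."""
    return (acl_lookup(IPSEC_ACL_3000, src, dst) == "permit",
            acl_lookup(NAT_ACL_2000, src, dst) == "permit")


# Constructed sample flows using addresses from the planning tables.
SAMPLE_FLOWS = {
    "hq-lan-to-internet": ("192.168.101.10", "200.200.200.6"),
    "hq-lan-to-branch-lan": ("192.168.101.10", "172.16.10.10"),
    "hq-router-to-branch-router": ("200.200.200.1", "100.100.100.1"),
}

if __name__ == "__main__":
    for name, (src, dst) in SAMPLE_FLOWS.items():
        ipsec, nat = classify_flow(src, dst)
        print(f"{name:28s} {src} -> {dst}: ipsec={ipsec} nat={nat}")
```

Only the router-to-router flow is selected by ACL 3000 as written; a headquarters LAN host sending to a branch LAN host is selected by the NAT rule and not by the IPsec ACL, so if the tunnel is meant to carry end-user data, ACL 3000 must cover the private subnets and ACL 2000 must exclude them.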

6. Network testing

6.1. Testing access between the branch and headquarters

Individual departments at headquarters and the branch need to access each other through the VPN, and communication between headquarters and the branch travels through the VPN tunnel so that data is transmitted securely. Connectivity to the headquarters server is tested from a branch PC, and commands on the router are used to check whether both IKE phases have been established normally.

Figure-3 Headquarters FTP server address information

Figure-4 Branch Administration PC IP address information

Figure-5 Connectivity test between the branch Administration Department and the server

Figure-6 Viewing VPN establishment on the router

6.2. Testing headquarters connectivity to the external network

A PC in the headquarters Personnel Department is used to test connectivity from headquarters to the external network by pinging the public address 200.200.200.6. If the ping succeeds, network connectivity is fine.

Figure-7 Headquarters Personnel Department PC IP address information

Figure-8 Headquarters Personnel Department connectivity test to the external network

Figure-9 Viewing NAT configuration information

6.3. Testing headquarters connectivity to the server

A PC in the headquarters Research Department is used to test connectivity from headquarters to the server by pinging the server address 192.168.100.1. If the ping succeeds, network connectivity is fine.

Figure-10 FTP server IP address information

Figure-11 Headquarters FTP server configuration

Figure-12 Headquarters Research Department PC address information

Figure-13 Connectivity test between internal headquarters departments and the server

6.4. Testing branch connectivity to the external network

Figure-14 Branch Administration Department PC address information

Figure-15 Testing connectivity from the branch PC to the external network

6.5. Testing Telnet remote device management

Remote management of network devices is tested via Telnet; because the PC does not support a Telnet client, the Telnet test is performed from a router.

Figure-16 Testing Telnet remote management of network devices

6.6. Viewing VRRP status information

The two core switches provide gateway backup through VRRP; the display vrrp brief command shows the VRRP master/backup status.

Figure-17 VRRP status information on the core layer master switch

Figure-18 VRRP status information on the core layer backup switch

6.7. Viewing OSPF neighbor establishment and routing information

Full connectivity between the core switches and the routers is achieved by dynamic OSPF routing; the display ospf peer brief command shows the OSPF neighbor status, and display ip routing-table shows the routing table.

Figure-19 Viewing OSPF neighbors on the core layer switch

Figure-20 Viewing OSPF neighbors on the router

Figure-21 Viewing the routing table on the core layer switch

Figure-22 Viewing the routing table on the egress router


Origin blog.csdn.net/qq1325513482/article/details/131726472