1. Requirements background
Background of the company's departments: the company has four departments (Human Resources, Finance, Sales and Marketing) plus a staff dormitory building. The company must provide services to the Internet, and its sensitive departments need data protection and access control between departments.
(1) Divide VLANs and subnets according to the customer's requirements, the departments and the topology
(2) Plan a suitable routing protocol
(3) Give private-network users access to the public network
(4) Core-layer redundancy and load balancing: deploy MSTP and VRRP on the Layer 3 core switches so that office-area traffic and dormitory traffic use different root bridges and different VRRP masters, which gives redundancy and load sharing at the same time
(5) Isolate the intranet from the public network
(6) A hot-standby firewall pair (dual machine) with dual egress links to ensure reliability
2. Address planning
Head office address planning
| Department | Address space | VLAN | Gateway |
| --- | --- | --- | --- |
| Finance Department | 10.0.10.0/24 | Vlan10 | 10.0.10.254/24 |
| Sales Department | 10.0.20.0/24 | Vlan20 | 10.0.20.254/24 |
| Human Resources Department | 10.0.30.0/24 | Vlan30 | 10.0.30.254/24 |
| Marketing Department | 10.0.40.0/24 | Vlan40 | 10.0.40.254/24 |
| Staff dormitory | 10.0.50.0/24 | Vlan50 | 10.0.50.254/24 |
| Internal servers | 10.0.100.0/24 | Vlan100 | 10.0.100.254/24 |
Note: the gateway of each VLAN is the VRRP virtual IP address, so it must be the same address in this table, in the DHCP gateway-list and in the vrrp virtual-ip command. The configuration section below uses .1 as the gateway/virtual IP and .2/.3 as the real addresses of the two core switches; whichever convention is chosen, use it consistently in all three places.
3. Configuration process
1. Access layer implementation
At the access layer, create vlan10, vlan20, vlan30, vlan40 and vlan50 according to the plan.
Add each user-facing port to its VLAN as an access port, and configure the uplink port as a trunk that allows the relevant VLANs. The branch access layer is configured the same way. In addition, configure MSTP multi-instance spanning tree on the access switches and map the VLANs to different instances. The region name, revision level and VLAN-to-instance mapping must be identical on every switch (access and core): switches whose region configuration differs form separate MST regions, and the root-bridge settings made on the core switches then do not apply to them.
stp region-configuration //Enter the MST region configuration view
region-name huawei //Set the region name to huawei (must match on all switches)
instance 1 vlan 10 20 //Map vlan10 and vlan20 to instance 1
instance 2 vlan 30 40 //Map vlan30 and vlan40 to instance 2
active region-configuration //Activate the region configuration; the mapping has no effect until this is done
2. Core layer implementation
(1) DHCP implementation
Deploy the DHCP server on the core switches. The gateway-list entry must be the VRRP virtual IP of the VLAN, and the real interface addresses of both core switches (10.0.10.2 on Core-A and 10.0.10.3 on Core-B in the VRRP section below) must be excluded from the pool so that they are never leased to a client. If both core switches run a server for the same segment, either give them non-overlapping address ranges or enable the server on one core only; both cores are in the same Layer 2 domain, so a client's broadcast reaches the server either way, and two servers with the same range may offer the same address twice.
DHCP configuration:
dhcp enable //Enable the DHCP function globally
ip pool vlan10 //Create an IP address pool named vlan10
network 10.0.10.0 mask 255.255.255.0 //Address segment served by the pool
gateway-list 10.0.10.1 //Default gateway handed to clients: the VRRP virtual IP
excluded-ip-address 10.0.10.2 10.0.10.3 //Exclude the range .2 to .3, the real addresses of the two core switches
interface Vlanif10
dhcp select global //Select the global address pool on the VLAN interface (this command belongs under the Vlanif, not inside the pool)
(2) MSTP + VRRP:
The MSTP root and the VRRP master of a VLAN should be on the same core switch, so that the VLAN's traffic does not have to cross the inter-core link to reach its gateway. Core-A is root for instance 1 (vlan10, vlan20) and VRRP master for VRID 10 and 20; Core-B is root for instance 2 (vlan30, vlan40) and master for VRID 30 and 40. Each switch is the backup for the other's instances and groups.
On Core-A:
stp instance 1 root primary //Core-A is the root bridge for instance 1
stp instance 2 root secondary //Core-A is the backup root bridge for instance 2
//On Core-B the roles are reversed: instance 1 root secondary, instance 2 root primary
VRRP key configuration on Core-A for vlan10; the other gateways follow the same pattern:
interface Vlanif10
ip address 10.0.10.2 255.255.255.0 //Real address of Core-A (Core-B uses 10.0.10.3)
//Create VRRP backup group 10 with the virtual IP address 10.0.10.1, the gateway that the clients use
vrrp vrid 10 virtual-ip 10.0.10.1
//Priority 120 on Core-A is higher than the default 100 left on Core-B, so Core-A becomes master; for VRID 30 and 40 the priority 120 is set on Core-B instead
vrrp vrid 10 priority 120
(3) Link aggregation
Set up link aggregation between the two core switches. The Eth-Trunk carries the VRRP advertisements and the traffic of the backup instances, so it must be a trunk that allows every VLAN in the plan. The key configuration is as follows:
interface eth-trunk 1 //Create an Eth-Trunk interface with ID 1
mode lacp //Use LACP so that a miscabled or failed member link is detected and removed from the bundle
interface g0/0/6
eth-trunk 1 //Add the physical interface to Eth-Trunk 1 (repeat for each member link)
//Set the Eth-Trunk link type to trunk and allow the planned VLANs; without allow-pass only the default VLAN crosses the link
interface eth-trunk 1
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 50 100
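The DHCP, VRRP and MSTP settings of the core layer have to agree with each other across both switches: the DHCP gateway-list must equal the VRRP virtual IP, the excluded range must cover both cores' real interface addresses, and the VRRP master of a VLAN should sit on the MSTP root of that VLAN's instance. The Python script below is an added example, not code from the original design document: it generates the per-VLAN configuration of both core switches from the address plan and lints two listings (generated or hand-written) for those inconsistencies. It assumes the .1/.2/.3 convention of the configuration section (the page's table lists .254 instead), VRRP priorities 120/100, and, because the page does not say which instance vlan50 and vlan100 belong to, assigns them to instances 2 and 1. Python is used because the switch CLI itself cannot be executed offline.

```python
"""Generate and lint matching DHCP/VRRP/MSTP-root configuration for two core switches.

Added example for this design note, not the page's own code. Assumed conventions
(the page's table says .254 while its configuration uses .1; pick one): the gateway
and VRRP virtual IP is host .1, Core-A's real address is host .2, Core-B's is host .3,
VRRP master priority 120, backup priority 100 (the Huawei default).
"""
from ipaddress import IPv4Network

# Address plan from the page. VLAN 10/20 -> instance 1 and 30/40 -> instance 2 follow
# the MSTP section; the instance of VLAN 50 and 100 is an ASSUMPTION (the page omits it).
PLAN = {
    "Finance":         ("10.0.10.0/24", 10, 1),
    "Sales":           ("10.0.20.0/24", 20, 1),
    "Human Resources": ("10.0.30.0/24", 30, 2),
    "Marketing":       ("10.0.40.0/24", 40, 2),
    "Staff dorm":      ("10.0.50.0/24", 50, 2),
    "Internal server": ("10.0.100.0/24", 100, 1),
}
ROOT_PRIMARY = {1: "Core-A", 2: "Core-B"}   # MSTP root per instance; the other core is secondary
MASTER_PRIO, BACKUP_PRIO = 120, 100


def addresses(subnet):
    """Gateway (.1) and the two cores' real addresses (.2/.3) of a subnet."""
    net = IPv4Network(subnet)
    h = list(net.hosts())
    return {"network": str(net.network_address), "mask": str(net.netmask),
            "gateway": str(h[0]), "Core-A": str(h[1]), "Core-B": str(h[2])}


def build_config(core):
    """Return the configuration lines of one core switch ("Core-A" or "Core-B")."""
    lines = ["dhcp enable"]
    for inst, primary in sorted(ROOT_PRIMARY.items()):
        lines.append(f"stp instance {inst} root {'primary' if primary == core else 'secondary'}")
    for name, (subnet, vlan, inst) in PLAN.items():
        a = addresses(subnet)
        # VRRP master sits on the MSTP root of the VLAN's instance so traffic does not hairpin
        prio = MASTER_PRIO if ROOT_PRIMARY[inst] == core else BACKUP_PRIO
        lines += [f"# {name}",
                  f"ip pool vlan{vlan}",
                  f" network {a['network']} mask {a['mask']}",
                  f" gateway-list {a['gateway']}",                      # == VRRP virtual IP
                  f" excluded-ip-address {a['Core-A']} {a['Core-B']}",  # range .2-.3: both real addresses
                  f"interface Vlanif{vlan}",
                  f" ip address {a[core]} {a['mask']}",
                  f" vrrp vrid {vlan} virtual-ip {a['gateway']}",
                  f" vrrp vrid {vlan} priority {prio}",
                  " dhcp select global"]
    return lines


def parse(lines):
    """Extract, per VLAN, the facts the lint checks from a Huawei-style listing."""
    facts, ctx = {}, None
    for raw in lines:
        w = raw.split()
        if not w:
            continue
        if w[:2] == ["ip", "pool"] and w[2].startswith("vlan"):
            ctx = ("pool", int(w[2][4:]))
        elif w[0] == "interface":
            ctx = ("vlanif", int(w[1][6:])) if w[1].startswith("Vlanif") else None
        elif ctx:
            kind, f = ctx[0], facts.setdefault(ctx[1], {})
            if kind == "pool" and w[0] == "gateway-list":
                f["gateway_list"] = w[1]
            elif kind == "pool" and w[0] == "excluded-ip-address":
                f["excluded"] = set(w[1:3])        # start and end of the excluded range
            elif kind == "vlanif" and w[:2] == ["ip", "address"]:
                f["address"] = w[2]
            elif kind == "vlanif" and w[:2] == ["vrrp", "vrid"]:
                f[w[3]] = w[4]                      # "virtual-ip" or "priority"
    return facts


def lint(cfg_a, cfg_b):
    """Return the inconsistencies between the two cores (empty list = consistent)."""
    fa, fb, problems = parse(cfg_a), parse(cfg_b), []
    for vlan in sorted(set(fa) | set(fb)):
        a, b = fa.get(vlan, {}), fb.get(vlan, {})
        if a.get("virtual-ip") != b.get("virtual-ip"):
            problems.append(f"vlan {vlan}: VRRP virtual IP differs between the cores")
        if a.get("priority") == b.get("priority"):
            problems.append(f"vlan {vlan}: equal VRRP priorities, master chosen by IP address only")
        for tag, f in (("A", a), ("B", b)):
            if "gateway_list" in f and f["gateway_list"] != f.get("virtual-ip"):
                problems.append(f"vlan {vlan}: Core-{tag} DHCP gateway-list {f['gateway_list']} "
                                f"is not the VRRP virtual IP {f.get('virtual-ip')}")
            if "excluded" in f and not {a.get("address"), b.get("address")} <= f["excluded"]:
                problems.append(f"vlan {vlan}: Core-{tag} pool does not exclude both real addresses")
    return problems


if __name__ == "__main__":
    core_a, core_b = build_config("Core-A"), build_config("Core-B")
    print("\n".join(core_a))
    print("lint:", lint(core_a, core_b) or "consistent")
```

Running the script prints Core-A's listing and an empty lint result; feeding it a listing whose gateway-list was taken from the .254 column of the table while the VRRP virtual IP stayed .1 reports the mismatch for that VLAN, which is exactly the kind of error that survives on paper and only shows up as clients with an unreachable default gateway.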
3. Network egress implementation
(1) Deploy NAT:
The egress firewall translates the private addresses to the public address of its untrust interface. Two pieces are needed: a security policy that permits the traffic from trust to untrust (without it the firewall drops the packets before NAT is considered), and a NAT policy that applies source NAT to the same traffic. The key configuration is as follows:
//Security policy permitting the internal source networks that are allowed to reach the Internet:
security-policy
rule name nat
source-zone trust
destination-zone untrust
action permit
//NAT policy applying Easy IP (source NAT to the address of the egress interface) to the same traffic:
nat-policy
rule name nat
source-zone trust
destination-zone untrust
action source-nat easy-ip
As written, the security policy permits everything from trust to untrust; restrict it with source-address entries for the planned subnets, and give the dormitory VLAN only the services the company wants to allow. Publishing the internal servers (10.0.100.0/24) to the Internet is a separate task: it needs a destination NAT (nat server) mapping and a security policy from untrust toward the server zone that opens only the published ports, not a reuse of this rule.
4. Routing protocol implementation
The core switches are connected to the egress firewalls through dual uplinks and exchange routes with them using OSPF. Each device advertises its directly connected segments. The network statement below covers the whole 10.0.0.0/8 block, so it also enables OSPF on the user VLAN interfaces; those Vlanifs should be configured as silent interfaces so that no OSPF hello packets are sent into the access VLANs and no device in a user VLAN can form an adjacency with the core.
//The same configuration is repeated on the other devices to advertise their directly connected segments.
[Core-A-ospf-1]area 0
[Core-A-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255
5. Implementation of the hot-standby (dual-machine) function
# Configure a VGMP group on the firewalls to monitor the uplink and downlink service interfaces; when a tracked interface goes down, the VGMP priority drops and the standby firewall takes over.
[FW_A] hrp track interface GigabitEthernet 1/0/0
[FW_A] hrp track interface GigabitEthernet 1/0/1
[FW_A] hrp adjust ospf-cost enable //Raise the OSPF cost advertised by the standby firewall according to the VGMP state, so that the core switches prefer the active firewall
# Specify the heartbeat interface and enable hot standby. The heartbeat link should be a dedicated direct link between the two firewalls, because configuration and session state are synchronized over it.
[FW_A] hrp interface GigabitEthernet 0/0/6 remote 10.10.10.1 //remote is the heartbeat address of FW_B
[FW_A] hrp enable
[FW_B] hrp standby-device //FW_B is the standby device; it needs the same hrp track and hrp interface lines, with remote set to FW_A's heartbeat address
[FW_B] hrp enable
Once HRP is established, the security policy and NAT policy are configured on the active firewall only and are synchronized to the standby automatically.
6. Intranet security configuration
Access control: other departments are denied access to the Finance Department.
[SW-A]acl 3000 //Advanced ACL (3000-3999), needed because the rule matches on both source and destination
[SW-A-acl-adv-3000]description deny_cw
[SW-A-acl-adv-3000]rule deny ip source 10.0.0.0 0.0.255.255 destination 10.0.10.0 0.0.0.255 //Deny any 10.0.x.x source to the finance subnet
[SW-A]traffic-filter inbound acl 3000 //Apply the filter globally; packets that match no rule are forwarded
Two caveats. The rule is stateless, so it also drops the replies of connections that the Finance Department itself opens to other internal subnets (the reply has a 10.0.x.x source and a finance destination); Internet access still works because those replies arrive with public source addresses. If finance must reach the internal servers, add permit rules for that traffic in front of the deny (rules are evaluated in order of their rule number) or enforce the policy on the stateful firewall instead. And because the source wildcard covers the finance subnet itself, the rule also matches traffic between two finance hosts that transits the switch.
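Because the ACL matches every packet on its own, the safest way to see what it does to the Finance Department's own connections is to evaluate it against a few flows before it is applied on hardware. The Python script below is an added example, not code from the original document: it implements wildcard-mask matching and first-match evaluation with the forward-on-no-match behaviour of traffic-filter, runs the page's rule against constructed flows (addresses follow the plan; 203.0.113.10 is a documentation address standing in for an Internet host), and contrasts it with a variant that permits ACK-flagged TCP segments in front of the deny. The ACK-only rule is an illustration of what a stateless "established" match buys and costs; the switch keyword for it is not taken from the page.

```python
"""Stateless ACL evaluation with Huawei-style wildcard masks (added example, not the page's code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack: bool = False   # TCP ACK flag set: a reply or mid-connection segment


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    ack_only: bool = False  # match only TCP segments with ACK set (a stateless "established" match)


def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard mask means 'don't care' (0.0.0.255 matches the whole /24)."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.ack_only and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return (wildcard_match(pkt.src, rule.src, rule.src_wild)
            and wildcard_match(pkt.dst, rule.dst, rule.dst_wild))


def evaluate(acl, pkt):
    """First matching rule wins; a packet that matches no rule is forwarded, as traffic-filter
    does on Huawei switches (there is no implicit deny at the end of the ACL)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "permit"


# ACL 3000 exactly as on the page
PAGE_ACL = [Rule("deny", "ip", "10.0.0.0", "0.0.255.255", "10.0.10.0", "0.0.0.255")]

# Variant that lets ACK-flagged TCP replies reach finance before the deny is evaluated
ESTABLISHED_ACL = [
    Rule("permit", "tcp", "10.0.0.0", "0.0.255.255", "10.0.10.0", "0.0.0.255", ack_only=True),
    Rule("deny", "ip", "10.0.0.0", "0.0.255.255", "10.0.10.0", "0.0.0.255"),
]

# Constructed sample flows: finance 10.0.10.0/24, sales 10.0.20.0/24, servers 10.0.100.0/24
FLOWS = {
    "sales -> finance (SYN)":            Packet("tcp", "10.0.20.15", "10.0.10.20"),
    "finance -> server (SYN)":           Packet("tcp", "10.0.10.20", "10.0.100.5"),
    "server -> finance (SYN/ACK reply)": Packet("tcp", "10.0.100.5", "10.0.10.20", ack=True),
    "server -> finance (DNS reply)":     Packet("udp", "10.0.100.5", "10.0.10.20"),
    "internet -> finance (reply)":       Packet("tcp", "203.0.113.10", "10.0.10.20", ack=True),
    "sales -> finance (ACK scan)":       Packet("tcp", "10.0.20.15", "10.0.10.20", ack=True),
}


def decisions(acl, flows=FLOWS):
    """Map each flow name to the ACL's verdict for it."""
    return {name: evaluate(acl, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for label, acl in (("page ACL", PAGE_ACL), ("established variant", ESTABLISHED_ACL)):
        print(label)
        for name, verdict in decisions(acl).items():
            print(f"  {verdict:6} {name}")
```

With the page's ACL the sales host is denied as intended, but the server's SYN/ACK back to finance is denied too, so finance cannot complete any TCP connection to the server VLAN while its Internet replies pass. The ACK-only permit repairs the TCP replies at the price of admitting any ACK-flagged segment from the other departments (an ACK scan reaches finance hosts), and it does nothing for UDP or ICMP replies; a stateful policy on the firewall avoids both problems.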
For DHCP security control, enable DHCP snooping and mark only the upstream interfaces as trusted: DHCP replies (OFFER/ACK) are then accepted only from the uplinks that lead to the core switches running the DHCP server. User ports stay untrusted (the default), so a rogue DHCP server plugged into a user port, for example in the dormitory, cannot answer clients.
[SW1]dhcp snooping enable //Enable DHCP snooping globally first; the interface commands have no effect without it
[SW1]interface Ethernet0/0/1
[SW1-Ethernet0/0/1]dhcp snooping enable
[SW1-Ethernet0/0/1]dhcp snooping trusted //Uplink: DHCP server replies may enter here
[SW1-Ethernet0/0/1]interface Ethernet0/0/2
[SW1-Ethernet0/0/2]dhcp snooping enable
[SW1-Ethernet0/0/2]dhcp snooping trusted //Second uplink, toward the other core switch
Enable port security on the access ports of the Finance Department:
[SW1-Ethernet0/0/3]port-security enable //Enable port security on the interface
[SW1-Ethernet0/0/3]port-security protect-action shutdown //When the limit is exceeded, shut the port down; it stays down until an administrator restores it
[SW1-Ethernet0/0/3]port-security max-mac-num 1 //At most one MAC address may be learned on the port, so a hub or unmanaged switch added behind it triggers the shutdown
Firewall egress security configuration:
Configure DDoS attack defense on the untrust interface.
Configure the security policies to reference the antivirus, APT and other content-security profiles, so that traffic the policy permits is still inspected.
4. Test
1. DHCP test
Check that clients in every department obtain an address from the pool of their own VLAN, with the VRRP virtual IP as default gateway.
2. VRRP test
Check that for every backup group one core switch is Master and the other Backup, with Core-A master for the VLANs of instance 1 and Core-B master for the VLANs of instance 2, and that shutting down the master moves the role to the other switch without clients losing their gateway.
3. Routing and user Internet access test
Check that OSPF neighbours are established between the core switches and both firewalls and that users reach the Internet through the active firewall with their addresses translated.
4. Firewall hot-standby test
Check that one firewall is in the active state and the other in the standby state, and that the standby takes over when the active firewall's tracked interface is disconnected.
5. Internal server access test and external access
Public network access: the published internal services are reachable from the Internet only on the mapped ports.
Intranet access control: other departments cannot reach the Finance Department, while all other inter-department access works normally.