1 Introduction
With the development of the information age, the world is entering a new era of information economy. Every day, there are
Countless amounts of information are transmitted through the network, and this information is also affecting and changing every enterprise with unprecedented depth and breadth. In people's daily lives, information resource sharing and information exchange have become an indispensable part, thus accelerating the emergence and rapid development of new network technologies. The emergence and use of computer networks have brought unprecedented changes to the development of the information age. There are some changes. The establishment and use of an enterprise network, for an enterprise, uses modern information means to establish a rapid feedback mechanism, efficient and high-quality exchange and sharing of internal information resources, online introduction of products, online sales, online technical services and After-sales services are all completed in the form of the Internet, which reflects the main advantages of the Internet: convenience, speed and low cost. Enterprise network construction mainly includes various LAN technical ideas, network design solutions, network topology, network security, network system maintenance, etc. How to build an enterprise campus network that not only meets the enterprise's network needs but also focuses on current and future network development is a problem that needs to be practiced and solved in this project.
2 Enterprise campus network project project
2.1Project background
A well-known technology group company is headquartered in Guangzhou. In order to achieve fast information exchange and resource sharing among various departments, it is necessary to build a group network. The head office has four departments: human resources, finance, sales, and production technology. The requirement for the group network is that the head office departments can not only quickly access the Internet, but also securely communicate on the internal network.
The group network of the head office adopts a dual-core network architecture to ensure the high availability of the group network backbone and ensure that the company can operate normally even if some network fails. At the same time, it uses a router + firewall to access the Internet, so that it can access the external network. , and can protect the intranet. In order to achieve fast information transfer and company business needs, users are required to access the head office intranet server group safely and efficiently. At the same time, the company's homepage server needs to be published on the Internet to provide external website platform services.
The plan takes into account the network development in the next 3-5 years. The company's group network also needs to keep up with the development of network technology. Therefore, IPv6 addresses are set for some devices. The group network also supports access to IPv6 addresses. The project focuses on the practicality of the network. , economy, reliability and scalability and other characteristics.
2.2 Technology deployment
2.2.1 Topology construction
Complete the construction of the topology and the correct connection of devices according to the designed project topology, and modify the names of all devices.
Chart 1 Complete topology diagram of enterprise network
2.2.2 vlan configuration
According to the VLAN planning table, divide VLANs reasonably to ensure correct interface allocation.
Table 1 vlan planning table
| Equipment name |
VLAN id |
interface |
| LSW3 |
VLAN 13 |
E0/0/13 |
| LSW4 |
VLAN 14 |
E0/0/14 |
| LSW5 |
VLAN 15 |
E0/0/15 |
| LSW6 |
VLAN 16 |
E0/0/16 |
| LSW13 |
VLAN 6 |
G0/0/2 |
| VLAN 7 |
G0/0/3 |
|
| VLAN 8 |
G0/0/1 |
|
| AC1 |
VLAN 4 (management) |
------- |
| AC2 |
VLAN 4 (management) |
------- |
| LSW1 |
VLAN 2-8 13-16 |
------- |
| LSW2 |
VLAN 2-8 13-16 |
------- |
2.2.3 IP address configuration
Complete the configuration of the IP address of the interface or VLAN according to the address planning table:
Table 2 Address planning table
| Device name |
Interface or VLAN |
Address planning |
| VLAN4 |
192.168.4.1/24 |
|
| VLAN6 |
192.168.6.1/24 |
|
| VLAN7 |
192.168.7.1/24 |
|
| VLAN8 |
192.168.8.1/24 |
|
| VLAN13 |
192.168.13.252/24 |
|
| VLAN14 |
192.168.14.252/24 |
|
| VLAN15 |
192.168.15.252/24 |
|
| VLAN16 |
192.168.16.252/24 |
|
| LSW2 |
VLAN4 |
192.168.4.2/24 |
| VLAN5 |
192.168.5.1/24 |
|
| VLAN6 |
192.168.6.2/24 |
|
| VLAN7 |
192.168.7.2/24 |
|
| VLAN8 |
192.168.8.2/24 |
|
| VLAN13 |
192.168.13.253/24 |
|
| VLAN14 |
192.168.14.253/24 |
|
| VLAN15 |
192.168.15.253/24 |
|
| VLAN16 |
192.168.16.253/24 |
|
| AC1 |
VLAN4 |
192.168.4.100/24 |
| AC2 |
VLAN4 |
192.168.4.200/24 |
| Server1 |
----- |
222.222.222.2/24 |
| Server2 |
----- |
60.60.60.2/24 |
2.2.4 Link aggregation technology
Configure link aggregation on the G0/0/23, G0/0/24, and G0/0/22 interfaces between LSW1 and LSW2.
2.2.5 MSTP technology
Create STP instance 1 and instance 2, and modify the instance priority.
2.2.6 VRRP technology
Configure VRRP between LSW1 and LSW2.
VRRP virtual IP planning:
Table 3 vrrp virtual IP address planning table
| equipment |
IP address |
| LSW1 |
vrrp virtual IP: 192.168.x.254 |
| LSW2 |
VRRP virtual IP: 192.168.x.254 |
2.2.7 Port security settings
Enable the access terminal interface port security sticky on the four switches LSW3 , LSW4, LSw5, and LSw6, and set the maximum number of secure MAC addresses to 1.
2.2.8 DHCP snooping technology
Configure DHCP Snooping technology on LSW3 and LSW4 switches.
2.2.9 ospf2 technology
Configure ospf2 on switches LSW1, LSW2, and firewalls FW5 and FW6.
Ospf2 configuration planning table:
Table 4 ospf configuration planning table
| Device name |
Loopback IP address |
Declare network segment |
| LSW1 |
1.1.1.1 |
192.168.2.0 |
| 192.168.4.0 |
||
| 192.168.13.0 |
||
| 192.168.14.0 |
||
| 192.168.15.0 |
||
| 192.168.16.0 |
||
| LSW2 |
2.2.2.2 |
192.168.3.0 |
| 192.168.5.0 |
||
| 192.168.13.0 |
||
| 192.168.14.0 |
||
| 192.168.15.0 |
||
| 192.168.16.0 |
||
| FW5 |
5.5.5.5 |
192.168.2.2 |
| FW6 |
6.6.6.6 |
192.168.3.2 |
2.2.10 IPv6 technology
Complete the configuration of the IPV6 address of the interface or VLAN according to the address planning table
Table 5 ipv6 address planning table
| equipment |
IP address |
equipment |
IP address |
| Lsw1 |
Vlan2:2002::1/24 |
LSW2 |
Vlan3:2003::1/24 |
| Lsw1 |
Vlan13:2013::1/24 |
LSW2 |
Vlan13:2013::2/24 |
| Lsw1 |
Vlan14:2014::1/24 |
LSW2 |
Vlan14:2014::2/24 |
| Lsw1 |
Vlan15:2015::1/24 |
LSW2 |
Vlan15:2015::2/24 |
| Lsw1 |
Vlan16:2016::1/24 |
LSW2 |
Vlan16:2016::2/24 |
| FW5 |
G0/0/3:2002::2(5)/24 |
FW6 |
G0/0/3:2003::2(6)/24 |
2.2.11 vrrp3 , ospf3 technology
After the ipv6 address configuration is completed, vrrp and ospf are upgraded to vrrp3 and ospf3.
2.2.12 Wireless network configuration
The wireless network is deployed on the LAN, and the networking method is bypass three-layer networking . The specific data planning is as follows:
Table 6 Wireless network configuration data table
| Domain management template: |
domain, country code: CN |
| AP authentication method: |
mac-auth |
| AP group: |
Name ap-group1 |
| AP management VLAN: |
vlan6 |
| AC的管理VLAN: |
vlan4 |
| SSID模板: |
模板名称:employees SSID名称:ZK-employees |
| 模板名称:guest SSID名称:ZK-guest |
|
| 安全模板: |
模板名称:employees 安全策略:WPA2 密码:zhongkai |
| 模板名称:guest 安全策略:open |
|
| VAP模板: |
名称:employees 转发模式:隧道转发 业务VLAN:7 引用模板:SSID模板employees、安全模板employees |
| 名称:guest 转发模式:直接转发 业务VLAN:8 引用模板:SSID模板guest 、安全模板guest |
IP地址规划:
表7 AC地址规划表
| 设备 |
IP地址 |
设备 |
IP地址 |
| LSW1 |
Vlan4:192.168.4.1 |
LSW2 |
Vlan4:192.168.4.2 |
| LSW1 |
Vlan6:192.168.6.1 |
LSW2 |
Vlan6:192.168.6.2 |
| LSW1 |
Vlan7:192.168.7.1 |
LSW2 |
Vlan7:192.168.7.2 |
| LSW1 |
Vlan8:192.168.8.1 |
LSW2 |
Vlan8:192.168.8.2 |
| AC1 |
Vlan4:192.168.4.100 |
AC2 |
Vlan4:192.168.4.200 |
2.2.13 防火墙策略
园区网出口处部署两台防火墙,同时接入两个运营商。在防火墙FW5,FW6,路由器AR1,AR2上使用区域间安全策略、NAT策略、IP-link联动默认路由。
表8 运营商地址规划表
| 运营商 |
NAT地址池 |
|
| 电信ISP: |
59.39.177.5-59.39.177.6 |
59.39.178.5-59.39.178.6 |
| 联通ISP: |
58.252.1.211-58.252.1.212 |
58.252.2.211-58.252.2.212 |
2.2.14 IPsec VPN
总部的vlan 16与分部的vlan 6用户通过ipsec VPN通信,保障通信的安全性。在FW6和FW3上完成源NAT的配置。受保护网络访问Internet的数据流都要经过NAT转换,而经过IPSec隧道的数据流不需要经过NAT转换。放行trust区域到untrust区域间IPsec VPN流量的安全策略,放行local区域到untrust区域的安全策略。Local和Untrust的域间策略用于控制IKE协商报文通过FW,该域间策略可以使用源地址和目的地址作为匹配条件,也可以在此基础上使用协议、端口作为匹配条件。
IKE协商策略如下:
表9 IKE策略规划表
| 认证: |
预共享密钥,key为huawei@123 |
| 加密: |
AES |
| 哈希: |
SHA2 |
| DH组: |
GROUP 15 |
2.3 项目实施目标
1. 在LSW1和LSW2之间配置链路聚合,增加设备之间的逻辑带宽,提高网络的可靠性。
2. 在LSW1和LSW2之间配置MSTP,实现网络拓扑快速收敛,提供数据转发的多个冗余路径,在数据转发过程中实现VLAN数据的负载均衡。
3. 在LSW1和LSW2之间配置VRRP,实现网关的备份,解决多个网关之间互相冲突的问题。
4. 在LSW3、LSW4、LSw5、LSw6四台交换机的接入终端接口上配置端口安全,阻止非法用户通过本接口和交换机通信,从而增强设备的安全性。
5. 在LSW3,LSW4两台交换机上配置DHCP Snooping 技术。保证DHCP客户端从合法的DHCP服务器获取IP地址,并记录DHCP客户端IP地址与MAC地址等参数的对应关系,防止网络上针对DHCP攻击。
6. 在交换机LSW1,LSW2,防火墙FW5,FW6上配置ospf2。,建立邻居关系,交换路由信息。
7. 配置ipv6,支持ipv6地址。
8. OSPFv3基于OSPFv2基本原理并增强,是一个独立的路由协议。对vrrp,ospf2进行升级,从而支持IPv6地址格式。
9. 配置无线网络,分别在LSW1、LSW2上开启DHCP服务,为AP和无线用户分配IP地址,实现AP上线、WLAN业务下发、WLAN客户端成功获取到IP地址等参数。
10. 正确配置防火墙策略后,网络正常下,FW5中的流量通过ISP1到达Internet,FW6的浏览通过ISP2到达Internet。当出口链路出现故障时,可切换到另外一条ISP链路。
11. 建立VPN来“保护”网络实体之间的通信。通过使用加密技术防止数据被窃听,而数据完整性验证防止数据被破坏、篡改,通过认证机制确认身份,防止数据被截获、回放。