写了不少文章讲解不同厂商设备的配置,很多小伙伴希望我给讲讲如何构建一个大型企业网,这里我借一个实例讲讲中大型企业网络如何搭建。所有实验配置我全部无偿奉献给各位小伙伴,该网络涉及到防火墙的配置、无线网络组网、VRRP、mstp、OSPF及认证、BGP、DHCP中继、nat技术、路由选路,欢迎有兴趣的小伙伴收藏加关注。
需求如下:
1.做必要隔离,且放环;
2.终端接口接入网络后无延迟转发;
3.汇聚后交换机之间要增加带宽;
4.网关配置在汇聚层上,要保证网关冗余;
5.内部使用可靠的IGP进行路由学习和发布,并保证设备身份的合法性;
6.通过BGP协议跟总部进行路由学习,实现互访,要求缺省互访流量都经过AR1访问总部,当AR1出现故障能自动切换至AR2;
7.要求园区网内所有PC终端都通过公司统一的DHCP服务器完成地址分发;
8.使用AC+瘦AP进行无线网络组网;
9.出口防火墙需要做必要的安全策略,只能内网主动发起访问外网;
10.出口防火墙要配置必要的NAT技术使得内网能够访问ISP或者互联网。
具体配置如下:
AR1配置:
interface Ethe.NET3/0/0
ip address 10.1.14.1 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 10.1.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.103.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.1.12.1 255.255.255.0
#
interface Pos5/0/0
link-protocol ppp
ip address 10.1.13.1 255.255.255.0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
interface Ethernet3/0/1
ip address 10.1.15.1 255.255.255.0
#
ospf 1 router-id 1.1.1.1
area 0
network 10.1.14.1 0.0.0.0
network 10.1.15.1 0.0.0.0
network 10.1.100.1 0.0.0.0
network 10.1.12.1 0.0.0.0
network 10.1.103.1 0.0.0.0
network 10.1.13.1 0.0.0.0
network 10.1.1.1 0.0.0.0
authentication-mode md5 1 cipher huawei@123
AR2配置:
interface GigabitEthernet0/0/0
ip address 10.1.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.104.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.1.12.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
ip address 10.1.23.2 255.255.255.0
#
interface LoopBack0
ip address 10.1.2.2 255.255.255.255
#
ospf 1 router-id 2.2.2.2
area 0
network 10.1.2.2 0.0.0.0
network 10.1.12.2 0.0.0.0
network 10.1.23.2 0.0.0.0
network 10.1.102.2 0.0.0.0
network 10.1.104.2 0.0.0.0
authentication-mode md5 1 cipher huawei@123
AR3配置:
interface Pos2/0/0
ip address 10.1.23.3 255.255.255.0
#
interface Pos5/0/0
ip address 10.1.13.3 255.255.255.0
#
interface LoopBack0
ip address 200.200.200.200 255.255.255.255
AR4配置:
#
interface GigabitEthernet0/0/0
ip address 10.1.14.4 255.255.255.0
#
interface LoopBack0
ip address 10.1.4.4 255.255.255.0
#
dhcp enable
#
ip pool vlan10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.251 192.168.10.253
DNS-list 114.114.114.114
domAIn-name hcie
#
ip pool vlan20
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
excluded-ip-address 192.168.20.251 192.168.20.253
dns-list 114.114.114.114
domain-name hcie
#
#
ip pool vlan30
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
excluded-ip-address 192.168.30.251 192.168.30.253
dns-list 114.114.114.114
domain-name hcie
#
#
ip pool vlan40
gateway-list 192.168.40.254
network 192.168.40.0 mask 255.255.255.0
excluded-ip-address 192.168.40.251 192.168.40.253
dns-list 114.114.114.114
domain-name hcie
#
ip route-static 0.0.0.0 0.0.0.0 10.1.14.1
FW配置:
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.15.11 255.255.255.0
service-manage ping permit
#
firewall zone tRust
add interface GigabitEthernet1/0/2
#
inter gig 1/0/1
ip addre 202.1.10.1 24
#
firewall zone untrust
add interface GigabitEthernet1/0/1
#
ospf 1 router-id 33.33.33.33
area 0
network 10.1.15.11 0.0.0.0
authentication-mode md5 1 cipher huawei@123
quit
#
security-policy
rule name permit_local_trust_ospf
source-zone local
destination-zone trust
action permit
quit
#
security-policy
rule name permit_trust_untrust_all
source-zone trust
destination-zone untrust
action permit
quit
#
ip route-static 0.0.0.0 0.0.0.0 202.1.10.254
#
ospf 1
default-route-advertise
#
nat-policy
rule name EASYIP
source-zone trust
destination-zone untrust
action source-nat easy-ip
quit
ISP配置:
sysname ISP
#
interface GigabitEthernet0/0/1
ip address 202.1.10.254 255.255.255.0
#
interface LoopBack0
ip address 114.114.114.114 255.255.255.255
AC配置:
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan all
#
vlan 101
interface vlan101
ip addre 192.168.101.254 24
dhcp select interface
quit
#
wlan
ap-group name ap-group1
quit
regulatory-domain-profile name default
country-code CN
quit
ap-group name ap-group1
regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y
quit
quit
#
capwap source interface vlan101
#
ap-id 0
ap-name SZ1
ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC6605-wlan-ap-0]ap-id 1
ap-name SZ2
ap-group ap-group1
ap-id 2
ap-name SZ3
ap-group ap-group1
ap-id 3
ap-name SZ4
ap-group ap-group1
quit
ap auth-mode mac-auth
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase a1234567 aes
quit
#
[AC6605-wlan-view]ssid-profile name wlan-net
[AC6605-wlan-ssid-prof-wlan-net]ssid hcie2022
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-ssid-prof-wlan-net]quit
[AC6605-wlan-view]vap-profile name wlan-net
[AC6605-wlan-vap-prof-wlan-net]forward-mode direct-forward
[AC6605-wlan-vap-prof-wlan-net]service-vlan vlan-pool hcie2022
Error: The VLAN pool does not exist. Please create it first.
[AC6605]wlan
[AC6605-wlan-view]vap-profile name wlan-net
[AC6605-wlan-vap-prof-wlan-net]service-vlan vlan-pool hcie2022
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-vap-prof-wlan-net]security-profile wlan-net
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-vap-prof-wlan-net]ssid-profile wlan-net
[AC6605]wlan
[AC6605-wlan-view]ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1]vap-profile wlan-net wlan 1 radio 0
Info: This operation may take a few seconds, please wait...done.
[AC6605-wlan-ap-group-ap-group1]vap-profile wlan-net wlan 1 radio 1
Info: This operation may take a few seconds, please wait...done.
[AC6605-wlan-ap-group-ap-group1]quit
[AC6605-wlan-view]quit
[AC6605]dis vap ssid hcie2022
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-----------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
-----------------------------------------------------------------------------
0 SZ1 0 1 00E0-FC43-22F0 ON WPA/WPA2-PSK 0 hcie2022
0 SZ1 1 1 00E0-FC43-2300 ON WPA/WPA2-PSK 0 hcie2022
1 SZ2 0 1 00E0-FC86-80D0 ON WPA/WPA2-PSK 0 hcie2022
1 SZ2 1 1 00E0-FC86-80E0 ON WPA/WPA2-PSK 0 hcie2022
2 SZ3 0 1 00E0-FC04-6A40 ON WPA/WPA2-PSK 0 hcie2022
2 SZ3 1 1 00E0-FC04-6A50 ON WPA/WPA2-PSK 0 hcie2022
3 SZ4 0 1 00E0-FC0E-0BC0 ON WPA/WPA2-PSK 0 hcie2022
3 SZ4 1 1 00E0-FC0E-0BD0 ON WPA/WPA2-PSK 0 hcie2022
-----------------------------------------------------------------------------
Total: 8
SW1配置:
#
vlan batch 10 20 30 40
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface eth-Trunk 12
mode lacp-static
trunkport gig 0/0/19 to 0/0/20
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
stp region-configuration
region-name hcie
revision-level 1
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
#
stp instance 1 root primary
stp instance 2 root secondary
#
#
interface Vlanif10
ip address 192.168.10.251 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.251 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.251 255.255.255.0
#
interface Vlanif40
ip address 192.168.40.251 255.255.255.0
#
interface Vlanif10
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 120
#
interface Vlanif30
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 120
#
interface Vlanif20
vrrp vrid 20 virtual-ip 192.168.20.254
#
interface Vlanif40
vrrp vrid 40 virtual-ip 192.168.40.254
#
vlan batch 100 200
#
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 100
stp edged-port enable
#
interface GigabitEthernet0/0/11
port link-type access
port default vlan 200
stp edged-port enable
#
#
interface Vlanif100
ip address 10.1.100.10 255.255.255.0
#
interface Vlanif200
ip address 10.1.102.10 255.255.255.0
#
#
ospf 1 router-id 11.11.11.11
import-route direct
area 0
network 10.1.100.10 0.0.0.0
network 10.1.102.10 0.0.0.0
authentication-mode md5 1 cipher huawei@123
#
dhcp enable
#
interface vlan10
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
interface vlan20
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
interface vlan30
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
interface vlan40
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
vlan 101
SW2配置:
#
vlan batch 10 20 30 40
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface eth-Trunk 12
mode lacp-static
trunkport gig 0/0/19 to 0/0/20
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
stp region-configuration
region-name hcie
revision-level 1
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
#
stp instance 1 root secondary
stp instance 2 root primary
#
interface Vlanif10
ip address 192.168.10.252255.255.255.0
#
interface Vlanif20
ip address 192.168.20.252 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.252 255.255.255.0
#
interface Vlanif40
ip address 192.168.40.252 255.255.255.0
#
interface Vlanif10
vrrp vrid 10 virtual-ip 192.168.10.254
#
interface Vlanif30
vrrp vrid 30 virtual-ip 192.168.30.254
#
interface Vlanif20
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 120
#
interface Vlanif40
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 120
#
#
vlan batch 300 400
#
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 400
stp edged-port enable
#
interface GigabitEthernet0/0/11
port link-type access
port default vlan 300
stp edged-port enable
#
#
interface Vlanif300
ip address 10.1.103.10 255.255.255.0
#
interface Vlanif400
ip address 10.1.104.10 255.255.255.0
#
ospf 1 router-id 22.22.22.22
import-route direct
area 0
network 10.1.103.10 0.0.0.0
network 10.1.104.10 0.0.0.0
authentication-mode md5 1 cipher huawei@123
#
dhcp enable
#
interface vlan10
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
interface vlan20
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
interface vlan30
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
interface vlan40
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan all
#
vlan 101
SW3配置:
vlan batch 10 20 30 40
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
stp edged-port enable
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
stp edged-port enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan all
#
stp region-configuration
region-name hcie
revision-level 1
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
#
vlan 101
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan all
SW4配置:
vlan batch 10 20 30 40
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
stp edged-port enable
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 40
stp edged-port enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan all
#
stp region-configuration
region-name hcie
revision-level 1
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
#
vlan 101
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan all
京公网安备 11010802035086号