1. Requirements:
A company has two sites, a headquarters and a branch, and needs a network design that meets the following requirements:
1. All internal routing at both the headquarters and the branch uses OSPF.
2. To reduce the administrators' workload and simplify management, every headquarters department except the servers obtains its IP address dynamically; a DHCP server at the headquarters provides DHCP service for all subnets.
3. Communication between the department VLANs is implemented with Layer 3 (VLANIF) routing.
4. For business security, the finance department must not be able to reach the Internet while all other departments can, and the information security R&D group must not be able to reach the international market department.
5. VPN: the headquarters AI R&D group can communicate with the branch AI R&D group, and the headquarters domestic market department can communicate with the branch domestic market department.
6. Branch employees access the servers in the information center through the VPN.
(Topics covered: VLAN, VLANIF Layer 3 routing, DHCP, NAT, ACL, IPsec VPN, OSPF.)
2. Network topology:

3. Device configurations:
Headquarters access-layer switches:
<cwb>dis current-configuration
#
sysname cwb
#
vlan batch 11 to 13
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type access
port default vlan 11
#
interface Ethernet0/0/3
port link-type access
port default vlan 12
#
interface Ethernet0/0/4
port link-type access
port default vlan 13
#
return
<cwb>
[yf1]dis current-configuration
#
sysname yf1
#
vlan batch 21 to 23
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type access
port default vlan 21
#
interface Ethernet0/0/3
port link-type access
port default vlan 22
#
return
[yf1]
[yf2]dis current-configuration
#
sysname yf2
#
vlan batch 23
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type access
port default vlan 23
#
return
[yf2]
[scb]dis current-configuration
#
sysname scb
#
vlan batch 30 to 32
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type access
port default vlan 31
#
interface Ethernet0/0/3
port link-type access
port default vlan 32
#
return
[scb]
[rl]DIS current-configuration
#
sysname rl
#
vlan batch 41 to 43
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type access
port default vlan 41
#
interface Ethernet0/0/3
port link-type access
port default vlan 42
#
interface Ethernet0/0/4
port link-type access
port default vlan 43
#
return
[rl]
[xxzx]dis current-configuration
#
sysname xxzx
#
vlan batch 50 to 51
#
interface Vlanif50
ip address 192.168.50.254 255.255.255.0
#
interface Vlanif51
ip address 192.168.100.2 255.255.255.252
#
interface Ethernet0/0/1
port link-type access
port default vlan 51
#
interface Ethernet0/0/2
port link-type access
port default vlan 50
#
interface Ethernet0/0/3
port link-type access
port default vlan 50
#
interface Ethernet0/0/4
port link-type access
port default vlan 50
#
ospf 1
area 0.0.0.0
network 192.168.100.0 0.0.0.3
network 192.168.50.0 0.0.0.255
#
return
[xxzx]
Aggregation switch configuration:
<cwzb>dis current-configuration
#
sysname cwzb
#
vlan batch 10 to 13
#
dhcp enable
#
interface Vlanif10
ip address 192.168.100.6 255.255.255.252
#
interface Vlanif11
ip address 192.168.11.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.50.67
#
interface Vlanif12
ip address 192.168.12.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.50.67
#
interface Vlanif13
ip address 192.168.13.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.50.67
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
ospf 1
area 0.0.0.0
network 192.168.100.4 0.0.0.3
network 192.168.11.0 0.0.0.255
network 192.168.12.0 0.0.0.255
network 192.168.13.0 0.0.0.255
#
return
<cwzb>
<yfzb>dis current-configuration
#
sysname yfzb
#
vlan batch 20 to 23
#
dhcp enable
#
interface Vlanif20
ip address 192.168.100.10 255.255.255.252
#
interface Vlanif21
ip address 192.168.21.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.50.67
#
interface Vlanif22
ip address 192.168.22.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.50.67
#
interface Vlanif23
ip address 192.168.23.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.50.67
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
#
ospf 1
area 0.0.0.0
network 192.168.100.8 0.0.0.3
network 192.168.21.0 0.0.0.255
network 192.168.22.0 0.0.0.255
network 192.168.23.0 0.0.0.255
#
return
<yfzb>
<scrlzb>dis current-configuration
#
sysname scrlzb
#
vlan batch 30 to 32 41 to 43
#
dhcp enable
#
interface Vlanif30
ip address 192.168.100.14 255.255.255.252
#
interface Vlanif31
ip address 192.168.31.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.50.67
#
interface Vlanif32
ip address 192.168.32.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.50.67
#
interface Vlanif41
ip address 192.168.41.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.50.67
#
interface Vlanif42
ip address 192.168.42.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.50.67
#
interface Vlanif43
ip address 192.168.43.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.50.67
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
#
ospf 1
area 0.0.0.0
network 192.168.100.12 0.0.0.3
network 192.168.0.0 0.0.255.255
#
return
<scrlzb>
Headquarters router configuration:
<zgs-R>dis current-configuration
[V200R003C00]
#
sysname zgs-R
#
board add 0/4 4GET
#
acl number 3000
rule 10 permit ip source 192.168.21.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
rule 15 permit ip source 192.168.22.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
rule 20 permit ip source 192.168.23.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
rule 25 permit ip source 192.168.31.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
rule 30 permit ip source 192.168.32.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
rule 35 permit ip source 192.168.41.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
rule 40 permit ip source 192.168.42.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
rule 45 permit ip source 192.168.43.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
rule 50 permit ip source 192.168.50.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
acl number 3001
rule 5 deny ip source 192.168.22.0 0.0.0.255 destination 192.168.32.0 0.0.0.255
acl number 3002
rule 5 permit ip source 192.168.23.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
rule 10 permit ip source 192.168.31.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
rule 15 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
rule 20 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
#
ipsec proposal ipsp
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike peer fb v2
pre-shared-key simple huawei
ike-proposal 1
remote-address 200.200.200.2
#
ipsec policy ipspo 1 isakmp
security acl 3002
ike-peer fb
proposal ipsp
#
interface GigabitEthernet0/0/0
ip address 192.168.100.5 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 192.168.100.9 255.255.255.252
traffic-filter inbound acl 3001
#
interface GigabitEthernet0/0/2
ip address 192.168.100.13 255.255.255.252
#
interface GigabitEthernet4/0/0
ip address 192.168.100.1 255.255.255.252
#
interface GigabitEthernet4/0/1
ip address 100.100.100.2 255.255.255.252
ipsec policy ipspo
nat outbound 3000
#
ospf 1
default-route-advertise
area 0.0.0.0
network 192.168.100.0 0.0.0.3
network 192.168.100.4 0.0.0.3
network 192.168.100.8 0.0.0.3
network 192.168.100.12 0.0.0.3
#
ip route-static 0.0.0.0 0.0.0.0 100.100.100.1
#
return
<zgs-R>
<dhcp-server>dis current-configuration
[V200R003C00]
#
sysname dhcp-server
#
dhcp enable
#
ip pool v11
gateway-list 192.168.11.254
network 192.168.11.0 mask 255.255.255.0
dns-list 192.168.50.53
#
ip pool v21
gateway-list 192.168.21.254
network 192.168.21.0 mask 255.255.255.0
dns-list 192.168.50.53
#
ip pool v22
gateway-list 192.168.22.254
network 192.168.22.0 mask 255.255.255.0
dns-list 192.168.50.53
#
ip pool v23
gateway-list 192.168.23.254
network 192.168.23.0 mask 255.255.255.0
dns-list 192.168.50.53
#
ip pool v31
gateway-list 192.168.31.254
network 192.168.31.0 mask 255.255.255.0
#
ip pool v32
gateway-list 192.168.32.254
network 192.168.32.0 mask 255.255.255.0
#
ip pool v41
gateway-list 192.168.41.254
network 192.168.41.0 mask 255.255.255.0
#
ip pool v42
gateway-list 192.168.42.254
network 192.168.42.0 mask 255.255.255.0
#
ip pool v43
gateway-list 192.168.43.254
network 192.168.43.0 mask 255.255.255.0
#
ip pool v12
gateway-list 192.168.12.254
network 192.168.12.0 mask 255.255.255.0
#
ip pool v13
gateway-list 192.168.13.254
network 192.168.13.0 mask 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 192.168.50.67 255.255.255.0
dhcp select global
#
ip route-static 0.0.0.0 0.0.0.0 192.168.50.254
#
return
<dhcp-server>
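The relay design above only works when three things line up for every relayed VLAN: the VLANIF address that the aggregation switch puts into the relayed request (giaddr) must fall inside one of the server's pools, that pool's gateway-list must be exactly the VLANIF address, and the pool mask must equal the VLANIF mask, otherwise clients and gateway disagree about what is on-link. The following Python script is an added example, not part of the lab or of Huawei's tooling, that parses the `interface Vlanif` blocks of an aggregation switch and the `ip pool` blocks of dhcp-server and reports any mismatch. The cwzb and dhcp-server excerpts are taken from the configs above; the Vlanif99/v99 pair is a constructed failure case, not a VLAN in this design.

```python
"""Check that DHCP relay interfaces and the central pools agree (added example, not part of the lab).
For each Vlanif that relays DHCP: (1) some pool's network must contain the Vlanif address,
(2) that pool's gateway-list must equal the Vlanif address, and (3) the pool mask must equal
the Vlanif mask. The relay target must also be the DHCP server's address."""
import ipaddress

# Excerpt of the cwzb aggregation switch config above.
CWZB = """
interface Vlanif11
 ip address 192.168.11.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 192.168.50.67
#
interface Vlanif12
 ip address 192.168.12.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 192.168.50.67
#
"""
# Excerpt of the dhcp-server config above.
POOLS = """
ip pool v11
 gateway-list 192.168.11.254
 network 192.168.11.0 mask 255.255.255.0
#
ip pool v12
 gateway-list 192.168.12.254
 network 192.168.12.0 mask 255.255.255.0
#
"""
# Constructed failure case (hypothetical VLAN 99, not in the lab): a /30 on the Vlanif, a /24 pool.
BAD_SWITCH = """
interface Vlanif99
 ip address 192.168.99.254 255.255.255.252
 dhcp select relay
 dhcp relay server-ip 192.168.50.67
#
"""
BAD_POOL = """
ip pool v99
 gateway-list 192.168.99.254
 network 192.168.99.0 mask 255.255.255.0
#
"""

def blocks(config, prefix):
    """Yield (name, body lines) for each VRP config block that starts with `prefix` and ends at '#'."""
    name, body = None, []
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith(prefix):
            name, body = line[len(prefix):].strip(), []
        elif line == "#" and name is not None:
            yield name, body
            name = None
        elif name is not None:
            body.append(line)

def relay_vlanifs(config):
    """{vlanif: (ip, mask, relay server)} for the Vlanif interfaces that relay DHCP."""
    out = {}
    for name, body in blocks(config, "interface Vlanif"):
        ip = next((l.split()[2:4] for l in body if l.startswith("ip address ")), None)
        relay = next((l.split()[-1] for l in body if l.startswith("dhcp relay server-ip ")), None)
        if ip and relay:
            out["Vlanif" + name] = (ip[0], ip[1], relay)
    return out

def pools(config):
    """{pool name: (gateway, IPv4Network)} from the `ip pool` blocks."""
    out = {}
    for name, body in blocks(config, "ip pool "):
        gw = next((l.split()[1] for l in body if l.startswith("gateway-list ")), None)
        net = next((l.split() for l in body if l.startswith("network ")), None)
        if gw and net:
            out[name] = (gw, ipaddress.ip_network(f"{net[1]}/{net[3]}"))
    return out

def check_relays(vlanifs, pool_map, server_ip):
    """{vlanif: [problems]}; an empty list means that VLAN's clients get usable leases."""
    report = {}
    for name, (ip, mask, relay) in vlanifs.items():
        problems = []
        if relay != server_ip:
            problems.append(f"relay target {relay} is not the DHCP server {server_ip}")
        giaddr = ipaddress.ip_address(ip)
        hit = [(g, n) for g, n in pool_map.values() if giaddr in n]
        if not hit:
            problems.append(f"no pool contains giaddr {ip}")
        else:
            g, n = hit[0]
            if g != ip:
                problems.append(f"pool gateway {g} differs from interface address {ip}")
            if str(n.netmask) != mask:
                problems.append(f"pool mask {n.netmask} differs from interface mask {mask}")
        report[name] = problems
    return report

if __name__ == "__main__":
    print(check_relays(relay_vlanifs(CWZB), pools(POOLS), "192.168.50.67"))
    print(check_relays(relay_vlanifs(BAD_SWITCH), pools(BAD_POOL), "192.168.50.67"))
```

Running it against the other aggregation switches (yfzb, scrlzb) is a matter of pasting their Vlanif blocks and the remaining pools in; the branch is covered the same way with yffb/scfb against the pools on fgs-R, where the relay target is the fgs-R interface address instead of 192.168.50.67.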
Branch configuration:
<yffb>dis current-configuration
#
sysname yffb
#
vlan batch 60 to 61
#
dhcp enable
#
interface Vlanif60
ip address 192.168.60.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.100.17
#
interface Vlanif61
ip address 192.168.100.18 255.255.255.252
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type access
port default vlan 61
#
interface Ethernet0/0/2
port link-type access
port default vlan 60
#
interface Ethernet0/0/3
port link-type access
port default vlan 60
#
ospf 1
area 0.0.0.0
network 192.168.100.16 0.0.0.3
network 192.168.60.0 0.0.0.255
#
return
<yffb>
<scfb>dis current-configuration
#
sysname scfb
#
vlan batch 70 to 71
#
dhcp enable
#
interface Vlanif70
ip address 192.168.70.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.100.21
#
interface Vlanif71
ip address 192.168.100.22 255.255.255.252
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type access
port default vlan 71
#
interface Ethernet0/0/2
port link-type access
port default vlan 70
#
ospf 1
area 0.0.0.0
network 192.168.100.20 0.0.0.3
network 192.168.70.0 0.0.0.255
#
return
<scfb>
<fgs-R>dis current-configuration
[V200R003C00]
#
sysname fgs-R
#
dhcp enable
#
acl number 3000
rule 5 permit ip source 192.168.60.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
rule 10 permit ip source 192.168.70.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
acl number 3002
rule 5 permit ip source 192.168.60.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
rule 10 permit ip source 192.168.70.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
rule 20 permit ip source 192.168.70.0 0.0.0.255 destination 192.168.31.0 0.0.0.255
rule 25 permit ip source 192.168.60.0 0.0.0.255 destination 192.168.23.0 0.0.0.255
#
ipsec proposal ipsp
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike peer zb v2
pre-shared-key simple huawei
ike-proposal 1
remote-address 100.100.100.2
#
ipsec policy ipspo 1 isakmp
security acl 3002
ike-peer zb
proposal ipsp
#
ip pool v60
gateway-list 192.168.60.254
network 192.168.60.0 mask 255.255.255.0
#
ip pool v70
gateway-list 192.168.70.254
network 192.168.70.0 mask 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 192.168.100.17 255.255.255.252
dhcp select global
#
interface GigabitEthernet0/0/1
ip address 192.168.100.21 255.255.255.252
dhcp select global
#
interface GigabitEthernet0/0/2
ip address 200.200.200.2 255.255.255.252
ipsec policy ipspo
nat outbound 3000
#
ospf 1
default-route-advertise
area 0.0.0.0
network 192.168.100.16 0.0.0.3
network 192.168.100.20 0.0.0.3
#
ip route-static 0.0.0.0 0.0.0.0 200.200.200.1
#
return
<fgs-R>
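Requirements 4 to 6 are carried entirely by the three ACLs on zgs-R and the two on fgs-R: ACL 3000 decides who gets NAT to the Internet (the finance VLANs 11 to 13 are simply absent from it), ACL 3001 on GE0/0/1 blocks VLAN 22 from VLAN 32, and the two ACL 3002s select the IPsec traffic and must be exact mirrors of each other or the tunnel never negotiates for the missing flow. A further detail is that VRP applies `nat outbound` before IPsec on the same interface, so the NAT ACL must not match the VPN flows; here it cannot, because it only permits destinations in 123.0.0.0/8. The following Python script is an added example, not part of the lab or of Huawei's tooling, that models those ACL semantics and checks the requirements against the ACL text above (wrapped lines joined, zgs-R ACL 3000 shortened to four of its nine rules). Separately from what the script checks, the IKE and IPsec proposals use 3DES and MD5 with the pre-shared key stored as `simple` (plain text); the V200R003 lab image accepts them, but they are legacy choices compared with the AES and SHA-2 proposals and `cipher` keys used in production.

```python
"""Policy checks for the zgs-R / fgs-R ACLs above (added example, not part of the lab).
VRP advanced ACLs match in rule-number order using wildcard masks (a 1 bit means "any").
A packet that matches no rule takes the default of the feature referencing the ACL:
traffic-filter permits it, nat outbound leaves it untranslated, and an IPsec security
ACL leaves it unprotected. NAT is applied before IPsec on the egress interface, so the
NAT ACL must not match the flows the IPsec ACL is meant to carry."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpts of the two router configs (wrapped lines joined; zgs-R ACL 3000
# shortened to four of its nine rules, enough to show that the finance VLANs 11-13 are absent).
ZGS_R = """
acl number 3000
 rule 10 permit ip source 192.168.21.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
 rule 15 permit ip source 192.168.22.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
 rule 25 permit ip source 192.168.31.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
 rule 50 permit ip source 192.168.50.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
acl number 3001
 rule 5 deny ip source 192.168.22.0 0.0.0.255 destination 192.168.32.0 0.0.0.255
acl number 3002
 rule 5 permit ip source 192.168.23.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
 rule 10 permit ip source 192.168.31.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
 rule 15 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
 rule 20 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
"""
FGS_R = """
acl number 3000
 rule 5 permit ip source 192.168.60.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
 rule 10 permit ip source 192.168.70.0 0.0.0.255 destination 123.0.0.0 0.255.255.255
acl number 3002
 rule 5 permit ip source 192.168.60.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
 rule 10 permit ip source 192.168.70.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
 rule 20 permit ip source 192.168.70.0 0.0.0.255 destination 192.168.31.0 0.0.0.255
 rule 25 permit ip source 192.168.60.0 0.0.0.255 destination 192.168.23.0 0.0.0.255
"""
RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)")

@dataclass(frozen=True)
class Block:  # a `network wildcard` pair as written in the ACL
    net: int
    wild: int

    def contains(self, addr):
        keep = ~self.wild & 0xFFFFFFFF  # bits the wildcard says must match
        return (int(ipaddress.IPv4Address(addr)) & keep) == (self.net & keep)

    def first_host(self):  # probe address used when testing one ACL against another
        return str(ipaddress.IPv4Address(self.net + 1))

@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    src: Block
    dst: Block

def block(net, wild):
    return Block(int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild)))

def parse_acls(config):
    """{acl number: rules sorted by rule number} from `acl number N` / `rule ...` lines."""
    acls, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"acl number (\d+)", line)
        if m:
            cur = int(m.group(1))
            acls.setdefault(cur, [])
        m = RULE_RE.match(line)
        if m and cur is not None:
            n, act, sn, sw, dn, dw = m.groups()
            acls[cur].append(Rule(int(n), act, block(sn, sw), block(dn, dw)))
    return {k: sorted(v, key=lambda r: r.number) for k, v in acls.items()}

def decide(rules, src, dst):
    """Action of the first matching rule, or None when no rule matches."""
    return next((r.action for r in rules if r.src.contains(src) and r.dst.contains(dst)), None)

def internet_allowed(acls, host, isp="123.123.123.123"):
    """Requirement 4: a host reaches the ISP only if `nat outbound 3000` translates it."""
    return decide(acls[3000], host, isp) == "permit"

def filtered(acls, src, dst):
    """Requirement 4: `traffic-filter inbound acl 3001` drops only on an explicit deny."""
    return decide(acls[3001], src, dst) == "deny"

def ipsec_mirror_gaps(local, remote):
    """Local permit rules with no src/dst-swapped twin on the peer; those flows never negotiate."""
    twins = {(r.dst, r.src) for r in remote if r.action == "permit"}
    return [r for r in local if r.action == "permit" and (r.src, r.dst) not in twins]

def nat_ipsec_conflicts(nat, ipsec):
    """IPsec-protected flows that the NAT ACL on the same interface would translate first."""
    return [r for r in ipsec if r.action == "permit"
            and decide(nat, r.src.first_host(), r.dst.first_host()) == "permit"]

if __name__ == "__main__":
    zgs, fgs = parse_acls(ZGS_R), parse_acls(FGS_R)
    print("finance to Internet:", internet_allowed(zgs, "192.168.11.10"))
    print("VLAN 22 -> VLAN 32 dropped:", filtered(zgs, "192.168.22.10", "192.168.32.10"))
    print("IPsec mirror gaps:", ipsec_mirror_gaps(zgs[3002], fgs[3002]))
    print("NAT/IPsec conflicts:", nat_ipsec_conflicts(zgs[3000], zgs[3002]))
```

The mirror check is the one most worth keeping around: dropping a single rule from either ACL 3002 (say rule 25 on fgs-R) leaves zgs-R rule 5 without a twin, and the VLAN 23 to VLAN 60 traffic then leaves the router unencrypted, or is dropped because no tunnel comes up for it, while every other VPN flow still works.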
ISP configuration:
<ISP>dis current-configuration
[V200R003C00]
#
sysname ISP
#
interface GigabitEthernet0/0/0
ip address 100.100.100.1 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 200.200.200.1 255.255.255.252
#
interface LoopBack0
ip address 123.123.123.123 255.255.255.255
#
return
<ISP>