Xan20 has built a new office building for a branch office. To meet day-to-day office needs, the company has decided to build an interconnected wired network for the Finance Department, the Project Management Department, the Technical Department, the Administration Department and the server farm. To make it easy for each department to work, hosts must obtain IP addresses automatically from the company's DHCP server; the company needs an internal server to which all departments can upload and from which they can download files; headquarters must be able to reach the branch's WEB server from the Internet, and the headquarters network administrator must be able to log in remotely to manage the branch's network devices; the company has ordered two Internet leased lines from different carriers, each with public IP addresses, and wants every department except Finance to have Internet access; in a later phase, all devices are to be managed remotely by the network administrator.
The DHCP server connects to a core switch through an access switch over a single link. The server farm connects to the core switches, and the two core switches are configured with port aggregation to guard against single-link failure. The Finance, Project Management, Technical and Administration departments and the server farm are in different areas; each department's access switch connects to both core switches, so that when one uplink fails, traffic can reach the core over the other link. The two core switches back each other up, so that if one fails the other can still forward traffic to the Internet. With this connection scheme the switches form loops, which is resolved with spanning tree.
To let employees obtain addresses from the DHCP server, the Finance, Project Management, Technical and Administration departments use DHCP: address pools are configured so that IP addresses and DNS server addresses are assigned automatically.
The server-farm switch, the core switches and the egress router are all interconnected at Layer 3, so a dynamic routing protocol can be configured to learn routes automatically and provide connectivity across the whole network.
The Xan20 branch has public IP addresses from two different carriers. Every employee except those in the Finance Department needs Internet access, so NAT can be configured on the egress router.
To let the network administrator manage devices remotely, the Telnet service must be enabled on all devices.
In summary, the implementation of this project is divided into the following tasks.
1. Based on the network topology and the requirements analysis, produce a detailed design for the project.
(1) PCs obtain address parameters dynamically via DHCP
(2) PCs can access the server
(3) Link aggregation on the core switches
(4) Implementation of the gateway redundancy scheme
(5) Layer 2 link redundancy
(6) Internal network access to the Internet
(7) Internet access to the internal WEB server
(8) Remote login management from the Internet
2. Configure the devices according to the design.
3. Test whether the project achieves the expected results.
1. PCs in different departments belong to different subnets
2. PCs in each department obtain address parameters via DHCP
3. PCs in each department can access the WEB server
4. Redundant gateway backup (VRRP)
5. Layer 2 link redundancy
6. Link aggregation on the core switches
7. Internal network access to the Internet
8. External devices can access the internal server
9. Remote access with Telnet
Step 1:
(I) PCs obtain address parameters dynamically via DHCP; PCs access the WEB server
To let departments obtain addresses from the company's DHCP server automatically: because the DHCP server and the DHCP clients are not in the same subnet, DHCP relay must be enabled on the core switches; to improve link reliability, link aggregation is configured on the core switches.
(1) Create VLANs 10, 20, 30, 40, 66 and 88 on all switches
[SW1]vlan batch 10 20 30 40 66 88
[SW2]vlan batch 10 20 30 40 66 88
[SW3]vlan batch 10 20 30 40 66 88
[SW4]vlan batch 10 20 30 40 66 88
[SW5]vlan batch 10 20 30 40 66 88
[SW6]vlan batch 10 20 30 40 66 88
[SW10]vlan batch 10 20 30 40 66 88
(2) Configure access and trunk ports
1) On SW1, configure GE0/0/1 and GE0/0/2 as Access ports carrying VLAN 10; configure GE0/0/5 and GE0/0/6 as Trunk ports allowing all VLANs.
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 10
[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 10
[SW1-GigabitEthernet0/0/2]int g0/0/5
[SW1-GigabitEthernet0/0/5]port link-type trunk
[SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/5]int g0/0/6
[SW1-GigabitEthernet0/0/6]port link-type trunk
[SW1-GigabitEthernet0/0/6]port trunk allow-pass vlan all
2) On SW2, configure GE0/0/1 and GE0/0/2 as Access ports carrying VLAN 20; configure GE0/0/5 and GE0/0/6 as Trunk ports allowing all VLANs.
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access
[SW2-GigabitEthernet0/0/1]port default vlan 20
[SW2-GigabitEthernet0/0/1]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type access
[SW2-GigabitEthernet0/0/2]port default vlan 20
[SW2-GigabitEthernet0/0/2]int g0/0/5
[SW2-GigabitEthernet0/0/5]port link-type trunk
[SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/5]int g0/0/6
[SW2-GigabitEthernet0/0/6]port link-type trunk
[SW2-GigabitEthernet0/0/6]port trunk allow-pass vlan all
3) On SW3, configure GE0/0/1 and GE0/0/2 as Access ports carrying VLAN 30; configure GE0/0/5 and GE0/0/6 as Trunk ports allowing all VLANs.
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]int g0/0/2
[SW3-GigabitEthernet0/0/2]port link-type access
[SW3-GigabitEthernet0/0/2]port default vlan 30
[SW3-GigabitEthernet0/0/2]int g0/0/5
[SW3-GigabitEthernet0/0/5]port link-type trunk
[SW3-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[SW3-GigabitEthernet0/0/5]int g0/0/6
[SW3-GigabitEthernet0/0/6]port link-type trunk
[SW3-GigabitEthernet0/0/6]port trunk allow-pass vlan all
4) On SW4, configure GE0/0/1 and GE0/0/2 as Access ports carrying VLAN 40; configure GE0/0/3, GE0/0/5 and GE0/0/6 as Trunk ports allowing all VLANs.
[SW4]int g0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 40
[SW4-GigabitEthernet0/0/1]int g0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 40
[SW4-GigabitEthernet0/0/2]int g0/0/3
[SW4-GigabitEthernet0/0/3]port link-type trunk
[SW4-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[SW4-GigabitEthernet0/0/3]int g0/0/5
[SW4-GigabitEthernet0/0/5]port link-type trunk
[SW4-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[SW4-GigabitEthernet0/0/5]int g0/0/6
[SW4-GigabitEthernet0/0/6]port link-type trunk
[SW4-GigabitEthernet0/0/6]port trunk allow-pass vlan all
5) On SW5, configure GE0/0/8 as an Access port carrying VLAN 88; configure GE0/0/1 to GE0/0/4 as Trunk ports allowing all VLANs. (The lines below that carry a member-interface prompt are the switch echoing each port-group command to every member interface.)
[SW5]int g0/0/8
[SW5-GigabitEthernet0/0/8]port link-type access
[SW5-GigabitEthernet0/0/8]port default vlan 88
[SW5-GigabitEthernet0/0/8]port-group 1
[SW5-port-group-1]group-member g0/0/1 to g0/0/4
[SW5-port-group-1]port link-type trunk
[SW5-GigabitEthernet0/0/1]port link-type trunk
[SW5-GigabitEthernet0/0/2]port link-type trunk
[SW5-GigabitEthernet0/0/3]port link-type trunk
[SW5-GigabitEthernet0/0/4]port link-type trunk
[SW5-port-group-1]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/4]port trunk allow-pass vlan all
6) On SW6, configure GE0/0/1 to GE0/0/5 as Trunk ports allowing all VLANs.
[SW6]port-group 1
[SW6-port-group-1]group-member g0/0/1 to g0/0/5
[SW6-port-group-1]port link-type trunk
[SW6-port-group-1]port trunk allow-pass vlan all
7) On SW10, configure GE0/0/1 as an Access port carrying VLAN 66; configure GE0/0/6 and GE0/0/10 as Trunk ports allowing all VLANs.
[SW10]int g0/0/1
[SW10-GigabitEthernet0/0/1]port link-type access
[SW10-GigabitEthernet0/0/1]port default vlan 66
[SW10-GigabitEthernet0/0/1]int g0/0/6
[SW10-GigabitEthernet0/0/6]port link-type trunk
[SW10-GigabitEthernet0/0/6]port trunk allow-pass vlan all
[SW10-GigabitEthernet0/0/6]int g0/0/10
[SW10-GigabitEthernet0/0/10]port link-type trunk
[SW10-GigabitEthernet0/0/10]port trunk allow-pass vlan all
(3) Configure link aggregation with LACP
1) On core switches SW5 and SW6, configure an Eth-Trunk over interfaces GE0/0/22 to GE0/0/24, allowing all VLANs.
[SW5]interface eth-trunk 1
[SW5-Eth-Trunk1]mode lacp-static
[SW5-Eth-Trunk1]trunkport GigabitEthernet 0/0/22 to 0/0/24
[SW5-Eth-Trunk1]port link-type trunk
[SW5-Eth-Trunk1]port trunk allow-pass vlan all
[SW6]interface eth-trunk 1
[SW6-Eth-Trunk1]mode lacp-static
[SW6-Eth-Trunk1]trunkport GigabitEthernet 0/0/22 to 0/0/24
[SW6-Eth-Trunk1]port link-type trunk
[SW6-Eth-Trunk1]port trunk allow-pass vlan all
2) On core switch SW5, set the LACP system priority to 3000.
[SW5]lacp priority 3000
3) On core switch SW5, set the LACP port priorities of GE0/0/22 to GE0/0/24 to 1000, 2000 and 3000 respectively.
[SW5]int g0/0/22
[SW5-GigabitEthernet0/0/22]lacp priority 1000
[SW5-GigabitEthernet0/0/22]int g0/0/23
[SW5-GigabitEthernet0/0/23]lacp priority 2000
[SW5-GigabitEthernet0/0/23]int g0/0/24
[SW5-GigabitEthernet0/0/24]lacp priority 3000
4) On core switch SW5, enable LACP preemption.
[SW5]interface eth-trunk 1
[SW5-Eth-Trunk1]lacp preempt enable
[SW5-Eth-Trunk1]lacp preempt delay 10
3. Configure routing
(1) Configure the IP address of interface GE0/0/0 on the DHCP device.
<Huawei>sys
[Huawei]un in en
[Huawei]sysname DHCP
[DHCP]int g0/0/0
[DHCP-GigabitEthernet0/0/0] ip address 192.168.66.1 24
(2) Configure the Layer 3 interface IP addresses on core switches SW5 and SW6.
[SW5]int vlanif10
[SW5-Vlanif10]ip address 192.168.10.251 24
[SW5-Vlanif10]int vlanif20
[SW5-Vlanif20]ip address 192.168.20.251 24
[SW5-Vlanif20]int vlanif30
[SW5-Vlanif30]ip address 192.168.30.251 24
[SW5-Vlanif30]int vlanif40
[SW5-Vlanif40]ip address 192.168.40.251 24
[SW5-Vlanif40]int vlanif66
[SW5-Vlanif66]ip address 192.168.66.251 24
[SW5-Vlanif66]int vlanif88
[SW5-Vlanif88]ip address 192.168.88.254 24
[SW6]int vlanif10
[SW6-Vlanif10]ip address 192.168.10.252 24
[SW6-Vlanif10]int vlanif20
[SW6-Vlanif20]ip address 192.168.20.252 24
[SW6-Vlanif20]int vlanif30
[SW6-Vlanif30]ip address 192.168.30.252 24
[SW6-Vlanif30]int vlanif40
[SW6-Vlanif40]ip address 192.168.40.252 24
[SW6-Vlanif40]int vlanif66
[SW6-Vlanif66]ip address 192.168.66.254 24
[SW6-Vlanif66]int vlanif88
[SW6-Vlanif88]ip address 192.168.88.251 24
(3) Configure a default route on the DHCP device
[DHCP]ip route-static 0.0.0.0 0.0.0.0 192.168.66.254
4. Configure the DHCP server
(1) Enable the DHCP service on the DHCP device and configure the address pools (subnet, gateway, DNS, lease).
[DHCP]dhcp enable
[DHCP]ip pool vlan10
[DHCP-ip-pool-vlan10]network 192.168.10.0 mask 255.255.255.0
[DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[DHCP-ip-pool-vlan10]dns-list 114.114.114.114 8.8.8.8
[DHCP-ip-pool-vlan10]lease day 1
[DHCP-ip-pool-vlan10]quit
[DHCP]ip pool vlan20
[DHCP-ip-pool-vlan20]network 192.168.20.0 mask 255.255.255.0
[DHCP-ip-pool-vlan20]gateway-list 192.168.20.254
[DHCP-ip-pool-vlan20]dns-list 114.114.114.114 8.8.8.8
[DHCP-ip-pool-vlan20]lease day 2
[DHCP-ip-pool-vlan20]quit
[DHCP]ip pool vlan30
[DHCP-ip-pool-vlan30]network 192.168.30.0 mask 255.255.255.0
[DHCP-ip-pool-vlan30]gateway-list 192.168.30.254
[DHCP-ip-pool-vlan30]dns-list 114.114.114.114 8.8.8.8
[DHCP-ip-pool-vlan30]lease day 3
[DHCP-ip-pool-vlan30]quit
[DHCP]ip pool vlan40
[DHCP-ip-pool-vlan40]network 192.168.40.0 mask 255.255.255.0
[DHCP-ip-pool-vlan40]gateway-list 192.168.40.254
[DHCP-ip-pool-vlan40]dns-list 114.114.114.114 8.8.8.8
[DHCP-ip-pool-vlan40]lease day 4
[DHCP-ip-pool-vlan40]quit
(2) Enable DHCP on interface GE0/0/0 of the DHCP device
[DHCP]interface GigabitEthernet 0/0/0
[DHCP-GigabitEthernet0/0/0]dhcp select global
5. Configure DHCP relay on SW6
Enable DHCP, then enable relay on the interfaces facing the terminals and specify the server address.
[SW6]dhcp enable
[SW6]int vlanif10
[SW6-Vlanif10]dhcp select relay
[SW6-Vlanif10]dhcp relay server-ip 192.168.66.1
[SW6-Vlanif10]int vlanif20
[SW6-Vlanif20]dhcp select relay
[SW6-Vlanif20]dhcp relay server-ip 192.168.66.1
[SW6-Vlanif20]int vlanif30
[SW6-Vlanif30]dhcp select relay
[SW6-Vlanif30]dhcp relay server-ip 192.168.66.1
[SW6-Vlanif30]int vlanif40
[SW6-Vlanif40]dhcp select relay
[SW6-Vlanif40]dhcp relay server-ip 192.168.66.1
Step 2:
(II) Implementing the gateway redundancy scheme
To improve network reliability without changing the topology, VRRP is used on core switches SW5 and SW6 to provide gateway redundancy.
1. Build the topology
2. Switch configuration
(1) Replace the VLAN 10, 20, 30 and 40 gateway addresses 192.168.XX.254 configured on SW6 in requirement 1 with 192.168.XX.252, keeping 192.168.XX.254 as the virtual gateway.
[SW6]interface Vlanif10
[SW6-Vlanif10]ip address 192.168.10.252 24
[SW6-Vlanif10]interface Vlanif20
[SW6-Vlanif20]ip address 192.168.20.252 24
[SW6-Vlanif20]interface Vlanif30
[SW6-Vlanif30]ip address 192.168.30.252 24
[SW6-Vlanif30]interface Vlanif40
[SW6-Vlanif40]ip address 192.168.40.252 24
(2) Configure the virtual IP addresses
1) Make SW5 the master that forwards traffic for VLANs 10 and 20: VRIDs 10 and 20, virtual IP addresses 192.168.10.254 and 192.168.20.254, priority 200. Configuration on SW5:
[SW5]interface Vlanif10
[SW5-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW5-Vlanif10]vrrp vrid 10 priority 200
[SW5-Vlanif10]interface Vlanif20
[SW5-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW5-Vlanif20]vrrp vrid 20 priority 200
2) Make SW6 the backup for VLANs 10 and 20: VRIDs 10 and 20, virtual IP addresses 192.168.10.254 and 192.168.20.254, priority 100 (the default). Configuration on SW6:
[SW6]interface Vlanif10
[SW6-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW6-Vlanif10]vrrp vrid 10 priority 100
[SW6-Vlanif10]interface Vlanif20
[SW6-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW6-Vlanif20]vrrp vrid 20 priority 100
3) Make SW6 the master that forwards traffic for VLANs 30 and 40: VRIDs 30 and 40, virtual IP addresses 192.168.30.254 and 192.168.40.254, priority 200. Configuration on SW6:
[SW6]interface Vlanif30
[SW6-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW6-Vlanif30]vrrp vrid 30 priority 200
[SW6-Vlanif30]interface Vlanif40
[SW6-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.254
[SW6-Vlanif40]vrrp vrid 40 priority 200
4) Make SW5 the backup for VLANs 30 and 40: VRIDs 30 and 40, virtual IP addresses 192.168.30.254 and 192.168.40.254, priority 100 (the default). Configuration on SW5:
[SW5]interface Vlanif30
[SW5-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW5-Vlanif30]vrrp vrid 30 priority 100
[SW5-Vlanif30]interface Vlanif40
[SW5-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.254
[SW5-Vlanif40]vrrp vrid 40 priority 100
3. Exclude the addresses already in use from the address pools on the DHCP device.
Because the DHCP address pools were created first, addresses handed out by DHCP conflict with the .251/.252 addresses of SW5 and SW6. First reclaim the addresses in the pools, then exclude the IP addresses that are already configured.
(1) Reset the address pools, from the user view.
<DHCP>reset ip pool name vlan10 all
Warning: If the IP addresses that are being used are reclaimed, may influence normal user in the network. Are you sure to continue?[Y/N]:y
Repeat the operation to reset the ip pools vlan20, vlan30 and vlan40.
(2) From the system view, enter each address pool and exclude the IP addresses that are already configured.
[DHCP]ip pool vlan10
[DHCP-ip-pool-vlan10]excluded-ip-address 192.168.10.251 192.168.10.252
[DHCP-ip-pool-vlan10]quit
[DHCP]ip pool vlan20
[DHCP-ip-pool-vlan20]excluded-ip-address 192.168.20.251 192.168.20.252
[DHCP-ip-pool-vlan20]quit
[DHCP]ip pool vlan30
[DHCP-ip-pool-vlan30]excluded-ip-address 192.168.30.251 192.168.30.252
[DHCP-ip-pool-vlan30]quit
[DHCP]ip pool vlan40
[DHCP-ip-pool-vlan40]excluded-ip-address 192.168.40.251 192.168.40.252
[DHCP-ip-pool-vlan40]quit
4. Enable DHCP on core switch SW5 and configure DHCP relay.
[SW5]dhcp enable
[SW5]interface Vlanif10
[SW5-Vlanif10]dhcp select relay
[SW5-Vlanif10]dhcp relay server-ip 192.168.66.1
[SW5-Vlanif10]interface Vlanif20
[SW5-Vlanif20]dhcp select relay
[SW5-Vlanif20]dhcp relay server-ip 192.168.66.1
[SW5-Vlanif20]interface Vlanif30
[SW5-Vlanif30]dhcp select relay
[SW5-Vlanif30]dhcp relay server-ip 192.168.66.1
[SW5-Vlanif30]interface Vlanif40
[SW5-Vlanif40]dhcp select relay
[SW5-Vlanif40]dhcp relay server-ip 192.168.66.1
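The relay configuration on SW6 and SW5 and the excluded-ip-address entries above can be traced in a small model. The following Python is an added example, not part of the original lab and not Huawei software: it models a relay agent stamping giaddr with its Vlanif address before forwarding to 192.168.66.1, a server in global mode choosing the pool whose network contains giaddr, and the gateway-list and excluded-ip-address entries being withheld from allocation. Pool networks, gateways and excluded addresses are the page's; the client MAC, the sequential allocation order and the data structures are constructed simplifications.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Pools as configured on the DHCP device (network, gateway-list, excluded-ip-address).
# Values are taken from the page; the structure is a constructed simplification.
POOLS = {
    "vlan10": ("192.168.10.0/24", "192.168.10.254", ["192.168.10.251", "192.168.10.252"]),
    "vlan20": ("192.168.20.0/24", "192.168.20.254", ["192.168.20.251", "192.168.20.252"]),
    "vlan30": ("192.168.30.0/24", "192.168.30.254", ["192.168.30.251", "192.168.30.252"]),
    "vlan40": ("192.168.40.0/24", "192.168.40.254", ["192.168.40.251", "192.168.40.252"]),
}
SERVER_IF_IP = "192.168.66.1"   # GE0/0/0 of the DHCP device


@dataclass
class DhcpServer:
    """Model of a server in 'dhcp select global' mode: the pool is chosen by subnet."""
    pools: dict
    leases: dict = field(default_factory=dict)   # offered ip -> client id

    def select_pool(self, giaddr: str, server_if: str) -> Optional[str]:
        # RFC 2131: a non-zero giaddr identifies the client's subnet; a zero giaddr
        # means the broadcast arrived directly on one of the server's own interfaces.
        key = giaddr if giaddr != "0.0.0.0" else server_if
        addr = ipaddress.ip_address(key)
        for name, (net, _gw, _ex) in self.pools.items():
            if addr in ipaddress.ip_network(net):
                return name
        return None

    def offer(self, client: str, giaddr: str,
              server_if: str = SERVER_IF_IP) -> Optional[Tuple[str, str]]:
        """Return (offered_ip, gateway), or None if no pool matches or it is exhausted."""
        name = self.select_pool(giaddr, server_if)
        if name is None:
            return None
        net_s, gateway, excluded = self.pools[name]
        # The gateway-list address and every excluded-ip-address are never handed out.
        reserved = set(excluded) | {gateway}
        for host in ipaddress.ip_network(net_s).hosts():
            ip = str(host)
            if ip in reserved or ip in self.leases:
                continue
            self.leases[ip] = client
            return ip, gateway
        return None


def relay(discover: dict, relay_if_ip: str) -> dict:
    """What 'dhcp select relay' does on a Vlanif: fill giaddr with the receiving
    interface address (first relay only), count the hop, then unicast the message
    to the address given by 'dhcp relay server-ip'."""
    msg = dict(discover)
    if msg["giaddr"] == "0.0.0.0":
        msg["giaddr"] = relay_if_ip
    msg["hops"] += 1
    return msg


def simulate(via_relay: bool, relay_if_ip: str = "192.168.10.252") -> Optional[Tuple[str, str]]:
    """A VLAN 10 client broadcasts DISCOVER; compare the relayed and unrelayed outcome.
    The client MAC is constructed; the relay address is SW6's Vlanif10."""
    server = DhcpServer(POOLS)
    discover = {"op": "DISCOVER", "chaddr": "00:11:22:33:44:55",
                "giaddr": "0.0.0.0", "hops": 0}
    if via_relay:
        discover = relay(discover, relay_if_ip)
    # Without relay the server sees giaddr 0.0.0.0 and looks for a pool covering
    # its own 192.168.66.1 interface; the page configures none, so no offer is made.
    return server.offer(discover["chaddr"], discover["giaddr"])


def exhaust_pool(relay_if_ip: str = "192.168.10.252") -> list:
    """Hand out every address the VLAN 10 pool will give; .251, .252 and .254 must be absent."""
    server = DhcpServer(POOLS)
    handed, n = [], 0
    while (r := server.offer(f"client-{n}", relay_if_ip)) is not None:
        handed.append(r[0])
        n += 1
    return handed


if __name__ == "__main__":
    print("relayed:  ", simulate(True))
    print("unrelayed:", simulate(False))
    print("usable addresses in vlan10:", len(exhaust_pool()))
```

Running it shows the two facts the lab relies on: without relay the server has no pool for the subnet it sees, so the client gets nothing, and with the exclusions in place the .251/.252 core addresses are never offered, which is exactly the conflict the pool reset was meant to clear.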
Step 3:
(III) Implementing Layer 2 link redundancy
To provide Layer 2 link redundancy, spanning tree is configured on all switches, setting the Layer 2 link priorities and selecting the root bridge for each VLAN.
1. Build the topology
2. Switch configuration
(1) Configure STP on all switches (SWX stands for each switch in turn) and map VLAN 10 to instance 1, VLAN 20 to instance 2, VLAN 30 to instance 3 and VLAN 40 to instance 4.
[SWX]stp enable
[SWX]stp region-configuration
[SWX-mst-region]region-name zhaoqing
[SWX-mst-region]instance 1 vlan 10
[SWX-mst-region]instance 2 vlan 20
[SWX-mst-region]instance 3 vlan 30
[SWX-mst-region]instance 4 vlan 40
[SWX-mst-region]active region-configuration
(2) Make core switch SW5 the primary root bridge for VLANs 10 and 20 and the secondary root bridge for VLANs 30 and 40.
[SW5] stp instance 1 priority 4096
[SW5] stp instance 2 priority 4096
[SW5] stp instance 3 priority 8192
[SW5] stp instance 4 priority 8192
(3) Make core switch SW6 the primary root bridge for VLANs 30 and 40 and the secondary root bridge for VLANs 10 and 20.
[SW6] stp instance 1 priority 8192
[SW6] stp instance 2 priority 8192
[SW6] stp instance 3 priority 4096
[SW6] stp instance 4 priority 4096
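The master/backup split in Step 2 (SW5 master for VLANs 10 and 20, SW6 for 30 and 40) is mirrored by the root bridge split here (SW5 root for instances 1 and 2, SW6 for 3 and 4). Keeping the two aligned matters: if the VRRP master for a VLAN is not also the MSTP root for that VLAN's instance, frames from the access switches travel to the root and then across the inter-core trunk to reach the gateway, doubling the load on that trunk and widening the impact of a core failure. The Python below is an added example, not from the lab or any vendor: it implements the VRRP election rule (highest priority, ties broken by the higher interface address), the MSTP root rule (lowest priority, ties broken by the lowest bridge MAC) and checks the alignment per VLAN, including when one core is down. VRRP priorities, interface addresses and instance priorities are the page's; the bridge MACs are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class VrrpRouter:
    name: str
    ip: str          # real interface address on this VLAN
    priority: int    # 1..254 (255 is reserved for the address owner)


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int    # MSTI priority, a multiple of 4096
    mac: str         # bridge MAC, constructed placeholder here


def vrrp_master(routers: List[VrrpRouter], failed: FrozenSet[str] = frozenset()) -> Optional[str]:
    """RFC 5798 election: highest priority wins; equal priorities are broken by the
    higher primary IP address. With preemption on (the VRP default) a returning
    higher-priority router takes the master role back, so re-running the election
    over the live set is enough to model both failover and recovery."""
    alive = [r for r in routers if r.name not in failed]
    if not alive:
        return None
    return max(alive, key=lambda r: (r.priority, int(ipaddress.ip_address(r.ip)))).name


def stp_root(bridges: List[Bridge], failed: FrozenSet[str] = frozenset()) -> Optional[str]:
    """MSTP root for one instance: lowest bridge priority, ties broken by lowest MAC."""
    alive = [b for b in bridges if b.name not in failed]
    if not alive:
        return None
    return min(alive, key=lambda b: (b.priority, b.mac)).name


# Per-VLAN VRRP groups as configured in Step 2 (priorities 200/100, .251 on SW5, .252 on SW6).
VRRP: Dict[int, List[VrrpRouter]] = {
    10: [VrrpRouter("SW5", "192.168.10.251", 200), VrrpRouter("SW6", "192.168.10.252", 100)],
    20: [VrrpRouter("SW5", "192.168.20.251", 200), VrrpRouter("SW6", "192.168.20.252", 100)],
    30: [VrrpRouter("SW5", "192.168.30.251", 100), VrrpRouter("SW6", "192.168.30.252", 200)],
    40: [VrrpRouter("SW5", "192.168.40.251", 100), VrrpRouter("SW6", "192.168.40.252", 200)],
}
# VLAN -> MSTI mapping and per-instance priorities as configured in Step 3.
VLAN_TO_INSTANCE = {10: 1, 20: 2, 30: 3, 40: 4}
MAC_SW5, MAC_SW6 = "4c1f-cc00-0005", "4c1f-cc00-0006"   # constructed placeholders
MSTP: Dict[int, List[Bridge]] = {
    1: [Bridge("SW5", 4096, MAC_SW5), Bridge("SW6", 8192, MAC_SW6)],
    2: [Bridge("SW5", 4096, MAC_SW5), Bridge("SW6", 8192, MAC_SW6)],
    3: [Bridge("SW5", 8192, MAC_SW5), Bridge("SW6", 4096, MAC_SW6)],
    4: [Bridge("SW5", 8192, MAC_SW5), Bridge("SW6", 4096, MAC_SW6)],
}


def check_alignment(vrrp=VRRP, mstp=MSTP, vlan_map=VLAN_TO_INSTANCE,
                    failed: FrozenSet[str] = frozenset()) -> Dict[int, Tuple[Optional[str], Optional[str], bool]]:
    """For every VLAN return (vrrp_master, stp_root, aligned)."""
    out = {}
    for vlan, routers in vrrp.items():
        master = vrrp_master(routers, failed)
        root = stp_root(mstp[vlan_map[vlan]], failed)
        out[vlan] = (master, root, master is not None and master == root)
    return out


def misaligned_example() -> Dict[int, Tuple[Optional[str], Optional[str], bool]]:
    """Constructed mistake: the Step 3 priorities for instances 3 and 4 typed the wrong way round."""
    wrong = dict(MSTP)
    wrong[3] = [Bridge("SW5", 4096, MAC_SW5), Bridge("SW6", 8192, MAC_SW6)]
    wrong[4] = [Bridge("SW5", 4096, MAC_SW5), Bridge("SW6", 8192, MAC_SW6)]
    return check_alignment(mstp=wrong)


if __name__ == "__main__":
    for vlan, row in check_alignment().items():
        print(f"vlan {vlan}: master={row[0]} root={row[1]} aligned={row[2]}")
    print("SW5 down:", check_alignment(failed=frozenset({"SW5"})))
    print("typo in instance 3/4 priorities:", misaligned_example())
```

With the page's values every VLAN is aligned, and when SW5 is removed both roles move to SW6 together. The misaligned variant shows what a single transposed priority does: VLANs 30 and 40 would keep SW6 as gateway while the tree roots at SW5.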
Step 4:
(IV) Internal network access to the Internet
To give the internal network Internet access, the networks connected to core switches SW5 and SW6 and to the core device R1 are divided into OSPF areas. SW7 is added for core redundancy.
1. Build the topology
2. Switch configuration
(1) Add VLAN 15 from the system view on switches SW1 to SW6 and SW10.
[SW1]vlan 15
[SW2]vlan 15
[SW3]vlan 15
[SW4]vlan 15
[SW5]vlan 15
[SW6]vlan 15
[SW10]vlan 15
(2) Create VLANs 10, 15, 20, 30, 40, 66 and 88 on SW7
<Huawei>sys
[Huawei]sysname SW7
[SW7]undo info-center enable
[SW7]vlan batch 10 15 20 30 40 66 88
(3) Configure GE0/0/7 on SW5 and SW6 as Trunk ports allowing all VLANs.
[SW5]interface GigabitEthernet0/0/7
[SW5-GigabitEthernet0/0/7]port link-type trunk
[SW5-GigabitEthernet0/0/7]port trunk allow-pass vlan all
[SW6]interface GigabitEthernet0/0/7
[SW6-GigabitEthernet0/0/7]port link-type trunk
[SW6-GigabitEthernet0/0/7]port trunk allow-pass vlan all
(4) Configure GE0/0/5 and GE0/0/6 on SW7 as Trunk ports allowing all VLANs; configure GE0/0/15 as an Access port carrying VLAN 15.
[SW7]interface GigabitEthernet0/0/5
[SW7-GigabitEthernet0/0/5]port link-type trunk
[SW7-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[SW7-GigabitEthernet0/0/5]quit
[SW7]interface GigabitEthernet0/0/6
[SW7-GigabitEthernet0/0/6]port link-type trunk
[SW7-GigabitEthernet0/0/6]port trunk allow-pass vlan all
[SW7-GigabitEthernet0/0/6]quit
[SW7]interface GigabitEthernet0/0/15
[SW7-GigabitEthernet0/0/15]port link-type access
[SW7-GigabitEthernet0/0/15]port default vlan 15
(5) Configure the VLAN 15 Layer 3 interface addresses on SW5 and SW6
[SW5]interface Vlanif15
[SW5-Vlanif15]ip address 192.168.15.5 255.255.255.0
[SW6]interface Vlanif15
[SW6-Vlanif15]ip address 192.168.15.6 255.255.255.0
(6) Configure the MSTP region on SW7, mapping VLAN 10 to instance 1, VLAN 20 to instance 2, VLAN 30 to instance 3, VLAN 15 to instance 15 and VLAN 40 to instance 4, and make SW7 the primary root bridge for VLAN 15 by setting the instance 15 priority to 0.
[SW7]stp region-configuration
[SW7-mst-region]region-name zhaoqing
[SW7-mst-region]instance 1 vlan 10
[SW7-mst-region]instance 15 vlan 15
[SW7-mst-region]instance 2 vlan 20
[SW7-mst-region]instance 3 vlan 30
[SW7-mst-region]instance 4 vlan 40
[SW7-mst-region]active region-configuration
[SW7-mst-region]quit
[SW7]stp instance 15 priority 0
(7) Configure basic multi-area OSPF on SW5 with a manually assigned Router ID; the backbone is area 0 and advertises the 192.168.15.0 subnet.
[SW5]ospf 1 router-id 5.5.5.5
[SW5-ospf-1]area 0
[SW5-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
[SW5-ospf-1-area-0.0.0.0]quit
[SW5-ospf-1]area 10
[SW5-ospf-1-area-0.0.0.10]network 192.168.10.0 0.0.0.255
[SW5-ospf-1-area-0.0.0.10]quit
[SW5-ospf-1]area 20
[SW5-ospf-1-area-0.0.0.20]network 192.168.20.0 0.0.0.255
[SW5-ospf-1-area-0.0.0.20]quit
[SW5-ospf-1]area 30
[SW5-ospf-1-area-0.0.0.30]network 192.168.30.0 0.0.0.255
[SW5-ospf-1-area-0.0.0.30]quit
[SW5-ospf-1]area 40
[SW5-ospf-1-area-0.0.0.40]network 192.168.40.0 0.0.0.255
[SW5-ospf-1-area-0.0.0.40]quit
[SW5-ospf-1]area 66
[SW5-ospf-1-area-0.0.0.66]network 192.168.66.0 0.0.0.255
[SW5-ospf-1-area-0.0.0.66]quit
[SW5-ospf-1]area 88
[SW5-ospf-1-area-0.0.0.88]network 192.168.88.0 0.0.0.255
[SW5-ospf-1-area-0.0.0.88]quit
(8) Configure basic multi-area OSPF on SW6 with a manually assigned Router ID; the backbone is area 0 and advertises the 192.168.15.0 subnet.
[SW6]ospf 1 router-id 6.6.6.6
[SW6-ospf-1]area 0
[SW6-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
[SW6-ospf-1-area-0.0.0.0]quit
[SW6-ospf-1]area 10
[SW6-ospf-1-area-0.0.0.10]network 192.168.10.0 0.0.0.255
[SW6-ospf-1-area-0.0.0.10]quit
[SW6-ospf-1]area 20
[SW6-ospf-1-area-0.0.0.20]network 192.168.20.0 0.0.0.255
[SW6-ospf-1-area-0.0.0.20]quit
[SW6-ospf-1]area 30
[SW6-ospf-1-area-0.0.0.30]network 192.168.30.0 0.0.0.255
[SW6-ospf-1-area-0.0.0.30]quit
[SW6-ospf-1]area 40
[SW6-ospf-1-area-0.0.0.40]network 192.168.40.0 0.0.0.255
[SW6-ospf-1-area-0.0.0.40]quit
[SW6-ospf-1]area 66
[SW6-ospf-1-area-0.0.0.66]network 192.168.66.0 0.0.0.255
[SW6-ospf-1-area-0.0.0.66]quit
[SW6-ospf-1]area 88
[SW6-ospf-1-area-0.0.0.88]network 192.168.88.0 0.0.0.255
[SW6-ospf-1-area-0.0.0.88]quit
3. Router configuration
(1) Configure IP addresses on R1's G0/0/0 and G0/0/1 interfaces.
<Huawei>sys
[Huawei]sysname R1
[R1]un in en
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.15.1 24
[R1-GigabitEthernet0/0/0]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]ip address 100.1.1.1 24
(2) Configure IP addresses on R3's GE0/0/0 and GE0/0/1 interfaces.
<Huawei>sys
[Huawei]sysname R3
[R3]un in en
[R3]interface GigabitEthernet0/0/0
[R3-GigabitEthernet0/0/0]ip address 200.1.1.254 24
[R3-GigabitEthernet0/0/0]interface GigabitEthernet0/0/1
[R3-GigabitEthernet0/0/1]ip address 100.1.1.6 24
(3) Configure OSPF on R1 with router-id 1.1.1.1, place the connected VLAN subnet in its area, and advertise a default route through OSPF.
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]default-route-advertise
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
(4) On R1, configure the ACL that controls internal access to the Internet and apply it on interface G0/0/1, so that every internal network except the Finance Department can reach the Internet.
[R1]acl 2000
[R1-acl-basic-2000] rule 5 deny source 192.168.10.0 0.0.0.255
[R1-acl-basic-2000] rule 10 permit source 192.168.20.0 0.0.0.255
[R1-acl-basic-2000] rule 15 permit source 192.168.30.0 0.0.0.255
[R1-acl-basic-2000] rule 20 permit source 192.168.40.0 0.0.0.255
[R1-acl-basic-2000] rule 25 permit source 192.168.15.0 0.0.0.255
[R1-acl-basic-2000] rule 30 permit source 192.168.66.0 0.0.0.255
[R1-acl-basic-2000] rule 35 permit source 192.168.88.0 0.0.0.255
[R1]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1] nat outbound 2000
(5) Configure an outbound default route on R1 for connectivity to the Internet.
[R1]ip route-static 0.0.0.0 0 100.1.1.6
Step 5:
(V) Internet access to the internal WEB server; remote login management from the Internet
To let headquarters clients reach the branch's internal WEB server from the Internet, a public IP address is mapped to the internal WEB server's IP address. For remote login management, the headquarters network administrator logs in to the core switches over Telnet to manage the branch's internal network devices, and the Telnet service is enabled on all internal network devices.
1. Build the topology
2. Configure the switches
(1) Create VLAN 99 on all switches as the management VLAN.
[SW1]vlan 99
[SW2]vlan 99
[SW3]vlan 99
[SW4]vlan 99
[SW5]vlan 99
[SW6]vlan 99
[SW7]vlan 99
[SW10]vlan 99
(2) Configure the VLAN 99 Layer 3 interface IP address on all switches.
[SW1]int vlanif 99
[SW1-Vlanif99]ip address 192.168.99.1 24
[SW2]int vlanif 99
[SW2-Vlanif99]ip address 192.168.99.2 24
[SW3]int vlanif 99
[SW3-Vlanif99]ip address 192.168.99.3 24
[SW4]int vlanif 99
[SW4-Vlanif99]ip address 192.168.99.4 24
[SW5]int vlanif 99
[SW5-Vlanif99]ip address 192.168.99.5 24
[SW6]int vlanif 99
[SW6-Vlanif99]ip address 192.168.99.6 24
[SW7]int vlanif 99
[SW7-Vlanif99]ip address 192.168.99.7 24
[SW10]int vlanif 99
[SW10-Vlanif99]ip address 192.168.99.10 24
(3) Enable the remote management service on all switches (on real devices, protocol inbound all must be configured in the user-interface view so that all protocols are allowed inbound; otherwise remote management does not work).
[SWX]telnet server enable
[SWX]user-interface vty 0 4
[SWX-ui-vty0-4]authentication-mode aaa
[SWX-ui-vty0-4]protocol inbound all
[SWX]aaa
[SWX-aaa]local-user admin password cipher huawei@123
[SWX-aaa]local-user admin privilege level 15
[SWX-aaa]local-user admin service-type telnet
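The snippet above enables Telnet, allows every protocol inbound on the VTY lines, stores the account password with a reversible cipher, and puts no source restriction or idle timeout on the VTYs; later in this step the same service is published to the Internet through nat server on TCP port 23. The Python below is an added example, not part of the lab: a small audit script that reads VRP configuration text in the prompt-prefixed form used on this page and reports those findings. The hardened sample it is checked against uses the VRP commands stelnet server enable, protocol inbound ssh, acl 2001 inbound and idle-timeout under the user interface, and password irreversible-cipher; the password value is a placeholder and ACL 2001 is assumed to list the management stations.

```python
import re
from typing import List, Tuple

# Constructed sample: the remote-management snippet from this step, prompts included.
SAMPLE = """\
[SWX]telnet server enable
[SWX]user-interface vty 0 4
[SWX-ui-vty0-4]authentication-mode aaa
[SWX-ui-vty0-4]protocol inbound all
[SWX]aaa
[SWX-aaa]local-user admin password cipher huawei@123
[SWX-aaa]local-user admin privilege level 15
[SWX-aaa]local-user admin service-type telnet
"""

# Constructed hardened counterpart: SSH only, VTY source ACL, idle timeout,
# irreversible password storage. The password is a placeholder, ACL 2001 is assumed.
HARDENED = """\
[SWX]stelnet server enable
[SWX]user-interface vty 0 4
[SWX-ui-vty0-4]authentication-mode aaa
[SWX-ui-vty0-4]protocol inbound ssh
[SWX-ui-vty0-4]acl 2001 inbound
[SWX-ui-vty0-4]idle-timeout 5 0
[SWX]aaa
[SWX-aaa]local-user admin password irreversible-cipher <PLACEHOLDER>
[SWX-aaa]local-user admin privilege level 15
[SWX-aaa]local-user admin service-type ssh
"""

PROMPT = re.compile(r"^[<\[]([^>\]]*)[>\]]")


def split_line(raw: str) -> Tuple[str, str]:
    """Return (view, command) from a prompt-prefixed line such as '[SW5-ui-vty0-4]acl 2001 inbound'."""
    line = raw.strip()
    m = PROMPT.match(line)
    if not m:
        return "", line
    return m.group(1), line[m.end():].strip()


def audit_vrp_config(text: str) -> List[str]:
    """Flag remote-management weaknesses in a VRP configuration transcript."""
    findings: List[str] = []
    vty_seen = vty_acl = vty_idle = vty_proto_all = False
    for raw in text.splitlines():
        view, cmd = split_line(raw)
        if not cmd:
            continue
        if cmd.startswith("telnet server enable"):
            findings.append("TELNET_ENABLED")              # cleartext credentials and session
        if cmd.startswith("user-interface vty"):
            vty_seen = True
        if "-ui-vty" in view:
            if cmd.startswith("acl ") and cmd.endswith("inbound"):
                vty_acl = True                              # management sources restricted
            if cmd.startswith("idle-timeout"):
                vty_idle = True
            if cmd == "protocol inbound all":
                vty_proto_all = True
        m = re.match(r"local-user (\S+) password cipher ", cmd)
        if m:
            findings.append(f"REVERSIBLE_PASSWORD:{m.group(1)}")
        m = re.match(r"local-user (\S+) service-type .*\btelnet\b", cmd)
        if m:
            findings.append(f"TELNET_USER:{m.group(1)}")
    if vty_seen:
        if vty_proto_all:
            findings.append("VTY_PROTOCOL_INBOUND_ALL")      # narrow to one protocol
        if not vty_acl:
            findings.append("VTY_NO_INBOUND_ACL")            # any source may attempt login
        if not vty_idle:
            findings.append("VTY_DEFAULT_IDLE_TIMEOUT")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page snippet", SAMPLE), ("hardened", HARDENED)):
        print(name, "->", audit_vrp_config(cfg) or "no findings")
```

The page's own snippet produces six findings; the hardened variant produces none. Running a check like this over the transcript of every device before the nat server mapping is added is the cheapest point at which to catch a management plane that is about to be reachable from the Internet.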
(4) Configure master/backup for VLAN 99 on SW5 and SW6, set the priorities, virtual IP 192.168.99.254.
[SW5]int Vlanif 99
[SW5-Vlanif99]vrrp vrid 99 virtual-ip 192.168.99.254
[SW5-Vlanif99]vrrp vrid 99 priority 200
[SW6]int Vlanif 99
[SW6-Vlanif99]vrrp vrid 99 virtual-ip 192.168.99.254
[SW6-Vlanif99]vrrp vrid 99 priority 100
(5) On all switches, add instance 9 for VLAN 99 to the MSTP configuration.
[SWX]stp region-configuration
[SWX-mst-region]region-name zhaoqing
[SWX-mst-region]instance 9 vlan 99
[SWX-mst-region]active region-configuration
(6) SW5 is the root bridge for VLAN 99 with priority 4096; SW6 is the secondary root bridge for VLAN 99 with priority 8192.
[SW5]stp instance 9 priority 4096
[SW6]stp instance 9 priority 8192
(7) On SW5 and SW6, enter OSPF process 1, create area 99 and advertise network 192.168.99.0 0.0.0.255
[SW5]ospf 1
[SW5-ospf-1]area 99
[SW5-ospf-1-area-0.0.0.99]network 192.168.99.0 0.0.0.255
[SW6]ospf 1
[SW6-ospf-1]area 99
[SW6-ospf-1-area-0.0.0.99]network 192.168.99.0 0.0.0.255
(8) Configure a default route on SW1 to SW4 with next hop 192.168.99.254
[SWX]ip route-static 0.0.0.0 0 192.168.99.254
3. Configure routing
(1) Configure the IP address on R3's GE0/0/2 interface.
[R3]int g0/0/2
[R3-GigabitEthernet0/0/2]ip address 115.1.1.254 24
(2) Viewing the routing table on R1 (display ip routing-table) shows two routes each to the 192.168.88.0 and 192.168.99.0 subnets. To make one route optimal, change the OSPF cost on vlanif88 and vlanif99 of SW6.
[SW6]int Vlanif 88
[SW6-Vlanif88]ospf cost 10
[SW6-Vlanif88]quit
[SW6]int Vlanif 99
[SW6-Vlanif99]ospf cost 10
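Why two routes appear on R1, and why raising the cost on SW6 removes one, follows from OSPF's shortest path computation: R1 reaches 192.168.88.0 through SW5 and through SW6 at the same total cost, so both are installed and flows are shared across the cores instead of following the VRRP master for that VLAN (SW5 for VLAN 99). The Python below is an added example, not from the lab: a Dijkstra that keeps every equal-cost predecessor, run over a constructed model of the page's area 0 (R1, SW5, SW6 and the VLAN 88 segment, every GE interface at the VRP default OSPF cost of 1, SW6's vlanif88 cost as a parameter).

```python
import heapq
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]


def build_graph(links: List[Tuple[str, str, int]]) -> Graph:
    """Directed links: the cost belongs to the sending interface, as in OSPF."""
    g: Graph = defaultdict(dict)
    for a, b, cost in links:
        g[a][b] = cost
    return g


def all_shortest_paths(graph: Graph, src: str, dst: str) -> Tuple[Optional[int], List[List[str]]]:
    """Dijkstra that records every equal-cost predecessor. The set of best paths is
    what OSPF installs as equal-cost next hops (ECMP) for the destination."""
    dist = {src: 0}
    preds: Dict[str, List[str]] = defaultdict(list)
    pq = [(0, src)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > dist[u]:
            continue                        # stale queue entry
        for v, cost in graph.get(u, {}).items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                preds[v] = [u]
                heapq.heappush(pq, (nd, v))
            elif nd == dist[v] and u not in preds[v]:
                preds[v].append(u)          # second path of equal cost

    def walk(node: str) -> List[List[str]]:
        if node == src:
            return [[src]]
        return [p + [node] for prev in preds[node] for p in walk(prev)]

    if dst not in dist:
        return None, []
    return dist[dst], walk(dst)


def r1_paths_to_vlan88(sw6_vlanif88_cost: int) -> Tuple[Optional[int], List[List[str]]]:
    """Constructed model of the page's area 0: R1, SW5 and SW6 share the VLAN 15 segment,
    both cores have a Vlanif88 on 192.168.88.0/24 (node NET88). Every GE interface keeps
    the VRP default OSPF cost 1 except SW6's Vlanif88, whose cost is the parameter."""
    links = [
        ("R1", "SW5", 1), ("R1", "SW6", 1),
        ("SW5", "SW6", 1), ("SW6", "SW5", 1),
        ("SW5", "NET88", 1),
        ("SW6", "NET88", sw6_vlanif88_cost),
    ]
    return all_shortest_paths(build_graph(links), "R1", "NET88")


if __name__ == "__main__":
    print("default costs:       ", r1_paths_to_vlan88(1))
    print("SW6 vlanif88 cost 10:", r1_paths_to_vlan88(10))
```

With default costs the function returns cost 2 and two paths (via SW5 and via SW6), which is the pair of routes the text describes seeing on R1. With SW6's vlanif88 at cost 10 the path via SW6 costs 11 and the detour R1, SW6, SW5, NET88 costs 3, so only the path via SW5 remains at cost 2.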
(3) To let headquarters clients on the Internet reach the branch's internal WEB server, configure nat server on the border router R1.
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]nat server protocol tcp global 100.1.1.2 80 inside 192.168.88.1 80
(4) To let the headquarters network administrator manage the branch's internal network devices from the Internet, configure nat server on the border router R1.
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1] nat server protocol tcp global 100.1.1.3 23 inside 192.168.99.254 23
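The acl 2000 and nat outbound configuration on R1 from Step 4 and the two nat server mappings above together decide what leaves and enters the branch. One point to be clear about: in a NAT ACL, a deny rule means the packet is not translated, not that it is dropped; Finance's packets are still forwarded with their private source address and only fail because the carrier will not route a private address back. Enforcing the policy needs a packet filter in addition to the NAT ACL. The Python below is an added example (not the lab's or Huawei's code) that evaluates VRP basic-ACL rules with wildcard masks in rule-number order, applies Easy IP translation using the interface address 100.1.1.1, answers inbound packets from the nat server table and then the session table, and shows the difference between the NAT verdict and a filter verdict. Rules and mappings are the page's; the source ports and the translated-port counter are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    number: int
    action: str       # "permit" or "deny"
    source: str
    wildcard: str     # VRP wildcard mask: 0 bits must match, 1 bits are ignored


def acl_match(rules: List[AclRule], src_ip: str) -> Optional[str]:
    """Evaluate a VRP basic ACL: rules in ascending rule-number order, first match wins.
    Returns the matching action, or None when no rule matches."""
    ip = int(ipaddress.ip_address(src_ip))
    for r in sorted(rules, key=lambda r: r.number):
        base = int(ipaddress.ip_address(r.source))
        care = ~int(ipaddress.ip_address(r.wildcard)) & 0xFFFFFFFF
        if ip & care == base & care:
            return r.action
    return None


# acl 2000 exactly as configured on R1 in Step 4.
ACL_2000 = [
    AclRule(5, "deny", "192.168.10.0", "0.0.0.255"),
    AclRule(10, "permit", "192.168.20.0", "0.0.0.255"),
    AclRule(15, "permit", "192.168.30.0", "0.0.0.255"),
    AclRule(20, "permit", "192.168.40.0", "0.0.0.255"),
    AclRule(25, "permit", "192.168.15.0", "0.0.0.255"),
    AclRule(30, "permit", "192.168.66.0", "0.0.0.255"),
    AclRule(35, "permit", "192.168.88.0", "0.0.0.255"),
]


@dataclass
class EasyIpNat:
    """'nat outbound <acl>' on an interface (Easy IP) plus 'nat server' static mappings."""
    if_ip: str
    acl: List[AclRule]
    static: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)
    sessions: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 10240    # constructed starting point for translated source ports

    def nat_server(self, proto: str, global_ip: str, global_port: int,
                   inside_ip: str, inside_port: int) -> None:
        self.static[(proto, global_ip, global_port)] = (inside_ip, inside_port)

    def outbound(self, proto: str, src_ip: str, src_port: int) -> dict:
        """Egress handling. A deny or no match means 'do not translate'; the packet is
        still forwarded with its private source address. Nothing in NAT drops it."""
        if acl_match(self.acl, src_ip) != "permit":
            return {"translated": False, "forwarded": True, "src": (src_ip, src_port)}
        port = self.next_port
        self.next_port += 1
        self.sessions[(proto, self.if_ip, port)] = (src_ip, src_port)
        return {"translated": True, "forwarded": True, "src": (self.if_ip, port)}

    def inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Ingress: nat server entries first, then existing sessions; with no mapping
        the packet has nowhere to go and is discarded."""
        key = (proto, dst_ip, dst_port)
        return self.static.get(key) or self.sessions.get(key)


def filter_drops(rules: List[AclRule], src_ip: str) -> bool:
    """The same ACL applied as a packet filter: only an explicit deny discards;
    permit and no-match both pass. This, not the NAT ACL, is what blocks Finance."""
    return acl_match(rules, src_ip) == "deny"


def build_r1_nat() -> EasyIpNat:
    """R1 as configured in Steps 4 and 5: Easy IP on GE0/0/1 (100.1.1.1) and both nat server entries."""
    nat = EasyIpNat("100.1.1.1", ACL_2000)
    nat.nat_server("tcp", "100.1.1.2", 80, "192.168.88.1", 80)
    nat.nat_server("tcp", "100.1.1.3", 23, "192.168.99.254", 23)
    return nat


if __name__ == "__main__":
    nat = build_r1_nat()
    print("finance :", nat.outbound("tcp", "192.168.10.5", 51000),
          "| filter drops:", filter_drops(ACL_2000, "192.168.10.5"))
    print("projects:", nat.outbound("tcp", "192.168.20.5", 51000))
    print("web in  :", nat.inbound("tcp", "100.1.1.2", 80))
    print("telnet in:", nat.inbound("tcp", "100.1.1.3", 23))
```

The Finance packet comes back as forwarded but not translated, while the same ACL used as a filter returns a drop; the inbound checks show that only the two published services and the return half of existing sessions have a mapping, so anything else arriving on 100.1.1.x is discarded.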
Step 6:
(VI) Gateway redundancy on the core switches; the internal border routers R1 and R2 connect to different carrier networks in an active/standby arrangement
To keep the enterprise network reliable, gateway redundancy is configured on the core switches and the border routers are backed up as well: when one carrier's network fails, the other carrier's network can be used immediately, keeping the company network available.
1. Build the topology
2. Switch configuration
(1) Create the VLANs on SW8
<Huawei>sys
[Huawei]un in en
[Huawei]sysn SW8
[SW8]vlan batch 10 15 16 20 30 40 66 88 99
(2) Create VLAN 16 from the system view on all switches
[SWX]vlan 16
(3) Configure GE0/0/5 on SW5 as a trunk port allowing all VLANs
[SW5]int g0/0/5
[SW5-GigabitEthernet0/0/5]port link-type trunk
[SW5-GigabitEthernet0/0/5]port trunk allow-pass vlan all
(4) Configure GE0/0/8 on SW6 as a trunk port allowing all VLANs
[SW6]int g0/0/8
[SW6-GigabitEthernet0/0/8]port link-type trunk
[SW6-GigabitEthernet0/0/8]port trunk allow-pass vlan all
(5) Configure GE0/0/5 to GE0/0/7 on SW8 as trunk ports allowing all VLANs; configure GE0/0/15 as an access port carrying VLAN 16
[SW8]int g0/0/5
[SW8-GigabitEthernet0/0/5]port link-type trunk
[SW8-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[SW8]int g0/0/6
[SW8-GigabitEthernet0/0/6]port link-type trunk
[SW8-GigabitEthernet0/0/6]port trunk allow-pass vlan all
[SW8]int g0/0/7
[SW8-GigabitEthernet0/0/7]port link-type trunk
[SW8-GigabitEthernet0/0/7]port trunk allow-pass vlan all
[SW8]int g0/0/15
[SW8-GigabitEthernet0/0/15]port link-type access
[SW8-GigabitEthernet0/0/15]port default vlan 16
(6) Configure GE0/0/8 on SW7 as a trunk port allowing all VLANs
[SW7]int g0/0/8
[SW7-GigabitEthernet0/0/8]port link-type trunk
[SW7-GigabitEthernet0/0/8]port trunk allow-pass vlan all
(7) Configure the VLAN 16 Layer 3 interface IP address on SW5
[SW5]int Vlanif 16
[SW5-Vlanif16]ip address 192.168.16.6 24
(8) Configure the VLAN 16 Layer 3 interface IP address on SW6
[SW6]int vlanif 16
[SW6-Vlanif16]ip address 192.168.16.5 24
(9) Configure the IP address on R1's GE0/0/2 interface
[R1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip address 192.168.16.2 24
(10) On SW5, SW6 and R1, enter area 0 of OSPF 1 and advertise 192.168.16.0
[SW5]ospf 1
[SW5-ospf-1]area 0
[SW5-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255
[SW6]ospf 1
[SW6-ospf-1]area 0
[SW6-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255
[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255
(11) Make SW8 the root bridge for VLAN 16, SW7 the secondary root bridge for VLAN 16, and SW8 the secondary root bridge for VLAN 15
[SW8]stp region-configuration
[SW8-mst-region]region-name zhaoqing
[SW8-mst-region]instance 1 vlan 10
[SW8-mst-region]instance 2 vlan 20
[SW8-mst-region]instance 3 vlan 30
[SW8-mst-region]instance 4 vlan 40
[SW8-mst-region]instance 9 vlan 99
[SW8-mst-region]instance 15 vlan 15
[SW8-mst-region]instance 16 vlan 16
[SW8-mst-region]active region-configuration
[SW8-mst-region]q
[SW8]stp instance 16 priority 4096
[SW8]stp instance 15 priority 8192
[SW7]stp instance 16 priority 8192
(12) Add instance 16 on all switches, then re-activate the region configuration
[SWX]stp region-configuration
[SWX-mst-region]region-name zhaoqing
[SWX-mst-region]instance 16 vlan 16
[SWX-mst-region]active region-configuration
(13) On border router R1, change the OSPF cost of interface GE0/0/2 to 10 so that the route is optimal; VLAN 16 serves as the backup
[R1]int g0/0/2
[R1-GigabitEthernet0/0/2]ospf cost 10
3. Router configuration
(1) Configure the IP addresses of GE0/0/0 to GE0/0/1 on border router R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.16.1 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 110.1.1.1 24
[R2-GigabitEthernet0/0/1]int g0/0/2
[R2-GigabitEthernet0/0/2]ip add 192.168.15.2 24
(2) Configure the IP address on R3's GE4/0/1
[R3]int g4/0/1
[R3-GigabitEthernet4/0/1]ip add 110.1.1.6 24
(3) Configure GE0/0/16 on SW7 as an access port carrying VLAN 15
[SW7]int g0/0/16
[SW7-GigabitEthernet0/0/16]port link-type access
[SW7-GigabitEthernet0/0/16]port default vlan 15
(4) Configure GE0/0/16 on SW8 as an access port carrying VLAN 16
[SW8]int g0/0/16
[SW8-GigabitEthernet0/0/16]port link-type access
[SW8-GigabitEthernet0/0/16]port default vlan 16
(5) Configure the ACL on border router R2
[R2]acl 2000
[R2-acl-basic-2000]rule 5 deny source 192.168.10.0 0.0.0.255
[R2-acl-basic-2000]rule 10 permit source 192.168.20.0 0.0.0.255
[R2-acl-basic-2000]rule 15 permit source 192.168.30.0 0.0.0.255
[R2-acl-basic-2000]rule 20 permit source 192.168.40.0 0.0.0.255
[R2-acl-basic-2000]rule 25 permit source 192.168.15.0 0.0.0.255
[R2-acl-basic-2000]rule 30 permit source 192.168.66.0 0.0.0.255
[R2-acl-basic-2000]rule 35 permit source 192.168.88.0 0.0.0.255
(6) On interface GE0/0/1 of border router R2, configure NAT in its most address-efficient form (Easy IP)
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]nat outbound 2000
(7) On border router R2, internal access to the Internet is generally provided by a default route
[R2]ip route-static 0.0.0.0 0 110.1.1.6
(8) On border router R2, as the backup path for external clients reaching the internal WEB server, configure nat server on R2's egress interface GE0/0/1: protocol HTTP over TCP, port 80, public address 110.1.1.2 mapped to the internal WEB server address
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]nat server protocol tcp global 110.1.1.2 80 inside 192.168.88.1 80
(9) As the backup path for remote management of SW1 from the Internet, configure nat server on border router R2 as well.
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]nat server protocol tcp global 110.1.1.3 23 inside 192.168.99.254 23
(10) Configure OSPF on border router R2
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255
(11) Advertise a default route from border router R2
[R2]ospf 1
[R2-ospf-1]default-route-advertise
(12) Change the OSPF cost of R2's GE0/0/0 and GE0/0/2 interfaces to 10 and 3 respectively
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ospf cost 10
[R2]int g0/0/2
[R2-GigabitEthernet0/0/2]ospf cost 3
(13) Gateway redundancy on the core switches
Configure master/backup for VLANs 15 and 16 on SW5 and SW6, with virtual IP 192.168.XX.254
[SW5]int Vlanif 15
[SW5-Vlanif15]vrrp vrid 15 virtual-ip 192.168.15.254
[SW5-Vlanif15]vrrp vrid 15 priority 200
[SW5-Vlanif15]int Vlanif 16
[SW5-Vlanif16]vrrp vrid 16 virtual-ip 192.168.16.254
[SW5-Vlanif16]vrrp vrid 16 priority 100
[SW6]int Vlanif 15
[SW6-Vlanif15]vrrp vrid 15 virtual-ip 192.168.15.254
[SW6-Vlanif15]vrrp vrid 15 priority 100
[SW6-Vlanif15]int Vlanif 16
[SW6-Vlanif16]vrrp vrid 16 virtual-ip 192.168.16.254
[SW6-Vlanif16]vrrp vrid 16 priority 200