寫了不少文章講解不同廠商設備的配置,很多小伙伴希望我給講講如何構建一個大型企業網,這里我借一個實例講講中大型企業網絡如何搭建。所有實驗配置我全部無償奉獻給各位小伙伴,該網絡涉及到防火墻的配置、無線網絡組網、VRRP、mstp、OSPF及認證、BGP、DHCP中繼、nat技術、路由選路,歡迎有興趣的小伙伴收藏加關注。
需求如下:
3.做必要隔離,且防環;
2.終端接口接入網絡后無延遲轉發;
3.匯聚后交換機之間要增加帶寬;
4.網關配置在匯聚層上,要保證網關冗余;
5.內部使用可靠的IGP進行路由學習和發布,并保證設備身份的合法性;
6.通過BGP協議跟總部進行路由學習,實現互訪,要求缺省互訪流量都經過AR1訪問總部,當AR1出現故障能自動切換至AR2;
7.要求園區網內所有PC終端都通過公司統一的DHCP服務器完成地址分發;
8.使用AC+瘦AP進行無線網絡組網;
9.出口防火墻需要做必要的安全策略,只能內網主動發起訪問外網;
10.出口防火墻要配置必要的NAT技術使得內網能夠訪問ISP或者互聯網。
具體配置如下:
AR1配置:
# AR1: campus core/egress router. It runs OSPF area 0 with MD5 authentication
# towards the aggregation switches (10.1.100.0 / 10.1.103.0), AR2 (10.1.12.0),
# the DHCP server AR4 (10.1.14.0), the firewall (10.1.15.0) and AR3 over PPP
# (10.1.13.0). Requirement 6 (BGP with headquarters, AR1 preferred, AR2 as
# backup) is not part of this listing; only the IGP side is shown.
interface Ethe.NET3/0/0
# NOTE: "Ethe.NET3/0/0" looks like a text-extraction artifact; the interface is
# presumably Ethernet3/0/0 (compare Ethernet3/0/1 below). This subnet connects
# to AR4 GigabitEthernet0/0/0 (10.1.14.4), the DHCP server.
ip address 10.1.14.1 255.255.255.0
#
interface GigabitEthernet0/0/0
# uplink from SW1 Vlanif100 (10.1.100.10)
ip address 10.1.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
# uplink from SW2 Vlanif300 (10.1.103.10)
ip address 10.1.103.1 255.255.255.0
#
interface GigabitEthernet0/0/2
# inter-router link to AR2 GigabitEthernet0/0/2 (10.1.12.2)
ip address 10.1.12.1 255.255.255.0
#
interface Pos5/0/0
link-protocol ppp
# PPP link to AR3 Pos5/0/0 (10.1.13.3); no PPP authentication (pap/chap) is
# configured on this link in the listing
ip address 10.1.13.1 255.255.255.0
#
interface LoopBack0
# host loopback; AR4's LoopBack0 below uses a /24 mask instead, which is
# inconsistent with the other routers
ip address 10.1.1.1 255.255.255.255
#
interface Ethernet3/0/1
# link to the firewall's trust interface GigabitEthernet1/0/2 (10.1.15.11).
# The firewall is reachable only through AR1 in this listing.
ip address 10.1.15.1 255.255.255.0
#
ospf 1 router-id 1.1.1.1
area 0
# 0.0.0.0 wildcards enable OSPF only on the listed interface addresses, so no
# adjacency is attempted on an interface that is not named here
network 10.1.14.1 0.0.0.0
network 10.1.15.1 0.0.0.0
network 10.1.100.1 0.0.0.0
network 10.1.12.1 0.0.0.0
network 10.1.103.1 0.0.0.0
network 10.1.13.1 0.0.0.0
network 10.1.1.1 0.0.0.0
# Area-wide MD5 authentication is what satisfies requirement 5 (neighbor
# identity). The same key-id 1 / key is used on AR2, FW, SW1 and SW2. The key
# is printed in clear text in this article, so it must be changed before any
# of this is reused; where the platform supports it, HMAC-SHA256 area
# authentication is preferable to MD5 (verify on your release).
authentication-mode md5 1 cipher huawei@123
AR2配置:
# AR2: second core router. It peers with both aggregation switches and with
# AR1/AR3, but has no link to the firewall or to AR4 in this listing, so it
# backs up the headquarters path (requirement 6), not internet egress.
# The BGP configuration and the policy that prefers AR1 are not shown here.
interface GigabitEthernet0/0/0
# uplink from SW1 Vlanif200 (10.1.102.10)
ip address 10.1.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
# uplink from SW2 Vlanif400 (10.1.104.10)
ip address 10.1.104.2 255.255.255.0
#
interface GigabitEthernet0/0/2
# inter-router link to AR1 GigabitEthernet0/0/2 (10.1.12.1)
ip address 10.1.12.2 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
# PPP link to AR3 Pos2/0/0 (10.1.23.3); no PPP authentication is configured
ip address 10.1.23.2 255.255.255.0
#
interface LoopBack0
ip address 10.1.2.2 255.255.255.255
#
ospf 1 router-id 2.2.2.2
area 0
network 10.1.2.2 0.0.0.0
network 10.1.12.2 0.0.0.0
network 10.1.23.2 0.0.0.0
network 10.1.102.2 0.0.0.0
network 10.1.104.2 0.0.0.0
# same area-0 MD5 key as AR1/FW/SW1/SW2 (requirement 5); the key is visible
# in clear text in this article and should be rotated before reuse
authentication-mode md5 1 cipher huawei@123
AR3配置:
# AR3: stands in for the headquarters router. It terminates the two PPP links
# from AR1 (10.1.13.0) and AR2 (10.1.23.0). It is not in the campus OSPF
# process; the BGP session that requirement 6 calls for is not shown in this
# listing. No link-protocol line is shown on the POS interfaces - presumably
# the default encapsulation matches the ppp configured on AR1/AR2 (verify).
interface Pos2/0/0
ip address 10.1.23.3 255.255.255.0
#
interface Pos5/0/0
ip address 10.1.13.3 255.255.255.0
#
interface LoopBack0
# represents the headquarters network that the campus must reach
ip address 200.200.200.200 255.255.255.255
AR4配置:
#
# AR4: the company's central DHCP server (requirement 7). It is not an OSPF
# speaker; it reaches the rest of the campus through a static default route to
# AR1, while AR1 advertises the 10.1.14.0/24 link into OSPF so that the DHCP
# relays on SW1/SW2 can reach 10.1.14.4.
interface GigabitEthernet0/0/0
# link to AR1 (10.1.14.1)
ip address 10.1.14.4 255.255.255.0
#
interface LoopBack0
# NOTE: /24 mask on a loopback; every other router in this design uses /32
ip address 10.1.4.4 255.255.255.0
#
dhcp enable
#
# One pool per user VLAN. The relay agent on SW1/SW2 inserts its own Vlanif
# address (192.168.x.251 or .252) as giaddr, which is how the server selects
# the matching pool. The gateway is the VRRP virtual address (.254); the real
# Vlanif addresses (.251 SW1, .252 SW2, .253 spare) are excluded from
# assignment so they are never leased to clients.
ip pool vlan10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.251 192.168.10.253
# 114.114.114.114 is the ISP's LoopBack0 in this lab, standing in for a
# public DNS resolver. The "DNS-list" capitalisation differs from the pools
# below; VRP commands are case-insensitive, so it is cosmetic.
DNS-list 114.114.114.114
domain-name hcie
#
ip pool vlan20
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
excluded-ip-address 192.168.20.251 192.168.20.253
dns-list 114.114.114.114
domain-name hcie
#
#
ip pool vlan30
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
excluded-ip-address 192.168.30.251 192.168.30.253
dns-list 114.114.114.114
domain-name hcie
#
#
ip pool vlan40
gateway-list 192.168.40.254
network 192.168.40.0 mask 255.255.255.0
excluded-ip-address 192.168.40.251 192.168.40.253
dns-list 114.114.114.114
domain-name hcie
#
# single return path via AR1; AR4 has no link to AR2, so a failure of AR1 also
# takes the DHCP server off the network (outside the scope of requirement 6).
# Nothing in the listing prevents a rogue DHCP server on the access VLANs -
# DHCP snooping on SW3/SW4 is not shown and would be the usual safeguard.
ip route-static 0.0.0.0 0.0.0.0 10.1.14.1
FW配置:
# FW (USG-style firewall): the campus internet egress. Inside interface
# GigabitEthernet1/0/2 (10.1.15.11, zone trust) faces AR1 Ethernet3/0/1;
# outside interface GigabitEthernet1/0/1 (202.1.10.1, zone untrust) faces the
# ISP. The firewall is single-homed to AR1 in this listing, so the AR1->AR2
# failover of requirement 6 covers the headquarters path, not internet egress.
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.15.11 255.255.255.0
# management on the inside interface is limited to ping; no ssh/https/telnet
# is opened here, and no service-manage at all is set on the outside interface
service-manage ping permit
#
firewall zone trust
add interface GigabitEthernet1/0/2
#
inter gig 1/0/1
# abbreviated form of "interface GigabitEthernet1/0/1" /
# "ip address 202.1.10.1 24" (as entered on the CLI)
ip addre 202.1.10.1 24
#
firewall zone untrust
add interface GigabitEthernet1/0/1
#
ospf 1 router-id 33.33.33.33
area 0
network 10.1.15.11 0.0.0.0
# same area-0 MD5 key as AR1/AR2/SW1/SW2; visible in clear text in this
# article, rotate before reuse
authentication-mode md5 1 cipher huawei@123
quit
#
security-policy
# Lets the firewall's own OSPF packets (zone local) reach AR1 in trust. The
# reverse direction (trust -> local) is not explicitly permitted in this
# listing; whether inbound OSPF to the local zone needs its own rule depends
# on the USG release, so that is the first thing to check if the adjacency
# with AR1 does not come up.
rule name permit_local_trust_ospf
source-zone local
destination-zone trust
action permit
quit
#
security-policy
# Requirement 9: only inside-initiated sessions. This relies on the default
# policy denying untrust -> trust; no inbound rule exists. Matching "all" is
# broad - limiting the rule to the campus user ranges (192.168.x.0/24) with
# source-address would narrow what can reach the internet via the NAT rule
# below.
rule name permit_trust_untrust_all
source-zone trust
destination-zone untrust
action permit
quit
#
# default route to the ISP gateway
ip route-static 0.0.0.0 0.0.0.0 202.1.10.254
#
ospf 1
# Injects the default route into area 0 so the campus learns the egress path.
# Without the "always" keyword the default is only advertised while the
# firewall itself holds an active default route (the static route above) -
# verify that behaviour on your release.
default-route-advertise
#
nat-policy
# Requirement 10: source NAT to the outside interface's own address (easy-ip)
# for the traffic admitted by the trust -> untrust security policy.
rule name EASYIP
source-zone trust
destination-zone untrust
action source-nat easy-ip
quit
ISP配置:
# ISP: simulated provider. It knows only its directly connected 202.1.10.0/24,
# which is why the firewall's easy-ip NAT (to 202.1.10.1) is needed for
# campus traffic to get a return path.
sysname ISP
#
interface GigabitEthernet0/0/1
# link to FW GigabitEthernet1/0/1 (202.1.10.1)
ip address 202.1.10.254 255.255.255.0
#
interface LoopBack0
# stands in for the public DNS resolver that AR4 hands out to DHCP clients
ip address 114.114.114.114 255.255.255.255
AC配置:
#
# AC (AC6605): wireless controller for the AC + fit-AP design (requirement 8).
# The first part is configuration; from the "[AC6605-...]" prompts onward the
# listing is a console transcript, including warnings answered with "y".
interface GigabitEthernet0/0/1
port link-type trunk
# uplink to SW2 GigabitEthernet0/0/1; all VLANs are allowed here, the AC only
# needs VLAN 101 (CAPWAP) plus the service VLANs it hands to APs
port trunk allow-pass vlan all
#
vlan 101
# VLAN 101 is the AP management VLAN. The AC itself leases AP addresses from
# this interface's subnet, so APs do not depend on the AR4 DHCP server.
interface vlan101
ip addre 192.168.101.254 24
dhcp select interface
quit
#
wlan
ap-group name ap-group1
quit
regulatory-domain-profile name default
country-code CN
quit
ap-group name ap-group1
regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y
quit
quit
#
# CAPWAP control traffic is sourced from Vlanif101
capwap source interface vlan101
#
# Four APs are named and placed in ap-group1. With the mac-auth mode below an
# AP has to be pre-registered by MAC before the AC accepts it; the ap-mac
# entries are not shown in this listing, presumably they were entered earlier.
ap-id 0
ap-name SZ1
ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC6605-wlan-ap-0]ap-id 1
ap-name SZ2
ap-group ap-group1
ap-id 2
ap-name SZ3
ap-group ap-group1
ap-id 3
ap-name SZ4
ap-group ap-group1
quit
# APs are authenticated by MAC address; unknown APs are not admitted
ap auth-mode mac-auth
#
wlan
security-profile name wlan-net
# Mixed WPA/WPA2 with a pre-shared key. The passphrase shown is 8 characters
# (the minimum) and is printed in this article, so it must be changed before
# reuse; a long random passphrase and, where the client base allows, WPA2-only
# (security wpa2 psk ...) would be stricter.
security wpa-wpa2 psk pass-phrase a1234567 aes
quit
#
[AC6605-wlan-view]ssid-profile name wlan-net
[AC6605-wlan-ssid-prof-wlan-net]ssid hcie2022
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-ssid-prof-wlan-net]quit
[AC6605-wlan-view]vap-profile name wlan-net
# direct-forward: client data is switched locally at the AP / access switch
# and is not tunnelled to the AC, so the AC carries only CAPWAP control. The
# service VLANs therefore have to be carried on the AP-facing trunks (see the
# pvid 101 / allow-pass all ports on SW3 and SW4).
[AC6605-wlan-vap-prof-wlan-net]forward-mode direct-forward
[AC6605-wlan-vap-prof-wlan-net]service-vlan vlan-pool hcie2022
# The error below shows the VLAN pool did not exist yet; its creation
# (vlan-pool hcie2022 and its member VLANs) happened between this line and
# the retry below but is not shown in the listing.
Error: The VLAN pool does not exist. Please create it first.
[AC6605]wlan
[AC6605-wlan-view]vap-profile name wlan-net
[AC6605-wlan-vap-prof-wlan-net]service-vlan vlan-pool hcie2022
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-vap-prof-wlan-net]security-profile wlan-net
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-vap-prof-wlan-net]ssid-profile wlan-net
[AC6605]wlan
[AC6605-wlan-view]ap-group name ap-group1
# the VAP is bound to both radios (0 and 1) of every AP in the group
[AC6605-wlan-ap-group-ap-group1]vap-profile wlan-net wlan 1 radio 0
Info: This operation may take a few seconds, please wait...done.
[AC6605-wlan-ap-group-ap-group1]vap-profile wlan-net wlan 1 radio 1
Info: This operation may take a few seconds, please wait...done.
[AC6605-wlan-ap-group-ap-group1]quit
[AC6605-wlan-view]quit
# verification: 4 APs x 2 radios = 8 VAPs, all ON with WPA/WPA2-PSK
[AC6605]dis vap ssid hcie2022
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-----------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
-----------------------------------------------------------------------------
0 SZ1 0 1 00E0-FC43-22F0 ON WPA/WPA2-PSK 0 hcie2022
0 SZ1 1 1 00E0-FC43-2300 ON WPA/WPA2-PSK 0 hcie2022
1 SZ2 0 1 00E0-FC86-80D0 ON WPA/WPA2-PSK 0 hcie2022
1 SZ2 1 1 00E0-FC86-80E0 ON WPA/WPA2-PSK 0 hcie2022
2 SZ3 0 1 00E0-FC04-6A40 ON WPA/WPA2-PSK 0 hcie2022
2 SZ3 1 1 00E0-FC04-6A50 ON WPA/WPA2-PSK 0 hcie2022
3 SZ4 0 1 00E0-FC0E-0BC0 ON WPA/WPA2-PSK 0 hcie2022
3 SZ4 1 1 00E0-FC0E-0BD0 ON WPA/WPA2-PSK 0 hcie2022
-----------------------------------------------------------------------------
Total: 8
SW1配置:
#
# SW1: aggregation switch A. It holds the user gateways together with SW2
# (requirement 4, VRRP), is MSTP root for instance 1, aggregates its links to
# SW2 (requirement 3) and relays DHCP to AR4 (requirement 7).
vlan batch 10 20 30 40
#
interface GigabitEthernet0/0/2
port link-type trunk
# "2 to 4094" deliberately leaves VLAN 1 off the trunks (SW3/SW4 use
# "allow-pass vlan all" on their side, so VLAN 1 still exists there)
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
# requirement 3: two links to SW2 bundled with static LACP. Both ends must use
# the same Eth-Trunk id, mode and member ports (SW2 uses 0/0/19-20 as well).
interface eth-Trunk 12
mode lacp-static
trunkport gig 0/0/19 to 0/0/20
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
# requirement 1: MSTP. Region name, revision and the VLAN-to-instance mapping
# must be identical on SW1, SW2, SW3 and SW4, otherwise they form separate
# regions. No explicit "stp mode" is shown; MSTP is the default on these
# switches (verify).
stp region-configuration
region-name hcie
revision-level 1
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
#
# SW1 is root for instance 1 (VLANs 10/30) and backup root for instance 2;
# this lines up with the VRRP priorities below so the STP root and the VRRP
# master for a VLAN are the same switch and traffic is not hairpinned.
stp instance 1 root primary
stp instance 2 root secondary
#
#
interface Vlanif10
# physical gateway addresses are .251 (SW1) / .252 (SW2); AR4 excludes
# .251-.253 from its DHCP pools for that reason
ip address 192.168.10.251 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.251 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.251 255.255.255.0
#
interface Vlanif40
ip address 192.168.40.251 255.255.255.0
#
# VRRP (requirement 4): .254 is the virtual gateway handed out by DHCP.
# Priority 120 makes SW1 master for VLANs 10/30 (SW2 keeps the default
# priority there and is master for 20/40). No track statement is configured,
# so an uplink failure on the master does not move the gateway; OSPF over the
# Eth-Trunk would carry traffic across instead. "vrrp vrid N track interface"
# could be added if that is not acceptable.
interface Vlanif10
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 120
#
interface Vlanif30
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 120
#
interface Vlanif20
vrrp vrid 20 virtual-ip 192.168.20.254
#
interface Vlanif40
vrrp vrid 40 virtual-ip 192.168.40.254
#
# VLANs 100/200 are the routed uplinks to AR1 (10.1.100.0) and AR2 (10.1.102.0)
vlan batch 100 200
#
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 100
# router-facing port: edged-port skips the listening/learning delay. No
# bpdu-protection is shown to shut the port if a BPDU does arrive.
stp edged-port enable
#
interface GigabitEthernet0/0/11
port link-type access
port default vlan 200
stp edged-port enable
#
#
interface Vlanif100
# to AR1 GigabitEthernet0/0/0 (10.1.100.1)
ip address 10.1.100.10 255.255.255.0
#
interface Vlanif200
# to AR2 GigabitEthernet0/0/0 (10.1.102.2)
ip address 10.1.102.10 255.255.255.0
#
#
ospf 1 router-id 11.11.11.11
# The network statements only run OSPF on the two uplink VLANIFs; the user
# subnets (VLAN 10-40) reach the routers as redistributed external routes via
# import-route direct. Both SW1 and SW2 redistribute the same subnets.
import-route direct
area 0
network 10.1.100.10 0.0.0.0
network 10.1.102.10 0.0.0.0
# same area-0 MD5 key as AR1/AR2/FW/SW2; in clear text in this article,
# rotate before reuse
authentication-mode md5 1 cipher huawei@123
#
dhcp enable
#
# requirement 7: relay client DHCP to the central server AR4 (10.1.14.4).
# The relay uses the Vlanif address as giaddr, which selects the matching
# pool on AR4. Both SW1 and SW2 relay, so the server sees each request twice.
interface vlan10
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
interface vlan20
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
interface vlan30
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
interface vlan40
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
# AP management VLAN, carried at layer 2 between the access switches and the AC
vlan 101
SW2配置:
#
# SW2: aggregation switch B, mirror of SW1 with the roles swapped: MSTP root
# and VRRP master for instance 2 (VLANs 20/40), backup for instance 1. It also
# carries the uplink to the AC on GigabitEthernet0/0/1.
vlan batch 10 20 30 40
#
interface GigabitEthernet0/0/2
port link-type trunk
# VLAN 1 is kept off the trunks ("2 to 4094"), as on SW1
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
# requirement 3: LACP bundle to SW1 (same Eth-Trunk id and member ports)
interface eth-Trunk 12
mode lacp-static
trunkport gig 0/0/19 to 0/0/20
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
# MSTP region: identical to SW1/SW3/SW4 (name, revision, mapping)
stp region-configuration
region-name hcie
revision-level 1
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
#
# SW2 is root for instance 2 (VLANs 20/40), matching its VRRP priority below
stp instance 1 root secondary
stp instance 2 root primary
#
interface Vlanif10
# NOTE: the mask is missing a space in the listing; the intended line is
# "ip address 192.168.10.252 255.255.255.0" (.252 is SW2's physical address,
# .251 is SW1's, both excluded from the AR4 DHCP pools)
ip address 192.168.10.252255.255.255.0
#
interface Vlanif20
ip address 192.168.20.252 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.252 255.255.255.0
#
interface Vlanif40
ip address 192.168.40.252 255.255.255.0
#
# VRRP: default priority on 10/30 (SW1 is master there), priority 120 on
# 20/40 so SW2 is master for those. No track statement is configured, same
# as SW1.
interface Vlanif10
vrrp vrid 10 virtual-ip 192.168.10.254
#
interface Vlanif30
vrrp vrid 30 virtual-ip 192.168.30.254
#
interface Vlanif20
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 120
#
interface Vlanif40
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 120
#
#
# VLANs 300/400 are the routed uplinks to AR1 (10.1.103.0) and AR2 (10.1.104.0)
vlan batch 300 400
#
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 400
# router-facing edged port; no bpdu-protection is shown
stp edged-port enable
#
interface GigabitEthernet0/0/11
port link-type access
port default vlan 300
stp edged-port enable
#
#
interface Vlanif300
# to AR1 GigabitEthernet0/0/1 (10.1.103.1)
ip address 10.1.103.10 255.255.255.0
#
interface Vlanif400
# to AR2 GigabitEthernet0/0/1 (10.1.104.2)
ip address 10.1.104.10 255.255.255.0
#
ospf 1 router-id 22.22.22.22
# OSPF runs only on the two uplink VLANIFs; user subnets enter OSPF as
# external routes via import-route direct, in parallel with SW1
import-route direct
area 0
network 10.1.103.10 0.0.0.0
network 10.1.104.10 0.0.0.0
# same area-0 MD5 key as the other OSPF speakers; in clear text in this
# article, rotate before reuse
authentication-mode md5 1 cipher huawei@123
#
dhcp enable
#
# requirement 7: relay to the central DHCP server AR4, same as SW1
interface vlan10
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
interface vlan20
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
interface vlan30
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
interface vlan40
dhcp select relay
dhcp relay server-ip 10.1.14.4
#
#
# trunk to the AC's GigabitEthernet0/0/1; this is the only trunk on SW1/SW2
# that allows "vlan all" (VLAN 1 included)
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan all
#
# AP management VLAN (CAPWAP to the AC's Vlanif101)
vlan 101
SW3配置:
# SW3: access switch. Wired terminals sit in VLANs 10 and 30, two trunks go
# up to SW1/SW2, and two trunks with PVID 101 serve the fit APs.
vlan batch 10 20 30 40
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
# requirement 2: edged-port puts the terminal port straight into forwarding.
# No bpdu-protection (and no DHCP snooping) is shown on the access ports.
stp edged-port enable
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
stp edged-port enable
#
# uplinks to the aggregation layer; VLAN 1 is allowed on this side even
# though SW1/SW2 only allow 2 to 4094
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan all
#
# MSTP region must match SW1/SW2 exactly (it does: hcie / 1 / same mapping)
stp region-configuration
region-name hcie
revision-level 1
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
#
# AP management VLAN
vlan 101
#
# AP-facing ports: the AP's own CAPWAP traffic is untagged in VLAN 101 (pvid),
# while the wireless service VLANs are presumably carried tagged, which is
# what the AC's direct-forward mode requires. "allow-pass vlan all" is wider
# than needed; limiting it to 101 plus the service VLANs would be tighter.
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan all
SW4配置:
# SW4: access switch, mirror of SW3 with terminals in VLANs 20 and 40.
vlan batch 10 20 30 40
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
# requirement 2: immediate forwarding on terminal ports; no bpdu-protection
# or DHCP snooping is shown
stp edged-port enable
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 40
stp edged-port enable
#
# uplinks to SW1/SW2
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan all
#
# MSTP region identical to SW1/SW2/SW3
stp region-configuration
region-name hcie
revision-level 1
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
#
# AP management VLAN
vlan 101
#
# AP-facing ports: CAPWAP untagged in VLAN 101 (pvid), service VLANs tagged
# for direct-forward; "allow-pass vlan all" could be narrowed to the VLANs
# the APs actually use
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan all