1. Network requirements analysis
1.1 Functional requirements
1. The campus network connects to the Internet, and only the student PCs may reach public resources through it
2. The academic-affairs server may only be accessed by the dedicated academic-affairs PC; Student 1/2 and PC4 must be able to reach each other
3. The design must provide redundancy, reliability and confidentiality
1.2 Technical requirements
1. NAT (gives the internal network access to the public network); OSPF (converges paths automatically with the SPF algorithm and builds the routing table)
2. MSTP (prevents Layer 2 loops and improves link utilization); VRRP (master/backup gateways, removing the gateway as a single point of failure)
3. Link aggregation (bundles several physical links into one logical link)
2. Campus LAN design
2.1 Topology diagram
2.2 Core-layer and egress device configuration
1. Basic configuration such as device IP addresses
2. Configure OSPF on the devices and enable area authentication
3. Core_3's subnets are not advertised into OSPF. Instead, Export and Core_3 point static routes at each other so that their subnets can reach one another, and the static route is then imported into OSPF on Export (Export additionally originates a default route into OSPF, see below)
[Huawei]sys Core_1
[Core_1]int g0/0/0
[Core_1-GigabitEthernet0/0/0]ip address 10.1.1.2 30
[Core_1-GigabitEthernet0/0/0]int g0/0/1
[Core_1-GigabitEthernet0/0/1]ip address 172.16.3.1 24
[Core_1-GigabitEthernet0/0/1]int g0/0/2
[Core_1-GigabitEthernet0/0/2]ip address 172.16.1.1 24
[Huawei]sys Core_2
[Core_2]int g0/0/1
[Core_2-GigabitEthernet0/0/1]ip address 172.16.3.2 24
[Core_2-GigabitEthernet0/0/1]int g0/0/0
[Core_2-GigabitEthernet0/0/0]ip address 20.1.1.2 30
[Core_2-GigabitEthernet0/0/0]int g0/0/2
[Core_2-GigabitEthernet0/0/2]ip address 172.16.2.1 24
[Huawei]sys Export
[Export]int g0/0/0
[Export-GigabitEthernet0/0/0]ip address 172.16.1.2 24
[Export-GigabitEthernet0/0/0]int g0/0/1
[Export-GigabitEthernet0/0/1]ip address 172.16.2.2 24
[Export-GigabitEthernet0/0/1]int g0/0/2
[Export-GigabitEthernet0/0/2]ip address 172.16.4.2 24
[Export]int Serial 4/0/0
[Export-Serial4/0/0]ip address 200.1.1.1 30
[Core_1]int LoopBack 0
[Core_1-LoopBack0]ip address 3.3.3.3 32
[Core_1-LoopBack0]quit
[Core_1]ospf 1 router-id 3.3.3.3 ## use the loopback address as the Router ID
[Core_1-ospf-1]area 0
[Core_1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[Core_1-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[Core_1-ospf-1-area-0.0.0.0]network 172.16.3.0 0.0.0.255
[Core_1-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[Core_1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher 123456 ## area authentication: every router in area 0 must carry the same key ID and key, or adjacencies will not form. 123456 is a lab placeholder; in production use a long random key, because the key is only ever protected by the MD5 digest on the wire
[Core_2]int LoopBack 0
[Core_2-LoopBack0]ip address 4.4.4.4 32
[Core_2-LoopBack0]quit
[Core_2]ospf 1 router-id 4.4.4.4
[Core_2-ospf-1]area 0
[Core_2-ospf-1-area-0.0.0.0]network 20.1.1.0 0.0.0.255
[Core_2-ospf-1-area-0.0.0.0]network 172.16.3.0 0.0.0.255
[Core_2-ospf-1-area-0.0.0.0]network 172.16.2.0 0.0.0.255
[Core_2-ospf-1-area-0.0.0.0]network 4.4.4.4 0.0.0.0
[Core_2-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher 123456
[Export]int LoopBack 0
[Export-LoopBack0]ip address 5.5.5.5 32
[Export-LoopBack0]quit
[Export]ospf 1 router-id 5.5.5.5
[Export-ospf-1]area 0
[Export-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[Export-ospf-1-area-0.0.0.0]network 172.16.2.0 0.0.0.255
[Export-ospf-1-area-0.0.0.0]network 172.16.4.0 0.0.0.255
[Export-ospf-1-area-0.0.0.0]network 5.5.5.5 0.0.0.0
[Export-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher 123456
[Export-ospf-1]default-route-advertise ## advertise a default route into the normal OSPF area. The student PCs are not directly attached to Export: Agg_1 and Agg_2 sit in between and have no route to 200.1.1.0/30 in their routing tables, which is the classic routing black hole. The intermediate devices therefore need a route toward that network, and here it is supplied by advertising a default route to the OSPF routers (importing the directly connected routes would also work, but it exposes the link addresses and is not recommended). Note that without the always keyword this command only originates the default LSA while Export itself holds a default route (for example a static default toward the ISP end of the serial link, 200.1.1.2); otherwise use default-route-advertise always
## The OSPF neighbor relationships between Core_1, Core_2 and Export are now established
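The area authentication above is MD5 with the key 123456. The Python below is an added example, not part of the original page and not a Huawei tool: it builds an OSPFv2 Hello authenticated the way RFC 2328 Appendix D describes (MD5 over the packet followed by the key padded to 16 octets, digest appended after the packet) and then recovers the key from that single packet with a dictionary attack. The packet fields, the cryptographic sequence number and the wordlist are constructed for the example; only the digest computation follows the RFC. The point it makes is that cipher in the configuration protects the stored config, not the key's strength on the wire.

```python
"""OSPFv2 cryptographic authentication (RFC 2328, Appendix D) and why a weak
MD5 key is recoverable offline. Added example; the packet, sequence number
and wordlist below are constructed, not captured from the lab."""
import hashlib
import hmac
import secrets
import struct
from typing import Iterable, Optional

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_TYPE_CRYPTO = 2   # "Cryptographic authentication" in the OSPF header
DIGEST_LEN = 16        # MD5 digest length, also the padded key length


def ip2bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_hello(router_id: str, area_id: str, key_id: int, seq: int) -> bytes:
    """OSPF header + minimal Hello body, with the 8-octet authentication field
    laid out for autype 2: reserved(2), key id(1), auth data length(1), crypto
    sequence number(4). The checksum is zero when cryptographic auth is used."""
    body = struct.pack(
        "!4sHBBI4s4s",
        ip2bytes("255.255.255.252"),  # network mask of the sending interface (a /30 link)
        10,                           # hello interval, seconds
        0x02,                         # options: E bit set (normal area, not a stub)
        1,                            # router priority
        40,                           # router dead interval, seconds
        ip2bytes("0.0.0.0"),          # DR (none elected yet)
        ip2bytes("0.0.0.0"),          # BDR (none elected yet)
    )
    length = 24 + len(body)           # header + body; the digest is NOT counted
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_HELLO, length,
                         ip2bytes(router_id), ip2bytes(area_id), 0, AUTH_TYPE_CRYPTO)
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + auth_field + body


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """RFC 2328 D.4.3: MD5 over the packet followed by the key, which is
    truncated or zero-padded to 16 octets. Plain MD5, not HMAC."""
    padded = key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")
    return hashlib.md5(packet + padded).digest()


def sign(packet: bytes, key: bytes) -> bytes:
    """What goes on the wire: the packet, then the 16-octet digest."""
    return packet + ospf_md5_digest(packet, key)


def verify(frame: bytes, key: bytes) -> bool:
    """Receiver side: split at the header length field and recompute."""
    length = struct.unpack("!H", frame[2:4])[0]
    packet, digest = frame[:length], frame[length:length + DIGEST_LEN]
    return hmac.compare_digest(ospf_md5_digest(packet, key), digest)


def recover_key(frame: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: one captured Hello is enough, because the
    verifier needs nothing but the packet bytes and a candidate key."""
    for candidate in wordlist:
        if verify(frame, candidate.encode()):
            return candidate
    return None


# Constructed capture: Core_1's Hello into area 0, key id 1, the page's key.
CAPTURED = sign(build_hello("3.3.3.3", "0.0.0.0", 1, 0x5F3A1B2C), b"123456")
WORDLIST = ["password", "huawei", "admin", "ospf", "123456", "Huawei@123"]
STRONG_KEY = secrets.token_bytes(16)   # what a production key should look like

if __name__ == "__main__":
    print("weak key recovered:", recover_key(CAPTURED, WORDLIST))
    strong = sign(build_hello("3.3.3.3", "0.0.0.0", 1, 0x5F3A1B2D), STRONG_KEY)
    print("strong key recovered:", recover_key(strong, WORDLIST))
```

Any host on the segment can collect the input for this attack, since Hellos are multicast to 224.0.0.5, and whoever recovers the key can form an adjacency and inject routes. Use a long random key and rotate it; where the platform supports it, prefer HMAC-SHA256 (RFC 5709) over MD5. Whether a given VRP release offers authentication-mode hmac-sha256 has to be checked on the device in use.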
[Huawei]sys Core_3
[Core_3]int g0/0/0
[Core_3-GigabitEthernet0/0/0]ip address 172.16.4.1 24
[Core_3-GigabitEthernet0/0/0]quit
[Core_3]int LoopBack 0
[Core_3-LoopBack0]ip address 6.6.6.6 32
[Core_3-LoopBack0]quit
[Core_3]int g0/0/1
[Core_3-GigabitEthernet0/0/1]ip address 192.168.11.1 24 ## gateway for PC4's subnet 192.168.11.0/24; it must not overlap the student VLAN 10 subnet 192.168.10.0/24 behind the Agg switches
[Core_3]ip route-static 0.0.0.0 0.0.0.0 172.16.4.2 ## with this many subnets upstream, a single default route toward Export is simplest
[Export]ip route-static 192.168.11.0 24 172.16.4.1 ## static route toward PC4's subnet
[Export]ospf 1
[Export-ospf-1]import-route static ## import the static route into OSPF (this imports every static route on Export; restrict it with a route-policy if Export carries other static routes that must stay local)
## Core_1 now shows an OSPF external (O_ASE) route to PC4's subnet, with protocol preference 150
## PC4 can ping the loopbacks of Core_1 and Core_2, which confirms the configuration
Finally, to give the internal network access to the outside, configure NAT on Export
[Huawei]sys ISP
[ISP]int Serial 4/0/0
[ISP-Serial4/0/0]ip address 200.1.1.2 30
[ISP-Serial4/0/0]int g0/0/1
[ISP-GigabitEthernet0/0/1]ip address 192.168.12.1 24
[Export]acl 2000 ## basic ACL: only the student subnet (VLAN 10) is translated, which is how requirement 1 is met
[Export-acl-basic-2000]rule permit source 192.168.10.0 0.0.0.255
[Export]int Serial 4/0/0
[Export-Serial4/0/0]nat outbound 2000 ## Easy IP: matching packets are translated to the serial interface address 200.1.1.1. Packets from other subnets (for example the academic-affairs VLAN 20) do not match and leave untranslated with private source addresses; the ISP cannot return them, but if "students only" is meant as a policy rather than a side effect, drop them explicitly with a traffic-filter on this interface
2.3 Aggregation-layer device configuration
1. Aggregate the physical links between the two switches, with at most 2 active links.
2. Agg_1 and Agg_2 act as the gateways for the terminals and the academic-affairs server and allow the corresponding VLANs through
3. Use VRRP for gateway redundancy: Agg_1 is the master gateway for VLAN 10 and the backup for VLAN 20, Agg_2 the reverse.
[Huawei]sys Agg_1
[Agg_1]int Eth-Trunk 1
[Agg_1-Eth-Trunk1]max active-linknumber 2
[Agg_1-Eth-Trunk1]mode lacp-static
[Agg_1-Eth-Trunk1]trunkport GigabitEthernet 0/0/3
[Agg_1-Eth-Trunk1]trunkport GigabitEthernet 0/0/4
[Agg_1-Eth-Trunk1]trunkport GigabitEthernet 0/0/5
[Huawei]sys Agg_2
[Agg_2]int Eth-Trunk 1
[Agg_2-Eth-Trunk1]mode lacp-static
[Agg_2-Eth-Trunk1]trunkport GigabitEthernet 0/0/3
[Agg_2-Eth-Trunk1]trunkport GigabitEthernet 0/0/4
[Agg_2-Eth-Trunk1]trunkport GigabitEthernet 0/0/5
## The active-link limit is enforced by the LACP actor, i.e. the side with the higher system priority (lower MAC address at equal priority). Set max active-linknumber 2 on Agg_2 as well so the limit does not depend on which side becomes the actor
## Link aggregation is done: two links are active and the third stays in backup
## Next, allow the required VLANs through and configure the MSTP spanning tree
[Agg_1]vlan batch 10 20 100
[Agg_1]int Eth-Trunk 1
[Agg_1-Eth-Trunk1]port link-type trunk
[Agg_1-Eth-Trunk1]port trunk allow-pass vlan 10 20
[Agg_1]int g0/0/1
[Agg_1-GigabitEthernet0/0/1]port link-type access
[Agg_1-GigabitEthernet0/0/1]port default vlan 10
[Agg_1-GigabitEthernet0/0/1]int g0/0/2
[Agg_1-GigabitEthernet0/0/2]port link-type access
[Agg_1-GigabitEthernet0/0/2]port default vlan 20
[Agg_1]int Vlanif 100 ## routed uplink to Core_1 (10.1.1.0/30) carried in VLAN 100
[Agg_1-Vlanif100]ip address 10.1.1.1 30
[Agg_1-Vlanif100]int g0/0/6
[Agg_1-GigabitEthernet0/0/6]port link-type access
[Agg_1-GigabitEthernet0/0/6]port default vlan 100
[Agg_2]int Eth-Trunk 1
[Agg_2-Eth-Trunk1]port link-type trunk
[Agg_2-Eth-Trunk1]port trunk allow-pass vlan 10 20
[Agg_2]vlan batch 10 20 200
[Agg_2]int g0/0/1
[Agg_2-GigabitEthernet0/0/1]port link-type access
[Agg_2-GigabitEthernet0/0/1]port default vlan 20
[Agg_2-GigabitEthernet0/0/1]int g0/0/2
[Agg_2-GigabitEthernet0/0/2]port link-type access
[Agg_2-GigabitEthernet0/0/2]port default vlan 10
[Agg_2]vlan 200
[Agg_2]int Vlanif 200
[Agg_2-Vlanif200]ip address 20.1.1.1 30
[Agg_2]int g0/0/6
[Agg_2-GigabitEthernet0/0/6]port link-type access
[Agg_2-GigabitEthernet0/0/6]port default vlan 200
[Agg_1]stp mode mstp
[Agg_1]stp region-configuration
[Agg_1-mst-region]region-name test
[Agg_1-mst-region]revision-level 1
[Agg_1-mst-region]instance 1 vlan 10
[Agg_1-mst-region]instance 2 vlan 20
[Agg_1-mst-region]active region-configuration
## The above has to be configured on all four switches (Agg_1, Agg_2, Access_1, Access_2); the other three are omitted here. Region name, revision level and the VLAN-to-instance mapping must be identical on all four, otherwise they fall into separate MST regions and the loop is not handled as intended. The lab does not pin the root bridges; in practice make Agg_1 the root for instance 1 and Agg_2 the root for instance 2 (stp instance <n> root primary), so that each VLAN's Layer 2 forwarding path ends on its VRRP master instead of crossing the Eth-Trunk first
Configure VRRP
[Agg_1]interface Vlanif 10
[Agg_1-Vlanif10]ip address 192.168.10.1 24
[Agg_1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[Agg_1-Vlanif10]vrrp vrid 10 priority 120
[Agg_1]int Vlanif 20
[Agg_1-Vlanif20]ip address 192.168.20.1 24
[Agg_1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[Agg_1-Vlanif20]vrrp vrid 20 priority 100
[Agg_2]int Vlanif 10
[Agg_2-Vlanif10]ip address 192.168.10.2 24
[Agg_2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[Agg_2-Vlanif10]vrrp vrid 10 priority 100
[Agg_2]int Vlanif 20
[Agg_2-Vlanif20]ip address 192.168.20.2 24
[Agg_2-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[Agg_2-Vlanif20]vrrp vrid 20 priority 120
## VRRP master/backup is done. Two defaults the lab leaves alone deserve attention in a real deployment: neither VRRP group is authenticated, so any host in the VLAN can announce a higher-priority master, and neither master tracks its uplink toward the core (vrrp vrid <n> track interface ...), so a failed uplink does not move the virtual gateway
Advertise the subnets on the Agg switches into OSPF
[Agg_1]int LoopBack 0
[Agg_1-LoopBack0]ip address 1.1.1.1 32
[Agg_1]ospf 1 router-id 1.1.1.1
[Agg_1-ospf-1]area 0
[Agg_1-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[Agg_1-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[Agg_1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[Agg_1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[Agg_1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher 123456
[Agg_2]int LoopBack 0
[Agg_2-LoopBack0]ip address 2.2.2.2 32
[Agg_2]ospf 1 router-id 2.2.2.2
[Agg_2-ospf-1]area 0
[Agg_2-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[Agg_2-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[Agg_2-ospf-1-area-0.0.0.0]network 20.1.1.0 0.0.0.255
[Agg_2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[Agg_2-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher 123456
2.4 Access-layer device configuration
1. On Access_1, configure the ports as access ports in VLAN 10. On Access_2, ports 1 and 2 are access ports in VLAN 20, while ports 3 and 4 (the academic-affairs PC and the academic-affairs server) are configured as hybrid ports with untagged VLANs 20 and 30, so that the academic-affairs PC can only reach the academic-affairs server
[Huawei]sys Access_1
[Access_1]vlan 10
[Access_1]int Ethernet 0/0/1
[Access_1-Ethernet0/0/1]port link-type access
[Access_1-Ethernet0/0/1]port default vlan 10
[Access_1]int Ethernet 0/0/2
[Access_1-Ethernet0/0/2]port link-type access
[Access_1-Ethernet0/0/2]port default vlan 10
[Access_1]int Ethernet 0/0/3
[Access_1-Ethernet0/0/3]port link-type access
[Access_1-Ethernet0/0/3]port default vlan 10
[Access_1]int Ethernet 0/0/4
[Access_1-Ethernet0/0/4]port link-type access
[Access_1-Ethernet0/0/4]port default vlan 10
[Huawei]sys Access_2
[Access_2]vlan 20
[Access_2]int Ethernet0/0/1
[Access_2-Ethernet0/0/1]port link-type access
[Access_2-Ethernet0/0/1]port default vlan 20
[Access_2-Ethernet0/0/1]int Ethernet0/0/2
[Access_2-Ethernet0/0/2]port link-type access
[Access_2-Ethernet0/0/2]port default vlan 20
[Access_2]int Ethernet0/0/3
[Access_2-Ethernet0/0/3]port link-type hybrid
[Access_2-Ethernet0/0/3]port hybrid untagged vlan 20 30
[Access_2]int Ethernet0/0/4
[Access_2-Ethernet0/0/4]port link-type hybrid
[Access_2-Ethernet0/0/4]port hybrid untagged vlan 20 30
## The student PCs and PC4 can now reach each other; the academic-affairs PC cannot reach the gateway but can ping the academic-affairs server. Note that ports 3 and 4 set no port hybrid pvid vlan, so untagged frames from the PC and the server enter with the default PVID (VLAN 1) and never reach the VLAN 20 gateway: the isolation works, but it rests on a default. Create VLAN 30 and set port hybrid pvid vlan 30 on both ports so the intent survives later changes. To be safe against misconfiguration, a MAC-based Layer 2 ACL can additionally be applied on the Access_2 port
[Access_2]acl 4000 ## Layer 2 ACL (4000-4999)
[Access_2-acl-L2-4000]rule permit source-mac 5489-98EC-1E8A ## MAC of the academic-affairs PC
[Access_2-acl-L2-4000]rule deny ## required: traffic-filter forwards frames that match no rule, so a lone permit rule blocks nothing
[Access_2]int Ethernet0/0/4
[Access_2-Ethernet0/0/4]traffic-filter outbound acl 4000 ## applied on the server port, so only frames sourced from the academic-affairs PC are delivered to the server. A MAC address is trivially spoofed, so this guards against mistakes, not against a determined attacker
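The two ACL-based controls on this page, nat outbound 2000 on Export and traffic-filter outbound acl 4000 on Access_2, differ in what happens when nothing matches, and that difference is what decides whether ACL 4000 filters anything. The Python below is an added example, not code from the page or from Huawei: it models Huawei wildcard matching and first-match rule evaluation, with the two platform behaviours that matter here stated as assumptions in the code, namely that nat outbound forwards a non-matching packet untranslated and that traffic-filter forwards a frame that matches no rule. The ACL contents mirror the page; the sample addresses and the MAC 5489-0000-0001 are constructed.

```python
"""Huawei-style ACL evaluation for the two controls on this page. Added
example; the packet sources below are constructed. Two platform behaviours
are modelled as stated assumptions: 'nat outbound' forwards a non-matching
packet untranslated, and 'traffic-filter' forwards a frame that matches no
rule (only an explicit deny drops)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    source: Optional[str] = None  # IPv4 dotted quad or MAC "5489-98EC-1E8A"; None matches anything
    wildcard: str = "0.0.0.0"     # Huawei wildcard for IPv4: 1 bits are ignored, 0.0.0.0 = one host


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def first_match(self, value: str) -> Optional[Rule]:
        """Rules are evaluated in order; the first whose source matches decides."""
        for rule in self.rules:
            if rule_matches(rule, value):
                return rule
        return None


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", "").replace(".", ""), 16)


def rule_matches(rule: Rule, value: str) -> bool:
    if rule.source is None:
        return True
    if "-" in rule.source or ":" in rule.source:
        # L2 ACL 'source-mac' with the default mask ffff-ffff-ffff: exact match
        return mac_to_int(rule.source) == mac_to_int(value)
    # Basic ACL 'source <addr> <wildcard>': compare only the bits the wildcard keeps
    keep = 0xFFFFFFFF ^ int(IPv4Address(rule.wildcard))
    return (int(IPv4Address(value)) & keep) == (int(IPv4Address(rule.source)) & keep)


def nat_outbound(acl: Acl, src_ip: str) -> str:
    """'nat outbound <acl>': translate on a permit match; anything else leaves untranslated."""
    rule = acl.first_match(src_ip)
    return "translate" if rule is not None and rule.action == "permit" else "forward-untranslated"


def traffic_filter(acl: Acl, src_mac: str) -> str:
    """'traffic-filter ... acl <n>': drop only on a matching deny rule."""
    rule = acl.first_match(src_mac)
    return "deny" if rule is not None and rule.action == "deny" else "permit"


# ACL 2000 exactly as on Export: only the student subnet is translated.
ACL_2000 = Acl(2000, [Rule("permit", "192.168.10.0", "0.0.0.255")])

# ACL 4000 with the single permit rule: other MACs match nothing, so the
# platform default applies and every frame is forwarded.
ACL_4000_AS_WRITTEN = Acl(4000, [Rule("permit", "5489-98EC-1E8A")])

# The same ACL with an explicit trailing deny, which is what makes it a filter.
ACL_4000_WITH_DENY = Acl(4000, [Rule("permit", "5489-98EC-1E8A"), Rule("deny")])

if __name__ == "__main__":
    for ip in ("192.168.10.23", "192.168.20.7", "192.168.11.5"):
        print(f"nat outbound 2000, src {ip}: {nat_outbound(ACL_2000, ip)}")
    for mac in ("5489-98EC-1E8A", "5489-0000-0001"):   # second MAC is constructed
        print(f"acl 4000 as written, src-mac {mac}: {traffic_filter(ACL_4000_AS_WRITTEN, mac)}")
        print(f"acl 4000 with deny,  src-mac {mac}: {traffic_filter(ACL_4000_WITH_DENY, mac)}")
```

The useful habit this encodes: on a platform whose filter defaults to permit, a permit-only ACL is documentation, not enforcement, and every traffic-filter should end in a deny that is itself written down.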
Finally, test the internal-to-external requirement
## Thanks for reading; if there are mistakes, corrections are welcome.