
Small and Medium-Sized Enterprise Network Configuration Tutorial

Spring
2022/06/12 21:44:20
I. Requirements Analysis
This thesis project implements the network planning and deployment for a small or medium-sized enterprise; it can be analysed from the perspectives of system completeness, security and efficiency:
The enterprise's head office is in Guangzhou, with a branch office in Shenzhen. The head office has six departments: Management, Finance, Logistics, Sales, R&D and Production. The branch is mainly responsible for opening up new markets.
Project requirements:
(1) To guarantee intranet performance, each department gets its own VLAN, with IP addresses planned accordingly;
(2) Apply basic configuration to every device and configure routing so that the internal and external networks are connected;
(3) To guarantee network availability and reliability, configure redundancy on the core-layer devices to provide hot standby and load balancing;
(4) Configure policy-based routing at the egress so that different internal traffic reaches the Internet over the two ISP links (China Unicom and China Telecom), providing load balancing;
(5) Public IP addresses are limited, so conserve them as much as possible;
(6) The head office has several departments: the Finance department must not be accessible from other departments, all other departments may access each other, and every department may access the Internet (details to be planned by the designer);
(7) The head office runs its own web server, accessible from both the intranet and the Internet;
(8) Provide communication between the head office and the branch;
(9) Secure the intranet: monitor internal resources and traffic flows, restrict internal users' access to network resources, and use a firewall to secure traffic from the external network into the internal network.

II. Topology Diagram and IP Plan


III. Implementation
1. Firewall FW1 configuration

Basic configuration
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.10.7 255.255.255.0
gateway 192.168.10.1
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.20.7 255.255.255.0
gateway 192.168.20.1
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet1/0/3
undo shutdown
ip address 192.168.90.7 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet1/0/4
undo shutdown
ip address 10.93.93.7 255.255.255.0
gateway 10.93.93.2
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit

Configure the VPN (GRE tunnel) interface
interface Tunnel1
ip address 192.168.93.1 255.255.255.0
tunnel-protocol gre
source 10.93.93.7
destination 3.3.3.93
gre key cipher 123

Add interfaces to security zones
firewall zone trust
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface Tunnel1
firewall zone untrust
add interface GigabitEthernet1/0/4
firewall zone dmz
add interface GigabitEthernet1/0/3

Configure OSPF
ospf 1
area 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.90.0 0.0.0.255

Configure static routes
ip route-static 0.0.0.0 0.0.0.0 10.93.93.2
ip route-static 192.168.100.0 255.255.255.0 Tunnel1
ip route-static 192.168.110.0 255.255.255.0 Tunnel1

Configure static PAT (NAT server)
nat server web_server protocol tcp global 10.93.93.7 8000 inside 192.168.90.93 www
nat server ftp_server protocol tcp global 10.93.93.7 2100 inside 192.168.90.93 ftp
Configure custom inter-zone security policies
security-policy
rule name local_to_dmz
source-zone dmz
source-zone local
destination-zone dmz
destination-zone local
action permit
rule name local_to_trust
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
rule name local_to_untrust
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
rule name trust_to_dmz
source-zone dmz
source-zone trust
destination-zone dmz
destination-zone trust
action permit
rule name trust_to_untrust
source-zone trust
destination-zone untrust
action permit
rule name untrust_to_dmz
source-zone dmz
source-zone untrust
destination-zone dmz
destination-zone untrust
action permit
rule name untrust_to_trust
source-zone untrust
destination-zone trust
service gre
action permit
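
The inter-zone policy above is easiest to audit by replaying it. The following added Python script (not part of the tutorial) parses a constructed excerpt of FW1's rules, applies first-match semantics with the firewall's implicit deny, and reports which rule decides a given zone pair and service.

```python
import re

# Constructed excerpt of FW1's security-policy above (rule order preserved).
FW1_POLICY = """\
rule name trust_to_dmz
 source-zone dmz
 source-zone trust
 destination-zone dmz
 destination-zone trust
 action permit
rule name trust_to_untrust
 source-zone trust
 destination-zone untrust
 action permit
rule name untrust_to_dmz
 source-zone dmz
 source-zone untrust
 destination-zone dmz
 destination-zone untrust
 action permit
rule name untrust_to_trust
 source-zone untrust
 destination-zone trust
 service gre
 action permit
"""

def parse_policy(text):
    """One dict per 'rule name' block; repeated source-zone/destination-zone
    lines form a set, and an absent clause matches anything (assumed semantics)."""
    keys = {"source-zone": "src", "destination-zone": "dst", "service": "svc"}
    rules = []
    for line in text.splitlines():
        if m := re.match(r"rule name (\S+)", line.strip()):
            rules.append({"name": m[1], "src": set(), "dst": set(), "svc": set()})
        elif m := re.match(r"(source-zone|destination-zone|service|action) (\S+)", line.strip()):
            if m[1] == "action":
                rules[-1]["action"] = m[2]
            else:
                rules[-1][keys[m[1]]].add(m[2])
    return rules

def lookup(rules, src_zone, dst_zone, service):
    """First matching rule decides; nothing matching falls to the implicit deny."""
    for r in rules:
        if ((not r["src"] or src_zone in r["src"])
                and (not r["dst"] or dst_zone in r["dst"])
                and (not r["svc"] or service in r["svc"])):
            return r["name"], r["action"]
    return "default", "deny"
```

Two things this replay surfaces in the page's own policy: untrust_to_trust correctly admits only GRE, but trust_to_dmz and untrust_to_dmz name both zones on both sides, so the DMZ host may initiate connections into the trust zone and any service is allowed from untrust into the DMZ rather than only the two ports published by nat server. Splitting each of those rules into one direction and listing the intended services keeps the published surface at what the NAT mappings expose.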

Configure dynamic NAT (Easy IP)
nat-policy
rule name trust_to_untrust_nat
source-zone trust
egress-interface GigabitEthernet1/0/4
source-address 192.168.10.0 mask 255.255.255.0
source-address 192.168.20.0 mask 255.255.255.0
source-address 192.168.30.0 mask 255.255.255.0
source-address 192.168.40.0 mask 255.255.255.0
source-address 192.168.50.0 mask 255.255.255.0
source-address 192.168.60.0 mask 255.255.255.0
source-address 192.168.70.0 mask 255.255.255.0
source-address 192.168.80.0 mask 255.255.255.0
action source-nat easy-ip
2. Firewall FW2 configuration

Basic configuration
interface GigabitEthernet1/0/1
undo shutdown
ip address 3.3.3.93 255.255.255.0
gateway 3.3.3.254
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.100.93 255.255.255.0
gateway 192.168.100.4
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit

Configure the VPN (GRE tunnel) interface
interface Tunnel1
ip address 192.168.93.2 255.255.255.0
tunnel-protocol gre
source 3.3.3.93
destination 10.93.93.7
gre key cipher 123

Add interfaces to security zones
firewall zone trust
add interface GigabitEthernet1/0/2
add interface Tunnel1
firewall zone untrust
add interface GigabitEthernet1/0/1

Configure OSPF
ospf 1
area 0.0.0.0
network 192.168.100.0 0.0.0.255

Configure static routes
ip route-static 0.0.0.0 0.0.0.0 3.3.3.254
ip route-static 192.168.10.0 255.255.255.0 Tunnel1
ip route-static 192.168.20.0 255.255.255.0 Tunnel1
ip route-static 192.168.30.0 255.255.255.0 Tunnel1
ip route-static 192.168.40.0 255.255.255.0 Tunnel1
ip route-static 192.168.50.0 255.255.255.0 Tunnel1
ip route-static 192.168.60.0 255.255.255.0 Tunnel1
ip route-static 192.168.70.0 255.255.255.0 Tunnel1
ip route-static 192.168.80.0 255.255.255.0 Tunnel1

Configure custom inter-zone security policies
security-policy
rule name trust_to_local
source-zone trust
destination-zone local
action permit
rule name local_to_trust
source-zone local
destination-zone trust
action permit
rule name trust_to_dmz
source-zone dmz
source-zone trust
destination-zone dmz
destination-zone trust
action permit
rule name local_to_untrust
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
rule name trust_to_untrust
source-zone trust
destination-zone untrust
action permit
rule name untrust_to_trust
source-zone untrust
destination-zone trust
service gre
action permit
Configure dynamic NAT (Easy IP)
nat-policy
rule name trust_to_untrust_nat
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 192.168.100.0 mask 255.255.255.0
source-address 192.168.110.0 mask 255.255.255.0
action source-nat easy-ip
3. Core switch LSW1 basic configuration

sysname LSW1
undo info-center enable
vlan batch 30 40 50 60 70 80 1000
Configure MSTP
stp region-configuration
region-name HUAWEI
instance 1 vlan 30 to 50
instance 2 vlan 60 to 80
active region-configuration

stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy

Configure the ACL
acl number 2001
rule 5 deny source 192.168.40.0 0.0.0.255
rule 10 deny source 192.168.50.0 0.0.0.255
rule 15 deny source 192.168.60.0 0.0.0.255
rule 20 deny source 192.168.70.0 0.0.0.255
rule 25 deny source 192.168.80.0 0.0.0.255

Configure VLANs, VRRP, link aggregation and ports
interface Vlanif30
ip address 192.168.30.1 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 150
vrrp vrid 30 track interface GigabitEthernet0/0/1
vrrp vrid 30 track interface GigabitEthernet0/0/3
interface Vlanif40
ip address 192.168.40.1 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 150
vrrp vrid 40 track interface GigabitEthernet0/0/4
vrrp vrid 40 track interface GigabitEthernet0/0/1
interface Vlanif50
ip address 192.168.50.1 255.255.255.0
vrrp vrid 50 virtual-ip 192.168.50.254
vrrp vrid 50 priority 150
vrrp vrid 50 track interface GigabitEthernet0/0/5
vrrp vrid 50 track interface GigabitEthernet0/0/1
interface Vlanif60
ip address 192.168.60.1 255.255.255.0
vrrp vrid 60 virtual-ip 192.168.60.254
interface Vlanif70
ip address 192.168.70.1 255.255.255.0
vrrp vrid 70 virtual-ip 192.168.70.254
interface Vlanif80
ip address 192.168.80.1 255.255.255.0
vrrp vrid 80 virtual-ip 192.168.80.254
interface Vlanif1000
ip address 192.168.10.1 255.255.255.0

interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/1
port link-type access
port default vlan 1000
interface GigabitEthernet0/0/2
eth-trunk 1
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
traffic-filter outbound acl 2001
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/24
eth-trunk 1

Configure OSPF
ospf 1
area 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
network 192.168.50.0 0.0.0.255
network 192.168.60.0 0.0.0.255
network 192.168.70.0 0.0.0.255
network 192.168.80.0 0.0.0.255

ip route-static 0.0.0.0 0.0.0.0 192.168.10.7
4. Core switch LSW2 basic configuration

sysname LSW2
undo info-center enable
vlan batch 30 40 50 60 70 80 1000
Configure MSTP
stp region-configuration
region-name HUAWEI
instance 1 vlan 30 to 50
instance 2 vlan 60 to 80
active region-configuration

stp instance 1 root secondary
stp instance 2 root primary
stp pathcost-standard legacy

Configure the ACL
acl number 2001
rule 5 deny source 192.168.40.0 0.0.0.255
rule 10 deny source 192.168.50.0 0.0.0.255
rule 15 deny source 192.168.60.0 0.0.0.255
rule 20 deny source 192.168.70.0 0.0.0.255
rule 25 deny source 192.168.80.0 0.0.0.255

Configure VLANs, VRRP, link aggregation and ports
interface Vlanif30
ip address 192.168.30.2 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
interface Vlanif40
ip address 192.168.40.2 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
interface Vlanif50
ip address 192.168.50.2 255.255.255.0
vrrp vrid 50 virtual-ip 192.168.50.254
interface Vlanif60
ip address 192.168.60.2 255.255.255.0
vrrp vrid 60 virtual-ip 192.168.60.254
vrrp vrid 60 priority 150
vrrp vrid 60 track interface GigabitEthernet0/0/1
vrrp vrid 60 track interface GigabitEthernet0/0/6
interface Vlanif70
ip address 192.168.70.2 255.255.255.0
vrrp vrid 70 virtual-ip 192.168.70.254
vrrp vrid 70 priority 150
vrrp vrid 70 track interface GigabitEthernet0/0/1
vrrp vrid 70 track interface GigabitEthernet0/0/7
interface Vlanif80
ip address 192.168.80.2 255.255.255.0
vrrp vrid 80 virtual-ip 192.168.80.254
vrrp vrid 80 priority 150
vrrp vrid 80 track interface GigabitEthernet0/0/1
vrrp vrid 80 track interface GigabitEthernet0/0/8
interface Vlanif1000
ip address 192.168.20.1 255.255.255.0

interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/1
port link-type access
port default vlan 1000
interface GigabitEthernet0/0/2
eth-trunk 1
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
traffic-filter outbound acl 2001
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/24
eth-trunk 1

Configure OSPF
ospf 1
area 0.0.0.0
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
network 192.168.50.0 0.0.0.255
network 192.168.60.0 0.0.0.255
network 192.168.70.0 0.0.0.255
network 192.168.80.0 0.0.0.255

ip route-static 0.0.0.0 0.0.0.0 192.168.20.7
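
The two core configurations pair MSTI 1 (VLANs 30 to 50) with VRRP priority 150 on LSW1 and MSTI 2 (VLANs 60 to 80) with priority 150 on LSW2, so that for every VLAN the spanning-tree root and the VRRP master are the same switch. The following added Python check (not from the tutorial) parses constructed excerpts of both configs and lists any VLAN where that pairing is broken; it assumes, as the page does, that each VRRP vrid equals its VLAN id.

```python
import re
# Constructed excerpts of the page's LSW1/LSW2 configs: only the lines this check reads.
LSW1 = """\
vlan batch 30 40 50 60 70 80 1000
instance 1 vlan 30 to 50
instance 2 vlan 60 to 80
stp instance 1 root primary
stp instance 2 root secondary
vrrp vrid 30 priority 150
vrrp vrid 40 priority 150
vrrp vrid 50 priority 150
"""
LSW2 = """\
vlan batch 30 40 50 60 70 80 1000
instance 1 vlan 30 to 50
instance 2 vlan 60 to 80
stp instance 1 root secondary
stp instance 2 root primary
vrrp vrid 60 priority 150
vrrp vrid 70 priority 150
vrrp vrid 80 priority 150
"""

def parse(cfg):
    """Return (vlans, vlan->MSTI, MSTIs rooted here, vlan->VRRP priority).
    A VLAN without a 'priority' line keeps the VRRP default of 100."""
    vlans, vlan_inst, roots, prio = set(), {}, set(), {}
    for line in cfg.splitlines():
        if m := re.match(r"vlan batch (.+)", line):
            vlans.update(int(v) for v in m[1].split())
        elif m := re.match(r"instance (\d+) vlan (\d+) to (\d+)", line):
            vlan_inst.update({v: int(m[1]) for v in range(int(m[2]), int(m[3]) + 1)})
        elif m := re.match(r"stp instance (\d+) root primary", line):
            roots.add(int(m[1]))
        elif m := re.match(r"vrrp vrid (\d+) priority (\d+)", line):
            prio[int(m[1])] = int(m[2])
    return vlans, vlan_inst, roots, prio

def misaligned(switches):
    """VLANs whose VRRP master (highest priority) is not the root of the VLAN's
    MSTI: frames would climb to one core and be routed by the other."""
    parsed = {name: parse(cfg) for name, cfg in switches.items()}
    vlans, vlan_inst = next(iter(parsed.values()))[:2]
    bad = []
    for vlan in sorted(vlans):
        if vlan not in vlan_inst:   # CIST-only VLANs (1000 here) run no VRRP
            continue
        master = max(parsed, key=lambda n: parsed[n][3].get(vlan, 100))
        if vlan_inst[vlan] not in parsed[master][2]:
            bad.append(vlan)
    return bad
```

A mismatch is not an outage, only a detour: the access switch forwards toward the MSTI root, which then hands the packet across Eth-Trunk1 to the other core for routing, doubling the path and defeating the load sharing the design is after.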
5. Access switch LSW3 basic configuration (LSW4 to LSW8 are similar)

vlan batch 30

Configure MSTP
stp region-configuration
region-name HUAWEI
instance 1 vlan 30 to 50
instance 2 vlan 60 to 80
active region-configuration

stp pathcost-standard legacy

Configure interfaces
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Ethernet0/0/2
port link-type trunk
stp instance 2 cost 20000
interface Ethernet0/0/3
port link-type access
port default vlan 30
stp edged-port enable
interface Ethernet0/0/4
port link-type access
port default vlan 30
stp edged-port enable
6. Router AR1 basic configuration

Configure IP addresses
interface GigabitEthernet0/0/0
ip address 10.93.93.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 2.2.2.2 255.255.255.0
interface GigabitEthernet0/0/2
ip address 1.1.1.2 255.255.255.0

Configure OSPF
ospf 1
area 0.0.0.0
network 1.1.1.0 0.0.0.255
network 2.2.2.0 0.0.0.255
network 10.93.93.0 0.0.0.255

Configure static routes
ip route-static 0.0.0.0 0.0.0.0 2.2.2.254
7. Router AR2 basic configuration

Configure IP addresses
interface GigabitEthernet0/0/0
ip address 3.3.3.254 255.255.255.0
interface GigabitEthernet0/0/1
ip address 2.2.2.254 255.255.255.0

Configure OSPF
ospf 1
area 0.0.0.0
network 3.3.3.0 0.0.0.255

Configure static routes
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
8. Router AR3 basic configuration

Configure IP addresses
interface GigabitEthernet0/0/0
ip address 192.168.100.4 255.255.255.0
interface GigabitEthernet0/0/1
ip address 192.168.110.4 255.255.255.0

Configure OSPF
ospf 1
area 0.0.0.0
network 192.168.100.0 0.0.0.255
network 192.168.110.0 0.0.0.255

Configure static routes
ip route-static 0.0.0.0 0.0.0.0 192.168.100.93

IV. Testing
1. Intranet-to-intranet access test
Other departments cannot access the Finance department, while the other departments can access each other. Finance (VLAN 30), Sales (VLAN 40) and Production (VLAN 60) are used as examples, as shown in the figures:

Figure 5-1 Sales pings Production

Figure 5-2 Sales cannot ping Finance
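
The outcome of this test follows from ACL 2001 on the two core switches, and it is worth checking the policy against every department pair rather than only the two pairs in the figures. The following added Python model (not part of the tutorial) applies the ACL's wildcard rules exactly where the configuration places them, as an outbound traffic-filter on g0/0/3, the trunk toward the VLAN 30 access switch, and evaluates both directions of an exchange.

```python
import ipaddress

# Constructed model of ACL 2001 on LSW1/LSW2 ("rule N deny source NET WILDCARD"),
# applied with "traffic-filter outbound acl 2001" on g0/0/3, the trunk toward
# the Finance (VLAN 30) access switch.
ACL_2001 = [
    ("deny", "192.168.40.0", "0.0.0.255"),   # Sales
    ("deny", "192.168.50.0", "0.0.0.255"),
    ("deny", "192.168.60.0", "0.0.0.255"),   # Production
    ("deny", "192.168.70.0", "0.0.0.255"),
    ("deny", "192.168.80.0", "0.0.0.255"),
]
FINANCE = ipaddress.ip_network("192.168.30.0/24")

def wildcard_match(addr, network, wildcard):
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def acl_action(acl, src):
    """First matching rule wins; traffic-filter forwards packets that match no
    rule (assumed default for this model)."""
    for action, net, wc in acl:
        if wildcard_match(src, net, wc):
            return action
    return "permit"

def packet_allowed(src, dst):
    """Only frames leaving the core toward VLAN 30 hit the outbound filter;
    every other direction, including VLAN 30 -> elsewhere, is unfiltered."""
    if ipaddress.ip_address(dst) in FINANCE and ipaddress.ip_address(src) not in FINANCE:
        return acl_action(ACL_2001, src) == "permit"
    return True

def session_allowed(client, server):
    """The ACL is stateless, so an exchange works only if the request and
    the reply both pass the filter."""
    return packet_allowed(client, server) and packet_allowed(server, client)

if __name__ == "__main__":
    probes = [("Sales -> Finance", "192.168.40.10", "192.168.30.10"),
              ("Finance -> Sales", "192.168.30.10", "192.168.40.10"),
              ("Sales -> Production", "192.168.40.10", "192.168.60.10"),
              ("Finance -> DMZ web", "192.168.30.10", "192.168.90.93"),
              ("Finance -> AR2 (Internet side)", "192.168.30.10", "2.2.2.254")]
    for label, c, s in probes:
        print(f"{label:32s} {'ok' if session_allowed(c, s) else 'blocked'}")
```

Because the filter is a stateless basic ACL matching only on source address, it also drops the replies to connections that Finance itself opens toward VLANs 40 to 80, while Finance still reaches the DMZ server and the Internet unhindered; if Finance needs to initiate sessions to other departments, the rule set has to become an advanced ACL (matching destination and TCP state) or move to the stateful firewall.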

2. Redundancy test
When the head office intranet accesses the external network, under normal conditions VLANs 30 to 50 go through switch LSW1 and VLANs 60 to 80 through switch LSW2; when a device fails, traffic switches over to the standby device and access continues. Finance (VLAN 30) and Production (VLAN 60) are used for the test.
With all devices healthy, the path from Finance to the external network is shown in the figure:


Figure 5-3 Path from Finance to the external network
Shut down port g0/0/1 of core switch LSW1 and trace the Finance path, as shown in Figure 5-5


Figure 5-5 Tracing the path from Production to the external network
Shut down port g0/0/5 of core switch LS4 and trace the Finance path, as shown in Figure 5-8

Figure 5-6 Tracing the Production path during a device failure

3. Intranet and Internet access to the servers
All hosts on the intranet can reach the servers in the firewall's DMZ; Production is used as the example here


Figure 5-7 Finance accesses the web server
External hosts can reach the server through its public IP address.

Figure 5-8 External access to the web server
5.3 Intranet access to the Internet (NAT)
When Sales (VLAN 40) accesses the external network, as in Figure 5-12, the session table on the firewall shows the source address translated to the IP address of interface g1/0/4, as in Figure 5-13:


Figure 5-9 Sales accesses the external network

Figure 5-10 Viewing the session table on the firewall

4. Mutual access between head office and branch
Tested with Management (VLAN 10) and Sales (VLAN 40), as shown in Figures 5-16 and 5-17


Figure 5-11 Head office pings the branch

Figure 5-12 Viewing the session table on the firewall

Figure 5-13 Branch pings the head office

Figure 5-14 Viewing the session table on the firewall