→b站直通车,感谢大佬←
→eNSP中小型园区网络拓扑搭建(下)←
不带配置命令的拓扑图已上传~
项目背景:
- 某公司准备新建一张网络供企业办公使用。写字楼共3层,一层会客大厅、二层行政部及市场部、三层研发部。一层设有核心机房,其他各楼层均有一个小房间放置网络设备。
- 在网络中终端分部量如下:一层:10台有线终端。二层和三层:均有200台有线终端。在企业网络内,主要流量为内部流量,保证有线终端至少百兆接入。
- 在网络设计时,二三层网络都需要有一定的冗余与故障切换能力,保证业务不会因故障而中断。出于安全性需求,需要对网络流量做一定程度的管控。在园区出口处,采用静态ip方式接入互联网。
会客大厅、行政部及市场部、研发部、FTP服务器、外网
基础需求:
- 仅允许访客区可以访问internet,不允许访问其他部门
- 市场部与行政部之间可以相互访问,但不允许访问研发部
- .研发部作为公司核心部门,掌握公司核心数据,仅允许其访问ftp服务器,不允许其访问其他部门和访问internet
安全调优:
- 二层安全
- 在二层网络中确保根桥位置不被抢占(根防护)
- 确保连接终端接口不能接受处理budu(bpdu防护)
- 连接终端的接口要快速进入转发状态(边缘端口)
- 为抵御mac范洪攻击,需要在交换机上限制学习mac地址的数量(端口安全)
- 三层安全
-
仅允许访客区可以访问Internet,不允许访问其他任何部门
-
市场部与行政部之间可以互相访问,但不允许访问研发部
-
研发部作为公司核心部门,掌握公司核心数据,仅允许其访问FTP服务器,不允许其 访问其他部门和访问Internet
vlan设计
- 核心机房的接入交换机直接连接服务器,所有服务器属于同一个vlan
- 一层访客大厅规划单独的vlan
- 二楼行政部和市场部属于不同的vlan
- 三楼研发部规划到不同的vlan
- 交换机所有互联接口需要明确放行所需vlan(不能放行all)
- 另外注意预留设备互联vlan,设备管理vlan,每台交换设备需要配置一个管理vlan,方便后期进行监控管理
SW1~4,SW7
#
vlan batch 10 20 30 40 100 200
#
SW1
#
interface GigabitEthernet0/0/1port link-type accessport default vlan 10
#
interface GigabitEthernet0/0/2port link-type trunkport trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/3port link-type trunkport trunk allow-pass vlan 10
#
SW2
#
interface GigabitEthernet0/0/1port link-type accessport default vlan 20
#
interface GigabitEthernet0/0/2port link-type trunkport trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3port link-type trunkport trunk allow-pass vlan 20
#
SW3
#
interface GigabitEthernet0/0/1port link-type accessport default vlan 30
#
interface GigabitEthernet0/0/2port link-type trunkport trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/3port link-type trunkport trunk allow-pass vlan 30
#
SW4
#
interface GigabitEthernet0/0/1port link-type accessport default vlan 40
#
interface GigabitEthernet0/0/2port link-type trunkport trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/3port link-type trunkport trunk allow-pass vlan 40
#
SW7
#
interface GigabitEthernet0/0/1port link-type accessport default vlan 200
#
interface GigabitEthernet0/0/2port link-type trunkport trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/3port link-type trunkport trunk allow-pass vlan 200
#
SW5
#
vlan batch 10 20 30 40 51 52 61 62 100 200
#//链路聚合
[SW5]int Eth-Trunk 1
[SW5-Eth-Trunk1]trunkport g0/0/11
[SW5-Eth-Trunk1]trunkport g0/0/12#
interface GigabitEthernet0/0/1port link-type trunkport trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2port link-type trunkport trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3port link-type trunkport trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/4port link-type trunkport trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/5port link-type trunkport trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/6port link-type accessport default vlan 51
#
interface GigabitEthernet0/0/7port link-type accessport default vlan 52
#
SW6
#
vlan batch 10 20 30 40 51 52 61 62 100 200
#//链路聚合
[SW6]int Eth-Trunk 1
[SW6-Eth-Trunk1]trunkport g0/0/11
[SW6-Eth-Trunk1]trunkport g0/0/12#
interface GigabitEthernet0/0/1port link-type trunkport trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2port link-type trunkport trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3port link-type trunkport trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/4port link-type trunkport trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/5port link-type trunkport trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/6port link-type accessport default vlan 62
#
interface GigabitEthernet0/0/7port link-type accessport default vlan 61
#
SW8
[SW8]v b 18 28 100
#
interface GigabitEthernet0/0/1port link-type accessport default vlan 100
#
interface GigabitEthernet0/0/2port link-type accessport default vlan 18
#
interface GigabitEthernet0/0/3port link-type accessport default vlan 28
#
二层环路消除
- 使用mstp防环,所有交换机网络处于相同mstp域,域名为tjise
- 要求生成树的根桥集中在汇聚层,并且考虑未来部署vrrp时,为避免次优路径,vrrp的master与mstp根桥保持一致。
- 对于设备间互联的多条链路,使用链路聚合来消除环路
SW1~7
#
stp region-configurationregion-name tjiseinstance 1 vlan 10instance 2 vlan 20 30instance 4 vlan 40instance 5 vlan 200active region-configuration
#
SW5
[SW5]stp instance 1 root primary
[SW5]stp instance 2 root primary
[SW5]stp instance 4 root secondary
[SW5]stp instance 5 root secondary
SW6
[SW6]stp instance 1 root secondary
[SW6]stp instance 2 root secondary
[SW6]stp instance 4 root primary
[SW6]stp instance 5 root primary
三层网络设计
- 网络地址层规划
- ip地址设计要与vlan编号形成对应关系
- 除设备互联vlan、管理vlan以及服务器ip地址外,其他终端的ip地址均用dhcp动态分配
SW5
#
interface Vlanif10ip address 192.168.10.5 255.255.255.0vrrp vrid 10 virtual-ip 192.168.10.254vrrp vrid 10 priority 120
#
interface Vlanif20ip address 192.168.20.5 255.255.255.0vrrp vrid 20 virtual-ip 192.168.20.254vrrp vrid 20 priority 120
#
interface Vlanif30ip address 192.168.30.5 255.255.255.0vrrp vrid 30 virtual-ip 192.168.30.254vrrp vrid 30 priority 120
#
interface Vlanif40ip address 192.168.40.5 255.255.255.0vrrp vrid 40 virtual-ip 192.168.40.254
#
interface Vlanif51ip address 192.168.51.5 255.255.255.0
#
interface Vlanif52ip address 192.168.52.5 255.255.255.0
#
interface Vlanif200ip address 192.168.200.5 255.255.255.0vrrp vrid 200 virtual-ip 192.168.200.254
#
SW6
#
interface Vlanif10ip address 192.168.10.6 255.255.255.0vrrp vrid 10 virtual-ip 192.168.10.254
#
interface Vlanif20ip address 192.168.20.6 255.255.255.0vrrp vrid 20 virtual-ip 192.168.20.254
#
interface Vlanif30ip address 192.168.30.6 255.255.255.0vrrp vrid 30 virtual-ip 192.168.30.254
#
interface Vlanif40ip address 192.168.40.6 255.255.255.0vrrp vrid 40 virtual-ip 192.168.40.254vrrp vrid 40 priority 120
#
interface Vlanif61ip address 192.168.61.6 255.255.255.0
#
interface Vlanif62ip address 192.168.62.6 255.255.255.0
#
interface Vlanif200ip address 192.168.200.6 255.255.255.0vrrp vrid 200 virtual-ip 192.168.200.254vrrp vrid 200 priority 120
#
SW8
#
interface Vlanif18ip address 192.168.18.8 255.255.255.0
#
interface Vlanif28ip address 192.168.28.8 255.255.255.0
#
interface Vlanif100ip address 192.168.100.8 255.255.255.0
#
Server-ftp
AR1
#
interface GigabitEthernet0/0/0ip address 192.168.51.1 255.255.255.0
#
interface GigabitEthernet0/0/1ip address 192.168.52.1 255.255.255.0
#
interface GigabitEthernet0/0/2ip address 192.168.13.1 255.255.255.0
#
interface GigabitEthernet3/0/0ip address 192.168.18.1 255.255.255.0
#
interface GigabitEthernet4/0/0ip address 192.168.12.1 255.255.255.0
#
AR2
#
interface GigabitEthernet0/0/0ip address 192.168.62.2 255.255.255.0
#
interface GigabitEthernet0/0/1ip address 192.168.61.2 255.255.255.0
#
interface GigabitEthernet0/0/2ip address 192.168.23.2 255.255.255.0
#
interface GigabitEthernet3/0/0ip address 192.168.28.2 255.255.255.0
#
interface GigabitEthernet4/0/0ip address 192.168.12.2 255.255.255.0
#
AR3
#
interface GigabitEthernet0/0/0ip address 123.123.123.3 255.255.255.0
#
interface GigabitEthernet0/0/1ip address 192.168.13.3 255.255.255.0
#
interface GigabitEthernet0/0/2ip address 192.168.23.3 255.255.255.0
#
interface GigabitEthernet4/0/0ip address 123.123.124.3 255.255.255.0
#
Server2
配置DHCP
AR-DHCP
#
ip pool vlan10gateway-list 192.168.10.254 network 192.168.10.0 mask 255.255.255.0 excluded-ip-address 192.168.10.5 192.168.10.6
#
ip pool vlan20gateway-list 192.168.20.254 network 192.168.20.0 mask 255.255.255.0 excluded-ip-address 192.168.20.5 192.168.20.6
#
ip pool vlan30gateway-list 192.168.30.254 network 192.168.30.0 mask 255.255.255.0 excluded-ip-address 192.168.30.5 192.168.30.6
#
ip pool vlan40gateway-list 192.168.40.254 network 192.168.40.0 mask 255.255.255.0 excluded-ip-address 192.168.40.5 192.168.40.6
#[AR-DHCP]dhcp en#
interface GigabitEthernet0/0/0ip address 192.168.200.1 255.255.255.0 dhcp select global
#
SW5 SW6
[SW5]dhcp en
[SW5]int vlan 10
[SW5-Vlanif10]dhcp select relay
[SW5-Vlanif10]dhcp relay server-ip 192.168.200.1[SW5]int vlan 20
[SW5-Vlanif10]dhcp select relay
[SW5-Vlanif10]dhcp relay server-ip 192.168.200.1[SW5]int vlan 30
[SW5-Vlanif10]dhcp select relay
[SW5-Vlanif10]dhcp relay server-ip 192.168.200.1[SW5]int vlan 40
[SW5-Vlanif10]dhcp select relay
[SW5-Vlanif10]dhcp relay server-ip 192.168.200.1
PC成功获取到ip地址