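Enterprise Network Planning and Design with Huawei eNSP: Including a Firewall and a Wireless Network Zone
- Preface
- Overall Network Topology
- Interface Information
- 1. Project Overview
- 1.1 Project Introduction
- 1.2 Overall Functional Design
- 2. Requirements Analysis
- 2.1 Overall Requirements
- 2.2 Specific Requirements
- 2.3 Non-Functional Requirements
- 2.4 Network Architecture Technical Requirements
- 3. Feasibility Analysis
- 3.1 Technical Feasibility Analysis
- 3.2 Economic Benefit Analysis
- 3.3 Social Benefit Analysis
- 3.4 Project Risk Analysis
- 4. Overall Design
- 4.1 Enterprise Headquarters
- 4.2 Intermediate Framework Design
- 4.3 Enterprise External Network
- 5. Detailed Design
- 5.1 Overall Topology Diagram
- 5.2 Structure Overview
- 5.2.1 Basic Internal Enterprise Design
- 5.2.2 Enterprise Core Layer and Firewall Design
- 5.2.3 Enterprise Server Cluster Design
- 5.2.4 Enterprise Wireless Network Zone Design
- 5.2.5 Enterprise External Network Design
- 5.3 Configuration Overview
- 5.3.1 AR1
- 5.3.2 AR2
- 5.3.3 ISP
- 5.3.4 FW1
- 5.3.5 LSW1
- 5.3.6 LSW2
- 5.3.7 LSW3
- 5.3.8 LSW4
- 5.3.9 LSW5
- 5.3.10 LSW6
- 5.3.11 LSW7
- 5.3.12 LSW8
- 5.3.13 LSW9
- 5.3.14 LSW10
- 5.3.15 LSW11
- 5.3.16 AC1
- 6. System Testing
- Automatic IP address assignment via DHCP inside the company
- Mutual access between departments
- Setting up the firewall and firewall policies
- Setting up DNS name resolution
- Setting up the HTTP server
- Setting up the FTP server
- Department clients accessing the HTTP, DNS and FTP servers through firewall policies
- Internal access to the external network through the firewall
- Internal access to external HTTP through the firewall
- Internal access to the DMZ (the server cluster in the protected zone) through the firewall
- DNS server resolving internal company IP addresses
- Wireless network zone
- Devices connecting to the wireless network
- DHCP assigning IP addresses
- Wireless zone accessing the enterprise's external network
- Conclusion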
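Preface
This article summarizes and records a course design project for the Communication Network Comprehensive Practice course, and shares the experience gained during the project. Because the project has been continuously optimized and iterated, some of the configuration shown here may differ from the final solution. Readers are welcome to leave suggestions in the comments and discuss. The article is mainly aimed at readers who already have basic eNSP knowledge.
This design fully meets the course design standard; if you want to do better, you can modify the configuration yourself.
If a feature does not work, the device model or software version may be wrong. Feel free to leave a comment; I will reply at any time.
A Win10 installation link is also attached.
You can also read my other articles on enterprise network planning and design:
Enterprise Network Planning and Design Based on Huawei eNSP
IP Enterprise Network Planning Based on eNSP
Overall Network Topology
Interface Information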
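1. Project Overview
1.1 Project Introduction
This project designs and simulates the complete network planning and infrastructure of a small-to-medium enterprise. It covers the network layout of each internal department, wireless coverage planning, the architecture of the server cluster, switch redundancy protection and link aggregation, and the layered design of the enterprise switches into access, aggregation and core layers.
1. Provide efficient network interconnection between internal departments and organizations.
2. Build a secure, stable and efficient data transmission environment to ensure reliable network operation.
3. Evaluate and appropriately deploy VPN technology to support secure communication for branch offices in different regions.
4. Plan and configure DNS services to improve network access efficiency and user experience.
5. Design and simulate enterprise firewall policies to improve network security and defend against potential threats.
6. Configure a wireless network zone for staff that can use DNS and reach the external network through the firewall.
The design must fully take into account the enterprise's actual business needs, network security, scalability, and later operations and maintenance costs.
1.2 Overall Functional Design
The whole network uses a layered architecture. The internal network interconnects all organizations and departments and hosts public servers shared by the departments. The external network connects to the Internet over a carrier line, and a firewall is used to prevent external users from attacking the servers on the internal network, while the internal network is allowed to obtain external resources through the firewall and the DNS server, balancing business convenience with network security. In addition, a wireless network zone is provided for internal staff to improve convenience and user experience.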
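2. Requirements Analysis
2.1 Overall Requirements
Headquarters communicates with the Internet through the firewall; designated internal departments can access the servers; employees can access one another; the external network cannot access company information through the firewall; DNS, HTTP and FTP servers are deployed inside the company; prohibit … The design approach we use follows the three-layer switching architecture: the core layer provides high-speed forwarding, redundancy and load balancing; the aggregation layer performs policy control (ACL, VLAN, QoS, packet filtering, route selection, multicast management); and the access layer connects users, providing many ports and user access control.
2.2 Specific Requirements
① The information center configures Eth-Trunk for link redundancy.
② The internal network is divided into multiple VLANs to reduce the size of broadcast domains and improve network stability.
③ The core switches act as user gateways and route between VLANs.
④ All users obtain their IP addresses automatically.
⑤ NAT is configured at the egress for address translation.
⑥ A firewall is designed to protect the enterprise's privacy.
⑦ The external network connects to the Internet over a carrier line.
⑧ The internal network is allowed to obtain external resources through the firewall and the DNS server.
⑨ An enterprise wireless network zone is designed so that employees can access the Internet easily.
⑩ A firewall and a server cluster are designed, along with standby switches and routers to guard against sudden outages.
2.3 Non-Functional Requirements
Domain names are resolved through DNS. The overall structure is redundant, can handle the information that needs to be delivered in a timely manner, and guards against sudden device failure.
2.4 Network Architecture Technical Requirements
1. Deploy Eth-Trunk to provide link redundancy between switches.
2. Use the core switches as gateways to provide intelligent routing between VLANs.
3. Configure DHCP for automatic IP address allocation and management.
4. Deploy NAT on the egress router for address translation.
5. Support the firewall, server cluster, wireless access zone and other required designs.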
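3. Feasibility Analysis
3.1 Technical Feasibility Analysis
The technologies used in this design are USG6000V firewall configuration, wireless AC and AP configuration, VRRP (Virtual Router Redundancy Protocol), OSPF (Open Shortest Path First), NAT (Network Address Translation), DHCP (Dynamic Host Configuration Protocol), MSTP (Multiple Spanning Tree Protocol), ACL (Access Control List), VLAN planning and design, IP address planning and design, static default routing, DNS (Domain Name System) and link aggregation. Together they implement the functions required between departments, and the protocols run well alongside one another. The desired functions and requirements can be achieved in the simulator, and when the design is applied to a real enterprise only the corresponding configuration is needed. Because the protocols work together well, the project is technically feasible.
3.2 Economic Benefit Analysis
The project is built with fairly ordinary switches and routers, which are configured to provide the required functions. Economically, the desired functions are achieved at low cost rather than with expensive switches and routers, so the project is economically feasible.
3.3 Social Benefit Analysis
The project is built on a simulated enterprise network, so it should be realizable for a real enterprise. It simulates the operation of an enterprise network well, can serve as a model for real businesses, and provides the network interaction and the various functions required.
3.4 Project Risk Analysis
The project deploys a firewall that can block attacks from the external network against the enterprise interior in real time, and a wireless zone for quick and convenient Internet access. Departments and the external network communicate using OSPF. Some specific protection mechanisms have not been implemented in the project. Overall, the project is usable for a small enterprise, but security protection received little consideration; only the required functions were implemented. Protection therefore still needs to be addressed later before the project can be properly deployed in an enterprise.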
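4. Overall Design
This section is only a brief summary and does not go into detail.
4.1 Enterprise Headquarters
There are six departments: Sales (VLAN 10), Marketing (VLAN 20), Finance (VLAN 30), Meeting Room (VLAN 40), R&D (VLAN 50) and Production (VLAN 60). There is also an internal wireless zone with its controller, which manages the signal and related settings of the zone. The wireless network name is Huawei and the password is huawei@123. All departments can access one another.
4.2 Intermediate Framework Design
This part implements link redundancy and the interaction between the core switches, gateway configuration and related operations, and the core layer. It also covers the server cluster with DNS name resolution, the firewall and other measures that protect against attacks from the Internet, and the design of the NAT router and the external network.
4.3 Enterprise External Network
This part uses a simple OSPF and NAT design, with some basic Internet clients, Internet PCs and an Internet HTTP server.
5. Detailed Design
5.1 Overall Topology Diagram
5.2 Structure Overview
5.2.1 Basic Internal Enterprise Design
5.2.2 Enterprise Core Layer and Firewall Design
5.2.3 Enterprise Server Cluster Design
5.2.4 Enterprise Wireless Network Zone Design
5.2.5 Enterprise External Network Design
5.3 Configuration Overview
There is too much content and configuration to describe in text; see the figures.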
5.3.1 AR1
[V200R003C00]
#
sysname AR1
#
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 192.168.80.21 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 192.168.80.17 255.255.255.252
#
interface GigabitEthernet0/0/2
ip address 192.168.80.6 255.255.255.252
#
interface GigabitEthernet4/0/0
ip address 192.168.80.14 255.255.255.252
#
interface NULL0
#
ospf 30
area 0.0.0.0
network 192.168.80.4 0.0.0.3
network 192.168.80.12 0.0.0.3
network 192.168.80.16 0.0.0.3
network 192.168.80.20 0.0.0.3
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
5.3.2 AR2
[V200R003C00]
#
sysname AR2
#
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 192.168.80.25 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 192.168.80.18 255.255.255.252
#
interface GigabitEthernet0/0/2
ip address 192.168.80.2 255.255.255.252
#
interface GigabitEthernet4/0/0
ip address 192.168.80.10 255.255.255.252
#
interface NULL0
#
ospf 40
area 0.0.0.0
network 192.168.80.0 0.0.0.3
network 192.168.80.8 0.0.0.3
network 192.168.80.16 0.0.0.3
network 192.168.80.24 0.0.0.3
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
5.3.3 ISP
[V200R003C00]
#
sysname ISP
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 94.65.28.1 255.255.255.240
#
interface GigabitEthernet0/0/1
ip address 46.35.88.2 255.255.255.240
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
5.3.4 FW1
!Software Version V500R005C10SPC300
!Last configuration was saved at 2024-11-26 22:55:02 UTC
#
sysname FW1
#
l2tp domain suffix-separator @
#
undo info-center enable
#
ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
update schedule location-sdb weekly Sun 23:54
#
firewall defend action discard
#
banner enable
#
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
undo ips log merge enable
#
decoding uri-cache disable
#
update schedule ips-sdb daily 05:37
update schedule av-sdb daily 05:37
update schedule sa-sdb daily 05:37
update schedule cnc daily 05:37
update schedule file-reputation daily 05:37
#
ip vpn-instance default
ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%L0,~O3:KVKNO]h/Cb!a<C{
Kw6GU8DttPcS0@Tc3Emm(T{
KzC@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%uJa|Tb9e7AK@sH-Gd_02o\>nzD)MJ*|ii*v@AtYo\l+R\>qo@%@%
level 15
manager-user admin
password cipher @%@%]Sp":!7&*~w0-U&q\6}.E.V!+h0}40lhvQfQRZ9\9WH<.V$E@%@%
service-type web terminal
level 15
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
alias GE0/METH
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 46.35.88.1 255.255.255.240
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.90.254 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.80.22 255.255.255.252
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 192.168.80.26 255.255.255.252
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#
ospf 50
default-route-advertise always
area 0.0.0.0
network 192.168.80.20 0.0.0.3
network 192.168.80.24 0.0.0.3
network 192.168.90.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 46.35.88.2
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
right-manager server-group
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
rule name tr-untr
source-zone trust
destination-zone untrust
source-address 192.168.0.0 0.0.255.255
action permit
rule name tr-dmz
source-zone trust
destination-zone dmz
source-address 192.168.0.0 0.0.255.255
destination-address 192.168.90.0 0.0.0.255
action permit
rule name lo-untr
source-zone local
destination-zone untrust
action permit
rule name lo-dmz
source-zone local
destination-zone dmz
action permit
rule name lo-tr
source-zone local
destination-zone trust
action permit
rule name untr-tr
source-zone untrust
destination-zone trust
action permit
rule name untr-lo
source-zone untrust
destination-zone local
action permit
rule name un-dmz
source-zone untrust
destination-zone dmz
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
rule name easy-ip
source-zone trust
source-address 192.168.0.0 0.0.255.255
action source-nat easy-ip
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
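The requirement in section 2.1 that the external network must not reach company information can be checked mechanically against the FW1 security-policy above. The Python script below is an added example, not part of the original article: it parses the flattened configuration text and reports permit rules sourced from the untrust zone that carry no address or service condition, plus management services permitted on untrust-zone interfaces. The function names and the set of protocols treated as insecure are assumptions of this example.

```python
# Excerpt of the FW1 configuration from this page (flattened, as published).
FW1_EXCERPT = """\
interface GigabitEthernet1/0/0
undo shutdown
ip address 46.35.88.1 255.255.255.240
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
security-policy
rule name tr-untr
source-zone trust
destination-zone untrust
source-address 192.168.0.0 0.0.255.255
action permit
rule name untr-tr
source-zone untrust
destination-zone trust
action permit
rule name untr-lo
source-zone untrust
destination-zone local
action permit
rule name un-dmz
source-zone untrust
destination-zone dmz
action permit
#
"""

# Assumption of this example: these management protocols are treated as unsafe
# to expose on an Internet-facing interface.
INSECURE_MGMT = {"http", "snmp", "telnet"}
# Conditions that narrow a rule; a permit rule with none of them matches everything.
MATCH_KEYS = ("source-address", "destination-address", "service")


def parse(config):
    """Return (zone -> interfaces, interface -> permitted services, policy rules)."""
    zones, mgmt, rules = {}, {}, []
    section, name = None, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "#":          # '#' closes the current stanza
            section = None
        elif words[:2] == ["firewall", "zone"]:
            section, name = "zone", words[-1]
            zones.setdefault(name, [])
        elif words[0] == "interface":
            section, name = "iface", words[1]
            mgmt.setdefault(name, set())
        elif words == ["security-policy"]:
            section = "policy"
        elif section == "zone" and words[:2] == ["add", "interface"]:
            zones[name].append(words[2])
        elif section == "iface" and words[0] == "service-manage" and words[-1] == "permit":
            mgmt[name].add(words[1])
        elif section == "policy" and words[:2] == ["rule", "name"]:
            rules.append({"name": words[2]})
        elif section == "policy" and rules:       # any other line belongs to the last rule
            rules[-1].setdefault(words[0], []).append(" ".join(words[1:]))
    return zones, mgmt, rules


def audit(config):
    """List findings that contradict 'outside must not reach inside'."""
    zones, mgmt, rules = parse(config)
    findings = []
    for rule in rules:
        from_untrust = "untrust" in rule.get("source-zone", [])
        unrestricted = not any(key in rule for key in MATCH_KEYS)
        if from_untrust and unrestricted and rule.get("action") == ["permit"]:
            dst = ",".join(rule.get("destination-zone", ["any"]))
            findings.append(f"rule {rule['name']}: permits all traffic from untrust to {dst}")
    for iface in zones.get("untrust", []):
        exposed = sorted(INSECURE_MGMT & mgmt.get(iface, set()))
        if exposed:
            findings.append(f"{iface} (untrust zone): service-manage permits {', '.join(exposed)}")
    return findings


if __name__ == "__main__":
    for finding in audit(FW1_EXCERPT):
        print(finding)
```

Narrowing each untrust-sourced rule with a destination address and service, and removing the cleartext service-manage entries from GigabitEthernet1/0/0, clears every finding.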
5.3.5 LSW1
#
sysname LSW1
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type access
port default vlan 10
#
interface Ethernet0/0/3
port link-type access
port default vlan 10
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
5.3.6 LSW2
#
sysname LSW2
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type access
port default vlan 20
#
interface Ethernet0/0/3
port link-type access
port default vlan 20
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
5.3.7 LSW3
#
sysname LSW3
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type access
port default vlan 30
#
interface Ethernet0/0/3
port link-type access
port default vlan 30
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
5.3.8 LSW4
#
sysname LSW4
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type access
port default vlan 40
#
interface Ethernet0/0/3
port link-type access
port default vlan 40
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
5.3.9 LSW5
#
sysname LSW5
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type access
port default vlan 50
#
interface Ethernet0/0/3
port link-type access
port default vlan 50
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
5.3.10 LSW6
#
sysname LSW6
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type access
port default vlan 60
#
interface Ethernet0/0/3
port link-type access
port default vlan 60
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
5.3.11 LSW7
#
sysname LSW7
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
region-name huawei
revision-level 5
instance 1 vlan 10 20 30
instance 2 vlan 40 50 60
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
5.3.12 LSW8
#
sysname LSW8
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
region-name huawei
revision-level 5
instance 1 vlan 10 20 30
instance 2 vlan 40 50 60
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
5.3.13 LSW9
#
sysname LSW9
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
region-name huawei
revision-level 5
instance 1 vlan 10 20 30
instance 2 vlan 40 50 60
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
5.3.14 LSW10
#
sysname LSW10
#
undo info-center enable
#
vlan batch 5 9 to 10 20 30 40 50 60 100 to 101
#
stp instance 1 root primary
stp instance 2 root secondary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
stp region-configuration
region-name huawei
revision-level 5
instance 1 vlan 10 20 30
instance 2 vlan 40 50 60
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif5
ip address 192.168.80.5 255.255.255.252
#
interface Vlanif9
ip address 192.168.80.9 255.255.255.252
#
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.252
vrrp vrid 10 priority 101
vrrp vrid 10 track interface GigabitEthernet0/0/1
vrrp vrid 10 track interface GigabitEthernet0/0/2
dhcp select interface
#
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.252
vrrp vrid 20 priority 101
vrrp vrid 20 track interface GigabitEthernet0/0/1
vrrp vrid 20 track interface GigabitEthernet0/0/2
dhcp select interface
#
interface Vlanif30
ip address 192.168.30.254 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.252
vrrp vrid 30 priority 101
vrrp vrid 30 track interface GigabitEthernet0/0/1
vrrp vrid 30 track interface GigabitEthernet0/0/2
dhcp select interface
#
interface Vlanif40
ip address 192.168.40.254 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.252
vrrp vrid 40 track interface GigabitEthernet0/0/1
vrrp vrid 40 track interface GigabitEthernet0/0/2
dhcp select interface
#
interface Vlanif50
ip address 192.168.50.254 255.255.255.0
vrrp vrid 50 virtual-ip 192.168.50.252
vrrp vrid 50 track interface GigabitEthernet0/0/1
vrrp vrid 50 track interface GigabitEthernet0/0/2
dhcp select interface
#
interface Vlanif60
ip address 192.168.60.254 255.255.255.0
vrrp vrid 60 virtual-ip 192.168.60.252
vrrp vrid 60 track interface GigabitEthernet0/0/1
vrrp vrid 60 track interface GigabitEthernet0/0/2
dhcp select interface
#
interface MEth0/0/1
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 9
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ospf 10
area 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
network 192.168.50.0 0.0.0.255
network 192.168.60.0 0.0.0.255
network 192.168.80.4 0.0.0.3
network 192.168.80.8 0.0.0.3
#
user-interface con 0
user-interface vty 0 4
#
return
5.3.15 LSW11
#
sysname LSW11
#
undo info-center enable
#
vlan batch 10 to 11 13 20 30 40 50 60 100 to 101
#
stp instance 1 root secondary
stp instance 2 root primary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
stp region-configuration
region-name huawei
revision-level 5
instance 1 vlan 10 20 30
instance 2 vlan 40 50 60
active region-configuration
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 192.168.10.253 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.252
vrrp vrid 10 track interface GigabitEthernet0/0/1
vrrp vrid 10 track interface GigabitEthernet0/0/2
dhcp select interface
#
interface Vlanif11
ip address 192.168.80.1 255.255.255.252
#
interface Vlanif13
ip address 192.168.80.13 255.255.255.252
#
interface Vlanif20
ip address 192.168.20.253 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.252
vrrp vrid 20 track interface GigabitEthernet0/0/1
vrrp vrid 20 track interface GigabitEthernet0/0/2
dhcp select interface
#
interface Vlanif30
ip address 192.168.30.253 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.252
vrrp vrid 30 track interface GigabitEthernet0/0/1
vrrp vrid 30 track interface GigabitEthernet0/0/2
dhcp select interface
#
interface Vlanif40
ip address 192.168.40.253 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.252
vrrp vrid 40 priority 101
vrrp vrid 40 track interface GigabitEthernet0/0/1
vrrp vrid 40 track interface GigabitEthernet0/0/2
dhcp select interface
#
interface Vlanif50
ip address 192.168.50.253 255.255.255.0
vrrp vrid 50 virtual-ip 192.168.50.252
vrrp vrid 50 priority 101
vrrp vrid 50 track interface GigabitEthernet0/0/1
vrrp vrid 50 track interface GigabitEthernet0/0/2
dhcp select interface
#
interface Vlanif60
ip address 192.168.60.253 255.255.255.0
vrrp vrid 60 virtual-ip 192.168.60.252
vrrp vrid 60 priority 101
vrrp vrid 60 track interface GigabitEthernet0/0/1
vrrp vrid 60 track interface GigabitEthernet0/0/2
dhcp select interface
#
interface Vlanif100
ip address 192.168.100.254 255.255.255.0
#
interface MEth0/0/1
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 13
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 11
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ospf 20
area 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
network 192.168.50.0 0.0.0.255
network 192.168.60.0 0.0.0.255
network 192.168.80.0 0.0.0.3
network 192.168.80.12 0.0.0.3
network 192.168.100.0 0.0.0.255
#
user-interface con 0
user-interface vty 0 4
#
return
5.3.16 AC1
[V200R007C10SPC300]
#
sysname AC1
#
set memory-usage threshold 0
#
ssl renegotiation-rate 1
#
vlan batch 100 to 101
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
rsa local-key-pair default
enrollment self-signed
#
ike proposal default
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme radius
radius-server default
domain default_admin
authentication-scheme default
local-user admin password irreversible-cipher $1a$&yLp9%<W{1$DmVx<tTL10yhw.=@uUo~;6NEKt8Q2UvbR9"KvI{L$
local-user admin privilege level 15
local-user admin service-type http
#
interface Vlanif100
ip address 192.168.100.3 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 192.168.101.1 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
undo negotiation auto
duplex half
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
undo negotiation auto
duplex half
#
interface GigabitEthernet0/0/22
undo negotiation auto
duplex half
#
interface GigabitEthernet0/0/23
undo negotiation auto
duplex half
#
interface GigabitEthernet0/0/24
undo negotiation auto
duplex half
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface NULL0
#
undo info-center enable
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
capwap source interface vlanif101
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
protocol inbound all
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name sec
security wpa2 psk pass-phrase %^%#VwyvDRU2gY4{/`>o$YEK-Xn33WMC05!b8(WdJovD%^%# aes
security-profile name default
security-profile name default-wds
security-profile name default-mesh
ssid-profile name ssid
ssid huawei
ssid-profile name default
vap-profile name vap
forward-mode tunnel
service-vlan vlan-id 100
ssid-profile ssid
security-profile sec
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap-group name ap
regulatory-domain-profile domain1
radio 0
vap-profile vap wlan 1
radio 1
vap-profile vap wlan 1
radio 2
vap-profile vap wlan 1
ap-group name default
ap-id 0 type-id 56 ap-mac 00e0-fc5d-67d0 ap-sn 210235448310DF1C2420
ap-name area1
ap-group ap
provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return
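An added example, not part of the original configurations: a small Python check that scans a VRP configuration dump like the ones above and lists settings worth reviewing before the design is used outside an eNSP lab. The rule list, the `audit` function and the `SAMPLE` excerpt are this example's own choices.

```python
import re

# Rule set chosen for this example (not from the page): pattern -> finding.
RULES = [
    (r"^local-user \S+ password simple\b", "local-user password stored in plaintext"),
    (r"^protocol inbound all$", "VTY accepts Telnet as well as SSH"),
    (r"^ssh (server|client) key-exchange .*sha1", "SSH key exchange relies on SHA-1"),
    (r"^port trunk allow-pass vlan 2 to 4094$", "trunk carries every VLAN, not only those in use"),
    (r"^undo info-center enable$", "information center (logging) is disabled"),
    (r"^security wpa2 psk\b", "WLAN uses one shared WPA2 pass-phrase"),
]
# View headers: the dump has no indentation, so the view is tracked from these.
HEADER = re.compile(r"^(aaa|wlan|interface \S+|user-interface .+|security-profile name \S+)$")

# Constructed excerpt: lines from the LSW11 and AC1 dumps, PSK ciphertext replaced.
SAMPLE = """\
#
aaa
local-user admin password simple admin
#
interface GigabitEthernet0/0/1
port trunk allow-pass vlan 2 to 4094
#
undo info-center enable
#
ssh server key-exchange dh_group14_sha1
#
user-interface con 0
user-interface vty 0 4
protocol inbound all
#
wlan
security-profile name sec
security wpa2 psk pass-phrase <ciphertext> aes
"""

def audit(config_text):
    """Return (line_number, view, finding) for every rule hit."""
    findings, view = [], "system"
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line == "#":
            view = "system"
        elif HEADER.match(line):
            view = line
        for pattern, finding in RULES:
            if re.search(pattern, line):
                findings.append((number, view, finding))
    return findings
```

Calling `audit(SAMPLE)` returns one finding per flagged line together with the configuration view it sits in, which makes it clear which interface, VTY range or security profile to revisit.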
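6. System Testing
Internal hosts obtain IP addresses automatically via DHCP
Mutual access between departments
Setting up the firewall and firewall policies
Setting up DNS name resolution
Setting up the HTTP server
Setting up the FTP server
Department clients access the HTTP, DNS, and FTP servers through firewall policies
Internal network accesses the external network through the firewall
Internal network accesses external HTTP through the firewall
Internal network accesses the DMZ (the server cluster in the protected zone) through the firewall
DNS server resolves internal company IP addresses
Wireless network area
Devices connect to the wireless network
DHCP assigns IP addresses
Wireless area accesses the enterprise's external network
Closing remarks
If you need the complete project, documentation, configurations, and so on, leave a comment.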