Campus Network Expansion Plan

Project background:

The company has grown and the existing office space needs to be extended; conveniently, the new office area is in another building of the same campus as the current office building.

The current network consists of one AR2240C-S egress router, one S5720S-52P-EI-AC layer-3 switch and several S5720S-52P-LI-AC layer-2 switches.

The new office area is connected by fiber from the optical module (SDP-GE-LX-SM1310) on the AR2240C-S egress router in the existing server room to the optical module (SDP-GE-LX-SM1310) on an S5720S-52P-EI-AC layer-3 switch in the new office's server room; several layer-2 switches hang off that layer-3 switch, which extends the network.

(figure omitted: lab topology)

Notes:

As shown in the topology diagram:

R5 is the enterprise headquarters

R4 simulates the Internet

R2 and R3 simulate the ISPs China Telecom (telecom) and China Unicom (unicom) respectively

R1 is the egress router in the existing server room

LSW1 is the layer-3 switch in the existing server room

LSW2 and LSW3 are the layer-2 switches in the existing server room

PC1 and PC2 belong to vlan 108 (vlanif 108: 10.180.108.0/24); PC3 and PC4 belong to vlan 109 (vlanif 109: 10.180.109.0/24)

LSW4 is the layer-3 switch in the new building's server room

PC5 and PC6 belong to vlan 110 (vlanif 110: 10.180.110.0/24); PC7 and PC8 belong to vlan 111 (vlanif 111: 10.180.111.0/24)

 

Project objectives:

A stable and secure network is needed to cover the employees' Internet access as well as the R&D and testing requirements.

1. PC1 to PC8 can reach one another;

2. PC1 to PC8 can all reach the Internet:

PC1, PC3, PC5 and PC7 normally reach R4 (Internet) via R2 (telecom); when the R1-R2-R4 path fails they switch automatically to R1-R3-R4;

PC2, PC4, PC6 and PC8 normally reach R4 (Internet) via R3 (unicom); when the R1-R3-R4 path fails they switch automatically to R1-R2-R4;

3. PC1 to PC8 can all reach headquarters;

 

Network design:

R5 (headquarters) and R4 (Internet) run OSPF in area 2 for connectivity; GRE over IPsec provides the VPN toward R1;

R4 (Internet), R3 (unicom), R2 (telecom) and R1 (egress router) simulate the enterprise's ISP uplinks and the Internet; they run OSPF in area 1 for connectivity;

R1 is configured with NAT (Easy-IP), policy-based routing (PBR) for traffic splitting and egress redundancy, GRE over IPsec for the VPN toward R5, and OSPF toward LSW1 and LSW4 so that the IGP keeps the routing information up to date;

LSW1 and LSW4 connect to R1 through vlanif 300; their ge0/0/2 and ge0/0/3 interfaces are trunks toward the layer-2 switches and allow vlan 108, vlan 109, vlan 110 and vlan 111;

vlanif 108-109 and vlanif 110-111 are configured as the gateways for the PCs;

DHCP with IP/MAC binding is configured so that a given device always receives the same IP;

LSW2, LSW3, LSW5 and LSW6 are the access switches, belonging to vlan 108, vlan 109, vlan 110 and vlan 111 respectively

 

Configuration:

I. First configure the simulated Internet

Configure the interface IPs:

(figures omitted: interface IP configuration)

Configure OSPF

R1:

[Huawei]ospf 1 router-id 1.1.1.1
[Huawei-ospf-1]area 1
[Huawei-ospf-1-area-0.0.0.1]network 10.1.1.0 0.0.0.255                --------------advertise the segments directly connected to this router
[Huawei-ospf-1-area-0.0.0.1]network 20.1.1.0 0.0.0.255

R2:

[Huawei]ospf 1 router-id 2.2.2.2
[Huawei-ospf-1]area 1
[Huawei-ospf-1-area-0.0.0.1]network 100.1.1.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 10.1.1.0 0.0.0.255

R3:

[Huawei]ospf 1 router-id 3.3.3.3
[Huawei-ospf-1]area 1
[Huawei-ospf-1-area-0.0.0.1]network 200.1.1.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 20.1.1.0 0.0.0.255

R4:

[Huawei]ospf 1 router-id 4.4.4.4
[Huawei-ospf-1]area 1
[Huawei-ospf-1-area-0.0.0.1]network 100.1.1.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 200.1.1.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 114.114.114.114 0.0.0.0           --------------host route for 114.114.114.114, the address the PCs ping later as "the Internet"

(figures omitted: OSPF verification)

II. Configure OSPF between headquarters and the Internet (this configuration failed)

R4:

(figures omitted)

Because the simulated Internet could not be extended into a further OSPF area (area 2), static routes are used instead for connectivity between headquarters and the Internet. (The underlying reason is that OSPF requires every non-backbone area to attach to area 0: R4 only sits in area 1, so an area 2 hung off it receives no inter-area routes.)

R5

(figure omitted: static routes on R5)

 

III. Configure OSPF between the egress router and the layer-3 switches

R1 configuration:

[Huawei]int gi 0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 192.168.200.1 30
[Huawei-GigabitEthernet0/0/0]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 192.168.200.5 30
[Huawei]ospf
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 192.168.200.0 0.0.0.3
[Huawei-ospf-1-area-0.0.0.0]network 192.168.200.4 0.0.0.3

LSW1 configuration:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]vlan batch 108 109 110 111
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]vlan 300
[Huawei-vlan300]int vlanif 300
[Huawei-Vlanif300]ip addr 192.168.200.2 30
[Huawei-Vlanif300]q
[Huawei]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 300
[Huawei-GigabitEthernet0/0/1]q
[Huawei]int vlanif 108
[Huawei-Vlanif108]ip addr 10.180.108.1 24
[Huawei-Vlanif108]int vlanif 109
[Huawei-Vlanif109]ip addr 10.180.109.1 24
[Huawei]ospf 1 router-id 6.6.6.6
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 10.180.108.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]network 10.180.109.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]network 192.168.200.0 0.0.0.3
 

LSW4 configuration:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]vlan batch 110 111
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]vlan 300
[Huawei]int vlanif 300
[Huawei-Vlanif300]ip addr 192.168.200.6 30
[Huawei]un in en
Info: Information center is disabled.
[Huawei]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 300
[Huawei-GigabitEthernet0/0/1]
[Huawei-GigabitEthernet0/0/1]q
[Huawei]int vlanif 110
[Huawei-Vlanif110]ip addr 10.180.110.1 24
[Huawei-Vlanif110]int vlanif 111
[Huawei-Vlanif111]ip addr 10.180.111.1 24
[Huawei-Vlanif111]q
[Huawei]ospf 1 router-id 7.7.7.7
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 192.168.200.6 0.0.0.3
[Huawei-ospf-1-area-0.0.0.0]network 10.180.110.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]network 10.180.111.0 0.0.0.255

After this configuration the layer-3 switches already hold routes toward the Internet:

(figure omitted: routing table on the layer-3 switch)

IV. Configure VLANs

LSW1 (the trunks below also carry VLAN 300, the R1 uplink VLAN, as in the original lab; nothing on the access switches needs it, so in production allow only the user VLANs on these trunks):

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 108 109 300
[Huawei-GigabitEthernet0/0/2]int gi 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type trunk
[Huawei-GigabitEthernet0/0/3]port trunk allow-pass vlan 108 109 300
 

LSW2 / LSW3 (identical except for the access VLAN: 108 on LSW2, 109 on LSW3):

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]vlan batch 108 109
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 108 109 300
[Huawei-GigabitEthernet0/0/1]q
[Huawei]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 108             --------------109 on LSW3
[Huawei-GigabitEthernet0/0/2]int gi 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 108             --------------109 on LSW3

LSW4:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 110 111 300
[Huawei-GigabitEthernet0/0/2]int gi 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type trunk
[Huawei-GigabitEthernet0/0/3]port trunk allow-pass vlan 110 111 300

 

LSW5 / LSW6 (identical except for the access VLAN: 110 on LSW5, 111 on LSW6):

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]vlan batch 110 111
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 110 111 300
[Huawei-GigabitEthernet0/0/1]q
[Huawei]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 110             --------------111 on LSW6
[Huawei-GigabitEthernet0/0/2]int gi 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 110             --------------111 on LSW6
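Before pasting a VLAN plan like the one above into six switches, it is worth checking it mechanically. The script below is an added example, not code from the original page: it models the access and trunk ports exactly as configured in step IV, verifies that every access VLAN can actually reach the switch that hosts its VLANIF gateway (every trunk on the path must allow the VLAN), and lists the trunk ports that carry VLAN 300 toward the access switches, where nothing needs the router-facing VLAN. The port names and links are transcribed from the page; the helper names are the example's own.

```python
"""Sanity-check the campus VLAN/trunk plan (added example, not from the original lab)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    mode: str            # "access" or "trunk"
    vlans: frozenset     # the single access VLAN, or the trunk's allow-pass set


def trunk(*vlans):
    return Port("trunk", frozenset(vlans))


def access(vlan):
    return Port("access", frozenset([vlan]))


# Ports as configured in step IV of the page. The VLANIF gateways live on
# LSW1 (108/109) and LSW4 (110/111); VLAN 300 is the uplink VLAN toward R1.
PORTS = {
    "LSW1": {"g0/0/1": access(300), "g0/0/2": trunk(108, 109, 300), "g0/0/3": trunk(108, 109, 300)},
    "LSW2": {"g0/0/1": trunk(108, 109, 300), "g0/0/2": access(108), "g0/0/3": access(108)},
    "LSW3": {"g0/0/1": trunk(108, 109, 300), "g0/0/2": access(109), "g0/0/3": access(109)},
    "LSW4": {"g0/0/1": access(300), "g0/0/2": trunk(110, 111, 300), "g0/0/3": trunk(110, 111, 300)},
    "LSW5": {"g0/0/1": trunk(110, 111, 300), "g0/0/2": access(110), "g0/0/3": access(110)},
    "LSW6": {"g0/0/1": trunk(110, 111, 300), "g0/0/2": access(111), "g0/0/3": access(111)},
}
GATEWAYS = {"LSW1": {108, 109}, "LSW4": {110, 111}}
# Switch-to-switch links (switch, port, switch, port). The g0/0/1 ports of
# LSW1/LSW4 go to R1 and are deliberately not listed here.
LINKS = [
    ("LSW1", "g0/0/2", "LSW2", "g0/0/1"), ("LSW1", "g0/0/3", "LSW3", "g0/0/1"),
    ("LSW4", "g0/0/2", "LSW5", "g0/0/1"), ("LSW4", "g0/0/3", "LSW6", "g0/0/1"),
]


def carries(switch, port, vlan):
    """True if frames of `vlan` may pass this port (tagged on a trunk, untagged on an access port)."""
    return vlan in PORTS[switch][port].vlans


def gateway_reachable(vlan, start):
    """BFS over links that carry `vlan` on both ends; True once a switch owning that VLANIF is reached."""
    seen, todo = {start}, deque([start])
    while todo:
        sw = todo.popleft()
        if vlan in GATEWAYS.get(sw, set()):
            return True
        for a, pa, b, pb in LINKS:
            for here, ph, there, pt in ((a, pa, b, pb), (b, pb, a, pa)):
                if here == sw and there not in seen and carries(here, ph, vlan) and carries(there, pt, vlan):
                    seen.add(there)
                    todo.append(there)
    return False


def check_access_vlans():
    """Every user access port must be able to reach its gateway; returns the failing (switch, port, vlan)."""
    failures = []
    for sw, ports in PORTS.items():
        for name, p in ports.items():
            vlan = next(iter(p.vlans))
            if p.mode == "access" and vlan != 300 and not gateway_reachable(vlan, sw):
                failures.append((sw, name, vlan))
    return failures


def router_vlan_on_access_trunks():
    """Trunk ports between switches that carry VLAN 300 although only the R1 uplinks need it."""
    return sorted({(s, p) for a, pa, b, pb in LINKS for s, p in ((a, pa), (b, pb)) if carries(s, p, 300)})


if __name__ == "__main__":
    print("access VLANs without a reachable gateway:", check_access_vlans())
    print("VLAN 300 exposed on inter-switch trunks:", router_vlan_on_access_trunks())
```

Run against the page's configuration the first check comes back empty, while the second lists all eight inter-switch trunk ports: that is the place to trim the allow-pass lists to the user VLANs only.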

 

V. Configure DHCP and the IP pools (once configured, the PCs did not obtain an IP; perhaps eNSP does not support it)

Because the VLANIFs were already configured in step III, only the DHCP service and the IP pools need to be added. One thing the commands below do not include: a VLANIF only hands out leases from the global pool after dhcp select global has been enabled under that interface (vlanif 108 and 109 here, vlanif 110 and 111 on LSW4); without it the switch never answers the PCs' DHCP Discover, which is the usual reason clients in eNSP stay without an address.

LSW1:

[Huawei]dhcp enable
[Huawei]ip pool 108
Info:It's successful to create an IP address pool.
[Huawei-ip-pool-108]gateway-list 10.180.108.1
[Huawei-ip-pool-108]network 10.180.108.0 mask 255.255.255.0
[Huawei-ip-pool-108]excluded-ip-address 10.180.108.10 10.180.108.254          --------------only .2 to .9 remain assignable
[Huawei-ip-pool-108]static-bind ip-address 10.180.108.2 mac-address 5489-9819-741f             (MAC address of PC1)
[Huawei-ip-pool-108]static-bind ip-address 10.180.108.3 mac-address 5489-98ca-3928             (MAC address of PC2)

[Huawei-ip-pool-108]ip pool 109
Info:It's successful to create an IP address pool.
[Huawei-ip-pool-109]gateway-list 10.180.109.1
[Huawei-ip-pool-109]network 10.180.109.0 mask 255.255.255.0
[Huawei-ip-pool-109]excluded-ip-address 10.180.109.10 10.180.109.254
[Huawei-ip-pool-109]static-bind ip-address 10.180.109.2 mac-address 5489-982d-79b7          (MAC address of PC3; the original had the typo 10.180.10.2, which is outside the pool)
[Huawei-ip-pool-109]static-bind ip-address 10.180.109.3 mac-address 5489-98f4-6304          (MAC address of PC4)
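IP/MAC binding only delivers "fixed device, fixed address" if the binding table is internally consistent, and the CLI will not always tell you when it is not. The following is an added example, not code from the page: it generates the ip pool commands in the form used above from a binding table and validates them first, catching a bound address outside the pool network (the 10.180.10.2 slip is exactly that case), a collision with the gateway or another binding, a duplicated MAC, and a binding that falls inside the excluded range. MAC addresses are normalised to the xxxx-xxxx-xxxx form VRP expects. The pool data is the page's; the function names are the example's own, and treating a binding inside the excluded range as an error is a conservative choice of this example.

```python
"""Build and validate Huawei-style DHCP pools with static IP/MAC bindings (added example)."""
import ipaddress
import re


def huawei_mac(mac):
    """Normalise '54:89:98:19:74:1f', '5489.9819.741f' or '5489-9819-741f' to 5489-9819-741f."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def validate_pool(name, network, gateway, excluded, bindings):
    """Return a list of human-readable problems; an empty list means the pool is consistent."""
    net = ipaddress.ip_network(network, strict=True)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in net:
        problems.append(f"{name}: gateway {gw} is not in {net}")
    lo, hi = (ipaddress.ip_address(x) for x in excluded)
    if not (lo in net and hi in net and lo <= hi):
        problems.append(f"{name}: excluded range {lo}-{hi} is not inside {net}")
    seen_ip, seen_mac = {}, {}
    for ip_s, mac_s in bindings:
        ip = ipaddress.ip_address(ip_s)
        mac = huawei_mac(mac_s)
        if ip not in net:
            problems.append(f"{name}: static-bind {ip} is outside {net}")
        elif ip in (gw, net.network_address, net.broadcast_address):
            problems.append(f"{name}: static-bind {ip} collides with the gateway/network/broadcast address")
        elif lo <= ip <= hi:
            problems.append(f"{name}: static-bind {ip} lies inside the excluded range")
        if ip in seen_ip:
            problems.append(f"{name}: {ip} is bound twice ({seen_ip[ip]} and {mac})")
        if mac in seen_mac:
            problems.append(f"{name}: MAC {mac} is bound twice ({seen_mac[mac]} and {ip})")
        seen_ip[ip], seen_mac[mac] = mac, ip
    return problems


def render_pool(name, network, gateway, excluded, bindings):
    """Emit the VRP commands for one global pool, in the order the page uses."""
    net = ipaddress.ip_network(network)
    lines = [
        f"ip pool {name}",
        f" gateway-list {gateway}",
        f" network {net.network_address} mask {net.netmask}",
        f" excluded-ip-address {excluded[0]} {excluded[1]}",
    ]
    lines += [f" static-bind ip-address {ip} mac-address {huawei_mac(mac)}" for ip, mac in bindings]
    return lines


# Pool data as given on the page (eNSP PC MAC addresses included).
POOLS = {
    "108": ("10.180.108.0/24", "10.180.108.1", ("10.180.108.10", "10.180.108.254"),
            [("10.180.108.2", "5489-9819-741f"), ("10.180.108.3", "5489-98ca-3928")]),
    "109": ("10.180.109.0/24", "10.180.109.1", ("10.180.109.10", "10.180.109.254"),
            [("10.180.109.2", "5489-982d-79b7"), ("10.180.109.3", "5489-98f4-6304")]),
}


def all_problems(pools=POOLS):
    return [p for name, spec in pools.items() for p in validate_pool(name, *spec)]


if __name__ == "__main__":
    for name, spec in POOLS.items():
        print("\n".join(render_pool(name, *spec)))
    print("problems:", all_problems())
```

Static binding is a convenience for addressing, not an access control: a host that spoofs a bound MAC still gets that lease, so pair it with DHCP snooping and IP source guard on the access switches if the fixed address is relied upon for anything security-relevant.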

(figures omitted: DHCP pool verification)

Since the PCs on eNSP did not obtain an IP after DHCP was configured, the addresses are configured manually instead.

(figures omitted: manual IP configuration on PC1 to PC8)

 

VI. Connectivity verification

After this configuration every PC can reach the Internet (114.114.114.114):

(figure omitted: ping from a PC to 114.114.114.114)

and every PC can reach every other PC:

(figures omitted: PC-to-PC ping results)

With that, the connectivity configuration is complete.

VII. Configure NAT (Easy-IP)

In eNSP the connectivity above works without it (the 10.180.x.x routes are carried by OSPF all the way to R4), but on a real ISP link NAT is mandatory.

Configure NAT on the egress router so that the campus range (10.180.108.0/22, i.e. vlan 108 to 111) is dynamically translated to the two external addresses 10.1.1.1 and 20.1.1.1. The ACL has to match the campus addressing; the original lab listed 192.168.1.0/24 and 192.168.2.0/24 here, left over from a different topology, which would never match and would leave every PC untranslated:

[Huawei]acl 2001
[Huawei-acl-basic-2001]rule permit source 10.180.108.0 0.0.3.255        --------------10.180.108.0/22 covers vlan 108-111 and nothing else
[Huawei-acl-basic-2001]q
[Huawei]int gi 0/0/0
[Huawei-GigabitEthernet0/0/0]nat outbound 2001
[Huawei-GigabitEthernet0/0/0]int gi0/0/1
[Huawei-GigabitEthernet0/0/1]nat outbound 2001

nat outbound belongs on the two Internet-facing interfaces, the ones addressed 10.1.1.1 (toward R2) and 20.1.1.1 (toward R3). Step III assigned gi0/0/0 and gi0/0/1 to the LSW1/LSW4 uplinks (192.168.200.1 and 192.168.200.5), so verify with display ip interface brief which interfaces actually carry the ISP links and apply the command there; applied on the LAN side it translates nothing useful. Keep the 192.168.200.0/30 transit links and the VLANIF 300 addresses out of the ACL: only the user VLANs need translation.

VIII. Configure policy-based routing (to be continued)

Egress router configuration:
1. Configure the ACLs

The source addresses are the campus hosts fixed by the DHCP bindings in step V: the .2 hosts (PC1, PC3, PC5, PC7) are steered to telecom, the .3 hosts (PC2, PC4, PC6, PC8) to unicom, and ACL 3003 matches campus-internal traffic so that it is never redirected to an ISP. (The original lab used 192.168.1.x/192.168.2.x addresses here, left over from a different topology. Traffic to headquarters through the GRE tunnel must be exempted the same way once the tunnel is configured; its addresses are not given on this page.)

<Huawei>sys
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule permit ip source 10.180.108.2 0.0.0.0          --------------PC1
[Huawei-acl-adv-3001]rule permit ip source 10.180.109.2 0.0.0.0          --------------PC3
[Huawei-acl-adv-3001]rule permit ip source 10.180.110.2 0.0.0.0          --------------PC5
[Huawei-acl-adv-3001]rule permit ip source 10.180.111.2 0.0.0.0          --------------PC7
[Huawei-acl-adv-3001]acl 3002
[Huawei-acl-adv-3002]rule permit ip source 10.180.108.3 0.0.0.0          --------------PC2
[Huawei-acl-adv-3002]rule permit ip source 10.180.109.3 0.0.0.0          --------------PC4
[Huawei-acl-adv-3002]rule permit ip source 10.180.110.3 0.0.0.0          --------------PC6
[Huawei-acl-adv-3002]rule permit ip source 10.180.111.3 0.0.0.0          --------------PC8
[Huawei-acl-adv-3002]q
[Huawei]acl 3003
[Huawei-acl-adv-3003]rule permit ip source 10.180.108.0 0.0.3.255 destination 10.180.108.0 0.0.3.255     --------------campus to campus: leave to normal routing
[Huawei-acl-adv-3003]q

2. Configure the traffic classifiers

[Huawei]traffic classifier c1
[Huawei-classifier-c1]if-match acl 3001
[Huawei-classifier-c1]traffic classifier c2
[Huawei-classifier-c2]if-match acl 3002
[Huawei-classifier-c2]traffic classifier c3
[Huawei-classifier-c3]if-match acl 3003
[Huawei-classifier-c3]q

3. Configure the traffic behaviors

[Huawei]traffic behavior b1
[Huawei-behavior-b1]redirect ip-nexthop 10.1.1.2          --------------R2 (telecom)
[Huawei-behavior-b1]traffic behavior b2
[Huawei-behavior-b2]redirect ip-nexthop 20.1.1.2          --------------R3 (unicom)
[Huawei-behavior-b2]traffic behavior b3
[Huawei-behavior-b3]permit
[Huawei-behavior-b3]q

4. Configure the traffic policy

Classifiers are evaluated in the order they are bound to the policy and the first match wins, so c3 (internal traffic, no redirect) must come before the two redirects:

[Huawei]traffic policy p1
[Huawei-trafficpolicy-p1]classifier c3 behavior b3
[Huawei-trafficpolicy-p1]classifier c1 behavior b1
[Huawei-trafficpolicy-p1]classifier c2 behavior b2
[Huawei-trafficpolicy-p1]q

5. Apply the traffic policy

The policy acts on traffic entering from the LAN, so it is applied inbound on the interfaces toward LSW1 and LSW4 (gi0/0/0 and gi0/0/1 as addressed in step III; the original had gi0/0/2, which is not one of the LAN uplinks):

[Huawei]int gi 0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-policy p1 inbound
[Huawei-GigabitEthernet0/0/0]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-policy p1 inbound
[Huawei-GigabitEthernet0/0/1]q

This splits the traffic but does not yet give the automatic failover from the objectives: a fixed redirect next hop cannot see a failure beyond the adjacent router (for example on the R2-R4 link). That needs the next hop to be tracked (NQA with track, or a dependency on the OSPF-learned route), which is the part still marked "to be continued".
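Both the NAT ACL in section VII and the classifiers in section VIII stand or fall on Huawei wildcard matching, and the failover requirement is easy to get wrong by hand. The script below is an added example, not code from the page: it implements the wildcard match (a 0 bit in the wildcard must match, a 1 bit is "don't care"), loads the ACLs 2001, 3001, 3002 and 3003 as corrected above, proves that the NAT ACL covers every campus host and not the 192.168.200.0/30 transit links, and walks the traffic policy in the order the page binds its classifiers to show which ISP next hop each PC gets. The link-state failover in next_hop is the example's own model of the objective in section "Project objectives"; the router's traffic-policy does not do that by itself, as noted above. Addresses are the page's; the function names are the example's own.

```python
"""Huawei ACL wildcard matching, NAT coverage and PBR steering with failover (added example)."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Huawei/Cisco wildcard semantics: bits that are 0 in the wildcard must match `base`."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# ACL rules as (action, src_base, src_wildcard, dst_base, dst_wildcard), corrected for 10.180.108.0/22.
ANY = ("0.0.0.0", "255.255.255.255")
ACL = {
    2001: [("permit", "10.180.108.0", "0.0.3.255", *ANY)],                                   # NAT: the campus
    3001: [("permit", f"10.180.{v}.2", "0.0.0.0", *ANY) for v in (108, 109, 110, 111)],    # telecom group
    3002: [("permit", f"10.180.{v}.3", "0.0.0.0", *ANY) for v in (108, 109, 110, 111)],    # unicom group
    3003: [("permit", "10.180.108.0", "0.0.3.255", "10.180.108.0", "0.0.3.255")],           # campus-internal
}


def acl_permits(acl_id, src, dst="0.0.0.0"):
    """First matching rule wins; no match means the classifier does not fire."""
    for action, sb, sw, db, dw in ACL[acl_id]:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


# Traffic policy p1 in the order the page binds classifiers: c3/b3 (no redirect) first.
TELECOM, UNICOM = "10.1.1.2", "20.1.1.2"
POLICY = [(3003, None), (3001, TELECOM), (3002, UNICOM)]


def next_hop(src, dst, link_up):
    """Return the forced next hop for a packet, or None to let the routing table decide.

    link_up maps next hop -> bool. When the preferred ISP is down the other one is used;
    this failover is the objective's behaviour, modelled here, not something the redirect
    alone provides on the router.
    """
    for acl_id, hop in POLICY:
        if acl_permits(acl_id, src, dst):
            if hop is None:
                return None
            if link_up.get(hop, False):
                return hop
            other = UNICOM if hop == TELECOM else TELECOM
            return other if link_up.get(other, False) else None
    return None


def nat_coverage(hosts=None):
    """Map each host to whether ACL 2001 would translate it (all PC addresses by default)."""
    hosts = hosts or [f"10.180.{v}.{h}" for v in (108, 109, 110, 111) for h in (2, 3)]
    return {h: acl_permits(2001, h) for h in hosts}


if __name__ == "__main__":
    both_up = {TELECOM: True, UNICOM: True}
    for pc in ("10.180.108.2", "10.180.108.3", "10.180.111.2"):
        print(pc, "->", next_hop(pc, "114.114.114.114", both_up))
    print("telecom down:", next_hop("10.180.108.2", "114.114.114.114", {TELECOM: False, UNICOM: True}))
    print("internal traffic:", next_hop("10.180.108.2", "10.180.111.3", both_up))
    print("NAT coverage:", nat_coverage())
```

A host that is not in either steering ACL (say 10.180.108.7, a dynamically leased address) falls through to ordinary routing, which is worth knowing before adding more PCs: the split only applies to the bound .2 and .3 addresses.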