eNSP Comprehensive Lab (Small and Medium-sized Network)
1. Lab Background
In today's digital enterprise environment, a stable, efficient and secure network architecture is essential to keeping the business running and growing. As the business of each internal department expands (the finance department, for example, has very strict data confidentiality requirements; the guest area needs more and more network access; and the demand for externally published server services keeps growing), it becomes urgent to build a campus network that supports day-to-day office work and business operations while also guaranteeing information security and a sensible allocation of resources.
To reach these goals, this lab imitates a medium-sized enterprise network through a series of technical requirements and configurations. The enterprise has several business departments, and the network traffic between them must be planned and isolated so that they do not interfere with each other and the risk of data leakage is avoided. At the same time, with mobile office devices becoming common, wireless coverage and optimisation are also a key factor in employee productivity. In addition, to communicate securely and reliably with the external network, to publish some services externally (such as FTP), and to guarantee internal users' access to the Internet and to specific internal resources (such as the DNS server), every layer of the network, including switches, routers and the firewall, has to be carefully designed and configured to cope with a complex and changing network environment and business needs.
2. Topology Planning
3. Lab Requirements
1. All hosts obtain their addresses (including the DNS address) through DHCP.
2. LSW1 is the root bridge of the default STP instance (instance 0).
3. LSW1 is the root bridge for VLANs 10, 30, 100 and 101.
4. LSW2 is the root bridge for VLANs 20, 40 and 102.
5. An Eth-Trunk in LACP mode is configured between LSW1 and LSW2.
6. LSW1 is the gateway for VLANs 10, 30, 100 and 101.
7. LSW2 is the gateway for VLANs 20, 40 and 102.
8. AR1, AR2, LSW1 and LSW2 run OSPF.
9. OSPF is configured so that internal traffic reaches the Internet through AR1 by default.
10. Traffic entering from outside the firewall reaches the internal network through R1 and SW1 by default.
11. Configure the AC and the APs.
12. The internal network can access the DMZ servers.
13. The FTP server in the DMZ provides FTP service to Internet users.
14. The DNS server in the DMZ provides service to internal users.
15. Configure Easy IP on the FW so that internal users can access the Internet.
16. Restrict the other departments from accessing the finance department.
17. The guest area can only access the servers and the Internet.
18. Configure edge ports.
19. Hosts in the guest area cannot access each other.
4. Configuration Approach
4-1 Create VLANs and assign ports to them
4-1-1 At the access layer, create the VLANs and set the port types
LSW3
[LSW3]vlan batch 10 to 11 20 30 40 100 to 102
[LSW3]int e0/0/1
[LSW3-Ethernet0/0/1]port link-type trunk
[LSW3-Ethernet0/0/1]port trunk allow-pass vlan all
[LSW3-Ethernet0/0/1]port trunk pvid vlan 100
[LSW3-Ethernet0/0/1]q
[LSW3]int e0/0/2
[LSW3-Ethernet0/0/2]port link-type trunk
[LSW3-Ethernet0/0/2]port trunk allow-pass vlan all
[LSW3-Ethernet0/0/2]port trunk pvid vlan 100
[LSW3-Ethernet0/0/2]q
[LSW3]int e0/0/3
[LSW3-Ethernet0/0/3]port link-type access
[LSW3-Ethernet0/0/3]port default vlan 10
[LSW3-Ethernet0/0/3]q
[LSW3]int e0/0/4
[LSW3-Ethernet0/0/4]port link-type access
[LSW3-Ethernet0/0/4]port default vlan 10
[LSW3-Ethernet0/0/4]q
[LSW3]int g0/0/1
[LSW3-GigabitEthernet0/0/1]port link-type trunk
[LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[LSW3-GigabitEthernet0/0/1]port trunk pvid vlan 100
[LSW3-GigabitEthernet0/0/1]q
[LSW3]
LSW4
[LSW4]vlan batch 10 to 11 20 30 40 100 to 102
[LSW4]int e0/0/1
[LSW4-Ethernet0/0/1]port link-type trunk
[LSW4-Ethernet0/0/1]port trunk allow-pass vlan 20
[LSW4-Ethernet0/0/1]port trunk allow-pass vlan all
[LSW4-Ethernet0/0/1]q
[LSW4]int e0/0/2
[LSW4-Ethernet0/0/2]port link-type trunk
[LSW4-Ethernet0/0/2]port trunk allow-pass vlan all
[LSW4-Ethernet0/0/2]port trunk pvid vlan 100
[LSW4-Ethernet0/0/2]q
[LSW4]int e0/0/1
[LSW4-Ethernet0/0/1]port trunk pvid vlan 100
[LSW4-Ethernet0/0/1]q
[LSW4]int e0/0/3
[LSW4-Ethernet0/0/3]port link-type access
[LSW4-Ethernet0/0/3]port default vlan 20
[LSW4-Ethernet0/0/3]q
[LSW4]int e0/0/4
[LSW4-Ethernet0/0/4]port link-type access
[LSW4-Ethernet0/0/4]port default vlan 20
[LSW4-Ethernet0/0/4]q
LSW5
[LSW5]vlan batch 10 to 11 20 30 40 100 to 102
[LSW5]int e0/0/1
[LSW5-Ethernet0/0/1]port link-type trunk
[LSW5-Ethernet0/0/1]port trunk allow-pass vlan all
[LSW5-Ethernet0/0/1]port trunk pvid vlan 100
[LSW5-Ethernet0/0/1]q
[LSW5]int e0/0/2
[LSW5-Ethernet0/0/2]port link-type trunk
[LSW5-Ethernet0/0/2]port trunk allow-pass vlan all
[LSW5-Ethernet0/0/2]port trunk pvid vlan 100
[LSW5-Ethernet0/0/2]q
[LSW5]int e0/0/3
[LSW5-Ethernet0/0/3]port link-type access
[LSW5-Ethernet0/0/3]port default vlan 30
[LSW5-Ethernet0/0/3]q
[LSW5]int e0/0/4
[LSW5-Ethernet0/0/4]port link-type access
[LSW5-Ethernet0/0/4]port default vlan 30
[LSW5-Ethernet0/0/4]q
LSW6
[LSW6]vlan batch 10 to 11 20 30 40 100 to 102
[LSW6]int e0/0/1
[LSW6-Ethernet0/0/1]port link-type trunk
[LSW6-Ethernet0/0/1]port trunk allow-pass vlan all
[LSW6-Ethernet0/0/1]port trunk pvid vlan 100
[LSW6-Ethernet0/0/1]q
[LSW6]int e0/0/2
[LSW6-Ethernet0/0/2]port link-type trunk
[LSW6-Ethernet0/0/2]port trunk allow-pass vlan all
[LSW6-Ethernet0/0/2]port trunk pvid vlan 100
[LSW6-Ethernet0/0/2]q
[LSW6]int e0/0/3
[LSW6-Ethernet0/0/3]port link-type access
[LSW6-Ethernet0/0/3]port default vlan 40
[LSW6-Ethernet0/0/3]q
[LSW6]int e0/0/4
[LSW6-Ethernet0/0/4]port link-type access
[LSW6-Ethernet0/0/4]port default vlan 40
[LSW6-Ethernet0/0/4]q
[LSW6]int g0/0/1
[LSW6-GigabitEthernet0/0/1]port link-type trunk
[LSW6-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[LSW6-GigabitEthernet0/0/1]port trunk pvid vlan 100
[LSW6-GigabitEthernet0/0/1]q
4-1-2 At the core layer (LSW1 and LSW2) and on the AC, create the VLANs and set the port types
LSW1
[LSW1]vlan batch 10 20 30 40 11 31 32 100 101 102
[LSW1]int g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type trunk
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[LSW1-GigabitEthernet0/0/1]port trunk pvid vlan 100
[LSW1-GigabitEthernet0/0/1]q
[LSW1]int g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type trunk
[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[LSW1-GigabitEthernet0/0/2]port trunk pvid vlan 100
[LSW1-GigabitEthernet0/0/2]q
[LSW1]int g0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type trunk
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[LSW1-GigabitEthernet0/0/3]port trunk pvid vlan 100
[LSW1-GigabitEthernet0/0/3]q
[LSW1]int g0/0/4
[LSW1-GigabitEthernet0/0/4]port link-type trunk
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[LSW1-GigabitEthernet0/0/4]port trunk pvid vlan 100
[LSW1-GigabitEthernet0/0/4]q
[LSW1]int g0/0/11
[LSW1-GigabitEthernet0/0/11]port link-type access
[LSW1-GigabitEthernet0/0/11]port default vlan 11
[LSW1-GigabitEthernet0/0/11]q
[LSW1]int g0/0/12
[LSW1-GigabitEthernet0/0/12]port link-type access
[LSW1-GigabitEthernet0/0/12]port default vlan 31
[LSW1-GigabitEthernet0/0/12]q
[LSW1]int g0/0/13
[LSW1-GigabitEthernet0/0/13]port link-type access
[LSW1-GigabitEthernet0/0/13]port default vlan 32
[LSW1-GigabitEthernet0/0/13]q
LSW2
[LSW2]vlan batch 10 20 30 40 34 33 22 100 101 102
[LSW2]int g0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type trunk
[LSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[LSW2-GigabitEthernet0/0/1]port trunk pvid vlan 100
[LSW2-GigabitEthernet0/0/1]q
[LSW2]int g0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type trunk
[LSW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[LSW2-GigabitEthernet0/0/2]port trunk pvid vlan 100
[LSW2-GigabitEthernet0/0/2]q
[LSW2]int g0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type trunk
[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[LSW2-GigabitEthernet0/0/3]port trunk pvid vlan 100
[LSW2-GigabitEthernet0/0/3]q
[LSW2]int g0/0/4
[LSW2-GigabitEthernet0/0/4]port link-type trunk
[LSW2-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[LSW2-GigabitEthernet0/0/4]port trunk pvid vlan 100
[LSW2-GigabitEthernet0/0/4]q
[LSW2]int g0/0/12
[LSW2-GigabitEthernet0/0/12]port link-type access
[LSW2-GigabitEthernet0/0/12]port default vlan 34
[LSW2-GigabitEthernet0/0/12]q
[LSW2]int g0/0/13
[LSW2-GigabitEthernet0/0/13]port link-type access
[LSW2-GigabitEthernet0/0/13]port default vlan 33
[LSW2-GigabitEthernet0/0/13]q
[LSW2]int g0/0/22
[LSW2-GigabitEthernet0/0/22]port link-type access
[LSW2-GigabitEthernet0/0/22]port default vlan 22
[LSW2-GigabitEthernet0/0/22]q
[LSW2]
AC
[AC1]vlan batch 22
[AC1]int g0/0/2
[AC1-GigabitEthernet0/0/2]port link-type access
[AC1-GigabitEthernet0/0/2]port default vlan 22
[AC1-GigabitEthernet0/0/2]q
[AC1]q
4-2 Configure the IP addresses of each device
LSW1
LSW2
AR1
AR2
AR3
DHCP-Server
[DHCP]int g0/0/1
[DHCP-GigabitEthernet0/0/1]ip add 192.168.11.11 24
AC1
[AC1]int vlanif 22
[AC1-Vlanif22]ip add 192.168.22.22 24
FW
4-3 Configure static routes
#
[FW]ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
[FW]ip route-static 192.168.0.0 255.255.192.0 10.1.1.1 preference 10
[FW]ip route-static 192.168.0.0 255.255.192.0 10.2.2.1
[FW]ip route-static 192.168.100.0 255.255.252.0 10.1.1.1 preference 10
[FW]ip route-static 192.168.100.0 255.255.252.0 10.2.2.1
[FW]q
#
AR1
[AR1]ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
#
AR2
[AR2]ip route-static 0.0.0.0 0.0.0.0 10.2.2.2
#
LSW3-LSW6
[LSW3]ip route-static 0.0.0.0 0.0.0.0 192.168.100.254
[LSW4]ip route-static 0.0.0.0 0.0.0.0 192.168.100.254
[LSW5]ip route-static 0.0.0.0 0.0.0.0 192.168.100.254
[LSW6]ip route-static 0.0.0.0 0.0.0.0 192.168.100.254
#
DHCP
[DHCP]ip route-static 0.0.0.0 0.0.0.0 192.168.11.254
#
AC
[AC1]ip route-static 0.0.0.0 0.0.0.0 192.168.22.254
#
4-4 Configure link aggregation between LSW1 and LSW2 in LACP mode
LSW1
[LSW1]int eth-trunk 1
[LSW1-Eth-Trunk1]mode lacp-static
[LSW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/10 0/0/20
[LSW1-Eth-Trunk1]port link-type trunk
[LSW1-Eth-Trunk1]port trunk allow-pass vlan all
[LSW1-Eth-Trunk1]port trunk pvid vlan 100
[LSW1-Eth-Trunk1]q
[LSW1]lacp priority 4096
[LSW1]int eth-trunk 1
[LSW1-Eth-Trunk1]lacp preempt enable
[LSW1-Eth-Trunk1]q
View the link aggregation status
LSW2
#
[LSW2]int eth-trunk 1
[LSW2-Eth-Trunk1]mode lacp-static
[LSW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/10 0/0/20
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW2-Eth-Trunk1]port link-type trunk
[LSW2-Eth-Trunk1]port trunk allow-pass vlan all
[LSW2-Eth-Trunk1]port trunk pvid vlan 100
[LSW2-Eth-Trunk1]q
#
4-5 Configure DHCP on DHCP_Server
#
[DHCP]dhcp enable
[DHCP]int g0/0/1
[DHCP-GigabitEthernet0/0/1]dhcp select global
[DHCP-GigabitEthernet0/0/1]q
[DHCP]ip pool vlan10
[DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[DHCP-ip-pool-vlan10]network 192.168.10.0 mask 255.255.255.0
[DHCP-ip-pool-vlan10]excluded-ip-address 192.168.10.246 192.168.10.253
[DHCP-ip-pool-vlan10]dns-list 172.16.1.200
[DHCP-ip-pool-vlan10]q
[DHCP]ip pool vlan20
[DHCP-ip-pool-vlan20]gateway-list 192.168.20.254
[DHCP-ip-pool-vlan20]network 192.168.20.0 mask 255.255.255.0
[DHCP-ip-pool-vlan20]excluded-ip-address 192.168.20.246 192.168.20.253
[DHCP-ip-pool-vlan20]dns-list 172.16.1.200
[DHCP-ip-pool-vlan20]q
[DHCP]ip pool vlan30
[DHCP-ip-pool-vlan30]gateway-list 192.168.30.254
[DHCP-ip-pool-vlan30]network 192.168.30.0 mask 255.255.255.0
[DHCP-ip-pool-vlan30]excluded-ip-address 192.168.30.246 192.168.30.253
[DHCP-ip-pool-vlan30]dns-list 172.16.1.200
[DHCP-ip-pool-vlan30]q
[DHCP]ip pool vlan40
[DHCP-ip-pool-vlan40]gateway-list 192.168.40.254
[DHCP-ip-pool-vlan40]network 192.168.40.0 mask 255.255.255.0
[DHCP-ip-pool-vlan40]excluded-ip-address 192.168.40.246 192.168.40.253
[DHCP-ip-pool-vlan40]dns-list 172.16.1.200
[DHCP-ip-pool-vlan40]q
[DHCP]ip pool vlan100
[DHCP-ip-pool-vlan100]gateway-list 192.168.100.254
[DHCP-ip-pool-vlan100]network 192.168.100.0 mask 255.255.255.0
[DHCP-ip-pool-vlan100]excluded-ip-address 192.168.100.1 192.168.100.10
[DHCP-ip-pool-vlan100]excluded-ip-address 192.168.100.246 192.168.100.253
[DHCP-ip-pool-vlan100]dns-list 172.16.1.200
[DHCP-ip-pool-vlan100]option 43 sub-option 3 ascii 192.168.22.22 # tells the APs in VLAN 100 the AC's CAPWAP address
[DHCP-ip-pool-vlan100]q
[DHCP]ip pool vlan101
[DHCP-ip-pool-vlan101]gateway-list 192.168.101.254
[DHCP-ip-pool-vlan101]network 192.168.101.0 mask 255.255.255.0
[DHCP-ip-pool-vlan101]excluded-ip-address 192.168.101.246 192.168.101.253
[DHCP-ip-pool-vlan101]lease day 0 hour 3 minute 0
[DHCP-ip-pool-vlan101]dns-list 172.16.1.200
[DHCP-ip-pool-vlan101]q
[DHCP]ip pool vlan102
[DHCP-ip-pool-vlan102]gateway-list 192.168.102.254
[DHCP-ip-pool-vlan102]network 192.168.102.0 mask 255.255.255.0
[DHCP-ip-pool-vlan102]excluded-ip-address 192.168.102.246 192.168.102.253
[DHCP-ip-pool-vlan102]lease day 0 hour 3 minute 0
[DHCP-ip-pool-vlan102]dns-list 172.16.1.200 # requirement 1: every pool hands out the DNS server address
[DHCP-ip-pool-vlan102]q
#
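The vlan100 pool above uses DHCP option 43 sub-option 3 to hand the APs the AC's address. As an added example (not part of the original lab), the Python below builds that option exactly as it appears on the wire and parses it back with length checks, so a captured DHCP OFFER to an AP can be verified against the intended AC address. The AC address 192.168.22.22 is the page's value; a second address in the list is a constructed sample.

```python
# Added example (not from the original lab): build and parse the DHCP option 43
# payload that the vlan100 pool hands to the APs ("option 43 sub-option 3 ascii
# 192.168.22.22"). Option 43 is a vendor-specific container of TLV sub-options
# (RFC 2132 section 8.4); Huawei APs read the AC address list from sub-option 3
# as ASCII text. The AC address below is the one used on the page.
from ipaddress import ip_address

OPTION_VENDOR_SPECIFIC = 43
SUBOPTION_AC_LIST_ASCII = 3  # Huawei: comma-separated AC IP addresses as text


def encode_option43_ac_list(ac_ips):
    """Return the full option 43 TLV (code, length, value) as bytes."""
    for ip in ac_ips:
        ip_address(ip)  # reject anything that is not a valid IP literal
    text = ",".join(ac_ips).encode("ascii")
    if len(text) > 255:
        raise ValueError("sub-option value longer than 255 bytes")
    sub = bytes([SUBOPTION_AC_LIST_ASCII, len(text)]) + text
    return bytes([OPTION_VENDOR_SPECIFIC, len(sub)]) + sub


def decode_option43(blob):
    """Parse an option 43 TLV into {sub-option code: value bytes}, validating lengths."""
    if len(blob) < 2 or blob[0] != OPTION_VENDOR_SPECIFIC:
        raise ValueError("not an option 43 TLV")
    length = blob[1]
    payload = blob[2:2 + length]
    if len(payload) != length:
        raise ValueError("truncated option 43")
    subs = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, sub_len = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError("sub-option %d overruns the option" % code)
        subs[code] = value
        i += 2 + sub_len
    return subs


def ac_addresses_from_option43(blob):
    """Extract the AC list an AP would use from a raw option 43 blob."""
    subs = decode_option43(blob)
    if SUBOPTION_AC_LIST_ASCII not in subs:
        return []
    return [ip for ip in subs[SUBOPTION_AC_LIST_ASCII].decode("ascii").split(",") if ip]


if __name__ == "__main__":
    blob = encode_option43_ac_list(["192.168.22.22"])
    print(blob.hex())                        # 2b0f030d3139322e3136382e32322e3232
    print(ac_addresses_from_option43(blob))  # ['192.168.22.22']
```

The hex string printed is the byte sequence to look for in a packet capture of the OFFER sent to an AP: 0x2b (43), total length, then 0x03, the sub-option length and the ASCII address.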
4-6 DHCP relay
Configure DHCP relay on vlanif 10, 20, 30, 40, 100, 101 and 102 of LSW1 and LSW2.
Note: LSW2 has the same configuration as LSW1, so it is omitted here.
#
[LSW1]dhcp enable
[LSW1]int vlanif 10
[LSW1-Vlanif10]dhcp select relay
[LSW1-Vlanif10]dhcp relay server-ip 192.168.11.11
[LSW1-Vlanif10]q
[LSW1]int vlanif 20
[LSW1-Vlanif20]dhcp select relay
[LSW1-Vlanif20]dhcp relay server-ip 192.168.11.11
[LSW1-Vlanif20]q
[LSW1]int vlanif 30
[LSW1-Vlanif30]dhcp select relay
[LSW1-Vlanif30]dhcp relay server-ip 192.168.11.11
[LSW1-Vlanif30]q
[LSW1]int vlanif 40
[LSW1-Vlanif40]dhcp select relay
[LSW1-Vlanif40]dhcp relay server-ip 192.168.11.11
[LSW1-Vlanif40]q
[LSW1]int vlanif 100
[LSW1-Vlanif100]dhcp select relay
[LSW1-Vlanif100]dhcp relay server-ip 192.168.11.11
[LSW1-Vlanif100]q
[LSW1]int vlanif 101
[LSW1-Vlanif101]dhcp select relay
[LSW1-Vlanif101]dhcp relay server-ip 192.168.11.11
[LSW1-Vlanif101]q
[LSW1]int vlanif 102
[LSW1-Vlanif102]dhcp select relay
[LSW1-Vlanif102]dhcp relay server-ip 192.168.11.11
[LSW1-Vlanif102]q
[LSW1]q
#
4-7 Configure STP
LSW1
#
[LSW1]stp enable
[LSW1]stp mode mstp
[LSW1]stp instance 1 priority 4096
[LSW1]stp instance 2 priority 8192
[LSW1]stp instance 3 priority 4096
[LSW1]stp instance 4 priority 8192
[LSW1]stp instance 10 priority 4096
[LSW1]stp instance 11 priority 4096
[LSW1]stp instance 12 priority 8192
[LSW1]stp instance 0 root primary
[LSW1]stp region-configuration
[LSW1-mst-region]region-name huawei
[LSW1-mst-region]instance 1 vlan 10
[LSW1-mst-region]instance 2 vlan 20
[LSW1-mst-region]instance 3 vlan 30
[LSW1-mst-region]instance 4 vlan 40
[LSW1-mst-region]instance 10 vlan 100
[LSW1-mst-region]instance 11 vlan 101
[LSW1-mst-region]instance 12 vlan 102
[LSW1-mst-region]active region-configuration
[LSW1-mst-region]q
#
LSW2
[LSW2]stp enable
[LSW2]stp mode mstp
[LSW2]stp instance 1 priority 8192
[LSW2]stp instance 2 priority 4096
[LSW2]stp instance 3 priority 8192
[LSW2]stp instance 4 priority 4096
[LSW2]stp instance 10 priority 8192
[LSW2]stp instance 11 priority 8192
[LSW2]stp instance 12 priority 4096
[LSW2]stp instance 0 root secondary
[LSW2]stp region-configuration
[LSW2-mst-region]region-name huawei
[LSW2-mst-region]instance 1 vlan 10
[LSW2-mst-region]instance 2 vlan 20
[LSW2-mst-region]instance 3 vlan 30
[LSW2-mst-region]instance 4 vlan 40
[LSW2-mst-region]instance 10 vlan 100
[LSW2-mst-region]instance 11 vlan 101
[LSW2-mst-region]instance 12 vlan 102
[LSW2-mst-region]active region-configuration
[LSW2-mst-region]q
[LSW2]
4-8 Configure VRRP
LSW1 is the master gateway for VLANs 10, 30, 100 and 101; LSW2 is the master gateway for VLANs 20, 40 and 102.
LSW1
#
[LSW1]int vlanif 10
[LSW1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[LSW1-Vlanif10]vrrp vrid 10 priority 120
[LSW1-Vlanif10]vrrp vrid 10 preempt-mode timer delay 20
[LSW1-Vlanif10]q
[LSW1]int vlanif 20
[LSW1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[LSW1]int vlanif 30
[LSW1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[LSW1-Vlanif30]vrrp vrid 30 priority 140
[LSW1-Vlanif30]q
[LSW1]int vlanif 40
[LSW1-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.254
[LSW1-Vlanif40]q
[LSW1]int vlanif 100
[LSW1-Vlanif100]vrrp vrid 100 virtual-ip 192.168.100.254
[LSW1-Vlanif100]vrrp vrid 100 priority 160
[LSW1-Vlanif100]q
[LSW1]int vlanif 101
[LSW1-Vlanif101]vrrp vrid 101 virtual-ip 192.168.101.254
[LSW1-Vlanif101]vrrp vrid 101 priority 170
[LSW1-Vlanif101]q
[LSW1]int vlanif 102
[LSW1-Vlanif102]vrrp vrid 102 virtual-ip 192.168.102.254
[LSW1-Vlanif102]q
#
LSW2
#
[LSW2]int vlanif 10
[LSW2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[LSW2-Vlanif10]q
[LSW2]int vlanif 20
[LSW2-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[LSW2-Vlanif20]vrrp vrid 20 priority 130
[LSW2-Vlanif20]q
[LSW2]int vlanif 30
[LSW2-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[LSW2-Vlanif30]q
[LSW2]int vlanif 40
[LSW2-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.254
[LSW2-Vlanif40]vrrp vrid 40 priority 150
[LSW2-Vlanif40]q
[LSW2]int vlanif 100
[LSW2-Vlanif100]vrrp vrid 100 virtual-ip 192.168.100.254
[LSW2-Vlanif100]q
[LSW2]int vlanif 101
[LSW2-Vlanif101]vrrp vrid 101 virtual-ip 192.168.101.254
[LSW2-Vlanif101]q
[LSW2]int vlanif 102
[LSW2-Vlanif102]vrrp vrid 102 virtual-ip 192.168.102.254
[LSW2-Vlanif102]vrrp vrid 102 priority 180
[LSW2-Vlanif102]q
#
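Requirements 3/4 and 6/7 tie the MSTP root bridge and the VRRP master gateway of each VLAN to the same switch; when they diverge, frames for that VLAN's gateway are forced across the LSW1-LSW2 Eth-Trunk. The following Python check is an added example (not part of the original lab and not a Huawei tool): it parses the priority lines from sections 4-7 and 4-8, elects the root (lowest priority) and the master (highest priority) per VLAN, and reports any VLAN where they differ. It assumes VRID numbers equal VLAN ids, as in this lab, and treats ties as unresolved rather than guessing the MAC/IP tie-break.

```python
# Added example (not part of the original lab): check that the MSTP root bridge
# chosen in 4-7 and the VRRP master chosen in 4-8 are the same switch for every
# VLAN. The config text below is transcribed from the page (only the lines the
# checker needs); the lab numbers each VRID after its VLAN and the checker relies
# on that convention.
import re

STP_DEFAULT_PRIORITY = 32768   # VRP default when no 'stp instance N priority' is set
VRRP_DEFAULT_PRIORITY = 100    # VRP default when no 'vrrp vrid N priority' is set

LSW1 = """
stp instance 1 priority 4096
stp instance 2 priority 8192
stp instance 3 priority 4096
stp instance 4 priority 8192
stp instance 10 priority 4096
stp instance 11 priority 4096
stp instance 12 priority 8192
instance 1 vlan 10
instance 2 vlan 20
instance 3 vlan 30
instance 4 vlan 40
instance 10 vlan 100
instance 11 vlan 101
instance 12 vlan 102
vrrp vrid 10 priority 120
vrrp vrid 30 priority 140
vrrp vrid 100 priority 160
vrrp vrid 101 priority 170
"""

LSW2 = """
stp instance 1 priority 8192
stp instance 2 priority 4096
stp instance 3 priority 8192
stp instance 4 priority 4096
stp instance 10 priority 8192
stp instance 11 priority 8192
stp instance 12 priority 4096
instance 1 vlan 10
instance 2 vlan 20
instance 3 vlan 30
instance 4 vlan 40
instance 10 vlan 100
instance 11 vlan 101
instance 12 vlan 102
vrrp vrid 20 priority 130
vrrp vrid 40 priority 150
vrrp vrid 102 priority 180
"""


def parse(cfg):
    """Return (stp priority by instance, vlan by instance, vrrp priority by vrid)."""
    stp, region, vrrp = {}, {}, {}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"stp instance (\d+) priority (\d+)", line):
            stp[int(m[1])] = int(m[2])
        elif m := re.fullmatch(r"instance (\d+) vlan (\d+)", line):
            region[int(m[1])] = int(m[2])
        elif m := re.fullmatch(r"vrrp vrid (\d+) priority (\d+)", line):
            vrrp[int(m[1])] = int(m[2])
    return stp, region, vrrp


def elect(a, b, pick_lower):
    """'LSW1', 'LSW2' or 'tie' (a tie would fall back to the MAC/IP comparison)."""
    if a == b:
        return "tie"
    return "LSW1" if (a < b) == pick_lower else "LSW2"


def check_alignment(cfg1, cfg2):
    """Map each VLAN to (stp root, vrrp master, aligned?)."""
    stp1, region1, vrrp1 = parse(cfg1)
    stp2, region2, vrrp2 = parse(cfg2)
    if region1 != region2:
        raise ValueError("instance-to-VLAN mapping differs: the switches are not in one MST region")
    report = {}
    for inst, vlan in sorted(region1.items()):
        root = elect(stp1.get(inst, STP_DEFAULT_PRIORITY), stp2.get(inst, STP_DEFAULT_PRIORITY), pick_lower=True)
        master = elect(vrrp1.get(vlan, VRRP_DEFAULT_PRIORITY), vrrp2.get(vlan, VRRP_DEFAULT_PRIORITY), pick_lower=False)
        report[vlan] = (root, master, root == master and root != "tie")
    return report


def misaligned(cfg1, cfg2):
    """VLANs whose STP root and VRRP master are on different switches (or tied)."""
    return [vlan for vlan, (_, _, ok) in check_alignment(cfg1, cfg2).items() if not ok]


if __name__ == "__main__":
    for vlan, (root, master, ok) in check_alignment(LSW1, LSW2).items():
        print(vlan, root, master, "OK" if ok else "MISALIGNED")
```

With the page's values every VLAN is aligned; appending a single stray line such as vrrp vrid 10 priority 200 to LSW2 makes the checker flag VLAN 10, which is the kind of drift this catches after an ad-hoc change.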
4-9 Configure OSPF
LSW1, LSW2, AR1 and AR2 all need it.
#
[LSW1]ospf 10 router-id 3.3.3.3
[LSW1-ospf-10]area 0
[LSW1-ospf-10-area-0.0.0.0]network 10.11.11.0 0.0.0.3
[LSW1-ospf-10-area-0.0.0.0]network 10.12.12.0 0.0.0.3
[LSW1-ospf-10-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[LSW1-ospf-10-area-0.0.0.0]area 0.0.0.10
[LSW1-ospf-10-area-0.0.0.10]network 192.168.10.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.10]area 0.0.0.11
[LSW1-ospf-10-area-0.0.0.11]network 192.168.11.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.11]area 0.0.0.20
[LSW1-ospf-10-area-0.0.0.20]network 192.168.20.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.20]area 0.0.0.30
[LSW1-ospf-10-area-0.0.0.30]network 192.168.30.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.30]area 0.0.0.40
[LSW1-ospf-10-area-0.0.0.40]network 192.168.40.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.40]area 0.0.0.100
[LSW1-ospf-10-area-0.0.0.100]network 192.168.100.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.100]area 0.0.0.101
[LSW1-ospf-10-area-0.0.0.101]network 192.168.101.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.101]area 0.0.0.102
[LSW1-ospf-10-area-0.0.0.102]network 192.168.102.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.102]q
[LSW1-ospf-10]q
#
LSW2
[LSW2]ospf 10 router-id 4.4.4.4
[LSW2-ospf-10]area 0
[LSW2-ospf-10-area-0.0.0.0]network 10.21.21.0 0.0.0.3
[LSW2-ospf-10-area-0.0.0.0]network 10.22.22.0 0.0.0.3
[LSW2-ospf-10-area-0.0.0.0]network 4.4.4.4 0.0.0.0
[LSW2-ospf-10-area-0.0.0.0]area 0.0.0.10
[LSW2-ospf-10-area-0.0.0.10]network 192.168.10.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.10]area 0.0.0.20
[LSW2-ospf-10-area-0.0.0.20]network 192.168.20.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.20]area 0.0.0.22
[LSW2-ospf-10-area-0.0.0.22]network 192.168.22.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.22]area 0.0.0.30
[LSW2-ospf-10-area-0.0.0.30]network 192.168.30.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.30]area 0.0.0.40
[LSW2-ospf-10-area-0.0.0.40]network 192.168.40.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.40]area 0.0.0.100
[LSW2-ospf-10-area-0.0.0.100]network 192.168.100.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.100]area 0.0.0.101
[LSW2-ospf-10-area-0.0.0.101]network 192.168.101.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.101]area 0.0.0.102
[LSW2-ospf-10-area-0.0.0.102]network 192.168.102.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.102]q
[LSW2-ospf-10]q
#
AR1
[AR1]ospf 10 router-id 1.1.1.1
[AR1-ospf-10]default-route-advertise # advertise a default route into OSPF
[AR1-ospf-10]area 0
[AR1-ospf-10-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[AR1-ospf-10-area-0.0.0.0]network 10.11.11.0 0.0.0.3
[AR1-ospf-10-area-0.0.0.0]network 10.21.21.0 0.0.0.3
[AR1-ospf-10-area-0.0.0.0]q
[AR1-ospf-10]q
#
AR2
[AR2]ospf 10 router-id 2.2.2.2
[AR2-ospf-10]default-route-advertise cost 5 # higher cost than AR1's default, so AR1 stays the preferred exit
[AR2-ospf-10]area 0
[AR2-ospf-10-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[AR2-ospf-10-area-0.0.0.0]network 10.12.12.0 0.0.0.3
[AR2-ospf-10-area-0.0.0.0]network 10.22.22.0 0.0.0.3
[AR2-ospf-10-area-0.0.0.0]q
[AR2-ospf-10]q
4-10 Configure the AC
First check whether AP1 and AP2 have obtained addresses
AP1
AP2
Configure the AC
#
[AC]vlan pool vlan101
[AC-vlan-pool-vlan101]vlan 101
[AC-vlan-pool-vlan101]vlan pool vlan102
[AC-vlan-pool-vlan102]vlan 102
#
[AC]capwap source int vlanif 22 # CAPWAP signalling source address
#
Create the regulatory domain profile
#
[AC]wlan
[AC-wlan-view]regulatory-domain-profile name cfig
[AC-wlan-regulate-domain-cfig]country-code CN # country code
[AC-wlan-regulate-domain-cfig]q
[AC-wlan-view]ap-group name bg
[AC-wlan-ap-group-bg]regulatory-domain-profile cfig
[AC-wlan-ap-group-bg]ap-group name guest
[AC-wlan-ap-group-guest]regulatory-domain-profile cfig
[AC-wlan-ap-group-guest]q
[AC-wlan-view]q
[AC]
#
Bring the APs online
#
[AC]wlan
[AC-wlan-view]ap auth-mode mac-auth
[AC-wlan-view]ap-id 1 ap-mac 00e0-fca1-3f10 # the MAC address has to be read from the AP itself
[AC-wlan-ap-1]ap-name GUEST
[AC-wlan-ap-1]ap-group guest
[AC-wlan-ap-1]ap-id 2 ap-mac 00e0-fc60-5700
[AC-wlan-ap-2]ap-name BanGong
[AC-wlan-ap-2]ap-group bg
#
Configure the VLAN service parameters
#
Create the security profiles
[AC]wlan
[AC-wlan-view]security-profile name bg # security (password) profile for the office area
[AC-wlan-sec-prof-bg]security wpa2 psk pass-phrase 12345678 aes # Wi-Fi password: 12345678
[AC-wlan-sec-prof-bg]security-profile name guest # security (password) profile for the guest area
[AC-wlan-sec-prof-guest]security wpa2 psk pass-phrase 12345678 aes # Wi-Fi password: 12345678
[AC-wlan-sec-prof-guest]q
[AC-wlan-view]q
#
Create the SSID profiles
#
[AC]wlan
[AC-wlan-view]ssid-profile name bg # profile holding the Wi-Fi name
[AC-wlan-ssid-prof-bg]ssid BanGong # the office-area SSID is BanGong
[AC-wlan-ssid-prof-bg]ssid-profile name guest
[AC-wlan-ssid-prof-guest]ssid guest
#
Create the VAP profiles
#
[AC]wlan
[AC-wlan-view]vap-profile name bg
[AC-wlan-vap-prof-bg]forward-mode tunnel
[AC-wlan-vap-prof-bg]service-vlan vlan-id 102
[AC-wlan-vap-prof-bg]ssid-profile bg
[AC-wlan-vap-prof-bg]security-profile bg
[AC-wlan-vap-prof-bg]vap-profile name guest
[AC-wlan-vap-prof-guest]forward-mode tunnel
[AC-wlan-vap-prof-guest]service-vlan vlan-id 101
[AC-wlan-vap-prof-guest]ssid-profile guest
[AC-wlan-vap-prof-guest]security-profile guest
[AC-wlan-vap-prof-guest]q
[AC-wlan-view]q
[AC]
#
Bind the VAP profiles to the AP groups
#
[AC]wlan
[AC-wlan-view]ap-group name bg
[AC-wlan-ap-group-bg]vap-profile bg wlan 1 radio 0 # APs in group "bg" broadcast the bg VAP (SSID BanGong, VLAN 102) on radio 0
[AC-wlan-ap-group-bg]vap-profile bg wlan 1 radio 1
[AC-wlan-ap-group-bg]q
[AC-wlan-view]ap-group name guest
[AC-wlan-ap-group-guest]vap-profile guest wlan 1 radio 0 # APs in group "guest" broadcast the guest VAP (SSID guest, VLAN 101) on radio 0
[AC-wlan-ap-group-guest]vap-profile guest wlan 1 radio 1
[AC-wlan-ap-group-guest]q
4-11 Test: wireless devices connect to the WLAN and obtain an IP address
Only STA1 is shown here.
4-12 Configure the firewall
Add the interfaces to their security zones
#
[FW]firewall zone trust
[FW-zone-trust]add int g1/0/1
[FW-zone-trust]add int g1/0/2
[FW-zone-trust]q
[FW]firewall zone untrust
[FW-zone-untrust]add int g1/0/6
[FW-zone-untrust]q
[FW]firewall zone dmz
[FW-zone-dmz]add int g1/0/0
[FW-zone-dmz]q
[FW]quit
#
Configure NAT Server so that the internal FTP server provides FTP and HTTP service to Internet users:
#
The FTP server's public address is 202.1.1.4, external users must use port 2121 to reach the internal server, and no reverse NAT entry is generated.
#
[FW] nat server ut->d-ftp protocol tcp global 202.1.1.4 2121 inside 172.16.1.100 ftp no-reverse
#
Configure the security policy
#
[FW]security-policy # enter the security-policy view
[FW-policy-security]rule name t->d # allow trust zone traffic to the DMZ
[FW-policy-security-rule-t->d]source-zone trust # source zone
[FW-policy-security-rule-t->d]destination-zone dmz # destination zone
[FW-policy-security-rule-t->d]action permit # action: permit
[FW-policy-security-rule-t->d]q
[FW-policy-security]rule name t->ut # allow trust zone traffic to the untrust zone
[FW-policy-security-rule-t->ut]source-zone trust
[FW-policy-security-rule-t->ut]destination-zone untrust
[FW-policy-security-rule-t->ut]action permit
[FW-policy-security-rule-t->ut]rule name ut-d # allow untrust zone traffic to the DMZ, limited to the published servers and services
[FW-policy-security-rule-ut-d]source-zone untrust
[FW-policy-security-rule-ut-d]destination-zone dmz
[FW-policy-security-rule-ut-d]destination-address 172.16.1.0 mask 255.255.255.0 # destination IP is 172.16.1.0/24 (the DMZ)
[FW-policy-security-rule-ut-d]service ftp
[FW-policy-security-rule-ut-d]service http
[FW-policy-security-rule-ut-d]action permit
[FW-policy-security-rule-ut-d]q
[FW-policy-security]q
[FW]q
#
Configure Easy IP so that internal users can access the Internet
#
[FW]nat-policy
[FW-policy-nat]rule name t->ut
[FW-policy-nat-rule-t->ut]source-zone trust
[FW-policy-nat-rule-t->ut]destination-zone untrust
[FW-policy-nat-rule-t->ut]action source-nat easy-ip
[FW-policy-nat-rule-t->ut]q
[FW-policy-nat]rule name d->ut # source NAT for DMZ-to-Internet traffic belongs in the NAT policy, not the security policy; a matching dmz -> untrust security-policy rule is still needed before that traffic is forwarded
[FW-policy-nat-rule-d->ut]source-zone dmz
[FW-policy-nat-rule-d->ut]destination-zone untrust
[FW-policy-nat-rule-d->ut]action source-nat easy-ip
[FW-policy-nat-rule-d->ut]q
[FW-policy-nat]q
#
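To check the intent of the zone rules and the NAT Server entry above before deploying them, here is an added example (not part of the original lab and not Huawei code) that models the USG lookup order: destination NAT first, then the security policy evaluated on the translated address, ending in the implicit deny. It assumes zones can be derived by longest-prefix match from the FW static routes in 4-3 plus the DMZ subnet, and it ignores interface detail and stateful return traffic. The addresses are the page's; 20.20.20.5 is a constructed Internet host, and 172.16.1.200 is the DNS server address from the DHCP pools.

```python
# Added example (not part of the original lab): a small model of how the USG
# evaluates the security policy and NAT Server from section 4-12.
# Assumptions: destination NAT (the nat server mapping) is applied before the
# security-policy lookup, so rules see the inside DMZ address; zones are looked
# up by longest-prefix match in a table built from the FW static routes in 4-3;
# anything no rule matches hits the implicit deny.
from ipaddress import ip_address, ip_network

# prefix -> zone, from the routes in 4-3 (the default route points at untrust)
ZONE_TABLE = [
    (ip_network("0.0.0.0/0"), "untrust"),
    (ip_network("192.168.0.0/18"), "trust"),
    (ip_network("192.168.100.0/22"), "trust"),
    (ip_network("172.16.1.0/24"), "dmz"),
]
SERVICES = {"ftp": ("tcp", 21), "http": ("tcp", 80)}
# nat server ut->d-ftp protocol tcp global 202.1.1.4 2121 inside 172.16.1.100 ftp no-reverse
NAT_SERVER = {("tcp", "202.1.1.4", 2121): ("172.16.1.100", 21)}
# security-policy rules in configured order; first match wins, then implicit deny
RULES = [
    {"name": "t->d", "src": "trust", "dst": "dmz"},
    {"name": "t->ut", "src": "trust", "dst": "untrust"},
    {"name": "ut-d", "src": "untrust", "dst": "dmz",
     "dst_net": ip_network("172.16.1.0/24"), "services": {"ftp", "http"}},
]


def zone_of(ip):
    """Longest-prefix match of an address against the zone table."""
    addr = ip_address(ip)
    best = max((net for net, _ in ZONE_TABLE if addr in net), key=lambda n: n.prefixlen)
    return dict(ZONE_TABLE)[best]


def apply_nat_server(proto, dst, dport):
    """Translate a public (address, port) to the inside server, or leave it untouched."""
    return NAT_SERVER.get((proto, dst, dport), (dst, dport))


def evaluate(src, dst, proto, dport):
    """Return (decision, matched rule name or None, translated dst, translated dport)."""
    src_zone = zone_of(src)
    dst, dport = apply_nat_server(proto, dst, dport)   # destination NAT precedes the policy lookup
    dst_zone = zone_of(dst)
    for rule in RULES:
        if (rule["src"], rule["dst"]) != (src_zone, dst_zone):
            continue
        if "dst_net" in rule and ip_address(dst) not in rule["dst_net"]:
            continue
        if "services" in rule and (proto, dport) not in {SERVICES[s] for s in rule["services"]}:
            continue
        return "permit", rule["name"], dst, dport
    return "deny", None, dst, dport


if __name__ == "__main__":
    for flow in [("20.20.20.5", "202.1.1.4", "tcp", 2121),     # Internet -> published FTP port
                 ("20.20.20.5", "172.16.1.100", "tcp", 22),    # Internet -> DMZ SSH: not published
                 ("192.168.10.5", "172.16.1.200", "udp", 53),  # office -> DMZ DNS
                 ("172.16.1.100", "20.20.20.5", "tcp", 80),    # DMZ -> Internet: no rule
                 ("20.20.20.5", "192.168.10.5", "tcp", 80)]:   # Internet -> trust: no rule
        print(flow, "->", evaluate(*flow))
```

The last two flows show the two things worth noticing in the page's policy: only the published FTP/HTTP services reach the DMZ from outside, and nothing from the DMZ is allowed towards the Internet until a dmz -> untrust security-policy rule is added alongside the NAT rule.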
4-13 Check that every PC has obtained an IP address and can reach the Internet, i.e. the internal network can access the Internet
PC1
PC2
The other PCs have also obtained IP addresses and can all reach the Internet and the DMZ.
External users accessing the internal server
Start the FTP service
4-14 Access control with ACLs
Restrict the other departments from accessing the finance department.
#
[LSW4]acl 3000
[LSW4-acl-adv-3000]rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 # deny finance to the office area
[LSW4-acl-adv-3000]rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 # deny finance to HR
[LSW4-acl-adv-3000]rule 15 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255 # deny finance to the guest area
[LSW4-acl-adv-3000]q
[LSW4]int vlanif 20
[LSW4-Vlanif20]traffic-filter vlan 20 inbound acl 3000 # filters every packet received in VLAN 20; dropping finance-sourced packets also drops the replies to sessions the other departments open towards finance
#
Test: PC2 cannot reach the other departments.
The guest area can only access the servers and the Internet.
#
[LSW6]acl 3001
[LSW6-acl-adv-3001]rule 5 permit ip source 192.168.40.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[LSW6-acl-adv-3001]rule 10 permit ip source 192.168.40.0 0.0.0.255 destination 20.20.20.0 0.0.0.255
[LSW6-acl-adv-3001]rule 15 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[LSW6-acl-adv-3001]rule 20 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[LSW6-acl-adv-3001]rule 25 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[LSW6-acl-adv-3001]q
[LSW6]int vlanif 40
[LSW6-Vlanif40]traffic-filter vlan 40 inbound acl 3001
#
Test: the guest area can only reach the Internet and the DMZ, not the other departments.
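Both ACLs above are applied with traffic-filter ... inbound on a VLAN, which checks every packet the switch receives in that VLAN regardless of the port it arrived on, and an advanced ACL used that way ends in an implicit permit. That is why denying only finance-sourced packets satisfies requirement 16: a session opened by another department towards finance passes on the way in, but its replies are dropped. The following Python is an added example, not from the original lab; it parses the rule lines as written, evaluates a packet first-match, and tests both directions of a session. The host addresses are constructed samples inside the page's subnets.

```python
# Added example (not part of the original lab): evaluate the two ACLs from 4-14
# with traffic-filter semantics (first matching rule wins, no match -> permit)
# and check whole sessions, since both directions of a session pass through
# the switch that filters the finance or guest VLAN.
import re
from ipaddress import ip_address, ip_network

# rule lines transcribed from acl 3000 (LSW4) and acl 3001 (LSW6)
ACL_3000 = """
rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 15 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
"""
ACL_3001 = """
rule 5 permit ip source 192.168.40.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
rule 10 permit ip source 192.168.40.0 0.0.0.255 destination 20.20.20.0 0.0.0.255
rule 15 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 20 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 25 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
"""

RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)")


def parse_acl(text):
    """Parse 'rule N permit|deny ip source A W destination B W' lines.

    VRP wildcard masks are hostmasks, which ipaddress accepts directly
    ('192.168.20.0/0.0.0.255' -> 192.168.20.0/24)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append((int(m[1]), m[2], ip_network(m[3] + "/" + m[4]), ip_network(m[5] + "/" + m[6])))
    return sorted(rules)  # matched in ascending rule-number order


def packet_action(rules, src, dst):
    """traffic-filter semantics: first matching rule decides; no match -> permit."""
    s, d = ip_address(src), ip_address(dst)
    for _, action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "permit"


def session_allowed(rules, client, server):
    """A session only works if the request and the reply both pass the filter."""
    return packet_action(rules, client, server) == "permit" and packet_action(rules, server, client) == "permit"


if __name__ == "__main__":
    finance, guest = parse_acl(ACL_3000), parse_acl(ACL_3001)
    print("office -> finance request:", packet_action(finance, "192.168.10.5", "192.168.20.5"))   # permit
    print("finance -> office reply:  ", packet_action(finance, "192.168.20.5", "192.168.10.5"))   # deny
    print("office -> finance session:", session_allowed(finance, "192.168.10.5", "192.168.20.5"))  # False
    print("guest -> DMZ FTP session: ", session_allowed(guest, "192.168.40.5", "172.16.1.100"))    # True
    print("office -> guest session:  ", session_allowed(guest, "192.168.10.5", "192.168.40.5"))    # False
```

The same check also shows that the two permit rules at the top of acl 3001 are redundant under the implicit permit, and that requirement 17 holds in both directions: the office cannot open sessions to guest hosts either, because the guest side's reply is dropped.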
4-15 Configure edge ports on LSW3-LSW6
#
[LSW3]int e0/0/3
[LSW3-Ethernet0/0/3]stp edged-port enable # host-facing port, skips listening/learning; pair with stp bpdu-protection in system view so a BPDU received here shuts the port down instead of turning it back into a normal STP port
[LSW3-Ethernet0/0/3]q
[LSW3]int e0/0/4
[LSW3-Ethernet0/0/4]stp edged-port enable
[LSW3-Ethernet0/0/4]q
[LSW3]q
#
[LSW4]int e0/0/3
[LSW4-Ethernet0/0/3]stp edged-port enable
[LSW4-Ethernet0/0/3]q
[LSW4]int e0/0/4
[LSW4-Ethernet0/0/4]stp edged-port enable
[LSW4-Ethernet0/0/4]q
[LSW4]q
#
[LSW5]int e0/0/3
[LSW5-Ethernet0/0/3]stp edged-port enable
[LSW5-Ethernet0/0/3]q
[LSW5]int e0/0/4
[LSW5-Ethernet0/0/4]stp edged-port enable
[LSW5-Ethernet0/0/4]q
[LSW5]q
#
[LSW6]int e0/0/3
[LSW6-Ethernet0/0/3]stp edged-port enable
[LSW6-Ethernet0/0/3]q
[LSW6]int e0/0/4
[LSW6-Ethernet0/0/4]stp edged-port enable
[LSW6-Ethernet0/0/4]q
[LSW6]q
4-16 Port isolation
Apply port isolation in the guest area
[LSW6]int e0/0/3
[LSW6-Ethernet0/0/3]port-isolate enable group 1 # ports in the same isolation group cannot exchange frames at layer 2 but still reach the uplink
[LSW6-Ethernet0/0/3]q
[LSW6]int e0/0/4
[LSW6-Ethernet0/0/4]port-isolate enable group 1
[LSW6-Ethernet0/0/4]q
Test: hosts in the guest area cannot communicate with each other.
That is the overall picture of this lab.
Many thanks to all readers.