
Computer science practical training: high-availability server architecture (firewall, hot standby, VRRP, MSTP, DHCP, OSPF)

I. Project introduction

Requirements analysis:

(1) The headquarters and the branch require a simple, easy-to-maintain network topology that is extensible and redundant;

(2) The headquarters is divided into a Finance department, an HR department, an Engineering department and a Technical department, with a certain level of security between them;

(3) The headquarters requires redundant, reliable core switches;

(4) Headquarters data has a certain level of confidentiality and may not be accessed from the external network or from the branch; a firewall DMZ zone is configured for it;

(5) The external network has two ISP lines that back each other up: traffic normally uses the China Telecom line, with China Unicom as the backup.

II. Design and planning

1. Planning notes (including parameter notes for the DHCP, WWW, HTTP and related services)

(1) The enterprise network uses a three-tier architecture;

(2) The terminal layer has 8 PCs, grouped in pairs into four departments (Finance, HR, Engineering, Technical), each in its own VLAN: vlan10, vlan20, vlan30 and vlan40;

(3) The access layer uses 4 layer-2 switches for terminal access; their ports towards the terminal-layer PCs are access ports;

(4) The aggregation layer uses 4 layer-3 switches; their ports towards the access-layer switches are trunk ports. This layer uses OSPF, VLAN segmentation, MSTP and VRRP;

(5) The core layer uses 2 routers to interconnect the internal network; it runs OSPF.

(6) The firewall area is divided into three zones: DMZ (data centre), Trust (internal network) and Untrust (external network).

1.1 IP address plan

Switches lsw1, 2, 3, 4, 9 and 10 are S3700 models, switches lsw5, 6, 7, 8 and 11 are S5700 models, the routers are AR1220 and AR2220 models, and the firewalls are USG6000V.

VLAN area                  IP subnet
Lsw1, PC1, PC2             192.168.10.0/24
Lsw2, PC3, PC4             192.168.20.0/24
Lsw3, PC5, PC6             192.168.30.0/24
Lsw4, PC7, PC8             192.168.40.0/24
AR7 - FW4                  192.168.97.0/24
AR7 - AR6                  192.168.93.0/24
AR7, PC11                  192.168.13.0/24
AR7 - AR5                  192.168.94.0/24
AR4 - FW3                  100.1.1.0/24
AR4 - FW2                  192.168.90.0/24
AR9 - Server1, Server2     192.168.80.0/24
AR4 - AR6                  192.168.96.0/24
AR4 - AR5                  192.168.95.0/24

1.2 Network management design

(1) All internal employees need access to the external network;

(2) Different departments must be able to communicate with each other;

(3) The headquarters can reach the external network and the branch's departments, but the external network cannot reach the internal network.

III. Design content and steps

1.1 Topology design and device connections

Three firewalls, 3 servers, three S5700 switches, five S3700 switches, six routers and twelve PCs.

Basic configuration:

LSW2 is configured the same way as LSW1.

Example:

LSW1
system-view
undo info-center enable
sysname LSW1
vlan batch 10 20 30 40 88
# one access port per department VLAN; VLAN 88 is the 192.168.88.0/24 network that hosts the DNS server
interface GigabitEthernet 0/0/1
port link-type access
port default vlan 10
interface GigabitEthernet 0/0/2
port link-type access
port default vlan 20
interface GigabitEthernet 0/0/3
port link-type access
port default vlan 30
interface GigabitEthernet 0/0/4
port link-type access
port default vlan 40
interface GigabitEthernet 0/0/6
port link-type access
port default vlan 88
# uplinks towards the aggregation switches carry all VLANs
interface GigabitEthernet 0/0/5
port link-type trunk
port trunk allow-pass vlan all
interface GigabitEthernet 0/0/7
port link-type trunk
port trunk allow-pass vlan all
interface GigabitEthernet 0/0/8
port link-type trunk
port trunk allow-pass vlan all
quit

MSTP configuration

# Every switch in the region must use the same region name, revision level and
# VLAN-to-instance mapping; otherwise the switches form separate MST regions.

S1 configuration:
stp region-configuration
region-name STP
instance 1 vlan 10 20
instance 2 vlan 30 40
revision-level 1
active region-configuration
quit
stp instance 1 root primary
stp instance 2 root secondary

S2 configuration:
stp region-configuration
region-name STP
instance 1 vlan 10 20
instance 2 vlan 30 40
revision-level 1
active region-configuration
quit
stp instance 2 root primary
stp instance 1 root secondary

Basic configuration:

LSW9 is configured the same way as LSW10.

Example:

LSW10
interface GigabitEthernet 0/0/1
port link-type trunk
port trunk allow-pass vlan all
interface GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan all
interface GigabitEthernet 0/0/3
port link-type trunk
port trunk allow-pass vlan all
quit

VRRP + MSTP configuration:

LSW9:
system-view
sysname LSW9
undo info-center enable
vlan batch 10 20 30 40 88 66 15 16
interface Vlanif 10
ip address 192.168.10.1 24
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 150
vrrp vrid 10 preempt-mode timer delay 1
vrrp vrid 10 timer advertise 1
# if uplink g0/0/1 goes down the priority drops by 70 (150 -> 80) so the peer can take over
vrrp vrid 10 track interface GigabitEthernet 0/0/1 reduced 70
interface Vlanif 20
ip address 192.168.20.1 24
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 110
vrrp vrid 20 preempt-mode timer delay 1
vrrp vrid 20 timer advertise 1
interface Vlanif 30
ip address 192.168.30.1 24
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 110
vrrp vrid 30 preempt-mode timer delay 1
vrrp vrid 30 timer advertise 1
interface Vlanif 40
ip address 192.168.40.1 24
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 110
vrrp vrid 40 preempt-mode timer delay 1
vrrp vrid 40 timer advertise 1
interface Vlanif 88
ip address 192.168.88.1 24
vrrp vrid 88 virtual-ip 192.168.88.254
vrrp vrid 88 priority 110
vrrp vrid 88 preempt-mode timer delay 1
vrrp vrid 88 timer advertise 1
interface Vlanif 66
ip address 192.168.66.1 24
vrrp vrid 66 virtual-ip 192.168.66.254
vrrp vrid 66 priority 110
vrrp vrid 66 preempt-mode timer delay 1
vrrp vrid 66 timer advertise 1
quit

LSW10:
system-view
sysname LSW10
undo info-center enable
vlan batch 10 20 30 40 88 66 15 16
# Note: both switches configure priority 150 for VRID 10 and 110 for the other groups,
# so the master is decided by the higher interface address (LSW10, .2) rather than by
# an explicit priority; give one switch a higher priority if it is meant to be master.
interface Vlanif 10
ip address 192.168.10.2 24
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 150
vrrp vrid 10 preempt-mode timer delay 1
vrrp vrid 10 timer advertise 1
vrrp vrid 10 track interface GigabitEthernet 0/0/1 reduced 70
interface Vlanif 20
ip address 192.168.20.2 24
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 110
vrrp vrid 20 preempt-mode timer delay 1
vrrp vrid 20 timer advertise 1
interface Vlanif 30
ip address 192.168.30.2 24
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 110
vrrp vrid 30 preempt-mode timer delay 1
vrrp vrid 30 timer advertise 1
interface Vlanif 40
ip address 192.168.40.2 24
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 110
vrrp vrid 40 preempt-mode timer delay 1
vrrp vrid 40 timer advertise 1
# .1 on VLAN 88 and VLAN 66 is already used by LSW9; LSW10 needs its own address (.2)
interface Vlanif 88
ip address 192.168.88.2 24
vrrp vrid 88 virtual-ip 192.168.88.254
vrrp vrid 88 priority 110
vrrp vrid 88 preempt-mode timer delay 1
vrrp vrid 88 timer advertise 1
interface Vlanif 66
ip address 192.168.66.2 24
vrrp vrid 66 virtual-ip 192.168.66.254
vrrp vrid 66 priority 110
vrrp vrid 66 preempt-mode timer delay 1
vrrp vrid 66 timer advertise 1
quit
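To see which switch actually becomes master for each department VLAN with the priorities configured above, here is an added Python model of the VRRP election (it is not part of the lab). It assumes the standard election rule that Huawei VRRP follows: the highest effective priority wins, a tie goes to the higher interface IP address, and a tracked-interface failure subtracts the configured amount from the priority; the link-failure scenario is constructed.

```python
# Added example: VRRP master election for the LSW9/LSW10 pair with the
# priorities configured above. Election rule assumed: highest effective
# priority wins, ties go to the higher interface IP address.
from dataclasses import dataclass

@dataclass
class VrrpRouter:
    name: str
    ip: str                 # real address on the Vlanif
    priority: int           # "vrrp vrid N priority"
    track_reduce: int = 0   # "track interface ... reduced N"
    tracked_up: bool = True

    def effective_priority(self) -> int:
        # The tracked uplink going down lowers the priority by track_reduce
        # (never below 1, the lowest priority a backup may use).
        return self.priority if self.tracked_up else max(1, self.priority - self.track_reduce)

def ip_key(ip: str) -> tuple:
    return tuple(int(octet) for octet in ip.split("."))

def elect_master(routers: list) -> str:
    return max(routers, key=lambda r: (r.effective_priority(), ip_key(r.ip))).name

# Groups as configured on LSW9 and LSW10 above: both sides use the same
# priority in every group, so every election is decided by the address.
VRRP_GROUPS = {
    10: [VrrpRouter("LSW9", "192.168.10.1", 150, 70), VrrpRouter("LSW10", "192.168.10.2", 150, 70)],
    20: [VrrpRouter("LSW9", "192.168.20.1", 110), VrrpRouter("LSW10", "192.168.20.2", 110)],
    30: [VrrpRouter("LSW9", "192.168.30.1", 110), VrrpRouter("LSW10", "192.168.30.2", 110)],
    40: [VrrpRouter("LSW9", "192.168.40.1", 110), VrrpRouter("LSW10", "192.168.40.2", 110)],
}

def vrrp_masters(groups=VRRP_GROUPS) -> dict:
    return {vrid: elect_master(members) for vrid, members in groups.items()}

def tie_broken_by_address(groups=VRRP_GROUPS) -> list:
    # Groups whose members share a priority: mastership was never a design choice.
    return [vrid for vrid, members in groups.items()
            if len({m.priority for m in members}) == 1]

def master_after_uplink_loss(vrid: int, failed_switch: str) -> str:
    # Constructed scenario: the tracked uplink g0/0/1 on failed_switch goes down.
    members = [VrrpRouter(m.name, m.ip, m.priority, m.track_reduce, m.name != failed_switch)
               for m in VRRP_GROUPS[vrid]]
    return elect_master(members)
```

With the page's values `vrrp_masters()` returns LSW10 for every VLAN and `tie_broken_by_address()` lists all four groups; only when LSW10 loses its tracked uplink does LSW9 (150 against 80) take over VLAN 10.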

S9 configuration:
stp region-configuration
region-name STP
instance 1 vlan 10 20
instance 2 vlan 30 40
revision-level 1
active region-configuration
quit
# "stp root primary" without an instance number applies to instance 0 (the CIST) only;
# use "stp instance N root primary" to make this switch root for instances 1 and 2
stp root primary

LSW S10 configuration:
stp region-configuration
region-name STP
instance 1 vlan 10 20
instance 2 vlan 30 40
revision-level 1
active region-configuration
quit
stp root secondary

LSW9:
vlan batch 15 16
interface Vlanif 15
ip address 192.168.15.2 24
interface GigabitEthernet 0/0/4
port link-type access
port default vlan 15
interface Vlanif 16
ip address 192.168.25.1 24
interface GigabitEthernet 0/0/5
port link-type access
port default vlan 16
quit
ospf 1 router-id 3.3.3.3
default-route-advertise
area 0.0.0.0
network 192.168.15.0 0.0.0.255
network 192.168.25.0 0.0.0.255
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255

LSW10
vlan batch 15 16
interface Vlanif 15
ip address 192.168.16.2 24
interface GigabitEthernet 0/0/5
port link-type access
port default vlan 15
interface Vlanif 16
ip address 192.168.26.1 24
interface GigabitEthernet 0/0/4
port link-type access
port default vlan 16
quit
ospf 1 router-id 4.4.4.4
default-route-advertise
area 0.0.0.0
network 192.168.16.0 0.0.0.255
network 192.168.26.0 0.0.0.255
# the department subnets are advertised here as well, so the core still has a route
# to them when LSW9 is down (otherwise only LSW9 announces them)
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255

2.4 Core layer configuration

Basic configuration + OSPF routing

AR1
system-view
undo info-center enable
sysname AR1
interface GigabitEthernet 0/0/0
ip address 192.168.15.1 24
interface GigabitEthernet 0/0/1
ip address 192.168.16.1 24
interface GigabitEthernet 0/0/2
ip address 192.168.102.2 24
interface GigabitEthernet 4/0/0
ip address 192.168.104.2 24
interface LoopBack 0
ip address 1.1.1.1 32
quit
ospf 1 router-id 1.1.1.1
default-route-advertise
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.15.0 0.0.0.255
network 192.168.16.0 0.0.0.255
network 192.168.102.0 0.0.0.255
network 192.168.104.0 0.0.0.255

AR2
system-view
undo info-center enable
sysname AR2
interface GigabitEthernet 0/0/0
ip address 192.168.26.2 24
interface GigabitEthernet 0/0/1
ip address 192.168.25.2 24
interface GigabitEthernet 0/0/2
ip address 192.168.103.2 24
interface GigabitEthernet 4/0/0
ip address 192.168.105.2 24
interface LoopBack 0
ip address 2.2.2.2 32
quit
ospf 1 router-id 2.2.2.2
default-route-advertise
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 192.168.25.0 0.0.0.255
network 192.168.26.0 0.0.0.255
network 192.168.103.0 0.0.0.255
network 192.168.105.0 0.0.0.255

2.5 DHCP configuration

system-view
sysname DHCP
undo info-center enable
vlan batch 10 20 30 40
interface GigabitEthernet 0/0/1
port link-type trunk
port trunk allow-pass vlan all
quit
dhcp enable
# one global pool per department VLAN; the gateway handed out is the VRRP virtual address.
# excluded-ip-address reserves the addresses used by LSW9/LSW10 (.1/.2) and by this server (.253)
ip pool 1
network 192.168.10.0 mask 24
gateway-list 192.168.10.254
dns-list 192.168.88.10
excluded-ip-address 192.168.10.1 192.168.10.2
excluded-ip-address 192.168.10.253
quit
ip pool 2
network 192.168.20.0 mask 24
gateway-list 192.168.20.254
dns-list 192.168.88.10
excluded-ip-address 192.168.20.1 192.168.20.2
excluded-ip-address 192.168.20.253
quit
ip pool 3
network 192.168.30.0 mask 24
gateway-list 192.168.30.254
dns-list 192.168.88.10
excluded-ip-address 192.168.30.1 192.168.30.2
excluded-ip-address 192.168.30.253
quit
ip pool 4
network 192.168.40.0 mask 24
gateway-list 192.168.40.254
dns-list 192.168.88.10
excluded-ip-address 192.168.40.1 192.168.40.2
excluded-ip-address 192.168.40.253
quit
# "dhcp select global" is applied on the Vlanif interfaces; it is not valid on the layer-2 trunk port
interface Vlanif 10
ip address 192.168.10.253 24
dhcp select global
quit
interface Vlanif 20
ip address 192.168.20.253 24
dhcp select global
quit
interface Vlanif 30
ip address 192.168.30.253 24
dhcp select global
quit
interface Vlanif 40
ip address 192.168.40.253 24
dhcp select global
quit

2.6 ISP area configuration

Basic configuration + OSPF

AR7
system-view
sysname AR7
undo info-center enable
interface GigabitEthernet 0/0/1
ip address 192.168.93.1 24
interface GigabitEthernet 0/0/2
# link to PC11: the address plan above lists 192.168.13.0/24 for this segment
# (192.168.10.0/24 is the headquarters VLAN 10 network and would collide with it)
ip address 192.168.13.254 24
interface GigabitEthernet 0/0/0
ip address 192.168.94.1 24
interface GigabitEthernet 4/0/0
ip address 192.168.97.1 24
quit
ospf 1
default-route-advertise
area 1
network 192.168.97.0 0.0.0.255
network 192.168.94.0 0.0.0.255
network 192.168.93.0 0.0.0.255
network 192.168.13.0 0.0.0.255

AR5
system-view
sysname AR5
undo info-center enable
interface GigabitEthernet 0/0/1
ip address 192.168.94.2 24
interface GigabitEthernet 0/0/0
ip address 192.168.95.2 24
quit
ospf 1
default-route-advertise
area 1
network 192.168.94.0 0.0.0.255
network 192.168.95.0 0.0.0.255

AR6
system-view
sysname AR6
undo info-center enable
interface GigabitEthernet 0/0/1
ip address 192.168.96.2 24
interface GigabitEthernet 0/0/0
ip address 192.168.93.2 24
quit
ospf 1
default-route-advertise
area 1
network 192.168.93.0 0.0.0.255
network 192.168.96.0 0.0.0.255

AR4
system-view
sysname AR4
undo info-center enable
interface GigabitEthernet 0/0/1
ip address 192.168.96.1 24
interface GigabitEthernet 0/0/2
ip address 100.1.1.10 24
interface GigabitEthernet 0/0/0
ip address 192.168.95.1 24
interface GigabitEthernet 3/0/0
ip address 100.1.10.11 24
quit
# AR4 is the area border router: ISP links in area 1, firewall links in area 0
ospf 1
default-route-advertise
area 1
network 192.168.96.0 0.0.0.255
network 192.168.95.0 0.0.0.255
area 0
network 100.1.1.0 0.0.0.255
network 100.1.10.0 0.0.0.255

2.7 Branch router AR8 configuration

AR8
system-view
sysname AR8
undo info-center enable
interface GigabitEthernet 0/0/1
ip address 192.168.91.1 24
interface GigabitEthernet 0/0/2
ip address 192.168.110.1 24
interface GigabitEthernet 0/0/0
ip address 192.168.100.1 24
quit
ospf 1
area 1
network 192.168.100.0 0.0.0.255
network 192.168.110.0 0.0.0.255
network 192.168.91.0 0.0.0.255

2.8 Firewall FW4 configuration

FW4
system-view
sysname FW4
undo info-center enable
interface GigabitEthernet 1/0/1
ip address 192.168.97.254 24
interface GigabitEthernet 1/0/0
ip address 192.168.91.2 24
quit
firewall zone trust
add interface GigabitEthernet 1/0/0
firewall zone untrust
add interface GigabitEthernet 1/0/1
quit
interface GigabitEthernet 1/0/0
service-manage ping permit
interface GigabitEthernet 1/0/1
service-manage ping permit
quit

Firewall OSPF configuration:
ospf 1
default-route-advertise
# AR7 advertises 192.168.97.0/24 in area 1; both ends of a link must use the same
# area or no adjacency forms, so the link is placed in area 1 here as well
area 1
network 192.168.97.0 0.0.0.255
network 192.168.91.0 0.0.0.255

Security policy:
security-policy
rule name ospf
service ospf
source-zone trust
destination-zone untrust
action permit
rule name TtoU
source-zone trust
destination-zone untrust
action permit

2.9 Data centre configuration

AR9
system-view
sysname AR9
undo info-center enable
interface GigabitEthernet 0/0/1
ip address 192.168.80.1 24
interface GigabitEthernet 0/0/0
ip address 192.168.90.1 24
interface GigabitEthernet 0/0/2
ip address 192.168.106.1 24
quit
ospf 1
default-route-advertise
area 0
network 192.168.106.0 0.0.0.255
network 192.168.90.0 0.0.0.255
network 192.168.80.0 0.0.0.255

2.10 Firewall FW3 and FW2 configuration

FW3
system-view
sysname FW3
undo info-center enable
interface GigabitEthernet 1/0/1
ip address 192.168.90.2 24
interface GigabitEthernet 1/0/0
ip address 192.168.99.1 24
interface GigabitEthernet 1/0/2
ip address 100.1.1.1 24
interface GigabitEthernet 1/0/3
ip address 192.168.102.1 24
interface GigabitEthernet 1/0/4
ip address 192.168.103.1 24
quit

FW2
system-view
sysname FW2
undo info-center enable
interface GigabitEthernet 1/0/1
ip address 100.1.10.2 24
interface GigabitEthernet 1/0/0
ip address 192.168.99.2 24
interface GigabitEthernet 1/0/3
ip address 192.168.105.1 24
interface GigabitEthernet 1/0/2
ip address 192.168.104.1 24
interface GigabitEthernet 1/0/4
ip address 192.168.106.2 24
# g0/0/0 is the management interface
interface GigabitEthernet 0/0/0
service-manage all permit
quit

FW3
# VRRP groups: g1/0/3 and g1/0/4 face trust, g1/0/1 faces the dmz, g1/0/2 faces untrust
interface GigabitEthernet 1/0/3
vrrp vrid 1 virtual-ip 192.168.102.254 24 active
interface GigabitEthernet 1/0/4
vrrp vrid 4 virtual-ip 192.168.103.254 24 active
interface GigabitEthernet 1/0/1
vrrp vrid 8 virtual-ip 192.168.90.254 24 active
interface GigabitEthernet 1/0/2
vrrp vrid 12 virtual-ip 100.1.1.254 24 active
interface GigabitEthernet 1/0/0
vrrp vrid 16 virtual-ip 192.168.99.254 24 active
quit

# Hot standby (dual-device HA)
# Note: FW3 and FW2 use different subnets on their VRRP interfaces, so none of the groups
# above shares a virtual gateway with a group on FW2; in a real active/standby pair both
# members sit on the same subnets and configure the same virtual-ip.
firewall zone name ha
set priority 99
add interface GigabitEthernet 1/0/0
firewall zone trust
add interface GigabitEthernet 1/0/3
add interface GigabitEthernet 1/0/4
firewall zone untrust
add interface GigabitEthernet 1/0/2
firewall zone dmz
add interface GigabitEthernet 1/0/1
quit

# Firewall hot-standby (HRP) configuration
hrp interface GigabitEthernet 1/0/0 remote 192.168.99.2
hrp enable

# Firewall security policy
FW3
security-policy
rule name UtoD
source-zone untrust
destination-zone dmz
action permit
rule name TtoD
source-zone trust
destination-zone dmz
action permit
rule name DtoT
source-zone dmz
destination-zone trust
action permit
rule name TtoU
source-zone trust
destination-zone untrust
action permit
# UtoT permits any traffic from untrust into trust, which contradicts requirement (3)
# ("the external network cannot reach the internal network"). The firewall is stateful:
# replies to sessions opened from trust are matched by the session table and do not
# need this rule. Remove it, or restrict it to specific services and addresses.
rule name UtoT
source-zone untrust
destination-zone trust
action permit
quit
# management interface, as on FW2
interface GigabitEthernet 0/0/0
service-manage all permit
quit

OSPF configuration
ospf 1 router-id 13.13.13.13
default-route-advertise
area 0
network 192.168.102.0 0.0.0.255
network 192.168.103.0 0.0.0.255
network 192.168.99.0 0.0.0.255
network 192.168.90.0 0.0.0.255
# AR4 advertises 100.1.1.0/24 in area 0 (and FW2 puts its AR4 link in area 0 too);
# placing it in a different area here would leave FW3 and AR4 without an adjacency
network 100.1.1.0 0.0.0.255

FW2
# VRRP groups: g1/0/2 and g1/0/3 face trust, g1/0/1 faces untrust, g1/0/4 faces the dmz
interface GigabitEthernet 1/0/2
vrrp vrid 1 virtual-ip 192.168.104.254 24 standby
interface GigabitEthernet 1/0/3
vrrp vrid 4 virtual-ip 192.168.105.254 24 standby
interface GigabitEthernet 1/0/1
vrrp vrid 8 virtual-ip 100.1.10.254 24 standby
interface GigabitEthernet 1/0/4
vrrp vrid 12 virtual-ip 192.168.106.254 24 standby
quit

firewall zone name ha
set priority 99
add interface GigabitEthernet 1/0/0
firewall zone trust
add interface GigabitEthernet 1/0/2
add interface GigabitEthernet 1/0/3
firewall zone untrust
add interface GigabitEthernet 1/0/1
firewall zone dmz
add interface GigabitEthernet 1/0/4
quit

# Firewall hot-standby (HRP) configuration
hrp interface GigabitEthernet 1/0/0 remote 192.168.99.1
hrp enable
hrp standby-device

OSPF configuration:
ospf 1 router-id 12.12.12.12
default-route-advertise
area 0
network 192.168.105.0 0.0.0.255
network 192.168.104.0 0.0.0.255
network 192.168.99.0 0.0.0.255
network 192.168.106.0 0.0.0.255
network 100.1.10.0 0.0.0.255
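Every OSPF-speaking device in this lab is configured by hand, and a link whose two ends are placed in different areas (the kind of mistake that leaves two neighbours stuck without an adjacency) is easy to overlook. The following added Python check, which is not part of the lab, reads device configs in the page's "area / network" layout and reports any subnet declared in different areas by different devices; the sample input is constructed, with FW3's link to AR4 deliberately put in area 2 while AR4 has it in area 0.

```python
# Added example: check that every OSPF link subnet is declared in the same
# area on each device that advertises it. The input mirrors the page's
# "area / network" layout; the sample is constructed (FW3 in area 2, AR4 in 0).
import re
from collections import defaultdict

SAMPLE = """
device: AR4
area 0
network 100.1.1.0 0.0.0.255
network 100.1.10.0 0.0.0.255
device: FW3
area 0.0.0.0
network 192.168.90.0 0.0.0.255
area 2
network 100.1.1.0 0.0.0.255
device: FW2
area 0
network 100.1.10.0 0.0.0.255
"""

AREA_RE = re.compile(r"^area\s+(\S+)$")
NET_RE = re.compile(r"^network\s+(\S+)\s+(\S+)$")

def normalize_area(area: str) -> int:
    # "area 0" and "area 0.0.0.0" name the same area: compare as one integer.
    octets = area.split(".")
    if len(octets) == 4:
        return int.from_bytes(bytes(int(o) for o in octets), "big")
    return int(area)

def parse_areas(text: str) -> dict:
    # Returns {"<network> <wildcard>": {device: area}} for every network line.
    result = defaultdict(dict)
    device, area = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("device:"):
            device, area = line.split(":", 1)[1].strip(), None
        elif (m := AREA_RE.match(line)):
            area = normalize_area(m.group(1))
        elif (m := NET_RE.match(line)) and device and area is not None:
            result[f"{m.group(1)} {m.group(2)}"][device] = area
    return dict(result)

def area_mismatches(text: str) -> dict:
    # Two devices that put the same link in different areas never form an adjacency.
    return {net: devs for net, devs in parse_areas(text).items()
            if len(set(devs.values())) > 1}
```

`area_mismatches(SAMPLE)` returns only the 100.1.1.0/24 link with AR4 in area 0 and FW3 in area 2; the 100.1.10.0/24 link, declared in area 0 on both AR4 and FW2, is not reported.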

2.11 Firewall NAT configuration

Source address translation:

FW3
nat address-group 4
mode pat
section 100.1.1.20 100.1.1.30
quit
nat-policy
rule name TtoU
source-zone trust
destination-zone untrust
source-address 192.168.10.0 24
source-address 192.168.20.0 24
source-address 192.168.30.0 24
source-address 192.168.40.0 24
action source-nat address-group 4
# UtoT applies source NAT to traffic entering from untrust towards trust; together with
# the UtoT security-policy rule it opens the internal network from outside, which
# requirement (3) forbids. Outbound access from the departments needs only TtoU above.
rule name UtoT
source-zone untrust
destination-zone trust
action source-nat address-group 4
quit

Destination address translation:

nat server zone dmz protocol tcp global 100.1.1.5 80 inside 192.168.80.10 80
nat server zone dmz protocol tcp global 100.1.1.4 80 inside 192.168.80.20 80
security-policy
rule name tohttp
source-zone untrust
destination-zone dmz
# adding "service http" here would limit the published servers to port 80 only
action permit
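The FW3 policy above is small enough to read by eye, but the same requirement-(3) check ("no rule may let untrust reach trust") is worth automating before the rule set grows. Here is an added Python audit, not part of the lab, that parses rules written in the page's security-policy layout and reports permit rules from untrust into trust as well as permit rules that carry no service filter at all; the sample rule set is constructed from the page's rules, with a "service http" line added to tohttp to show what a restricted rule looks like.

```python
# Added example: audit security-policy rules in the page's CLI layout against
# requirement (3). Constructed sample: the page's UtoD, UtoT and tohttp rules,
# with "service http" added to tohttp to show a service-restricted rule.
from dataclasses import dataclass, field

SAMPLE_POLICY = """
security-policy
rule name UtoD
source-zone untrust
destination-zone dmz
action permit
rule name UtoT
source-zone untrust
destination-zone trust
action permit
rule name tohttp
source-zone untrust
destination-zone dmz
service http
action permit
"""

@dataclass
class Rule:
    name: str
    src_zone: str = "any"
    dst_zone: str = "any"
    action: str = "permit"
    services: list = field(default_factory=list)  # empty list = any service

FIELDS = {"source-zone": "src_zone", "destination-zone": "dst_zone", "action": "action"}

def parse_rules(text: str) -> list:
    rules = []
    for raw in text.splitlines():
        p = raw.split()
        if p[:2] == ["rule", "name"]:
            rules.append(Rule(p[2]))
        elif rules and len(p) == 2 and p[0] in FIELDS:
            setattr(rules[-1], FIELDS[p[0]], p[1])
        elif rules and len(p) == 2 and p[0] == "service":
            rules[-1].services.append(p[1])
    return rules

def inbound_to_trust(rules: list) -> list:
    # Requirement (3): no permit rule may match untrust -> trust ("any" matches too).
    return [r.name for r in rules if r.action == "permit" and r.src_zone in ("untrust", "any") and r.dst_zone in ("trust", "any")]

def unrestricted_permits(rules: list) -> list:
    # Zone-to-zone "allow everything" rules: permit with no service filter.
    return [r.name for r in rules if r.action == "permit" and not r.services]
```

On the sample, `inbound_to_trust` flags UtoT and `unrestricted_permits` flags UtoD and UtoT, while tohttp passes both checks because it is confined to the dmz and to http.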

3. Project testing

3.1 Network connectivity tests

(1) Connectivity between the departments: PC1 pings PC2, PC4, PC6 and PC8;

(2) The data centre cannot reach the external network;

(3) VRRP master/backup switchover;

(4) DHCP dynamic address assignment;

(5) Firewall active/standby switchover;

(6) NAT source address translation: when the departments access the external network they leave through the translated address; capture packets to confirm that the translation took place;

(7) NAT destination address translation: tested over HTTP.


http://www.kler.cn/a/500923.html
