Classic Campus Network Architecture Planning and Deployment (Part 3) - Detailed Walkthrough
Global Topology

Service Address Configuration
Configure the gateways of the service subnets and the AP management subnet on the core switch
[CORE]interface Vlanif 1610
[CORE-Vlanif1610]ip address 172.16.10.1 23
[CORE]interface Vlanif 1620
[CORE-Vlanif1620]ip address 172.16.20.1 24
[CORE]interface Vlanif 1650
[CORE-Vlanif1650]ip address 172.16.50.1 24
[CORE]interface Vlanif 1660
[CORE-Vlanif1660]ip address 172.16.60.1 23
[CORE]interface Vlanif 162
[CORE-Vlanif162]ip address 172.16.2.1 24
LLDP
LLDP (Link Layer Discovery Protocol) shows which device and port sit at the far end of each physical interface. It only works when both ends have the protocol enabled and can parse each other's advertisements.
Configuration
# Enable on every AC, switch and firewall
[CORE]lldp enable
Verification
display lldp neighbor brief
Local Intf    Neighbor Dev    Neighbor Intf    Exptime
GE0/0/1       FW-1            GE1/0/0          101
GE0/0/3       AGG-1           GE0/0/23         118
GE0/0/4       AGG-1           GE0/0/24         118
GE0/0/5       AGG-2           GE0/0/23         101
GE0/0/6       AGG-2           GE0/0/24         101
Downstream Interface Configuration
Configure the access-switch ports that face hosts according to the plan; the ports that face APs are covered later in the wireless section
[ACC-1]interface GigabitEthernet 0/0/2
[ACC-1-GigabitEthernet0/0/2]port link-type access
[ACC-1-GigabitEthernet0/0/2]port default vlan 1610
[ACC-2]interface GigabitEthernet 0/0/2
[ACC-2-GigabitEthernet0/0/2]port link-type access
[ACC-2-GigabitEthernet0/0/2]port default vlan 1610
[ACC-3]interface GigabitEthernet 0/0/2
[ACC-3-GigabitEthernet0/0/2]port link-type access
[ACC-3-GigabitEthernet0/0/2]port default vlan 1620
[ACC-4]interface GigabitEthernet 0/0/2
[ACC-4-GigabitEthernet0/0/2]port link-type access
[ACC-4-GigabitEthernet0/0/2]port default vlan 1620
DHCP
The core switch acts as the DHCP server
Both service addresses and AP management addresses are obtained via DHCP. The IP each AP receives is bound to its MAC so that the APs can be told apart
| AP | MAC | IP |
|---|---|---|
| AP-1 | 00e0-fc04-0e80 | 172.16.2.101 |
| AP-2 | 00e0-fc0d-4170 | 172.16.2.102 |
| AP-3 | 00e0-fc74-6a10 | 172.16.2.201 |
| AP-4 | 00e0-fc22-2520 | 172.16.2.202 |
Create the DHCP address pools
[CORE]ip pool vlan1610
[CORE-ip-pool-vlan1610]network 172.16.10.0 mask 23
[CORE-ip-pool-vlan1610]gateway-list 172.16.10.1
[CORE-ip-pool-vlan1610]dns-list 8.8.8.8
[CORE]ip pool vlan1620
[CORE-ip-pool-vlan1620]network 172.16.20.0 mask 24
[CORE-ip-pool-vlan1620]gateway-list 172.16.20.1
[CORE-ip-pool-vlan1620]dns-list 8.8.8.8
[CORE]ip pool vlan1650
[CORE-ip-pool-vlan1650]network 172.16.50.0 mask 24
[CORE-ip-pool-vlan1650]gateway-list 172.16.50.1
[CORE-ip-pool-vlan1650]dns-list 8.8.8.8
[CORE]ip pool vlan1660
[CORE-ip-pool-vlan1660]network 172.16.60.0 mask 23
[CORE-ip-pool-vlan1660]gateway-list 172.16.60.1
[CORE-ip-pool-vlan1660]dns-list 8.8.8.8
[CORE]ip pool vlan162
[CORE-ip-pool-vlan162]network 172.16.2.0 mask 24
[CORE-ip-pool-vlan162]gateway-list 172.16.2.1
[CORE-ip-pool-vlan162]dns-list 8.8.8.8
[CORE-ip-pool-vlan162]static-bind ip-address 172.16.2.101 mac-address 00e0-fc04-0e80
[CORE-ip-pool-vlan162]static-bind ip-address 172.16.2.102 mac-address 00e0-fc0d-4170
[CORE-ip-pool-vlan162]static-bind ip-address 172.16.2.201 mac-address 00e0-fc74-6a10
[CORE-ip-pool-vlan162]static-bind ip-address 172.16.2.202 mac-address 00e0-fc22-2520
Enable DHCP
[CORE]dhcp enable
[CORE]interface Vlanif 1610
[CORE-Vlanif1610]dhcp select global
[CORE]interface Vlanif 1620
[CORE-Vlanif1620]dhcp select global
[CORE]interface Vlanif 1650
[CORE-Vlanif1650]dhcp select global
[CORE]interface Vlanif 1660
[CORE-Vlanif1660]dhcp select global
[CORE]interface Vlanif 162
[CORE-Vlanif162]dhcp select global
Configure DHCP protection
Configure the upstream-facing interface of each aggregation/access switch as DHCP trusted
# All switches
[SW]dhcp enable
[SW]dhcp snooping enable
# On the aggregation/access switches, set the upstream interface (the port facing the core) to trusted; per the plan this is Eth-Trunk 1 on every switch
[AGG-1]interface Eth-Trunk 1
[AGG-1-Eth-Trunk1]dhcp snooping trusted
With snooping on, DHCP server messages (OFFER/ACK/NAK) that arrive on any port not marked trusted are dropped, which is what stops a rogue DHCP server on an access port from handing out a forged gateway or DNS server. Note that on Huawei S-series switches the global dhcp snooping enable only switches the feature on; it also has to be enabled in the user VLANs or on the user-facing interfaces for those ports to be inspected, so confirm the result with display dhcp snooping configuration after applying it.
Verification
Wired clients obtain addresses normally


AP address acquisition is covered in the wireless configuration section
Internet Configuration
Normally the Internet side needs no configuration from us: each public IP already has its own routing, and the intranet egress (the firewall) only needs to obtain a public address via PPPoE, DHCP or a similar method
Here we simplify and configure the public address directly on the WAN router
Because outbound traffic is SNATed, the router needs no routes at all; the same holds in a real network, where we do not care about the Internet's internal nodes
The WAN test host plays the role of another node on the Internet and is used for testing
WAN Router Configuration
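As an added example (not code from the original article), the following Python script checks the gateway and pool configuration above for the mistakes that are easy to make by hand: a gateway-list outside its pool's network, a static-bind address that is not a usable host address, a Vlanif whose mask does not match its pool (a /23 on one side and a /24 on the other), and overlapping gateway subnets. The config lines embedded in the script are copied from this page; the checks and the function names are my own.

```python
"""Sanity-check the core's Vlanif gateways against its DHCP pools (added example)."""
import ipaddress
import re

# Copied from this page: the address lines of the Vlanif gateways and DHCP pools.
CORE_CONFIG = """
[CORE-Vlanif1610]ip address 172.16.10.1 23
[CORE-Vlanif1620]ip address 172.16.20.1 24
[CORE-Vlanif1650]ip address 172.16.50.1 24
[CORE-Vlanif1660]ip address 172.16.60.1 23
[CORE-Vlanif162]ip address 172.16.2.1 24
[CORE-ip-pool-vlan1610]network 172.16.10.0 mask 23
[CORE-ip-pool-vlan1610]gateway-list 172.16.10.1
[CORE-ip-pool-vlan1620]network 172.16.20.0 mask 24
[CORE-ip-pool-vlan1620]gateway-list 172.16.20.1
[CORE-ip-pool-vlan1650]network 172.16.50.0 mask 24
[CORE-ip-pool-vlan1650]gateway-list 172.16.50.1
[CORE-ip-pool-vlan1660]network 172.16.60.0 mask 23
[CORE-ip-pool-vlan1660]gateway-list 172.16.60.1
[CORE-ip-pool-vlan162]network 172.16.2.0 mask 24
[CORE-ip-pool-vlan162]gateway-list 172.16.2.1
[CORE-ip-pool-vlan162]static-bind ip-address 172.16.2.101 mac-address 00e0-fc04-0e80
[CORE-ip-pool-vlan162]static-bind ip-address 172.16.2.102 mac-address 00e0-fc0d-4170
[CORE-ip-pool-vlan162]static-bind ip-address 172.16.2.201 mac-address 00e0-fc74-6a10
[CORE-ip-pool-vlan162]static-bind ip-address 172.16.2.202 mac-address 00e0-fc22-2520
"""

# The VRP prompt carries the context, so each line can be parsed on its own.
VLANIF_RE = re.compile(r"^\[CORE-(Vlanif\d+)\]ip address (\S+) (\d+)$")
POOL_NET_RE = re.compile(r"^\[CORE-ip-pool-(\S+)\]network (\S+) mask (\d+)$")
POOL_GW_RE = re.compile(r"^\[CORE-ip-pool-(\S+)\]gateway-list (\S+)$")
POOL_BIND_RE = re.compile(
    r"^\[CORE-ip-pool-(\S+)\]static-bind ip-address (\S+) mac-address (\S+)$")


def parse_core(config):
    """Return ({vlanif: ip_interface}, {pool: {"network", "gateway", "binds"}})."""
    gateways, pools = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = VLANIF_RE.match(line)
        if m:
            gateways[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
            continue
        m = POOL_NET_RE.match(line) or POOL_GW_RE.match(line) or POOL_BIND_RE.match(line)
        if not m:
            continue
        pool = pools.setdefault(m[1], {"network": None, "gateway": None, "binds": []})
        if m.re is POOL_NET_RE:
            pool["network"] = ipaddress.ip_network(f"{m[2]}/{m[3]}")
        elif m.re is POOL_GW_RE:
            pool["gateway"] = ipaddress.ip_address(m[2])
        else:
            pool["binds"].append((ipaddress.ip_address(m[2]), m[3].lower()))
    return gateways, pools


def check_plan(gateways, pools):
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = []
    for name, p in pools.items():
        net, gw = p["network"], p["gateway"]
        if net is None or gw is None:
            problems.append(f"{name}: pool lacks network or gateway-list")
            continue
        if gw not in net:
            problems.append(f"{name}: gateway {gw} is outside {net}")
        macs = set()
        for ip, mac in p["binds"]:
            # a binding on the gateway, network or broadcast address can never be handed out
            if ip not in net or ip in (gw, net.network_address, net.broadcast_address):
                problems.append(f"{name}: static-bind {ip} is not a usable host address in {net}")
            if mac in macs:
                problems.append(f"{name}: MAC {mac} bound twice")
            macs.add(mac)
    # every gateway interface must have a pool with the same network and gateway address
    by_net = {p["network"]: (n, p) for n, p in pools.items() if p["network"] is not None}
    for vlanif, itf in gateways.items():
        hit = by_net.get(itf.network)
        if hit is None:
            problems.append(f"{vlanif}: no pool covers {itf.network} (mask mismatch?)")
        elif hit[1]["gateway"] != itf.ip:
            problems.append(f"{vlanif}: pool {hit[0]} gateway-list {hit[1]['gateway']} != {itf.ip}")
    # the /23 segments must not swallow a neighbouring /24
    nets = [itf.network for itf in gateways.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"overlapping gateway subnets: {a} and {b}")
    return problems


if __name__ == "__main__":
    for problem in check_plan(*parse_core(CORE_CONFIG)) or ["plan is consistent"]:
        print(problem)
```

Run it against the page's config and it reports nothing; change the Vlanif1660 mask to 24 while leaving the pool at /23 and it flags the interface, which is exactly the case where the device would still accept both commands without complaint.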
# Facing the firewall
[WAN]interface GigabitEthernet 0/0/1
[WAN-GigabitEthernet0/0/1]ip address 200.1.1.1 30
# Facing the WAN test host, simulating other network nodes
[WAN]interface GigabitEthernet 0/0/0
[WAN-GigabitEthernet0/0/0]ip address 200.200.1.1 30
WAN Test Host Configuration

Firewall Address/Zone Configuration
Configuration
# To ease testing, enable ping on every interface we use
# Facing the DMZ (i.e., the servers); the gateway lives on the firewall and the zone is dmz
[FW-1]interface GigabitEthernet 1/0/1
[FW-1-GigabitEthernet1/0/1]ip address 172.17.10.1 24
[FW-1-GigabitEthernet1/0/1]service-manage ping permit
[FW-1]firewall zone dmz
[FW-1-zone-dmz]add interface GigabitEthernet 1/0/1
# Facing the Internet
[FW-1]interface GigabitEthernet 1/0/6
[FW-1-GigabitEthernet1/0/6]ip address 200.1.1.2 30
[FW-1-GigabitEthernet1/0/6]service-manage ping permit
[FW-1]firewall zone untrust
[FW-1-zone-untrust]add interface GigabitEthernet 1/0/6
# The interface facing the intranet was configured in the previous article and is not repeated here
Note: if a firewall interface is run in Layer 2 mode (i.e., a Vlanif is created and the interface bound to it), only the Vlanif needs to be added to the zone; the corresponding physical port does not.
Permitting ping through service-manage on the untrust interface is a lab convenience; on a production Internet-facing interface leave management services disabled.
Routing Configuration
Static Routes
Static routes are used between the core switch and the firewall: the core points its default route at the firewall, and the firewall points the intranet address range back at the core. This gives the intranet a path to the Internet.
Firewall
# All intranet addresses fall within 172.16.0.0/16, so point the whole /16 back at the core
# More specific subnets could be listed instead
[FW-1]ip route-static 172.16.0.0 16 1.1.1.1
# Default route toward the WAN router
[FW-1]ip route-static 0.0.0.0 0 200.1.1.1
Core Switch
# Default route toward the firewall
[CORE]ip route-static 0.0.0.0 0 1.1.1.2
Dynamic Routing
OSPF is deployed on the intranet switches, mainly so that the loopback addresses of the switches and ACs are mutually reachable; later, when connecting to external networks, routes can be announced to other nodes by advertising or importing them.
Only the core and aggregation configurations are shown here; the other switches and ACs can follow the aggregation example.
Core
[CORE]ospf 1 router-id 172.16.3.1
[CORE-ospf-1]area 0
[CORE-ospf-1-area-0.0.0.0]network 172.16.1.1 0.0.0.0
[CORE-ospf-1-area-0.0.0.0]network 172.16.3.1 0.0.0.0
# Advertise the default route into OSPF here so the other OSPF neighbors learn a default route pointing at CORE
# The always parameter is recommended. With always, the default route is advertised whether or not the core currently holds an active default route of its own (its static default toward the firewall drops out of the routing table if the next hop becomes unreachable); without always it is advertised only while such a route is present
[CORE-ospf-1]default-route-advertise always
The trade-off of always is that the core keeps attracting every neighbor's default traffic even when its uplink to the firewall is down, so the downstream switches cannot tell that the exit has failed.
Aggregation
[AGG-1]ospf 1 router-id 172.16.3.2
[AGG-1-ospf-1]area 0
[AGG-1-ospf-1-area-0.0.0.0]network 172.16.3.2 0.0.0.0
[AGG-1-ospf-1-area-0.0.0.0]network 172.16.1.2 0.0.0.0
Verification
# The core and AGG-1 should now have an OSPF adjacency, and AGG-1 should learn a default route pointing at CORE
[AGG-1]display ospf peer

	 OSPF Process 1 with Router ID 172.16.3.2
		 Neighbors

 Area 0.0.0.0 interface 172.16.1.2(Vlanif161)'s neighbors
 Router ID: 172.16.3.1        Address: 172.16.1.1
   State: Full  Mode:Nbr is Slave  Priority: 1
   DR: 172.16.1.1  BDR: 172.16.1.2  MTU: 0
   Dead timer due in 40  sec
   Retrans timer interval: 5
   Neighbor is up for 00:01:06
   Authentication Sequence: [ 0 ]

[AGG-1]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   O_ASE   150  1           D   172.16.1.1      Vlanif161
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
     172.16.1.0/24  Direct  0    0           D   172.16.1.2      Vlanif161
     172.16.1.2/32  Direct  0    0           D   127.0.0.1       Vlanif161
     172.16.3.1/32  OSPF    10   1           D   172.16.1.1      Vlanif161
     172.16.3.2/32  Direct  0    0           D   127.0.0.1       LoopBack0

# Once every node is configured, the core should have 7 neighbors
[CORE]display ospf peer brief

	 OSPF Process 1 with Router ID 172.16.3.1
		  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          Vlanif161                        172.16.3.2       Full
 0.0.0.0          Vlanif161                        172.16.3.3       Full
 0.0.0.0          Vlanif161                        172.16.3.11      Full
 0.0.0.0          Vlanif161                        172.16.3.12      Full
 0.0.0.0          Vlanif161                        172.16.3.13      Full
 0.0.0.0          Vlanif161                        172.16.3.14      Full
 0.0.0.0          Vlanif161                        172.16.3.31      Full
 ----------------------------------------------------------------------------
The Authentication Sequence: [ 0 ] line, together with the absence of any authentication-mode in the OSPF configuration above, shows that these adjacencies are unauthenticated: any device that can reach VLAN 161 and speak OSPF can become a neighbor and advertise routes, including a competing default route. The peer list on the core is therefore worth comparing against the planned router IDs rather than merely counted.
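As an added example (not part of the original article), the script below turns the two verification outputs on this page, display lldp neighbor brief from the LLDP section and display ospf peer brief above, into a check against the planned topology instead of an eyeball count: a core port whose LLDP neighbor is missing, moved, or not in the plan, and an OSPF neighbor that is not Full or whose router ID is not one of the planned loopbacks. The two outputs are embedded as copied from the page; EXPECTED_LLDP and EXPECTED_OSPF are assumptions that stand in for the cabling plan and the router-id plan.

```python
"""Audit the core's LLDP neighbors and OSPF peers against the plan (added example)."""
import re

# Copied from this page: display lldp neighbor brief on the core.
LLDP_BRIEF = """\
Local Intf    Neighbor Dev    Neighbor Intf    Exptime
GE0/0/1       FW-1            GE1/0/0          101
GE0/0/3       AGG-1           GE0/0/23         118
GE0/0/4       AGG-1           GE0/0/24         118
GE0/0/5       AGG-2           GE0/0/23         101
GE0/0/6       AGG-2           GE0/0/24         101
"""

# Copied from this page: display ospf peer brief on the core.
OSPF_PEER_BRIEF = """\
 OSPF Process 1 with Router ID 172.16.3.1
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          Vlanif161                        172.16.3.2       Full
 0.0.0.0          Vlanif161                        172.16.3.3       Full
 0.0.0.0          Vlanif161                        172.16.3.11      Full
 0.0.0.0          Vlanif161                        172.16.3.12      Full
 0.0.0.0          Vlanif161                        172.16.3.13      Full
 0.0.0.0          Vlanif161                        172.16.3.14      Full
 0.0.0.0          Vlanif161                        172.16.3.31      Full
 ----------------------------------------------------------------------------
"""

# Assumed plan: which device/port must sit on each core port, and which
# router IDs are allowed to be OSPF neighbors on Vlanif161.
EXPECTED_LLDP = {
    "GE0/0/1": ("FW-1", "GE1/0/0"),
    "GE0/0/3": ("AGG-1", "GE0/0/23"),
    "GE0/0/4": ("AGG-1", "GE0/0/24"),
    "GE0/0/5": ("AGG-2", "GE0/0/23"),
    "GE0/0/6": ("AGG-2", "GE0/0/24"),
}
EXPECTED_OSPF = {"172.16.3.2", "172.16.3.3", "172.16.3.11", "172.16.3.12",
                 "172.16.3.13", "172.16.3.14", "172.16.3.31"}

# A data row has exactly four columns; the header row has more tokens, and
# its last column is not a number, so neither pattern matches it.
LLDP_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
OSPF_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")


def parse_lldp_brief(text):
    """Return {local port: (neighbor device, neighbor port)}."""
    seen = {}
    for line in text.splitlines():
        m = LLDP_ROW.match(line)
        if m:
            seen[m[1]] = (m[2], m[3])
    return seen


def parse_ospf_peer_brief(text):
    """Return {neighbor router id: (area, interface, state)}."""
    peers = {}
    for line in text.splitlines():
        m = OSPF_ROW.match(line)
        if m:
            peers[m[3]] = (m[1], m[2], m[4])
    return peers


def audit_lldp(seen, expected):
    """Return (ports with an unplanned neighbor, planned ports with no neighbor, ports whose neighbor moved)."""
    unexpected = sorted(p for p in seen if p not in expected)
    missing = sorted(p for p in expected if p not in seen)
    moved = sorted(p for p in seen if p in expected and seen[p] != expected[p])
    return unexpected, missing, moved


def audit_ospf(peers, expected):
    """Return (planned peers that are not Full, peers with an unplanned router id).

    The second list is the security-relevant one: the page's OSPF runs without
    authentication, so any host on VLAN 161 that reaches Full can inject routes.
    """
    not_full = sorted(rid for rid in expected if peers.get(rid, ("", "", ""))[2] != "Full")
    unplanned = sorted(rid for rid in peers if rid not in expected)
    return not_full, unplanned


if __name__ == "__main__":
    print("lldp (unexpected, missing, moved):", audit_lldp(parse_lldp_brief(LLDP_BRIEF), EXPECTED_LLDP))
    print("ospf (not full, unplanned):", audit_ospf(parse_ospf_peer_brief(OSPF_PEER_BRIEF), EXPECTED_OSPF))
```

Both audits return empty lists for the outputs on this page. Paste in a fresh capture after a cabling change or an unexpected adjacency and the offending port or router ID is named directly, which is faster and less error-prone than counting seven Full lines.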
Summary
This chapter completed:
Routing between intranet segments and from the intranet to the outside
DHCP for wired clients
Access-switch port configuration for wired clients
The next chapter will cover:
Intranet access to the WAN test host (firewall SNAT and security policy)
WWW service configuration on the server
WAN test host access to the intranet server (firewall DNAT and security policy)