综合网络拓扑实验

1. 网络拓扑

aaa

2. 网络规划

2.1. VLAN 网络划分

VLAN 网络名称 子网 网关 广播地址 可用地址总数
10 Office 172.16.16.0/20 172.16.16.1 172.16.31.255 4096
20 Video 172.16.32.0/20 172.16.32.1 172.16.47.255 4096
30 Server 172.16.0.0/20 172.16.0.1 172.16.15.255 4096
970 AP 管理地址 10.97.0.0/24 10.97.0.1 10.97.0.255 254
980 Office 接入交换机地址 10.98.0.0/24 10.98.0.1 10.98.0.255 254
981 Video 接入交换机地址 10.98.1.0/24 10.98.1.1 10.98.1.255 254
982 DMZ 接入交换机地址 10.98.2.0/24 10.98.2.1 10.98.2.255 254

2.2. 管理网络划分

设备类型 设备名称 管理地址 接口 OSPF 区域
防火墙 FW 10.99.0.1/32 Loopback 0 Area 0
核心交换机 CORE-SW 10.99.0.2/32 Loopback 0 Area 0
AC 控制器 AC 10.99.0.5/32 Loopback 0 Area 1
汇聚交换机 OFFICE-AGG-SW 10.99.0.3/32、10.98.0.1/24 Loopback 0、Vlanif 980 Area 0、Area 2
汇聚交换机 VIDEO-AGG-SW 10.99.0.4/32、10.98.1.1/24 Loopback 0、Vlanif 981 Area 0、Area 3
汇聚交换机 DMZ-AGG-SW 10.99.0.6/32、10.98.2.1/24 Loopback 0、Vlanif 982 Area 0、Area 4
接入交换机 AP-ACC-SW 10.98.0.2/24 Vlanif 980 Area 2
接入交换机 OFFICE-ACC-SW 10.98.0.3/24 Vlanif 980 Area 2
接入交换机 VIDEO-ACC-SW 10.98.1.2/24 Vlanif 981 Area 3
接入交换机 DMZ-ACC-SW 10.98.2.2/24 Vlanif 982 Area 4

3. 配置步骤

3.1. 接入交换机配置

3.1.1. AP-ACC-SW

# AP-ACC-SW: access switch serving the wireless APs; managed via
# Vlanif 980 (10.98.0.2/24) inside OSPF stub area 2.
sysname AP-ACC-SW

vlan batch 10 970 980

# Management SVI; its address doubles as the OSPF router-id below.
interface Vlanif 980
    ip address 10.98.0.2 24

# AP-facing port. PVID 970 puts an untagged AP into the AP management VLAN
# (DHCP is relayed from Vlanif 970 on OFFICE-AGG-SW to the AC); VLAN 10 is
# passed tagged for the office SSID, which the AP bridges locally
# (direct-forward, see the AC config in 3.4).
interface GigabitEthernet 0/0/1
    port link-type trunk
    port trunk allow-pass vlan 10 970
    port trunk pvid vlan 970

# Uplink towards OFFICE-AGG-SW (its GE0/0/1 carries the same VLAN set).
# VLAN 1 stays allowed by default on a VRP trunk; prune it with
# `undo port trunk allow-pass vlan 1` if it is unused.
interface GigabitEthernet 0/0/24
    port link-type trunk
    port trunk allow-pass vlan 10 970 980

# Stub area 2: the ABR (OFFICE-AGG-SW, `stub no-summary`) hands this switch
# a default route only. Only the management subnet is advertised. No OSPF
# authentication is configured anywhere in this lab.
ospf 1 router-id 10.98.0.2
    area 0.0.0.2
        stub
        network 10.98.0.0 0.0.0.255

return

3.1.2. OFFICE-ACC-SW

# OFFICE-ACC-SW: wired office access switch; managed via Vlanif 980
# (10.98.0.3/24) inside OSPF stub area 2.
sysname OFFICE-ACC-SW

vlan batch 10 980

# Management SVI; its address doubles as the OSPF router-id below.
interface Vlanif 980
    ip address 10.98.0.3 24

# End-host ports in the Office VLAN (172.16.16.0/20, DHCP served by
# OFFICE-AGG-SW). NOTE(review): no edge protection (port-security, DHCP
# snooping) is shown; add it before reusing this outside the lab.
interface GigabitEthernet 0/0/1
    port link-type access
    port default vlan 10

interface GigabitEthernet 0/0/2
    port link-type access
    port default vlan 10

# Uplink towards OFFICE-AGG-SW (its GE0/0/2 carries the same VLAN set).
interface GigabitEthernet 0/0/24
    port link-type trunk
    port trunk allow-pass vlan 10 980

# Stub area 2; only the management subnet is advertised.
ospf 1 router-id 10.98.0.3
    area 0.0.0.2
        stub
        network 10.98.0.0 0.0.0.255

return

3.1.3. VIDEO-ACC-SW

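# VIDEO-ACC-SW: access switch for the Video VLAN; managed via Vlanif 981
# (10.98.1.2/24) inside OSPF stub area 3.
sysname VIDEO-ACC-SW

vlan batch 20 981

# Management SVI; its address doubles as the OSPF router-id below.
interface Vlanif 981
    ip address 10.98.1.2 24

# End-host ports in the Video VLAN (172.16.32.0/20, DHCP served by
# VIDEO-AGG-SW). NOTE(review): no edge protection (port-security, DHCP
# snooping) is shown; add it before reusing this outside the lab.
interface GigabitEthernet 0/0/1
    port link-type access
    port default vlan 20

interface GigabitEthernet 0/0/2
    port link-type access
    port default vlan 20

# Uplink towards VIDEO-AGG-SW (its GE0/0/1 carries the same VLAN set).
interface GigabitEthernet 0/0/24
    port link-type trunk
    port trunk allow-pass vlan 20 981

# Stub area 3; only the management subnet is advertised.
ospf 1 router-id 10.98.1.2
    area 0.0.0.3
        stub
        network 10.98.1.0 0.0.0.255

# Close the configuration like the other device listings (3.1.1, 3.1.2),
# so a pasted config returns to user view.
return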

3.1.4. DMZ-ACC-SW

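# DMZ-ACC-SW: access switch for the Server (DMZ) VLAN; managed via
# Vlanif 982 (10.98.2.2/24) inside OSPF stub area 4.
sysname DMZ-ACC-SW

vlan batch 30 982

# Management SVI; its address doubles as the OSPF router-id below.
interface Vlanif 982
    ip address 10.98.2.2 24

# Server port in the Server VLAN (172.16.0.0/20). No DHCP is configured for
# this VLAN on the page, so hosts here are presumably addressed statically.
interface GigabitEthernet 0/0/1
    port link-type access
    port default vlan 30

# Uplink towards DMZ-AGG-SW (its GE0/0/1 carries the same VLAN set).
interface GigabitEthernet 0/0/24
    port link-type trunk
    port trunk allow-pass vlan 30 982

# Stub area 4; only the management subnet is advertised.
ospf 1 router-id 10.98.2.2
    area 0.0.0.4
        stub
        network 10.98.2.0 0.0.0.255

# Close the configuration like the other device listings (3.1.1, 3.1.2),
# so a pasted config returns to user view.
return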

3.2. 汇聚交换机配置

3.2.1. OFFICE-AGG-SW

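# OFFICE-AGG-SW: aggregation switch for the Office and AP VLANs; ABR between
# area 0 (uplink to CORE-SW) and stub area 2 (the access switches).
sysname OFFICE-AGG-SW

vlan batch 10 970 980 1024

dhcp enable

# Office user VLAN gateway; DHCP is served from the interface subnet.
interface Vlanif 10
    ip address 172.16.16.1 20
    dhcp select interface
    dhcp server dns-list 223.5.5.5
    ospf network-type p2p

# AP management VLAN gateway; DHCP is relayed to the AC (192.168.0.5), whose
# pool carries option 43 pointing the APs back at the AC.
interface Vlanif 970
    ip address 10.97.0.1 24
    dhcp select relay
    dhcp relay server-ip 192.168.0.5

# Management VLAN towards the access switches (stub area 2).
interface Vlanif 980
    ip address 10.98.0.1 24

# /31 point-to-point link to CORE-SW Vlanif 1001 (192.168.0.6).
interface Vlanif 1024
    ip address 192.168.0.7 31
    ospf network-type p2p

# Downlink carrying the AP-ACC-SW VLAN set (10, 970, 980).
interface GigabitEthernet0/0/1
    port link-type trunk
    port trunk allow-pass vlan 10 970 980

# Downlink carrying the OFFICE-ACC-SW VLAN set (10, 980).
interface GigabitEthernet0/0/2
    port link-type trunk
    port trunk allow-pass vlan 10 980

# Uplink to CORE-SW; the /31 link rides in VLAN 1024 as an access port.
interface GigabitEthernet0/0/24
    port link-type access
    port default vlan 1024

interface LoopBack0
    ip address 10.99.0.3 32

ospf 1 router-id 10.99.0.3
# Vlanif 10 and Vlanif 970 face end hosts and APs. Their subnets are still
# advertised, but no hellos are sent and no neighbours are accepted there,
# so a device on those VLANs cannot become an OSPF peer of this switch.
    silent-interface Vlanif 10
    silent-interface Vlanif 970
    area 0.0.0.0
        network 10.99.0.3 0.0.0.0
        network 172.16.16.0 0.0.15.255
        network 192.168.0.6 0.0.0.1
        network 10.97.0.0 0.0.0.255
# Totally stubby area: the access switches receive only a default route.
    area 0.0.0.2
        stub no-summary
        network 10.98.0.0 0.0.0.255

return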

3.2.2. VIDEO-AGG-SW

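# VIDEO-AGG-SW: aggregation switch for the Video VLAN; ABR between area 0
# (uplink to CORE-SW) and stub area 3 (VIDEO-ACC-SW).
sysname VIDEO-AGG-SW

vlan batch 20 981 1024

dhcp enable

# Video user VLAN gateway; DHCP is served from the interface subnet.
interface Vlanif 20
    ip address 172.16.32.1 20
    dhcp select interface
    dhcp server dns-list 223.5.5.5
    ospf network-type p2p

# Management VLAN towards the access switch (stub area 3).
interface Vlanif 981
    ip address 10.98.1.1 24

# /31 point-to-point link to CORE-SW Vlanif 1002 (192.168.0.8).
interface Vlanif 1024
    ip address 192.168.0.9 31
    ospf network-type p2p

# Downlink carrying the VIDEO-ACC-SW VLAN set (20, 981).
interface GigabitEthernet0/0/1
    port link-type trunk
    port trunk allow-pass vlan 20 981

# Uplink to CORE-SW; the /31 link rides in VLAN 1024 as an access port.
interface GigabitEthernet0/0/24
    port link-type access
    port default vlan 1024

interface LoopBack0
    ip address 10.99.0.4 32

ospf 1 router-id 10.99.0.4
# Vlanif 20 faces end hosts. Its subnet is still advertised, but no hellos
# are sent and no neighbours are accepted there, so a device on the Video
# VLAN cannot become an OSPF peer of this switch.
    silent-interface Vlanif 20
    area 0.0.0.0
        network 10.99.0.4 0.0.0.0
        network 172.16.32.0 0.0.15.255
        network 192.168.0.8 0.0.0.1
# Totally stubby area: the access switch receives only a default route.
    area 0.0.0.3
        stub no-summary
        network 10.98.1.0 0.0.0.255

return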

3.2.3. DMZ-AGG-SW

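# DMZ-AGG-SW: aggregation switch for the Server (DMZ) VLAN; ABR between
# area 0 (uplink to FW GE1/0/1) and stub area 4 (DMZ-ACC-SW). It has no
# link to CORE-SW, so all DMZ traffic passes through the firewall.
sysname DMZ-AGG-SW

vlan batch 30 982 1024

# Server VLAN gateway. No DHCP here, unlike the Office/Video aggregation
# switches; servers are presumably addressed statically.
interface Vlanif 30
    ip address 172.16.0.1 20
    ospf network-type p2p

# Management VLAN towards the access switch (stub area 4).
interface Vlanif 982
    ip address 10.98.2.1 24

# /31 point-to-point link to FW GigabitEthernet 1/0/1 (192.168.0.2).
interface Vlanif 1024
    ip address 192.168.0.3 31
    ospf network-type p2p

# Downlink carrying the DMZ-ACC-SW VLAN set (30, 982).
interface GigabitEthernet0/0/1
    port link-type trunk
    port trunk allow-pass vlan 30 982

# Uplink to the firewall; the /31 link rides in VLAN 1024 as an access port.
interface GigabitEthernet0/0/24
    port link-type access
    port default vlan 1024

interface LoopBack0
    ip address 10.99.0.6 32

ospf 1 router-id 10.99.0.6
# Vlanif 30 faces the servers. Its subnet is still advertised, but no hellos
# are sent and no neighbours are accepted there, so a host in the DMZ cannot
# become an OSPF peer of this switch.
    silent-interface Vlanif 30
    area 0.0.0.0
        network 10.99.0.6 0.0.0.0
        network 172.16.0.0 0.0.15.255
        network 192.168.0.2 0.0.0.1
# Totally stubby area: the access switch receives only a default route.
    area 0.0.0.4
        stub no-summary
        network 10.98.2.0 0.0.0.255

return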

3.3. 核心交换机配置

3.3.1. CORE-SW

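# CORE-SW: backbone router of area 0. Each neighbour hangs off its own /31
# in a dedicated VLAN: 1001 -> OFFICE-AGG-SW, 1002 -> VIDEO-AGG-SW,
# 1023 -> AC (stub area 1), 1024 -> FW. The DMZ is reached only via the FW.
sysname CORE-SW

vlan batch 1001 to 1002 1023 to 1024

# To OFFICE-AGG-SW Vlanif 1024 (192.168.0.7).
interface Vlanif 1001
    ip address 192.168.0.6 31
    ospf network-type p2p

# To VIDEO-AGG-SW Vlanif 1024 (192.168.0.9).
interface Vlanif 1002
    ip address 192.168.0.8 31
    ospf network-type p2p

# To AC Vlanif 1024 (192.168.0.5).
interface Vlanif 1023
    ip address 192.168.0.4 31
    ospf network-type p2p

# To FW GigabitEthernet 1/0/0 (192.168.0.0).
interface Vlanif 1024
    ip address 192.168.0.1 31
    ospf network-type p2p

interface GigabitEthernet0/0/1
    port link-type access
    port default vlan 1001

interface GigabitEthernet0/0/2
    port link-type access
    port default vlan 1002

interface GigabitEthernet0/0/23
    port link-type access
    port default vlan 1023

interface GigabitEthernet0/0/24
    port link-type access
    port default vlan 1024

interface LoopBack0
    ip address 10.99.0.2 32

ospf 1 router-id 10.99.0.2
    area 0.0.0.0
        network 10.99.0.2 0.0.0.0
        network 192.168.0.0 0.0.0.1
        network 192.168.0.6 0.0.0.1
        network 192.168.0.8 0.0.0.1
# Totally stubby area towards the AC; the AC sees only a default route.
    area 0.0.0.1
        network 192.168.0.4 0.0.0.1
        stub no-summary

# Close the configuration like the other device listings (3.1.1, 3.4.1),
# so a pasted config returns to user view.
return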

3.4. AC 配置

3.4.1. AC

# AC: wireless controller, attached to CORE-SW over the 192.168.0.4/31 link
# in OSPF stub area 1. It is also the DHCP server for the AP management VLAN.
sysname AC

vlan batch 1024

dhcp enable

# Global pool for the APs in VLAN 970 (relayed here by OFFICE-AGG-SW).
# Option 43 sub-option 3 hands the APs the AC address, 192.168.0.5.
ip pool ap-management
    network 10.97.0.0 mask 24
    gateway-list 10.97.0.1
    option 43 sub-option 3 ascii 192.168.0.5
    dns-list 223.5.5.5

# Uplink /31 to CORE-SW Vlanif 1023; `dhcp select global` serves the pool above.
interface Vlanif 1024
    ip address 192.168.0.5 31
    dhcp select global
    ospf network-type p2p

interface GigabitEthernet0/0/24
    port link-type access
    port default vlan 1024

interface LoopBack0
    ip address 10.99.0.5 32

# Stub area 1; the ABR (CORE-SW, `stub no-summary`) supplies only a default route.
ospf 1 router-id 10.99.0.5
    area 0.0.0.1
        stub
        network 10.99.0.5 0.0.0.0
        network 192.168.0.4 0.0.0.1

# CAPWAP tunnels terminate on the Vlanif 1024 address advertised via option 43.
capwap source interface vlanif 1024

wlan
# NOTE(review): lab-only credential printed in this document. Rotate it before
# any real use and keep pass-phrases out of published configs.
    security-profile name office
        security wpa-wpa2 psk pass-phrase Passw0rd aes
    ssid-profile name office
        ssid office
# Clients land in VLAN 10 and are bridged locally by the AP (direct-forward),
# which is why the AP-facing trunk on AP-ACC-SW must pass VLAN 10 tagged.
    vap-profile name office
        ssid-profile office
        security-profile office
        service-vlan vlan-id 10
        forward-mode direct-forward
# NOTE(review): no-auth lets any AP that can reach 192.168.0.5 register with
# this AC. Beyond a lab, use mac-auth or sn-auth with an explicit AP whitelist.
    ap auth-mode no-auth
    ap-group name default
        vap-profile office wlan 1 radio 0
        vap-profile office wlan 1 radio 1

return

3.5. FW 配置

3.5.1. FW

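# FW: edge firewall. GE0/0/0 faces the ISP (untrust), GE1/0/0 faces
# CORE-SW (trust), GE1/0/1 faces DMZ-AGG-SW (dmz). It is the only path
# between the DMZ and the rest of the network, and the NAT edge to the ISP.
sysname FW

# GE0/0/0 ships bound to the management vpn-instance "default" on this USG
# model; it is unbound here so it can serve as the ISP-facing data port.
interface GigabitEthernet 0/0/0
    undo ip binding vpn-instance default
    undo alias
    ip address 100.1.1.2 24

# /31 to CORE-SW Vlanif 1024 (192.168.0.1).
interface GigabitEthernet 1/0/0
    ip address 192.168.0.0 31
    ospf network-type p2p

# /31 to DMZ-AGG-SW Vlanif 1024 (192.168.0.3).
interface GigabitEthernet 1/0/1
    ip address 192.168.0.2 31
    ospf network-type p2p

interface LoopBack0
    ip address 10.99.0.1 32

# Static default route towards the ISP (100.1.1.1, section 3.6). Without a
# default route in the routing table, `default-route-advertise` below (used
# without `always`) originates nothing into OSPF.
ip route-static 0.0.0.0 0.0.0.0 100.1.1.1

ospf 1 router-id 10.99.0.1
    default-route-advertise
    area 0.0.0.0
        network 10.99.0.1 0.0.0.0
        network 192.168.0.0 0.0.0.1
        network 192.168.0.2 0.0.0.1

firewall zone trust
    undo add interface GigabitEthernet 0/0/0
    add interface GigabitEthernet 1/0/0

firewall zone untrust
    add interface GigabitEthernet 0/0/0

firewall zone dmz
    add interface GigabitEthernet 1/0/1

security-policy
# OSPF reaches the local zone from BOTH the trust link (GE1/0/0) and the dmz
# link (GE1/0/1). The original rule listed 192.168.0.2/31 as a source address
# but only source-zone trust, so hellos from DMZ-AGG-SW arrive in zone dmz and
# never matched it. NOTE(review): depending on USG version a local -> trust/dmz
# rule may be needed for the replies as well; verify with `display ospf peer`.
 rule name permit_ospf
  source-zone trust
  source-zone dmz
  destination-zone local
  source-address 192.168.0.0 mask 255.255.255.254
  source-address 192.168.0.2 mask 255.255.255.254
  service ospf
  action permit
# Office -> Internet. Only the Office VLAN is permitted; see the note on
# nat-policy below about the Video VLAN.
 rule name permit-office-to-untrust
  source-zone trust
  destination-zone untrust
  source-address 172.16.16.0 mask 255.255.240.0
  action permit
# Office may not reach the DMZ servers; Video may. Order matters: the deny is
# evaluated before the permit, and both are more specific than the default.
 rule name deny-office-to-dmz
  source-zone trust
  destination-zone dmz
  source-address 172.16.16.0 mask 255.255.240.0
  destination-address 172.16.0.0 mask 255.255.240.0
  action deny
 rule name permit-video-to-dmz
  source-zone trust
  destination-zone dmz
  source-address 172.16.32.0 mask 255.255.240.0
  destination-address 172.16.0.0 mask 255.255.240.0
  action permit
# NOTE(review): Office and Video are both routed by CORE-SW (area 0), so per
# the topology on this page Office <-> Video traffic never traverses the FW;
# this rule is effectively unused. Everything not listed above (untrust -> dmz,
# dmz -> trust, ...) falls to the default deny.
 rule name permit-office-to-video
  source-address 172.16.16.0 mask 255.255.240.0
  destination-address 172.16.32.0 mask 255.255.240.0
  action permit

# Source NAT to the GE0/0/0 address (easy-ip). NOTE(review): 172.16.32.0/20 is
# translated here, but no security-policy rule permits Video -> untrust, so
# that entry is unreachable under the default deny. Either intended (no
# Internet for the Video VLAN) or a missing permit rule; confirm.
nat-policy
    rule name nat-trust-to-untrust
        source-zone trust
        destination-zone untrust
        source-address 172.16.32.0 mask 255.255.240.0
        source-address 172.16.16.0 mask 255.255.240.0
        action source-nat easy-ip

return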

3.6. ISP 配置

# ISP: simulated upstream router. A single interface on 100.1.1.0/24 facing
# FW GE0/0/0 (100.1.1.2). No route back to the inside networks is needed
# because the FW source-NATs everything to 100.1.1.2 (easy-ip, section 3.5).
sysname ISP

interface GigabitEthernet0/0/0
    ip address 100.1.1.1 24