Small and Medium Campus Network Design and Configuration

Network Topology

(Topology diagram)

Project Overview

Build a layered, redundant and secure enterprise network. The core consists of two firewalls and two core switches; the aggregation layer is divided by functional area (office, video, servers); the access layer provides connectivity for end users and devices. The network runs OSPF as its dynamic routing protocol and deploys VRRP, firewall hot standby (HRP) and WLAN for high availability and wireless coverage.

Network Topology and Architecture

  • Core layer: FW1/FW2 (firewall hot-standby pair), CORE-SW1/CORE-SW2 (core switching)
  • Aggregation layer: OFFICE-AGG-SW1/2 (office), VIDEO-AGG-SW1/2 (video), SERVER-AGG-SW1/2 (servers/DMZ)
  • Access layer: OFFICE-ACC-SW, AP-ACC-SW, VIDEO-ACC-SW1/2, SERVER-ACC-SW1/2
  • Wireless controllers: AC1/AC2 (active/standby)
  • Routing protocol: OSPF, split into Area 0 (backbone), Area 1 (office), Area 2 (video) and Area 3 (servers)

IP Address and VLAN Plan

Service VLANs

| VLAN ID | Network name | Subnet | Gateway | Purpose |
| --- | --- | --- | --- | --- |
| 10 | Office_User | 172.16.16.0/20 | 172.16.16.1 | Office user endpoints |
| 20 | Video_Surveillance | 172.16.32.0/20 | 172.16.32.1 | Video surveillance endpoints |
| 30 | Server | 172.16.48.0/20 | 172.16.48.1 | Server area |
| 91 | Office_Management | 172.31.2.0/23 | 172.31.2.1 | Office access switch management |
| 92 | Video_Management | 172.31.4.0/23 | 172.31.4.1 | Video access switch management |
| 93 | Server_Management | 172.31.6.0/23 | 172.31.6.1 | Server access switch management |
| 94 | AP_Management | 172.31.8.0/23 | 172.31.8.1 | Wireless AP management |

Device management addresses (Loopback 0)

| Device type | Device name | Management address |
| --- | --- | --- |
| Firewall | FW1 | 172.31.0.1/32 |
| Firewall | FW2 | 172.31.0.2/32 |
| Core switch | CORE-SW1 | 172.31.0.3/32 |
| Core switch | CORE-SW2 | 172.31.0.4/32 |
| Wireless controller | AC1 | 172.31.0.5/32 |
| Wireless controller | AC2 | 172.31.0.6/32 |
| Aggregation switch | OFFICE-AGG-SW1 | 172.31.0.7/32 |
| Aggregation switch | OFFICE-AGG-SW2 | 172.31.0.8/32 |
| Aggregation switch | VIDEO-AGG-SW1 | 172.31.0.9/32 |
| Aggregation switch | VIDEO-AGG-SW2 | 172.31.0.10/32 |
| Aggregation switch | DMZ-AGG-SW1 | 172.31.0.11/32 |
| Aggregation switch | DMZ-AGG-SW2 | 172.31.0.12/32 |

Routing area layout

| Area | Type | Description |
| --- | --- | --- |
| Area 0 | Backbone area | Contains the core network devices |
| Area 1 | Stub area | Office network |
| Area 2 | Stub area | Video surveillance network |
| Area 3 | Stub area | Server area |

Interconnect addresses

  • All interconnects between core devices use /31 addresses.

Device Configuration Details

Firewalls (FW1 & FW2)

  • System and high availability:
    • System names: FW1 / FW2
    • Hot standby: hrp enable; the heartbeat link runs over Eth-Trunk1 (192.168.0.0/31 on FW1, 192.168.0.1/31 on FW2).
    • Tracked uplink interface: GigabitEthernet1/0/0
  • Interfaces and security zones:
    • GigabitEthernet1/0/0: Untrust zone, IP 100.1.1.1/24 (FW1), 200.1.1.1/24 (FW2).
    • GigabitEthernet1/0/1 and 1/0/2: Trust zone, connected to the core switches.
    • GigabitEthernet1/0/3 and 1/0/4: DMZ zone, connected to the server aggregation switches.
    • Eth-Trunk1: Heartbeat zone, used for the HRP heartbeat.
  • Routing:
    • OSPF process 1, advertising a default route (default-route-advertise) plus all interconnect and management prefixes.
    • Static default route towards the ISP gateway, bound to an NQA probe.
  • Security policy:
    • Rule trust_to_untrust: permits traffic from the Trust zone to the Untrust zone.
    • Rule ha_local_to_heartbeat: permits HRP heartbeat traffic.
    • Rule nqa_local_to_untrust: permits NQA probe packets.
  • NAT policy:
    • Rule to_internet: source NAT (Easy-IP) for traffic from Trust to Untrust.

Core Switches (CORE-SW1 & CORE-SW2)

  • System and interfaces:
    • System names: CORE-SW1 / CORE-SW2
    • All interconnect interfaces run OSPF with network type p2p.
  • Routing:
    • OSPF process 1, Router-ID set to each switch's Loopback0 address.
    • All interconnect and management addresses are advertised in Area 0.

Office Aggregation Switches (OFFICE-AGG-SW1 & OFFICE-AGG-SW2)

  • VRRP:
    • Vlanif10 (office users): SW1 priority 120 (Master), SW2 default (Backup).
    • Vlanif91 (management): SW2 priority 120 (Master), SW1 default (Backup).
    • Vlanif94 (AP management): SW2 priority 120 (Master), SW1 default (Backup).
  • DHCP service:
    • Assigns addresses for VLAN 10 and VLAN 94, with DNS server 223.5.5.5.
    • DHCP Option 43 for VLAN 94 points to the AC1 and AC2 management addresses (192.168.0.29, 192.168.0.39) for AP discovery.
  • Routing:
    • OSPF process 1; uplinks in Area 0, service prefixes in Area 1 (stub area).

Wireless Controllers (AC1 & AC2)

  • System and high availability:
    • System names: AC1 / AC2
    • An inter-AC hot-standby channel is established with hsb-service.
    • ac protect enable designates the peer as the backup AC.
  • WLAN service:
    • SSID demo, WPA2-PSK authentication.
    • Service VLAN 10, kept separate from management VLAN 94.
    • capwap source interface set to Vlanif1024.

Aggregation and Access Switches in the Other Areas

  • Video aggregation (VIDEO-AGG-SW1/2): configured like the office aggregation, using VLAN 20 and 92, in Area 2.
  • Server aggregation (SERVER-AGG-SW1/2): configured like the office aggregation, using VLAN 30 and 93, in Area 3. DHCP is not enabled.
  • Access switches (OFFICE-ACC-SW, VIDEO-ACC-SW1/2, etc.): ports in Access or Trunk mode; uplinks allow the relevant service and management VLANs. OSPF runs in the stub area with dr-priority 0 so the switch never takes part in DR election.

Routing and Redundancy Design

  • OSPF: the whole network runs OSPF; the core and interconnects sit in Area 0 and each service area is configured as a stub area, keeping routing tables small and improving stability.
  • VRRP: deployed on every aggregation-layer service gateway for gateway redundancy.
  • Eth-Trunk: LACP-mode Eth-Trunks on the key links (FW-CORE, CORE-AGG, AGG-ACC) for link-level redundancy and load sharing.
  • HRP: hot standby between the two firewalls for stateful failover.
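The consistency rules behind this design (each /31 interconnect joins exactly two devices, every interface address falls inside one of its own device's OSPF network statements, and each VRRP group has exactly one member with a raised priority) can be checked mechanically. The Python audit below is an added example, not part of the original post; it parses Huawei-style config excerpts reduced from the page's OFFICE-AGG-SW1/2 configuration, carries three marked deviations so that every check has something to report, and assumes the Huawei VRRP default priority of 100.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpts reduced from the page's OFFICE-AGG-SW1/2 configs, with
# three marked deviations so that every check has a finding to report.
CONFIGS = {
    # DEVIATION: CORE-SW1, the other end of 192.168.0.20/31, is left out
    # DEVIATION: the page also has "network 172.31.2.0 0.0.1.255" in area 1
    "OFFICE-AGG-SW1": """\
interface Vlanif10
 ip address 172.16.16.2 255.255.240.0
 vrrp vrid 10 virtual-ip 172.16.16.1
 vrrp vrid 10 priority 120
interface Vlanif91
 ip address 172.31.2.2 255.255.254.0
 vrrp vrid 91 virtual-ip 172.31.2.1
interface Vlanif1023
 ip address 192.168.0.21 255.255.255.254
ospf 1 router-id 172.31.0.7
 area 0.0.0.0
  network 192.168.0.20 0.0.0.1
 area 0.0.0.1
  network 172.16.16.0 0.0.15.255""",
    # DEVIATION: the page sets no priority on SW2 for vrid 10 (SW1 is master)
    "OFFICE-AGG-SW2": """\
interface Vlanif10
 ip address 172.16.16.3 255.255.240.0
 vrrp vrid 10 virtual-ip 172.16.16.1
 vrrp vrid 10 priority 120
interface Vlanif91
 ip address 172.31.2.3 255.255.254.0
 vrrp vrid 91 virtual-ip 172.31.2.1
 vrrp vrid 91 priority 120
ospf 1 router-id 172.31.0.8
 area 0.0.0.1
  network 172.16.16.0 0.0.15.255
  network 172.31.2.0 0.0.1.255""",
}


def parse(text):
    """Extract interface addresses, OSPF network ranges and VRRP groups."""
    addrs, nets, vrrp, iface = [], [], {}, None
    for s in (ln.strip() for ln in text.splitlines()):
        if s.startswith("interface "):
            iface = s.split()[1]
        elif s.startswith("ip address "):
            ip, mask = s.split()[2:4]
            addrs.append((iface, ipaddress.ip_interface(f"{ip}/{mask}")))
        elif m := re.match(r"network (\S+) (\d+\.\d+\.\d+\.\d+)$", s):
            # OSPF wildcard mask -> prefix length (0.0.0.1 -> /31, 0.0.15.255 -> /20)
            plen = 32 - int(ipaddress.ip_address(m[2])).bit_length()
            nets.append(ipaddress.ip_network(f"{m[1]}/{plen}", strict=False))
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+)", s):
            vrrp[int(m[1])] = {"vip": m[2], "prio": 100}  # assumed Huawei default
        elif m := re.match(r"vrrp vrid (\d+) priority (\d+)", s):
            vrrp.setdefault(int(m[1]), {"vip": None, "prio": 100})["prio"] = int(m[2])
    return addrs, nets, vrrp


def audit(configs):
    """Return human-readable findings; an empty list means the set is consistent."""
    parsed = {dev: parse(text) for dev, text in configs.items()}
    findings, p2p, groups = [], defaultdict(list), defaultdict(list)
    for dev, (addrs, nets, vrrp) in parsed.items():
        for iface, a in addrs:
            if a.network.prefixlen == 31:
                p2p[a.network].append(dev)
            if not any(a.ip in n for n in nets):
                findings.append(f"{dev} {iface} {a.with_prefixlen} is in no OSPF network statement")
        for vrid, g in vrrp.items():
            groups[vrid].append((dev, g["vip"], g["prio"]))
    for net, devs in sorted(p2p.items()):
        if len(set(devs)) != 2:  # a /31 must join exactly two devices
            findings.append(f"/31 {net} is configured on {devs}, expected two devices")
    for vrid, members in sorted(groups.items()):
        masters = [d for d, _, p in members if p > 100]
        if len({vip for _, vip, _ in members}) != 1 or len(masters) != 1:
            findings.append(f"VRRP vrid {vrid}: one master expected, found {masters}")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIGS):
        print(finding)
```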

Security Configuration Summary

  • Firewall security zones: strict separation into Trust, Untrust, DMZ and Heartbeat zones.
  • Stateful security policy: fine-grained traffic control based on source/destination zone, IP address and service.
  • Source NAT: address translation for internal users accessing the Internet.
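To see what the three security-policy rules and the NAT rule actually allow, the following Python evaluator (an added example, not from the original post) replays the FW1 zone membership and rules from the configuration reference against constructed sample flows, including the implicit consequences such as the DMZ having no permitted path to the Internet or from the office. It assumes the policy's default action is deny (the USG default, which the page does not change), that a condition a rule omits matches any value, and first-match rule order as listed in the FW1 config.

```python
import ipaddress

# Zone membership and policy rules transcribed from the page's FW1 config.
ZONES = {
    "trust": {"GigabitEthernet0/0/0", "GigabitEthernet1/0/1", "GigabitEthernet1/0/2"},
    "untrust": {"GigabitEthernet1/0/0"},
    "dmz": {"GigabitEthernet1/0/3", "GigabitEthernet1/0/4"},
    "heartbeat": {"Eth-Trunk1"},
}
# A condition a rule leaves unspecified matches anything (assumed USG semantics).
RULES = [
    {"name": "ha_local_to_heartbeat", "src_zone": {"heartbeat", "local"},
     "dst_zone": {"heartbeat", "local"}, "proto": "udp", "dport": 18514},
    {"name": "nqa_local_to_untrust", "src_zone": {"local"}, "dst_zone": {"untrust"},
     "src_ip": ["100.1.1.1/32", "200.1.1.1/32"],
     "dst_ip": ["100.1.1.254/32", "200.1.1.254/32"]},
    {"name": "trust_to_untrust", "src_zone": {"trust"}, "dst_zone": {"untrust"}},
]
NAT_RULES = [{"name": "to_internet", "src_zone": {"trust"}, "dst_zone": {"untrust"}}]
DEFAULT_ACTION = "deny"  # assumption: the USG default, not changed on the page


def zone_of(interface):
    """Map an interface to its zone; 'local' stands for the firewall itself."""
    if interface == "local":
        return "local"
    return next((z for z, ifs in ZONES.items() if interface in ifs), None)


def make_flow(in_if, src_ip, out_if, dst_ip, proto, dport=None):
    return {"src_zone": zone_of(in_if), "dst_zone": zone_of(out_if),
            "src_ip": src_ip, "dst_ip": dst_ip, "proto": proto, "dport": dport}


def _ip_in(ip, cidrs):
    # No address condition -> matches; otherwise the address must be in one of the CIDRs.
    return cidrs is None or any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)


def matches(rule, flow):
    return (flow["src_zone"] in rule["src_zone"]
            and flow["dst_zone"] in rule["dst_zone"]
            and _ip_in(flow["src_ip"], rule.get("src_ip"))
            and _ip_in(flow["dst_ip"], rule.get("dst_ip"))
            and rule.get("proto", flow["proto"]) == flow["proto"]
            and rule.get("dport", flow["dport"]) == flow["dport"])


def evaluate(flow):
    """First matching rule wins; returns (action, rule name, source NAT applied)."""
    for rule in RULES:
        if matches(rule, flow):
            nat = any(matches(n, flow) for n in NAT_RULES)  # NAT only on permitted flows
            return rule.get("action", "permit"), rule["name"], nat
    return DEFAULT_ACTION, None, False


# Constructed sample flows: office user, DMZ server, NQA probe and HRP heartbeat.
SAMPLE_FLOWS = {
    "office->internet": make_flow("GigabitEthernet1/0/1", "172.16.20.10", "GigabitEthernet1/0/0", "8.8.8.8", "tcp", 443),
    "dmz->internet": make_flow("GigabitEthernet1/0/3", "172.16.48.10", "GigabitEthernet1/0/0", "8.8.8.8", "tcp", 443),
    "office->dmz": make_flow("GigabitEthernet1/0/1", "172.16.20.10", "GigabitEthernet1/0/3", "172.16.48.10", "tcp", 443),
    "nqa-probe": make_flow("local", "100.1.1.1", "GigabitEthernet1/0/0", "100.1.1.254", "icmp"),
    "local->other": make_flow("local", "100.1.1.1", "GigabitEthernet1/0/0", "8.8.8.8", "icmp"),
    "hrp-heartbeat": make_flow("local", "192.168.0.0", "Eth-Trunk1", "192.168.0.1", "udp", 18514),
    "hrp-wrong-port": make_flow("local", "192.168.0.0", "Eth-Trunk1", "192.168.0.1", "udp", 18515),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:16} {flow['src_zone']:>9} -> {flow['dst_zone']:<9} {evaluate(flow)}")
```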

Configuration Reference

Firewall Configuration

FW1
sysname FW1
#
undo info-center enable
#
 hrp enable
 hrp interface Eth-Trunk1 remote 192.168.0.1
 hrp mirror session enable
 hrp track interface GigabitEthernet1/0/0
#
interface Eth-Trunk1
 ip address 192.168.0.0 255.255.255.254
 mode lacp-static
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.0.2 255.255.255.254
 ospf network-type p2p
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.0.4 255.255.255.254
 ospf network-type p2p
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 192.168.0.6 255.255.255.254
 ospf network-type p2p
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 192.168.0.8 255.255.255.254
 ospf network-type p2p
#
interface GigabitEthernet1/0/5
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/6
 undo shutdown
 eth-trunk 1
#
interface LoopBack0
 ip address 172.31.0.1 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
 add interface GigabitEthernet1/0/4
#
firewall zone name heartbeat id 4
 set priority 75
 add interface Eth-Trunk1
#
ospf 1 router-id 172.31.0.1
 default-route-advertise
 area 0.0.0.0
  network 172.31.0.1 0.0.0.0
  network 192.168.0.2 0.0.0.1
  network 192.168.0.4 0.0.0.1
  network 192.168.0.6 0.0.0.1
  network 192.168.0.8 0.0.0.1
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.254 track nqa admin isp
#
nqa test-instance admin isp
 test-type icmp
 destination-address ipv4 100.1.1.254
 source-address ipv4 100.1.1.1
 frequency 15
 interval seconds 5
 probe-count 2
 start now
#
security-policy
 rule name ha_local_to_heartbeat
  source-zone heartbeat
  source-zone local
  destination-zone heartbeat
  destination-zone local
  service protocol udp destination-port 18514
  action permit
 rule name nqa_local_to_untrust
  source-zone local
  destination-zone untrust
  source-address 100.1.1.1 mask 255.255.255.255
  source-address 200.1.1.1 mask 255.255.255.255
  destination-address 100.1.1.254 mask 255.255.255.255
  destination-address 200.1.1.254 mask 255.255.255.255
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  action permit
#
nat-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
#
return
FW2
sysname FW2
#
undo info-center enable
#
 hrp enable
 hrp interface Eth-Trunk1 remote 192.168.0.0
 hrp mirror session enable
 hrp track interface GigabitEthernet1/0/0
#
interface Eth-Trunk1
 ip address 192.168.0.1 255.255.255.254
 mode lacp-static
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 200.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.0.10 255.255.255.254
 ospf network-type p2p
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.0.12 255.255.255.254
 ospf network-type p2p
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 192.168.0.14 255.255.255.254
 ospf network-type p2p
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 192.168.0.16 255.255.255.254
 ospf network-type p2p
#
interface GigabitEthernet1/0/5
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/6
 undo shutdown
 eth-trunk 1
#
interface LoopBack0
 ip address 172.31.0.2 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
 add interface GigabitEthernet1/0/4
#
firewall zone name heartbeat id 4
 set priority 75
 add interface Eth-Trunk1
#
ospf 1 router-id 172.31.0.2
 default-route-advertise
 area 0.0.0.0
  network 172.31.0.2 0.0.0.0
  network 192.168.0.10 0.0.0.1
  network 192.168.0.12 0.0.0.1
  network 192.168.0.14 0.0.0.1
  network 192.168.0.16 0.0.0.1
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.254 track nqa admin isp
#
nqa test-instance admin isp
 test-type icmp
 destination-address ipv4 200.1.1.254
 source-address ipv4 200.1.1.1
 frequency 15
 interval seconds 5
 probe-count 2
 start now
#
security-policy
 rule name ha_local_to_heartbeat
  source-zone heartbeat
  source-zone local
  destination-zone heartbeat
  destination-zone local
  service protocol udp destination-port 18514
  action permit
 rule name nqa_local_to_untrust
  source-zone local
  destination-zone untrust
  source-address 100.1.1.1 mask 255.255.255.255
  source-address 200.1.1.1 mask 255.255.255.255
  destination-address 100.1.1.254 mask 255.255.255.255
  destination-address 200.1.1.254 mask 255.255.255.255
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  action permit
#
nat-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
#
return

Core Switch Configuration

CORE-SW1
sysname CORE-SW1
#
interface Eth-Trunk1
 undo portswitch
 ip address 192.168.0.18 255.255.255.254 
 ospf network-type p2p
 mode lacp-static
#
interface Eth-Trunk2
 undo portswitch
 ip address 192.168.0.28 255.255.255.254 
 ospf network-type p2p
 mode lacp-static
#
interface GigabitEthernet0/0/1
 ip address 192.168.0.3 255.255.255.254 
 ospf network-type p2p
#
interface GigabitEthernet0/0/2
 ip address 192.168.0.11 255.255.255.254 
 ospf network-type p2p
#
interface GigabitEthernet2/0/0
 eth-trunk 2
#
interface GigabitEthernet2/0/1
 eth-trunk 2
#
interface GigabitEthernet2/0/2
 eth-trunk 1
#
interface GigabitEthernet2/0/3
 eth-trunk 1
#
interface GigabitEthernet4/0/0
 ip address 192.168.0.20 255.255.255.254 
 ospf network-type p2p
#
interface GigabitEthernet4/0/1
 ip address 192.168.0.22 255.255.255.254 
 ospf network-type p2p
#
interface GigabitEthernet4/0/2
 ip address 192.168.0.24 255.255.255.254 
 ospf network-type p2p
#
interface GigabitEthernet4/0/3
 ip address 192.168.0.26 255.255.255.254 
 ospf network-type p2p
#
interface LoopBack0
 ip address 172.31.0.3 255.255.255.255 
#
ospf 1 router-id 172.31.0.3 
 area 0.0.0.0 
  network 172.31.0.3 0.0.0.0 
  network 192.168.0.2 0.0.0.1 
  network 192.168.0.10 0.0.0.1 
  network 192.168.0.18 0.0.0.1 
  network 192.168.0.20 0.0.0.1 
  network 192.168.0.22 0.0.0.1 
  network 192.168.0.24 0.0.0.1 
  network 192.168.0.26 0.0.0.1 
  network 192.168.0.28 0.0.0.1 
#
return
CORE-SW2
sysname CORE-SW2
#
interface Eth-Trunk1
 undo portswitch
 ip address 192.168.0.19 255.255.255.254 
 ospf network-type p2p
 mode lacp-static
#
interface Eth-Trunk2
 undo portswitch
 ip address 192.168.0.38 255.255.255.254 
 ospf network-type p2p
 mode lacp-static
#
interface GigabitEthernet0/0/1
 ip address 192.168.0.5 255.255.255.254 
 ospf network-type p2p
#
interface GigabitEthernet0/0/2
 ip address 192.168.0.13 255.255.255.254 
 ospf network-type p2p
#
interface GigabitEthernet2/0/0
 eth-trunk 2
#
interface GigabitEthernet2/0/1
 eth-trunk 2
#
interface GigabitEthernet2/0/2
 eth-trunk 1
#
interface GigabitEthernet2/0/3
 eth-trunk 1
#
interface GigabitEthernet4/0/0
 ip address 192.168.0.30 255.255.255.254 
 ospf network-type p2p
#
interface GigabitEthernet4/0/1
 ip address 192.168.0.32 255.255.255.254 
 ospf network-type p2p
#
interface GigabitEthernet4/0/2
 ip address 192.168.0.34 255.255.255.254 
 ospf network-type p2p
#
interface GigabitEthernet4/0/3
 ip address 192.168.0.36 255.255.255.254 
 ospf network-type p2p
#
interface LoopBack0
 ip address 172.31.0.4 255.255.255.255 
#
ospf 1 router-id 172.31.0.4 
 area 0.0.0.0 
  network 172.31.0.4 0.0.0.0 
  network 192.168.0.4 0.0.0.1 
  network 192.168.0.12 0.0.0.1 
  network 192.168.0.18 0.0.0.1 
  network 192.168.0.30 0.0.0.1 
  network 192.168.0.32 0.0.0.1 
  network 192.168.0.34 0.0.0.1 
  network 192.168.0.36 0.0.0.1 
  network 192.168.0.38 0.0.0.1 
#
return

AC Configuration

AC1
sysname AC1
#
vlan batch 1024
#
interface Vlanif1024
 ip address 192.168.0.29 255.255.255.254
 ospf network-type p2p
#
interface Eth-Trunk1
 port link-type access
 port default vlan 1024
 mode lacp-static
#
interface GigabitEthernet0/0/23
 undo negotiation auto
 duplex half
 eth-trunk 1
#
interface GigabitEthernet0/0/24
 undo negotiation auto
 duplex half
 eth-trunk 1
#
interface LoopBack0
 ip address 172.31.0.5 255.255.255.255
#
ospf 1 router-id 172.31.0.5
 area 0.0.0.0
  network 172.31.0.5 0.0.0.0
  network 192.168.0.28 0.0.0.1
#
 undo info-center enable
#
capwap source interface vlanif1024
#
hsb-service 0
 service-ip-port local-ip 192.168.0.29 peer-ip 192.168.0.39 local-data-port 10240 peer-data-port 10240
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
 ac protect enable protect-ac 192.168.0.39
 security-profile name demo
  security wpa2 psk pass-phrase Passw0rd aes
 ssid-profile name demo
  ssid demo
 vap-profile name demo
  service-vlan vlan-id 10
  ssid-profile demo
  security-profile demo
 ap auth-mode no-auth
 ap-group name default
  radio 0
   vap-profile demo wlan 1
  radio 1
   vap-profile demo wlan 1
  radio 2
   vap-profile demo wlan 1
#
return
AC2
sysname AC2
#
vlan batch 1024
#
interface Vlanif1024
 ip address 192.168.0.39 255.255.255.254
 ospf network-type p2p
#
interface Eth-Trunk1
 port link-type access
 port default vlan 1024
 mode lacp-static
#
interface GigabitEthernet0/0/23
 undo negotiation auto
 duplex half
 eth-trunk 1
#
interface GigabitEthernet0/0/24
 undo negotiation auto
 duplex half
 eth-trunk 1
#
interface LoopBack0
 ip address 172.31.0.6 255.255.255.255
#
ospf 1 router-id 172.31.0.6
 area 0.0.0.0
  network 172.31.0.6 0.0.0.0
  network 192.168.0.38 0.0.0.1
#
 undo info-center enable
#
capwap source interface vlanif1024
#
hsb-service 0
 service-ip-port local-ip 192.168.0.39 peer-ip 192.168.0.29 local-data-port 10240 peer-data-port 10240
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
 ac protect enable protect-ac 192.168.0.29 priority 1
 security-profile name demo
  security wpa2 psk pass-phrase Passw0rd aes
 ssid-profile name demo
  ssid demo
 vap-profile name demo
  service-vlan vlan-id 10
  ssid-profile demo
  security-profile demo
 ap auth-mode no-auth
 ap-group name default
  radio 0
   vap-profile demo wlan 1
  radio 1
   vap-profile demo wlan 1
  radio 2
   vap-profile demo wlan 1
#
return

Office Network Configuration

OFFICE-AGG-SW1
sysname OFFICE-AGG-SW1
#
undo info-center enable
#
vlan batch 10 91 94 1023 to 1024
#
stp instance 1 root primary
stp instance 2 root secondary
#
dhcp enable
#
stp region-configuration
 region-name access-network
 instance 1 vlan 10
 instance 2 vlan 91 94
 active region-configuration
#
ip pool vlan10
 gateway-list 172.16.16.1
 network 172.16.16.0 mask 255.255.240.0
 excluded-ip-address 172.16.16.2 172.16.16.3
 dns-list 223.5.5.5
#
ip pool vlan94
 gateway-list 172.31.8.1
 network 172.31.8.0 mask 255.255.254.0
 excluded-ip-address 172.31.8.2 172.31.8.3
 dns-list 223.5.5.5
 option 43 sub-option 2 ip-address 192.168.0.29 192.168.0.39 
#
interface Vlanif10
 ip address 172.16.16.2 255.255.240.0
 vrrp vrid 10 virtual-ip 172.16.16.1
 vrrp vrid 10 priority 120
 ospf network-type p2p
 dhcp select global
#
interface Vlanif91
 ip address 172.31.2.2 255.255.254.0
 vrrp vrid 91 virtual-ip 172.31.2.1
 ospf network-type p2mp
#
interface Vlanif94
 ip address 172.31.8.2 255.255.254.0
 vrrp vrid 94 virtual-ip 172.31.8.1
 ospf network-type p2p
 dhcp select global
#
interface Vlanif1023
 ip address 192.168.0.21 255.255.255.254
 ospf network-type p2p
#
interface Vlanif1024
 ip address 192.168.0.31 255.255.255.254
 ospf network-type p2p
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 91 94
 mode lacp-static
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 91 94
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 91 94
#
interface GigabitEthernet0/0/21
 eth-trunk 1
#
interface GigabitEthernet0/0/22
 eth-trunk 1
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 1023
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 1024
#
interface LoopBack0
 ip address 172.31.0.7 255.255.255.255
#
ospf 1 router-id 172.31.0.7
 area 0.0.0.0
  network 172.31.0.7 0.0.0.0
  network 192.168.0.20 0.0.0.1
  network 192.168.0.30 0.0.0.1
 area 0.0.0.1
  network 172.16.16.0 0.0.15.255
  network 172.31.2.0 0.0.1.255
  network 172.31.8.0 0.0.1.255
  stub no-summary
#
return
OFFICE-AGG-SW2
sysname OFFICE-AGG-SW2
#
undo info-center enable
#
vlan batch 10 91 94 1023 to 1024
#
stp instance 1 root secondary
stp instance 2 root primary
#
dhcp enable
#
diffserv domain default
#
stp region-configuration
 region-name access-network
 instance 1 vlan 10
 instance 2 vlan 91 94
 active region-configuration
#
ip pool vlan10
 gateway-list 172.16.16.1
 network 172.16.16.0 mask 255.255.240.0
 excluded-ip-address 172.16.16.2 172.16.16.3
 dns-list 223.5.5.5
#
ip pool vlan94
 gateway-list 172.31.8.1
 network 172.31.8.0 mask 255.255.254.0
 excluded-ip-address 172.31.8.2 172.31.8.3
 dns-list 223.5.5.5
 option 43 sub-option 2 ip-address 192.168.0.29 192.168.0.39 
#
interface Vlanif10
 ip address 172.16.16.3 255.255.240.0
 vrrp vrid 10 virtual-ip 172.16.16.1
 ospf network-type p2p
 dhcp select global
#
interface Vlanif91
 ip address 172.31.2.3 255.255.254.0
 vrrp vrid 91 virtual-ip 172.31.2.1
 vrrp vrid 91 priority 120
 ospf network-type p2mp
#
interface Vlanif94
 ip address 172.31.8.3 255.255.254.0
 vrrp vrid 94 virtual-ip 172.31.8.1
 vrrp vrid 94 priority 120
 ospf network-type p2p
 dhcp select global
#
interface Vlanif1023
 ip address 192.168.0.23 255.255.255.254
 ospf network-type p2p
#
interface Vlanif1024
 ip address 192.168.0.33 255.255.255.254
 ospf network-type p2p
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 91 94
 mode lacp-static
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 91 94
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 91 94
#
interface GigabitEthernet0/0/21
 eth-trunk 1
#
interface GigabitEthernet0/0/22
 eth-trunk 1
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 1023
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 1024
#
interface LoopBack0
 ip address 172.31.0.8 255.255.255.255
#
ospf 1 router-id 172.31.0.8
 area 0.0.0.0
  network 172.31.0.8 0.0.0.0
  network 192.168.0.22 0.0.0.1
  network 192.168.0.32 0.0.0.1
 area 0.0.0.1
  network 172.16.16.0 0.0.15.255
  network 172.31.2.0 0.0.1.255
  network 172.31.8.0 0.0.1.255
  stub no-summary
#
return
AP-ACC-SW
sysname AP-ACC-SW
#
vlan batch 10 91 94
#
stp region-configuration
 region-name access-network
 instance 1 vlan 10
 instance 2 vlan 91 94
 active region-configuration
#
interface Vlanif91
 ip address 172.31.2.4 255.255.254.0
 ospf network-type p2mp
 ospf dr-priority 0
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk pvid vlan 94
 port trunk allow-pass vlan 10 94
 stp edged-port enable
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk pvid vlan 94
 port trunk allow-pass vlan 10 94
 stp edged-port enable
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 91 94
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 91 94
#
ospf 1 router-id 172.31.2.4
 area 0.0.0.1
  network 172.31.2.0 0.0.1.255
  stub
#
return
OFFICE-ACC-SW
sysname OFFICE-ACC-SW
#
vlan batch 10 91
#
stp region-configuration
 region-name access-network
 instance 1 vlan 10
 instance 2 vlan 91 94
 active region-configuration
#
interface Vlanif91
 ip address 172.31.2.5 255.255.254.0
 ospf network-type p2mp
 ospf dr-priority 0
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 91
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 91
#
ospf 1 router-id 172.31.2.5
 area 0.0.0.1
  network 172.31.2.0 0.0.1.255
  stub
#
return

Video Surveillance Network Configuration

VIDEO-AGG-SW1
sysname VIDEO-AGG-SW1
#
undo info-center enable
#
vlan batch 20 92 1023 to 1024
#
stp instance 1 root primary
stp instance 2 root secondary
#
dhcp enable
#
diffserv domain default
#
stp region-configuration
 region-name access-network
 instance 1 vlan 20
 instance 2 vlan 92
 active region-configuration
#
ip pool vlan20
 gateway-list 172.16.32.1
 network 172.16.32.0 mask 255.255.240.0
 excluded-ip-address 172.16.32.2 172.16.32.3
 dns-list 223.5.5.5 223.6.6.6
#
interface Vlanif20
 ip address 172.16.32.2 255.255.240.0
 vrrp vrid 20 virtual-ip 172.16.32.1
 vrrp vrid 20 priority 120
 ospf network-type p2p
 dhcp select global
#
interface Vlanif92
 ip address 172.31.4.2 255.255.254.0
 vrrp vrid 92 virtual-ip 172.31.4.1
 ospf network-type p2mp
#
interface Vlanif1023
 ip address 192.168.0.25 255.255.255.254
 ospf network-type p2p
#
interface Vlanif1024
 ip address 192.168.0.35 255.255.255.254
 ospf network-type p2p
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 20 92
 mode lacp-static
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 20 92
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20 92
#
interface GigabitEthernet0/0/21
 eth-trunk 1
#
interface GigabitEthernet0/0/22
 eth-trunk 1
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 1023
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 1024
#
interface LoopBack0
 ip address 172.31.0.9 255.255.255.255
#
ospf 1 router-id 172.31.0.9
 area 0.0.0.0
  network 172.31.0.9 0.0.0.0
  network 192.168.0.24 0.0.0.1
  network 192.168.0.34 0.0.0.1
 area 0.0.0.2
  network 172.16.32.0 0.0.15.255
  network 172.31.4.0 0.0.1.255
  stub no-summary
#
return
VIDEO-AGG-SW2
sysname VIDEO-AGG-SW2
#
undo info-center enable
#
vlan batch 20 92 1023 to 1024
#
stp instance 1 root secondary
stp instance 2 root primary
#
dhcp enable
#
stp region-configuration
 region-name access-network
 instance 1 vlan 20
 instance 2 vlan 92
 active region-configuration
#
ip pool vlan20
 gateway-list 172.16.32.1
 network 172.16.32.0 mask 255.255.240.0
 excluded-ip-address 172.16.32.2 172.16.32.3
 dns-list 223.5.5.5 223.6.6.6
#
interface Vlanif20
 ip address 172.16.32.3 255.255.240.0
 vrrp vrid 20 virtual-ip 172.16.32.1
 ospf network-type p2p
 dhcp select global
#
interface Vlanif92
 ip address 172.31.4.3 255.255.254.0
 vrrp vrid 92 virtual-ip 172.31.4.1
 vrrp vrid 92 priority 120
 ospf network-type p2mp
#
interface Vlanif1023
 ip address 192.168.0.27 255.255.255.254
 ospf network-type p2p
#
interface Vlanif1024
 ip address 192.168.0.37 255.255.255.254
 ospf network-type p2p
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 20 92
 mode lacp-static
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 20 92
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20 92
#
interface GigabitEthernet0/0/21
 eth-trunk 1
#
interface GigabitEthernet0/0/22
 eth-trunk 1
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 1023
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 1024
#
interface LoopBack0
 ip address 172.31.0.10 255.255.255.255
#
ospf 1 router-id 172.31.0.10
 area 0.0.0.0
  network 172.31.0.10 0.0.0.0
  network 192.168.0.26 0.0.0.1
  network 192.168.0.36 0.0.0.1
 area 0.0.0.2
  network 172.16.32.0 0.0.15.255
  network 172.31.4.0 0.0.1.255
  stub no-summary
#
return
VIDEO-ACC-SW1
sysname VIDEO-ACC-SW1
#
vlan batch 20 92
#
diffserv domain default
#
stp region-configuration
 region-name access-network
 instance 1 vlan 20
 instance 2 vlan 92
 active region-configuration
#
interface Vlanif92
 ip address 172.31.4.4 255.255.254.0
 ospf network-type p2mp
 ospf dr-priority 0
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 20 92
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20 92
#
ospf 1 router-id 172.31.4.4
 area 0.0.0.2
  network 172.31.4.0 0.0.1.255
  stub
#
return
VIDEO-ACC-SW2
sysname VIDEO-ACC-SW2
#
vlan batch 20 92
#
diffserv domain default
#
stp region-configuration
 region-name access-network
 instance 1 vlan 20
 instance 2 vlan 92
 active region-configuration
#
interface Vlanif92
 ip address 172.31.4.5 255.255.254.0
 ospf network-type p2mp
 ospf dr-priority 0
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 20 92
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20 92
#
ospf 1 router-id 172.31.4.5
 area 0.0.0.2
  network 172.31.4.0 0.0.1.255
  stub
#
return

Server Network Configuration

SERVER-AGG-SW1
sysname DMZ-AGG-SW1
#
undo info-center enable
#
vlan batch 30 93 1023 to 1024
#
stp instance 1 root primary
stp instance 2 root secondary
#
stp region-configuration
 region-name access-network
 instance 1 vlan 30
 instance 2 vlan 93
 active region-configuration
#
interface Vlanif30
 ip address 172.16.48.2 255.255.240.0
 vrrp vrid 30 virtual-ip 172.16.48.1
 vrrp vrid 30 priority 120
 ospf network-type p2p
#
interface Vlanif93
 ip address 172.31.6.2 255.255.254.0
 vrrp vrid 93 virtual-ip 172.31.6.1
 ospf network-type p2mp
#
interface Vlanif1023
 ip address 192.168.0.7 255.255.255.254
 ospf network-type p2p
#
interface Vlanif1024
 ip address 192.168.0.15 255.255.255.254
 ospf network-type p2p
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 30 93
 mode lacp-static
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 30 93
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 30 93
#
interface GigabitEthernet0/0/21
 eth-trunk 1
#
interface GigabitEthernet0/0/22
 eth-trunk 1
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 1023
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 1024
#
interface LoopBack0
 ip address 172.31.0.11 255.255.255.255
#
ospf 1 router-id 172.31.0.11
 area 0.0.0.0
  network 172.31.0.11 0.0.0.0
  network 192.168.0.6 0.0.0.1
  network 192.168.0.14 0.0.0.1
 area 0.0.0.3
  network 172.16.48.0 0.0.15.255
  network 172.31.6.0 0.0.1.255
  stub no-summary
#
return
SERVER-AGG-SW2
sysname DMZ-AGG-SW2
#
undo info-center enable
#
vlan batch 30 93 1023 to 1024
#
stp instance 1 root secondary
stp instance 2 root primary
#
stp region-configuration
 region-name access-network
 instance 1 vlan 30
 instance 2 vlan 93
 active region-configuration
#
interface Vlanif30
 ip address 172.16.48.3 255.255.240.0
 vrrp vrid 30 virtual-ip 172.16.48.1
 ospf network-type p2p
#
interface Vlanif93
 ip address 172.31.6.3 255.255.254.0
 vrrp vrid 93 virtual-ip 172.31.6.1
 vrrp vrid 93 priority 120
 ospf network-type p2mp
#
interface Vlanif1023
 ip address 192.168.0.9 255.255.255.254
 ospf network-type p2p
#
interface Vlanif1024
 ip address 192.168.0.17 255.255.255.254
 ospf network-type p2p
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 30 93
 mode lacp-static
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 30 93
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 30 93
#
interface GigabitEthernet0/0/21
 eth-trunk 1
#
interface GigabitEthernet0/0/22
 eth-trunk 1
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 1023
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 1024
#
interface LoopBack0
 ip address 172.31.0.12 255.255.255.255
#
ospf 1 router-id 172.31.0.12
 area 0.0.0.0
  network 172.31.0.12 0.0.0.0
  network 192.168.0.8 0.0.0.1
  network 192.168.0.16 0.0.0.1
 area 0.0.0.3
  network 172.16.48.0 0.0.15.255
  network 172.31.6.0 0.0.1.255
  stub no-summary
#
return
SERVER-ACC-SW1
sysname SERVER-ACC-SW1
#
undo info-center enable
#
vlan batch 30 93
#
stp region-configuration
 region-name access-network
 instance 1 vlan 30
 instance 2 vlan 93
 active region-configuration
#
interface Vlanif93
 ip address 172.31.6.4 255.255.254.0
 ospf network-type p2mp
 ospf dr-priority 0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 30 93
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 30 93
#
ospf 1 router-id 172.31.6.4
 area 0.0.0.3
  network 172.31.6.0 0.0.1.255
  stub
#
return
SERVER-ACC-SW2
sysname SERVER-ACC-SW2
#
undo info-center enable
#
vlan batch 30 93
#
stp region-configuration
 region-name access-network
 instance 1 vlan 30
 instance 2 vlan 93
 active region-configuration
#
interface Vlanif93
 ip address 172.31.6.5 255.255.254.0
 ospf network-type p2mp
 ospf dr-priority 0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 30 93
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 30 93
#
ospf 1 router-id 172.31.6.5
 area 0.0.0.3
  network 172.31.6.0 0.0.1.255
  stub
#
return
Posted 2025-11-11 09:17 by liy36