整体规划
采用三层网络结构,核心、汇聚三层互联,堆叠采用40G网络,汇聚10G,接入1G,网关下放到汇聚,交换机采用独立管理VLAN,模拟某工厂真实网络情况。
功能实现
1、核心、汇聚堆叠,动态端口聚合
2、配置DHCP服务器为多个VLAN服务
3、静态路由与OSPF配置
4、外网NAT访问实现
5、接入交换机Telnet、管理IP实现
6、SNMP网管服务部署
7、监控摄像头隔离
8、DHCP仿冒防御
9、端口隔离
配置详情
1、设置固定IP,配置主机名
如图片所示
2、核心堆叠,采用40G口堆叠
核心1
<hexin1>sys
System View: return to User View with Ctrl+Z.
[hexin1]int range FortyGigE 1/0/53 to FortyGigE 1/0/54
[hexin1-if-range]shu
[hexin1-if-range]quit
[hexin1]irf member 1 priority 32
[hexin1]irf-port 1/1
[hexin1-irf-port1/1]port group interface FortyGigE 1/0/53
[hexin1-irf-port1/1]port group interface FortyGigE 1/0/54
[hexin1-irf-port1/1]quit
[hexin1]irf-port-configuration active
[hexin1]int range FortyGigE 1/0/53 to FortyGigE 1/0/54
[hexin1-if-range]un sh
[hexin1-if-range]save
核心2
[hexin2]sys
[hexin2]irf member 1 renumber 2
Renumbering the member ID may result in configuration change or loss. Continue?[Y/N]:y
[hexin2]quit
<hexin2>reboot
<hexin2>sys
System View: return to User View with Ctrl+Z.
[hexin2]interface range FortyGigE 2/0/53 to FortyGigE 2/0/54
[hexin2-if-range]shu
[hexin2-if-range]quit
[hexin2]irf member 2 priority 1
[hexin2]irf-port 2/2
[hexin2-irf-port2/2]port group interface FortyGigE 2/0/53
[hexin2-irf-port2/2]port group interface FortyGigE 2/0/54
[hexin2-irf-port2/2]qui
[hexin2]irf-port-configuration active
[hexin2]interface range FortyGigE 2/0/53 to FortyGigE 2/0/54
[hexin2-if-range]un sh
[hexin2-if-range]quit
[hexin2]save
连接堆叠线后,机器自动重启,此时两台交换机终端都会显示为 hexin1
3、车间汇聚堆叠,采用40G口
步骤与核心相同,堆叠后两台终端都会显示为 chejianhuiju1
4、按图片为交换机配置IP和VLAN,三层采用路由模式,汇聚下联trunk,接入上联trunk,下联对应vlan
车间汇聚做端口聚合
[chejianhuiju1]vlan 1004
[chejianhuiju1-vlan1004]int vlan 1004
[chejianhuiju1-Vlan-interface1004]ip add 10.0.4.254 24
[chejianhuiju1-Vlan-interface1004]quit
[chejianhuiju1]int Bridge-Aggregation 1
[chejianhuiju1-Bridge-Aggregation1]link-aggregation mode dynamic
[chejianhuiju1-Bridge-Aggregation1]quit
[chejianhuiju1]int g1/0/1
[chejianhuiju1-GigabitEthernet1/0/1]port link-aggregation group 1
[chejianhuiju1-GigabitEthernet1/0/1]int g2/0/1
[chejianhuiju1-GigabitEthernet2/0/1]port link-aggregation group 1
[chejianhuiju1-GigabitEthernet2/0/1]dis link-aggregation verbose
GE1/0/1 0 32768 0 0x8000, 0000-0000-0000 {EF}
GE2/0/1 0 32768 0 0x8000, 0000-0000-0000 {EF}
[chejianhuiju1-GigabitEthernet2/0/1]vlan 1004
[chejianhuiju1-vlan1004]port Bridge-Aggregation 1
[chejianhuiju1]int Bridge-Aggregation 1
[chejianhuiju1-Bridge-Aggregation1]port link-type trunk
[chejianhuiju1-Bridge-Aggregation1]port trunk permit vlan all
[chejianhuiju1-Bridge-Aggregation1]save
验证生产设备,ping 10.0.20.4 10.0.50.5 10.0.4.254 都通
5、配置OSPF,实现车间、办公、生产服务器、基础服务器互通
配置核心
<hexin1>sys
System View: return to User View with Ctrl+Z.
[hexin1]ospf
[hexin1-ospf-1]area 0
[hexin1-ospf-1-area-0.0.0.0]netwo
[hexin1-ospf-1-area-0.0.0.0]network 10.0.70.0 0.0.0.255
[hexin1-ospf-1-area-0.0.0.0]network 10.0.40.0 0.0.0.255
[hexin1-ospf-1-area-0.0.0.0]network 10.0.60.0 0.0.0.255
[hexin1-ospf-1-area-0.0.0.0]network 10.0.30.0 0.0.0.255
[hexin1-ospf-1-area-0.0.0.0]network 10.0.50.0 0.0.0.255
[hexin1-ospf-1-area-0.0.0.0]quit
配置车间汇聚
<chejianhuiju1>sys
System View: return to User View with Ctrl+Z.
[chejianhuiju1]ospf
[chejianhuiju1-ospf-1]area 0
[chejianhuiju1-ospf-1-area-0.0.0.0]network 10.0.4.0 0.0.0.255
[chejianhuiju1-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
[chejianhuiju1-ospf-1-area-0.0.0.0]network 10.0.50.0 0.0.0.255
[chejianhuiju1-ospf-1-area-0.0.0.0]quit
生产设备ping核心通,其他配置类似。
6、配置DHCP服务器
使用三层交换机搭建DHCP服务器,ping测试
[H3C]hostname dhcp
[dhcp]int g1/0/1
[dhcp-GigabitEthernet1/0/1]port link-mode route
[dhcp-GigabitEthernet1/0/1]ip add 10.0.0.1 24
[dhcp-GigabitEthernet1/0/1]save
[dhcp-GigabitEthernet1/0/1]quit
[dhcp]ip route-static 0.0.0.0 0 10.0.0.254
[dhcp]ping 10.0.0.254
Ping 10.0.0.254 (10.0.0.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.0.0.254: icmp_seq=0 ttl=255 time=0.000 ms
创建DHCP池
[dhcp]dhcp enable
dhcp server ip-pool bangong
gateway-list 10.0.3.254
network 10.0.3.0 mask 255.255.255.0
address range 10.0.3.100 10.0.3.200
DNS-list 8.8.8.8
expired day 3
#
dhcp server ip-pool wuxian
gateway-list 10.0.2.254
network 10.0.2.0 mask 255.255.255.0
address range 10.0.2.150 10.0.2.200
dns-list 114.114.114.114
expired day 3
#
沿途汇聚、核心都要开启DHCP中继,二层只要有对应VLAN并trunk即可。
[jichuhuiju]dhcp enable
#
interface Vlan-interface1002
dhcp select relay
dhcp relay server-address 10.0.0.1
#
interface Vlan-interface1003
dhcp select relay
dhcp relay server-address 10.0.0.1
#
查看客户端IP,成功获取IP
[dhcp]display dhcp server ip-in-use
IP address Client identifier/ Lease expiration Type
Hardware address
10.0.2.150 0038-6163-312e-3334- Jun 26 20:35:43 2021 Auto(C)
3266-2e31-3730-362d-
4745-302f-302f-31
10.0.3.100 0038-6137-362e-3466- Jun 28 20:35:31 2021 Auto(C)
3864-2e31-3230-362d-
4745-302f-302f-31
7、配置专线,仅办公和无线可以访问
办公汇聚、无线汇聚、核心、专线静态路由
[wuxianhuiju] ip route-static 10.1.0.0 24 10.0.60.10
[hexin1]ip route-static 10.1.0.0 24 10.0.90.18
[zhuanxianwangguan]ip route-static 10.0.2.0 24 10.0.90.15
测试办公和无线都可以访问专线IP10.1.0.2
8、配置办公和无线能访问外网,但外网无法直接访问内网
办公汇聚、无线汇聚、核心默认路由,外网网关静态路由
[bangonghuiju]ip route-static 0.0.0.0 0 10.0.30.6
[wuxianhuiju]ip route-static 0.0.0.0 0 10.0.60.10
[hexin1]ip route-static 0.0.0.0 0 10.0.10.1
[waibuwangguan]ip route-static 10.0.3.0 24 10.0.10.2
[waibuwangguan]ip route-static 10.0.2.0 24 10.0.10.2
配置最简单NAT访问方式Easy IP
[waibuwangguan]acl basic 200
[waibuwangguan-acl-ipv4-basic-2000]rule 0 permit source 10.0.2.0 0.0.0.255
[waibuwangguan-acl-ipv4-basic-2000]acl basic 2001
[waibuwangguan-acl-ipv4-basic-2001]rule 0 permit source 10.0.3.0 0.0.0.255
[waibuwangguan-acl-ipv4-basic-2001]quit
[waibuwangguan]int g0/0
[waibuwangguan-GigabitEthernet0/0]nat outbound 2001
[waibuwangguan-GigabitEthernet0/0]nat outbound 2000
办公和无线ping外网1.1.1.2通,外网ping内网不通
9、POE供电
受模拟器限制无法实现,实际在无线接入执行 poe enable 即可
10、办公人员通过telnet远程管理车间接入交换机
车间汇聚创建管理vlan2000
[chejianhuiju1]vlan 2000
[chejianhuiju1-vlan2000]int vlan 2000
[chejianhuiju1-Vlan-interface2000]ip add 192.168.1.254 24
车间接入创建管理vlan,开启telnet服务,设置默认路由
<chejianjieru>sys
System View: return to User View with Ctrl+Z.
[chejianjieru]vlan 2000
[chejianjieru-vlan2000]int vlan 2000
[chejianjieru-Vlan-interface2000]ip add 192.168.1.2 24
[chejianjieru-Vlan-interface2000]quit
[chejianjieru]user-interface vty 0 4
[chejianjieru-line-vty0-4]authentication-mode scheme
[chejianjieru-line-vty0-4]quit
[chejianjieru]local-user admin
New local user added.
[chejianjieru-luser-manage-admin]password simple 123456
[chejianjieru-luser-manage-admin]authorization-attribute user-role level-15
[chejianjieru-luser-manage-admin]service-type telnet
[chejianjieru-luser-manage-admin]quit
[chejianjieru]telnet server enable
[chejianjieru]save
[chejianjieru]ip route-static 0.0.0.0 0 192.168.1.254
核心添加静态路由
[hexin1]ip route-static 192.168.1.0 24 10.0.20.4
办公人员远程telnet
<bangonghuiju>telnet 192.168.1.2
Trying 192.168.1.2 ...
Press CTRL+K to abort
Connected to 192.168.1.2 ...
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
login: admin
Password:
<chejianjieru>
11、配置snmp网络管理协议
配置向10.0.0.1发送设备信息
snmp-agent
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 10.0.0.1 params securityname public v2c
12、配置监控网络,办公和无线可以访问监控服务器,不可访问摄像头,摄像头仅与监控服务器互相访问
核心设置静态路由,监控汇聚设置默认路由
[hexin1]ip route-static 10.0.5.0 24 10.0.80.17
[jiankonghuiju]ip route-static 0.0.0.0 0 10.0.80.16
在监控汇聚上联接口配置ACL规则,只允许访问10.0.5.1发出,其他禁止,从而达到只允许监控服务器被访问的目的
[jiankonghuiju]acl basic 2000
[jiankonghuiju-acl-ipv4-basic-2000]rule 0 permit source 10.0.5.1 0
[jiankonghuiju-acl-ipv4-basic-2000]rule 1 deny
[jiankonghuiju-acl-ipv4-basic-2000]quit
[jiankonghuiju]int Ten-GigabitEthernet1/0/49
[jiankonghuiju-Ten-GigabitEthernet1/0/49]packet-filter 2000 outbound
测试办公可以ping通10.0.5.1,不能ping通10.0.5.2
13、配置DHCP snooping,防止仿冒攻击
全局开启dhcp snooping,上联端口启用dhcp信任
[bangongjieru]dhcp snooping enable
[bangongjieru]interface GigabitEthernet1/0/2
[bangongjieru]dhcp snooping trust
14、配置端口隔离,减少接入傻瓜交换机造成的网络风暴,防御ARP攻击
[H3C]port-isolate group 2
[H3C]int g1/0/1
[H3C-GigabitEthernet1/0/1]port-isolate enable group 2
[H3C-GigabitEthernet1/0/1]int g1/0/2
[H3C-GigabitEthernet1/0/2]port-isolate enable group 2
[H3C-GigabitEthernet1/0/2]quit
[H3C]dis port-isolate group 2
Port isolation group information:
Group ID: 2
Group members:
GigabitEthernet1/0/1 GigabitEthernet1/0/2
总结
爽