Building a Stable and Secure Enterprise Network: Best Practices for Network Planning


Building a stable and secure enterprise network relies on a whole set of technologies. Because the techniques covered in the articles shared earlier were rather scattered, this article pulls those individual topics together so that you get an overall picture of the techniques mentioned previously.

This article covers IP addressing, VLANs, DHCP, NAT, WLAN and related topics.

Enterprise network lab configuration:

Address plan:

External server address: 220.220.220.80/24, gateway: 220.220.220.1/24

External network address: 110.110.110.0/24, gateway: 110.110.110.1/24

Internal wired terminal subnet: 192.168.10.0/24

Internal wireless terminal subnet: 192.168.20.0/24

Wireless AP management subnet: 192.168.21.0/24

VLAN assignment:

Wired terminals: vlan10

Wireless terminals: vlan20

Wireless device management: vlan21

Device interconnect: vlan255

Network topology:


Detailed configuration steps:

1. External-network router AR2 configuration

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo inf	
[Huawei]undo info-center en
Info: Information center is disabled.
[Huawei]
[Huawei]
[Huawei]sys	
[Huawei]sysname INter-R2
[INter-R2]
[INter-R2]int	
[INter-R2]interface gi	
[INter-R2]interface GigabitEthernet 0/0/0
[INter-R2-GigabitEthernet0/0/0]ip add	
[INter-R2-GigabitEthernet0/0/0]ip address 110.110.110.1 24
[INter-R2-GigabitEthernet0/0/0]int gi	
[INter-R2-GigabitEthernet0/0/0]int gi 0/0/1
[INter-R2-GigabitEthernet0/0/1]ip add 220.220.220.1 24
[INter-R2-GigabitEthernet0/0/1]q
[INter-R2]

2. External server1 configuration


3. Egress router AR1 configuration

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
# Disable informational messages
[Huawei]undo info-center en
Info: Information center is disabled.
[Huawei]
[Huawei]
# Change the device name
[Huawei]sysna	
[Huawei]sysname AR1
[AR1]
# Configure the interfaces
[AR1]int	
[AR1]interface gi	
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]des	
[AR1-GigabitEthernet0/0/0]description to-hexin
[AR1-GigabitEthernet0/0/0]
[AR1-GigabitEthernet0/0/0]ip a	
[AR1-GigabitEthernet0/0/0]ip add	
[AR1-GigabitEthernet0/0/0]ip address 192.168.255.2 24
[AR1-GigabitEthernet0/0/0]int gi 0/0/1
[AR1-GigabitEthernet0/0/1]des	
[AR1-GigabitEthernet0/0/1]description to-waiwang
[AR1-GigabitEthernet0/0/1]ip add 110.110.110.2 24
[AR1-GigabitEthernet0/0/1]q
[AR1]
# Create a basic access control list
[AR1]acl number 2002
[AR1-acl-basic-2002]ru	
[AR1-acl-basic-2002]rule 5 per	
[AR1-acl-basic-2002]rule 5 permit ?
  fragment             Check fragment packet
  none-first-fragment  Check the subsequence fragment packet  
  source               Specify source address
  time-range           Specify a special time
  vpn-instance         Specify a VPN-Instance
  <cr>                 Please press ENTER to execute command 
[AR1-acl-basic-2002]rule 5 permit sour	
[AR1-acl-basic-2002]rule 5 permit source 192.168.10.0 0.0.0.255
[AR1-acl-basic-2002]ru	
[AR1-acl-basic-2002]rule 10 per	
[AR1-acl-basic-2002]rule 10 permit ip ?
                                   ^
Error:Too many parameters found at '^' position.
[AR1-acl-basic-2002]rule 10 permit sour	
[AR1-acl-basic-2002]rule 10 permit source 192.168.20.0 0.0.0.255
[AR1-acl-basic-2002]
[AR1-acl-basic-2002]q
# Apply the ACL to the router's egress interface (NAT outbound)
[AR1]int gi 0/0/1
[AR1-GigabitEthernet0/0/1]nat out	
[AR1-GigabitEthernet0/0/1]nat outbound 2002
[AR1-GigabitEthernet0/0/1]
[AR1-GigabitEthernet0/0/1]
[AR1-GigabitEthernet0/0/1]q
[AR1]
# Add the default static route
[AR1]ip route-static 0.0.0.0 0.0.0.0 110.110.110.1
# Add return routes to the internal networks
[AR1]ip route-static 192.168.10.0 255.255.255.0 192.168.255.1 description youxian
[AR1]ip route-static 192.168.20.0 255.255.255.0 192.168.255.1 description wuxian
[AR1]

4. Core switch configuration

<Huawei>
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo int	
[Huawei]undo inf	
[Huawei]undo info-center en
Info: Information center is disabled.
[Huawei]
# Create the VLANs
[Huawei]vlan bat	
[Huawei]vlan batch 10 20 to 21 255
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]
# Add descriptions to the VLANs
[Huawei]vlan 10
[Huawei-vlan10]dest	
[Huawei-vlan10]des	
[Huawei-vlan10]description youxian
[Huawei-vlan10]vlan 20
[Huawei-vlan20]dest	
[Huawei-vlan20]des	
[Huawei-vlan20]description wuxian
[Huawei-vlan20]vlan 21
[Huawei-vlan21]dec	
[Huawei-vlan21]de	
[Huawei-vlan21]description wuxian-manage
[Huawei-vlan21]vlan 255
[Huawei-vlan255]des	
[Huawei-vlan255]description hulian-AR1
[Huawei-vlan255]q
[Huawei]
# Create the address pools: gateway, DNS and address range
[Huawei]ip pool vlan10
Info:It's successful to create an IP address pool.
[Huawei-ip-pool-vlan10]gateway-list 192.168.10.1
[Huawei-ip-pool-vlan10]network 192.168.10.0 mask 255.255.255.0 
[Huawei-ip-pool-vlan10]dns-list 114.114.114.114
[Huawei-ip-pool-vlan10]q
[Huawei]
[Huawei]ip pool vlan20
Info:It's successful to create an IP address pool.
[Huawei-ip-pool-vlan20]gateway-list 192.168.20.1
[Huawei-ip-pool-vlan20]network 192.168.20.0 mask 255.255.255.0
[Huawei-ip-pool-vlan20]dns-list 114.114.114.114
[Huawei-ip-pool-vlan20]q
[Huawei]
# Configure the gateway IP addresses
[Huawei]interface Vlanif 10
[Huawei-Vlanif10]ip add 192.168.10.1 24
[Huawei-Vlanif10]dhcp select global 
Error: Please enable DHCP in the global view first.
[Huawei-Vlanif10]
[Huawei-Vlanif10]q
[Huawei]dhcp en	
[Huawei]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[Huawei]
[Huawei]interface Vlanif 10
[Huawei-Vlanif10]dhcp select global 
[Huawei-Vlanif10]q
[Huawei]
[Huawei]interface Vlanif 20
[Huawei-Vlanif20]ip add 192.168.20.1 24
[Huawei-Vlanif20]dhcp se	
[Huawei-Vlanif20]dhcp select gl	
[Huawei-Vlanif20]dhcp select global 
[Huawei-Vlanif20]q
[Huawei]
[Huawei]interface Vlanif 255
[Huawei-Vlanif255]ip add 192.168.255.1 255.255.255.0
[Huawei-Vlanif255]q
[Huawei]
# Assign each interface to its VLAN
[Huawei]interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1]description to-AR1
[Huawei-GigabitEthernet0/0/1]port link-type access 
[Huawei-GigabitEthernet0/0/1]port default vlan 255
[Huawei-GigabitEthernet0/0/1]q
[Huawei]
[Huawei]interface GigabitEthernet 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access 
[Huawei-GigabitEthernet0/0/2]port default vlan 10
[Huawei-GigabitEthernet0/0/2]q
[Huawei]
[Huawei]int GigabitEthernet 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access 
[Huawei-GigabitEthernet0/0/3]port default vlan 10
[Huawei-GigabitEthernet0/0/3]q
[Huawei]
[Huawei]interface GigabitEthernet 0/0/23
[Huawei-GigabitEthernet0/0/23]port link-type trunk 
[Huawei-GigabitEthernet0/0/23]port trunk allow-pass vlan 20 to 21
[Huawei-GigabitEthernet0/0/23]port trunk pvid vlan 21
[Huawei-GigabitEthernet0/0/23]q
[Huawei]
[Huawei]interface GigabitEthernet 0/0/24
[Huawei-GigabitEthernet0/0/24]description to-AC6005
[Huawei-GigabitEthernet0/0/24]port link-type trunk 
[Huawei-GigabitEthernet0/0/24]port trunk allow-pass vlan 20 to 21
[Huawei-GigabitEthernet0/0/24]q
[Huawei]
[Huawei]
# Add the uplink static route
[Huawei]
[Huawei]ip route-static 0.0.0.0 0.0.0.0 192.168.255.2
[Huawei]

5. AC management configuration

[AC6005]
[AC6005]vlan bat	
[AC6005]vlan batch 21
Info: This operation may take a few seconds. Please wait for a moment...done.
[AC6005]dhcp en
Info: The operation may take a few seconds. Please wait for a moment.done.
[AC6005]
[AC6005]
[AC6005]vlan 21
[AC6005-vlan21]description wuxian-manage
[AC6005-vlan21]
[AC6005-vlan21]q
[AC6005]
[AC6005]int Vlanif 21
[AC6005-Vlanif21]ip add 192.168.21.1 24
[AC6005-Vlanif21]dhcp select interface 
[AC6005-Vlanif21]
[AC6005-Vlanif21]q
[AC6005]
[AC6005]interface GigabitEthernet 0/0/1
[AC6005-GigabitEthernet0/0/1]port link-type trunk 
[AC6005-GigabitEthernet0/0/1]port trunk allow-pass vlan 21
[AC6005-GigabitEthernet0/0/1]q
[AC6005]
[AC6005]capwap source interface Vlanif 21
[AC6005]
[AC6005]wlan
[AC6005-wlan-view]
[AC6005-wlan-view]security-profile name wyf-security
[AC6005-wlan-sec-prof-wyf-security]security wpa2 psk pass-phrase 88888888 aes
Warning: The current password is too simple. For the sake of security, you are a
dvised to set a password containing at least two of the following: lowercase let
ters a to z, uppercase letters A to Z, digits, and special characters. Continue?
 [Y/N]:y
[AC6005-wlan-sec-prof-wyf-security]q
[AC6005-wlan-view]ssid-profile name wyf	
[AC6005-wlan-view]ssid-profile name wyf-ssid
[AC6005-wlan-ssid-prof-wyf-ssid]ssid wyf
Info: This operation may take a few seconds, please wait.done.
[AC6005-wlan-ssid-prof-wyf-ssid]q
[AC6005-wlan-view]vap-profile name wyf-vap
[AC6005-wlan-vap-prof-wyf-vap]service-vlan vlan-id 20
Info: This operation may take a few seconds, please wait.done.
[AC6005-wlan-vap-prof-wyf-vap]ssid-profile wyf-ssid
Info: This operation may take a few seconds, please wait.done.
[AC6005-wlan-vap-prof-wyf-vap]q
[AC6005-wlan-view]sec	
[AC6005-wlan-view]security-profile wy	
[AC6005-wlan-view]security-profile wyf-security
                                   ^
Error: Unrecognized command found at '^' position.
[AC6005-wlan-view]security-profile ?
  name  Name
[AC6005-wlan-view]security-profile na	
[AC6005-wlan-view]security-profile name ?
  STRING<1-35>  The profile name cannot have a double quotation mark at the firs
t or last character and cannot contain any space or 
                question mark
[AC6005-wlan-view]security-profile name wyf-security
[AC6005-wlan-sec-prof-wyf-security]
[AC6005-wlan-sec-prof-wyf-security]q
[AC6005-wlan-view]re	
[AC6005-wlan-view]regulatory-domain-profile name wyf
[AC6005-wlan-regulate-domain-wyf]q
[AC6005-wlan-view]ap-group name wyf
Info: This operation may take a few seconds. Please wait for a moment.done.
[AC6005-wlan-ap-group-wyf]reg	
[AC6005-wlan-ap-group-wyf]regulatory-domain-profile wyf
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y
[AC6005-wlan-ap-group-wyf]
[AC6005-wlan-ap-group-wyf]radio 0
[AC6005-wlan-group-radio-wyf/0]vap-profile wyf-vap wlan 1
Info: This operation may take a few seconds, please wait...done.
[AC6005-wlan-group-radio-wyf/0]q
[AC6005-wlan-ap-group-wyf]radi	
[AC6005-wlan-ap-group-wyf]radio 1
[AC6005-wlan-group-radio-wyf/1]vap	
[AC6005-wlan-group-radio-wyf/1]vap-profile wyf-va	
[AC6005-wlan-group-radio-wyf/1]vap-profile wyf-vap wla	
[AC6005-wlan-group-radio-wyf/1]vap-profile wyf-vap wlan 1
Info: This operation may take a few seconds, please wait...done.
[AC6005-wlan-group-radio-wyf/1]
[AC6005-wlan-group-radio-wyf/1]q
[AC6005-wlan-ap-group-wyf]ap id 0 ty	
[AC6005-wlan-ap-group-wyf]ap id 0 ty
[AC6005-wlan-ap-group-wyf]ap-	
[AC6005-wlan-ap-group-wyf]ap-?
  ap-system-profile  Bind AP system profile
[AC6005-wlan-ap-group-wyf]ap-id	
[AC6005-wlan-ap-group-wyf]ap-i?
                          ^
Error: Unrecognized command found at '^' position.
[AC6005-wlan-ap-group-wyf]q
[AC6005-wlan-view]ap	
[AC6005-wlan-view]ap-	
[AC6005-wlan-view]ap-group
[AC6005-wlan-view]ap-id 0 ty	
[AC6005-wlan-view]ap-id 0 type-id 56 ap-ma	
[AC6005-wlan-view]ap-id 0 type-id 56 ap-mac 00e0-fcb4-3110 ap-sn 210235448310EE0
5741D
[AC6005-wlan-ap-0]ap-	
[AC6005-wlan-ap-0]ap-grou	
[AC6005-wlan-ap-0]ap-group 
[AC6005-wlan-ap-0]ap-?
  ap-group           AP group
  ap-name            AP name
  ap-system-profile  Bind AP system profile
[AC6005-wlan-ap-0]ap-name wyf01
[AC6005-wlan-ap-0]ap-group wyf
Warning: This operation may cause AP reset. If the country code changes, it will
 clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC6005-wlan-ap-0]q
[AC6005-wlan-view]
[AC6005-wlan-view]q
[AC6005]q
<AC6005>save
  The current configuration will be written to the device. 
  Are you sure to continue? (y/n)[n]:y
  It will take several minutes to save configuration file, please wait.......
  Configuration file has been saved successfully
  Note: The configuration file will take effect after being activated
<AC6005>
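As an added verification example (written for this article, not part of the original post or of Huawei's tooling), the following Python script re-checks the two security-relevant decisions made above: which source subnets the basic ACL 2002 lets out through NAT on AR1 (with the matching return routes), and whether the WPA2 passphrase entered on the AC6005 would satisfy the complexity the AC itself warned about. The tables are transcribed from the sessions above; the function names are ours.

```python
import ipaddress
import re

# Data transcribed from the article's AR1 and AC6005 sessions (constructed here as plain tables).
ACL_2002 = [  # (rule id, action, source, wildcard) as typed under "acl number 2002"
    (5, "permit", "192.168.10.0", "0.0.0.255"),
    (10, "permit", "192.168.20.0", "0.0.0.255"),
]
RETURN_ROUTES = [  # (destination, mask, next hop) from "ip route-static" on AR1
    ("192.168.10.0", "255.255.255.0", "192.168.255.1"),
    ("192.168.20.0", "255.255.255.0", "192.168.255.1"),
]

def wildcard_match(src, base, wildcard):
    """Huawei wildcard semantics: a 1 bit means 'don't care'; only the 0 bits are compared."""
    s, b, w = (int(ipaddress.ip_address(x)) for x in (src, base, wildcard))
    return (s & ~w) == (b & ~w)

def nat_decision(src, acl=ACL_2002):
    """Rules are evaluated in ascending rule-id order. With no match, a basic ACL bound by
    'nat outbound' denies, so the packet leaves AR1 untranslated (and is unroutable upstream)."""
    for _, action, base, wildcard in sorted(acl):
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

def rule_network(base, wildcard):
    """Turn a contiguous wildcard such as 0.0.0.255 into the equivalent prefix (/24)."""
    w = int(ipaddress.ip_address(wildcard))
    assert (w + 1) & w == 0, "non-contiguous wildcard masks are not handled"
    return ipaddress.ip_network(f"{base}/{32 - w.bit_length()}", strict=False)

def missing_return_routes(acl=ACL_2002, routes=RETURN_ROUTES):
    """Every network NATed outbound needs a route back via the core switch (192.168.255.1),
    otherwise replies from the Internet are dropped on AR1. Returns NATed networks without one."""
    routed = {ipaddress.ip_network(f"{d}/{m}") for d, m, _ in routes}
    natted = {rule_network(b, w) for _, a, b, w in acl if a == "permit"}
    return sorted(str(n) for n in natted - routed)

def psk_is_acceptable(psk):
    """WPA2-PSK passphrases are 8-63 ASCII characters; the AC's own warning (at least two of
    lowercase, uppercase, digits, special characters) is applied here as a hard rule."""
    if not 8 <= len(psk) <= 65 - 2 or not psk.isascii():
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(bool(re.search(c, psk)) for c in classes) >= 2
```

Note that the AP management subnet 192.168.21.0/24 is deliberately absent from ACL 2002, so `nat_decision("192.168.21.9")` returns "deny": APs only need to reach the AC over CAPWAP, not the Internet.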

Testing:

Wireless stations STA1 and STA2 can both ping server1 and PC1/PC2.


Likewise, the wired PCs can ping the external server1 and the wireless STAs.

Closing words:

Limiting yourself means standing still; only by pushing past your limits can you discover your potential. That is this issue's "Building a Stable and Secure Enterprise Network: Best Practices for Network Planning". Having weathered my own storms, I know you will be strong too. I will read your [like] + [follow] as approval.


About the author:

I am "Network Systems Craftsman", a systems operations engineer, continuously sharing practical content on network technology and systems operations. Writing is hard work; if you find the article useful, bookmark it, you may need it some day.
