(2) Wired network configuration
4. On switches S3 and S4, configure DHCP relay for the users in VLAN 10, so that the headquarters PC1 user obtains its IP address through DHCP Relay.
5. The DHCP server is built on EG1; the address pool is named Pool_VLAN10, and the DHCP service is offered on the loopback 0 address.
S3/S4:
service dhcp
interface vlan 10
ip helper-address 11.1.0.11 (EG1 loopback 0, the DHCP server address)
9. The headquarters and branch internal networks both run OSPF; the headquarters, the branch and the Internet are interconnected with static routes. Specific requirements: at headquarters, S3, S4 and EG1 run OSPF process 10 in a single area 0; at the branch, S7 and EG2 run OSPF process 20 in a single area 0; the server area uses static routing; routes redistributed into OSPF use metric type 1.
R3:
Static routes for the AC loopbacks and the S5 loopback must be written, pointing toward the S5 exit.
S4:
interface g0/24
ip ospf network point-to-point
interface vlan 100
ip ospf network point-to-point
router ospf 10
router-id 11.1.0.34
graceful-restart
passive-interface VLAN 10
passive-interface VLAN 20
passive-interface VLAN 30
passive-interface VLAN 40
passive-interface VLAN 50
passive-interface VLAN 60
network 10.1.0.4 0.0.0.3 area 0
network 11.1.0.34 0.0.0.0 area 0
network 192.1.10.253 0.0.0.0 area 0
network 192.1.20.253 0.0.0.0 area 0
network 192.1.30.253 0.0.0.0 area 0
network 192.1.40.253 0.0.0.0 area 0
network 192.1.50.253 0.0.0.0 area 0
network 192.1.60.253 0.0.0.0 area 0
network 192.1.100.253 0.0.0.0 area 0
S3:
interface g0/24
ip ospf network point-to-point
interface vlan 100
ip ospf network point-to-point
router ospf 10
router-id 11.1.0.33
graceful-restart
passive-interface VLAN 10
passive-interface VLAN 20
passive-interface VLAN 30
passive-interface VLAN 40
passive-interface VLAN 50
passive-interface VLAN 60
network 10.1.0.1 0.0.0.0 area 0
network 10.1.0.0 0.0.0.3 area 0
network 11.1.0.33 0.0.0.0 area 0
network 192.1.10.252 0.0.0.0 area 0
network 192.1.20.252 0.0.0.0 area 0
network 192.1.30.252 0.0.0.0 area 0
network 192.1.40.252 0.0.0.0 area 0
network 192.1.50.252 0.0.0.0 area 0
network 192.1.60.252 0.0.0.0 area 0
network 192.1.100.252 0.0.0.0 area 0
EG1:
interface range g0/0-1
ip ospf network point-to-point
ip route 0.0.0.0 0.0.0.0 20.1.0.2
router ospf 10
router-id 11.1.0.11
yes (confirm the router-id change prompt)
network 10.1.0.2 0.0.0.3 area 0
network 10.1.0.6 0.0.0.3 area 0
network 11.1.0.11 0.0.0.0 area 0
default-information originate always metric-type 1
EG2:
router ospf 20
router-id 11.1.0.12
graceful-restart
network 10.1.0.18 0.0.0.0 area 0
network 11.1.0.12 0.0.0.0 area 0
default-information originate metric-type 1
interface g0/1
ip ospf network point-to-point
S7:
router ospf 20
router-id 11.1.0.67
graceful-restart
passive-interface VLAN 10
passive-interface VLAN 20
passive-interface VLAN 50
passive-interface VLAN 60
network 10.1.0.17 0.0.0.0 area 0
network 11.1.0.67 0.0.0.0 area 0 (loopback 0)
network 193.1.10.0 0.0.0.255 area 0
network 193.1.20.0 0.0.0.255 area 0
network 193.1.50.0 0.0.0.255 area 0
network 193.1.60.0 0.0.0.255 area 0
network 193.1.100.0 0.0.0.255 area 0
S5:
ip route 0.0.0.0 0.0.0.0 40.1.0.2
ip route 11.1.0.204 255.255.255.255 194.1.100.2
ip route 11.1.0.205 255.255.255.255 194.1.100.3
AC1:
ip route 0.0.0.0 0.0.0.0 194.1.100.254
AC2:
ip route 0.0.0.0 0.0.0.0 194.1.100.254
12. R1, R2 and R3 run OSPF as the IGP so that their directly connected segments are mutually reachable.
R1:
interface range g0/1-2
ip ospf network point-to-point
router ospf 10
network 12.1.0.1 0.0.0.15 area 0
network 13.1.0.1 0.0.0.15 area 0
network 40.1.0.1 0.0.0.0 area 0
router-id 11.1.0.1
yes (confirm the router-id change prompt)
network 11.1.0.1 0.0.0.0 area 0
redistribute static
ip route 20.1.0.0 255.255.0.0 20.1.0.1
router bgp 100
bgp log-neighbor-changes
neighbor 11.1.0.2 remote-as 100
neighbor 11.1.0.2 update-source Loopback 0
neighbor 11.1.0.3 remote-as 100
neighbor 11.1.0.3 update-source Loopback 0
!
address-family ipv4
neighbor 11.1.0.2 activate
neighbor 11.1.0.3 activate
R2:
ip route 30.1.0.0 255.255.0.0 30.1.0.1
interface range g0/1-2
ip ospf network point-to-point
router ospf 10
router-id 11.1.0.2
yes (confirm the router-id change prompt)
network 11.1.0.2 0.0.0.0 area 0
network 12.1.0.2 0.0.0.15 area 0
network 23.1.0.2 0.0.0.15 area 0
redistribute static metric-type 1 subnets
router bgp 100
bgp log-neighbor-changes
neighbor 11.1.0.1 remote-as 100
neighbor 11.1.0.1 update-source Loopback 0
neighbor 11.1.0.3 remote-as 100
neighbor 11.1.0.3 update-source Loopback 0
!
address-family ipv4
R3:
ip route 11.1.0.204 255.255.255.255 40.1.0.1
ip route 194.1.100.0 255.255.255.0 40.1.0.1
ip route 11.1.0.205 255.255.255.255 40.1.0.1
interface range g0/1-2
ip ospf network point-to-point
router ospf 10
router-id 11.1.0.3
yes (confirm the router-id change prompt)
network 11.1.0.3 0.0.0.0 area 0
network 13.1.0.3 0.0.0.15 area 0
network 23.1.0.3 0.0.0.15 area 0
router bgp 100
bgp log-neighbor-changes
neighbor 11.1.0.1 remote-as 100
neighbor 11.1.0.1 update-source Loopback 0
neighbor 11.1.0.2 remote-as 100
neighbor 11.1.0.2 update-source Loopback 0
network 11.1.0.204 mask 255.255.255.255
network 11.1.0.205 mask 255.255.255.255
network 194.1.100.0 mask 255.255.255.0
address-family ipv4
neighbor 11.1.0.1 activate
neighbor 11.1.0.2 activate
neighbor 11.1.0.1 next-hop-self (see the note below: R1/R2 have no route to 40.1.0.1)
neighbor 11.1.0.2 next-hop-self
There is a problem here:
the next-hop received over IBGP is 40.1.0.1, which is unreachable on the other routers, so next-hop-self must be added.
After the change, the next-hop 40.1.0.1 becomes 11.1.0.3.
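To make the next-hop problem above concrete, here is an added Python example (not part of the original notes) that resolves a BGP next-hop against a routing table by longest-prefix match, and shows that the prefixes R3 originates are unusable on R2 until next-hop-self rewrites the next-hop to R3's loopback. The R2 routing-table snapshot is constructed for the example from the prefixes in the page's OSPF configs, not captured from a device.

```python
import ipaddress

# Constructed snapshot of R2's routing table after OSPF converges (assumed for
# this example): the prefixes are the ones the page's R1/R2/R3 configs put into
# OSPF, plus R2's own static route.  There is deliberately no route covering
# 40.1.0.1, the next-hop of R3's static routes towards S5.
R2_RIB = {
    "11.1.0.1/32": "ospf",       # R1 loopback 0
    "11.1.0.3/32": "ospf",       # R3 loopback 0
    "12.1.0.0/28": "connected",
    "23.1.0.0/28": "connected",
    "13.1.0.0/28": "ospf",
    "30.1.0.0/16": "static",
}

def resolve_next_hop(rib, next_hop):
    """Longest-prefix match of a BGP next-hop against the RIB.  Returns the
    covering prefix, or None when the next-hop does not resolve; a BGP path
    with an unresolvable next-hop stays in the BGP table but is never
    installed or advertised as best."""
    nh = ipaddress.ip_address(next_hop)
    best = None
    for prefix in rib:
        net = ipaddress.ip_network(prefix)
        if nh in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best else None

def usable_prefixes(rib, paths):
    """Prefixes of the (prefix, next_hop) iBGP paths whose next-hop resolves."""
    return [p for p, nh in paths if resolve_next_hop(rib, nh) is not None]

# The three prefixes R3 originates with `network`, as R2 receives them.
# Without next-hop-self, R3 passes on the next-hop of its own static routes
# (40.1.0.1); with `neighbor 11.1.0.2 next-hop-self` it rewrites the
# next-hop to its loopback 11.1.0.3, which OSPF already carries.
R3_PATHS_WITHOUT_NHS = [(p, "40.1.0.1") for p in
                        ("11.1.0.204/32", "11.1.0.205/32", "194.1.100.0/24")]
R3_PATHS_WITH_NHS = [(p, "11.1.0.3") for p, _ in R3_PATHS_WITHOUT_NHS]
```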
16. The primary path between headquarters finance and sales IPv4 users and the Internet is planned as S3-EG1.
17. The primary path between headquarters R&D and marketing IPv4 users and the Internet is planned as S4-EG1.
On S3, set the cost of the R&D and marketing VLAN interfaces to 5.
On S4, set the cost of the finance and sales VLAN interfaces to 5.
(3) Wireless network configuration
4. Use S3 and S4 as the DHCP server for headquarters wireless users and wireless APs, and S6/S7 as the DHCP server for branch wireless users and wireless APs.
S1:
interface g0/21
switchport mode trunk
switchport trunk native vlan 50
switchport trunk allowed vlan only 50,60
interface g0/22
switchport mode trunk
switchport trunk native vlan 50
switchport trunk allowed vlan only 50,60
S3: (S3 is the primary for VLANs 50 and 60)
service dhcp
ip dhcp pool vlan50
option 43 ip 11.1.0.204 11.1.0.205
network 192.1.50.0 255.255.255.0
default-router 192.1.50.254
ip dhcp pool vlan60
network 192.1.60.0 255.255.255.0
default-router 192.1.60.254
S7:
ip dhcp pool vlan50
option 43 ip 11.1.0.204 11.1.0.205
network 193.1.50.0 255.255.255.0
default-router 193.1.50.254
!
ip dhcp pool vlan60
network 193.1.60.0 255.255.255.0
default-router 193.1.60.254
service dhcp
int g0/23
switchport mode trunk
switchport trunk native vlan 50
switchport trunk allowed vlan only 50,60
EG1:
service dhcp
ip dhcp pool Pool_VLAN10
network 192.1.10.0 255.255.255.0
default-router 192.1.10.254
8. AC1 is the primary and AC2 the backup. APs establish tunnels to both AC1 and AC2; when an AP loses its connection to AC1 it switches seamlessly to AC2, which continues to provide service.
AC1 and AC2 (common configuration):
wlan-config 1 test-ZB_XX
tunnel local
wlan-config 2 test-FB_XX
tunnel local
wlan-based per-user-limit down-streams average-data-rate 800 burst-data-rate 1600 (task 10: 800 KB/s average, 1600 KB/s burst)
ap-group ZB
interface-map 1 60
ap-group FB
interface-map 2 60
interface g0/1
switchport mode trunk
switchport trunk allowed vlan only 100
AC1:
wlan hot-backup 11.1.0.205
local-ip 11.1.0.204
context 10
priority level 7
ap-group ZB
ap-group FB
exit
wlan hot-backup enable
AC2:
wlan hot-backup 11.1.0.204
local-ip 11.1.0.205
context 10
priority level 5
ap-group ZB
ap-group FB
exit
wlan hot-backup enable
10. To safeguard each user's wireless experience, limit every user under WLAN ID 2 to a downstream average rate of 800 KB/s and a burst rate of 1600 KB/s.
11. At headquarters, each AP may serve at most 30 associated users.
12. At the branch, use a time schedule so that the wireless service is turned off every Monday to Friday between 21:00 and 23:30.
13. At headquarters, set the AP transmit power to 30.
14. At headquarters, disable low-rate access (11b/g 1M, 2M, 5M; 11a 6M, 9M).
schedule session 8
schedule session 8 time-range 1 period Mon to Fri time 21:00 to 23:30
ap-config 0074.9c72.1b0f
ap-name AP1
sta-limit 30
ap-group ZB
channel 1 radio 1
channel 149 radio 2
power local 30 radio 1
power local 30 radio 2
ap-config c470.abb6.c6e4
ap-name AP2
ap-group ZB
sta-limit 30
channel 1 radio 1
channel 149 radio 2
power local 30 radio 1
power local 30 radio 2
ap-config c470.abb6.c94c
schedule session 8
ap-name AP3
ap-group FB
sta-limit 30
channel 1 radio 1
channel 149 radio 2
power local 30 radio 1
power local 30 radio 2
ac-controller (task 14: disable the low rates)
802.11b network rate 1 disabled
802.11b network rate 2 disabled
802.11b network rate 5 disabled
802.11g network rate 1 disabled
802.11g network rate 2 disabled
802.11g network rate 5 disabled
802.11a network rate 6 disabled
802.11a network rate 9 disabled
(4) Egress network configuration
1. Configure NAT on the egress gateways so that all headquarters and branch users (ACL 110) can access the Internet; use NAPT to translate the internal users' IP addresses to the Internet-facing interface.
EG1:
interface range g0/0-1
ip nat inside
interface g0/4
ip nat outside
ip access-list extended 110
5 deny ip host 100.0.0.1 host 100.0.0.2 (exclude the L2TP/IPsec tunnel traffic from NAT)
6 deny ip 192.1.0.0 0.0.255.255 194.1.0.0 0.0.255.255 (exclude the ACL 101 IPsec traffic as well; NAT runs before the crypto map)
10 permit ip 192.1.0.0 0.0.255.255 any
ip nat pool all prefix-length 30
address 20.1.0.1 20.1.0.1 match interface g0/4
ip nat inside source list 110 interface GigabitEthernet 0/4 overload
EG2:
interface g0/4
ip nat outside
interface g0/1
ip nat inside
ip access-list extended 110
5 deny ip host 100.0.0.2 host 100.0.0.1 (exclude the L2TP/IPsec tunnel traffic from NAT)
6 deny ip 193.1.0.0 0.0.255.255 194.1.0.0 0.0.255.255 (exclude the ACL 101 IPsec traffic as well)
10 permit ip 193.1.0.0 0.0.255.255 any
ip nat pool all prefix-length 30
address 30.1.0.1 30.1.0.1 match interface g0/4
ip nat inside source list 110 interface GigabitEthernet 0/4 overload
8. Use IPsec in tunnel main mode; the security protocol is ESP, the encryption algorithm 3DES and the authentication algorithm MD5; establish the IPsec SA through IKE. The parameters configured on EG1 and EG2 are: the IPsec transform set is named myset; the pre-shared key is the plaintext 123456; the static IPsec crypto map is mymap; the ACL number is 101.
Change:
R3/EG1/EG2
R3 to EG1/EG2 is established with IPsec.
EG1 to EG2 uses L2TP over IPsec.
IPsec uses dynamic mode.
LNS: tunnel address 100.0.0.1
LAC: tunnel address 100.0.0.2
Loopback 2 is used to form the neighbor relationship.
LNS:
vpdn enable
vpdn-group 1
accept-dialin
virtual-template 1
l2tp tunnel authentication
l2tp tunnel password ruijie
source-ip 20.1.0.1 (optional)
username l2tp1 password l2tp1
ip local pool l2tp-pool 100.0.0.1 100.0.0.2
interface loopback 2
ip address 100.0.0.1 255.255.255.0
interface virtual-template 1
ip unnumbered loopback 2
ppp authentication pap chap
ppp default ip address pool l2tp-pool
LAC:
l2tp-class l2tp-class
authentication
password ruijie
pseudowire-class l2tp-pse
encapsulation l2tpv2
protocol l2tpv2 l2tp-class
ip local interface g0/0 (public interface)
interface virtual-ppp 1
ppp pap sent-username l2tp1 password l2tp1 (must match the username configured on the LNS)
ip address negotiate
pseudowire 30.0.0.1 12 pw-class l2tp-pse (12 is the pseudowire id; any value works)
IPsec:
EG1:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
mode transport
ip access-list extended 101
10 permit ip 192.1.0.0 0.0.255.255 194.1.0.0 0.0.255.255
access-list 102 permit ip host 100.0.0.1 host 100.0.0.2
crypto isakmp key 0 123456 address 13.1.0.3
crypto isakmp key 0 123456 address 30.1.0.1
crypto map mymap 1 ipsec-isakmp
set transform-set 3dessha
match address 101
set peer 13.1.0.3
crypto map mymap 2 ipsec-isakmp
set transform-set 3dessha
match address 102
set peer 30.1.0.1 (EG2's Internet address, the same one the pre-shared key is bound to)
interface virtual-ppp 1
ip ospf network point-to-point
router ospf 20
network 100.0.0.2 0.0.0.0 area 0
interface g0/4
crypto map mymap
EG2:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
mode transport
ip access-list extended 101
10 permit ip 193.1.0.0 0.0.255.255 194.1.0.0 0.0.255.255
access-list 102 permit ip host 100.0.0.2 host 100.0.0.1
crypto isakmp key 0 123456 address 23.1.0.3
crypto isakmp key 0 123456 address 20.1.0.1
crypto map mymap 1 ipsec-isakmp
set transform-set 3dessha
match address 101
set peer 23.1.0.3
crypto map mymap 2 ipsec-isakmp
set transform-set 3dessha
match address 102
set peer 20.1.0.1
interface virtual-ppp 1
ip ospf network point-to-point
router ospf 20
network 100.0.0.2 0.0.0.0 area 0
interface g0/4
crypto map mymap
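To check the interaction between the NAT list (ACL 110) and the crypto ACLs (101/102) offline, here is an added Python example that is not part of the original notes: it evaluates ACLs with first-match semantics, lists the flows that a crypto ACL selects but the NAT list would still translate (on these gateways inside-to-outside NAT runs before the crypto map, so such a flow never reaches the tunnel), and checks that EG1's and EG2's ACL 102 mirror each other. The sample flows and the "fixed" variant of ACL 110 are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# One access-list entry; src/dst are ip_network objects (a host is a /32).
Ace = namedtuple("Ace", "seq action src dst")

def ace(seq, action, src, dst):
    return Ace(seq, action, ipaddress.ip_network(src), ipaddress.ip_network(dst))

# EG1's NAT list (ACL 110) with only the L2TP endpoints excluded from NAT,
# and a constructed variant that also excludes the ACL 101 site-to-site traffic.
ACL110_L2TP_ONLY = [
    ace(5, "deny", "100.0.0.1/32", "100.0.0.2/32"),
    ace(10, "permit", "192.1.0.0/16", "0.0.0.0/0"),
]
ACL110_FIXED = [ace(6, "deny", "192.1.0.0/16", "194.1.0.0/16")] + ACL110_L2TP_ONLY
# EG1's crypto ACLs and EG2's mirror of ACL 102, as on the page.
ACL101_EG1 = [ace(10, "permit", "192.1.0.0/16", "194.1.0.0/16")]
ACL102_EG1 = [ace(10, "permit", "100.0.0.1/32", "100.0.0.2/32")]
ACL102_EG2 = [ace(10, "permit", "100.0.0.2/32", "100.0.0.1/32")]

def acl_match(acl, src, dst):
    """First match in sequence order; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in sorted(acl, key=lambda e: e.seq):
        if s in e.src and d in e.dst:
            return e.action
    return "deny"

def nat_steals_vpn_traffic(nat_acl, crypto_acls, flows):
    """Flows a crypto ACL selects that the NAT list also permits.  Because the
    gateway translates before it encrypts, such a flow leaves with a translated
    source, no longer matches the crypto ACL, and goes out unprotected."""
    return [f for f in flows
            if acl_match(nat_acl, *f) == "permit"
            and any(acl_match(c, *f) == "permit" for c in crypto_acls)]

def is_mirror(local, remote):
    """Crypto ACLs on the two peers must be exact mirrors or phase 2 fails."""
    own = sorted((str(e.src), str(e.dst)) for e in local)
    theirs = sorted((str(e.dst), str(e.src)) for e in remote)
    return own == theirs

# Constructed sample flows: HQ user to the server segment (ACL 101 traffic),
# the L2TP endpoints, and an HQ user to an Internet host (TEST-NET-3 placeholder).
FLOWS = [("192.1.10.1", "194.1.100.2"),
         ("100.0.0.1", "100.0.0.2"),
         ("192.1.10.1", "203.0.113.10")]
```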