ENSP综合实验(中小型网络）

一、实验背景

在当今数字化的企业环境中，一个稳定、高效且安全的网络架构对于业务的持续运营和发展至关重要。随着企业内部各部门业务的不断拓展，如财务部门对数据保密性要求极高，访客区域的网络接入需求逐渐增多，以及对外提供特定服务器服务的需求增长，构建一个既能满足日常办公和业务运营，又能保障信息安全和资源合理分配的园区网络迫在眉睫。

为了实现这些目标，本实验来模仿中型企业网路环境，通过一系列技术要求和配置。企业内部拥有多个不同的业务部门，各部门之间的网络流量需要合理规划和隔离，以避免相互干扰和数据泄露风险。同时，随着移动办公设备的普及，无线网络的覆盖和优化也成为提升员工工作效率的关键因素。此外，为了与外部网络进行安全、可靠的通信并对外提供部分服务，如FTP 服务，以及保障内部用户对外部网络和特定内部资源（如DNS服务器）的访问，需要精心设计和配置网络的各个层面，包括交换机、路由器和防火墙等设备，以适应复杂多变的网络环境和业务需求。

二、拓扑图规划

三、实验需求

1、所有主机通过DHCP获取地址（包括DNS地址）。

2、LSW1为默认STP域的根桥。

3、LSW1为VLAN10、30、100、101的根桥。

4、LSW2为VLAN20、40、102的根桥。

5、 LSW1与LSW2之间为配置Eth-Trunk，模式为LACP。

6、LSW1为VLAN10、30、100、101的网关。

7、 LSW2为VLAN20、40、102的网关。

8、AR1、AR2、LSW1、LSW2使用OSPF。

9、配置OSPF使得内部默认从AR1访问外网。

10、防火墙外部流量访问内部时默认先走R1、SW1

11、配置AC、AP。

12、内部可以访问DMZ服务器。

13、DMZ区域FTP服务器为Internet用户提供FTP服务。

14、DMZ区域DNS服务器为内部用户提供服务。

15.FW上配置Easy IP，使内部用户可以访问外网。

16.限制其它部门访问财务部。

17.访客区只可以访问服务器以及外网。

18.设置边缘端口。

19.设置访客区不可以互相访问。

四、配置思路

4-1、创建vlan和划分vlan

4-1-1在接入层需要进行VLAN划分、设置端口类型

LSW3

[LSW3]vlan batch 10 to 11 20 30 40 100 to 102
[LSW3]int e0/0/1
[LSW3-Ethernet0/0/1]port link-type trunk
[LSW3-Ethernet0/0/1]port trunk allow-pass vlan all
[LSW3-Ethernet0/0/1]port trunk pvid vlan 100
[LSW3-Ethernet0/0/1]q
[LSW3]int e0/0/2
[LSW3-Ethernet0/0/2]port link-type trunk
[LSW3-Ethernet0/0/2]port trunk allow-pass vlan all
[LSW3-Ethernet0/0/2]port trunk pvid vlan 100
[LSW3-Ethernet0/0/2]q
[LSW3]int e0/0/3
[LSW3-Ethernet0/0/3]port link-type access
[LSW3-Ethernet0/0/3]port default vlan 10
[LSW3-Ethernet0/0/3]q
[LSW3]int e0/0/3
[LSW3-Ethernet0/0/4]port link-type access
[LSW3-Ethernet0/0/4]port default vlan 10
[LSW3-Ethernet0/0/4]q
[LSW3]int g0/0/1
[LSW3-GigabitEthernet0/0/1]port link-type trunk
[LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[LSW3-GigabitEthernet0/0/1]port trunk pvid vlan 100
[LSW3-GigabitEthernet0/0/1]q
[LSW3]

LSW4

[LSW4]vlan batch 10 to 11 20 30 40 100 to 102
[LSW4]int e0/0/1
[LSW4-Ethernet0/0/1]port link-type trunk
[LSW4-Ethernet0/0/1]port trunk allow-pass vlan 20
[LSW4-Ethernet0/0/1]port trunk allow-pass vlan all
[LSW4-Ethernet0/0/1]q
[LSW4]int e0/0/2
[LSW4-Ethernet0/0/2]port link-type trunk
[LSW4-Ethernet0/0/2]port trunk allow-pass vlan all
[LSW4-Ethernet0/0/2]port trunk pvid vlan 100
[LSW4-Ethernet0/0/2]q
[LSW4]int e0/0/1
[LSW4-Ethernet0/0/1]port trunk pvid vlan 100
[LSW4-Ethernet0/0/1]q
[LSW4]int e0/0/3
[LSW4-Ethernet0/0/3]port link-type access
[LSW4-Ethernet0/0/3]port default vlan 20
[LSW4-Ethernet0/0/3]q
[LSW4]int e0/0/4
[LSW4-Ethernet0/0/4]port link-type access
[LSW4-Ethernet0/0/4]port default vlan 20
[LSW4-Ethernet0/0/4]q

LSW5

[LSW5]vlan batch 10 to 11 20 30 40 100 to 102
[LSW5]int e0/0/1
[LSW5-Ethernet0/0/1]port link-type trunk
[LSW5-Ethernet0/0/1]port trunk allow-pass vlan all
[LSW5-Ethernet0/0/1]port trunk pvid vlan 100
[LSW5-Ethernet0/0/1]q
[LSW5]int e0/0/2
[LSW5-Ethernet0/0/2]port link-type trunk
[LSW5-Ethernet0/0/2]port trunk allow-pass vlan all
[LSW5-Ethernet0/0/2]port trunk pvid vlan 100
[LSW5-Ethernet0/0/2]q
[LSW5]int e0/0/3
[LSW5-Ethernet0/0/3]port link-type access
[LSW5-Ethernet0/0/3]port default vlan 30
[LSW5-Ethernet0/0/3]q
[LSW5]int e0/0/4
[LSW5-Ethernet0/0/4]port link-type access
[LSW5-Ethernet0/0/4]port default vlan 30
[LSW5-Ethernet0/0/4]q

LSW6

[LSW6][LSW5]vlan batch 10 to 11 20 30 40 100 to 102
[LSW6]int e0/0/1
[LSW6-Ethernet0/0/1]port link-type trunk 
[LSW6-Ethernet0/0/1]port trunk allow-pass vlan all
[LSW6-Ethernet0/0/1]port trunk pvid vlan 100
[LSW6-Ethernet0/0/1]q
[LSW6]int e0/0/2
[LSW6-Ethernet0/0/2]port link-type trunk
[LSW6-Ethernet0/0/2]port trunk allow-pass vlan all
[LSW6-Ethernet0/0/2]port trunk pvid vlan 100
[LSW6-Ethernet0/0/2]q
[LSW6]int e0/0/3
[LSW6-Ethernet0/0/3]port link-type access
[LSW6-Ethernet0/0/3]port default vlan 40
[LSW6-Ethernet0/0/3]q
[LSW6]int e0/0/4
[LSW6-Ethernet0/0/4]port link-type access
[LSW6-Ethernet0/0/4]port default vlan 40
[LSW6-Ethernet0/0/4]q
[LSW6]int g0/0/1
[LSW6-GigabitEthernet0/0/1]port link-type trunk
[LSW6-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[LSW6-GigabitEthernet0/0/1]port trunk pvid vlan 100
[LSW6-GigabitEthernet0/0/1]q

4-1-2在接入层需要进行VLAN划分、设置端口类型。

LSW1

[LSW1]vlan batch 10 20 30 40 11 31 32 100 101 102
[LSW1]int g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type trunk
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[LSW1-GigabitEthernet0/0/1]port trunk pvid vlan 100
[LSW1-GigabitEthernet0/0/1]q
[LSW1]int g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type trunk
[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[LSW1-GigabitEthernet0/0/2]port trunk pvid vlan 100
[LSW1-GigabitEthernet0/0/2]q
[LSW1]int g0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type trunk
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[LSW1-GigabitEthernet0/0/3]port trunk pvid vlan 100
[LSW1-GigabitEthernet0/0/3]q
[LSW1]int g0/0/4
[LSW1-GigabitEthernet0/0/4]port link-type trunk
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[LSW1-GigabitEthernet0/0/4]port trunk pvid vlan 100
[LSW1-GigabitEthernet0/0/4]q
[LSW1]int g0/0/11
[LSW1-GigabitEthernet0/0/11]port link-type access
[LSW1-GigabitEthernet0/0/11]port default vlan 11
[LSW1-GigabitEthernet0/0/11]q
[LSW1]int g0/0/12
[LSW1-GigabitEthernet0/0/12]port link-type access
[LSW1-GigabitEthernet0/0/12]port default vlan 31
[LSW1-GigabitEthernet0/0/12]q
[LSW1]int g0/0/13
[LSW1-GigabitEthernet0/0/13]port link-type access
[LSW1-GigabitEthernet0/0/13]port default vlan 32
[LSW1-GigabitEthernet0/0/13]q

LSW2

[LSW2]vlan batch 10 20 30 40 34 33 22 100 101 102
[LSW2]int g0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type trunk
[LSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[LSW2-GigabitEthernet0/0/1]port trunk pvid vlan 100
[LSW2-GigabitEthernet0/0/1]q
[LSW2]int g0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type trunk
[LSW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[LSW2-GigabitEthernet0/0/2]port trunk pvid vlan 100
[LSW2-GigabitEthernet0/0/2]q
[LSW2]int g0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type trunk
[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[LSW2-GigabitEthernet0/0/3]port trunk pvid vlan 100
[LSW2-GigabitEthernet0/0/3]q
[LSW2]int g0/0/4
[LSW2-GigabitEthernet0/0/4]port link-type trunk
[LSW2-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[LSW2-GigabitEthernet0/0/4]port trunk pvid vlan 100
[LSW2-GigabitEthernet0/0/4]q
[LSW2]int g0/0/12
[LSW2-GigabitEthernet0/0/12]port link-type access
[LSW2-GigabitEthernet0/0/12]port default vlan 34
[LSW2-GigabitEthernet0/0/12]q
[LSW2]int g0/0/13
[LSW2-GigabitEthernet0/0/13]port link-type access
[LSW2-GigabitEthernet0/0/13]port default vlan 33
[LSW2-GigabitEthernet0/0/13]q
[LSW2]int g0/0/22
[LSW2-GigabitEthernet0/0/22]port link-type access
[LSW2-GigabitEthernet0/0/22]port default vlan 22
[LSW2-GigabitEthernet0/0/22]q
[LSW2]

AC

[AC1]vlan batch 22
[AC1]int g0/0/2
[AC1-GigabitEthernet0/0/2]port link-type access
[AC1-GigabitEthernet0/0/2]port default vlan 22
[AC1-GigabitEthernet0/0/2]q
[AC1]q

4-2、配置各个设备的IP地址

LSW1

LSW2

AR1

AR2

AR3

DHCP-Server

[DHCP]int g0/0/1

[DHCP-GigabitEthernet0/0/1]ip add 192.168.11.11 24

AC1

[AC1]int vlanif 22

[AC1-Vlanif22]ip add 192.168.22.22 24

FW

4-3、配置静态路由

#

[FW]ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
[FW]ip route-static 192.168.0.0 255.255.192.0 10.1.1.1 preference 10
[FW]ip route-static 192.168.0.0 255.255.192.0 10.2.2.1
[FW]ip route-static 192.168.100.0 255.255.252.0 10.1.1.1 preference 10
[FW]ip route-static 192.168.100.0 255.255.252.0 10.2.2.1
[FW]q
#

AR1
[AR1]ip route-ststic 0.0.0.0 0.0.0.0 10.1.1.2

#
AR2
[AR2]ip route-ststic 0.0.0.0 0.0.0.0 10.2.2.2

#
LSW3-LSW6
[LSW3]ip route-static 0.0.0.0 0.0.0.0 192.168.100.254
[LSW4]ip route-static 0.0.0.0 0.0.0.0 192.168.100.254
[LSW5]ip route-static 0.0.0.0 0.0.0.0 192.168.100.254
[LSW6]ip route-static 0.0.0.0 0.0.0.0 192.168.100.254

#
DHCP
[DHCP]ip route-static 0.0.0.0 0.0.0.0 192.168.11.254


#
AC
[AC1]ip route-static 0.0.0.0 0.0.0.0 192.168.22.254


#

4-4、在LAW1-LSW2配置链路聚合，模式为LACP

LSW1

[LSW1]int eth-trunk 1
[LSW1-Eth-Trunk1]mode lacp-static 	
[LSW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/10 0/0/20
[LSW1-Eth-Trunk1]port link-type trunk
[LSW1-Eth-Trunk1]port trunk allow-pass vlan all
[LSW1-Eth-Trunk1]port trunk pvid vlan 100
[LSW1-Eth-Trunk1]q
[LSW1]lacp priority 4096
[LSW1]int eth-trunk 1	
[LSW1-Eth-Trunk1]lacp preempt enable
[LSW1-Eth-Trunk1]q

查看链路聚合

LSW2

#


[LSW2]int eth-trunk 1
[LSW2-Eth-Trunk1]mode lacp-st	
[LSW2-Eth-Trunk1]mode lacp-static 
[LSW2-Eth-Trunk1]trunkport g	
[LSW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/10 0/0/20
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW2-Eth-Trunk1]port link-type trunk
[LSW2-Eth-Trunk1]port trunk allow-pass vlan all
[LSW2-Eth-Trunk1]port trunk pvid vlan 100
[LSW2-Eth-Trunk1]q



#

4-5、在DHCP_Server上配置DHCP

#
[DHCP]dhcp enable
[DHCP]int g0/0/1
[DHCP-GigabitEthernet0/0/1]dhcp select global 
[DHCP-GigabitEthernet0/0/1]q
[DHCP]ip pool vlan10
[DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[DHCP-ip-pool-vlan10]network 192.168.10.0 mask 255.255.255.0
[DHCP-ip-pool-vlan10]excluded-ip-address 192.168.10.246 192.168.10.253
[DHCP-ip-pool-vlan10]dns-list 172.16.1.200
[DHCP-ip-pool-vlan10]q
[DHCP]ip pool vlan20
[DHCP-ip-pool-vlan20]gateway-list 192.168.20.254
[DHCP-ip-pool-vlan20]network 192.168.20.0 mask 255.255.255.0
[DHCP-ip-pool-vlan20]excluded-ip-address 192.168.20.246 192.168.20.253
[DHCP-ip-pool-vlan20]dns-list 172.16.1.200
[DHCP-ip-pool-vlan20]q
[DHCP]ip pool vlan30
[DHCP-ip-pool-vlan30]gateway-list 192.168.30.254
[DHCP-ip-pool-vlan30]network 192.168.30.0 mask 255.255.255.0
[DHCP-ip-pool-vlan30]excluded-ip-address 192.168.30.246 192.168.30.253
[DHCP-ip-pool-vlan30]dns-list 172.16.1.200
[DHCP-ip-pool-vlan30]q
[DHCP]ip pool vlan40
[DHCP-ip-pool-vlan40]gateway-list 192.168.40.254
[DHCP-ip-pool-vlan40]network 192.168.40.0 mask 255.255.255.0
[DHCP-ip-pool-vlan40]excluded-ip-address 192.168.40.246 192.168.40.253
[DHCP-ip-pool-vlan40]dns-list 172.16.1.200
[DHCP-ip-pool-vlan40]q
[DHCP]ip pool vlan100
[DHCP-ip-pool-vlan100]gateway-list 192.168.100.254
[DHCP-ip-pool-vlan100]network 192.168.100.0 mask 255.255.255.0
[DHCP-ip-pool-vlan100]excluded-ip-address 192.168.100.1 192.168.100.10
[DHCP-ip-pool-vlan100]excluded-ip-address 192.168.100.246 192.168.100.253
[DHCP-ip-pool-vlan100]dns-list 172.16.1.200
[DHCP-ip-pool-vlan100]Option 43 sub-option 3 ascii 192.168.22.22
[DHCP-ip-pool-vlan100]q
[DHCP]ip pool vlan101
[DHCP-ip-pool-vlan101]gateway-list 192.168.101.254
[DHCP-ip-pool-vlan101]network 192.168.101.0 mask 255.255.255.0
[DHCP-ip-pool-vlan101]excluded-ip-address 192.168.101.246 192.168.101.253
[DHCP-ip-pool-vlan101]Lease day 0 hour 3 minute 0
[DHCP-ip-pool-vlan101]dns-list 172.16.1.200
[DHCP-ip-pool-vlan101]q
[DHCP]ip pool vlan102
[DHCP-ip-pool-vlan102]gateway-list 192.168.102.254
[DHCP-ip-pool-vlan102]network 192.168.102.0 mask 255.255.255.0
[DHCP-ip-pool-vlan102]excluded-ip-address 192.168.102.246 192.168.102.253
[DHCP-ip-pool-vlan102]Lease day 0 hour 3 minute 0
[DHCP-ip-pool-vlan102]q

#

4-6、DHCP中继器

需要在LSW1和LSW2上的vlanif 10 20 30 40 100 101 102

注：LSW1和LSW2一样的配置，在这里LSW2略

#

[LSW1]dhcp enable
[LSW1]int vlanif 10
[LSW1-Vlanif10]dhcp select relay 
[LSW1-Vlanif10]dhcp relay server-ip 192.168.11.11 
[LSW1-Vlanif10]q
[LSW1]int vlanif 20
[LSW1-Vlanif20]dhcp select relay
[LSW1-Vlanif20]dhcp relay server-ip 192.168.11.11
[LSW1-Vlanif20]q
[LSW1]int vlanif 30
[LSW1-Vlanif30]dhcp select relay
[LSW1-Vlanif30]dhcp relay server-ip 192.168.11.11
[LSW1-Vlanif30]q
[LSW1]int vlanif 40
[LSW1-Vlanif40]dhcp select relay
[LSW1-Vlanif40]dhcp relay server-ip 192.168.11.11
[LSW1-Vlanif40]q
[LSW1]int vlanif 100
[LSW1-Vlanif100]dhcp select relay
[LSW1-Vlanif100]dhcp relay server-ip 192.168.11.11
[LSW1-Vlanif100]q
[LSW1]int vlanif 101
[LSW1-Vlanif101]dhcp select relay
[LSW1-Vlanif101]dhcp relay server-ip 192.168.11.11
[LSW1-Vlanif101]q
[LSW1]int vlanif 102
[LSW1-Vlanif102]dhcp select relay
[LSW1-Vlanif102]dhcp relay server-ip 192.168.11.11
[LSW1-Vlanif102]q
[LSW1]q

#

4-7、配置STP

LSW1

#

[LSW1]stp enable
[LSW1]stp mode mstp
[LSW1]stp instance 1 priority 4096
[LSW1]stp instance 2 priority 8192
[LSW1]stp instance 3 priority 4096
[LSW1]stp instance 4 priority 8192
[LSW1]stp instance 10 priority 4096
[LSW1]stp instance 11 priority 4096
[LSW1]stp instance 12 priority 8192
[LSW1]stp instance 0 root primary
[LSW1]stp region-configuration 
[LSW1-mst-region]region-name huawei
[LSW1-mst-region]instance 1 vlan 10
[LSW1-mst-region]instance 2 vlan 20
[LSW1-mst-region]instance 3 vlan 30
[LSW1-mst-region]instance 4 vlan 40
[LSW1-mst-region]instance 10 vlan 100
[LSW1-mst-region]instance 11 vlan 101
[LSW1-mst-region]instance 12 vlan 102
[LSW1-mst-region]active region-configuration
[LSW1-mst-region]q

#

LSW2

[LSW2]stp enable
[LSW2]stp mode mstp
[LSW2]stp instance 1 priority 8192
[LSW2]stp instance 2 priority 4096
[LSW2]stp instance 3 priority 8192
[LSW2]stp instance 4 priority 4096
[LSW2]stp instance 10 priority 8192
[LSW2]stp instance 11 priority 8192
[LSW2]stp instance 12 priority 4096
[LSW2]stp instance 0 root secondary
[LSW2]stp region-configuration 
[LSW2-mst-region]region-name huawei
[LSW2-mst-region]instance 1 vlan 10
[LSW2-mst-region]instance 2 vlan 20
[LSW2-mst-region]instance 3 vlan 30
[LSW2-mst-region]instance 4 vlan 40
[LSW2-mst-region]instance 10 vlan 100
[LSW2-mst-region]instance 11 vlan 101
[LSW2-mst-region]instance 12 vlan 102
[LSW2-mst-region]active region-configuration
[LSW2-mst-region]q
[LSW2]

4-8、配置VRRP

LSW1作为vlan 10 30 100 101 的主网关，LSW2作为vlan20 40 102的主网关

LSW1

#

[LSW1]int vlanif 10
[LSW1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[LSW1-Vlanif10]vrrp vrid 10 priority 120
[LSW1-Vlanif10]vrrp vrid 10 preempt-mode timer delay 20
[LSW1-Vlanif10]q
[LSW1]int vlanif 20
[LSW1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254 
[LSW1]int vlanif 30
[LSW1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[LSW1-Vlanif30]vrrp vrid 30 priority 140
[LSW1-Vlanif30]q
[LSW1]int vlan40 
[LSW1-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.254
[LSW1-Vlanif40]q
[LSW1]int vlanif 100
[LSW1-Vlanif100]vrrp vrid 100 virtual-ip 192.168.100.254
[LSW1-Vlanif100]vrrp vrid 100 priority  160
[LSW1-Vlanif100]q
[LSW1]int vlanif 101
[LSW1-Vlanif101]vrrp vrid 101 virtual-ip 192.168.101.254
[LSW1-Vlanif101]vrrp vrid 101 priority 170
[LSW1-Vlanif101]q
[LSW1]int vlanif 102
[LSW1-Vlanif102]vrrp vrid 102 virtual-ip 192.168.102.254
[LSW1-Vlanif102]q


#

LSW2


#

[LSW2]int vlanif 10
[LSW2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[LSW2-Vlanif10]q
[LSW2]int vlanif 20
[LSW2-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[LSW2-Vlanif20]vrrp vrid 20 priority 130
[LSW2-Vlanif20]q
[LSW2]int vlanif 30
[LSW2-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[LSW2-Vlanif30]q
[LSW2]int vlanif 40
[LSW2-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.254
[LSW2-Vlanif40]vrrp vrid 40 priority 150
[LSW2-Vlanif40]q
[LSW2]int vlanif 100	
[LSW2-Vlanif100]vrrp vrid 100 virtual-ip 192.168.100.254
[LSW2-Vlanif100]q
[LSW2]int vlanif 101
[LSW2-Vlanif101]vrrp vrid 101 virtual-ip 192.168.101.254
[LSW2-Vlanif101]q
[LSW2]int vlanif 102
[LSW2-Vlanif102]vrrp vrid 102 virtual-ip 192.168.102.254
[LSW2-Vlanif102]vrrp vrid 102 priority 180
[LSW2-Vlanif102]q


#

4-9、配置OSPF

LSW1、LSW2、AR1、AR2都要配置

#

[LSW1]ospf 10 router-id 3.3.3.3
[LSW1-ospf-10]area 0
[LSW1-ospf-10-area-0.0.0.0]network 10.11.11.0 0.0.0.3
[LSW1-ospf-10-area-0.0.0.0]network 10.12.12.0 0.0.0.3
[LSW1-ospf-10-area-0.0.0.0]network 3.3.3.3 0.0.0.0 
[LSW1-ospf-10-area-0.0.0.0]area 0.0.0.10
[LSW1-ospf-10-area-0.0.0.10]network 192.168.10.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.10]area 0.0.0.11
[LSW1-ospf-10-area-0.0.0.11]network 192.168.11.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.11]area 0.0.0.20
[LSW1-ospf-10-area-0.0.0.20]network 192.168.20.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.20]area 0.0.0.30
[LSW1-ospf-10-area-0.0.0.30]network 192.168.30.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.30]area 0.0.0.40
[LSW1-ospf-10-area-0.0.0.40]network 192.168.40.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.40]area 0.0.0.100
[LSW1-ospf-10-area-0.0.0.100]network 192.168.100.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.100]area 0.0.0.101
[LSW1-ospf-10-area-0.0.0.101]network 192.168.101.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.101]area 0.0.0.102
[LSW1-ospf-10-area-0.0.0.102]network 192.168.102.0 0.0.0.255
[LSW1-ospf-10-area-0.0.0.102]q
[LSW1-ospf-10]q


#


LSW2
[LSW2]ospf 10 router-id 4.4.4.4
[LSW2-ospf-10]area 0
[LSW2-ospf-10-area-0.0.0.0]network 10.21.21.0 0.0.0.3
[LSW2-ospf-10-area-0.0.0.0]network 10.22.22.0 0.0.0.3
[LSW2-ospf-10-area-0.0.0.0]  network 4.4.4.4 0.0.0.0
[LSW2-ospf-10-area-0.0.0.0] area 0.0.0.10
[LSW2-ospf-10-area-0.0.0.10]  network 192.168.10.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.10] area 0.0.0.20
[LSW2-ospf-10-area-0.0.0.20]  network 192.168.20.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.20] area 0.0.0.22
[LSW2-ospf-10-area-0.0.0.22]  network 192.168.22.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.22] area 0.0.0.30
[LSW2-ospf-10-area-0.0.0.30]  network 192.168.30.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.30] area 0.0.0.40
[LSW2-ospf-10-area-0.0.0.40]  network 192.168.40.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.40] area 0.0.0.100
[LSW2-ospf-10-area-0.0.0.100]  network 192.168.100.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.100] area 0.0.0.101
[LSW2-ospf-10-area-0.0.0.101]  network 192.168.101.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.101] area 0.0.0.102
[LSW2-ospf-10-area-0.0.0.102] network 192.168.102.0 0.0.0.255
[LSW2-ospf-10-area-0.0.0.102]

#


AR1
[AR1]ospf 10 router-id 1.1.1.1   
[AR1-ospf-10]default-route-advertise  #下发一条缺省路由到普通ospf
[AR1-ospf-10]area 0
[AR1-ospf-10-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[AR1-ospf-10-area-0.0.0.0]network 10.11.11.0 0.0.0.3
[AR1-ospf-10-area-0.0.0.0]network 10.21.21.0 0.0.0.3
[AR1-ospf-10-area-0.0.0.0]q
[AR1-ospf-10]q

#


AR2
[AR2]ospf 10 router-id 2.2.2.2
[AR2-ospf-10]default-route-advertise cost 5
[AR2-ospf-10]area 0
[AR2-ospf-10-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[AR2-ospf-10-area-0.0.0.0]network 10.12.12.0 0.0.0.3
[AR2-ospf-10-area-0.0.0.0]network 10.22.22.0 0.0.0.3
[AR2-ospf-10-area-0.0.0.0]q
[AR2-ospf-10]q

4-10 配置AC

先查看AP1、AP2的地址获取情况

AP1

AP2

配置AC


#

[AC]vlan pool vlan101
[AC-ip-pool-vlan101]vlan 101
[AC-ip-pool-vlan101]vlan pool vlan102
[AC-ip-pool-vlan102]vlan 102

#

[AC]capwap source int vlanif 22    #配置信令源

#

创建域管理模板
#

[AC]wlan
[AC-wlan-view]regulatory-domain-profile name cfig
[AC-wlan-regulate-domain-cfig]country-code CN      #配置国家代码
[AC-wlan-regulate-domain-cfig]q
[AC-wlan-view]ap-group name bg
[AC-wlan-ap-group-bg]regulatory-domain-profile cfig
[AC-wlan-ap-group-bg]ap-group name guest
[AC-wlan-ap-group-guest]regulatory-domain-profile cfig
[AC-wlan-ap-group-guest]q
[AC-wlan-view]q
[AC]

#

配置AP上线

#

[AC]WLAN
[AC-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fca1-3f10       #这里的mac地址要在AP上查看
[AC-wlan-ap-1]ap-name GUEST
[AC-wlan-ap-1]ap-group guest
[AC-wlan-ap-1]ap-id 2 ap-mac 00e0-fc60-5700
[AC-wlan-ap-2]
[AC-wlan-ap-2]ap-name BanGong
[AC-wlan-ap-2]ap-group bg
[AC-wlan-ap-2]

#

配置VLAN业务参数
#
创建安全模板
[AC]wlan
[AC-wlan-view]security-profile name bg      #创建密码文件，用于办公区域
[AC-wlan-sec-prof-bg]security wpa2 psk pass-phrase 12345678 aes     #wifi密码为：12345678
[AC-wlan-sec-prof-bg]security-profile name guest     #创建密码文件，用于访客区
[AC-wlan-sec-prof-guest]security wpa2 psk pass-phrase 12345678 aes  #wifi密码为：12345678
[AC-wlan-sec-prof-guest]q
[AC-wlan-view]q

#

创建SSID模板
#

[AC]wlan
[AC-wlan-view]ssid-profile name bg     #创建wifi名称文件
[AC-wlan-ssid-prof-bg]ssid BanGong      #办公区域wifi名称为BanGong
[AC-wlan-ssid-prof-bg]ssid-profile name guest
[AC-wlan-ssid-prof-guest]ssid guest
[AC-wlan-ssid-prof-guest]

#

创建VPA模板
#

[AC]wlan
[AC-wlan-view]vap-profile name bg
[AC-wlan-vap-prof-bg]forward-mode tunnel
[AC-wlan-vap-prof-bg]service-vlan vlan-id 102
[AC-wlan-vap-prof-bg]ssid-profile bg
[AC-wlan-vap-prof-bg]security-profile bg
[AC-wlan-vap-prof-bg]vap-profile name guest
[AC-wlan-vap-prof-guest]forward-mode tunnel
[AC-wlan-vap-prof-guest]service-vlan vlan-id 101
[AC-wlan-vap-prof-guest]ssid-profile guest
[AC-wlan-vap-prof-guest]security-profile guest
[AC-wlan-vap-prof-guest]q
[AC-wlan-view]q
[AC]


#

调用VAP模板

#

[AC]wlan
[AC-wlan-view]ap-group name bg
[AC-wlan-ap-group-bg]vap-profile bg wlan 1 radio 0    #配置P的组“bg”中的设备发射wifi信号
[AC-wlan-ap-group-bg]vap-profile bg wlan 1 radio 1
[AC-wlan-ap-group-bg]q
[AC-wlan-view]ap-group name guest
[AC-wlan-ap-group-guest]vap-profile bg wlan 1 radio 0 #配置P的组“guest”中的设备发射wifi信号
[AC-wlan-ap-group-guest]vap-profile bg wlan 1 radio 1
[AC-wlan-ap-group-guest]

4-11、测试，无线设备连接WLAN 和获取IP

这里只演示STA1

4-12、配置防火墙

将接口加入对应的安全区域

#
[FW]firewall zone trust
[FW-zone-trust]add int g1/0/1
[FW-zone-trust]add int g1/0/2
[FW-zone-trust]q
[FW]firewall zone untrust
[FW-zone-untrust]add int g1/0/6
[FW-zone-untrust]q
[FW]firewall zone dmz
[FW-zone-dmz]add int g1/0/0
[FW-zone-dmz]q
[FW]quit

#

配置NAT Server，使内部FTP为Internet用户提供FTP http服务：

#
FTP服务器公网地址为202.1.1.4，且外网用户必须使用2121端口才能访问企业内部服务器，不进行反向NAT。
#
[FW] nat server ut->d-ftp protocol tcp global 202.1.1.4 2121 inside 172.16.1.100 ftp no-reverse

#

配置安全策略

#

[FW]security-policy                     #进入nat策略视图
[FW-policy-security]rule name t->d          #允许trust区域流量到DMZ区域                                                     
[FW-policy-security-rule-t->d]source-zone trust       	#源区域
[FW-policy-security-rule-t->d]destination-zone dmz       #目的区域
[FW-policy-security-rule-t->d]action permit            #执行动作允许
[FW-policy-security-rule-t->d]q
[FW-policy-security]rule name t->ut            #允许trust区域流量到untrust区域
[FW-policy-security-rule-t->ut]source-zone trust
[FW-policy-security-rule-t->ut]destination-zone untrust
[FW-policy-security-rule-t->ut]action permit
[FW-policy-security-rule-t->ut]rule name ut-d      #允许trust区域流量到dmz区域
[FW-policy-security-rule-ut-d]source-zone untrust
[FW-policy-security-rule-ut-d]destination-zone dmz
[FW-policy-security-rule-ut-d]destination-address 172.16.1.0 mask 255.255.255.0    #源IP为172.16.1.0/24
[FW-policy-security-rule-ut-d]service ftp
[FW-policy-security-rule-ut-d]service http
[FW-policy-security-rule-ut-d]action permit
[FW-policy-security-rule-ut-d]q
[FW-policy-security]q
[FW]q

#

配置easy-IP使得内部用户可以访问外网

#

[FW]nat-policy
[FW-policy-nat]rule name t->ut
[FW-policy-nat-rule-t->ut]source-zone trust
[FW-policy-nat-rule-t->ut]destination-zone untrust
[FW-policy-nat-rule-t->ut]action source-nat easy-ip
[FW-policy-nat-rule-t->ut]q
[FW-policy-nat]q
[FW-policy-security]rule name d->ut
[FW-policy-security-rule-t->ut]source-zone dmz
[FW-policy-security-rule-t->ut]destination-zone untrust
[FW-policy-security-rule-t->ut]action source-nat easy-ip
[FW-policy-security-rule-t->ut]q
[FW-policy-security]q

#

4-13、查看全部PC是否获取IP，每台PC都可以访问得到外网，就是内网可以访问外网

PC1

PC2

其他PC都获取到IP和都可以访问外网和DMZ区域。

外网用户访问内部服务器

开启FTP服务

4-14、端口安全

限制其它部门访问财务部。


#

[LSW4]acl 3000
[LSW4-acl-adv-3001]rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255        #禁止财务部访问办公区
[LSW4-acl-adv-3000]rule 10 deny  ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255      #禁止财务部访问人事部
[LSW4-acl-adv-3000]rule 15 deny  ip source 192.168.40.0 0.0.0.255 
[LSW4-acl-adv-3000]destination 192.168.40.0 0.0.0.255  #禁止财务部访问访客区
[LSW4-acl-adv-3000]q
[LSW4]int vlanif 40
[LSW4-Vlanif20]traffic-filter vlan 20 inbound acl 3000

#

测试：PC2是不可以访问其它部门的

访客区只可以访问服务器以及外网。

#

[LSW6]acl 3001
[LSW6-acl-adv-3001]rule 5 permit ip source 192.168.40.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
[LSW6-acl-adv-3001]rule 10 permit ip source 192.168.40.0 0.0.0.255 destination 20.20.20.0 0.0.0.255
[LSW6-acl-adv-3001]rule 15 deny ip source 192.1680.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[LSW6-acl-adv-3001]rule  deny ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[LSW6-acl-adv-3001]rule 25 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[LSW6-acl-adv-3001]q
[LSW6]int vlanif 40
[LSW6-Vlanif40]traffic-filter vlan 40 inbound acl 3001


#

测试：访客区只可以访问外网和DMZ区的，不可可以访问其它部门的

4-15、LSW3-LSW6设置边缘端口

#

[LSW3]int e0/0/3
[LSW3-Ethernet0/0/3]stp edged-port enable
[LSW3-Ethernet0/0/3]q
[LSW3]int e0/0/4
[LSW3-Ethernet0/0/4]stp edged-port enable
[LSW3-Ethernet0/0/4]q
[LSW3]q

#
[LSW4]int e0/0/3
[LSW4-Ethernet0/0/3]stp edged-port enable
[LSW4-Ethernet0/0/3]q
[LSW4]int e0/0/4
[LSW4-Ethernet0/0/4]stp edged-port enable
[LSW4-Ethernet0/0/4]q
[LSW4]q

#
[LSW5]int e0/0/3
[LSW5-Ethernet0/0/3]stp edged-port enable
[LSW5-Ethernet0/0/3]q
[LSW5]int e0/0/4
[LSW5-Ethernet0/0/4]stp edged-port enable
[LSW5-Ethernet0/0/4]q
[LSW5]q


#
[LSW6]int e0/0/3
[LSW6-Ethernet0/0/3]stp edged-port enable
[LSW6-Ethernet0/0/3]q
[LSW6]int e0/0/4
[LSW6-Ethernet0/0/4]stp edged-port enable
[LSW6-Ethernet0/0/4]q
[LSW6]q

4-16、端口隔离

在访客区做端口隔离

[LSW6]int e0/0/3
[LSW6-Ethernet0/0/3]port-isolate enable group 1
[LSW6]int e0/0/4
[LSW6-Ethernet0/0/4]port-isolate enable group 1

测试：访客区之间不同通信的

以上就是本实验的大致情况，

非常感谢各位读者们阅读。