华为eNSP中型企业局域网网络规划设计(下)

时间:2024-05-10 16:25:37

→b站传送门,感谢大佬←

→华为eNSP中型企业局域网网络规划设计(上)←

→拓扑图传送门,可以自己配置着玩←

配置ospf

说明:下面的 OSPF 配置没有启用认证,也没有配置 silent-interface。建议在各设备的 area 0 下统一配置 `authentication-mode hmac-sha256`(模拟器不支持时退而用 md5)并使用相同密钥,防止伪造邻居注入路由;同时在面向用户的 VLANIF(SW7/SW8 的 Vlanif10~60、SW9 的 Vlanif200/201)以及 AR3 面向运营商的 GE0/0/2、GE4/0/0 上执行 `silent-interface`,这些接口只需被通告进 OSPF,不应向终端或外网发送 Hello 报文、建立邻居。

AR3

[AR3]ospf 1 router-id 3.3.3.3
//出口默认路由:向区域内下发缺省路由。always 表示即使 AR3 自身没有缺省路由也照样通告——当下面两条静态缺省路由同时失效时,内网流量仍会被吸引到 AR3 然后被丢弃;如希望缺省路由随出口状态联动,去掉 always
[AR3-ospf-1]default-route-advertise always
#
 area 0.0.0.0 
  network 100.1.11.3 0.0.0.0 
  network 100.1.33.3 0.0.0.0 
  network 192.168.13.3 0.0.0.0 
  network 192.168.23.3 0.0.0.0 
#

AR1

[AR1]ospf 1 router-id 1.1.1.1
#
 area 0.0.0.0 
  network 192.168.12.1 0.0.0.0 
  network 192.168.13.1 0.0.0.0 
  network 192.168.77.1 0.0.0.0 
  network 192.168.87.1 0.0.0.0 
  network 192.168.91.1 0.0.0.0 
#

AR2

[AR2]ospf 1 router-id 2.2.2.2
#
 area 0.0.0.0 
  network 192.168.12.2 0.0.0.0 
  network 192.168.23.2 0.0.0.0 
  network 192.168.78.2 0.0.0.0 
  network 192.168.88.2 0.0.0.0 
  network 192.168.92.2 0.0.0.0 
#

SW9

[SW9]ospf 1 router-id 9.9.9.9
#
 area 0.0.0.0
  network 192.168.91.254 0.0.0.0
  network 192.168.92.254 0.0.0.0
#
 area 0.0.0.200
  network 192.168.200.254 0.0.0.0
#
 area 0.0.0.201
  network 192.168.201.254 0.0.0.0
#

SW7

[SW7]ospf 1 router-id 7.7.7.7
#
 area 0.0.0.0
  network 192.168.10.7 0.0.0.0
  network 192.168.20.7 0.0.0.0
  network 192.168.30.7 0.0.0.0
  network 192.168.40.7 0.0.0.0
  network 192.168.50.7 0.0.0.0
  network 192.168.60.7 0.0.0.0
  network 192.168.77.7 0.0.0.0
  network 192.168.78.7 0.0.0.0
#

SW8

[SW8]ospf 1 router-id 8.8.8.8
#
 area 0.0.0.0
  network 192.168.10.8 0.0.0.0
  network 192.168.20.8 0.0.0.0
  network 192.168.30.8 0.0.0.0
  network 192.168.40.8 0.0.0.0
  network 192.168.50.8 0.0.0.0
  network 192.168.60.8 0.0.0.0
  network 192.168.87.8 0.0.0.0
  network 192.168.88.8 0.0.0.0
#

配置出口动态nat

AR3

//配置静态出口路由:两条缺省路由中,走 100.1.33.5 的使用默认优先级 60,走 100.1.11.5 的优先级为 70,因此前者是主出口、后者是浮动备份路由。注意只有主出口接口 down 时备份路由才会生效,"接口 up 但链路不通"的情况不会切换,生产环境需配合 BFD/NQA 联动
[AR3]ip route-static 0.0.0.0 0 100.1.11.5 preference 70
[AR3]ip route-static 0.0.0.0 0 100.1.33.5

//访问出口的流量:ACL 3000 只匹配允许做 NAT 上网的源网段(各部门 VLAN 10~60)。不在列表中的网段(例如 SW9 下的 192.168.200.x、192.168.201.x)不会被转换,也就无法访问外网,若它们也需要上网须补充对应 rule。这里只按源地址匹配,不限制目的地址
#
acl number 3000  
 rule 5 permit ip source 192.168.10.0 0.0.0.255 
 rule 10 permit ip source 192.168.20.0 0.0.0.255 
 rule 15 permit ip source 192.168.30.0 0.0.0.255 
 rule 20 permit ip source 192.168.40.0 0.0.0.255 
 rule 25 permit ip source 192.168.50.0 0.0.0.255 
 rule 30 permit ip source 192.168.60.0 0.0.0.255 
#
//配置动态nat:nat outbound 3000 未指定地址池,即 Easy IP,直接用出接口自身地址做 NAPT;两个出接口都要绑定,否则流量从未绑定的出口发出时不会被转换
#
interface GigabitEthernet4/0/0
 ip address 100.1.33.3 255.255.255.0 
 nat outbound 3000
#
interface GigabitEthernet0/0/2
 ip address 100.1.11.3 255.255.255.0 
 nat outbound 3000
#

配置acl使各部门无法互访

说明:VRP 的 traffic-filter 对未命中任何 rule 的报文默认放行,因此 ACL 里只需写 deny。但要注意这些 ACL 只按源地址过滤、且只在目的部门一侧做 outbound 过滤,伪造源地址的单向流量可以绕过(例如 20 段主机伪造 10 段源地址探测 30 段);需要更严格的隔离时,应在接入口 inbound 方向按目的地址过滤,或直接在 SW7/SW8 的各 VLANIF 上做过滤。

SW1

#
acl number 3000
 rule 5 deny ip source 192.168.20.0 0.0.0.255
 rule 10 deny ip source 192.168.30.0 0.0.0.255
 rule 15 deny ip source 192.168.40.0 0.0.0.255
 rule 20 deny ip source 192.168.50.0 0.0.0.255
 rule 25 deny ip source 192.168.60.0 0.0.0.255
#

[SW1-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
//或者写 deny ip destination xxx,在接口 inbound 方向应用 ACL。更推荐这种做法:报文在进入接入交换机时就被丢弃,不会白白占用上行链路和核心资源,而且目的地址不像源地址那样可以被伪造绕过

SW2

#
acl number 3000
 rule 5 deny ip source 192.168.10.0 0.0.0.255
 rule 10 deny ip source 192.168.30.0 0.0.0.255
 rule 15 deny ip source 192.168.40.0 0.0.0.255
 rule 20 deny ip source 192.168.50.0 0.0.0.255
 rule 25 deny ip source 192.168.60.0 0.0.0.255
#

[SW2-GigabitEthernet0/0/1]traffic-filter outbound acl 3000

SW3

#
acl number 3000
 rule 5 deny ip source 192.168.10.0 0.0.0.255
 rule 10 deny ip source 192.168.20.0 0.0.0.255
 rule 15 deny ip source 192.168.40.0 0.0.0.255
 rule 20 deny ip source 192.168.50.0 0.0.0.255
 rule 25 deny ip source 192.168.60.0 0.0.0.255
#

[SW3-GigabitEthernet0/0/1]traffic-filter outbound acl 3000

SW4

#
acl number 3000
 rule 5 deny ip source 192.168.10.0 0.0.0.255
 rule 10 deny ip source 192.168.20.0 0.0.0.255
 rule 15 deny ip source 192.168.30.0 0.0.0.255
 rule 20 deny ip source 192.168.50.0 0.0.0.255
 rule 25 deny ip source 192.168.60.0 0.0.0.255
#

[SW4-GigabitEthernet0/0/1]traffic-filter outbound acl 3000

SW5

#
acl number 3000
 rule 5 deny ip source 192.168.10.0 0.0.0.255
 rule 10 deny ip source 192.168.20.0 0.0.0.255
 rule 15 deny ip source 192.168.30.0 0.0.0.255
 rule 20 deny ip source 192.168.40.0 0.0.0.255
 rule 25 deny ip source 192.168.60.0 0.0.0.255
#

[SW5-GigabitEthernet0/0/1]traffic-filter outbound acl 3000

SW6

#
acl number 3000
 rule 5 deny ip source 192.168.10.0 0.0.0.255
 rule 10 deny ip source 192.168.20.0 0.0.0.255
 rule 15 deny ip source 192.168.30.0 0.0.0.255
 rule 20 deny ip source 192.168.40.0 0.0.0.255
 rule 25 deny ip source 192.168.50.0 0.0.0.255
#

[SW6-GigabitEthernet0/0/1]traffic-filter outbound acl 3000

优化网络架构

  • SW7、SW8增加cost 使ospf不绕路:VLANIF 的默认 cost 为 1,把 SW7 的 Vlanif40~60、SW8 的 Vlanif10~30 改为 10 后,去往 VLAN 10~30 的流量优先走 SW7、去往 VLAN 40~60 的优先走 SW8。这必须与(上)篇中各 VLAN 的主网关划分一致(请确认 VLAN 10~30 主网关在 SW7、VLAN 40~60 主网关在 SW8),否则 cost 的方向要反过来

    SW7

    [SW7]int vlan40
    [SW7-Vlanif40]ospf cost 10
    [SW7-Vlanif40]int vlan 50
    [SW7-Vlanif50]ospf cost 10
    [SW7-Vlanif50]int vlan 60
    [SW7-Vlanif60]ospf cost 10
    

    SW8

    //增加cost 使ospf不绕路
    [SW8]int vlan10
    [SW8-Vlanif10]ospf cost 10
    [SW8-Vlanif10]int vlan 20
    [SW8-Vlanif20]ospf cost 10
    [SW8-Vlanif20]int vlan 30
    [SW8-Vlanif30]ospf cost 10
    
  • SW7、SW8配置根保护:port-group trunk 的成员端口本文未给出,它应只包含面向 SW1~6 的下行 trunk。SW7 与 SW8 之间的互联口不要启用根保护——启用根保护的端口收到更优 BPDU 时会进入 Discarding,备份根桥一侧的互联口会因此被阻断

    SW7、SW8

    [SW7]port-group trunk
    [SW7-port-group-trunk]stp root-protection 
    
  • SW1~6开启边缘端口保护:stp bpdu-protection 是全局命令,只对已配置 `stp edged-port enable` 的端口生效,如果(上)篇中接入口没有配置为边缘端口,这条命令不会起作用。边缘端口收到 BPDU 后会被 error-down 关闭,需要手工 shutdown/undo shutdown 恢复,或配置 `error-down auto-recovery cause bpdu-protection interval <秒>` 自动恢复

    SW1~6

    [SW1]stp bpdu-protection