Published 2023-12-25 (author not listed)
Introduction:
The following describes the structure, planning and configuration of a typical enterprise network.
It covers VLAN division for the internal departments, the wireless configuration, publishing a server to the outside and access between internal segments.
1. Each department, the servers and the wireless network each get their own subnet.
2. The wireless network uses the bypass (off-path AC) direct-forwarding mode.
3. Wireless clients cannot reach internal company resources; they are only allowed Internet access.
Devices:
External firewall: USG5120
Core switch: S5700
Access switches: S3700
Wireless controller: AC6005
Wireless AP: AP6010DN-AGN
Network topology: (diagram omitted)
Address plan:

Device   Interface    IP address            Description
FW1      G0/0/1       202.100.1.1/24        Outside (WAN)
FW1      G0/0/0       10.10.10.1/24         Inside (LAN)
LSW1     Vlanif 10    10.10.10.254/24       Interconnect address towards the USG
LSW1     Vlanif 101   192.168.101.254/24    Server segment
LSW1     Vlanif 102   192.168.102.254/24    Sales department
LSW1     Vlanif 103   192.168.103.254/24    Technical department
LSW1     Vlanif 104   192.168.104.254/24    Wireless segment
LSW1     Vlanif 200   192.168.200.254/24    Management segment
LSW2     Vlanif 200   192.168.200.2/24      LSW2 management address
LSW3     Vlanif 200   192.168.200.3/24      LSW3 management address
AC6005   Vlanif 88    192.168.88.6/24       Wireless AP management segment
AC6005   Vlanif 200   192.168.200.6/24      AC6005 management address
VLAN plan:

VLAN ID   Description
10        Uplink interface
88        Wireless AP management
101       Servers
102       Sales
103       Technical
104       Wireless STA
200       Management
Interface plan:

Device   Interface   Type     Configuration
LSW1     G0/0/24     Access   port link-type access; port default vlan 10
LSW1     G0/0/8      Trunk    port link-type trunk; port trunk allow-pass vlan 88 200
LSW1     G0/0/11     Access   port link-type access; port default vlan 101
LSW1     G0/0/1      Trunk    port link-type trunk; port trunk allow-pass vlan all
LSW1     G0/0/2      Trunk    port link-type trunk; port trunk allow-pass vlan all
LSW2     G0/0/1      Trunk    port link-type trunk; port trunk allow-pass vlan all
LSW2     E0/0/1      Access   port link-type access; port default vlan 102
LSW2     E0/0/22     Trunk    port link-type trunk (AP-facing port); port trunk pvid vlan 88; port trunk allow-pass vlan 88 104
LSW3     G0/0/1      Trunk    port link-type trunk; port trunk allow-pass vlan all
LSW3     E0/0/1      Access   port link-type access; port default vlan 102
LSW3     E0/0/22     Trunk    port link-type trunk (AP-facing port); port trunk pvid vlan 88; port trunk allow-pass vlan 88 104
AC6005   G0/0/8      Trunk    port link-type trunk; port trunk allow-pass vlan 88 200
Configuration steps:
1. Firewall configuration.
#
sysname FW1
#
interface GigabitEthernet0/0/0
alias Lan
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
alias Wan
ip address 202.100.1.1 255.255.255.0
#
firewall zone trust
add interface GigabitEthernet0/0/0
#
firewall zone untrust
add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 202.100.1.2
ip route-static 192.168.0.0 255.255.0.0 10.10.10.254
#
nat-policy interzone trust untrust outbound
policy 1
action source-nat
easy-ip GigabitEthernet0/0/1
#
firewall packet-filter default permit interzone trust untrust direction outbound  // default interzone rule: permit traffic from the inside network to the outside
#
2. LSW1 configuration.
#
sysname LSW1
#
vlan batch 10 88 101 to 104 200
#
dhcp enable
#
interface Vlanif10
ip address 10.10.10.254 255.255.255.0
#
interface Vlanif101
description Server
ip address 192.168.101.254 255.255.255.0
#
interface Vlanif102
ip address 192.168.102.254 255.255.255.0
#
interface Vlanif103
ip address 192.168.103.254 255.255.255.0
#
interface Vlanif104
description WLAN-STA
ip address 192.168.104.254 255.255.255.0
dhcp select interface
dhcp server dns-list 192.168.101.2
#
interface Vlanif200
description Manager
ip address 192.168.200.254 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 88 200
#
interface GigabitEthernet0/0/11
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 10
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1
#
3. LSW2 configuration.
#
sysname LSW2
#
vlan batch 88 102 to 104 200
#
interface Vlanif200
ip address 192.168.200.2 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 102
#
interface Ethernet0/0/22
port link-type trunk
port trunk pvid vlan 88
port trunk allow-pass vlan 88 104
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan all
#
ip route-static 0.0.0.0 0.0.0.0 192.168.200.254
#
4. LSW3 configuration.
#
sysname LSW3
#
vlan batch 88 102 to 104 200
#
interface Vlanif200
ip address 192.168.200.3 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 103
#
interface Ethernet0/0/22
port link-type trunk
port trunk pvid vlan 88
port trunk allow-pass vlan 88 104
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan all
#
ip route-static 0.0.0.0 0.0.0.0 192.168.200.254
#
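As an added check, not part of the original document and not a Huawei tool, the following Python script parses the interface stanzas of a VRP-style switch configuration such as the LSW2 and LSW3 configurations in steps 3 and 4. It lists trunk ports configured with `port trunk allow-pass vlan all`, which carry every VLAN defined on the switch (management VLAN 200 included) rather than only the VLANs the downstream switch needs, and it verifies that an AP-facing port has `port trunk pvid vlan 88` and allows exactly VLANs 88 and 104 as the interface plan requires. The embedded sample configuration is a constructed copy of the LSW2 stanzas above; the function names are my own.

```python
"""Audit port settings in a Huawei VRP-style switch configuration.

Added example, not part of the original document: parses 'interface' stanzas,
flags trunks with 'port trunk allow-pass vlan all', and verifies AP-facing
ports against the interface plan (pvid 88, VLANs 88 and 104 only).
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample input: a copy of the LSW2 stanzas from step 3.
SAMPLE_CONFIG = """\
#
sysname LSW2
#
vlan batch 88 102 to 104 200
#
interface Vlanif200
 ip address 192.168.200.2 255.255.255.0
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 102
#
interface Ethernet0/0/22
 port link-type trunk
 port trunk pvid vlan 88
 port trunk allow-pass vlan 88 104
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan all
#
ip route-static 0.0.0.0 0.0.0.0 192.168.200.254
#
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the 'port ...' commands in its stanza.

    A stanza starts at 'interface <name>' and ends at the next '#' line;
    leading indentation (VRP uses one space) is ignored.
    """
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "#":
            current = None
        elif current is not None and line.startswith("port "):
            stanzas[current].append(line)
    return stanzas


def expand_vlans(spec: str) -> Set[object]:
    """Expand a VRP VLAN list ('88 104', '101 to 104 200') into a set of ints.

    The keyword 'all' is kept as the string "all" so callers can flag it.
    """
    tokens = spec.split()
    vlans: Set[object] = set()
    i = 0
    while i < len(tokens):
        if tokens[i] == "all":
            vlans.add("all")
            i += 1
        elif i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def trunk_vlans(cmds: List[str]) -> Set[object]:
    """VLANs allowed on a trunk, accumulated over all 'allow-pass' lines."""
    allowed: Set[object] = set()
    for cmd in cmds:
        m = re.match(r"port trunk allow-pass vlan (.+)$", cmd)
        if m:
            allowed |= expand_vlans(m.group(1))
    return allowed


def trunks_with_vlan_all(config: str) -> List[str]:
    """Trunk ports that carry every VLAN defined on the switch."""
    return sorted(
        name for name, cmds in parse_interfaces(config).items()
        if "port link-type trunk" in cmds and "all" in trunk_vlans(cmds)
    )


def check_ap_port(config: str, name: str, pvid: int = 88,
                  allowed: frozenset = frozenset({88, 104})) -> bool:
    """True when the port is a trunk with the planned PVID and exactly the planned VLANs."""
    cmds = parse_interfaces(config).get(name, [])
    return (
        "port link-type trunk" in cmds
        and f"port trunk pvid vlan {pvid}" in cmds
        and trunk_vlans(cmds) == set(allowed)
    )


if __name__ == "__main__":
    print("trunks allowing all VLANs:", trunks_with_vlan_all(SAMPLE_CONFIG))
    print("Ethernet0/0/22 matches the AP port plan:",
          check_ap_port(SAMPLE_CONFIG, "Ethernet0/0/22"))
```

Run it against a saved `display current-configuration` of each switch; the trunks it reports are the candidates for pruning the allowed VLAN list down to what the interface plan calls for (for LSW2, for example, VLANs 88, 102, 104 and 200).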
5. AC6005 configuration.
VLAN 88 is the wireless AP management segment; DHCP is configured on it to assign addresses to the APs.
#
sysname AC6005
#
vlan batch 88 200
#
dhcp enable
#
interface Vlanif88
ip address 192.168.88.6 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 192.168.200.6 255.255.255.0
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 88 200
#
interface Wlan-Ess104
port hybrid untagged vlan 104
#
wlan
wlan ac source interface vlanif88
ap-auth-mode no-auth
wmm-profile name wmm1 id 1
traffic-profile name tra1 id 1
security-profile name sec1 id 1
service-set name ser1 id 1
wlan-ess 104
ssid HUAWEI
traffic-profile id 1
security-profile id 1
service-vlan 104
radio-profile name radio1 id 1
wmm-profile id 1
#
After the APs come online, bind the radio profile and the service set to each AP.
#
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
Wireless network test.
6. Map the internal server to the outside network so that external users can reach it.
#
nat server protocol tcp global 202.100.1.1 www inside 192.168.101.2 www
#
A forwarding policy must also be configured on the firewall to permit access to the server, because the firewall denies this access by default.
#
policy interzone trust untrust inbound
policy 1
action permit
policy service service-set http
policy destination 192.168.101.2 0
#
Test access to the internal server from the outside network.
Server settings:
Client access test:
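To make the dependency between the nat server entry and the inbound interzone policy explicit, here is an added Python model (my own example, not the document's configuration and not Huawei code) of how the USG handles a packet arriving on the WAN interface: the nat server mapping translates the destination first, and policy 1 is then matched on the translated inside address 192.168.101.2 and the http service, which is why the policy's destination is the inside address rather than 202.100.1.1. Addresses and ports are taken from step 6; the rule structure and function names are assumptions for illustration.

```python
"""Model of the USG5120 inbound path from step 6.

Added example, not the document's configuration and not Huawei code: a packet
arriving on the WAN interface is first matched against the nat server table,
then the trust/untrust inbound policy is evaluated on the translated (inside)
destination, which is why policy 1 names 192.168.101.2 rather than 202.100.1.1.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# 'nat server protocol tcp global 202.100.1.1 www inside 192.168.101.2 www'
# keyed by (protocol, global address, global port) -> (inside address, inside port)
NAT_SERVER: Dict[Tuple[str, str, int], Tuple[str, int]] = {
    ("tcp", "202.100.1.1", 80): ("192.168.101.2", 80),
}


@dataclass(frozen=True)
class PolicyRule:
    action: str              # "permit" or "deny"
    protocol: str            # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None = any port
    destination: str         # CIDR; 'policy destination 192.168.101.2 0' is a single host


# 'policy interzone trust untrust inbound / policy 1 / action permit /
#  policy service service-set http / policy destination 192.168.101.2 0'
INBOUND_POLICY: List[PolicyRule] = [PolicyRule("permit", "tcp", 80, "192.168.101.2/32")]

# The document sets 'packet-filter default permit' only for the outbound
# direction, so untrust -> trust falls back to deny.
INBOUND_DEFAULT = "deny"


def translate_inbound(protocol: str, dst_ip: str, dst_port: int,
                      nat_table=NAT_SERVER) -> Optional[Tuple[str, int]]:
    """Destination NAT: the inside (address, port), or None when no server is mapped."""
    return nat_table.get((protocol, dst_ip, dst_port))


def evaluate_policy(protocol: str, dst_ip: str, dst_port: int,
                    rules=INBOUND_POLICY) -> str:
    """First-match evaluation of the inbound interzone policy on the translated destination."""
    for rule in rules:
        if rule.protocol not in ("any", protocol):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if ip_address(dst_ip) not in ip_network(rule.destination):
            continue
        return rule.action
    return INBOUND_DEFAULT


def inbound_verdict(protocol: str, dst_ip: str, dst_port: int,
                    nat_table=NAT_SERVER, rules=INBOUND_POLICY) -> Tuple[str, Optional[str]]:
    """Return (verdict, inside destination) for a packet arriving from the untrust zone."""
    mapped = translate_inbound(protocol, dst_ip, dst_port, nat_table)
    if mapped is None:
        # Nothing maps this port: the packet is not forwarded into the trust zone.
        return ("deny", None)
    inside_ip, inside_port = mapped
    return (evaluate_policy(protocol, inside_ip, inside_port, rules),
            f"{inside_ip}:{inside_port}")


if __name__ == "__main__":
    for port in (80, 22):
        print(f"tcp/{port} to 202.100.1.1 ->", inbound_verdict("tcp", "202.100.1.1", port))
```

The point the model makes: adding a second nat server mapping (say for another TCP port on the same server) does not by itself expose the service, because the inbound policy still has to permit the translated destination and service; conversely, a policy that permits more than the published service is only reachable through whatever nat server entries exist. Keep both lists as narrow as the published service requires.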
7. Inter-department access test.
CLIENT1 pings CLIENT2
8. Restrict access between segments: wireless users must not be able to reach the sales department, the technical department or the servers.
The access restriction is configured on the core switch:
#
acl number 3000
rule 5 permit ip source 192.168.104.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 10 permit ip source 192.168.104.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 15 permit ip source 192.168.104.0 0.0.0.255 destination 192.168.103.0 0.0.0.255
#
traffic classifier c1
if-match acl 3000
#
traffic behavior b1
deny
#
traffic policy p1
classifier c1 behavior b1
#
drop-profile default
#
vlan 104
traffic-policy p1 inbound
#
Test after configuration:
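The following Python model (an added example of my own, not the document's or Huawei's code) reproduces how ACL 3000 and traffic policy p1 behave for traffic entering VLAN 104: wildcard-mask matching of the three permit rules selects wireless-to-department flows, behaviour b1 drops what classifier c1 matches, and everything else is forwarded. Running it over a constructed set of destination addresses also shows what the ACL leaves open: the rules cover 192.168.101.0/24, 192.168.102.0/24 and 192.168.103.0/24 only, so a wireless client is still forwarded to the management segment 192.168.200.0/24 (the switch and AC management addresses) and to the firewall interconnect 10.10.10.0/24. Adding ACL rules for those segments would bring the policy in line with the "Internet only" requirement stated in the introduction. The probe addresses are constructed; the rule values come from the configuration above.

```python
"""Model of the core-switch traffic policy from step 8.

Added example, not the document's or Huawei's code: ACL 3000 selects
wireless-to-department flows with wildcard masks, classifier c1 hands the
matches to behaviour b1 (deny), and unmatched traffic is forwarded.
"""
from ipaddress import ip_address
from typing import List, Optional, Tuple

# rule id, source, source wildcard, destination, destination wildcard ('acl number 3000')
ACL_3000: List[Tuple[int, str, str, str, str]] = [
    (5,  "192.168.104.0", "0.0.0.255", "192.168.101.0", "0.0.0.255"),
    (10, "192.168.104.0", "0.0.0.255", "192.168.102.0", "0.0.0.255"),
    (15, "192.168.104.0", "0.0.0.255", "192.168.103.0", "0.0.0.255"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_match(src: str, dst: str, acl=ACL_3000) -> Optional[int]:
    """Id of the first rule matching the flow, or None. The rules are 'permit',
    which for a classifier means 'select this traffic', not 'allow it'."""
    for rule_id, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return rule_id
    return None


def vlan104_inbound_action(src: str, dst: str) -> str:
    """'traffic-policy p1 inbound' on vlan 104: classifier c1 (acl 3000) -> behavior b1 (deny)."""
    return "deny" if acl_match(src, dst) is not None else "forward"


def reachable_from_wireless(src: str, destinations: List[str]) -> List[str]:
    """Destinations the policy still forwards for a wireless client at src."""
    return [d for d in destinations if vlan104_inbound_action(src, d) == "forward"]


# Constructed probe set: one address in each segment of the address plan.
PROBES = ["192.168.101.2", "192.168.102.1", "192.168.103.1",
          "192.168.200.254", "10.10.10.1", "202.100.1.2"]

if __name__ == "__main__":
    for dst in PROBES:
        print(f"192.168.104.10 -> {dst}: {vlan104_inbound_action('192.168.104.10', dst)}")
```

Because the policy is bound inbound on VLAN 104 only, flows from the other department VLANs are never classified by it; the model's `acl_match` returns None for any non-wireless source for the same reason.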