ENSP Demo OSPF & ETH & IPSec & WAF & WLAN


The headquarters has six departments, planned as shown in the figure:

  1. Each department is planned for at most 100 hosts and gets its own VLAN; all departments can reach each other.

  2. Deploy MSTP + VRRP for gateway redundancy: VLANs 10, 20, 30 and the wireless VLAN use AGSW7 by default, VLANs 40, 50, 60 use AGSW8 by default, so the two devices share the load and back each other up.

  3. VRRP tracks the uplink so that an uplink failure is detected and the gateway fails over.

  4. Department IP addresses are all assigned by DHCP; CSW9 and CSW10 both enable global DHCP address pools. CSW9 assigns addresses 1 to 100, CSW10 assigns 101 to 200, and 201 to 254 are excluded for use as gateway and reserved addresses.

  5. Aggregation devices ASW7 and ASW8 use link aggregation for link redundancy.

  6. Firewall FW1 is divided into Trust, Untrust and DMZ zones; every department can access the DMZ.

  7. Firewall FW1 enables NAT; after NAT translation every department can reach the Internet.

  8. Firewall FW1 and core switches CSW9 and CSW10 run OSPF, configured as backbone Area 0.

  9. CSW9, CSW10, AGSW7 and AGSW8 are configured as OSPF stub Area 1 to reduce the routing table.

  10. Deploy a wireless network; each department's wireless network shares the VLAN of its wired network.

The branch office has four departments:

  1. The departments can reach each other and share router AR2 as the gateway.

  2. Firewall FW2 and router AR2 use static routes.

  3. Firewall FW2 enables NAT; after NAT translation every department can reach the Internet.

The headquarters and branch firewalls both deploy an IPsec VPN so the two sites can communicate.

Other notes:

  1. To isolate departments from each other within the headquarters, MUX VLAN can additionally be configured.

  2. To isolate hosts within one department, Super VLAN can additionally be configured.

  3. To block a department's Internet access, configure a policy on the firewall.

  4. Access switches ACSW1, 2, 3 etc. at the headquarters can have STP edge ports configured so that plugging and unplugging hosts does not trigger STP reconvergence.

  5. Too many APs are deployed at the headquarters, which makes channel adjustment inconvenient.
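Requirements 2 and 3 above only work as intended when every switch in the MST region agrees on the instance-to-VLAN mapping and when, for each VLAN, the VRRP master is also the MSTP root of the instance that carries that VLAN (otherwise traffic crosses the inter-core link to reach its gateway). The following audit script is an added example, not part of the original post; it parses a constructed excerpt of the CSW9/CSW10 configuration shown later on this page (abbreviated VRP syntax, limited to VLANs 10 and 40, with the CSW10 instance 2 mapping deliberately mis-typed as "30 40 50" so the check has something to catch) and reports both kinds of mismatch.

```python
import re

# Constructed excerpt of the CSW9 / CSW10 configuration from this post (abbreviated
# VRP syntax kept as written), limited to VLANs 10 and 40. The CSW10 instance 2
# mapping is deliberately the mis-typed "30 40 50" so the audit has something to catch.
CONFIG = """
sysname CSW9
instance 1 vlan 10 20 30
instance 2 vlan 40 50 60
instance 3 vlan 100 200
stp instance 1 root primary
stp instance 3 root primary
int vlanif 10
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 120
int vlanif 40
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 90
sysname CSW10
instance 1 vlan 10 20 30
instance 2 vlan 30 40 50
instance 3 vlan 100 200
stp instance 2 root primary
int vlanif 10
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 90
int vlanif 40
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 120
"""


def parse_devices(text):
    """Return {sysname: {"instances": {id: set(vlans)}, "roots": set(ids), "vrrp": {vlan: prio}}}."""
    devices, dev, vlanif = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("sysname "):
            dev = devices.setdefault(line.split()[1], {"instances": {}, "roots": set(), "vrrp": {}})
            continue
        if dev is None:
            continue
        if m := re.match(r"instance (\d+) vlan (.+)", line):
            dev["instances"][int(m.group(1))] = {int(v) for v in m.group(2).split()}
        elif m := re.match(r"stp instance (\d+) root primary", line):
            dev["roots"].add(int(m.group(1)))
        elif m := re.match(r"int vlanif (\d+)", line):
            vlanif = int(m.group(1))
        elif re.match(r"vrrp vrid \d+ virtual-ip", line):
            dev["vrrp"].setdefault(vlanif, 100)          # VRRP default priority is 100
        elif m := re.match(r"vrrp vrid \d+ priority (\d+)", line):
            dev["vrrp"][vlanif] = int(m.group(1))
    return devices


def audit(devices):
    """Report MST region mismatches, VLANs mapped twice, and VRRP masters that are not the MSTP root."""
    findings = []
    names = list(devices)                      # first device in the text is the reference
    ref_name, ref = names[0], devices[names[0]]["instances"]
    for name in names:
        seen = {}
        for inst, vlans in devices[name]["instances"].items():
            if name != ref_name and ref.get(inst) != vlans:
                findings.append(f"{name}: instance {inst} maps {sorted(vlans)} but {ref_name} maps {sorted(ref.get(inst, ()))}")
            for v in sorted(vlans):
                if v in seen:
                    findings.append(f"{name}: VLAN {v} appears in instance {seen[v]} and instance {inst}")
                seen[v] = inst
    for v in sorted({v for d in devices.values() for v in d["vrrp"]}):
        prios = {n: devices[n]["vrrp"][v] for n in names if v in devices[n]["vrrp"]}
        master = max(prios, key=prios.get)
        if list(prios.values()).count(prios[master]) > 1:
            findings.append(f"VLAN {v}: equal VRRP priorities, master falls back to highest IP")
        inst = next((i for i, vs in devices[master]["instances"].items() if v in vs), None)
        if inst not in devices[master]["roots"]:
            findings.append(f"VLAN {v}: VRRP master {master} is not MSTP root for instance {inst}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_devices(CONFIG)) or ["no findings"]:
        print(line)
```

With the excerpt as given the script reports the instance 2 mismatch and that VLAN 30 is mapped to two instances on CSW10; correcting that line to "instance 2 vlan 40 50 60" clears both, and the VRRP/root alignment (CSW9 master and root for VLAN 10, CSW10 for VLAN 40) passes as designed.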


The interface plan for each device is below.

Headquarters devices:

Simulated Internet:

Branch devices:


Device configurations:

  Nearly identical configurations are not repeated here.

Headquarters:

sys
sysname ACSW1

vlan batch 10 20 30 40 50 60 100 200
int e0/0/4
p l a 
p d v 10
int e0/0/1
p l t
p t a v 
int e0/0/2
p l t
undo p t a v a
p t a v 10 100 200
int e0/0/3
p l t 
p t a v 100 200
p t p v 200

stp re
reg mstp
revision-level 1
instance 1 vlan 10 20 30 
instance 2 vlan 40 50 60
instance 3 vlan 100 200
ac re

sys
sysname AGSW7

vlan batch 10 20 30 40 50 60 100 200  

int g0/0/1
p l t
p t a v a 
int g0/0/2
p l t
p t a v a 
int g0/0/3
p l t
p t a v a 
int g0/0/4
p l t
p t a v a 
int g0/0/5
p l t
p t a v a 
int g0/0/6
p l t
p t a v a 
int g0/0/7
p l t
p t a v a 
int g0/0/8
p l t
p t a v a 

stp re
reg mstp
revision-level 1
instance 1 vlan 10 20 30
instance 2 vlan 40 50 60
instance 3 vlan 100 200
ac re

sys
sysname AGSW8

vlan batch 10 20 30 40 50 60 100 200 

int g0/0/1
p l t
p t a v a 
int g0/0/2
p l t
p t a v a 
int g0/0/3
p l t
p t a v a 
int g0/0/4
p l t
p t a v a 
int g0/0/5
p l t
p t a v a 
int g0/0/6
p l t
p t a v a 
int g0/0/7
p l t
p t a v a 
int g0/0/8
p l t
p t a v a 

stp re
reg mstp
revision-level 1
instance 1 vlan 10 20 30
instance 2 vlan 40 50 60
instance 3 vlan 100 200
ac re

sys
sysname CSW9

vlan batch 10 20 30 40 50 60 70 100 200 

stp re
reg mstp
revision-level 1
instance 1 vlan 10 20 30
instance 2 vlan 40 50 60 
instance 3 vlan 100 200
ac re
stp instance 1 root primary
stp instance 3 root primary
int g0/0/1
p l t
p t a v a 
int g0/0/2
p l t
p t a v a 

int eth-trunk 0
mode lacp-static
lacp priority 1

int g0/0/3
eth-trunk 0
int g0/0/4
eth-trunk 0

int vlanif 70
ip add 192.168.70.1 30
int g0/0/5
p l a 
p d v 70

int g0/0/6
p l t 
p t a v 100 200

int vlanif 10
ip add 192.168.10.252 24
int vlanif 20
ip add 192.168.20.252 24
int vlanif 30
ip add 192.168.30.252 24
int vlanif 40
ip add 192.168.40.252 24
int vlanif 50
ip add 192.168.50.252 24
int vlanif 60
ip add 192.168.60.252 24
int vlanif 100
ip add 192.168.100.252 24

int vlanif 10
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 120
vrrp vrid 10 track interface g0/0/5 reduced 50
int vlanif 20
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 120
vrrp vrid 20 track interface g0/0/5 reduced 50
int vlanif 30
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 120
vrrp vrid 30 track interface g0/0/5 reduced 50
int vlanif 40
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 90
vrrp vrid 40 track interface g0/0/5
int vlanif 50
vrrp vrid 50 virtual-ip 192.168.50.254
vrrp vrid 50 priority 90
vrrp vrid 50 track interface g0/0/5
int vlanif 60
vrrp vrid 60 virtual-ip 192.168.60.254
vrrp vrid 60 priority 90
vrrp vrid 60 track interface g0/0/5
int vlanif 100
vrrp vrid 100 virtual-ip 192.168.100.254
vrrp vrid 100 priority 120
vrrp vrid 100 track interface g0/0/5 reduced 50

ospf 1 router-id 9.9.9.9
a 0
net 192.168.70.1 0.0.0.0
q
a 1
stub
net 192.168.10.0 0.0.0.255
net 192.168.20.0 0.0.0.255
net 192.168.30.0 0.0.0.255
net 192.168.40.0 0.0.0.255
net 192.168.50.0 0.0.0.255
net 192.168.60.0 0.0.0.255
net 192.168.100.0 0.0.0.255

q
dhcp enable
ip pool vlan10
network 192.168.10.0 mask 24
gateway-list 192.168.10.254 
excluded-ip-address 192.168.10.101 192.168.10.253 
dns-list 192.168.90.10
lease day 3

ip pool vlan20
network 192.168.20.0 mask 24
gateway-list 192.168.20.254 
excluded-ip-address 192.168.20.101 192.168.20.253 
dns-list 192.168.90.10
lease day 3

ip pool vlan30
network 192.168.30.0 mask 24
gateway-list 192.168.30.254 
excluded-ip-address 192.168.30.101 192.168.30.253 
dns-list 192.168.90.10
lease day 3

ip pool vlan40
network 192.168.40.0 mask 24
gateway-list 192.168.40.254 
excluded-ip-address 192.168.40.101 192.168.40.253 
dns-list 192.168.90.10
lease day 3

ip pool vlan50
network 192.168.50.0 mask 24
gateway-list 192.168.50.254 
excluded-ip-address 192.168.50.101 192.168.50.253 
dns-list 192.168.90.20
lease day 3

ip pool vlan60
network 192.168.60.0 mask 24
gateway-list 192.168.60.254 
excluded-ip-address 192.168.60.101 192.168.60.253 
dns-list 192.168.90.20
lease day 3

int vlanif 10
dhcp select global
int vlanif 20
dhcp select global
int vlanif 30
dhcp select global
int vlanif 40
dhcp select global
int vlanif 50
dhcp select global
int vlanif 60
dhcp select global

sys
sysname CSW10

vlan batch 10 20 30 40 50 60 80 100 200 

stp re
reg mstp
revision-level 1
instance 1 vlan 10 20 30
instance 2 vlan 40 50 60
instance 3 vlan 100 200
ac re
stp instance 2 root primary

int g0/0/1
p l t
p t a v a 
int g0/0/2
p l t
p t a v a 

int eth-trunk 0
mode lacp-static
lacp priority 2

int g0/0/3
eth-trunk 0
int g0/0/4
eth-trunk 0

int vlanif 80
ip add 192.168.80.1 30
int g0/0/5
p l a 
p d v 80

int g0/0/6
p l t 
p t a v 100 200

int vlanif 10
ip add 192.168.10.253 24
int vlanif 20
ip add 192.168.20.253 24
int vlanif 30
ip add 192.168.30.253 24
int vlanif 40
ip add 192.168.40.253 24
int vlanif 50
ip add 192.168.50.253 24
int vlanif 60
ip add 192.168.60.253 24
int vlanif 100
ip add 192.168.100.253 24

int vlanif 10
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 90
vrrp vrid 10 track interface g0/0/5
int vlanif 20
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 90
vrrp vrid 20 track interface g0/0/5
int vlanif 30
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 90
vrrp vrid 30 track interface g0/0/5
int vlanif 40
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 120
vrrp vrid 40 track interface g0/0/5  reduced 50
int vlanif 50
vrrp vrid 50 virtual-ip 192.168.50.254
vrrp vrid 50 priority 120
vrrp vrid 50 track interface g0/0/5  reduced 50
int vlanif 60
vrrp vrid 60 virtual-ip 192.168.60.254
vrrp vrid 60 priority 120
vrrp vrid 60 track interface g0/0/5  reduced 50
int vlanif 100
vrrp vrid 100 virtual-ip 192.168.100.254
vrrp vrid 100 priority 90
vrrp vrid 100 track interface g0/0/5

ospf 1 router-id 10.10.10.10
a 0
net 192.168.80.1 0.0.0.0
q
a 1
stub
net 192.168.10.0 0.0.0.255
net 192.168.20.0 0.0.0.255
net 192.168.30.0 0.0.0.255
net 192.168.40.0 0.0.0.255
net 192.168.50.0 0.0.0.255
net 192.168.60.0 0.0.0.255
net 192.168.100.0 0.0.0.255

q
dhcp enable
ip pool vlan10
network 192.168.10.0 mask 24
gateway-list 192.168.10.254 
excluded-ip-address 192.168.10.1 192.168.10.100 
excluded-ip-address 192.168.10.201 192.168.10.253 
dns-list 192.168.90.10
lease day 3

ip pool vlan20
network 192.168.20.0 mask 24
gateway-list 192.168.20.254 
excluded-ip-address 192.168.20.1 192.168.20.100 
excluded-ip-address 192.168.20.201 192.168.20.253 
dns-list 192.168.90.10
lease day 3

ip pool vlan30
network 192.168.30.0 mask 24
gateway-list 192.168.30.254 
excluded-ip-address 192.168.30.1 192.168.30.100 
excluded-ip-address 192.168.30.201 192.168.30.253 
dns-list 192.168.90.10
lease day 3

ip pool vlan40
network 192.168.40.0 mask 24
gateway-list 192.168.40.254 
excluded-ip-address 192.168.40.1 192.168.40.100 
excluded-ip-address 192.168.40.201 192.168.40.253 
dns-list 192.168.90.10
lease day 3

ip pool vlan50
network 192.168.50.0 mask 24
gateway-list 192.168.50.254 
excluded-ip-address 192.168.50.1 192.168.50.100 
excluded-ip-address 192.168.50.201 192.168.50.253 
dns-list 192.168.90.20
lease day 3

ip pool vlan60
network 192.168.60.0 mask 24
gateway-list 192.168.60.254 
excluded-ip-address 192.168.60.1 192.168.60.100 
excluded-ip-address 192.168.60.201 192.168.60.253 
dns-list 192.168.90.20
lease day 3

int vlanif 10
dhcp select global
int vlanif 20
dhcp select global
int vlanif 30
dhcp select global
int vlanif 40
dhcp select global
int vlanif 50
dhcp select global
int vlanif 60
dhcp select global
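The two cores serve the same subnets with complementary exclusions, so the split described in requirement 4 only holds if the assignable ranges never overlap and together cover exactly .1 to .200. The script below is an added example, not part of the original post: it parses a constructed excerpt of the VLAN 10 pools from the CSW9 and CSW10 configuration above (the other VLANs follow the same pattern), computes what each server can actually lease, and flags any address both servers could hand out or any gap against the plan. It assumes, as VRP does, that gateway-list addresses are never leased.

```python
import ipaddress

# Constructed excerpt of the VLAN 10 pools from the CSW9 and CSW10 configuration in
# this post; the other VLANs follow the same pattern.
CONFIG = """
sysname CSW9
ip pool vlan10
network 192.168.10.0 mask 24
gateway-list 192.168.10.254
excluded-ip-address 192.168.10.101 192.168.10.253
sysname CSW10
ip pool vlan10
network 192.168.10.0 mask 24
gateway-list 192.168.10.254
excluded-ip-address 192.168.10.1 192.168.10.100
excluded-ip-address 192.168.10.201 192.168.10.253
"""


def parse_pools(text):
    """Return {(device, pool name): {"network": IPv4Network, "gateway": set, "excluded": set}}."""
    pools, device, cur = {}, None, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "sysname":
            device, cur = words[1], None
        elif words[:2] == ["ip", "pool"]:
            cur = pools[(device, words[2])] = {"network": None, "gateway": set(), "excluded": set()}
        elif cur is None:
            continue
        elif words[0] == "network":                 # "network A.B.C.D mask <len|dotted>"
            cur["network"] = ipaddress.ip_network(f"{words[1]}/{words[3]}", strict=False)
        elif words[0] == "gateway-list":
            cur["gateway"].update(map(ipaddress.ip_address, words[1:]))
        elif words[0] == "excluded-ip-address":     # single address or "start end"
            lo, hi = int(ipaddress.ip_address(words[1])), int(ipaddress.ip_address(words[-1]))
            cur["excluded"].update(ipaddress.ip_address(i) for i in range(lo, hi + 1))
    return pools


def assignable(pool):
    """Addresses the server can lease: subnet hosts minus gateway-list minus excluded ranges
    (VRP keeps gateway addresses out of the lease range; assumed here)."""
    return set(pool["network"].hosts()) - pool["gateway"] - pool["excluded"]


def ranges(addresses):
    """Collapse a set of addresses into sorted contiguous (first, last) string pairs."""
    out = []
    for a in sorted(addresses):
        if out and int(a) == int(out[-1][1]) + 1:
            out[-1][1] = a
        else:
            out.append([a, a])
    return [(str(lo), str(hi)) for lo, hi in out]


def audit(pools):
    """Flag addresses two servers on one subnet could both lease, and subnets whose
    combined leasable set is not hosts .1 to .200 (this post's address plan)."""
    findings, by_net = [], {}
    for key, pool in pools.items():
        by_net.setdefault(pool["network"], []).append((key, assignable(pool)))
    for net, entries in by_net.items():
        for i, (k1, a1) in enumerate(entries):
            for k2, a2 in entries[i + 1:]:
                both = a1 & a2
                if both:
                    findings.append(f"{net}: {k1[0]} and {k2[0]} can both lease {len(both)} addresses "
                                    f"({ranges(both)[0][0]} ...)")
        union = set().union(*(a for _, a in entries))
        expected = set(list(net.hosts())[:200])   # plan: hosts .1 - .200 are leasable
        if union != expected:
            findings.append(f"{net}: combined leasable {ranges(union)}, plan expects {ranges(expected)}")
    return findings


if __name__ == "__main__":
    pools = parse_pools(CONFIG)
    for key, pool in pools.items():
        print(key, ranges(assignable(pool)))
    print(audit(pools) or "no findings")
```

For the configuration as posted the two servers come out at .1 to .100 and .101 to .200 with no findings; shortening CSW10's first exclusion to .90, for instance, makes the script report ten addresses that both servers could lease, which is the duplicate-address condition the split is meant to prevent.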

sys
sysname FW1

firewall zone trust 
add int g1/0/0
add int g1/0/1
firewall zone untrust
add int g1/0/3
firewall zone dmz
add int g1/0/2

int g1/0/0
ip add 192.168.70.2 30
service-m ping permit
service-m ssh permit
service-m http permit
service-m https permit

int g1/0/1
ip add 192.168.80.2 30
service-m ping permit
service-m ssh permit
service-m http permit
service-m https permit

int g1/0/2
ip add 192.168.90.2 24
service-m ping permit
service-m ssh permit
service-m http permit
service-m https permit

int g1/0/3
ip add 12.0.0.1 30
service-m ping permit
service-m ssh permit
service-m http permit
service-m https permit

q
ip route-static 0.0.0.0 0 12.0.0.2

ospf 1 router-id 1.1.1.1
default-route-advertise
a 0
net 192.168.70.2 0.0.0.0 
net 192.168.80.2 0.0.0.0
net 192.168.90.2 0.0.0.0

security-policy 
rule name 1
action permit

nat-policy 
rule name 1
source-address 192.168.0.0 0.0.255.255
destination-address 172.16.0.0 0.0.255.255
action no-nat
rule name 2
source-address 172.16.0.0 0.0.255.255
destination-address 192.168.0.0 0.0.255.255
action no-nat
rule name 5
source-zone trust
destination-zone untrust
action source-nat easy-ip


acl 3000 
rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255 

ipsec proposal ipsecvpn
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128

ike proposal 1
authentication-method pre-share
authentication-algorithm sha2-256
encryption-algorithm aes-256
dh group14
sa duration 3600

ike peer 1 
exchange-mode main
pre-shared-key cipher zx@123
ike-proposal 1
remote-address 23.0.0.1
local-id 12
remote-id 23

ipsec policy ipsecvpn 1 isakmp
security acl 3000
proposal ipsecvpn
ike-peer 1

int g1/0/3
ipsec policy ipsecvpn

Branch office:

sys
sysname ACSW15

vlan batch 10 20 
int e0/0/1
p l t 
p t a v a 
int e0/0/2
p l a 
p d v 10

sys
sysname AGSW13

vlan batch 10 20
int g0/0/1
p l t
p t a v a 
int g0/0/2
p l t
p t a v a 
int g0/0/3
p l t 
p t a v a 

sys
sysname AGSW14

vlan batch 30 40
int g0/0/1
p l t
p t a v a 
int g0/0/2
p l t
p t a v a 
int g0/0/3
p l t 
p t a v a 

sys
sysname AR2

dhcp enable

int g0/0/0
ip add 172.16.50.1 30
int g0/0/1.10
dot1q termination vid 10
ip add 172.16.10.254 24
arp broadcast enable
dhcp select interface
int g0/0/1.20
dot1q termination vid 20
ip add 172.16.20.254 24
arp broadcast enable
dhcp select interface
int g2/0/0.30
dot1q termination vid 30
ip add 172.16.30.254 24
arp broadcast enable
dhcp select interface
int g2/0/0.40
dot1q termination vid 40
ip add 172.16.40.254 24
arp broadcast enable
dhcp select interface

ip route-static 0.0.0.0 0 172.16.50.2

sys
sysname FW2

int g1/0/1
ip add 172.16.50.2 30
int g1/0/0
ip add 23.0.0.1 30

firewall zone trust
add interface g1/0/1
firewall zone untrust
add interface g1/0/0

ip route-static 0.0.0.0 0 23.0.0.2
ip route-static 172.16.0.0 16 172.16.50.1

security-policy 
rule name 1
action permit

nat-policy 
rule name 1
source-address 172.16.0.0 0.0.255.255
destination-address 192.168.0.0 0.0.255.255
action no-nat
rule name 2
source-address 192.168.0.0 0.0.255.255
destination-address 172.16.0.0 0.0.255.255
action no-nat
rule name 5
source-zone trust
destination-zone untrust
action source-nat easy-ip

int g1/0/1
service-manage ping permit
service-manage ssh permit
service-manage http permit
service-manage https permit
int g1/0/0
service-manage ping permit
service-manage ssh permit
service-manage http permit
service-manage https permit


acl 3000
rule 5 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255

ipsec proposal ipsecvpn
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128

ike proposal 1
authentication-method pre-share
authentication-algorithm sha2-256
encryption-algorithm aes-256
dh group14
sa duration 3600

ike peer 1 
exchange-mode main
pre-shared-key cipher zx@123
ike-proposal 1
remote-address 12.0.0.1
local-id 23
remote-id 12

ipsec policy ipsecvpn 1 isakmp
security acl 3000
proposal ipsecvpn
ike-peer 1

int g1/0/0
ipsec policy ipsecvpn
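A site-to-site tunnel fails to come up when the two ends disagree on any of the values above, and the failure usually surfaces only as an IKE negotiation timeout. The script below is an added example, not part of the original post: it parses a constructed excerpt of the FW1 and FW2 configuration (abbreviated VRP syntax as written there, with each endpoint's `ip add` and `ipsec policy` lines merged under one interface block) and checks that remote-address points at the other side's endpoint, that local-id/remote-id are swapped correctly, that the IKE and IPsec proposals and the pre-shared key match, and that the interesting-traffic ACLs are mirror images. `MIN_PSK_LEN` is an assumed local policy threshold, not a VRP limit.

```python
import re

# Constructed excerpt of the FW1 / FW2 configuration in this post (abbreviated VRP syntax);
# addresses, IDs and the lab pre-shared key are the page's own values.
CONFIG = """
sysname FW1
int g1/0/3
ip add 12.0.0.1 30
ipsec policy ipsecvpn
acl 3000
rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
ipsec proposal ipsecvpn
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
ike proposal 1
authentication-algorithm sha2-256
encryption-algorithm aes-256
dh group14
ike peer 1
pre-shared-key cipher zx@123
remote-address 23.0.0.1
local-id 12
remote-id 23
sysname FW2
int g1/0/0
ip add 23.0.0.1 30
ipsec policy ipsecvpn
acl 3000
rule 5 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
ipsec proposal ipsecvpn
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
ike proposal 1
authentication-algorithm sha2-256
encryption-algorithm aes-256
dh group14
ike peer 1
pre-shared-key cipher zx@123
remote-address 12.0.0.1
local-id 23
remote-id 12
"""

SECTION = re.compile(r"^(sysname|int|acl|ipsec proposal|ike proposal|ike peer) (\S+)")
MIN_PSK_LEN = 16  # assumed local policy threshold, not a VRP limit


def parse(text):
    """Split the text into {device: {section header: [lines under it]}}."""
    devices, dev, sect = {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = SECTION.match(line)
        if m and m.group(1) == "sysname":
            dev, sect = devices.setdefault(m.group(2), {}), None
        elif m:
            sect = dev.setdefault(m.group(0), [])
        elif sect is not None:
            sect.append(line)
    return devices


def val(lines, key):
    return next((l[len(key) + 1:] for l in lines if l.startswith(key + " ")), None)


def section(dev, prefix):
    return next(v for k, v in dev.items() if k.startswith(prefix))


def endpoint(name, dev):
    """Collect the fields that must agree between the two tunnel ends."""
    peer, ikep, ipsp = section(dev, "ike peer"), section(dev, "ike proposal"), section(dev, "ipsec proposal")
    rule = section(dev, "acl")[0].split()
    outside = next(v for k, v in dev.items() if k.startswith("int ") and val(v, "ipsec policy"))
    return {
        "name": name,
        "local": val(outside, "ip add").split()[0],     # interface carrying the policy
        "remote": val(peer, "remote-address"),
        "local_id": val(peer, "local-id"), "remote_id": val(peer, "remote-id"),
        "psk": val(peer, "pre-shared-key cipher"),
        "ike": tuple(val(ikep, k) for k in ("authentication-algorithm", "encryption-algorithm", "dh")),
        "ipsec": tuple(val(ipsp, k) for k in ("esp authentication-algorithm", "esp encryption-algorithm")),
        "acl": (rule[rule.index("source") + 1], rule[rule.index("destination") + 1]),
    }


def audit_pair(a, b):
    """Findings for one tunnel: asymmetric addressing or IDs, mismatched proposals or key,
    non-mirrored interesting-traffic ACLs, and a PSK below the assumed length policy."""
    f = []
    for x, y in ((a, b), (b, a)):
        if x["remote"] != y["local"]:
            f.append(f"{x['name']}: remote-address {x['remote']} is not {y['name']} endpoint {y['local']}")
        if x["local_id"] != y["remote_id"]:
            f.append(f"{x['name']}: local-id {x['local_id']} != {y['name']} remote-id {y['remote_id']}")
    for field in ("psk", "ike", "ipsec"):
        if a[field] != b[field]:
            f.append(f"{field} differs: {a[field]} vs {b[field]}")
    if a["acl"] != b["acl"][::-1]:
        f.append(f"ACLs are not mirror images: {a['acl']} vs {b['acl']}")
    for e in (a, b):
        if len(e["psk"] or "") < MIN_PSK_LEN:
            f.append(f"{e['name']}: pre-shared key shorter than {MIN_PSK_LEN} characters")
    return f


def check(text):
    a, b = (endpoint(n, d) for n, d in parse(text).items())
    return audit_pair(a, b)
```

Run against the excerpt, the only findings are the two short-key notices for the lab value `zx@123`; changing FW1's remote-address or local-id to a value FW2 does not expect adds the corresponding asymmetry finding at the top of the list.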

AC configuration:

sys
sysname AC1

vlan batch 200

stp re
reg mstp
revision-level 1
instance 1 vlan 10 20 30
instance 2 vlan 40 50 60
instance 3 vlan 100 200
ac re

dhcp enable
int vlan 200
ip add 192.168.200.254 24
dhcp select interface 

capture-packet
capwap source interface vlanif 200

int g0/0/1
p l t
p t a v a 
q

vlan pool vlan123456
vlan 10 20 30 40 50 60

wlan
security-profile name 1
security wpa-wpa2 psk pass-phrase zxc@1234 aes
q

ssid-profile name 1
ssid vlan100_wifi

vap-profile name 1
security-profile 1
ssid-profile 1
service-vlan vlan123456
q
ap auth-mode no-auth 
ap-group name default
vap-profile 1 wlan 1 radio all

Posted by: 让我读个条