整體規(guī)劃

采用三層網(wǎng)絡(luò)結(jié)構(gòu)沪哺，核心沈自、匯聚三層互聯(lián)，堆疊采用40G網(wǎng)絡(luò)辜妓，匯聚10G枯途，接入1G，網(wǎng)關(guān)下放到匯聚籍滴，交換機(jī)采用獨(dú)立管理VLAN酪夷，模擬某工廠真實(shí)網(wǎng)絡(luò)情況。

功能實(shí)現(xiàn)

1孽惰、核心晚岭、匯聚堆疊，動(dòng)態(tài)端口聚合

2勋功、配置DHCP服務(wù)器為多個(gè)VLAN服務(wù)

3腥例、靜態(tài)路由與OSPF配置

4、外網(wǎng)NAT訪問(wèn)實(shí)現(xiàn)

5酝润、接入交換機(jī)Telnet、管理IP實(shí)現(xiàn)

6璃弄、SNMP網(wǎng)管服務(wù)部署

7要销、監(jiān)控?cái)z像頭隔離

8、DHCP仿冒防御

9夏块、端口隔離

項(xiàng)目文件分享

模擬器為H3C官方HCL模擬器疏咐，安裝并導(dǎo)入即可

?下載

配置詳情

1纤掸、設(shè)置固定IP，配置主機(jī)名

如圖片所示

2浑塞、核心堆疊借跪，采用40G口堆疊

核心1

<hexin1>sys

System View: return to User View with Ctrl+Z.

[hexin1]int range FortyGigE 1/0/53 to FortyGigE 1/0/54

[hexin1-if-range]shu

[hexin1-if-range]quit

[hexin1]irf member 1 priority 32

[hexin1]irf-port 1/1

[hexin1-irf-port1/1]port group interface FortyGigE 1/0/53

[hexin1-irf-port1/1]port group interface FortyGigE 1/0/54

[hexin1-irf-port1/1]quit

[hexin1]irf-port-configuration active

[hexin1]int range FortyGigE 1/0/53 to FortyGigE 1/0/54

[hexin1-if-range]un sh

[hexin1-if-range]save

核心2

[hexin2]sys

[hexin2]irf member 1 renumber 2

Renumbering the member ID may result in configuration change or loss. Continue?[Y/N]:y

[hexin2]quit

<hexin2>reboot

<hexin2>sys

System View: return to User View with Ctrl+Z.

[hexin2]interface range FortyGigE 2/0/53 to FortyGigE 2/0/54

[hexin2-if-range]shu

[hexin2-if-range]quit

[hexin2]irf member 2 priority 1

[hexin2]irf-port 2/2

[hexin2-irf-port2/2]port group interface FortyGigE 2/0/53

[hexin2-irf-port2/2]port group interface FortyGigE 2/0/54

[hexin2-irf-port2/2]qui

[hexin2]irf-port-configuration? active

[hexin2]interface range FortyGigE 2/0/53 to FortyGigE 2/0/54

[hexin2-if-range]un sh

[hexin2-if-range]quit

[hexin2]save

連接堆疊線后，機(jī)器自動(dòng)重啟酌壕，此時(shí)兩臺(tái)交換機(jī)終端都會(huì)顯示為?hexin1

3掏愁、車間匯聚堆疊，采用40G口

步驟與核心相同卵牍，堆疊后兩臺(tái)終端都會(huì)顯示為?chejianhuiju1

4果港、按圖片為交換機(jī)配置IP和VLAN，三層采用路由模式糊昙，匯聚下聯(lián)trunk辛掠，接入上聯(lián)trunk，下聯(lián)對(duì)應(yīng)vlan

車間匯聚做端口聚合

[chejianhuiju1]vlan 1004

[chejianhuiju1-vlan1004]int vlan 1004

[chejianhuiju1-Vlan-interface1004]ip add 10.0.4.254 24

[chejianhuiju1-Vlan-interface1004]quit

[chejianhuiju1]int Bridge-Aggregation 1

[chejianhuiju1-Bridge-Aggregation1]link-aggregation mode dynamic

[chejianhuiju1-Bridge-Aggregation1]quit

[chejianhuiju1]int g1/0/1

[chejianhuiju1-GigabitEthernet1/0/1]port link-aggregation group 1

[chejianhuiju1-GigabitEthernet1/0/1]int g2/0/1

[chejianhuiju1-GigabitEthernet2/0/1]port link-aggregation group 1

[chejianhuiju1-GigabitEthernet2/0/1]dis link-aggregation verbose

? GE1/0/1? ? ? ? ? ? 0? ? ? 32768? ? 0? ? ? ? 0x8000, 0000-0000-0000 {EF}

? GE2/0/1? ? ? ? ? ? 0? ? ? 32768? ? 0? ? ? ? 0x8000, 0000-0000-0000 {EF}

[chejianhuiju1-GigabitEthernet2/0/1]vlan 1004

[chejianhuiju1-vlan1004]port Bridge-Aggregation 1

[chejianhuiju1]int Bridge-Aggregation 1

[chejianhuiju1-Bridge-Aggregation1]port link-type trunk

[chejianhuiju1-Bridge-Aggregation1]port trunk permit vlan all

[chejianhuiju1-Bridge-Aggregation1]save

驗(yàn)證生產(chǎn)設(shè)備释牺，ping 10.0.20.4 10.0.50.5 10.0.4.254 都通

5萝衩、配置OSPF，實(shí)現(xiàn)車間没咙、辦公猩谊、生產(chǎn)服務(wù)器、基礎(chǔ)服務(wù)器互通

配置核心

<hexin1>sys

System View: return to User View with Ctrl+Z.

[hexin1]ospf

[hexin1-ospf-1]area 0

[hexin1-ospf-1-area-0.0.0.0]netwo

[hexin1-ospf-1-area-0.0.0.0]network 10.0.70.0 0.0.0.255

[hexin1-ospf-1-area-0.0.0.0]network 10.0.40.0 0.0.0.255

[hexin1-ospf-1-area-0.0.0.0]network 10.0.60.0 0.0.0.255

[hexin1-ospf-1-area-0.0.0.0]network 10.0.30.0 0.0.0.255

[hexin1-ospf-1-area-0.0.0.0]network 10.0.50.0 0.0.0.255

[hexin1-ospf-1-area-0.0.0.0]quit

配置車間匯聚

<chejianhuiju1>sys

System View: return to User View with Ctrl+Z.

[chejianhuiju1]ospf

[chejianhuiju1-ospf-1]area 0

[chejianhuiju1-ospf-1-area-0.0.0.0]network 10.0.4.0 0.0.0.255

[chejianhuiju1-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255

[chejianhuiju1-ospf-1-area-0.0.0.0]network 10.0.50.0 0.0.0.255

[chejianhuiju1-ospf-1-area-0.0.0.0]quit

生產(chǎn)設(shè)備ping核心通镜撩，其他配置類似预柒。

6、配置DHCP服務(wù)器

使用三層交換機(jī)搭建DHCP服務(wù)器袁梗，ping測(cè)試

[H3C]hostname dhcp

[dhcp]int g1/0/1

[dhcp-GigabitEthernet1/0/1]port link-mode route

[dhcp-GigabitEthernet1/0/1]ip add 10.0.0.1 24

[dhcp-GigabitEthernet1/0/1]save

[dhcp-GigabitEthernet1/0/1]quit

[dhcp]ip route-static 0.0.0.0 0 10.0.0.254

[dhcp]ping 10.0.0.254

Ping 10.0.0.254 (10.0.0.254): 56 data bytes, press CTRL_C to break

56 bytes from 10.0.0.254: icmp_seq=0 ttl=255 time=0.000 ms

創(chuàng)建DHCP池

[dhcp]dhcp enable

dhcp server ip-pool bangong

gateway-list 10.0.3.254

network 10.0.3.0 mask 255.255.255.0

address range 10.0.3.100 10.0.3.200

dns-list 8.8.8.8

expired day 3

#

dhcp server ip-pool wuxian

gateway-list 10.0.2.254

network 10.0.2.0 mask 255.255.255.0

address range 10.0.2.150 10.0.2.200

dns-list 114.114.114.114

expired day 3

#

沿途匯聚宜鸯、核心都要開(kāi)啟DHCP中繼，二層只要有對(duì)應(yīng)VLAN并trunk即可遮怜。

[jichuhuiju]dhcp enable

#

interface Vlan-interface1002

dhcp select relay

dhcp relay server-address 10.0.0.1

#

interface Vlan-interface1003

dhcp select relay

dhcp relay server-address 10.0.0.1

#

查看客戶端IP淋袖，成功獲取IP

[dhcp]display dhcp server ip-in-use

IP address? ? ? Client identifier/? ? Lease expiration? ? ? Type

? ? ? ? ? ? ? ? Hardware address

10.0.2.150? ? ? 0038-6163-312e-3334-? Jun 26 20:35:43 2021? Auto(C)

? ? ? ? ? ? ? ? 3266-2e31-3730-362d-

? ? ? ? ? ? ? ? 4745-302f-302f-31

10.0.3.100? ? ? 0038-6137-362e-3466-? Jun 28 20:35:31 2021? Auto(C)

? ? ? ? ? ? ? ? 3864-2e31-3230-362d-

? ? ? ? ? ? ? ? 4745-302f-302f-31

7、配置專線锯梁，僅辦公和無(wú)線可以訪問(wèn)

辦公匯聚即碗、無(wú)線匯聚、核心陌凳、專線靜態(tài)路由

[wuxianhuiju] ip route-static 10.1.0.0 24 10.0.60.10

[hexin1]ip route-static 10.1.0.0 24 10.0.90.18

[zhuanxianwangguan]ip route-static 10.0.2.0 24 10.0.90.15

測(cè)試辦公和無(wú)線都可以訪問(wèn)專線IP10.1.0.2

8剥懒、配置辦公和無(wú)線能訪問(wèn)外網(wǎng)，但外網(wǎng)無(wú)法直接訪問(wèn)內(nèi)網(wǎng)

辦公匯聚合敦、無(wú)線匯聚初橘、核心默認(rèn)路由，外網(wǎng)網(wǎng)關(guān)靜態(tài)路由

[bangonghuiju]ip route-static 0.0.0.0 0 10.0.30.6

[wuxianhuiju]ip route-static 0.0.0.0 0 10.0.60.10

[hexin1]ip route-static 0.0.0.0 0 10.0.10.1

[waibuwangguan]ip route-static 10.0.3.0 24 10.0.10.2

[waibuwangguan]ip route-static 10.0.2.0 24 10.0.10.2

配置最簡(jiǎn)單NAT訪問(wèn)方式Easy IP

[waibuwangguan]acl basic 200

[waibuwangguan-acl-ipv4-basic-2000]rule 0 permit source 10.0.2.0 0.0.0.255

[waibuwangguan-acl-ipv4-basic-2000]acl basic 2001

[waibuwangguan-acl-ipv4-basic-2001]rule 0 permit source 10.0.3.0 0.0.0.255

[waibuwangguan-acl-ipv4-basic-2001]quit

[waibuwangguan]int g0/0

[waibuwangguan-GigabitEthernet0/0]nat outbound 2001

[waibuwangguan-GigabitEthernet0/0]nat outbound 2000

辦公和無(wú)線ping外網(wǎng)1.1.1.2通，外網(wǎng)ping內(nèi)網(wǎng)不通

9保檐、POE供電

受模擬器限制無(wú)法實(shí)現(xiàn)耕蝉，實(shí)際在無(wú)線接入執(zhí)行?poe enable?即可

10、辦公人員通過(guò)telnet遠(yuǎn)程管理車間接入交換機(jī)

車間匯聚創(chuàng)建管理vlan2000

[chejianhuiju1]vlan 2000

[chejianhuiju1-vlan2000]int vlan 2000

[chejianhuiju1-Vlan-interface2000]ip add 192.168.1.254 24

車間接入創(chuàng)建管理vlan夜只，開(kāi)啟telnet服務(wù)垒在，設(shè)置默認(rèn)路由

<chejianjieru>sys

System View: return to User View with Ctrl+Z.

[chejianjieru]vlan 2000

[chejianjieru-vlan2000]int vlan 2000

[chejianjieru-Vlan-interface2000]ip add 192.168.1.2 24

[chejianjieru-Vlan-interface2000]quit

[chejianjieru]user-interface vty 0 4

[chejianjieru-line-vty0-4]authentication-mode scheme

[chejianjieru-line-vty0-4]quit

[chejianjieru]local-user admin

New local user added.

[chejianjieru-luser-manage-admin]password simple 123456

[chejianjieru-luser-manage-admin]authorization-attribute user-role level-15

[chejianjieru-luser-manage-admin]service-type telnet

[chejianjieru-luser-manage-admin]quit

[chejianjieru]telnet server enable

[chejianjieru]save

[chejianjieru]ip route-static 0.0.0.0 0 192.168.1.254

核心添加靜態(tài)路由

[hexin1]ip route-static 192.168.1.0 24 10.0.20.4

辦公人員遠(yuǎn)程telnet

<bangonghuiju>telnet 192.168.1.2

Trying 192.168.1.2 ...

Press CTRL+K to abort

Connected to 192.168.1.2 ...

******************************************************************************

* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? *

* no decompiling or reverse-engineering shall be allowed.? ? ? ? ? ? ? ? ? ? *

******************************************************************************

login: admin

Password:

<chejianjieru>

11、配置snmp網(wǎng)絡(luò)管理協(xié)議

配置向10.0.0.1發(fā)送設(shè)備信息

snmp-agent

snmp-agent community write private

snmp-agent community read public

snmp-agent sys-info version all

snmp-agent target-host trap address udp-domain 10.0.0.1 params securityname public v2c

12扔亥、配置監(jiān)控網(wǎng)絡(luò)场躯，辦公和無(wú)線可以訪問(wèn)監(jiān)控服務(wù)器，不可訪問(wèn)攝像頭砸王，攝像頭僅與監(jiān)控服務(wù)器互相訪問(wèn)

核心設(shè)置靜態(tài)路由推盛，監(jiān)控匯聚設(shè)置默認(rèn)路由

[hexin1]ip route-static 10.0.5.0 24 10.0.80.17

[jiankonghuiju]ip route-static 0.0.0.0 0 10.0.80.16

在監(jiān)控匯聚上聯(lián)接口配置ACL規(guī)則，只允許訪問(wèn)10.0.5.1發(fā)出谦铃，其他禁止耘成，從而達(dá)到只允許監(jiān)控服務(wù)器被訪問(wèn)的目的

[jiankonghuiju]acl basic 2000

[jiankonghuiju-acl-ipv4-basic-2000]rule 0 permit source 10.0.5.1 0

[jiankonghuiju-acl-ipv4-basic-2000]rule 1 deny

[jiankonghuiju-acl-ipv4-basic-2000]quit

[jiankonghuiju]int Ten-GigabitEthernet1/0/49

[jiankonghuiju-Ten-GigabitEthernet1/0/49]packet-filter 2000 outbound

測(cè)試辦公可以ping通10.0.5.1，不能ping通10.0.5.2

13驹闰、配置DHCP snooping瘪菌，防止仿冒攻擊

全局開(kāi)啟dhcp snooping，上聯(lián)端口啟用dhcp信任

[bangongjieru]dhcp snooping enable

[bangongjieru]interface GigabitEthernet1/0/2

[bangongjieru]dhcp snooping trust

14嘹朗、配置端口隔離师妙，減少接入傻瓜交換機(jī)造成的網(wǎng)絡(luò)風(fēng)暴，防御ARP攻擊

[H3C]port-isolate group 2

[H3C]int g1/0/1

[H3C-GigabitEthernet1/0/1]port-isolate enable group 2

[H3C-GigabitEthernet1/0/1]int g1/0/2

[H3C-GigabitEthernet1/0/2]port-isolate enable group 2

[H3C-GigabitEthernet1/0/2]quit

[H3C]dis port-isolate group 2

Port isolation group information:

Group ID: 2

Group members:

GigabitEthernet1/0/1? ? ? ? ? GigabitEthernet1/0/2

總結(jié)

爽