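Small and Medium Enterprise Network Structure Design 1 (Huawei Edition)
Copyright notice: this is an original work. Reposting is permitted, provided the original source, the author information and this notice are indicated with a hyperlink. Otherwise legal liability will be pursued. http://xiaoxia.blog.51cto.com/23357/62442
Requirements:
A company with a leased-line connection has one Huawei router, one Layer 3 switch and several Layer 2 switches.
1. Several VLANs must be created for the different departments.
2. All hosts must be able to reach the Internet through the router.
Design approach:
1. The router configuration is fairly simple: it mainly performs NAT and uses an ACL to control which hosts can reach the external network.
2. The Layer 3 switch defines the VLANs and routes between the internal VLANs; terminals or Layer 2 switches can be connected to it directly.
3. The Layer 2 switches connect the terminals.
Issues such as antivirus ACL lists and VLAN interconnection and isolation techniques are not discussed in this design. If readers are interested, we can cover them in a separate article.
This design uses Huawei products as the example. The configuration principles for Cisco products are the same; only the command lines differ. Anyone so inclined is welcome to translate it into a Cisco configuration.
In fact, you can also do without the Layer 3 switch and configure router-on-a-stick directly on the router. It is just not suitable for complex networks or for growth.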
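For design point 1, ACL 2000 (left as permit-all in the router configuration below) can be narrowed to the two department subnets, and a second ACL can limit Telnet to the router as the author suggests. This is an added example, not part of the original post; the blocked host 192.168.2.50, ACL number 2001, the choice of VLAN 10 as the management subnet and the password placeholder are assumptions made for illustration.

```text
# Added example (not from the original post). Subnets are the page's VLAN 10/20
# ranges; host 192.168.2.50 and ACL 2001 are constructed for illustration.
#
# Internet access: block one host, permit both department subnets, deny the rest
acl number 2000
 rule 0 deny source 192.168.2.50 0
 rule 5 permit source 192.168.1.0 0.0.0.255
 rule 10 permit source 192.168.2.0 0.0.0.255
 rule 15 deny
#
# Management access: only VLAN 10 (assumed to hold the admin workstations)
acl number 2001
 rule 0 permit source 192.168.1.0 0.0.0.255
 rule 5 deny
#
# The WAN interface keeps translating only what ACL 2000 permits
interface Ethernet0/0
 nat outbound 2000
#
# Telnet: require a password and accept sessions only from ACL 2001 sources
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode password
 set authentication password cipher <your-password>
```

Rules are matched in ascending rule number, so the host-specific deny must come before the subnet permit that would otherwise match it.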
Configuration:
I. Router configuration
```
version 5.20, Release 1205P02, Basic
# Name the router
sysname HUAWE-ROUTE
#
domain default enable system
#
vlan 1
#
radius scheme system
 server-type extended
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
# Define the ACL. It permits all IPs to reach the external network;
# here you can permit or deny specific hosts instead.
acl number 2000
 rule 0 permit
#
interface Aux0
 async mode flow
 link-protocol ppp
# Interface connected to the leased line; configure the IP assigned by the carrier
interface Ethernet0/0
 nat outbound 2000
 duplex full
 speed 100
 ip address 218.22.3.126 255.255.255.252
# Address facing the LAN Layer 3 switch
interface Ethernet0/1
 description TO-SWitch
 duplex full
 speed 100
 ip address 192.168.8.1 255.255.255.252
#
interface NULL0
# Default route to the public network
ip route-static 0.0.0.0 0.0.0.0 218.22.3.125
# Return route to the Layer 3 switch
ip route-static 192.168.0.0 255.255.0.0 192.168.8.2
#
user-interface con 0
user-interface aux 0
# No Telnet login password is set, so people on the external network cannot
# log in, and of course neither can you. Ha, secure, right? (If you want Telnet,
# you need to set a password and an ACL that blocks logins from the external network.)
user-interface vty 0 4
#
return
```
II. Layer 3 switch configuration
```
# Name the switch
sysname hwswich
# Set the device super password
super password level 3 cipher ;1>$VGEA)N2C+1!!
#
radius scheme system
 server-type huawei
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
domain system
 radius-scheme system
 access-limit disable
 state active
 vlan-assignment-mode integer
 idle-cut disable
 self-service-url disable
 messenger time disable
domain default enable system
#
local-server nas-ip 127.0.0.1 key huawei
# Create the service VLANs and the VLAN for the link to the router
vlan 5
 description to-router
#
vlan 10
 description bumen1
#
vlan 20
 description bumen2
# Assign an IP address to each SVI; this is the gateway for the PCs in that VLAN
#
interface Vlan-interface 5
 description to-router
 ip address 192.168.8.2 255.255.255.252
interface Vlan-interface 10
 ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface 20
 ip address 192.168.2.1 255.255.255.0
# Interface connected to the Layer 2 switch
interface Ethernet0/1
 duplex full
 speed 100
 port link-type trunk
 port trunk permit vlan 10 20
# Interfaces for ordinary terminals
interface Ethernet0/2
 port access vlan 10
#
interface Ethernet0/3
 port access vlan 20
#
interface Ethernet0/4
 shutdown
#
interface Ethernet0/5
#
interface Ethernet0/6
 shutdown
#
interface Ethernet0/7
 shutdown
#
interface Ethernet0/8
 shutdown
#
interface Ethernet0/9
 shutdown
#
interface Ethernet0/10
 shutdown
#
interface Ethernet0/11
 shutdown
#
interface Ethernet0/12
 shutdown
#
interface Ethernet0/13
 shutdown
#
interface Ethernet0/14
 shutdown
#
interface Ethernet0/15
 shutdown
#
interface Ethernet0/16
 shutdown
#
interface Ethernet0/17
 shutdown
#
interface Ethernet0/18
 shutdown
#
interface Ethernet0/19
 shutdown
#
interface Ethernet0/20
 shutdown
#
interface Ethernet0/21
 shutdown
#
interface Ethernet0/22
 shutdown
#
interface Ethernet0/23
 shutdown
# Interface connected to the router
interface Ethernet0/24
 description to-router
 duplex full
 speed 100
 port access vlan 5
#
# SNMP network-management configuration; optional.
# (public is the well-known default community string; change it if SNMP is kept.)
snmp-agent
snmp-agent local-engineid 800007DB000FE23F864D6877
snmp-agent community read public
snmp-agent sys-info contact HuaWei_Hotline 4008302118or8008302118
snmp-agent sys-info location BeiJing China
snmp-agent sys-info version all
# Set the default route
ip route-static 0.0.0.0 0.0.0.0 192.168.8.1
user-interface aux 0
# Set the Telnet login password
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher CZP'5O+PV9=FQ!!
#
return
```
III. Layer 2 switch configuration
```
#
sysname L1-1
#
radius scheme system
 server-type huawei
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
domain system
 radius-scheme system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 messenger time disable
domain default enable system
#
local-server nas-ip 127.0.0.1 key huawei
#
interface Aux0/0
#
vlan 1
#
vlan 10
#
vlan 20
#
interface Ethernet0/1
 port access vlan 10
#
interface Ethernet0/2
 port access vlan 10
#
interface Ethernet0/3
 port access vlan 10
#
interface Ethernet0/4
 port access vlan 10
#
interface Ethernet0/5
 port access vlan 10
#
interface Ethernet0/6
 port access vlan 10
#
interface Ethernet0/7
 port access vlan 10
#
interface Ethernet0/8
 port access vlan 10
#
interface Ethernet0/9
 port access vlan 10
#
interface Ethernet0/10
 port access vlan 10
#
interface Ethernet0/11
 port access vlan 10
#
interface Ethernet0/12
 port access vlan 20
#
interface Ethernet0/13
 port access vlan 20
#
interface Ethernet0/14
 port access vlan 20
#
interface Ethernet0/15
 port access vlan 20
#
interface Ethernet0/16
 port access vlan 20
#
interface Ethernet0/17
 port access vlan 20
#
interface Ethernet0/18
 port access vlan 20
#
interface Ethernet0/19
 port access vlan 20
#
interface Ethernet0/20
 port access vlan 20
#
interface Ethernet0/21
 port access vlan 20
#
interface Ethernet0/22
 port access vlan 20
#
interface Ethernet0/23
 port access vlan 20
#
interface Ethernet0/24
 duplex full
 speed 100
 port link-type trunk
 port trunk permit vlan 10 20
#
user-interface aux 0
user-interface vty 0 4
#
return
```
This article comes from the “小侠唐在飞” blog; please be sure to retain this source: http://xiaoxia.blog.51cto.com/23357/62442. This article comes from the 51CTO.COM technical blog.



