Introduction:
The following describes the structure, planning and configuration of a typical enterprise network.
It covers VLAN division for the internal departments, the wireless configuration, mapping of internal servers to the outside (NAT) and mutual access between internal subnets.
1. Each department, the servers and the wireless network each get their own subnet.
2. The wireless network uses an off-path (bypass) AC with direct forwarding mode.
3. The wireless network must not be able to reach internal company resources; it is only allowed internet access.
Devices:
Internet firewall: USG5120
Core switch: S5700
Access switches: S3700
Wireless controller: AC6005
Wireless AP: AP6010DN-AGN
Network topology:
Address planning:
VLAN planning:
Interface planning:
Procedure:
1. Firewall configuration.
#
sysname FW1
#
interface GigabitEthernet0/0/0
alias Lan
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
alias Wan
ip address 202.100.1.1 255.255.255.0
#
#
firewall zone trust
add interface GigabitEthernet0/0/0
#
firewall zone untrust
add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 202.100.1.2
ip route-static 192.168.0.0 255.255.0.0 10.10.10.254
#
nat-policy interzone trust untrust outbound
policy 1
action source-nat
easy-ip GigabitEthernet0/0/1
#
firewall packet-filter default permit interzone trust untrust direction outbound //default interzone rule allowing internal-to-external traffic
#
2. LSW1 configuration.
#
sysname LSW1
#
vlan batch 10 88 101 to 104 200
#
dhcp enable
#
interface Vlanif10
ip address 10.10.10.254 255.255.255.0
#
interface Vlanif101
description Server
ip address 192.168.101.254 255.255.255.0
#
interface Vlanif102
ip address 192.168.102.254 255.255.255.0
#
interface Vlanif103
ip address 192.168.103.254 255.255.255.0
#
interface Vlanif104
description WLAN-STA
ip address 192.168.104.254 255.255.255.0
dhcp select interface
dhcp server dns-list 192.168.101.2
#
interface Vlanif200
description Manager
ip address 192.168.200.254 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 88 200
#
interface GigabitEthernet0/0/11
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 10
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1
#
3. LSW2 configuration.
#
sysname LSW2
#
vlan batch 88 102 to 104 200
#
interface Vlanif200
ip address 192.168.200.2 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 102
#
interface Ethernet0/0/22
port link-type trunk
port trunk pvid vlan 88
port trunk allow-pass vlan 88 104
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan all
#
ip route-static 0.0.0.0 0.0.0.0 192.168.200.254
#
4. LSW3 configuration.
#
sysname LSW3
#
vlan batch 88 102 to 104 200
#
interface Vlanif200
ip address 192.168.200.3 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 103
#
interface Ethernet0/0/22
port link-type trunk
port trunk pvid vlan 88
port trunk allow-pass vlan 88 104
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan all
#
ip route-static 0.0.0.0 0.0.0.0 192.168.200.254
#
5. AC6005 configuration.
VLAN 88 is the AP management subnet; DHCP is configured on it to assign addresses to the APs.
#
sysname AC6005
#
vlan batch 88 200
#
dhcp enable
#
interface Vlanif88
ip address 192.168.88.6 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 192.168.200.6 255.255.255.0
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 88 200
#
interface Wlan-Ess104
port hybrid untagged vlan 104
#
wlan
wlan ac source interface vlanif88
ap-auth-mode no-auth
wmm-profile name wmm1 id 1
traffic-profile name tra1 id 1
security-profile name sec1 id 1
service-set name ser1 id 1
wlan-ess 104
ssid HUAWEI
traffic-profile id 1
security-profile id 1
service-vlan 104
radio-profile name radio1 id 1
wmm-profile id 1
#
After the APs have come online, bind each AP radio to the radio profile and the service set.
#
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
Wireless network test.
6. Map the internal server to the external network so that external users can access it.
#
nat server protocol tcp global 202.100.1.1 www inside 192.168.101.2 www
#
A forwarding policy must also be configured on the firewall to permit access to the server; the firewall denies such access by default.
#
policy interzone trust untrust inbound
policy 1
action permit
policy service service-set http
policy destination 192.168.101.2 0
#
Test access to the internal server from the external network.
Server setup:
Client access test:
7. Inter-department access test.
CLIENT1 PING CLIENT2
8. Access restriction: wireless users must not be able to reach the sales department, the technical department or the servers.
The access restriction is configured on the core switch:
#
acl number 3000
rule 5 permit ip source 192.168.104.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 10 permit ip source 192.168.104.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 15 permit ip source 192.168.104.0 0.0.0.255 destination 192.168.103.0 0.0.0.255
#
traffic classifier c1
if-match acl 3000
#
traffic behavior b1
deny
#
traffic policy p1
classifier c1 behavior b1
#
drop-profile default
#
vlan 104
traffic-policy p1 inbound
#
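As an added example (not part of the original post), the following Python script emulates the core-switch policy above: it parses the ACL 3000 rules, converts Huawei wildcard masks to networks, and returns the verdict for a source/destination pair, reflecting that a permit rule in the ACL selects traffic for the deny behavior of b1. The rule text is a constructed sample copied from the configuration above; the helper names are my own.

```python
import ipaddress

# Constructed sample: the ACL 3000 rules from the core-switch configuration above
ACL_3000 = """
rule 5 permit ip source 192.168.104.0 0.0.0.255 destination 192.168.101.0 0.0.0.255
rule 10 permit ip source 192.168.104.0 0.0.0.255 destination 192.168.102.0 0.0.0.255
rule 15 permit ip source 192.168.104.0 0.0.0.255 destination 192.168.103.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Huawei ACLs use wildcard masks (inverted netmasks); 0.0.0.255 means /24."""
    mask_int = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    mask = ipaddress.IPv4Address(mask_int)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(text):
    """Parse lines of the form:
    rule <id> <permit|deny> ip source A W destination B W
    and return them ordered by rule id (the order the switch evaluates them)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        rules.append((int(t[1]), t[2],
                      wildcard_to_network(t[5], t[6]),
                      wildcard_to_network(t[8], t[9])))
    return sorted(rules, key=lambda r: r[0])


def acl_matches(rules, src, dst):
    """First matching rule wins. Only a 'permit' rule makes the packet match the
    traffic classifier (a 'deny' rule or no match means 'not classified')."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for _, action, snet, dnet in rules:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def policy_verdict(rules, src, dst):
    """Emulate 'traffic policy p1' (classifier c1 -> behavior b1 / deny) applied
    inbound on VLAN 104: traffic the ACL permits is classified and dropped,
    everything else (e.g. internet-bound traffic) is forwarded."""
    return "drop" if acl_matches(rules, src, dst) else "forward"


if __name__ == "__main__":
    rules = parse_acl(ACL_3000)
    for dst in ("192.168.101.2", "192.168.102.5", "8.8.8.8", "192.168.200.254"):
        print(f"192.168.104.10 -> {dst}: {policy_verdict(rules, '192.168.104.10', dst)}")
```

Running it shows that the ACL only covers VLANs 101 to 103, so a wireless client is still forwarded to the management VLAN 200 addresses (192.168.200.x) and the firewall link subnet 10.10.10.0/24; add rules for those destinations if the isolation is meant to cover switch and AC management interfaces as well.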
Test after configuration: