I. Project overview and requirements analysis
(1) Headquarters and the branch require a simple, easy-to-maintain network topology with room for expansion and redundancy;
(2) Headquarters is divided into a Finance, HR, Engineering and Technology department, with a basic level of separation between them;
(3) The headquarters core switches must be redundant and reliable;
(4) Headquarters data is confidential: it must not be reachable from the external network or from the branch, so a firewall with a DMZ zone is deployed;
(5) Two ISP links back each other up: traffic normally uses China Telecom, with China Unicom as the standby path.

II. Design and planning
1. Planning notes (including parameters for DHCP, WWW, HTTP and related services)
(1) The enterprise network uses a three-tier architecture;
(2) Terminal layer: 8 PCs, grouped in pairs into the four departments (Finance, HR, Engineering, Technology), each department in its own VLAN: vlan10, vlan20, vlan30 and vlan40;
(3) Access layer: 4 Layer 2 switches for end-user connectivity; the ports facing the PCs are access ports;
(4) Aggregation layer: 4 Layer 3 switches; the ports facing the access switches are trunk ports. Technologies used at this layer: OSPF, VLAN segmentation, MSTP and VRRP;
(5) Core layer: 2 routers that interconnect the internal network; technology used: OSPF.
(6) Firewall zones: DMZ (data center), Trust (intranet) and Untrust (internet).

1.1 IP address plan
Switches lsw1, 2, 3, 4, 9 and 10 are S3700 models; switches lsw5, 6, 7, 8 and 11 are S5700 models; the routers are AR1220 and AR2220; the firewall is the USG6000V.
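As an added example (not part of the original lab writeup), the following Python script reviews an address plan the way a practitioner would before loading it into eNSP: it parses constructed configuration excerpts written in the style of the LSW9/LSW10 aggregation switch configuration from section III, flags any address that appears on two devices, checks that each VRRP group has two peers in one subnet sharing one virtual address, and predicts the master for each group with and without the tracked uplink. The sample configuration, the device names and the `run_checks` function are assumptions made for this example. It also makes one property of the design visible: where the two peers carry equal priorities, the master is decided by the higher interface address, so the VRRP master and the MSTP root can end up on different switches unless the priorities are set to match.

```python
"""Consistency checks for Huawei VRP-style Layer 3 switch configurations.

Parses `interface`, `ip address` and `vrrp vrid ...` lines, then:
  1. flags an IPv4 address configured on more than one device,
  2. checks each VRRP VRID has two peers in one subnet sharing one virtual IP,
  3. predicts the VRRP master per VRID, optionally with a tracked uplink down
     (priority lowered by `reduced`; ties go to the higher interface address).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of the LSW9/LSW10 configs; not the page's own
# text. The repeated 192.168.88.1 and the equal VRID 10 priorities are deliberate.
SAMPLE_CONFIGS = {
    "LSW9": """
interface vlanif 10
 ip address 192.168.10.1 24
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 priority 150
 vrrp vrid 10 track interface GigabitEthernet 0/0/1 reduced 70
interface vlanif 20
 ip address 192.168.20.1 24
 vrrp vrid 20 virtual-ip 192.168.20.254
 vrrp vrid 20 priority 110
interface vlanif 88
 ip address 192.168.88.1 24
 vrrp vrid 88 virtual-ip 192.168.88.254
""",
    "LSW10": """
interface vlanif 10
 ip address 192.168.10.2 24
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 priority 150
 vrrp vrid 10 track interface GigabitEthernet 0/0/1 reduced 70
interface vlanif 20
 ip address 192.168.20.2 24
 vrrp vrid 20 virtual-ip 192.168.20.254
 vrrp vrid 20 priority 110
interface vlanif 88
 ip address 192.168.88.1 24
 vrrp vrid 88 virtual-ip 192.168.88.254
""",
}

IP_RE = re.compile(r"^ip address (\S+) (\d+)$")
VRRP_RE = re.compile(r"^vrrp vrid (\d+) (.+)$")


def parse_config(text):
    """Return {interface: {"ip": IPv4Interface | None, "vrrp": {vrid: conf}}}."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = {"ip": None, "vrrp": {}}
        elif current is None:
            continue
        elif m := IP_RE.match(line):
            interfaces[current]["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := VRRP_RE.match(line):
            conf = interfaces[current]["vrrp"].setdefault(
                int(m[1]), {"vip": None, "priority": 100, "reduced": 0})
            words = m[2].split()
            if words[0] == "virtual-ip":
                conf["vip"] = ipaddress.ip_address(words[1])
            elif words[0] == "priority":
                conf["priority"] = int(words[1])
            elif words[0] == "track" and words[-2] == "reduced":
                conf["reduced"] = int(words[-1])
    return interfaces


def vrrp_groups(parsed):
    """Group (device, interface address, vrrp conf) triples by VRID."""
    groups = defaultdict(list)
    for dev, ifaces in parsed.items():
        for entry in ifaces.values():
            for vrid, conf in entry["vrrp"].items():
                groups[vrid].append((dev, entry["ip"], conf))
    return groups


def duplicate_addresses(parsed):
    """Addresses configured on more than one device -> [(device, interface)]."""
    owners = defaultdict(list)
    for dev, ifaces in parsed.items():
        for name, entry in ifaces.items():
            if entry["ip"] is not None:
                owners[str(entry["ip"].ip)].append((dev, name))
    return {ip: devs for ip, devs in owners.items() if len(devs) > 1}


def vrrp_pair_problems(parsed):
    """One message per VRID whose peers cannot form a working group."""
    problems = []
    for vrid, peers in sorted(vrrp_groups(parsed).items()):
        if len(peers) != 2:
            problems.append(f"vrid {vrid}: expected 2 peers, found {len(peers)}")
            continue
        (d1, ip1, c1), (d2, ip2, c2) = peers
        if ip1 is None or ip2 is None or ip1.network != ip2.network:
            problems.append(f"vrid {vrid}: {d1} and {d2} are not in one subnet")
        elif c1["vip"] is None or c1["vip"] != c2["vip"] or c1["vip"] not in ip1.network:
            problems.append(f"vrid {vrid}: virtual IP missing, mismatched or outside the subnet")
    return problems


def elect_masters(parsed, failed_uplinks=frozenset()):
    """Predict the master per VRID. A device in `failed_uplinks` has its tracked
    interface down, so its priority drops by `reduced`. Higher effective priority
    wins, then the higher interface address; an exact tie yields None."""
    masters = {}
    for vrid, peers in vrrp_groups(parsed).items():
        def rank(peer):
            dev, ip, conf = peer
            penalty = conf["reduced"] if dev in failed_uplinks else 0
            return (conf["priority"] - penalty, int(ip.ip) if ip else -1)
        best = max(peers, key=rank)
        masters[vrid] = best[0] if sum(rank(p) == rank(best) for p in peers) == 1 else None
    return masters


def run_checks(configs=SAMPLE_CONFIGS, failed_uplinks=frozenset()):
    """Parse every device and return all findings in one dict."""
    parsed = {dev: parse_config(text) for dev, text in configs.items()}
    return {
        "duplicates": duplicate_addresses(parsed),
        "pair_problems": vrrp_pair_problems(parsed),
        "masters": elect_masters(parsed),
        "masters_after_failure": elect_masters(parsed, failed_uplinks),
    }
```

Running `run_checks(failed_uplinks={"LSW10"})` on the sample reports the duplicate 192.168.88.1, predicts LSW10 as master for VRIDs 10 and 20 (equal priorities, higher address), and shows VRID 10 moving to LSW9 once LSW10's tracked uplink drops its priority from 150 to 80, while VRID 20, which has no `track`, stays where it is.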
1.2 Network management design
(1) All internal staff need access to the internet;
(2) The departments must be able to communicate with each other;
(3) Headquarters can reach the internet and the branch departments, but the internet must not be able to reach the intranet.

III. Design content and steps
Equipment: three firewalls, 3 servers, three S5700 switches, five S3700 switches, six routers and twelve PCs.

Basic configuration of the access switches (LSW2 is configured in the same way as LSW1). Example, LSW1:

system-view
undo info-center enable
sysname LSW1
vlan batch 10 20 30 40 88
interface GigabitEthernet 0/0/1
 port link-type access
 port default vlan 10
interface GigabitEthernet 0/0/2
 port link-type access
 port default vlan 20
interface GigabitEthernet 0/0/3
 port link-type access
 port default vlan 30
interface GigabitEthernet 0/0/4
 port link-type access
 port default vlan 40
interface GigabitEthernet 0/0/6
 port link-type access
 port default vlan 88
interface GigabitEthernet 0/0/5
 port link-type trunk
 port trunk allow-pass vlan all
interface GigabitEthernet 0/0/7
 port link-type trunk
 port trunk allow-pass vlan all
interface GigabitEthernet 0/0/8
 port link-type trunk
 port trunk allow-pass vlan all

MSTP configuration. S1:

stp region-configuration
 region-name STP
 instance 1 vlan 10 20
 instance 2 vlan 30 40
 revision-level 1
 active region-configuration
stp instance 1 root primary
stp instance 2 root secondary

S2:

stp region-configuration
 region-name STP
 instance 1 vlan 10 20
 instance 2 vlan 30 40
 revision-level 1
 active region-configuration
stp instance 2 root primary
stp instance 1 root secondary

Basic configuration of the aggregation switches (LSW9 is configured in the same way as LSW10). Example, LSW10:

interface GigabitEthernet 0/0/1
 port link-type trunk
 port trunk allow-pass vlan all
interface GigabitEthernet 0/0/2
 port link-type trunk
 port trunk allow-pass vlan all
interface GigabitEthernet 0/0/3
 port link-type trunk
 port trunk allow-pass vlan all

VRRP + MSTP configuration. LSW9:

system-view
sysname LSW9
undo info-center enable
vlan batch 10 20 30 40 88 66 15 16
interface vlanif 10
 ip address 192.168.10.1 24
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 priority 150
 vrrp vrid 10 preempt-mode timer delay 1
 vrrp vrid 10 timer advertise 1
 vrrp vrid 10 track interface GigabitEthernet 0/0/1 reduced 70
interface vlanif 20
 ip address 192.168.20.1 24
 vrrp vrid 20 virtual-ip 192.168.20.254
 vrrp vrid 20 priority 110
 vrrp vrid 20 preempt-mode timer delay 1
 vrrp vrid 20 timer advertise 1
interface vlanif 30
 ip address 192.168.30.1 24
 vrrp vrid 30 virtual-ip 192.168.30.254
 vrrp vrid 30 priority 110
 vrrp vrid 30 preempt-mode timer delay 1
 vrrp vrid 30 timer advertise 1
interface vlanif 40
 ip address 192.168.40.1 24
 vrrp vrid 40 virtual-ip 192.168.40.254
 vrrp vrid 40 priority 110
 vrrp vrid 40 preempt-mode timer delay 1
 vrrp vrid 40 timer advertise 1
interface vlanif 88
 ip address 192.168.88.1 24
 vrrp vrid 88 virtual-ip 192.168.88.254
 vrrp vrid 88 priority 110
 vrrp vrid 88 preempt-mode timer delay 1
 vrrp vrid 88 timer advertise 1
interface vlanif 66
 ip address 192.168.66.1 24
 vrrp vrid 66 virtual-ip 192.168.66.254
 vrrp vrid 66 priority 110
 vrrp vrid 66 preempt-mode timer delay 1
 vrrp vrid 66 timer advertise 1
quit

LSW10:

system-view
sysname LSW10
undo info-center enable
vlan batch 10 20 30 40 88 66 15 16
interface vlanif 10
 ip address 192.168.10.2 24
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 priority 150
 vrrp vrid 10 preempt-mode timer delay 1
 vrrp vrid 10 timer advertise 1
 vrrp vrid 10 track interface GigabitEthernet 0/0/1 reduced 70
interface vlanif 20
 ip address 192.168.20.2 24
 vrrp vrid 20 virtual-ip 192.168.20.254
 vrrp vrid 20 priority 110
 vrrp vrid 20 preempt-mode timer delay 1
 vrrp vrid 20 timer advertise 1
interface vlanif 30
 ip address 192.168.30.2 24
 vrrp vrid 30 virtual-ip 192.168.30.254
 vrrp vrid 30 priority 110
 vrrp vrid 30 preempt-mode timer delay 1
 vrrp vrid 30 timer advertise 1
interface vlanif 40
 ip address 192.168.40.2 24
 vrrp vrid 40 virtual-ip 192.168.40.254
 vrrp vrid 40 priority 110
 vrrp vrid 40 preempt-mode timer delay 1
 vrrp vrid 40 timer advertise 1
interface vlanif 88
 # .2 on LSW10; .1 belongs to LSW9 on the same segment
 ip address 192.168.88.2 24
 vrrp vrid 88 virtual-ip 192.168.88.254
 vrrp vrid 88 priority 110
 vrrp vrid 88 preempt-mode timer delay 1
 vrrp vrid 88 timer advertise 1
interface vlanif 66
 # .2 on LSW10; .1 belongs to LSW9 on the same segment
 ip address 192.168.66.2 24
 vrrp vrid 66 virtual-ip 192.168.66.254
 vrrp vrid 66 priority 110
 vrrp vrid 66 preempt-mode timer delay 1
 vrrp vrid 66 timer advertise 1
quit

MSTP configuration on S9:

stp region-configuration
 region-name STP
 instance 1 vlan 10 20
 instance 2 vlan 30 40
 revision-level 1
 active region-configuration
stp root primary

S10:

stp region-configuration
 region-name STP
 instance 1 vlan 10 20
 instance 2 vlan 30 40
 revision-level 1
 active region-configuration
stp root secondary

Uplink VLANs and OSPF on LSW9:

vlan batch 15 16
interface vlanif 15
 ip address 192.168.15.2 24
interface GigabitEthernet 0/0/4
 port link-type access
 port default vlan 15
interface vlanif 16
 ip address 192.168.25.1 24
interface GigabitEthernet 0/0/5
 port link-type access
 port default vlan 16
ospf 1 router-id 3.3.3.3
 default-route-advertise
 area 0.0.0.0
  network 192.168.15.0 0.0.0.255
  network 192.168.25.0 0.0.0.255
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 192.168.40.0 0.0.0.255

LSW10:

vlan batch 15 16
interface vlanif 15
 ip address 192.168.16.2 24
interface GigabitEthernet 0/0/5
 port link-type access
 port default vlan 15
interface vlanif 16
 ip address 192.168.26.1 24
interface GigabitEthernet 0/0/4
 port link-type access
 port default vlan 16
ospf 1 router-id 4.4.4.4
 default-route-advertise
 area 0.0.0.0
  network 192.168.16.0 0.0.0.255
  network 192.168.26.0 0.0.0.255
  # department VLANs advertised from LSW10 as well, so they stay reachable when LSW9 is down
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 192.168.40.0 0.0.0.255

Basic configuration + OSPF routing. AR1:

system-view
undo info-center enable
sysname AR1
interface GigabitEthernet 0/0/0
 ip address 192.168.15.1 24
interface GigabitEthernet 0/0/1
 ip address 192.168.16.1 24
interface GigabitEthernet 0/0/2
 ip address 192.168.102.2 24
interface GigabitEthernet 4/0/0
 ip address 192.168.104.2 24
interface LoopBack 0
 ip address 1.1.1.1 32
quit
ospf 1 router-id 1.1.1.1
 default-route-advertise
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 192.168.15.0 0.0.0.255
  network 192.168.16.0 0.0.0.255
  network 192.168.102.0 0.0.0.255
  network 192.168.104.0 0.0.0.255

AR2:

system-view
undo info-center enable
sysname AR2
interface GigabitEthernet 0/0/0
 ip address 192.168.26.2 24
interface GigabitEthernet 0/0/1
 ip address 192.168.25.2 24
interface GigabitEthernet 0/0/2
 ip address 192.168.103.2 24
interface GigabitEthernet 4/0/0
 ip address 192.168.105.2 24
interface LoopBack 0
 ip address 2.2.2.2 32
ospf 1 router-id 2.2.2.2
 default-route-advertise
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 192.168.25.0 0.0.0.255
  network 192.168.26.0 0.0.0.255
  network 192.168.103.0 0.0.0.255
  network 192.168.105.0 0.0.0.255

DHCP server switch:

system-view
sysname DHCP
undo info-center enable
vlan batch 10 20 30 40
interface GigabitEthernet 0/0/1
 port link-type trunk
 port trunk allow-pass vlan all
quit
dhcp enable
ip pool 1
 network 192.168.10.0 mask 24
 gateway-list 192.168.10.254
 dns-list 192.168.88.10
quit
ip pool 2
 network 192.168.20.0 mask 24
 gateway-list 192.168.20.254
 dns-list 192.168.88.10
quit
ip pool 3
 network 192.168.30.0 mask 24
 gateway-list 192.168.30.254
 dns-list 192.168.88.10
quit
ip pool 4
 network 192.168.40.0 mask 24
 gateway-list 192.168.40.254
 dns-list 192.168.88.10
quit
interface vlanif 10
 ip address 192.168.10.253 24
 dhcp select global
quit
interface vlanif 20
 ip address 192.168.20.253 24
 dhcp select global
quit
interface vlanif 30
 ip address 192.168.30.253 24
 dhcp select global
quit
interface vlanif 40
 ip address 192.168.40.253 24
 dhcp select global

2.6 ISP area configuration (basic configuration + OSPF)
AR7:

system-view
sysname AR7
undo info-center enable
interface GigabitEthernet 0/0/1
 ip address 192.168.93.1 24
interface GigabitEthernet 0/0/2
 ip address 192.168.10.254 24
interface GigabitEthernet 0/0/0
 ip address 192.168.94.1 24
interface GigabitEthernet 4/0/0
 ip address 192.168.97.1 24
ospf 1
 default-route-advertise
 area 1
  network 192.168.97.0 0.0.0.255
  network 192.168.94.0 0.0.0.255
  network 192.168.93.0 0.0.0.255
  network 192.168.10.0 0.0.0.255

Note that 192.168.10.0/24 on AR7 GigabitEthernet 0/0/2 overlaps the Finance VLAN 10 subnet at headquarters; an address plan should keep the ISP-side ranges distinct from the internal ones.

AR5:

system-view
sysname AR5
undo info-center enable
interface GigabitEthernet 0/0/1
 ip address 192.168.94.2 24
interface GigabitEthernet 0/0/0
 ip address 192.168.95.2 24
ospf 1
 default-route-advertise
 area 1
  network 192.168.94.0 0.0.0.255
  network 192.168.95.0 0.0.0.255

AR6:

system-view
sysname AR6
undo info-center enable
interface GigabitEthernet 0/0/1
 ip address 192.168.96.2 24
interface GigabitEthernet 0/0/0
 ip address 192.168.93.2 24
ospf 1
 default-route-advertise
 area 1
  network 192.168.93.0 0.0.0.255
  network 192.168.96.0 0.0.0.255

AR4:

system-view
sysname AR4
undo info-center enable
interface GigabitEthernet 0/0/1
 ip address 192.168.96.1 24
interface GigabitEthernet 0/0/2
 ip address 100.1.1.10 24
interface GigabitEthernet 0/0/0
 ip address 192.168.95.1 24
interface GigabitEthernet 3/0/0
 ip address 100.1.10.11 24
ospf 1
 default-route-advertise
 area 1
  network 192.168.96.0 0.0.0.255
  network 192.168.95.0 0.0.0.255
 area 0
  network 100.1.1.0 0.0.0.255
  network 100.1.10.0 0.0.0.255

2.7 Branch router AR8 configuration
AR8:

system-view
sysname AR8
undo info-center enable
interface GigabitEthernet 0/0/1
 ip address 192.168.91.1 24
interface GigabitEthernet 0/0/2
 ip address 192.168.110.1 24
interface GigabitEthernet 0/0/0
 ip address 192.168.100.1 24
quit
ospf 1
 area 1
  network 192.168.100.0 0.0.0.255
  network 192.168.110.0 0.0.0.255
  network 192.168.91.0 0.0.0.255

2.8 Firewall FW4 configuration
FW4:

system-view
sysname FW4
undo info-center enable
interface GigabitEthernet 1/0/1
 ip address 192.168.97.254 24
interface GigabitEthernet 1/0/0
 ip address 192.168.91.2 24
quit
firewall zone trust
 add interface GigabitEthernet 1/0/0
firewall zone untrust
 add interface GigabitEthernet 1/0/1
quit
interface GigabitEthernet 1/0/0
 service-manage ping permit
interface GigabitEthernet 1/0/1
 service-manage ping permit
quit

Firewall OSPF configuration:

ospf 1
 default-route-advertise
 area 0
  network 192.168.97.0 0.0.0.255
 area 1
  network 192.168.91.0 0.0.0.255

Security policy:

security-policy
 rule name ospf
  service ospf
  source-zone trust
  destination-zone untrust
  action permit
security-policy
 rule name TtoU
  source-zone trust
  destination-zone untrust
  action permit

2.9 Data center configuration
AR9:

system-view
sysname AR9
undo info-center enable
interface GigabitEthernet 0/0/1
 ip address 192.168.80.1 24
interface GigabitEthernet 0/0/0
 ip address 192.168.90.1 24
interface GigabitEthernet 0/0/2
 ip address 192.168.106.1 24
ospf 1
 default-route-advertise
 area 0
  network 192.168.106.0 0.0.0.255
  network 192.168.90.0 0.0.0.255
  network 192.168.80.0 0.0.0.255

2.10 Firewall FW3 and FW2 configuration
FW3:

system-view
sysname FW3
undo info-center enable
interface GigabitEthernet 1/0/1
 ip address 192.168.90.2 24
interface GigabitEthernet 1/0/0
 ip address 192.168.99.1 24
interface GigabitEthernet 1/0/2
 ip address 100.1.1.1 24
interface GigabitEthernet 1/0/3
 ip address 192.168.102.1 24
interface GigabitEthernet 1/0/4
 ip address 192.168.103.1 24
interface GigabitEthernet 0/0/0
 service-manage all permit

FW2:

system-view
sysname FW2
undo info-center enable
interface GigabitEthernet 1/0/1
 ip address 100.1.10.2 24
interface GigabitEthernet 1/0/0
 ip address 192.168.99.2 24
interface GigabitEthernet 1/0/3
 ip address 192.168.105.1 24
interface GigabitEthernet 1/0/2
 ip address 192.168.104.1 24
interface GigabitEthernet 1/0/4
 ip address 192.168.106.2 24
interface GigabitEthernet 0/0/0
 service-manage all permit

FW3 VRRP (####trust ###dmz ###untrust):

interface GigabitEthernet 1/0/3
 vrrp vrid 1 virtual-ip 192.168.102.254 24 active
interface GigabitEthernet 1/0/4
 vrrp vrid 4 virtual-ip 192.168.103.254 24 active
interface GigabitEthernet 1/0/1
 vrrp vrid 8 virtual-ip 192.168.90.254 24 active
interface GigabitEthernet 1/0/2
 vrrp vrid 12 virtual-ip 100.1.1.254 24 active
interface GigabitEthernet 1/0/0
 vrrp vrid 16 virtual-ip 192.168.99.254 24 active

#### Hot standby (dual-device)
firewall zone name ha
 set priority 99
 add interface GigabitEthernet 1/0/0
firewall zone trust
 add interface GigabitEthernet 1/0/3
 add interface GigabitEthernet 1/0/4
firewall zone untrust
 add interface GigabitEthernet 1/0/2
firewall zone dmz
 add interface GigabitEthernet 1/0/1

# Firewall hot-standby (HRP) configuration
hrp interface GigabitEthernet 1/0/0 remote 192.168.99.2
hrp enable

# Firewall security policy, FW3
security-policy
 rule name UtoD
  source-zone untrust
  destination-zone dmz
  action permit
 rule name TtoD
  source-zone trust
  destination-zone dmz
  action permit
 rule name DtoT
  source-zone dmz
  destination-zone trust
  action permit
 rule name TtoU
  source-zone trust
  destination-zone untrust
  action permit
 rule name UtoT
  source-zone untrust
  destination-zone trust
  action permit

Note that rule UtoT permits any traffic from untrust to trust, which contradicts requirement (3) in 1.2; removing it leaves the USG default deny in place for inbound traffic, while UtoD likewise exposes every DMZ port rather than only the published services.

FW3 OSPF configuration:

ospf 1 router-id 13.13.13.13
 default-route-advertise
 area 0
  network 192.168.102.0 0.0.0.255
  network 192.168.103.0 0.0.0.255
  network 192.168.99.0 0.0.0.255
  network 192.168.90.0 0.0.0.255
 area 2
  network 100.1.1.0 0.0.0.255

FW2 VRRP (####trust ###untrust ###dmz):

interface GigabitEthernet 1/0/2
 vrrp vrid 1 virtual-ip 192.168.104.254 24 standby
interface GigabitEthernet 1/0/3
 vrrp vrid 4 virtual-ip 192.168.105.254 24 standby
interface GigabitEthernet 1/0/1
 vrrp vrid 8 virtual-ip 100.1.10.254 24 standby
interface GigabitEthernet 1/0/4
 vrrp vrid 12 virtual-ip 192.168.106.254 24 standby

# Firewall hot-standby (HRP) configuration
hrp interface GigabitEthernet 1/0/0 remote 192.168.99.1
hrp enable
hrp standby-device
firewall zone name ha
 set priority 99
 add interface GigabitEthernet 1/0/0
firewall zone trust
 add interface GigabitEthernet 1/0/2
 add interface GigabitEthernet 1/0/3
firewall zone untrust
 add interface GigabitEthernet 1/0/1
firewall zone dmz
 add interface GigabitEthernet 1/0/4

For hot standby to actually move the virtual addresses on failover, each VRRP group must have its two members on the same segment with the same VRID and virtual address; as configured above, FW3's and FW2's trust, untrust and DMZ interfaces sit in different subnets (for example 192.168.102.0/24 on FW3 against 192.168.104.0/24 on FW2), so the groups do not pair up and the HRP session only synchronises state.

FW2 OSPF configuration:

ospf 1 router-id 12.12.12.12
 default-route-advertise
 area 0
  network 192.168.105.0 0.0.0.255
  network 192.168.104.0 0.0.0.255
  network 192.168.99.0 0.0.0.255
  network 192.168.106.0 0.0.0.255
  network 100.1.10.0 0.0.0.255

2.11 Firewall NAT configuration
Source address translation, FW3:

nat address-group 4
 mode pat
 section 100.1.1.20 100.1.1.30
nat-policy
 rule name TtoU
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 24
  source-address 192.168.20.0 24
  source-address 192.168.30.0 24
  source-address 192.168.40.0 24
  action source-nat address-group 4
 rule name UtoT
  source-zone untrust
  destination-zone trust
  action source-nat address-group 4

Destination address translation:

nat server zone dmz protocol tcp global 100.1.1.5 80 inside 192.168.80.10 80
nat server zone dmz protocol tcp global 100.1.1.4 80 inside 192.168.80.20 80
security-policy
 rule name tohttp
  source-zone untrust
  destination-zone dmz
  action permit

Verification: PC1 pings PC2, PC4, PC6 and PC8.
Verification: DHCP dynamic address allocation.
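As an added example, not part of the lab writeup: the Python script below models the FW3 zone layout together with the security-policy and nat server entries from sections 2.10 and 2.11, and tests them against the requirements stated in sections I and 1.2 the way a policy review would. It treats the rule list as first-match with the USG default deny and assumes, as on the USG, that nat server translation happens before the policy lookup, so inbound policies are matched on the inside address. The zone prefixes, the test flows (203.0.113.10 is a documentation address standing in for an internet host) and the `HARDENED_RULES` list are constructed for this example. Against the page's rule list it reports that `UtoT` lets any internet host reach the intranet and that `UtoD` exposes every DMZ port; the hardened list keeps only the outbound rules and one port-80 inbound rule to the published servers.

```python
"""Check a USG-style zone policy against the design requirements.

Model: zones are resolved by longest-prefix match on the address; rules are
matched top down on (source zone, destination zone, destination, port) and
the first match wins; no match means deny, the USG default. `nat server`
entries rewrite the public destination to the inside host before the policy
lookup (assumed USG order), so inbound policies name the inside address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    source_zone: str
    destination_zone: str
    action: str                                          # "permit" or "deny"
    destination: Optional[ipaddress.IPv4Network] = None  # None = any address
    port: Optional[int] = None                           # None = any port


def _nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Zone membership by prefix, modelled on the FW3 interfaces (constructed).
ZONE_NETS = {
    "trust": _nets("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24",
                   "192.168.40.0/24", "192.168.102.0/24", "192.168.103.0/24"),
    "dmz": _nets("192.168.80.0/24", "192.168.90.0/24"),
    "untrust": _nets("0.0.0.0/0"),
}

# nat server entries from 2.11: (global address, port) -> (inside address, port)
NAT_SERVERS = {
    ("100.1.1.5", 80): ("192.168.80.10", 80),
    ("100.1.1.4", 80): ("192.168.80.20", 80),
}

# The FW3 rule list as written on the page, in evaluation order.
PAGE_RULES = [
    Rule("UtoD", "untrust", "dmz", "permit"),
    Rule("TtoD", "trust", "dmz", "permit"),
    Rule("DtoT", "dmz", "trust", "permit"),
    Rule("TtoU", "trust", "untrust", "permit"),
    Rule("UtoT", "untrust", "trust", "permit"),
    Rule("tohttp", "untrust", "dmz", "permit"),
]

# Least-privilege rewrite (constructed): no blanket inbound rules; inbound only
# to the published web servers on port 80, matched on the post-NAT address.
HARDENED_RULES = [
    Rule("TtoD", "trust", "dmz", "permit"),
    Rule("DtoT", "dmz", "trust", "permit"),
    Rule("TtoU", "trust", "untrust", "permit"),
    Rule("tohttp", "untrust", "dmz", "permit",
         ipaddress.ip_network("192.168.80.0/24"), 80),
]


def zone_of(address):
    """Zone of an address by longest matching prefix (0.0.0.0/0 is untrust)."""
    ip = ipaddress.ip_address(address)
    matches = [(net.prefixlen, zone) for zone, nets in ZONE_NETS.items()
               for net in nets if ip in net]
    return max(matches)[1]


def evaluate(rules, src_ip, dst_ip, dst_port):
    """Apply nat server, then the rule list; return (action, rule, inside dst)."""
    dst_ip, dst_port = NAT_SERVERS.get((dst_ip, dst_port), (dst_ip, dst_port))
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if (rule.source_zone, rule.destination_zone) != (src_zone, dst_zone):
            continue
        if rule.destination is not None and ipaddress.ip_address(dst_ip) not in rule.destination:
            continue
        if rule.port is not None and rule.port != dst_port:
            continue
        return rule.action, rule.name, dst_ip
    return "deny", None, dst_ip  # no matching rule: the USG drops the packet


# Requirements from sections I and 1.2 as flows (constructed test addresses).
REQUIREMENTS = [
    ("staff reach the internet", "192.168.10.10", "203.0.113.10", 443, "permit"),
    ("HQ reaches the DMZ servers", "192.168.20.10", "192.168.80.10", 80, "permit"),
    ("published web server reachable", "203.0.113.10", "100.1.1.5", 80, "permit"),
    ("internet cannot reach the intranet", "203.0.113.10", "192.168.10.10", 445, "deny"),
    ("internet reaches the DMZ only on published ports", "203.0.113.10", "192.168.80.10", 22, "deny"),
]


def check_requirements(rules):
    """Return one line per requirement the rule list violates."""
    violations = []
    for text, src, dst, port, expected in REQUIREMENTS:
        action, name, _ = evaluate(rules, src, dst, port)
        if action != expected:
            violations.append(f"{text}: expected {expected}, got {action} via rule {name}")
    return violations


if __name__ == "__main__":
    print("page rules:", check_requirements(PAGE_RULES))
    print("hardened rules:", check_requirements(HARDENED_RULES))
```

The same `evaluate` call doubles as a quick what-if tool: changing a flow's port or destination shows which rule would admit it, which is the check to run before adding any further permit rule between untrust and an internal zone.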