园区网扩展方案

项目背景：

由于公司进一步壮大，现有办公区域需要扩租，而恰好新办公区域就在现办公大楼园区的另一座大楼；

现网络由1台出口路由AR2240C-S、三层交换S5720S-52P-EI-AC、若干二层交换S5720S-52P-LI-AC组成；

新办公区域通过光纤从现机房AR2240C-S出口路由的光模块（SDP-GE-LX-SM1310）接到新办公区域机房的三层交换S5720S-52P-EI-AC的光模块（SDP-GE-LX-SM1310），三层下接入若干二层设备，实现网络扩展。

说明：

如图

R5为企业总部

R4模拟Internet

R2、R3分别模拟运营商电信（telecom）、联通ISP（unicom）

R1为现机房出口路由器

LSW1为现机房三层交换

LSW2、LSW3为现机房二层交换、

PC1、PC2属于vlan 108 （vlanif108:10.180.108.0/24）；PC3、PC4属于vlan 109(vlanif 109:10.180.109.0/24)

LSW4为新办公楼机房三层交换

PC5、PC6属于vlan 110 （vlanif110:10.180.110.0/24）；PC7、PC8属于vlan 111(vlanif 111:10.180.109.0/24)

 

项目目标：

需要一个稳定安全的网络环境来保证公司员工的Internet访问需求，研发和测试需求。

1、PC1~PC8之间可以互访；

2、PC1~PC8均可以访问Internet，

PC1、PC3、PC5、PC7正常情况下通过R2(telecom)访问R4(internet)，当R1-R2-R4之间链路出现故障时自动切换到R1-R3-R4访问Internet；

PC2、PC4、PC6、PC8正常情况下通过R3(unicom)访问R4(internet)，当R1-R3-R4之间链路出现故障时自动切换到R1-R2-R4访问Internet；

3、PC1~PC8均可以访问企业总部；

 

组网思路：

R5（总部）与R4(internet)之间运行ospf，区域area 2，实现连通性；配置GRE over IPsec实现与R1互通的v*n；

 

R4（internet）、R3（unicom）、R2（telecom）、R1（出口路由）模拟企业出口运营商网络及Internet，它们之间运行ospf，区域area 1，实现连通性；

 

R1上配置NAT（Easy-IP）、配置PBR(策略路由)实现分流及出口网冗余、配置GRE over IPsec实现与R5互通的v*n、配置与LSW1、LSW4之间的ospf实现IGP自动更新路由信息；

 

LSW1、LSW4通过vlanif 300与R1连接，ge0/0/2和ge0/0/3接口配置trunk口，与二层交换连接，允许vlan108、vlan109、vlan110、vlan111通过；

配置vlanif 108-109  vlanif 110-111，充当接入PC的网关；

配置dhcp，并IP/MAC绑定，实现固定的设备获取固定的IP；

 

LSW2、LSW3、LSW5、LSW6代表接入层交换机，分别属于vlan108、vlan109、vlan110、vlan111

 

配置：

一、先配置模拟internet

配置接口IP：

 

配置OSPF

R1:

[Huawei]ospf 1 router-id 1.1.1.1
[Huawei-ospf-1]area 1
[Huawei-ospf-1-area-0.0.0.1]network 10.1.1.0 0.0.0.255                --------------宣告的的路由器自己直连的网段
[Huawei-ospf-1-area-0.0.0.1]network 20.1.1.0 0.0.0.255

R2:

[Huawei]ospf 1 router-id 2.2.2.2
[Huawei-ospf-1]area 1
[Huawei-ospf-1-area-0.0.0.1]network 100.1.1.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 10.1.1.0 0.0.0.255

R3:

[Huawei]ospf 1 router-id 3.3.3.3
[Huawei-ospf-1]area 1
[Huawei-ospf-1-area-0.0.0.1]network 200.1.1.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 20.1.1.0 0.0.0.255

R4:

[Huawei]ospf 1 router-id 4.4.4.4
[Huawei-ospf-1]area 1
[Huawei-ospf-1-area-0.0.0.1]network 100.1.1.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 200.1.1.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 114.114.114.114 0.0.0.0

二、配置企业总部与internet的OSPF（配置失败）

R4:

由于不能把模拟的internet进一步引入ospf的另一个区域area 2，所以用静态路由来设置总部与internet的连通性；

R5

 

三、配置出口路由与三层交换之间的OSPF

R1配置：

[Huawei]int gi 0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 192.168.200.1 30
[Huawei-GigabitEthernet0/0/0]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 192.168.200.5 30
[Huawei]ospf
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 192.168.200.0 0.0.0.3
[Huawei-ospf-1-area-0.0.0.0]network 192.168.200.4 0.0.0.3

LSW1配置:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]vlan batch 108 109 110 111
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]vlan 300
[Huawei-vlan300]int vlanif 300
[Huawei-Vlanif300]ip addr 192.168.200.2 30
[Huawei-Vlanif300]q
[Huawei]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 300
[Huawei-GigabitEthernet0/0/1]q
[Huawei]int vlanif 108
[Huawei-Vlanif108]ip addr 10.180.108.1 24
[Huawei-Vlanif108]int vlanif 109
[Huawei-Vlanif109]ip addr 10.180.109.1 24
[Huawei]ospf 1 router-id 6.6.6.6
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 10.180.108.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]network 10.180.109.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]network 192.168.200.0 0.0.0.3
 

LSW4配置:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]vlan batch 110 111
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]vlan 300
[Huawei]int vlanif 300
[Huawei-Vlanif300]ip addr 192.168.200.6 30
[Huawei]un in en
Info: Information center is disabled.
[Huawei]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 300
[Huawei-GigabitEthernet0/0/1]
[Huawei-GigabitEthernet0/0/1]q
[Huawei]int vlanif 110
[Huawei-Vlanif110]ip addr 10.180.110.1 24
[Huawei-Vlanif110]int vlanif 111
[Huawei-Vlanif111]ip addr 10.180.111.1 24
[Huawei-Vlanif111]q
[Huawei]ospf 1 router-id 7.7.7.7
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 192.168.200.6 0.0.0.3
[Huawei-ospf-1-area-0.0.0.0]network 10.180.110.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]network 10.180.111.0 0.0.0.255

配置完成后，可以看到三层交换已经有到达internet的路由了

四、配置vlan

LSW1:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 108 109 300
[Huawei-GigabitEthernet0/0/2]int gi 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type trunk
[Huawei-GigabitEthernet0/0/3]port trunk allow-pass vlan 108 109 300
 

LSW2/LSW3:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.

[Huawei]vlan batch 108 109

Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 108 109 300
[Huawei]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 108/109
[Huawei-GigabitEthernet0/0/2]int gi 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 108/109

LSW4:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 110 111 300
[Huawei-GigabitEthernet0/0/2]int gi 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type trunk
[Huawei-GigabitEthernet0/0/3]port trunk allow-pass vlan 110 111 300

 

LSW5/LSW6:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.

[Huawei]vlan batch 110 111

Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 110 111 300
[Huawei]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 110/111
[Huawei-GigabitEthernet0/0/2]int gi 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 110/111

 

五、配置DHCP 及IP POOL（配置完成，发现PC并不能获取到IP，是不是eNSP不支持）

因为在步骤三中已经配置了vlanif，所以直接配置dhcp及ip pool即可

LWS1:

[Huawei]dhcp enable
[Huawei]ip pool 108
Info:It's successful to create an IP address pool.
[Huawei-ip-pool-108]gateway-list 10.180.108.1
[Huawei-ip-pool-108]network 10.180.108.0 mask 255.255.255.0
[Huawei-ip-pool-108]excluded-ip-address 10.180.108.10 10.180.108.254
[Huawei-ip-pool-108]static-bind ip-address 10.180.108.2 mac-address 5489-9819-741f             (PC1的mac地址)
[Huawei-ip-pool-108]static-bind ip-address 10.180.108.3 mac-address 5489-98ca-3928             (PC2的mac地址)

[Huawei-ip-pool-108]ip pool 109
Info:It's successful to create an IP address pool.
[Huawei-ip-pool-109]gateway-list 10.180.109.1
[Huawei-ip-pool-109]network 10.180.109.0 mask 255.255.255.0
[Huawei-ip-pool-109]excluded-ip-address 10.180.109.10 10.180.109.254
[Huawei-ip-pool-109]static-bind ip-address 10.180.10.2 mac-address 5489-982d-79b7          （PC3的mac地址）
[Huawei-ip-pool-109]static-bind ip-address 10.180.109.3 mac-address 5489-98f4-6304          （PC4的mac地址）

由于在eNSP上配置DHCP后PC并不能获取到IP，所以还是手动配置吧

 

配置完成后，每个PC都可以访问Internet（114.114.114.114）

并且每个PC之间都互通：

到此，连通性配置完成！！！

七、配置NAT（easy-ip）

在eNSP中，联通性可以这样完成，但是现实中，必须配置NAT

  在出口路由器上配置NAT,实现局域网网段（10.180.108.0/22）与外网IP10.1.1.1和20.1.1.1的动态映射；

[Huawei]acl 2001
[Huawei-acl-basic-2001]dis th
[Huawei-acl-basic-2001]rule permit source 192.168.1.0 0.0.0.255
[Huawei-acl-basic-2001]rule permit source 192.168.2.0 0.0.0.255
[Huawei-acl-basic-2001]q
[Huawei]int gi 0/0/0
[Huawei-GigabitEthernet0/0/0]nat outbound 2001
[Huawei-GigabitEthernet0/0/0]int gi0/0/1
[Huawei-GigabitEthernet0/0/1]nat outbound 2001

八、配置策略路由（未完待续）

出口路由配置：
1、配置acl

<Huawei>sys
[Huawei]acl 3001
[Huawei-acl-adv-3001]rule permit ip source 192.168.1.1 0.0.0.0
[Huawei-acl-adv-3001]rule permit ip source 192.168.2.1 0.0.0.0
[Huawei-acl-adv-3001]acl 3002
[Huawei-acl-adv-3002]rule permit ip source 192.168.1.2 0.0.0.0
[Huawei-acl-adv-3002]rule permit ip source 192.168.2.2 0.0.0.0
[Huawei-acl-adv-3002]q
[Huawei]acl 3003
[Huawei-acl-adv-3003]rule permit ip source 192.168.1.0 0.0.0.255 destination 192
.168.1.254 0
[Huawei-acl-adv-3003]rule permit ip source 192.168.2.0 0.0.0.255 destination 19
2.168.2.254 0
[Huawei-acl-adv-3003]q

2、配置流匹配

[Huawei]traffic classifier c1
[Huawei-classifier-c1]if-match acl 3001
[Huawei-classifier-c1]traffic classifier c2
[Huawei-classifier-c2]if-match acl 3002
[Huawei-classifier-c2]traffic classifier c3
[Huawei-classifier-c3]if-match acl 3003
[Huawei-classifier-c3]q

3、配置流行为

[Huawei]traffic behavior b1
[Huawei-behavior-b1]redirect ip-nexthop 10.1.1.2
[Huawei-behavior-b1]traffic behavior b2
[Huawei-behavior-b2]redirect ip-nexthop 20.1.1.2
[Huawei-behavior-b2]traffic behavior b3
[Huawei-behavior-b3]permit
[Huawei-behavior-b3]q

4、配置流策略

[Huawei]traffic policy p1
[Huawei-trafficpolicy-p1]classifier c3 behavior b3
[Huawei-trafficpolicy-p1]classifier c1 behavior b1
[Huawei-trafficpolicy-p1]classifier c2 behavior b2
[Huawei-trafficpolicy-p1]q

5、配置流应用

[Huawei]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]traffic-policy  p1 inbound
[Huawei-GigabitEthernet0/0/2]q