文章/答案/技术大牛

发布

社区首页 >专栏 >中小型网络思路规划配置分享，H3C HCL模拟器

中小型网络思路规划配置分享，H3C HCL模拟器

王忘杰

发布于 2022-09-22 10:29:40

77900

代码可运行

文章被收录于专栏：王忘杰的小屋王忘杰的小屋

运行总次数：0

代码可运行

整体规划

采用三层网络结构，核心、汇聚三层互联，堆叠采用40G网络，汇聚10G，接入1G，网关下放到汇聚，交换机采用独立管理VLAN，模拟某工厂真实网络情况。

功能实现

1、核心、汇聚堆叠，动态端口聚合 2、配置DHCP服务器为多个VLAN服务 3、静态路由与OSPF配置 4、外网NAT访问实现 5、接入交换机Telnet、管理IP实现 6、SNMP网管服务部署 7、监控摄像头隔离 8、DHCP仿冒防御 9、端口隔离

配置详情

1、设置固定IP，配置主机名如图片所示

2、核心堆叠，采用40G口堆叠核心1

<hexin1>sys
System View: return to User View with Ctrl+Z.
[hexin1]int range FortyGigE 1/0/53 to FortyGigE 1/0/54
[hexin1-if-range]shu
[hexin1-if-range]quit
[hexin1]irf member 1 priority 32
[hexin1]irf-port 1/1
[hexin1-irf-port1/1]port group interface FortyGigE 1/0/53
[hexin1-irf-port1/1]port group interface FortyGigE 1/0/54
[hexin1-irf-port1/1]quit
[hexin1]irf-port-configuration active
[hexin1]int range FortyGigE 1/0/53 to FortyGigE 1/0/54
[hexin1-if-range]un sh
[hexin1-if-range]save

核心2

[hexin2]sys
[hexin2]irf member 1 renumber 2
Renumbering the member ID may result in configuration change or loss. Continue?[Y/N]:y
[hexin2]quit
<hexin2>reboot
<hexin2>sys
System View: return to User View with Ctrl+Z.
[hexin2]interface range FortyGigE 2/0/53 to FortyGigE 2/0/54
[hexin2-if-range]shu
[hexin2-if-range]quit
[hexin2]irf member 2 priority 1
[hexin2]irf-port 2/2
[hexin2-irf-port2/2]port group interface FortyGigE 2/0/53
[hexin2-irf-port2/2]port group interface FortyGigE 2/0/54
[hexin2-irf-port2/2]qui
[hexin2]irf-port-configuration  active
[hexin2]interface range FortyGigE 2/0/53 to FortyGigE 2/0/54
[hexin2-if-range]un sh
[hexin2-if-range]quit
[hexin2]save

连接堆叠线后，机器自动重启，此时两台交换机终端都会显示为 hexin1

3、车间汇聚堆叠，采用40G口步骤与核心相同，堆叠后两台终端都会显示为 chejianhuiju1

4、按图片为交换机配置IP和VLAN，三层采用路由模式，汇聚下联trunk，接入上联trunk，下联对应vlan 车间汇聚做端口聚合

[chejianhuiju1]vlan 1004
[chejianhuiju1-vlan1004]int vlan 1004
[chejianhuiju1-Vlan-interface1004]ip add 10.0.4.254 24
[chejianhuiju1-Vlan-interface1004]quit
[chejianhuiju1]int Bridge-Aggregation 1
[chejianhuiju1-Bridge-Aggregation1]link-aggregation mode dynamic
[chejianhuiju1-Bridge-Aggregation1]quit
[chejianhuiju1]int g1/0/1
[chejianhuiju1-GigabitEthernet1/0/1]port link-aggregation group 1
[chejianhuiju1-GigabitEthernet1/0/1]int g2/0/1
[chejianhuiju1-GigabitEthernet2/0/1]port link-aggregation group 1
[chejianhuiju1-GigabitEthernet2/0/1]dis link-aggregation verbose
  GE1/0/1             0       32768    0         0x8000, 0000-0000-0000 {EF}
  GE2/0/1             0       32768    0         0x8000, 0000-0000-0000 {EF}
[chejianhuiju1-GigabitEthernet2/0/1]vlan 1004
[chejianhuiju1-vlan1004]port Bridge-Aggregation 1
[chejianhuiju1]int Bridge-Aggregation 1
[chejianhuiju1-Bridge-Aggregation1]port link-type trunk
[chejianhuiju1-Bridge-Aggregation1]port trunk permit vlan all
[chejianhuiju1-Bridge-Aggregation1]save

验证生产设备，ping 10.0.20.4 10.0.50.5 10.0.4.254 都通

5、配置OSPF，实现车间、办公、生产服务器、基础服务器互通

配置核心

<hexin1>sys
System View: return to User View with Ctrl+Z.
[hexin1]ospf
[hexin1-ospf-1]area 0
[hexin1-ospf-1-area-0.0.0.0]netwo
[hexin1-ospf-1-area-0.0.0.0]network 10.0.70.0 0.0.0.255
[hexin1-ospf-1-area-0.0.0.0]network 10.0.40.0 0.0.0.255
[hexin1-ospf-1-area-0.0.0.0]network 10.0.60.0 0.0.0.255
[hexin1-ospf-1-area-0.0.0.0]network 10.0.30.0 0.0.0.255
[hexin1-ospf-1-area-0.0.0.0]network 10.0.50.0 0.0.0.255
[hexin1-ospf-1-area-0.0.0.0]quit

配置车间汇聚

<chejianhuiju1>sys
System View: return to User View with Ctrl+Z.
[chejianhuiju1]ospf
[chejianhuiju1-ospf-1]area 0
[chejianhuiju1-ospf-1-area-0.0.0.0]network 10.0.4.0 0.0.0.255
[chejianhuiju1-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
[chejianhuiju1-ospf-1-area-0.0.0.0]network 10.0.50.0 0.0.0.255
[chejianhuiju1-ospf-1-area-0.0.0.0]quit

生产设备ping核心通，其他配置类似。

6、配置DHCP服务器使用三层交换机搭建DHCP服务器，ping测试

[H3C]hostname dhcp
[dhcp]int g1/0/1
[dhcp-GigabitEthernet1/0/1]port link-mode route
[dhcp-GigabitEthernet1/0/1]ip add 10.0.0.1 24
[dhcp-GigabitEthernet1/0/1]save
[dhcp-GigabitEthernet1/0/1]quit
[dhcp]ip route-static 0.0.0.0 0 10.0.0.254
[dhcp]ping 10.0.0.254
Ping 10.0.0.254 (10.0.0.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.0.0.254: icmp_seq=0 ttl=255 time=0.000 ms

创建DHCP池

[dhcp]dhcp enable

dhcp server ip-pool bangong
 gateway-list 10.0.3.254
 network 10.0.3.0 mask 255.255.255.0
 address range 10.0.3.100 10.0.3.200
 dns-list 8.8.8.8
 expired day 3
#
dhcp server ip-pool wuxian
 gateway-list 10.0.2.254
 network 10.0.2.0 mask 255.255.255.0
 address range 10.0.2.150 10.0.2.200
 dns-list 114.114.114.114
 expired day 3
#

沿途汇聚、核心都要开启DHCP中继，二层只要有对应VLAN并trunk即可。

[jichuhuiju]dhcp enable
#
interface Vlan-interface1002
 dhcp select relay
 dhcp relay server-address 10.0.0.1
#
interface Vlan-interface1003
 dhcp select relay
 dhcp relay server-address 10.0.0.1
#

查看客户端IP，成功获取IP

[dhcp]display dhcp server ip-in-use
IP address       Client identifier/    Lease expiration      Type
                 Hardware address
10.0.2.150       0038-6163-312e-3334-  Jun 26 20:35:43 2021  Auto(C)
                 3266-2e31-3730-362d-
                 4745-302f-302f-31
10.0.3.100       0038-6137-362e-3466-  Jun 28 20:35:31 2021  Auto(C)
                 3864-2e31-3230-362d-
                 4745-302f-302f-31

7、配置专线，仅办公和无线可以访问办公汇聚、无线汇聚、核心、专线静态路由

[wuxianhuiju] ip route-static 10.1.0.0 24 10.0.60.10
[hexin1]ip route-static 10.1.0.0 24 10.0.90.18
[zhuanxianwangguan]ip route-static 10.0.2.0 24 10.0.90.15

测试办公和无线都可以访问专线IP10.1.0.2

8、配置办公和无线能访问外网，但外网无法直接访问内网办公汇聚、无线汇聚、核心默认路由，外网网关静态路由

[bangonghuiju]ip route-static 0.0.0.0 0 10.0.30.6
[wuxianhuiju]ip route-static 0.0.0.0 0 10.0.60.10
[hexin1]ip route-static 0.0.0.0 0 10.0.10.1

[waibuwangguan]ip route-static 10.0.3.0 24 10.0.10.2
[waibuwangguan]ip route-static 10.0.2.0 24 10.0.10.2

配置最简单NAT访问方式Easy IP

[waibuwangguan]acl basic 200
[waibuwangguan-acl-ipv4-basic-2000]rule 0 permit source 10.0.2.0 0.0.0.255
[waibuwangguan-acl-ipv4-basic-2000]acl basic 2001
[waibuwangguan-acl-ipv4-basic-2001]rule 0 permit source 10.0.3.0 0.0.0.255
[waibuwangguan-acl-ipv4-basic-2001]quit
[waibuwangguan]int g0/0
[waibuwangguan-GigabitEthernet0/0]nat outbound 2001
[waibuwangguan-GigabitEthernet0/0]nat outbound 2000

办公和无线ping外网1.1.1.2通，外网ping内网不通

9、POE供电受模拟器限制无法实现，实际在无线接入执行 poe enable 即可

10、办公人员通过telnet远程管理车间接入交换机车间汇聚创建管理vlan2000

[chejianhuiju1]vlan 2000
[chejianhuiju1-vlan2000]int vlan 2000
[chejianhuiju1-Vlan-interface2000]ip add 192.168.1.254 24

车间接入创建管理vlan，开启telnet服务，设置默认路由

<chejianjieru>sys
System View: return to User View with Ctrl+Z.
[chejianjieru]vlan 2000
[chejianjieru-vlan2000]int vlan 2000
[chejianjieru-Vlan-interface2000]ip add 192.168.1.2 24
[chejianjieru-Vlan-interface2000]quit
[chejianjieru]user-interface vty 0 4
[chejianjieru-line-vty0-4]authentication-mode scheme
[chejianjieru-line-vty0-4]quit
[chejianjieru]local-user admin
New local user added.
[chejianjieru-luser-manage-admin]password simple 123456
[chejianjieru-luser-manage-admin]authorization-attribute user-role level-15
[chejianjieru-luser-manage-admin]service-type telnet
[chejianjieru-luser-manage-admin]quit
[chejianjieru]telnet server enable
[chejianjieru]save
[chejianjieru]ip route-static 0.0.0.0 0 192.168.1.254

核心添加静态路由

[hexin1]ip route-static 192.168.1.0 24 10.0.20.4

办公人员远程telnet

<bangonghuiju>telnet 192.168.1.2
Trying 192.168.1.2 ...
Press CTRL+K to abort
Connected to 192.168.1.2 ...

******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

login: admin
Password:
<chejianjieru>

11、配置snmp网络管理协议配置向10.0.0.1发送设备信息

snmp-agent
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 10.0.0.1 params securityname public v2c

12、配置监控网络，办公和无线可以访问监控服务器，不可访问摄像头，摄像头仅与监控服务器互相访问核心设置静态路由，监控汇聚设置默认路由

[hexin1]ip route-static 10.0.5.0 24 10.0.80.17
[jiankonghuiju]ip route-static 0.0.0.0 0 10.0.80.16

在监控汇聚上联接口配置ACL规则，只允许访问10.0.5.1发出，其他禁止，从而达到只允许监控服务器被访问的目的

[jiankonghuiju]acl basic 2000
[jiankonghuiju-acl-ipv4-basic-2000]rule 0 permit source 10.0.5.1 0
[jiankonghuiju-acl-ipv4-basic-2000]rule 1 deny
[jiankonghuiju-acl-ipv4-basic-2000]quit
[jiankonghuiju]int Ten-GigabitEthernet1/0/49
[jiankonghuiju-Ten-GigabitEthernet1/0/49]packet-filter 2000 outbound

测试办公可以ping通10.0.5.1，不能ping通10.0.5.2

13、配置DHCP snooping，防止仿冒攻击全局开启dhcp snooping，上联端口启用dhcp信任

[bangongjieru]dhcp snooping enable
[bangongjieru]interface GigabitEthernet1/0/2
[bangongjieru]dhcp snooping trust

14、配置端口隔离，减少接入傻瓜交换机造成的网络风暴，防御ARP攻击

[H3C]port-isolate group 2
[H3C]int g1/0/1
[H3C-GigabitEthernet1/0/1]port-isolate enable group 2
[H3C-GigabitEthernet1/0/1]int g1/0/2
[H3C-GigabitEthernet1/0/2]port-isolate enable group 2
[H3C-GigabitEthernet1/0/2]quit
[H3C]dis port-isolate group 2
Port isolation group information:
Group ID: 2
Group members:
GigabitEthernet1/0/1          GigabitEthernet1/0/2