
Selection Contest Network System - Module A


Data Center Network Construction

1. Task Description

In 2023 the company's business grew rapidly, and it plans to open branch offices in Changzhou and Wuxi to expand its market. FW1 is the headquarters' network egress device, SW1 is the headquarters' core switch, and the AC provides wireless management for headquarters; FW2 is the Changzhou branch's egress device and SW2 is the Changzhou branch's core switch; RT1 is the Wuxi branch's egress device, and SW3 is both the Wuxi branch's access switch and the switch used to simulate the Internet. Because headquarters and the Changzhou branch need to exchange data frequently, an IPsec VPN is planned between them so that this traffic stays stable and secure in transit.

2. Network Topology Diagram

[Figure: network topology diagram]

3. Network Planning Table

| Device | Interface and IP address | Peer device | Peer interface |
|---|---|---|---|
| FW1 | eth0/1-2 (trust zone) 10.10.0.1/30 | SW1 | eth1/0/1-2 |
| FW1 | eth0/5 (untrust zone) 223.18.0.2/30 | SW3 (internet) | eth1/0/18 |
| FW1 | loopback1 (trust zone) 10.0.0.254/32 | | |
| SW1 | vlan 1000 10.10.0.2/30 eth1/0/1-2 | FW1 | eth0/1-2 |
| SW1 | vlan 10 (office) eth1/0/3-4 192.168.10.1/24 | | |
| SW1 | vlan 20 (R&D) eth1/0/5-6 192.168.20.1/24 | | |
| SW1 | vlan 30 (product) eth1/0/7-8 192.168.30.1/24 | | |
| SW1 | vlan 40 (sales) eth1/0/9-10 192.168.40.1/24 | | |
| SW1 | vlan 50 (wireless) 192.168.50.1/24 | | |
| SW1 | vlan 100 (ap-manage) eth1/0/24 192.168.100.1/24 | AC | eth1/0/24 |
| SW1 | loopback1 10.0.0.253/32 | | |
| AC | vlan 100 (ap-manage) eth1/0/24 192.168.100.254 | SW1 | eth1/0/24 |
| AC | eth1/0/1 | AP | ETH |
| FW2 | eth0/1 (trust zone) 10.20.0.1/30 | SW2 | eth1/0/24 |
| FW2 | eth0/5 (untrust zone) 223.19.0.2/30 | SW3 (internet) | eth1/0/19 |
| SW2 | vlan 1000 eth1/0/24 10.20.0.2/30 | FW1 | eth0/1 |
| SW2 | vlan 128 (office) eth1/0/1-8 192.168.128.0/24 | | |
| SW2 | vlan 129 (sales) eth1/0/9-16 192.168.129.0/24 | | |
| RT1 | G0/0 223.20.0.2/30 | SW3 (internet) | eth1/0/20 |
| RT1 | G0/1.130 192.168.130.1/24 | SW3 | eth1/0/24 |
| RT1 | G0/1.131 192.168.131.1/24 | SW3 | eth1/0/24 |
| SW3 | eth1/0/24 | RT1 | G0/1 |
| SW3 | Vlan 130 eth1/0/1-8 | | |
| SW3 | Vlan 131 eth1/0/9-16 | | |
| SW3 (Internet) | Vlan18 eth1/0/18 223.18.0.1/30 | FW1 | eth0/5 |
| SW3 (Internet) | Vlan19 eth1/0/19 223.19.0.1/30 | FW2 | eth0/5 |
| SW3 (Internet) | Vlan20 eth1/0/20 223.20.0.1/30 | RT1 | G0/0 |
| AP | ETH | AC | eth1/0/1 |
| PC1 | NIC | SW1 | eth1/0/9 |
| PC2 | NIC | SW2 | eth1/0/1 |

4. Demo

Internet-related configuration

```
## vlan
vlan 17 to 19
int vlan 17
ip add 223.17.0.1 30
int vlan 18
ip add 223.18.0.1 30
int vlan 19
ip add 223.19.0.1 30
```
SW1 configuration

```
## vlan
vlan 10 20 30 40
int vlan 10
ip add 192.168.10.1 24
int vlan 20
ip add 192.168.20.1 24
int vlan 30
ip add 192.168.30.1 24
int vlan 40
ip add 192.168.40.1 24
int vlan 100
ip add 10.10.0.2 30

## DHCP
dhcp enable
dhcp server ip-pool vlan10
network 192.168.10.0 mask 255.255.255.0
gateway-list 192.168.10.1
dns-list 218.2.2.2
expired day 1
dhcp server ip-pool vlan20
network 192.168.20.0 mask 255.255.255.0
gateway-list 192.168.20.1
dns-list 218.2.2.2
expired day 1
dhcp server ip-pool vlan30
network 192.168.30.0 mask 255.255.255.0
gateway-list 192.168.30.1
dns-list 218.2.2.2
expired day 1
dhcp server ip-pool vlan40
network 192.168.40.0 mask 255.255.255.0
gateway-list 192.168.40.1
dns-list 218.2.2.2
expired day 1
dhcp server ip-pool vlan50
network 192.168.50.0 mask 255.255.255.0
gateway-list 192.168.50.1
dns-list 218.2.2.2
expired day 1

## loopback
int loopback 1
ip add 10.0.0.253 32

## IP addresses and port-to-VLAN assignment
int g1/0/2
port link-type access
port access vlan 1000
int range g1/0/3 to g1/0/4
port link-type access
port access vlan 10
int range g1/0/5 to g1/0/6
port link-type access
port access vlan 20
int range g1/0/7 to g1/0/8
port link-type access
port access vlan 30
int range g1/0/9 to g1/0/10
port link-type access
port access vlan 40
```
FW1 configuration

```
## loopback
int loopback 1
ip add 10.0.0.254 32

## IP addresses
int g1/0/2
ip add 10.10.0.1 30
int g1/0/5
ip add 223.17.0.2 30
nat outbound 2000 address-group 1

## Routes
ip route-static 10.0.0.253 32 10.10.0.2

## Security policy (NAT source ACL)
acl number 2000
rule 0 permit source 192.168.0.0 0.0.255.255

## Security zones
security-zone name Untrust
import interface GigabitEthernet1/0/5
security-zone name Management
import interface GigabitEthernet1/0/1
security-zone name Trust
import interface GigabitEthernet1/0/2
import interface LoopBack1

## NAT address translation
nat address-group 1
address 223.17.0.2 223.17.0.2
```
AC configuration

```
## vlan
vlan 50 100
int vlan 50
ip add 192.168.50.1 24
dhcp select relay
dhcp relay server-address 10.1.1.1
quit
int vlan100
ip add 192.168.100.254 24
quit
int g1/0/23
port link-type access
port access vlan 100
int g1/0/1
port link-type access
port access vlan 50
quit

## DHCP
dhcp enable

## WLAN
wlan auto-ap enable
wlan auto-persistent enable
wlan ap ap1 model WA6320-HCL
serial-id H3C_7E-FF-09-10-03-00
vlan 1
radio 1
radio enable
service-template st1
radio 2
gigabitethernet 1
```

SW2 configuration

```
## vlan
[SW2]vlan 128 129 1000
[SW2]int vlan 128
[SW2-vlan-int128]ip add 192.168.128.1 24
[SW2-vlan-int128]quit
[SW2]int vlan 129
[SW2-vlan-int129]ip add 192.168.129.1 24
[SW2-vlan-int129]quit
[SW2]int vlan1000
[SW2-vlan-int1000]ip add 10.20.0.2 30
[SW2-vlan-int1000]quit
[SW2]int g1/0/24
[SW2-G1/0/24]port link-type access
[SW2-G1/0/24]port access vlan 1000

## SSH
[SW2]ssh server enable
[SW2]line vty 0 4
[SW2-line-vty0-4]authentication-mode scheme
[SW2-line-vty0-4]quit
[SW2]local-user ssh_user class manage
[SW2-luser-manage-ssh_user]password simple ssh@2023
[SW2-luser-manage-ssh_user]service-type ssh

## Static routes
[SW2]ip route-static 0.0.0.0 0.0.0.0 10.20.0.1
```
RT1 configuration

```
## DHCP
[RT1]dhcp enable
[RT1]dhcp server ip-pool wx130
[RT1-dhcp-pool-wx130]gateway-list 192.168.130.1
[RT1-dhcp-pool-wx130]network 192.168.130.0 mask 255.255.255.0
[RT1-dhcp-pool-wx130]dns-list 218.2.2.2
[RT1-dhcp-pool-wx130]quit
[RT1]dhcp server ip-pool wx131
[RT1-dhcp-pool-wx131]gateway-list 192.168.131.1
[RT1-dhcp-pool-wx131]network 192.168.131.0 mask 255.255.255.0
[RT1-dhcp-pool-wx131]dns-list 218.2.2.2

## Router-on-a-stick (dot1q sub-interfaces)
[RT1]int G0/1.130
[RT1-G0/1.130]ip address 192.168.130.1 24
[RT1-G0/1.130]vlan-type dot1q vid 130
[RT1-G0/1.130]quit
[RT1]int G0/1.131
[RT1-G0/1.131]ip address 192.168.131.1 24
[RT1-G0/1.131]vlan-type dot1q vid 131

## IP address
[RT1]int G0/0
[RT1-G0/0]ip address 223.19.0.2 30

## NAT
[RT1]acl basic 2000
[RT1-acl-ipv4-basic-2000]rule 0 permit source 192.168.0.0 0.0.255.255
[RT1]nat address-group 1
[RT1-nat-address-group-1]address 223.19.0.1 223.19.0.1
[RT1]int g0/0
[RT1-G0/0]nat outbound 2000 address-group 1
```
SW3 configuration

```
## VLAN
[SW3]vlan 130 131
[SW3]int range g1/0/1 to g1/0/8
[SW3-if-range]port link-type access
[SW3-if-range]port access vlan 130
[SW3]int range g1/0/9 to g1/0/16
[SW3-if-range]port link-type access
[SW3-if-range]port access vlan 131
[SW3]int g1/0/24
[SW3-G1/0/24]port link-type trunk
[SW3-G1/0/24]port trunk permit vlan 130 131

## Rate limiting
[SW3]int range g1/0/1 to g1/0/8
[SW3-if-range]speed 100

## Port security
[SW3]port-security enable
[SW3]port-security timer disableport 120
[SW3]int range g1/0/11 to g1/0/12
[SW3-if-range]port-security intrusion-mode disableport-temporarily
[SW3-if-range]port-security max-mac-count 5

## DHCP Snooping
[SW3]dhcp snooping enable
[SW3]int g1/0/24
[SW3-G1/0/24]dhcp snooping trust
```
FW2 configuration

```
## Web management configuration
[FW2]int g1/0/1
[FW2-G1/0/1]ip add 192.168.0.120 24
[FW2]security-zone name management
[FW2-security-zone-Management]import interface GigabitEthernet 1/0/1
[FW2-security-zone-Management]quit
[FW2]acl advanced 3000
[FW2-acl-ipv4-adv-3000]rule permit ip
[FW2-acl-ipv4-adv-3000]quit
[FW2]zone-pair security source management destination local
[FW2-zone-pair-security-Management-Local]packet-filter 3000
[FW2-zone-pair-security-Management-Local]quit
[FW2]zone-pair security source local destination management
[FW2-zone-pair-security-Local-Management]packet-filter 3000
```

## VPN

```
## NAT
[FW2]time-range work-time 8:30 to 17:30 working-day
[FW2]acl basic 2000
[FW2-acl-ipv4-basic-2000]rule 0 permit source 192.168.128.0 0.0.0.255 time-range work-time
[FW2-acl-ipv4-basic-2000]rule 1 permit source 192.168.129.0 0.0.0.255
[FW2]nat address-group 1
[FW2-nat-address-group-1]address 223.18.0.1 223.18.0.1
[FW2]int g1/0/5
[FW2-G1/0/5]nat outbound 2000 address-group 1
```
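The NAT source filter on FW2 combines a wildcard-mask ACL with a time-range, so whether a host is translated depends on both its subnet and the clock. The Python below is an added example, not part of the original page or the vendor's software: it models that evaluation so the effect of acl basic 2000 can be checked offline. The rule numbers, wildcards and the 8:30-17:30 working-day window are taken from the configuration above; the sample hosts and timestamps are constructed.

```python
"""H3C-style basic ACL evaluation with wildcard masks and a time-range.
Added example, not from the original page: models FW2's NAT source filter
(acl basic 2000 bound to nat outbound) to check the work-time restriction."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional

@dataclass(frozen=True)
class TimeRange:
    start: time
    end: time
    weekdays: frozenset  # 0 = Monday ... 6 = Sunday

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() <= self.end

@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "permit" or "deny"
    source: IPv4Address
    wildcard: IPv4Address     # Comware wildcard mask: 1 bits are "don't care"
    time_range: Optional[TimeRange] = None

    def matches(self, ip: IPv4Address, when: datetime) -> bool:
        care = 0xFFFFFFFF ^ int(self.wildcard)
        if (int(ip) & care) != (int(self.source) & care):
            return False
        # A rule carrying a time-range only matches while that range is active.
        return self.time_range is None or self.time_range.active(when)

# time-range work-time 8:30 to 17:30 working-day (Monday to Friday)
WORK_TIME = TimeRange(time(8, 30), time(17, 30), frozenset(range(5)))
# acl basic 2000 as configured on FW2
ACL_2000 = [
    Rule(0, "permit", IPv4Address("192.168.128.0"), IPv4Address("0.0.0.255"), WORK_TIME),
    Rule(1, "permit", IPv4Address("192.168.129.0"), IPv4Address("0.0.0.255")),
]

def nat_decision(src: str, when_iso: str, acl=ACL_2000) -> Optional[int]:
    """Number of the first matching permit rule, or None when the packet matches
    no rule or a deny rule (nat outbound then leaves it untranslated)."""
    ip, when = IPv4Address(src), datetime.fromisoformat(when_iso)
    for rule in acl:  # config order, Comware's default match order
        if rule.matches(ip, when):
            return rule.number if rule.action == "permit" else None
    return None
```

Calling `nat_decision("192.168.128.10", "2023-06-10T10:00")` (a Saturday) returns None, showing that office hosts in vlan 128 lose Internet NAT outside working hours while vlan 129 is translated at any time.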

```
## IP address configuration
[FW2]int g1/0/5
[FW2-G1/0/5]ip add 223.18.0.2 30
[FW2]int g1/0/0
[FW2-G1/0/0]ip add 10.20.0.1 30
```

```
## Security policy
### Add each interface to its security zone
[FW2]security-zone name trust
[FW2-security-zone-Trust]import int g1/0/0
[FW2]security-zone name untrust
[FW2-security-zone-untrust]import int g1/0/5
### Permit Trust to Untrust traffic
[FW2]security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
### Permit Trust to Local traffic; once configured, devices in the Trust zone can ping the firewall
[FW2]security-policy ip
rule 1 name trust-local
action pass
source-zone trust
destination-zone local
### Permit Local to all other zones; once configured, the firewall can ping other devices
rule 2 name local-all
action pass
source-zone local
```

```
## Static routes
[FW2]ip route-static 0.0.0.0 0.0.0.0 223.18.0.1
[FW2]ip route-static 192.168.128.0 255.255.255.0 10.20.0.2
[FW2]ip route-static 192.168.129.0 255.255.255.0 10.20.0.2
```