Contents

Project background

Topology

Requirements

Requirement 1: Network reliability

Requirement 2: Basic services (VLAN, IP, DHCP, routing)

Requirement 3: Network isolation

Requirement 4: WLAN expansion

Requirement 5: Egress network

Requirement 6: Network admission control

Requirement 7: Network security

Project background

In the campus in city X, Company A (the headquarters) has two office buildings, T1 and T2, which came into service in 2000 and 2002 respectively. Company A now plans to move the Finance and Human Resources staff from T1 to T2. To keep the business running after the expansion, Company A has decided to complete the T2 network build-out and the overall network upgrade during a holiday period.

Topology

X campus before the upgrade:

X campus after the upgrade:

Requirements

1. Network reliability
2. Basic services (VLAN, IP, DHCP, routing)
3. Network isolation
4. WLAN expansion
5. Egress network
6. Network admission control
7. Network security

Requirement 1: Network reliability

- The T2 aggregation switches are deployed as a stack: X_T2_AGG-1 is the master stack member and X_T2_AGG-2 the standby, with stack IDs 0 and 1; the stacked device is named X_T2_AGG1.
- Service-port stacking is used: physical ports serve directly as stack ports, connected in a ring.
- Link aggregation is deployed between X_T2_AGG1 and X_T1_CORE1 and between X_T2_AGG1 and the access switches, in LACP mode; every physical connection between the devices is a member link, and every member port must be in the Selected state.

Stack commands (not supported in eNSP):

X_T2_AGG-1:

stack slot 0 priority 150
//set the stack priority; the slot number is 0
int stack-port 0/1
port interface XGigabitEthernet 0/0/1 enable
//enter stack port 0/1 and add interface 0/0/1 to it
int stack-port 0/2
port interface XGigabitEthernet 0/0/2 enable
//enter stack port 0/2 and add interface 0/0/2 to it
//after X_T2_AGG-2 has joined the stack, configure the following:
int stack-port 1/2
port interface XGigabitEthernet 1/0/1 enable
//enter stack port 1/2 (the standby switch's other stack port) and add interface 1/0/1 to it

X_T2_AGG-2:

int stack-port 0/1
port interface XGigabitEthernet 0/0/2 enable
//enter stack port 0/1 and add interface 0/0/2 to it

Use the following commands to check that the stack has formed:

dis stack port
dis stack

Link aggregation commands:

X_T2_AGG1:

interface Eth-Trunk1

mode lacp-static

trunkport GigabitEthernet 0/0/11 to 0/0/12

trunkport GigabitEthernet 0/0/23 to 0/0/24

port link-type trunk

port trunk allow-pass vlan 100 209

#

interface Eth-Trunk2

mode lacp-static

trunkport GigabitEthernet 0/0/21 to 0/0/22

port link-type hybrid

port hybrid tagged vlan 31 to 35 41 to 45

#

interface Eth-Trunk3

mode lacp-static

trunkport GigabitEthernet 0/0/19 to 0/0/20

port link-type hybrid

port hybrid tagged vlan 31 to 35 41 to 45 100

X_T1_AGG1:

interface Eth-Trunk2

port link-type hybrid

port hybrid tagged vlan 11 to 15 21 to 25 100

mode lacp-static

interface Eth-Trunk3

port link-type hybrid

port hybrid tagged vlan 11 to 15 21 to 25

mode lacp-static

#

//Eth-Trunk1 is already configured

X_T1_CORE1:

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 100 208

mode lacp-static

#

interface Eth-Trunk2

mode lacp-static

trunkport GigabitEthernet 0/0/11 to 0/0/12

trunkport GigabitEthernet 0/0/21 to 0/0/22

port link-type trunk

port trunk allow-pass vlan 100 209

#

Access-layer configuration: Eth-Trunk and VLAN creation

The detailed VLAN plan is in Requirement 3; the VLANs are created here in advance.

X_T1_ACC1 (T1 access_1):

vlan batch 11 to 15 21 to 25

#

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 11 to 15 21 to 25 100

X_T1_ACC2 (T1 access_2):

vlan batch 11 to 15 21 to 25

#

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 11 to 15 21 to 25

X_T2_ACC1 (T2 access_1):

vlan batch 31 to 35 41 to 45

#

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 31 to 35 41 to 45

mode lacp-static

X_T2_ACC2 (T2 access_2):

vlan batch 31 to 35 41 to 45 100

#

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 31 to 35 41 to 45 100

mode lacp-static

#

interface GigabitEthernet0/0/22

port link-type access

port default vlan 100

Requirement 2: Basic services (VLAN, IP, DHCP, routing)

- IP address configuration.
- Multi-area OSPF is deployed between all Layer 3 devices. Export1, Export2 and Core1 belong to the backbone area; Export1 and Export2 advertise the default route.
- The OSPF areas are divided in line with the network isolation requirement.

The IP address plan is given in the table below; configure each device according to the plan.

For the interfaces marked L2 in the table, complete the interconnection by creating the VLAN, configuring the trunk, and configuring the VLANIF.

On the two interfaces interconnecting CORE and FW, after allowing the required VLANs, also run undo port trunk allow-pass vlan 1: the FW does not run STP, so VLAN 1 would otherwise form a loop. The FW's physical ports are Layer 3 ports, so run portswitch first to change them to Layer 2, then configure the trunk.

The loopback interface of each device will later be added to the VPN instance noted in the right-hand column of the table. When done, remember to ping-test to confirm that directly connected communication works.

Requirement 3: Network isolation

- On X_T1_CORE1, deploy two VPN instances to isolate the internal and guest networks. The instances are named Employee and Guest, with RDs 65001:1 and 65001:2 respectively.
- The firewall X_T1_FW1 uses virtual systems to connect to the two VPN instances Guest and Employee on X_T1_CORE1; each virtual system has the same name as the VPN instance it connects to.
- VLAN204 and VLAN206 are assigned to virtual system Employee; VLANIF204 belongs to the untrust zone and VLANIF206 to the trust zone. VLAN205 and VLAN207 are assigned to virtual system Guest; VLANIF205 belongs to the untrust zone and VLANIF207 to the trust zone.
- All links between virtual system Employee and X_T1_CORE1 belong to OSPF area 1; all links between virtual system Guest and X_T1_CORE1 belong to OSPF area 2.
- Route filtering uses IP-Prefix lists as the filter: Employee and Guest must not learn the specific routes of each other's terminal subnets, nor the corresponding Type 3 LSAs.

The terminal access plan is given in the table below.

Create the VLAN resources on Core1

X_T1_Core1:

vlan batch 51 to 55 60 100 to 105 201 to 209

Create the VRFs on Core1

X_T1_Core1:

ip vpn-instance Employee

ipv4-family

route-distinguisher 65001:1

#

ip vpn-instance Guest

ipv4-family

route-distinguisher 65001:2

#

Bind the interfaces to the VRFs on Core1

X_T1_Core1:

interface Vlanif206

ip binding vpn-instance Employee

ip address 10.1.200.21 255.255.255.252

#

interface Vlanif207

ip binding vpn-instance Guest

ip address 10.1.200.25 255.255.255.252

#

interface Vlanif208

ip binding vpn-instance Employee

ip address 10.1.200.29 255.255.255.252

dhcp select global

#

interface Vlanif209

ip binding vpn-instance Employee

ip address 10.1.200.33 255.255.255.252

dhcp select global

#

interface LoopBack1

ip binding vpn-instance Employee

ip address 10.1.0.4 255.255.255.255

#

interface LoopBack2

ip binding vpn-instance Guest

ip address 10.1.0.5 255.255.255.255

#

interface Vlanif51

ip binding vpn-instance Employee

ip address 10.1.51.254 255.255.255.0

dhcp select global

#

interface Vlanif52

ip binding vpn-instance Employee

ip address 10.1.52.254 255.255.255.0

dhcp select global

#

interface Vlanif53

ip binding vpn-instance Employee

ip address 10.1.53.254 255.255.255.0

dhcp select global

#

interface Vlanif54

ip binding vpn-instance Employee

ip address 10.1.54.254 255.255.255.0

dhcp select global

#

interface Vlanif55

ip binding vpn-instance Employee

ip address 10.1.55.254 255.255.255.0

dhcp select global

#

interface Vlanif101

ip binding vpn-instance Guest

ip address 10.1.101.254 255.255.255.0

dhcp select global

#

interface Vlanif102

ip binding vpn-instance Guest

ip address 10.1.102.254 255.255.255.0

dhcp select global

#

interface Vlanif103

ip binding vpn-instance Guest

ip address 10.1.103.254 255.255.255.0

dhcp select global

#

interface Vlanif104

ip binding vpn-instance Guest

ip address 10.1.104.254 255.255.255.0

dhcp select global

#

interface Vlanif105

ip binding vpn-instance Guest

ip address 10.1.105.254 255.255.255.0

dhcp select global

#

interface Vlanif60

ip binding vpn-instance Employee

ip address 10.1.60.254 255.255.255.0

#

Assign the address pools on Core1 to the corresponding instances as well

X_T1_Core1:

ip pool vlan11

vpn-instance Employee

ip pool vlan12

vpn-instance Employee

ip pool vlan13

vpn-instance Employee

ip pool vlan14

vpn-instance Employee

ip pool vlan15

vpn-instance Employee

ip pool vlan21

vpn-instance Employee

ip pool vlan22

vpn-instance Employee

ip pool vlan23

vpn-instance Employee

ip pool vlan24

vpn-instance Employee

ip pool vlan25

vpn-instance Employee

ip pool vlan31

vpn-instance Employee

ip pool vlan32

vpn-instance Employee

ip pool vlan33

vpn-instance Employee

ip pool vlan34

vpn-instance Employee

ip pool vlan35

vpn-instance Employee

ip pool vlan41

vpn-instance Employee

ip pool vlan42

vpn-instance Employee

ip pool vlan43

vpn-instance Employee

ip pool vlan44

vpn-instance Employee

ip pool vlan45

vpn-instance Employee

ip pool vlan51

vpn-instance Employee

ip pool vlan52

vpn-instance Employee

ip pool vlan53

vpn-instance Employee

ip pool vlan54

vpn-instance Employee

ip pool vlan55

vpn-instance Employee

ip pool vlan101

vpn-instance Guest

ip pool vlan102

vpn-instance Guest

ip pool vlan103

vpn-instance Guest

ip pool vlan104

vpn-instance Guest

ip pool vlan105

vpn-instance Guest

Configure the interfaces on Core1

X_T1_Core1:

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 100 208

mode lacp-static

#

interface Eth-Trunk2

mode lacp-static

trunkport GigabitEthernet 0/0/11 to 0/0/12

trunkport GigabitEthernet 0/0/21 to 0/0/22

port link-type trunk

port trunk allow-pass vlan 100 209

#

interface GigabitEthernet0/0/1

port link-type access

port default vlan 201

#

interface GigabitEthernet0/0/2

port link-type access

port default vlan 202

#

interface GigabitEthernet0/0/3

port link-type trunk

port trunk allow-pass vlan 51 to 55 101 to 105 100

#

interface GigabitEthernet0/0/4

port link-type trunk

undo port trunk allow-pass vlan 1

//(the firewall does not run spanning tree, so VLAN 1 would form a loop; block it)

port trunk allow-pass vlan 204 205

#

interface GigabitEthernet0/0/5

port link-type trunk

undo port trunk allow-pass vlan 1

port trunk allow-pass vlan 206 to 207

#

interface GigabitEthernet0/0/6

port link-type access

port default vlan 60

#

Configure OSPF on Core1

X_T1_Core1:

ospf 10 router-id 10.1.0.3

area 0.0.0.0

network 10.1.200.2 0.0.0.0

network 10.1.200.6 0.0.0.0

network 10.1.0.3 0.0.0.0

area 0.0.0.1

network 10.1.200.13 0.0.0.0

area 0.0.0.2

network 10.1.200.17 0.0.0.0

#

ospf 1 router-id 10.1.0.4 vpn-instance Employee

silent-interface all

undo silent-interface Vlanif206

undo silent-interface Vlanif208

undo silent-interface Vlanif209

vpn-instance-capability simple

area 0.0.0.1

network 10.1.0.0 0.0.255.255

#

ospf 2 router-id 10.1.0.5 vpn-instance Guest

silent-interface all

undo silent-interface Vlanif207

vpn-instance-capability simple

area 0.0.0.2

network 10.1.0.0 0.0.255.255

#

Configure OSPF on Export1

X_T1_Export1:

ospf 1 router-id 10.1.0.1

default-route-advertise always

area 0.0.0.0

network 10.1.0.0 0.0.255.255

Create resources and configure interfaces on Export2

X_T1_Export2:

vlan 202

#

interface Ethernet6/0/0

port link-type access

port default vlan 202

#

interface Vlanif202

ip address 10.1.200.5 255.255.255.252

#

interface LoopBack0

ip address 10.1.0.2 255.255.255.255

#

interface GigabitEthernet0/0/1

ip address 10.255.3.1 255.255.255.0

#

interface GigabitEthernet0/0/2

ip address 10.255.4.1 255.255.255.0

#

Configure OSPF on Export2

X_T1_Export2:

ospf 1 router-id 10.1.0.2

default-route-advertise always

area 0.0.0.0

network 10.1.0.0 0.0.255.255

On X_T1_AGG1: configure the interfaces, create the VLAN resources, and configure DHCP relay and OSPF

X_T1_AGG1:

dhcp enable

#

vlan batch 11 to 15 21 to 25

#

interface Eth-Trunk2

port link-type hybrid

port hybrid tagged vlan 11 to 15 21 to 25 100

mode lacp-static

interface Eth-Trunk3

port link-type hybrid

port hybrid tagged vlan 11 to 15 21 to 25

mode lacp-static

#

interface Vlanif11

ip address 10.1.11.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.29

#

interface Vlanif12

ip address 10.1.12.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.29

#

interface Vlanif13

ip address 10.1.13.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.29

#

interface Vlanif14

ip address 10.1.14.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.29

#

interface Vlanif15

ip address 10.1.15.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.29

#

interface Vlanif21

ip address 10.1.21.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.29

#

interface Vlanif22

ip address 10.1.22.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.29

#

interface Vlanif23

ip address 10.1.23.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.29

#

interface Vlanif24

ip address 10.1.24.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.29

#

interface Vlanif25

ip address 10.1.25.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.29

#

ospf 1 router-id 10.1.0.6

silent-interface all

undo silent-interface Vlanif208

area 0.0.0.1

network 10.1.0.0 0.0.255.255

On X_T2_AGG1: configure the interfaces, create the VLAN resources, and configure DHCP relay and OSPF

X_T2_AGG1:

dhcp enable

vlan batch 31 to 35 41 to 45 100 209

#

interface Eth-Trunk1

mode lacp-static

trunkport GigabitEthernet 0/0/11 to 0/0/12

trunkport GigabitEthernet 0/0/23 to 0/0/24

port link-type trunk

port trunk allow-pass vlan 100 209

#

interface Eth-Trunk2

mode lacp-static

trunkport GigabitEthernet 0/0/21 to 0/0/22

port link-type hybrid

port hybrid tagged vlan 31 to 35 41 to 45

#

interface Eth-Trunk3

mode lacp-static

trunkport GigabitEthernet 0/0/19 to 0/0/20

port link-type hybrid

port hybrid tagged vlan 31 to 35 41 to 45 100

#

interface Vlanif209

ip address 10.1.200.34 255.255.255.252

#

interface Vlanif31

ip address 10.1.31.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.33

#

interface Vlanif32

ip address 10.1.32.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.33

#

interface Vlanif33

ip address 10.1.33.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.33

#

interface Vlanif34

ip address 10.1.34.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.33

#

interface Vlanif35

ip address 10.1.35.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.33

#

interface Vlanif41

ip address 10.1.41.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.33

#

interface Vlanif42

ip address 10.1.42.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.33

#

interface Vlanif43

ip address 10.1.43.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.33

#

interface Vlanif44

ip address 10.1.44.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.33

#

interface Vlanif45

ip address 10.1.45.254 255.255.255.0

dhcp select relay

dhcp relay server-ip 10.1.200.33

#

ospf 1 router-id 10.1.0.7

silent-interface all

undo silent-interface Vlanif209

area 0.0.0.1

network 10.1.0.0 0.0.255.255

On the firewall: create the virtual systems, assign resources, and configure OSPF

X_T1_FW1:

vlan batch 204 to 207

#

interface GigabitEthernet1/0/1

portswitch

undo shutdown

port link-type trunk

undo port trunk allow-pass vlan 1

port trunk allow-pass vlan 204 to 205

#

interface GigabitEthernet1/0/2

portswitch

undo shutdown

port link-type trunk

undo port trunk allow-pass vlan 1

port trunk allow-pass vlan 206 to 207

#

int Vlanif 204

int Vlanif 205

int Vlanif 206

int Vlanif 207

int LoopBack 1

int LoopBack 2

#

vsys enable

#

vsys name Employee

assign interface LoopBack1

assign vlan 204

assign vlan 206

#

vsys name Guest

assign interface LoopBack2

assign vlan 205

assign vlan 207

#

ospf 1 router-id 10.1.0.8 vpn-instance Employee

vpn-instance-capability simple

area 0.0.0.1

network 10.1.0.0 0.0.255.255

#

ospf 2 router-id 10.1.0.9 vpn-instance Guest

vpn-instance-capability simple

area 0.0.0.2

network 10.1.0.0 0.0.255.255

Enter virtual system Employee; configure the IP addresses of Vlanif204, Vlanif206, LoopBack1 and Virtual-if1; configure a security policy that permits OSPF traffic; and add the interfaces to their security zones.

switch vsys Employee
//switch to virtual system Employee
sys
//enter the system view

interface Vlanif204

ip binding vpn-instance Employee

ip address 10.1.200.14 255.255.255.252

#

interface Vlanif206

ip binding vpn-instance Employee

ip address 10.1.200.22 255.255.255.252

#

interface LoopBack1

ip binding vpn-instance Employee

ip address 10.1.0.8 255.255.255.255

#

interface Virtual-if1

ip address 10.1.200.253 255.255.255.255

#

firewall zone trust

add interface Vlanif206

#

firewall zone untrust

add interface Vlanif204

add interface Virtual-if1

#

security-policy

rule name OSPF

source-zone local

source-zone trust

source-zone untrust

destination-zone local

destination-zone trust

destination-zone untrust

service ospf

action permit

#

return

//leave virtual system Employee

Enter virtual system Guest; configure the IP addresses of Vlanif205, Vlanif207, LoopBack2 and Virtual-if2; configure a security policy that permits OSPF traffic; and add the interfaces to their security zones.

switch vsys Guest

interface Vlanif205

ip binding vpn-instance Guest

ip address 10.1.200.18 255.255.255.252

#

interface Vlanif207

ip binding vpn-instance Guest

ip address 10.1.200.26 255.255.255.252

#

interface LoopBack2

ip binding vpn-instance Guest

ip address 10.1.0.9 255.255.255.255

#

interface Virtual-if2

ip address 10.1.200.254 255.255.255.255

#

firewall zone trust

add interface Vlanif207

#

firewall zone untrust

add interface Vlanif205

add interface Virtual-if2

#

security-policy

rule name OSPF

source-zone local

source-zone trust

source-zone untrust

destination-zone local

destination-zone trust

destination-zone untrust

service ospf

action permit

#

return

Check the OSPF neighbor relationships on Core1

The following state indicates normal operation:

Process 1 belongs to Employee, three neighbors: T1 AGG (Vlanif208), T2 AGG (Vlanif209) and FW (Vlanif206)

Process 2 belongs to Guest, one neighbor: FW (Vlanif207)

Process 10 is the global process, four neighbors: Export1 (201), Export2 (202), FW (204) and FW (205)

Check these carefully.

Configure ip-prefix lists on Core1 to filter routes, and apply them as inbound area filters: the Guest list in area 1 and the Employee list in area 2 (in the configuration below this is done in the global process, ospf 10, whose areas 1 and 2 hold the links to the firewall).

ip ip-prefix Employee deny 10.1.11.0 24

ip ip-prefix Employee deny 10.1.12.0 24

ip ip-prefix Employee deny 10.1.13.0 24

ip ip-prefix Employee deny 10.1.14.0 24

ip ip-prefix Employee deny 10.1.15.0 24

ip ip-prefix Employee deny 10.1.21.0 24

ip ip-prefix Employee deny 10.1.22.0 24

ip ip-prefix Employee deny 10.1.23.0 24

ip ip-prefix Employee deny 10.1.24.0 24

ip ip-prefix Employee deny 10.1.25.0 24

ip ip-prefix Employee deny 10.1.31.0 24

ip ip-prefix Employee deny 10.1.32.0 24

ip ip-prefix Employee deny 10.1.33.0 24

ip ip-prefix Employee deny 10.1.34.0 24

ip ip-prefix Employee deny 10.1.35.0 24

ip ip-prefix Employee deny 10.1.41.0 24

ip ip-prefix Employee deny 10.1.42.0 24

ip ip-prefix Employee deny 10.1.43.0 24

ip ip-prefix Employee deny 10.1.44.0 24

ip ip-prefix Employee deny 10.1.45.0 24

ip ip-prefix Employee deny 10.1.51.0 24

ip ip-prefix Employee deny 10.1.52.0 24

ip ip-prefix Employee deny 10.1.53.0 24

ip ip-prefix Employee deny 10.1.54.0 24

ip ip-prefix Employee deny 10.1.55.0 24

ip ip-prefix Employee deny 10.1.60.0 24

ip ip-prefix Employee permit 0.0.0.0 0 less-equal 32

//permit all other routes

#

ip ip-prefix Guest deny 10.1.101.0 24

ip ip-prefix Guest deny 10.1.102.0 24

ip ip-prefix Guest deny 10.1.103.0 24

ip ip-prefix Guest deny 10.1.104.0 24

ip ip-prefix Guest deny 10.1.105.0 24

ip ip-prefix Guest permit 0.0.0.0 0 less-equal 32

//permit all other routes

#

ospf 10

area 0.0.0.1

filter ip-prefix Guest import

#

area 0.0.0.2

filter ip-prefix Employee import

#

Route filtering does not mean the two sides never communicate: the two areas can still reach each other through the default route, which is injected from X_Export1 and X_Export2.

Traffic between the areas passes through the firewall, which means some of it must be explicitly permitted or it will all be dropped. Nothing states this explicitly yet, but the hidden security-policy requirements in the later sections need attention.
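As an added example (not part of the original write-up), the following Python models VRP ip-prefix matching and runs the page's Employee and Guest lists over constructed sample routes. It also shows why an exact-length deny entry still lets a more-specific route through, and how a greater-equal bound closes that gap; the lists are taken from the config above, and the hardening variant is my suggestion rather than the page's configuration.

```python
import ipaddress

# ip-prefix entries constructed from the Core1 config on this page:
# (action, prefix, greater_equal, less_equal); None = keyword absent.
EMPLOYEE_PREFIX_LIST = [
    ("deny", f"10.1.{n}.0/24", None, None)
    for n in (11, 12, 13, 14, 15, 21, 22, 23, 24, 25, 31, 32, 33, 34, 35,
              41, 42, 43, 44, 45, 51, 52, 53, 54, 55, 60)
] + [("permit", "0.0.0.0/0", None, 32)]   # "permit 0.0.0.0 0 less-equal 32"

GUEST_PREFIX_LIST = [
    ("deny", f"10.1.{n}.0/24", None, None) for n in (101, 102, 103, 104, 105)
] + [("permit", "0.0.0.0/0", None, 32)]


def entry_matches(route, entry):
    """VRP semantics: the route must lie inside the entry prefix, and its length
    must fall in [greater-equal, less-equal]. With neither keyword the length
    must equal the entry's mask length exactly; with only greater-equal the
    upper bound is 32."""
    _, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix, strict=False)
    lo = net.prefixlen if ge is None else ge
    hi = (32 if ge is not None else net.prefixlen) if le is None else le
    return lo <= route.prefixlen <= hi and route.subnet_of(net)


def evaluate(prefix_list, route_str):
    """First matching entry decides; an ip-prefix list ends with an implicit deny."""
    route = ipaddress.ip_network(route_str, strict=False)
    for entry in prefix_list:
        if entry_matches(route, entry):
            return entry[0]
    return "deny"


def harden(prefix_list):
    """Assumed hardening (not the page's config): give every bare deny entry a
    'greater-equal <mask-length> less-equal 32' range so that more-specific
    routes inside a denied subnet are caught as well."""
    out = []
    for action, prefix, ge, le in prefix_list:
        if action == "deny" and ge is None and le is None:
            ge = ipaddress.ip_network(prefix, strict=False).prefixlen
            le = 32
        out.append((action, prefix, ge, le))
    return out


def filter_report(prefix_list, routes):
    """Map each candidate route (constructed sample) to the action it receives."""
    return {r: evaluate(prefix_list, r) for r in routes}


if __name__ == "__main__":
    sample = ["10.1.11.0/24", "10.1.11.0/25", "10.1.60.0/24",
              "10.1.200.20/30", "0.0.0.0/0"]
    print(filter_report(EMPLOYEE_PREFIX_LIST, sample))
    print(filter_report(harden(EMPLOYEE_PREFIX_LIST), sample))
```

A /25 summarised or leaked from inside a denied /24 passes the page's list unchanged, which is the case the hardened variant closes.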

Requirement 4: WLAN expansion

- X_T1_AP1 is already registered on the AC and providing wireless service normally. X_T2_AP1 and X_T1_AP1 come online on the same management VLAN and provide the same wireless service, i.e. the current WLAN configuration is carried over.
- Internal wireless users use the SSID X_Employee_010 with password huawei@123; external wireless users use the SSID X_Guest_010 with password huawei@123.

Pre-existing configuration:

X_T1_AC:

interface Vlanif100

ip address 10.1.100.254 255.255.255.0

dhcp select global

#

ip pool vlan100

gateway-list 10.1.100.254

network 10.1.100.0 mask 255.255.255.0

option 43 sub-option 2 ip-address 10.1.100.254
//specifies the AC's IP address

#

capwap source interface vlanif100

Create the AP group

ap-group name X

Configure the security profile

security-profile name HCIE

security wpa-wpa2 psk pass-phrase huawei@123

Configure the SSID profiles

ssid-profile name X_Guest_010

ssid X_Guest_010

ssid-profile name X_Employee_010

ssid X_Employee_010

Configure the VAP profile: bind the SSID profile and the security profile, and configure the forwarding mode and the service VLAN (not the management VLAN)

vap-profile name X_Employee_010

forward-mode tunnel

service-vlan vlan-pool Employee

ssid-profile X_Employee_010

security-profile HCIE

X_T1_AP1 is already managed

ap-id 0 type-id 56 ap-mac 00e0-fc09-24b0

ap-name X_T1_AP1

ap-group X

Apply the VAP profiles to the AP group

ap-group name X

vap-profile X_Employee_010 wlan 1 radio 0

vap-profile X_Guest_010 wlan 2 radio 0

vap-profile X_Employee_010 wlan 1 radio 1

vap-profile X_Guest_010 wlan 2 radio 1

On the AC: create the VLANs, allow them on the interface, create the VLAN pools, and bind the VLAN pools in the VAP profiles:

X_T1_AC1:

vlan batch 51 to 55 101 to 105

#

interface GigabitEthernet0/0/1

port link-type trunk

port trunk allow-pass vlan 51 to 55 100 to 105 203

#

vlan pool Employee

vlan 51 to 55

#

vlan pool Guest

vlan 101 to 105

#

wlan

ap-id 1 ap-mac 00e0-fcb8-14c0

ap-group X

ap-name X_T2_AP1

#

vap-profile name X_Guest_010

forward-mode tunnel

service-vlan vlan-pool Guest

ssid-profile X_Guest_010

security-profile HCIE

#

vap-profile name X_Employee_010

forward-mode tunnel

service-vlan vlan-pool Employee

ssid-profile X_Employee_010

security-profile HCIE

#

Command to check whether the AP is online:

dis ap all

A state of nor means the AP registered successfully.

Requirement 5: Egress network

- A new egress router X_T1_Export2 is added, with two Internet links for load sharing of Internet traffic.
- GE0/0/1 uses a statically configured IP address (10.255.3.1/24) with gateway 10.255.3.254; GE0/0/2 uses a statically configured IP address (10.255.4.1/24) with gateway 10.255.4.254. Configure default routes.
- When any user accesses the Internet through X_T1_Export2, private IP addresses must be replaced by NAT: all IP packets that pass the firewall policy have their source address and port translated. Export2's GE0/0/1 uses the interface's current IP address as the translated address; Export2's GE0/0/2 uses the address pool 10.255.4.2-10.255.4.100 to replace private IP addresses and ports.
- The campus intranet server (10.1.60.101) provides a web service (port 80) externally; public users access it via port 8081 on 10.255.4.1.

On X_T1_Export2: configure the default routes, configure the ACL, and apply it on the interfaces:

X_T1_Export2:

acl number 2000

rule 5 permit

#

interface GigabitEthernet0/0/1

ip address 10.255.3.1 255.255.255.0

nat outbound 2000

#

nat address-group 0 10.255.4.2 10.255.4.100

#

interface GigabitEthernet0/0/2

ip address 10.255.4.1 255.255.255.0

nat outbound 2000 address-group 0

nat server protocol tcp global current-interface 8081 inside 10.1.60.101 80

#

ip route-static 0.0.0.0 0 10.255.3.254

ip route-static 0.0.0.0 0 10.255.4.254

Configure the security policy on the Employee firewall (virtual system):

X_T1_FW1:

switch vsys Employee

security-policy

rule name Internet_to_server101

source-zone untrust

destination-zone trust

source-address-exclude range 10.1.101.0 10.1.105.255

destination-address 10.1.60.101 mask 255.255.255.255

service protocol tcp destination-port 80

action permit

#

return

(leave the virtual system)

Requirement 6: Network admission control

- To ensure end-to-end network security, all wired terminals except servers must be authenticated. Among wired terminals, PCs support 802.1X authentication; dumb terminals such as printers and IP phones do not. The access switches currently in use do not support 802.1X authentication or policy linkage.
- The aggregation switches interact with the authentication server using RADIUS. The server address is 10.1.60.2, the default port numbers are used for authentication, authorization and accounting, and the shared key is huawei@123.
- All profiles involved are named Employee; the authentication domain is employee, and users are not allowed to use any other domain.
- The RADIUS server delivers users' VLAN information by VLAN pool name.
- All AP devices are forced, based on the AP's MAC address, into the ap_noauthen domain for authentication, with authentication mode none.

Note: eNSP does not support 802.1X authentication.

On the access switches, define a user-defined Layer 2 transparent transmission protocol and apply it on the downlink interfaces. Commands:

X_T1_ACC1 (T1 access_1):

l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002

#

port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/20

l2protocol-tunnel user-defined-protocol 802.1x enable

X_T1_ACC2 (T1 access_2):

l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002

#

port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/20

l2protocol-tunnel user-defined-protocol 802.1x enable

X_T2_ACC1 (T2 access_1):

l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002

#

port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/20

l2protocol-tunnel user-defined-protocol 802.1x enable

X_T2_ACC2 (T2 access_2):

l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002

#

port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/20

l2protocol-tunnel user-defined-protocol 802.1x enable

On T1_AGG1 and T2_AGG1: configure the RADIUS server, enter the AAA view to configure the 802.1X authentication schemes, and make sure the downlink interfaces are hybrid ports

X_T1_AGG1 && X_T2_AGG1:

radius-server template employee

radius-server shared-key cipher huawei@123

radius-server authentication 10.1.60.2 1812

radius-server accounting 10.1.60.2 1813

#configure the RADIUS server

aaa

authentication-scheme employee

authentication-mode radius

#configure the authentication scheme

accounting-scheme employee

accounting-mode radius

#configure the accounting scheme

domain employee

authentication-scheme employee

accounting-scheme employee

radius-server employee

#configure the employee domain and bind the schemes above

authentication-scheme noauthen

authentication-mode none

#configure the noauthen authentication scheme

domain ap_noauthen

authentication-scheme noauthen

#configure the ap_noauthen domain and bind the noauthen scheme

interface Eth-Trunk2

port link-type hybrid

interface Eth-Trunk3

port link-type hybrid

On T1_AGG1 and T2_AGG1: configure the dot1x access profile with default parameters; configure the MAC access profile with default parameters; configure the authentication profile to reference the dot1x access profile, the MAC access profile and the authentication domain; apply the authentication profile on the downlink Eth-Trunks; create the VLAN pools; and, for all AP devices, force them by MAC address into the ap_noauthen domain with authentication mode none

X_T1_AGG1 && X_T2_AGG1:

dot1x-access-profile name Employee

mac-access-profile name Employee

#

authentication-profile name Employee

dot1x-access-profile Employee

mac-access-profile Employee

access-domain employee

#

interface Eth-Trunk2

authentication-profile Employee

interface Eth-Trunk3

authentication-profile Employee

#

X_T1_AGG1:

vlan pool market

vlan 11 to 15

vlan pool procure

vlan 21 to 25

#create the VLAN pools

domain ap_noauthen mac-authen force mac-address e813-6e72-c2e0 mask ffff-ffff-ffff

#force the AP, by its MAC address, into the ap_noauthen domain for authentication

X_T2_AGG1:

vlan pool finance

vlan 31 to 35

vlan pool hr

vlan 41 to 45

#create the VLAN pools

domain ap_noauthen mac-authen force mac-address e833-6e32-c3e0 mask ffff-ffff-ffff

#force the AP, by its MAC address, into the ap_noauthen domain for authentication

Because 802.1X authentication is configured on the AGG downlink interfaces, wireless users must be carried through the CAPWAP tunnel to the AC to avoid authentication failures. Configure tunnel (centralized) forwarding on the AC:

X_T1_AC:

vap-profile name X_Guest_010

forward-mode tunnel

#

vap-profile name X_Employee_010

forward-mode tunnel

Requirement 7: Network security

- Configure security policies on the firewall to control user access rights.
- Only the Procurement department, the Marketing department, internal wireless users and external wireless users may access the Internet.
- Internal wireless users may access only one server in the server segment, at 10.1.60.100.
- External wireless users may access only the HTTP service in the server segment (service name Guest_Service), IP address 10.1.60.99, port 3389 (TCP).
- Security policies must follow these rules: source and destination security zones must be included; if a specific service is involved, it must be expressed with a predefined system service or a custom service (service-set).
- Deploy PBR: internal wireless users belong to instance Employee, and the servers also belong to Employee, so that traffic would not pass through the FW. PBR must therefore be configured first to steer the traffic to the FW. Wireless traffic is already tunnel-forwarded from the AC into the CORE, so the PBR is configured on the CORE's ingress interface.

Note: eNSP does not support PBR.

In the system view of the Employee firewall (virtual system), define the custom service:

ip service-set Guest_Service type object
service 0 protocol tcp destination-port 3389
#configure the Guest_Service service

Configure the security policy on the Employee firewall:

- Rule to_Internet permits the Procurement department, the Marketing department and internal wireless users to access the Internet;
- Rule Employee_to_server100 permits internal wireless users to access only the server 10.1.60.100;
- Rule Employee_to_server denies internal wireless users access to the other servers;
- Rule Guest_to_Server99 permits external wireless users to access only the HTTP service in the server segment (service name Guest_Service), IP address 10.1.60.99, port 3389 (TCP);
- Rule Internet_to_server101 permits the campus intranet server (10.1.60.101) to provide its web service (port 80) externally, reached by public users via port 8081 on 10.255.4.1, and denies external wireless users (Guest) access to .101, since external wireless users may access only the server 10.1.60.99.

X_T1_FW:

switch vsys Employee

security-policy

rule name OSPF

source-zone local

source-zone trust

source-zone untrust

destination-zone local

destination-zone trust

destination-zone untrust

service ospf

action permit

#OSPF security policy, already configured above; shown again here only for completeness

rule name to_Internet

source-zone trust

destination-zone untrust

source-address range 10.1.11.0 10.1.15.255

source-address range 10.1.21.0 10.1.25.255

source-address range 10.1.51.0 10.1.55.255

action permit

rule name Employee_to_server100

source-zone trust

destination-zone trust

source-address range 10.1.51.0 10.1.55.255

destination-address 10.1.60.100 mask 255.255.255.255

action permit

rule name Employee_to_server

source-zone trust

destination-zone trust

source-address range 10.1.51.0 10.1.55.255

destination-address 10.1.60.0 mask 255.255.255.0

action deny

#

rule name Guest_to_Server99

source-zone untrust

destination-zone trust

source-address range 10.1.101.0 10.1.105.255

destination-address 10.1.60.99 mask 255.255.255.255

service Guest_Service

action permit

#

rule name Internet_to_server101

source-zone untrust

destination-zone trust

source-address-exclude range 10.1.101.0 10.1.105.255

destination-address 10.1.60.101 mask 255.255.255.255

service protocol tcp destination-port 80

action permit

#

Security policy on the Guest firewall (virtual system):

security-policy

rule name OSPF

source-zone local

source-zone trust

source-zone untrust

destination-zone local

destination-zone trust

destination-zone untrust

service ospf

action permit

#OSPF rule, already configured above; shown again here only for completeness

rule name to_Internet

source-zone trust

destination-zone untrust

source-address range 10.1.101.0 10.1.105.255

action permit

#the to_Internet rule lets external wireless users reach the 10.1.60.99 server and also reach the Internet

Number of firewall security-policy rules. Employee: one for OSPF, one for Internet access, one for internal wireless access to server 100, one denying internal wireless access to the other servers, one for Guest access to .99 (TCP 3389), one for Internet access to .101 (port 80): 6 in total. Guest: one for OSPF, one for Internet access: 2 in total.
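As an added example (not from the original write-up), the following Python replays the Employee virtual system's rule set above as a top-down first-match policy with the USG default deny, against constructed sample flows: it checks that the Requirement 7 statements hold (Guest users reach only 10.1.60.99:3389, internal wireless users reach only 10.1.60.100, Guest users cannot reach .101) and that the OSPF rule still permits the neighbor traffic. Zone names and the flow tuple are modelling assumptions; the Employee_to_server source range is taken as 10.1.51.0-10.1.55.255, the whole internal wireless range, as the rule description states.

```python
import ipaddress
from dataclasses import dataclass, field


def _rng(lo, hi):
    return (ipaddress.ip_address(lo), ipaddress.ip_address(hi))


def _host(ip):
    return _rng(ip, ip)


def _net(cidr):
    n = ipaddress.ip_network(cidr)
    return (n.network_address, n.broadcast_address)


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    action: str
    src: list = field(default_factory=list)          # empty = any source
    src_exclude: list = field(default_factory=list)  # source-address-exclude
    dst: list = field(default_factory=list)          # empty = any destination
    service: tuple = None                            # (proto, dport); None = any


def _in_ranges(ip, ranges):
    return any(lo <= ip <= hi for lo, hi in ranges)


def rule_matches(rule, pkt):
    """pkt = (src_zone, dst_zone, src_ip, dst_ip, proto, dport); assumed shape."""
    src_zone, dst_zone, src, dst, proto, dport = pkt
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_zone not in rule.src_zones or dst_zone not in rule.dst_zones:
        return False
    if rule.src and not _in_ranges(src_ip, rule.src):
        return False
    if rule.src_exclude and _in_ranges(src_ip, rule.src_exclude):
        return False
    if rule.dst and not _in_ranges(dst_ip, rule.dst):
        return False
    return rule.service is None or rule.service == (proto, dport)


def evaluate(rules, pkt):
    """Top-down first match; the vsys drops anything no rule permits."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "default"


ANY = {"local", "trust", "untrust"}
GUEST_WIFI = _rng("10.1.101.0", "10.1.105.255")
EMPLOYEE_WIFI = _rng("10.1.51.0", "10.1.55.255")

# The Employee vsys rule set from this page, in the order configured.
EMPLOYEE_RULES = [
    Rule("OSPF", ANY, ANY, "permit", service=("ospf", None)),
    Rule("to_Internet", {"trust"}, {"untrust"}, "permit",
         src=[_rng("10.1.11.0", "10.1.15.255"),
              _rng("10.1.21.0", "10.1.25.255"), EMPLOYEE_WIFI]),
    Rule("Employee_to_server100", {"trust"}, {"trust"}, "permit",
         src=[EMPLOYEE_WIFI], dst=[_host("10.1.60.100")]),
    # covers all internal wireless VLANs (51-55), as the rule description states
    Rule("Employee_to_server", {"trust"}, {"trust"}, "deny",
         src=[EMPLOYEE_WIFI], dst=[_net("10.1.60.0/24")]),
    Rule("Guest_to_Server99", {"untrust"}, {"trust"}, "permit",
         src=[GUEST_WIFI], dst=[_host("10.1.60.99")], service=("tcp", 3389)),
    Rule("Internet_to_server101", {"untrust"}, {"trust"}, "permit",
         src_exclude=[GUEST_WIFI], dst=[_host("10.1.60.101")],
         service=("tcp", 80)),
]

if __name__ == "__main__":
    # constructed sample flows, not captured traffic
    for flow in [("untrust", "trust", "10.1.103.4", "10.1.60.101", "tcp", 80),
                 ("trust", "trust", "10.1.52.9", "10.1.60.100", "tcp", 22)]:
        print(flow, "->", evaluate(EMPLOYEE_RULES, flow))
```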

Configure PBR: on X_T1_Core1, configure ACL 3000 and apply it on the interface:

acl number 3000

rule permit ip source 10.1.51.0 0.0.0.255 destination 10.1.60.0 0.0.0.255

rule permit ip source 10.1.52.0 0.0.0.255 destination 10.1.60.0 0.0.0.255

rule permit ip source 10.1.53.0 0.0.0.255 destination 10.1.60.0 0.0.0.255

rule permit ip source 10.1.54.0 0.0.0.255 destination 10.1.60.0 0.0.0.255

rule permit ip source 10.1.55.0 0.0.0.255 destination 10.1.60.0 0.0.0.255

#matches the traffic of the internal wireless users

interface GigabitEthernet0/0/3

traffic-redirect inbound acl 3000 vpn-instance Employee ip-nexthop 10.1.200.22

#applied on interface 0/0/3: redirects internal wireless users' traffic to 10.1.200.22 (the IP of Vlanif206, the trust-side interface of the Employee firewall)

On X_T1_Core1, configure ACL 3001 and apply it on the interface:

Return traffic from 10.1.60.101 reaches the Employee firewall through the Core's VLAN 206; the Employee firewall then follows the default route in the Employee instance's routing table to the Core's global VLAN 204. The global routing table has two default routes, one pointing to Export1 and one to Export2. If the traffic went to Export1, the forward and return paths would differ, so the return traffic must be steered to Export2, i.e. 10.1.200.5.

acl number 3001

rule 5 permit ip source 10.1.60.101 0

#matches the return traffic of 10.1.60.101

interface GigabitEthernet0/0/4

traffic-redirect inbound acl 3001 ip-nexthop 10.1.200.5

Verification commands

X_T1_AC1:

dis ap all

X_T1_Core1:

display ospf peer brief

display ip interface brief

display ip routing-table

display ip routing-table vpn-instance Employee

display ip routing-table vpn-instance Guest

X_T1_AGG1:

display ospf peer brief

display access-user

display ip routing-table

X_T2_AGG1:

dis stack

dis eth-trunk

display ospf peer brief

display access-user

display ip routing-table

X_T1_Export1 &&  X_T1_Export2:

display ospf peer brief

display ip interface brief

display ip routing-table

X_T1_FW1:

display ospf peer brief

display ip interface brief

display ip routing-table vpn-instance Employee

display ip routing-table vpn-instance Guest
