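H3C Networking Example: A Real Company Case (A Tough Week)

  First, some background:

   The company was founded not long ago and its IT investment is not bad, so all the equipment is new. The routing and switching gear is mainly H3C, but all of it is low-to-mid-range: one S5500-EI serves as the layer-3 core and the rest are S3100 access switches. It is a very simple network structure. The internal and external networks are physically separated, and the external network is only open to a few centrally managed shared computers, so external access does not need to be considered. The painful part is that whoever did the initial planning put 300 computers in a single network segment and used every switch as a dumb, unmanaged device!! That really made me sweat.

    As a result, things went wrong after all: recently the network has been dropping intermittently and ARP attacks have been severe, but with more than 300 devices there was no obvious place to start! The only option was one tough week: I decided to make a major adjustment to the network, re-plan it, and divide it into VLANs!

    To avoid affecting use during normal working hours, the work had to be done on the weekend. For easier management later on, static IPs are used, so the IP was changed on one device after another. Debugging equipment in the machine room in the middle of the night is still vivid in my memory!!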

   Enough talk. The company's basic network diagram:

[Image: network diagram]

Main configuration of the core switch S5500-EI:

 #
 version 5.20, Release 2215
#
 sysname GDD_HeXin_Jh
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
#
 domain default enable system 
#
 telnet server enable 
#
 gvrp     ----- enable GVRP globally
#
acl number 3000   ----- ACL policies that prevent certain VLANs from reaching each other
 rule 1 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.32.0 0.0.0.255 
 rule 2 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.48.0 0.0.0.255 
 rule 3 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.64.0 0.0.0.255 
 rule 4 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.82.0 0.0.0.255 
 rule 5 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.84.0 0.0.0.255 
 rule 6 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.86.0 0.0.0.255 
acl number 3001
 rule 1 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.16.0 0.0.0.255 
 rule 2 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.48.0 0.0.0.255 
 rule 3 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.32.0 0.0.0.255 
 rule 4 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.64.0 0.0.0.255 
 rule 5 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.84.0 0.0.0.255 
 rule 6 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.82.0 0.0.0.255 
acl number 3002
 rule 1 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.48.0 0.0.0.255 
 rule 2 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.64.0 0.0.0.255 
 rule 3 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.84.0 0.0.0.255 
 rule 4 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.16.0 0.0.0.255 
 rule 5 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.86.0 0.0.0.255 
acl number 3003
 rule 1 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.16.0 0.0.0.255 
 rule 2 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.32.0 0.0.0.255 
 rule 3 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.64.0 0.0.0.255 
 rule 4 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.84.0 0.0.0.255 
 rule 5 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.82.0 0.0.0.255 
 rule 6 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.86.0 0.0.0.255 
acl number 3004
 rule 1 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.16.0 0.0.0.255 
 rule 2 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.32.0 0.0.0.255 
 rule 3 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.48.0 0.0.0.255 
 rule 4 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.82.0 0.0.0.255 
 rule 5 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.84.0 0.0.0.255 
 rule 6 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.86.0 0.0.0.255 
acl number 3005
 rule 1 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.16.0 0.0.0.255 
 rule 2 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.48.0 0.0.0.255 
 rule 3 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.64.0 0.0.0.255 
 rule 4 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.84.0 0.0.0.255 
 rule 5 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.86.0 0.0.0.255 
acl number 3006
 rule 1 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.16.0 0.0.0.255 
 rule 2 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.32.0 0.0.0.255 
 rule 3 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.48.0 0.0.0.255 
 rule 4 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.64.0 0.0.0.255 
 rule 5 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.82.0 0.0.0.255 
 rule 6 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.86.0 0.0.0.255 
#
vlan 1
#
vlan 10
 name zhongjili
#
vlan 12
 name xingzheng
#
vlan 16
 name caiwu
#
vlan 32
 name caigou
#
vlan 48
 name jishu
#
vlan 64
 name zhikong
#
vlan 80
 name zhiyi-led
#
vlan 82
 name shengguan
#
vlan 84
 name zhiyi
#
vlan 86
 name zhier
#
vlan 90
 name zhier-led
#
vlan 100
 name others
#
vlan 1000
 name fuwuqi
#
vlan 4000
#
radius scheme system
 server-type extended
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
#
domain system 
 access-limit disable 
 state active 
 idle-cut disable 
 self-service-url disable 
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher $c$3$H/4OBJArNH0CwNirmMs/iwdPh3Ilni1z8MidDOW4
 authorization-attribute level 3
 service-type telnet
 service-type web
#
interface NULL0
#
interface Vlan-interface1
 ip address 172.65.1.1 255.255.255.0 
#
interface Vlan-interface10
 ip address 172.65.10.254 255.255.255.0 
#
interface Vlan-interface12
 ip address 172.65.12.254 255.255.255.0 
#
interface Vlan-interface16
 ip address 172.65.16.254 255.255.255.0 
 packet-filter 3000 inbound
#
interface Vlan-interface32
 ip address 172.65.32.254 255.255.255.0 
 packet-filter 3002 inbound
#
interface Vlan-interface48
 ip address 172.65.48.254 255.255.255.0 
 packet-filter 3003 inbound
#
interface Vlan-interface64
 ip address 172.65.64.254 255.255.255.0
 packet-filter 3004 inbound
#
interface Vlan-interface80
 ip address 172.65.80.254 255.255.255.0 
#
interface Vlan-interface82
 ip address 172.65.82.254 255.255.255.0 
 packet-filter 3005 inbound
#
interface Vlan-interface84
 ip address 172.65.84.254 255.255.255.0 
 packet-filter 3006 inbound
#
interface Vlan-interface86
 ip address 172.65.86.254 255.255.255.0 
 packet-filter 3001 inbound
#
interface Vlan-interface90
 ip address 172.65.90.254 255.255.255.0 
#
interface Vlan-interface100
 ip address 172.65.100.254 255.255.255.0 
#
interface Vlan-interface1000
 ip address 172.65.0.254 255.255.255.0 
#
interface Vlan-interface4000
 ip address 192.168.193.2 255.255.255.0 
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port access vlan 1000
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 1000
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port access vlan 1000
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port access vlan 1000
#
interface GigabitEthernet1/0/5
 port link-mode bridge
 port access vlan 1000
#
interface GigabitEthernet1/0/6
 port link-mode bridge
 port access vlan 1000
#
interface GigabitEthernet1/0/7
 port link-mode bridge
 port access vlan 1000
#
interface GigabitEthernet1/0/8
 port link-mode bridge
 port access vlan 1000
#
interface GigabitEthernet1/0/9
 port link-mode bridge
 port access vlan 1000
#
interface GigabitEthernet1/0/10
 port link-mode bridge
 port access vlan 1000
#
interface GigabitEthernet1/0/11
 port link-mode bridge
 port access vlan 1000
#
interface GigabitEthernet1/0/12
 port link-mode bridge
 port access vlan 1000
#
interface GigabitEthernet1/0/13
 port link-mode bridge
#
interface GigabitEthernet1/0/14
 port link-mode bridge
#
interface GigabitEthernet1/0/15   
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 gvrp            ---- enable GVRP on the trunk ports to synchronize VLAN information
#
interface GigabitEthernet1/0/16
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface GigabitEthernet1/0/17
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface GigabitEthernet1/0/18
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface GigabitEthernet1/0/19
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface GigabitEthernet1/0/20
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface GigabitEthernet1/0/21
 port link-mode bridge
 shutdown
#
interface GigabitEthernet1/0/22
 port link-mode bridge
 shutdown
#
interface GigabitEthernet1/0/23
 port link-mode bridge
 shutdown
#
interface GigabitEthernet1/0/24
 port link-mode bridge
 shutdown
#
interface GigabitEthernet1/0/25
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface GigabitEthernet1/0/26
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface GigabitEthernet1/0/27
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface GigabitEthernet1/0/28
 port link-mode bridge
 description conn to linda s7503
 port access vlan 4000
#
 ip route-static 0.0.0.0 0.0.0.0 192.168.193.1 description to linda
#
 load xml-configuration 
#
 load tr069-configuration
#
user-interface aux 0
 authentication-mode password
 set authentication password cipher $c$3$XTwA6nu6Xq1vRhgQvvY+6oCis8qnu0YiFNWT
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound telnet
user-interface vty 5 15
#
return
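
The pairing of ACLs 3000-3006 with the inbound packet-filter on each Vlan-interface can be checked mechanically. The following Python code is an added example, not part of the original notes: it parses a trimmed excerpt of the configuration above and reports which VLAN pairs are blocked, which blocks exist in one direction only, and which VLAN interfaces carry no inbound filter. The function name audit is hypothetical.

```python
import ipaddress
import re

# Excerpt of the core-switch configuration shown above (three ACLs, trimmed).
CONFIG = """\
acl number 3000
 rule 1 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
 rule 4 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
acl number 3002
 rule 4 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
acl number 3005
 rule 1 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
interface Vlan-interface12
 ip address 172.65.12.254 255.255.255.0
interface Vlan-interface16
 ip address 172.65.16.254 255.255.255.0
 packet-filter 3000 inbound
interface Vlan-interface32
 ip address 172.65.32.254 255.255.255.0
 packet-filter 3002 inbound
interface Vlan-interface82
 ip address 172.65.82.254 255.255.255.0
 packet-filter 3005 inbound
"""
HEAD = re.compile(r"(acl) number (\d+)|interface (Vlan-interface)(\d+)")
RULE = re.compile(r"rule \d+ deny ip source (\S+) (\S+) destination (\S+) (\S+)")

def audit(config):
    """Return (blocked, one_way, unfiltered); assumes contiguous wildcard masks."""
    acls, nets, bound, kind, key = {}, {}, {}, None, None
    for line in config.splitlines():
        w = line.split()
        if not line.startswith(" "):  # a new top-level section begins
            m = HEAD.match(line)
            kind, key = (m[1] or m[3], int(m[2] or m[4])) if m else (None, None)
        elif kind == "acl" and (m := RULE.search(line)):
            acls.setdefault(key, []).append((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                                             ipaddress.ip_network(f"{m[3]}/{m[4]}")))
        elif kind == "Vlan-interface" and w[:2] == ["ip", "address"]:
            nets[key] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif kind == "Vlan-interface" and w[:1] == ["packet-filter"] and w[-1] == "inbound":
            bound[key] = int(w[1])
    blocked = set()
    for vlan, acl in bound.items():
        for src, dst in acls.get(acl, []):
            if src.overlaps(nets[vlan]):  # rule must match this VLAN's hosts
                blocked |= {(vlan, v) for v, n in nets.items() if n.overlaps(dst)}
    one_way = {(a, b) for a, b in blocked if (b, a) not in blocked}
    return blocked, one_way, sorted(set(nets) - set(bound))
```

Feeding the full core configuration to audit instead of the excerpt yields the complete isolation matrix, which is easier to review than seven hand-written ACLs.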

Relevant configuration of the access switch S3100:

#
 sysname KongzhiqiErLou_1
#
 super password level 3 cipher .]@USE=B,53Q=^Q`MAF4<1!!
#
 loopback-detection enable
#
 gvrp
#
radius scheme system
#
domain system
#
local-user admin
 password cipher ^VL!HLV]BSCQ=^Q`MAF4<1!!
 service-type telnet terminal
 level 3
#
 stp enable
#
vlan 1
#
vlan 86
#
interface Vlan-interface1
 ip address 172.65.1.41 255.255.255.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/2
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/3
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/4
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/5
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/6
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/7
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/8
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/9
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/10
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/11
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/12
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/13
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/14
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/15
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/16
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/17
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/18
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/19
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/20
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/21
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/22
 port access vlan 86
 loopback-detection enable
#
interface Ethernet1/0/23
 loopback-detection enable
#
interface Ethernet1/0/24
 loopback-detection enable
#
interface GigabitEthernet1/1/1
 port link-type trunk
 port trunk permit vlan all
 gvrp               ---- GVRP must also be enabled on the corresponding trunk ports so that VLAN information is propagated and synchronized
#
interface GigabitEthernet1/1/2
 port link-type trunk
 port trunk permit vlan all
 shutdown
 gvrp
#
interface GigabitEthernet1/2/1
 port link-type trunk
 port trunk permit vlan all
 shutdown
 gvrp
#
interface GigabitEthernet1/2/2
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface NULL0
#
 ip route-static 0.0.0.0 0.0.0.0 172.65.1.1 preference 60
#
user-interface aux 0
 authentication-mode scheme
 set authentication password cipher ^VL!HLV]BSCQ=^Q`MAF4<1!!
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound telnet
#
return

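 Basic router configuration:

Because the router is a headquarters device, I will not paste its full configuration here. The key points of the configuration are

setting the IP address of the interface that connects to the core switch, and adding the return route, as follows:

interface GigabitEthernet0/0
 port link-mode route
 description To H3C S7503
 speed 1000
 ip address 192.168.193.1 255.255.255.0 sub

ip route-static 172.65.0.0 255.255.0.0 192.168.193.2  ---- return route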

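From planning to implementation, the project was finally completed successfully. It took more than two months, which was not easy... it was worth going through!!!

The above is only my own work notes, kept for future reference...

This article is reposted from pimg2005's 51CTO blog. Original link: http://blog.51cto.com/pimg2005/1009202 . To repost it, please contact the original author.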




