First, some background:
The company was founded not long ago and has invested reasonably in IT, so all the equipment is new. The routing and switching gear is mainly H3C, but all low-to-mid range: one S5500-EI as the Layer 3 core and S3100s for access. The network structure is very simple; the internal and external networks are physically separated, and the external network is only opened to a few shared PCs under centralized management, so external access is not a concern here. The painful part is that whoever did the original planning put all 300 PCs in a single subnet, with every switch used as a dumb device!! Truly embarrassing.
The result was, predictably, a disaster: recently the network has been dropping intermittently, with serious ARP attacks, but with 300-odd devices there was nowhere to start! After a hard week I decided to make a major adjustment to the network: re-plan it and divide it into VLANs!
To avoid affecting use during working hours, this had to be done on a weekend. For easier management later on we use static IPs, so the IP had to be changed on every device one by one; debugging equipment in the server room in the middle of the night is something I still remember vividly!!
Enough rambling. The company's basic network diagram:
Main configuration of the S5500-EI core switch:
#
version 5.20, Release 2215
#
sysname GDD_HeXin_Jh
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
#
domain default enable system
#
telnet server enable
#
gvrp -----enable GVRP globally
#
acl number 3000 -----ACL policies that stop certain VLANs from reaching each other
rule 1 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
rule 2 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
rule 3 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
rule 4 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
rule 5 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
rule 6 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3001
rule 1 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
rule 2 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
rule 3 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
rule 4 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
rule 5 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
rule 6 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
acl number 3002
rule 1 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
rule 2 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
rule 3 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
rule 4 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
rule 5 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3003
rule 1 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
rule 2 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
rule 3 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
rule 4 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
rule 5 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
rule 6 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3004
rule 1 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
rule 2 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
rule 3 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
rule 4 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
rule 5 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
rule 6 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3005
rule 1 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
rule 2 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
rule 3 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
rule 4 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
rule 5 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3006
rule 1 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
rule 2 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
rule 3 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
rule 4 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
rule 5 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
rule 6 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
#
vlan 1
#
vlan 10
name zhongjili
#
vlan 12
name xingzheng
#
vlan 16
name caiwu
#
vlan 32
name caigou
#
vlan 48
name jishu
#
vlan 64
name zhikong
#
vlan 80
name zhiyi-led
#
vlan 82
name shengguan
#
vlan 84
name zhiyi
#
vlan 86
name zhier
#
vlan 90
name zhier-led
#
vlan 100
name others
#
vlan 1000
name fuwuqi
#
vlan 4000
#
radius scheme system
server-type extended
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$H/4OBJArNH0CwNirmMs/iwdPh3Ilni1z8MidDOW4
authorization-attribute level 3
service-type telnet
service-type web
#
interface NULL0
#
interface Vlan-interface1
ip address 172.65.1.1 255.255.255.0
#
interface Vlan-interface10
ip address 172.65.10.254 255.255.255.0
#
interface Vlan-interface12
ip address 172.65.12.254 255.255.255.0
#
interface Vlan-interface16
ip address 172.65.16.254 255.255.255.0
packet-filter 3000 inbound
#
interface Vlan-interface32
ip address 172.65.32.254 255.255.255.0
packet-filter 3002 inbound
#
interface Vlan-interface48
ip address 172.65.48.254 255.255.255.0
packet-filter 3003 inbound
#
interface Vlan-interface64
ip address 172.65.64.254 255.255.255.0
packet-filter 3004 inbound
#
interface Vlan-interface80
ip address 172.65.80.254 255.255.255.0
#
interface Vlan-interface82
ip address 172.65.82.254 255.255.255.0
packet-filter 3005 inbound
#
interface Vlan-interface84
ip address 172.65.84.254 255.255.255.0
packet-filter 3006 inbound
#
interface Vlan-interface86
ip address 172.65.86.254 255.255.255.0
packet-filter 3001 inbound
#
interface Vlan-interface90
ip address 172.65.90.254 255.255.255.0
#
interface Vlan-interface100
ip address 172.65.100.254 255.255.255.0
#
interface Vlan-interface1000
ip address 172.65.0.254 255.255.255.0
#
interface Vlan-interface4000
ip address 192.168.193.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/5
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/6
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/7
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/8
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/9
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/10
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/11
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/12
port link-mode bridge
port access vlan 1000
#
interface GigabitEthernet1/0/13
port link-mode bridge
#
interface GigabitEthernet1/0/14
port link-mode bridge
#
interface GigabitEthernet1/0/15
port link-mode bridge
port link-type trunk
port trunk permit vlan all
gvrp ----enable GVRP on the relevant trunk ports so that VLAN information is synchronized
#
interface GigabitEthernet1/0/16
port link-mode bridge
port link-type trunk
port trunk permit vlan all
gvrp
#
interface GigabitEthernet1/0/17
port link-mode bridge
port link-type trunk
port trunk permit vlan all
gvrp
#
interface GigabitEthernet1/0/18
port link-mode bridge
port link-type trunk
port trunk permit vlan all
gvrp
#
interface GigabitEthernet1/0/19
port link-mode bridge
port link-type trunk
port trunk permit vlan all
gvrp
#
interface GigabitEthernet1/0/20
port link-mode bridge
port link-type trunk
port trunk permit vlan all
gvrp
#
interface GigabitEthernet1/0/21
port link-mode bridge
shutdown
#
interface GigabitEthernet1/0/22
port link-mode bridge
shutdown
#
interface GigabitEthernet1/0/23
port link-mode bridge
shutdown
#
interface GigabitEthernet1/0/24
port link-mode bridge
shutdown
#
interface GigabitEthernet1/0/25
port link-mode bridge
port link-type trunk
port trunk permit vlan all
gvrp
#
interface GigabitEthernet1/0/26
port link-mode bridge
port link-type trunk
port trunk permit vlan all
gvrp
#
interface GigabitEthernet1/0/27
port link-mode bridge
port link-type trunk
port trunk permit vlan all
gvrp
#
interface GigabitEthernet1/0/28
port link-mode bridge
description conn to linda s7503
port access vlan 4000
#
ip route-static 0.0.0.0 0.0.0.0 192.168.193.1 description to linda
#
load xml-configuration
#
load tr069-configuration
#
user-interface aux 0
authentication-mode password
set authentication password cipher $c$3$XTwA6nu6Xq1vRhgQvvY+6oCis8qnu0YiFNWT
user-interface vty 0 4
authentication-mode scheme
protocol inbound telnet
user-interface vty 5 15
#
return
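An added audit script (not part of the original post) that parses `acl`/`rule` lines and the `packet-filter ... inbound` bindings in the style of the config above and lists which VLAN pairs the core still routes unfiltered; the embedded config is a constructed excerpt. Run over the full config it shows, for instance, that ACL 3002 has no rule for 172.65.82.0 and ACL 3005 none for 172.65.32.0, so caigou (VLAN 32) and shengguan (VLAN 82) remain mutually reachable, and that Vlan-interfaces 10, 12, 80, 90, 100 and 1000 carry no packet-filter at all.

```python
import re
from ipaddress import ip_network
# Constructed excerpt of the core-switch config above: ACLs 3002/3005, three VLAN interfaces.
SAMPLE_CONFIG = """\
acl number 3002
rule 5 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3005
rule 5 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
interface Vlan-interface32
 ip address 172.65.32.254 255.255.255.0
 packet-filter 3002 inbound
interface Vlan-interface82
 ip address 172.65.82.254 255.255.255.0
 packet-filter 3005 inbound
interface Vlan-interface86
 ip address 172.65.86.254 255.255.255.0
"""
def wild(addr, wildcard):
    """H3C wildcard mask (0.0.0.255 = /24) to network; ipaddress reads a 0-leading mask as a host mask, except 0.0.0.0."""
    return ip_network(f"{addr}/32" if wildcard == "0.0.0.0" else f"{addr}/{wildcard}", strict=False)

def parse(config):
    """Return ({acl: [(src_net, dst_net)]}, {vlan: [subnet, bound_acl_or_None]})."""
    acls, vlans, acl, vlan = {}, {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"acl number (\d+)$", line):
            acl, vlan = int(m.group(1)), None
            acls[acl] = []
        elif acl and (m := re.match(r"rule \d+ deny ip source (\S+) (\S+) destination (\S+) (\S+)", line)):
            acls[acl].append((wild(m.group(1), m.group(2)), wild(m.group(3), m.group(4))))
        elif m := re.match(r"interface Vlan-interface(\d+)$", line):
            vlan, acl = int(m.group(1)), None
            vlans[vlan] = [None, None]
        elif vlan and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            vlans[vlan][0] = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif vlan and (m := re.match(r"packet-filter (\d+) inbound", line)):
            vlans[vlan][1] = int(m.group(1))
    return acls, vlans

def blocked(acls, vlans, src, dst):
    """True if src VLAN -> dst VLAN is denied by the inbound filter on the src VLAN interface. All rules here are deny; an H3C packet-filter permits whatever no rule matches, so an unbound interface blocks nothing."""
    src_net, acl = vlans[src]
    dst_net = vlans[dst][0]
    return acl is not None and any(src_net.subnet_of(s) and dst_net.subnet_of(d) for s, d in acls[acl])

def isolation_gaps(config):
    """Sorted (src, dst) VLAN pairs that can still reach each other through the core."""
    acls, vlans = parse(config)
    return sorted((a, b) for a in vlans for b in vlans if a != b and not blocked(acls, vlans, a, b))
```

Paste the full core config into `SAMPLE_CONFIG` (the `-----` annotations are harmless, since the regexes anchor on the command text) to get the complete list of unfiltered VLAN pairs.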
Relevant configuration of the S3100 access switches:
#
sysname KongzhiqiErLou_1
#
super password level 3 cipher .]@USE=B,53Q=^Q`MAF4<1!!
#
loopback-detection enable
#
gvrp
#
radius scheme system
#
domain system
#
local-user admin
password cipher ^VL!HLV]BSCQ=^Q`MAF4<1!!
service-type telnet terminal
level 3
#
stp enable
#
vlan 1
#
vlan 86
#
interface Vlan-interface1
ip address 172.65.1.41 255.255.255.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/2
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/3
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/4
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/5
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/6
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/7
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/8
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/9
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/10
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/11
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/12
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/13
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/14
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/15
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/16
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/17
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/18
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/19
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/20
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/21
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/22
port access vlan 86
loopback-detection enable
#
interface Ethernet1/0/23
loopback-detection enable
#
interface Ethernet1/0/24
loopback-detection enable
#
interface GigabitEthernet1/1/1
port link-type trunk
port trunk permit vlan all
gvrp ----GVRP must also be enabled on the corresponding trunk ports at each end so that VLAN information is propagated and synchronized
#
interface GigabitEthernet1/1/2
port link-type trunk
port trunk permit vlan all
shutdown
gvrp
#
interface GigabitEthernet1/2/1
port link-type trunk
port trunk permit vlan all
shutdown
gvrp
#
interface GigabitEthernet1/2/2
port link-type trunk
port trunk permit vlan all
gvrp
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 172.65.1.1 preference 60
#
user-interface aux 0
authentication-mode scheme
set authentication password cipher ^VL!HLV]BSCQ=^Q`MAF4<1!!
user-interface vty 0 4
authentication-mode scheme
protocol inbound telnet
#
return
Basic router configuration:
Since the router is head-office equipment, its full config is not pasted here. The key points are:
set the IP address of the interface connected to the core switch, and add the return route, as follows:
port link-mode route
description To H3C S7503
speed 1000
ip address 192.168.193.1 255.255.255.0 sub
From planning to implementation it was finally completed satisfactorily, taking more than two months. Not easy... but once it is behind you, it is fine!!!
The above are only my own work notes, kept for future reference.
This article is reposted from the 51CTO blog of pimg2005; original link: http://blog.51cto.com/pimg2005/1009202 . To repost it, please contact the original author.