Contents

Project background

Topology

Requirements

Requirement 1: Network reliability

Requirement 2: Basic services (VLAN, IP, DHCP, routing)

Requirement 3: Network isolation

Requirement 4: WLAN expansion

Requirement 5: Internet egress

Requirement 6: Access authentication

Requirement 7: Network security


Project background

In the campus in city X, company A, acting as headquarters, owns two office buildings, T1 and T2, which came into use in 2000 and 2002 respectively. Company A now plans to move the Finance and Human Resources staff from T1 to T2. To ensure that business keeps running normally after the expansion, company A has decided to complete the T2 network build and the overall network upgrade during a holiday period.

Topology

X campus before the upgrade:

X campus after the upgrade:

Requirements

  1. Network reliability
  2. Basic services (VLAN, IP, DHCP, routing)
  3. Network isolation
  4. WLAN expansion
  5. Internet egress
  6. Access authentication
  7. Network security

Requirement 1: Network reliability

  1. The T2 aggregation switches are deployed as a stack: X_T2_AGG-1 is the master and X_T2_AGG-2 the standby, with stack IDs 0 and 1; the stacked device is named X_T2_AGG1
  2. Service-port stacking: physical ports are used directly as stack ports, in a ring topology
  3. Link aggregation is deployed between X_T2_AGG1 and X_T1_CORE1 and between X_T2_AGG1 and the access switches, in LACP mode; all physical links between the devices are member links and every member port must be in the Selected state

Stack commands (not supported in eNSP):

X_T2_AGG-1:
stack slot 0 priority 150
// set the stack priority; the slot number is 0
int stack-port 0/1
 port interface XGigabitEthernet 0/0/1 enable
// enter stack port 0/1 and add interface 0/0/1 to it
int stack-port 0/2
 port interface XGigabitEthernet 0/0/2 enable
// enter stack port 0/2 and add interface 0/0/2 to it

// Configure the following once X_T2_AGG-2 has joined the stack:
int stack-port 1/2
 port interface XGigabitEthernet 1/0/1 enable
// enter stack port 1/2 (the standby switch's other stack port) and add interface 1/0/1 to it

X_T2_AGG-2:
int stack-port 0/1
 port interface XGigabitEthernet 0/0/2 enable
// enter stack port 0/1 and add interface 0/0/2 to it

Use the following commands to check that the stack formed successfully:

dis stack port
dis stack

Link aggregation commands:

X_T2_AGG1:
interface Eth-Trunk1
    mode lacp-static
    trunkport GigabitEthernet 0/0/11 to 0/0/12
    trunkport GigabitEthernet 0/0/23 to 0/0/24
    port link-type trunk
    port trunk allow-pass vlan 100 209 
#
interface Eth-Trunk2
    mode lacp-static
    trunkport GigabitEthernet 0/0/21 to 0/0/22
    port link-type hybrid 
    port hybrid tagged vlan 31 to 35 41 to 45

#
interface Eth-Trunk3
    mode lacp-static
    trunkport GigabitEthernet 0/0/19 to 0/0/20
    port link-type hybrid 
    port hybrid tagged vlan 31 to 35 41 to 45 100  


X_T1_AGG1:
interface Eth-Trunk2
   port link-type hybrid 
   port hybrid tagged vlan 11 to 15 21 to 25 100
   mode lacp-static
interface Eth-Trunk3
   port link-type hybrid 
   port hybrid tagged vlan 11 to 15 21 to 25
   mode lacp-static
#
// Eth-Trunk1 is already configured in the baseline
X_T1_CORE1:
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 100 208
 mode lacp-static
#
interface Eth-Trunk2
    mode lacp-static
    trunkport GigabitEthernet 0/0/11 to 0/0/12
    trunkport GigabitEthernet 0/0/21 to 0/0/22
    port link-type trunk
    port trunk allow-pass vlan 100 209
#

Access layer: configure the Eth-Trunks and create the VLANs

The detailed VLAN plan is given under Requirement 3; the VLANs are created here in advance.

X_T1_ACC1 (T1 access 1):
vlan batch 11 to 15 21 to 25
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 11 to 15 21 to 25 100

X_T1_ACC2 (T1 access 2):
vlan batch 11 to 15 21 to 25
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 11 to 15 21 to 25

X_T2_ACC1 (T2 access 1):
vlan batch 31 to 35 41 to 45
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 31 to 35 41 to 45
 mode lacp-static

X_T2_ACC2 (T2 access 2):
vlan batch 31 to 35 41 to 45 100 
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 31 to 35 41 to 45 100
 mode lacp-static
#
interface GigabitEthernet0/0/22
 port link-type access
 port default vlan 100

Requirement 2: Basic services (VLAN, IP, DHCP, routing)

  1. IP address configuration
  2. Deploy multi-area OSPF between all Layer 3 devices. Export1, Export2 and Core1 belong to the backbone area; advertise a default route on Export1 and Export2
  3. Divide the areas in line with the network isolation requirement

The IP address plan is as follows:

Configure each device one by one according to the plan in the table.

For the interfaces marked L2 in the table, complete the interconnection in three steps: create the VLAN, configure the trunk, configure the VLANIF.

On the two interfaces interconnecting CORE and FW, after allowing the required VLANs you also need: undo port trunk allow-pass vlan 1

The reason is that the FW does not run STP, so VLAN 1 would otherwise form a loop.
The FW physical ports are Layer 3 ports; run the portswitch command first to turn them into Layer 2 ports, then configure the trunk.

Each device's loopback interfaces will later be added to the corresponding VPN instance, as noted in the right-hand column of the table.
When done, remember to ping-test to confirm that directly connected links communicate.

Requirement 3: Network isolation

  1. On X_T1_CORE1, deploy two VPN instances to isolate the internal and guest networks; the instance names are Employee and Guest, with RDs 65001:1 and 65001:2 respectively
  2. Firewall X_T1_FW1 uses virtual systems to interconnect with the two VPN instances Guest and Employee on X_T1_CORE1; each virtual system is named the same as the VPN instance it connects to
  3. VLAN 204 and VLAN 206 are assigned to virtual system Employee; VLANIF204 belongs to the untrust zone and VLANIF206 to the trust zone
  4. VLAN 205 and VLAN 207 are assigned to virtual system Guest; VLANIF205 belongs to the untrust zone and VLANIF207 to the trust zone
  5. All links between virtual system Employee and X_T1_CORE1 belong to OSPF area 1, and all links between virtual system Guest and X_T1_CORE1 belong to OSPF area 2
  6. Use IP-Prefix lists as filters for route filtering: Employee and Guest must not learn each other's terminal subnets, neither the specific routes nor the corresponding Type-3 LSAs

The terminal access plan is as follows:

Create the VLAN resources on Core1

X_T1_Core1:
vlan batch 51 to 55 60 100 to 105 201 to 209

Create the VRFs on Core1

X_T1_Core1:
ip vpn-instance Employee
 ipv4-family
  route-distinguisher 65001:1
#
ip vpn-instance Guest
 ipv4-family
  route-distinguisher 65001:2
#

Assign the interfaces to the VRFs on Core1

X_T1_Core1:
interface Vlanif206
 ip binding vpn-instance Employee
 ip address 10.1.200.21 255.255.255.252
#
interface Vlanif207
 ip binding vpn-instance Guest
 ip address 10.1.200.25 255.255.255.252
#
interface Vlanif208
 ip binding vpn-instance Employee
 ip address 10.1.200.29 255.255.255.252
 dhcp select global
#
interface Vlanif209
 ip binding vpn-instance Employee
 ip address 10.1.200.33 255.255.255.252
 dhcp select global
#
interface LoopBack1
 ip binding vpn-instance Employee
 ip address 10.1.0.4 255.255.255.255
#
interface LoopBack2
 ip binding vpn-instance Guest
 ip address 10.1.0.5 255.255.255.255
#

interface Vlanif51
 ip binding vpn-instance Employee
 ip address 10.1.51.254 255.255.255.0
 dhcp select global
#
interface Vlanif52
 ip binding vpn-instance Employee
 ip address 10.1.52.254 255.255.255.0
 dhcp select global
#
interface Vlanif53
 ip binding vpn-instance Employee
 ip address 10.1.53.254 255.255.255.0
 dhcp select global
#
interface Vlanif54
 ip binding vpn-instance Employee
 ip address 10.1.54.254 255.255.255.0
 dhcp select global
#
interface Vlanif55
 ip binding vpn-instance Employee
 ip address 10.1.55.254 255.255.255.0
 dhcp select global
#
interface Vlanif101
 ip binding vpn-instance Guest
 ip address 10.1.101.254 255.255.255.0
 dhcp select global
#
interface Vlanif102
 ip binding vpn-instance Guest
 ip address 10.1.102.254 255.255.255.0
 dhcp select global
#
interface Vlanif103
 ip binding vpn-instance Guest
 ip address 10.1.103.254 255.255.255.0
 dhcp select global
#
interface Vlanif104
 ip binding vpn-instance Guest
 ip address 10.1.104.254 255.255.255.0
 dhcp select global
#
interface Vlanif105
 ip binding vpn-instance Guest
 ip address 10.1.105.254 255.255.255.0
 dhcp select global
#
interface Vlanif60
 ip binding vpn-instance Employee
 ip address 10.1.60.254 255.255.255.0
#

Assign the address pools to the corresponding instances on Core1

X_T1_Core1:
ip pool vlan11
vpn-instance Employee
ip pool vlan12
vpn-instance Employee
ip pool vlan13
vpn-instance Employee
ip pool vlan14
vpn-instance Employee
ip pool vlan15
vpn-instance Employee
ip pool vlan21
vpn-instance Employee
ip pool vlan22
vpn-instance Employee
ip pool vlan23
vpn-instance Employee
ip pool vlan24
vpn-instance Employee
ip pool vlan25
vpn-instance Employee
ip pool vlan31
vpn-instance Employee
ip pool vlan32
vpn-instance Employee
ip pool vlan33
vpn-instance Employee
ip pool vlan34
vpn-instance Employee
ip pool vlan35
vpn-instance Employee
ip pool vlan41
vpn-instance Employee
ip pool vlan42
vpn-instance Employee
ip pool vlan43
vpn-instance Employee
ip pool vlan44
vpn-instance Employee
ip pool vlan45
vpn-instance Employee
ip pool vlan51
vpn-instance Employee
ip pool vlan52
vpn-instance Employee
ip pool vlan53
vpn-instance Employee
ip pool vlan54
vpn-instance Employee
ip pool vlan55
vpn-instance Employee
ip pool vlan101
vpn-instance Guest
ip pool vlan102
vpn-instance Guest
ip pool vlan103
vpn-instance Guest
ip pool vlan104
vpn-instance Guest
ip pool vlan105
vpn-instance Guest

Configure the interfaces on Core1

X_T1_Core1:
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 100 208
 mode lacp-static
#
interface Eth-Trunk2
    mode lacp-static
    trunkport GigabitEthernet 0/0/11 to 0/0/12
    trunkport GigabitEthernet 0/0/21 to 0/0/22
    port link-type trunk
    port trunk allow-pass vlan 100 209
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 201
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 202
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass  vlan 51 to 55 101 to 105 100 
#
interface GigabitEthernet0/0/4
 port link-type trunk
 undo port trunk allow-pass vlan 1 
// the firewall runs no spanning tree, so VLAN 1 would form a loop; deny it here
 port trunk allow-pass  vlan 204 205
#
interface GigabitEthernet0/0/5
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 206 to 207
#
interface GigabitEthernet0/0/6
 port link-type access
 port default vlan 60
#

Configure OSPF on Core1

X_T1_Core1:

ospf 10 router-id 10.1.0.3
 area 0.0.0.0
  network 10.1.200.2 0.0.0.0
  network 10.1.200.6 0.0.0.0
  network 10.1.0.3 0.0.0.0
 area 0.0.0.1
  network 10.1.200.13 0.0.0.0
 area 0.0.0.2
  network 10.1.200.17 0.0.0.0
#
ospf 1 router-id 10.1.0.4 vpn-instance Employee
 silent-interface all
 undo silent-interface Vlanif206
 undo silent-interface Vlanif208
 undo silent-interface Vlanif209
 vpn-instance-capability  simple 
 area 0.0.0.1
  network 10.1.0.0 0.0.255.255
#
ospf 2 router-id 10.1.0.5 vpn-instance Guest
 silent-interface all
 undo silent-interface Vlanif207
 vpn-instance-capability  simple 
 area 0.0.0.2
  network 10.1.0.0 0.0.255.255
#

Configure OSPF on Export1

X_T1_Export1:
ospf 1 router-id 10.1.0.1 
 default-route-advertise always
 area 0.0.0.0 
  network 10.1.0.0 0.0.255.255 

Create the resources and configure the interfaces on Export2

X_T1_Export2:
vlan 202
#
interface Ethernet6/0/0
 port link-type access
 port default vlan 202
#
interface Vlanif202
 ip address 10.1.200.5 255.255.255.252 
#
interface LoopBack0
 ip address 10.1.0.2 255.255.255.255 
#
interface GigabitEthernet0/0/1
 ip address 10.255.3.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 10.255.4.1 255.255.255.0 
#

Configure OSPF on Export2

X_T1_Export2:
ospf 1 router-id 10.1.0.2 
 default-route-advertise always
 area 0.0.0.0 
  network 10.1.0.0 0.0.255.255 

On X_T1_AGG1: configure the interfaces, create the VLAN resources, configure DHCP relay and OSPF

X_T1_AGG1:
dhcp enable
#
vlan batch 11 to 15 21 to 25
#
interface Eth-Trunk2
   port link-type hybrid 
   port hybrid tagged vlan 11 to 15 21 to 25 100
   mode lacp-static
interface Eth-Trunk3
   port link-type hybrid 
   port hybrid tagged vlan 11 to 15 21 to 25
   mode lacp-static
#
interface Vlanif11
 ip address 10.1.11.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.29
#
interface Vlanif12
 ip address 10.1.12.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.29
#
interface Vlanif13
 ip address 10.1.13.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.29
#
interface Vlanif14
 ip address 10.1.14.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.29
#
interface Vlanif15
 ip address 10.1.15.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.29
#
interface Vlanif21
 ip address 10.1.21.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.29
#
interface Vlanif22
 ip address 10.1.22.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.29
#
interface Vlanif23
 ip address 10.1.23.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.29
#
interface Vlanif24
 ip address 10.1.24.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.29
#
interface Vlanif25
 ip address 10.1.25.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.29
#
ospf 1 router-id 10.1.0.6
 silent-interface all
 undo silent-interface Vlanif208
 area 0.0.0.1
  network 10.1.0.0 0.0.255.255

On X_T2_AGG1: configure the interfaces, create the VLAN resources, configure DHCP relay and OSPF

X_T2_AGG1:

dhcp enable
vlan batch 31 to 35 41 to 45 100 209
#
interface Eth-Trunk1
    mode lacp-static
    trunkport GigabitEthernet 0/0/11 to 0/0/12
    trunkport GigabitEthernet 0/0/23 to 0/0/24
    port link-type trunk
    port trunk allow-pass vlan 100 209 
#
interface Eth-Trunk2
    mode lacp-static
    trunkport GigabitEthernet 0/0/21 to 0/0/22
    port link-type hybrid 
    port hybrid tagged vlan 31 to 35 41 to 45

#
interface Eth-Trunk3
    mode lacp-static
    trunkport GigabitEthernet 0/0/19 to 0/0/20
    port link-type hybrid 
    port hybrid tagged vlan 31 to 35 41 to 45 100  
#

interface Vlanif209
 ip address 10.1.200.34 255.255.255.252
#
interface Vlanif31
 ip address 10.1.31.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.33
#
interface Vlanif32
 ip address 10.1.32.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.33
#
interface Vlanif33
 ip address 10.1.33.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.33
#
interface Vlanif34
 ip address 10.1.34.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.33
#
interface Vlanif35
 ip address 10.1.35.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.33
#
interface Vlanif41
 ip address 10.1.41.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.33
#
interface Vlanif42
 ip address 10.1.42.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.33
#
interface Vlanif43
 ip address 10.1.43.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.33
#
interface Vlanif44
 ip address 10.1.44.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.33
#
interface Vlanif45
 ip address 10.1.45.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.33

#
ospf 1 router-id 10.1.0.7
 silent-interface all
 undo silent-interface Vlanif209
 area 0.0.0.1
  network 10.1.0.0 0.0.255.255

Create the virtual systems on the firewall, assign resources and configure OSPF

X_T1_FW1:
vlan batch 204 to 207
#
interface GigabitEthernet1/0/1
 portswitch
 undo shutdown
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 204 to 205
#
interface GigabitEthernet1/0/2
 portswitch
 undo shutdown
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 206 to 207
#
int Vlanif 204
int Vlanif 205
int Vlanif 206
int Vlanif 207
int LoopBack 1
int LoopBack 2
#
vsys enable 
#
vsys name Employee 
 assign interface LoopBack1
 assign vlan 204
 assign vlan 206
#
vsys name Guest 
 assign interface LoopBack2
 assign vlan 205
 assign vlan 207
#
ospf 1 router-id 10.1.0.8 vpn-instance Employee
 vpn-instance-capability  simple 
 area 0.0.0.1
  network 10.1.0.0 0.0.255.255
#
ospf 2 router-id 10.1.0.9 vpn-instance Guest
 vpn-instance-capability  simple 
 area 0.0.0.2
  network 10.1.0.0 0.0.255.255

Enter virtual system Employee: configure the IP addresses of Vlanif204, Vlanif206, LoopBack1 and Virtual-if1, configure a security policy that permits OSPF traffic, and add the interfaces to their security zones.

switch vsys Employee
// switch to virtual system Employee
sys
// enter the system view
interface Vlanif204
 ip binding vpn-instance Employee
 ip address 10.1.200.14 255.255.255.252
#
interface Vlanif206
 ip binding vpn-instance Employee
 ip address 10.1.200.22 255.255.255.252
#
interface LoopBack1
 ip binding vpn-instance Employee
 ip address 10.1.0.8 255.255.255.255
#

interface Virtual-if1
 ip address 10.1.200.253 255.255.255.255
#
firewall zone trust
 add interface Vlanif206
#
firewall zone untrust
 add interface Vlanif204
 add interface Virtual-if1
#
security-policy
 rule name OSPF
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  service ospf
  action permit
#
return
// leave virtual system Employee

Enter virtual system Guest: configure the IP addresses of Vlanif205, Vlanif207, LoopBack2 and Virtual-if2, configure a security policy that permits OSPF traffic, and add the interfaces to their security zones.

switch vsys Guest 
interface Vlanif205
 ip binding vpn-instance Guest
 ip address 10.1.200.18 255.255.255.252
#
interface Vlanif207
 ip binding vpn-instance Guest
 ip address 10.1.200.26 255.255.255.252
#
interface LoopBack2
 ip binding vpn-instance Guest
 ip address 10.1.0.9 255.255.255.255
#
interface Virtual-if2
 ip address 10.1.200.254 255.255.255.255
#
firewall zone trust
 add interface Vlanif207
#
firewall zone untrust
 add interface Vlanif205
 add interface Virtual-if2
#
security-policy
 rule name OSPF
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  service ospf
  action permit
#
return

Check the OSPF neighbor relationships on Core1

The neighbor table should look as follows:

Process 1 belongs to Employee and has three neighbors: T1 AGG (VLAN 208), T2 AGG (VLAN 209) and FW (VLAN 206)

Process 2 belongs to Guest and has one neighbor: FW (VLAN 207)

Process 10 is the global process and has four neighbors: Export1 (VLAN 201), Export2 (VLAN 202), and FW (VLAN 204 and VLAN 205)

Check these carefully.

On Core1, configure ip-prefix lists to filter the routes and apply them as import filters in area 1 and area 2 (under ospf 10 below):

ip ip-prefix Employee deny 10.1.11.0 24 
ip ip-prefix Employee deny 10.1.12.0 24 
ip ip-prefix Employee deny 10.1.13.0 24 
ip ip-prefix Employee deny 10.1.14.0 24 
ip ip-prefix Employee deny 10.1.15.0 24 

ip ip-prefix Employee deny 10.1.21.0 24 
ip ip-prefix Employee deny 10.1.22.0 24 
ip ip-prefix Employee deny 10.1.23.0 24 
ip ip-prefix Employee deny 10.1.24.0 24 
ip ip-prefix Employee deny 10.1.25.0 24 

ip ip-prefix Employee deny 10.1.31.0 24 
ip ip-prefix Employee deny 10.1.32.0 24 
ip ip-prefix Employee deny 10.1.33.0 24 
ip ip-prefix Employee deny 10.1.34.0 24 
ip ip-prefix Employee deny 10.1.35.0 24 

ip ip-prefix Employee deny 10.1.41.0 24 
ip ip-prefix Employee deny 10.1.42.0 24 
ip ip-prefix Employee deny 10.1.43.0 24 
ip ip-prefix Employee deny 10.1.44.0 24 
ip ip-prefix Employee deny 10.1.45.0 24 

ip ip-prefix Employee deny 10.1.51.0 24 
ip ip-prefix Employee deny 10.1.52.0 24 
ip ip-prefix Employee deny 10.1.53.0 24 
ip ip-prefix Employee deny 10.1.54.0 24 
ip ip-prefix Employee deny 10.1.55.0 24 

ip ip-prefix Employee deny 10.1.60.0 24 
ip ip-prefix Employee permit 0.0.0.0 0 less-equal 32
// permit all other routes
#

ip ip-prefix Guest deny 10.1.101.0 24
ip ip-prefix Guest deny 10.1.102.0 24
ip ip-prefix Guest deny 10.1.103.0 24
ip ip-prefix Guest deny 10.1.104.0 24
ip ip-prefix Guest deny 10.1.105.0 24
ip ip-prefix Guest permit 0.0.0.0 0 less-equal 32
// permit all other routes
#
ospf 10
 area 0.0.0.1
  filter ip-prefix Guest import
#
 area 0.0.0.2
  filter ip-prefix Employee import
#

Route filtering does not mean the two sides never communicate: the two areas can still reach each other through the default route.
The default route is injected from X_Export1 and X_Export2.

Cross-area traffic passes through the firewall, which means some of it must be explicitly permitted or it will all be dropped. Nothing in the requirements so far states this explicitly, so watch for this hidden security-policy issue in the later requirements.
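The filtering effect described above, as an added example (not the page's or Huawei's code): a small model of the two ip-prefix lists and of the area-import filters under ospf 10 on X_T1_Core1, with the ip-prefix matching semantics assumed in the comments and a constructed route sample.

```python
import ipaddress

# Constructed model of the Requirement 3 route filtering (added example, not
# the page's or Huawei's code). Assumed Huawei ip-prefix semantics: an entry
# matches a route when the route lies inside the entry's network and its prefix
# length is within [greater-equal, less-equal]; without those keywords the
# length must equal the entry's mask exactly. A route matching no entry hits
# the implicit deny at the end of the list.

EMPLOYEE_VLANS = [*range(11, 16), *range(21, 26), *range(31, 36),
                  *range(41, 46), *range(51, 56), 60]
GUEST_VLANS = list(range(101, 106))


def build_prefix_list(third_octets):
    """ip ip-prefix <name> deny 10.1.<n>.0 24 ..., then permit 0.0.0.0 0 less-equal 32."""
    entries = [("deny", ipaddress.ip_network(f"10.1.{n}.0/24"), 24, 24)
               for n in third_octets]
    entries.append(("permit", ipaddress.ip_network("0.0.0.0/0"), 0, 32))
    return entries


PREFIX_LISTS = {
    "Employee": build_prefix_list(EMPLOYEE_VLANS),
    "Guest": build_prefix_list(GUEST_VLANS),
}

# ospf 10 on X_T1_Core1: area 1 imports through "Guest", area 2 through "Employee"
AREA_IMPORT_FILTER = {"0.0.0.1": "Guest", "0.0.0.2": "Employee"}


def prefix_list_permits(entries, route):
    """First matching entry decides; no match means deny."""
    net = ipaddress.ip_network(route)
    for action, match_net, ge, le in entries:
        if net.subnet_of(match_net) and ge <= net.prefixlen <= le:
            return action == "permit"
    return False


def type3_lsas_into_area(area, abr_routes):
    """Routes the ABR still summarises into `area` as Type-3 LSAs after the filter."""
    entries = PREFIX_LISTS[AREA_IMPORT_FILTER[area]]
    return [r for r in abr_routes if prefix_list_permits(entries, r)]


if __name__ == "__main__":
    # Constructed sample of routes the ABR (ospf 10) learns from both sides.
    # 10.1.11.0/25 is a deliberate test: the deny entries match the exact /24
    # only, so a more specific Employee prefix would slip through the filter.
    routes = ["10.1.11.0/24", "10.1.60.0/24", "10.1.101.0/24",
              "10.1.200.20/30", "10.1.11.0/25"]
    for area in sorted(AREA_IMPORT_FILTER):
        print(area, "<-", type3_lsas_into_area(area, routes))
```

The /25 case shows why the deny entries match only the exact /24: if terminal subnets could ever be advertised at other lengths, the deny entries would need greater-equal/less-equal bounds to keep covering them.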

Requirement 4: WLAN expansion

  1. X_T1_AP1 is already online on the AC and providing wireless service normally. X_T2_AP1 comes online on the same management VLAN as X_T1_AP1 and provides the same wireless service, i.e. the current WLAN configuration is carried over
  2. Internal wireless users use SSID X_Employee_010 with password huawei@123
  3. External wireless users use SSID X_Guest_010 with password huawei@123

Pre-existing configuration:

X_T1_AC:
interface Vlanif100
 ip address 10.1.100.254 255.255.255.0
 dhcp select global
#
ip pool vlan100
 gateway-list 10.1.100.254
 network 10.1.100.0 mask 255.255.255.0
 option 43 sub-option 2 ip-address 10.1.100.254
// option 43 tells the APs the AC's IP address
#
capwap source interface vlanif100
// create the AP group
ap-group name X
// configure the security profile
security-profile name HCIE
  security wpa-wpa2 psk pass-phrase huawei@123
// configure the SSID profiles
ssid-profile name X_Guest_010
  ssid X_Guest_010
ssid-profile name X_Employee_010
  ssid X_Employee_010
// configure the VAP profile: bind the SSID profile and security profile, set the forwarding mode and the service VLAN (not the management VLAN)
vap-profile name X_Employee_010
  forward-mode tunnel
  service-vlan vlan-pool Employee
  ssid-profile X_Employee_010
  security-profile HCIE
// X_T1_AP1 is already managed by the AC
 ap-id 0 type-id 56 ap-mac 00e0-fc09-24b0
  ap-name X_T1_AP1
  ap-group X

// apply the VAP profiles to the AP group
ap-group name X
vap-profile X_Employee_010 wlan 1 radio 0
vap-profile X_Guest_010 wlan 2 radio 0
vap-profile X_Employee_010 wlan 1 radio 1
vap-profile X_Guest_010 wlan 2 radio 1

On the AC: create the VLANs, allow them on the uplink interface, create the VLAN pools and bind the pools in the VAP profiles:

X_T1_AC1:
vlan batch  51 to 55 101 to 105
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 51 to 55 100 to 105 203
#
vlan pool Employee
vlan 51 to 55
#
vlan pool Guest
vlan 101 to 105
#
wlan
ap-id 1 ap-mac 00e0-fcb8-14c0
 ap-group X
 ap-name X_T2_AP1
#
vap-profile name X_Guest_010
  forward-mode tunnel
  service-vlan vlan-pool Guest
  ssid-profile X_Guest_010
  security-profile HCIE
#
vap-profile name X_Employee_010
  forward-mode tunnel
  service-vlan vlan-pool Employee
  ssid-profile X_Employee_010
  security-profile HCIE
#

Command to check whether the AP is online:

dis ap all

State nor means the AP came online successfully.

Requirement 5: Internet egress

  1. Add egress router X_T1_Export2, using two Internet lines to load-share outbound traffic
  2. GE0/0/1 uses a statically configured IP address (10.255.3.1/24); the gateway is 10.255.3.254
  3. GE0/0/2 uses a statically configured IP address (10.255.4.1/24); the gateway is 10.255.4.254
  4. Configure default routes
  5. When all users access the Internet through X_T1_Export2, NAT must replace the private IP addresses: perform source address and port translation on all IP packets that pass the firewall policy
  6. Export2's GE0/0/1 uses its current interface IP address as the translated address
  7. Export2's GE0/0/2 uses the address pool (10.255.4.2-10.255.4.100) to replace private IP addresses and ports
  8. The campus intranet server (10.1.60.101) provides a web service (port 80) externally; public users reach it via port 8081 on 10.255.4.1

On X_T1_Export2: configure the default routes, configure the ACL and apply NAT on the interfaces:

X_T1_Export2:

acl number 2000  
 rule 5 permit 
#
interface GigabitEthernet0/0/1
 ip address 10.255.3.1 255.255.255.0 
 nat outbound 2000
#
nat  address-group 0 10.255.4.2 10.255.4.100
#
interface GigabitEthernet0/0/2
 ip address 10.255.4.1 255.255.255.0 
 nat outbound  2000 address-group 0
 nat server protocol tcp global current-interface 8081 inside 10.1.60.101 80
#
ip route-static 0.0.0.0 0 10.255.3.254
ip route-static 0.0.0.0 0 10.255.4.254

Configure the security policy in the Employee virtual system on the firewall:


X_T1_FW1:

switch vsys Employee 

security-policy
 rule name Internet_to_server101
  source-zone untrust
  destination-zone trust
  source-address-exclude range 10.1.101.0 10.1.105.255
  destination-address 10.1.60.101 mask 255.255.255.255
  service protocol tcp destination-port 80
  action permit
#
return
(exit the virtual system)

Requirement 6: Access authentication

  1. To guarantee end-to-end network security, all wired terminals except servers must be authenticated
  2. Among the wired terminals, PCs support 802.1X authentication; dumb terminals such as printers and IP phones do not. The existing access switches are known not to support 802.1X authentication or policy linkage
  3. The aggregation switches talk to the authentication server over RADIUS; the server address is 10.1.60.2, the default ports are used for authentication, authorization and accounting, and the shared key is huawei@123
  4. All templates and profiles involved are named Employee
  5. The authentication domain is employee, and users may not use any other domain
  6. The RADIUS server delivers users' VLAN information by VLAN pool name
  7. For all APs, force authentication into the ap_noauthen domain based on the AP's MAC address, with authentication mode none

Note: eNSP does not support 802.1X authentication

On the access switches, define a user-defined Layer 2 protocol for transparent transmission of 802.1X frames and enable it on the downlink interfaces:

X_T1_ACC1 (T1 access 1):
 l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/20
 l2protocol-tunnel user-defined-protocol 802.1x enable

X_T1_ACC2 (T1 access 2):
 l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/20
 l2protocol-tunnel user-defined-protocol 802.1x enable

X_T2_ACC1 (T2 access 1):
 l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/20
 l2protocol-tunnel user-defined-protocol 802.1x enable

X_T2_ACC2 (T2 access 2):
 l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/20
 l2protocol-tunnel user-defined-protocol 802.1x enable

On T1_AGG1 and T2_AGG1: configure the RADIUS server template, enter the AAA view to configure the 802.1X schemes and domains, and confirm that the downlink interfaces are hybrid ports

X_T1_AGG1 && X_T2_AGG1:
radius-server template employee
 radius-server shared-key cipher huawei@123
 radius-server authentication 10.1.60.2 1812
 radius-server accounting 10.1.60.2 1813
# configure the RADIUS server template
aaa
 authentication-scheme employee
  authentication-mode radius
# configure the authentication scheme
 accounting-scheme employee
  accounting-mode radius
# configure the accounting scheme
 domain employee
  authentication-scheme employee
  accounting-scheme employee
  radius-server employee
# configure the employee domain and reference the schemes above
 authentication-scheme noauthen
  authentication-mode none
# configure the noauthen authentication scheme
 domain ap_noauthen
  authentication-scheme noauthen
# configure the ap_noauthen domain and reference the noauthen scheme

interface Eth-Trunk2
   port link-type hybrid 
interface Eth-Trunk3
   port link-type hybrid 


On T1_AGG1 and T2_AGG1: create the dot1x access profile and the MAC access profile with default parameters; create the authentication profile that references the dot1x access profile, the MAC access profile and the authentication domain; apply the authentication profile on the downlink Eth-Trunks; create the VLAN pools; and for all APs, force authentication into the ap_noauthen domain based on the AP MAC address, with authentication mode none

X_T1_AGG1 && X_T2_AGG1:
dot1x-access-profile name Employee
mac-access-profile name Employee
#
authentication-profile name Employee
  dot1x-access-profile Employee
  mac-access-profile Employee
  access-domain employee
#
interface Eth-Trunk2
 authentication-profile Employee
interface Eth-Trunk3
 authentication-profile Employee
#

X_T1_AGG1:
vlan pool market
 vlan 11 to 15
vlan pool procure
 vlan 21 to 25
# create the VLAN pools
domain ap_noauthen mac-authen force mac-address e813-6e72-c2e0 mask ffff-ffff-ffff
# force the AP, identified by its MAC address, into the ap_noauthen domain
X_T2_AGG1:
vlan pool finance
 vlan 31 to 35
vlan pool hr
 vlan 41 to 45
# create the VLAN pools
domain ap_noauthen mac-authen force mac-address e833-6e32-c3e0 mask ffff-ffff-ffff
# force the AP, identified by its MAC address, into the ap_noauthen domain

Because the AGG downlink interfaces now run 802.1X authentication, wireless user traffic must bypass them through the CAPWAP tunnel to the AC, otherwise authentication fails. Configure centralized tunnel forwarding on the AC:

X_T1_AC:
vap-profile name X_Guest_010
  forward-mode tunnel
#
vap-profile name X_Employee_010
  forward-mode tunnel

Requirement 7: Network security

  1. Configure security policies on the firewall to control user access rights: only the Procurement department, the Marketing department, internal wireless users and external wireless users may access the Internet
  2. Internal wireless users may only access one server in the server segment, whose address is 10.1.60.100
  3. External wireless users may only access the HTTP service in the server segment (service name Guest Service), IP address 10.1.60.99, port 3389 (TCP)
  4. Security policies must follow these rules: the source and destination security zones must be included; where a specific service is involved, it must be expressed as a system-predefined service or a custom service (service-set)
  5. Deploy PBR:
    Internal wireless users belong to instance Employee, and so do the servers, so their traffic would not pass through the FW. PBR must therefore be configured first to steer that traffic to the FW.
    Wireless traffic already uses centralized tunnel forwarding and enters CORE from the AC, so configure the PBR on CORE's ingress interface

Note: eNSP does not support PBR

In the system view of the Employee virtual system on the firewall, define the custom service:

ip service-set Guest_Service type object
 service 0 protocol tcp destination-port 3389
# configure the Guest_Service service set

Configure the security policies in the Employee virtual system on the firewall:

The to_Internet rule allows Procurement, Marketing and internal wireless users to access the Internet;

The Employee_to_server100 rule allows internal wireless users to access only the 10.1.60.100 server;

The Employee_to_server rule denies internal wireless users access to the other servers;

The Guest_to_Server99 rule allows external wireless users to access only the HTTP service in the server segment (service name Guest Service), IP address 10.1.60.99, port 3389 (TCP);

The Internet_to_server101 rule allows the campus intranet server (10.1.60.101) to provide its web service (port 80) externally, reachable by public users through port 8081 on 10.255.4.1, while denying external wireless (Guest) users access to .101, because external wireless users may only access server 10.1.60.99.

X_T1_FW1:

switch vsys Employee 
security-policy
 rule name OSPF
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  service ospf
  action permit
# OSPF policy, already configured above; repeated here only for completeness
 rule name to_Internet
  source-zone trust
  destination-zone untrust
  source-address range 10.1.11.0 10.1.15.255
  source-address range 10.1.21.0 10.1.25.255
  source-address range 10.1.51.0 10.1.55.255
  action permit
 rule name Employee_to_server100
  source-zone trust
  destination-zone trust
  source-address range 10.1.51.0 10.1.55.255
  destination-address 10.1.60.100 mask 255.255.255.255
  action permit
 rule name Employee_to_server
  source-zone trust
  destination-zone trust
  source-address range 10.1.51.0 10.1.51.255
  destination-address 10.1.60.0 mask 255.255.255.0
  action deny
#
 rule name Guest_to_Server99
  source-zone untrust
  destination-zone trust
  source-address range 10.1.101.0 10.1.105.255
  destination-address 10.1.60.99 mask 255.255.255.255
  service Guest_Service
  action permit
#
 rule name Internet_to_server101
  source-zone untrust
  destination-zone trust
  source-address-exclude range 10.1.101.0 10.1.105.255
  destination-address 10.1.60.101 mask 255.255.255.255
  service protocol tcp destination-port 80
  action permit
#

The security policy in the Guest virtual system is as follows:

security-policy
 rule name OSPF
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  service ospf
  action permit
# OSPF rule, already configured above; repeated here only for completeness
 rule name to_Internet
  source-zone trust
  destination-zone untrust
  source-address range 10.1.101.0 10.1.105.255
  action permit
# the to_Internet rule lets external wireless users reach the 10.1.60.99 server and also the Internet

Number of firewall security policy rules:
Employee:
OSPF (1), Internet access (1), internal wireless to server 100 (1), internal wireless denied to the other servers (1), Guest to 99 (TCP 3389) (1), Internet to 101 (port 80) (1): 6 in total
Guest:
OSPF (1), Internet access (1): 2 in total
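The Employee virtual system's rule set above, replayed against constructed flows as an added example (not the page's or Huawei's code). It assumes first-match evaluation with an implicit default deny and models TCP flows only, so the OSPF rule is left out; zones, address ranges and ports are the ones the page configures.

```python
import ipaddress
from dataclasses import dataclass, field

# Added first-match model of the Employee virtual system's security policy
# (example code, not from the page or Huawei). Assumed evaluation: rules are
# tried top to bottom, the first rule whose zones, addresses and service all
# match decides, and an unmatched flow hits the default deny.


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    action: str
    src: list = field(default_factory=list)          # (first, last) ranges; empty = any
    src_exclude: list = field(default_factory=list)  # source-address-exclude ranges
    dst: list = field(default_factory=list)          # ip_network objects; empty = any
    tcp_ports: set = field(default_factory=set)      # empty = any service


def rng(first, last):
    return (ipaddress.ip_address(first), ipaddress.ip_address(last))


def in_ranges(ip, ranges):
    return any(lo <= ip <= hi for lo, hi in ranges)


EMPLOYEE_VSYS_POLICY = [
    Rule("to_Internet", {"trust"}, {"untrust"}, "permit",
         src=[rng("10.1.11.0", "10.1.15.255"), rng("10.1.21.0", "10.1.25.255"),
              rng("10.1.51.0", "10.1.55.255")]),
    Rule("Employee_to_server100", {"trust"}, {"trust"}, "permit",
         src=[rng("10.1.51.0", "10.1.55.255")],
         dst=[ipaddress.ip_network("10.1.60.100/32")]),
    Rule("Employee_to_server", {"trust"}, {"trust"}, "deny",
         src=[rng("10.1.51.0", "10.1.51.255")],
         dst=[ipaddress.ip_network("10.1.60.0/24")]),
    Rule("Guest_to_Server99", {"untrust"}, {"trust"}, "permit",
         src=[rng("10.1.101.0", "10.1.105.255")],
         dst=[ipaddress.ip_network("10.1.60.99/32")], tcp_ports={3389}),
    Rule("Internet_to_server101", {"untrust"}, {"trust"}, "permit",
         src_exclude=[rng("10.1.101.0", "10.1.105.255")],
         dst=[ipaddress.ip_network("10.1.60.101/32")], tcp_ports={80}),
]


def rule_matches(rule, src_zone, dst_zone, src_ip, dst_ip, dport):
    if src_zone not in rule.src_zones or dst_zone not in rule.dst_zones:
        return False
    if rule.src and not in_ranges(src_ip, rule.src):
        return False
    if rule.src_exclude and in_ranges(src_ip, rule.src_exclude):
        return False
    if rule.dst and not any(dst_ip in n for n in rule.dst):
        return False
    if rule.tcp_ports and dport not in rule.tcp_ports:
        return False
    return True


def evaluate(policy, src_zone, dst_zone, src_ip, dst_ip, dport):
    """Return (action, rule name) for a TCP flow; 'default' is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule_matches(rule, src_zone, dst_zone, s, d, dport):
            return rule.action, rule.name
    return "deny", "default"


if __name__ == "__main__":
    # Constructed flows: (src zone, dst zone, src ip, dst ip, tcp dport)
    flows = [
        ("trust", "untrust", "10.1.12.5", "203.0.113.9", 443),    # Marketing -> Internet
        ("trust", "trust", "10.1.52.10", "10.1.60.100", 22),      # wireless employee -> .100
        ("trust", "trust", "10.1.51.10", "10.1.60.99", 3389),     # wireless employee -> .99
        ("untrust", "trust", "10.1.103.7", "10.1.60.99", 3389),   # guest -> Guest Service
        ("untrust", "trust", "10.1.103.7", "10.1.60.101", 80),    # guest -> .101 (excluded)
        ("untrust", "trust", "203.0.113.10", "10.1.60.101", 80),  # Internet -> published web
    ]
    for f in flows:
        print(f, "=>", evaluate(EMPLOYEE_VSYS_POLICY, *f))
```

Note that the page's Employee_to_server rule covers only 10.1.51.0 to 10.1.51.255, so wireless employees in VLANs 52 to 55 reaching other servers fall through to the default deny rather than to that explicit rule; the model reports this as ('deny', 'default').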


Configure PBR: on X_T1_Core1, configure ACL 3000 and apply it on the interface:

acl number 3000
 rule  permit ip source 10.1.51.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
 rule  permit ip source 10.1.52.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
 rule  permit ip source 10.1.53.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
 rule  permit ip source 10.1.54.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
 rule  permit ip source 10.1.55.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
# matches the internal wireless users' traffic

interface GigabitEthernet0/0/3
 traffic-redirect inbound acl 3000 vpn-instance Employee ip-nexthop 10.1.200.22
# applied on interface 0/0/3: redirects the internal wireless users' traffic to 10.1.200.22 (the Vlanif206 IP of the Employee firewall)

On X_T1_Core1, configure ACL 3001 and apply it on the interface:

Return traffic from 10.1.60.101 is sent to the Employee firewall over Core's VLAN 206; the Employee firewall then follows the default route in the Employee instance routing table back to Core's global VLAN 204. The global routing table holds two default routes, one toward Export1 and one toward Export2. If the return traffic went through Export1, the forward and return paths would differ, so the return traffic is steered to Export2, i.e. 10.1.200.5.

acl number 3001
 rule 5 permit ip source 10.1.60.101 0
# matches the return traffic from 10.1.60.101

interface GigabitEthernet0/0/4
 traffic-redirect inbound acl 3001 ip-nexthop 10.1.200.5

Verification commands

X_T1_AC1:

dis ap all

X_T1_Core1:

display ospf peer brief
display ip interface brief
display ip routing-table
display ip routing-table vpn-instance Employee
display ip routing-table vpn-instance Guest

X_T1_AGG1:

display ospf peer brief
display access-user
display ip routing-table

X_T2_AGG1:

dis stack
dis eth-trunk
display ospf peer brief
display access-user
display ip routing-table

X_T1_Export1 &&  X_T1_Export2:

display ospf peer brief
display ip interface brief
display ip routing-table

X_T1_FW1:

display ospf peer brief
display ip interface brief
display ip routing-table vpn-instance Employee
display ip routing-table vpn-instance Guest
