I. Project Introduction

Requirements analysis:
(1) The headquarters and the branch require a simple, easy-to-maintain network topology that is both scalable and redundant;
(2) The headquarters is divided into a Finance department, an HR department, an Engineering department and a Technology department, with a degree of isolation between them;
(3) The core switches at headquarters must be redundant and reliable;
(4) Headquarters data is confidential: it must not be reachable from the external network or from the branch, so a firewall with a DMZ zone is deployed;
(5) Two carrier links to the external network back each other up: traffic normally uses the China Telecom link, with the China Unicom link as standby.

II. Design Plan and Planning

1. Planning notes (including parameter notes for DHCP, WWW, HTTP and related services)
(1) The enterprise network uses a three-tier architecture;
(2) Terminal layer: 8 PCs, grouped in pairs into the Finance, HR, Engineering and Technology departments, each department in its own VLAN: vlan10, vlan20, vlan30 and vlan40;
(3) Access layer: 4 Layer-2 switches for end-user access; the ports facing the terminal-layer PCs are access ports;
(4) Aggregation layer: 4 Layer-3 switches; the ports facing the access-layer switches are trunk ports. Technologies used at this layer: OSPF, VLAN division, MSTP and VRRP;
(5) Core layer: 2 routers that interconnect the internal network; technology used: OSPF;
(6) Firewall area: three zones, DMZ (data center), Trust (internal network) and Untrust (external network).

1.1 Network IP address planning
Switches LSW1, 2, 3, 4, 9 and 10 are S3700 models; switches LSW5, 6, 7, 8 and 11 are S5700 models; the routers are AR1220 and AR2220; the firewall is the USG6000V.

1.2 Network management design
(1) All internal staff need access to the external network;
(2) Different departments can communicate with each other;
(3) Headquarters can reach the external network and the branch departments, but the external network cannot reach the internal network.

III. Design Content and Steps

Equipment: three firewalls, three servers, three S5700 switches, five S3700 switches, six routers and twelve PCs.

Basic configuration (LSW2 is configured the same way as LSW1). Example: LSW1

```
sys
undo info en
sysname LSW1
vlan batch 10 20 30 40 88
# one access port per department VLAN, VLAN 88 for the server segment
int g 0/0/1
 p l a
 p d v 10
int g 0/0/2
 p l a
 p d v 20
int g 0/0/3
 p l a
 p d v 30
int g 0/0/4
 p l a
 p d v 40
int g 0/0/6
 p l a
 p d v 88
# uplinks towards the aggregation layer carry all VLANs
int g 0/0/5
 p l tr
 p tr a v all
int g 0/0/7
 p l tr
 p tr a v all
int g 0/0/8
 p l tr
 p tr a v all
```

MSTP configuration

S1 configuration:

```
stp region-configuration
 region-name STP
 instance 1 vlan 10 20
 instance 2 vlan 30 40
 revision-level 1
 active region-configuration
stp instance 1 root primary
stp instance 2 root secondary
```

S2 configuration:

```
stp region-configuration
 region-name STP
 instance 1 vlan 10 20
 instance 2 vlan 30 40
 revision-level 1
 active region-configuration
stp instance 2 root primary
stp instance 1 root secondary
```

Basic configuration (LSW9 is configured the same way as LSW10). Example: LSW10

```
int g 0/0/1
 p l tr
 p tr a v all
int g 0/0/2
 p l tr
 p tr a v all
int g 0/0/3
 p l tr
 p tr a v all
```

VRRP + MSTP configuration

LSW9:

```
sys
sysname LSW9
undo info enable
vlan batch 10 20 30 40 88 66 15 16
interface vlanif 10
 ip address 192.168.10.1 24
 vrrp vrid 10 virtual-ip 192.168.10.254
 # both peers are given 150 here (and 110 on the other groups); give the
 # backup a lower value, otherwise the master is chosen by address, not by design
 vrrp vrid 10 priority 150
 vrrp vrid 10 preempt-mode timer delay 1
 vrrp vrid 10 timer advertise 1
 vrrp vrid 10 track interface g 0/0/1 reduced 70
interface vlanif 20
 ip address 192.168.20.1 24
 vrrp vrid 20 virtual-ip 192.168.20.254
 vrrp vrid 20 priority 110
 vrrp vrid 20 preempt-mode timer delay 1
 vrrp vrid 20 timer advertise 1
interface vlanif 30
 ip address 192.168.30.1 24
 vrrp vrid 30 virtual-ip 192.168.30.254
 vrrp vrid 30 priority 110
 vrrp vrid 30 preempt-mode timer delay 1
 vrrp vrid 30 timer advertise 1
interface vlanif 40
 ip address 192.168.40.1 24
 vrrp vrid 40 virtual-ip 192.168.40.254
 vrrp vrid 40 priority 110
 vrrp vrid 40 preempt-mode timer delay 1
 vrrp vrid 40 timer advertise 1
q
interface vlanif 88
 ip address 192.168.88.1 24
 vrrp vrid 88 virtual-ip 192.168.88.254
 vrrp vrid 88 priority 110
 vrrp vrid 88 preempt-mode timer delay 1
 vrrp vrid 88 timer advertise 1
q
interface vlanif 66
 ip address 192.168.66.1 24
 vrrp vrid 66 virtual-ip 192.168.66.254
 vrrp vrid 66 priority 110
 vrrp vrid 66 preempt-mode timer delay 1
 vrrp vrid 66 timer advertise 1
q
```

LSW10:

```
sys
sysname LSW10
undo info enable
vlan batch 10 20 30 40 88 66 15 16
interface vlanif 10
 ip address 192.168.10.2 24
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 priority 150
 vrrp vrid 10 preempt-mode timer delay 1
 vrrp vrid 10 timer advertise 1
 vrrp vrid 10 track interface g 0/0/1 reduced 70
interface vlanif 20
 ip address 192.168.20.2 24
 vrrp vrid 20 virtual-ip 192.168.20.254
 vrrp vrid 20 priority 110
 vrrp vrid 20 preempt-mode timer delay 1
 vrrp vrid 20 timer advertise 1
interface vlanif 30
 ip address 192.168.30.2 24
 vrrp vrid 30 virtual-ip 192.168.30.254
 vrrp vrid 30 priority 110
 vrrp vrid 30 preempt-mode timer delay 1
 vrrp vrid 30 timer advertise 1
interface vlanif 40
 ip address 192.168.40.2 24
 vrrp vrid 40 virtual-ip 192.168.40.254
 vrrp vrid 40 priority 110
 vrrp vrid 40 preempt-mode timer delay 1
 vrrp vrid 40 timer advertise 1
interface vlanif 88
 # .2 on this peer; LSW9 already holds 192.168.88.1 and two devices must not share a real address
 ip address 192.168.88.2 24
 vrrp vrid 88 virtual-ip 192.168.88.254
 vrrp vrid 88 priority 110
 vrrp vrid 88 preempt-mode timer delay 1
 vrrp vrid 88 timer advertise 1
interface vlanif 66
 # .2 on this peer; LSW9 holds 192.168.66.1
 ip address 192.168.66.2 24
 vrrp vrid 66 virtual-ip 192.168.66.254
 vrrp vrid 66 priority 110
 vrrp vrid 66 preempt-mode timer delay 1
 vrrp vrid 66 timer advertise 1
q
```

S9 configuration:

```
stp region-configuration
 region-name STP
 instance 1 vlan 10 20
 instance 2 vlan 30 40
 revision-level 1
 active region-configuration
stp root primary
```

LSW S10 configuration:

```
stp region-configuration
 region-name STP
 instance 1 vlan 10 20
 instance 2 vlan 30 40
 revision-level 1
 active region-configuration
stp root secondary
```

Uplinks to the core routers and OSPF

LSW9:

```
vlan batch 15 16
interface vlanif 15
 ip address 192.168.15.2 24
interface GigabitEthernet 0/0/4
 port link-type access
 port default vlan 15
interface vlanif 16
 ip address 192.168.25.1 24
interface GigabitEthernet 0/0/5
 port link-type access
 port default vlan 16
ospf 1 router-id 3.3.3.3
 default-route-advertise
 area 0.0.0.0
  network 192.168.15.0 0.0.0.255
  network 192.168.25.0 0.0.0.255
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 192.168.40.0 0.0.0.255
```

LSW10:

```
vlan batch 15 16
interface vlanif 15
 ip address 192.168.16.2 24
interface GigabitEthernet 0/0/5
 port link-type access
 port default vlan 15
interface vlanif 16
 ip address 192.168.26.1 24
interface GigabitEthernet 0/0/4
 port link-type access
 port default vlan 16
ospf 1 router-id 4.4.4.4
 default-route-advertise
 area 0.0.0.0
  network 192.168.16.0 0.0.0.255
  network 192.168.26.0 0.0.0.255
  # the department VLANs must be advertised by this peer too,
  # or they disappear from the routing domain when LSW9 fails
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 192.168.40.0 0.0.0.255
```

Basic configuration + OSPF routing

AR1:

```
sys
undo info en
sysname AR1
int g 0/0/0
 ip add 192.168.15.1 24
int g 0/0/1
 ip add 192.168.16.1 24
int g 0/0/2
 ip add 192.168.102.2 24
int g 4/0/0
 ip add 192.168.104.2 24
int LoopBack 0
 ip add 1.1.1.1 32
q
ospf 1 router-id 1.1.1.1
 default-route-advertise
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 192.168.15.0 0.0.0.255
  network 192.168.16.0 0.0.0.255
  network 192.168.102.0 0.0.0.255
  network 192.168.104.0 0.0.0.255
```

AR2:

```
sys
undo info en
sysname AR2
int g 0/0/0
 ip add 192.168.26.2 24
int g 0/0/1
 ip add 192.168.25.2 24
int g 0/0/2
 ip add 192.168.103.2 24
int g 4/0/0
 ip add 192.168.105.2 24
int LoopBack 0
 ip add 2.2.2.2 32
q
ospf 1 router-id 2.2.2.2
 default-route-advertise
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 192.168.25.0 0.0.0.255
  network 192.168.26.0 0.0.0.255
  network 192.168.103.0 0.0.0.255
  network 192.168.105.0 0.0.0.255
```

DHCP server (device DHCP):

```
sys
sysname DHCP
undo info en
int g 0/0/1
 p l tr
 p t a v a
vlan batch 10 20 30 40
dhcp enable
int g 0/0/1
 dhcp select global
# one global pool per department VLAN; the gateway is the VRRP virtual address
ip pool 1
 network 192.168.10.0 mask 24
 gateway-list 192.168.10.254
 dns-list 192.168.88.10
q
ip pool 2
 network 192.168.20.0 mask 24
 gateway-list 192.168.20.254
 dns-list 192.168.88.10
q
ip pool 3
 network 192.168.30.0 mask 24
 gateway-list 192.168.30.254
 dns-list 192.168.88.10
q
ip pool 4
 network 192.168.40.0 mask 24
 gateway-list 192.168.40.254
 dns-list 192.168.88.10
q
interface vlanif 10
 ip address 192.168.10.253 24
 dhcp select global
q
interface vlanif 20
 ip address 192.168.20.253 24
 dhcp select global
q
interface vlanif 30
 ip address 192.168.30.253 24
 dhcp select global
q
interface vlanif 40
 ip address 192.168.40.253 24
 dhcp select global
```

2.6 Carrier area configuration

Basic configuration + OSPF

AR7:

```
sys
sysname AR7
undo info en
int g 0/0/1
 ip add 192.168.93.1 24
int g 0/0/2
 # this address overlaps headquarters VLAN 10 (192.168.10.0/24) and its VRRP virtual address
 ip add 192.168.10.254 24
int g 0/0/0
 ip add 192.168.94.1 24
int g 4/0/0
 ip add 192.168.97.1 24
ospf 1
 default-route-advertise
 area 1
  network 192.168.97.0 0.0.0.255
  network 192.168.94.0 0.0.0.255
  network 192.168.93.0 0.0.0.255
  network 192.168.10.0 0.0.0.255
```

AR5:

```
sys
sysname AR5
undo info en
int g 0/0/1
 ip add 192.168.94.2 24
int g 0/0/0
 ip add 192.168.95.2 24
ospf 1
 default-route-advertise
 area 1
  network 192.168.94.0 0.0.0.255
  network 192.168.95.0 0.0.0.255
```

AR6:

```
sys
sysname AR6
undo info en
int g 0/0/1
 ip add 192.168.96.2 24
int g 0/0/0
 ip add 192.168.93.2 24
ospf 1
 default-route-advertise
 area 1
  network 192.168.93.0 0.0.0.255
  network 192.168.96.0 0.0.0.255
```

AR4:

```
sys
sysname AR4
undo info en
int g 0/0/1
 ip add 192.168.96.1 24
int g 0/0/2
 ip add 100.1.1.10 24
int g 0/0/0
 ip add 192.168.95.1 24
int g 3/0/0
 ip add 100.1.10.11 24
ospf 1
 default-route-advertise
 area 1
  network 192.168.96.0 0.0.0.255
  network 192.168.95.0 0.0.0.255
 area 0
  network 100.1.1.0 0.0.0.255
  network 100.1.10.0 0.0.0.255
```

2.7 Branch AR8 configuration

AR8:

```
sys
sysname AR8
undo info en
int g 0/0/1
 ip add 192.168.91.1 24
int g 0/0/2
 ip add 192.168.110.1 24
int g 0/0/0
 ip add 192.168.100.1 24
q
ospf 1
 area 1
  net 192.168.100.0 0.0.0.255
  net 192.168.110.0 0.0.0.255
  net 192.168.91.0 0.0.0.255
```

2.8 Firewall FW4 configuration

FW4:

```
sys
sysname FW4
undo info en
int g 1/0/1
 ip add 192.168.97.254 24
int g 1/0/0
 ip add 192.168.91.2 24
q
firewall zone trust
 add int g 1/0/0
firewall zone untrust
 add int g 1/0/1
q
int g 1/0/0
 service-manage ping permit
int g 1/0/1
 service-manage ping permit
q
```

Firewall OSPF configuration:

```
ospf 1
 default-route-advertise
 area 0
  # AR7 places 192.168.97.0/24 in area 1; both ends of a link must agree on the area for the adjacency to form
  network 192.168.97.0 0.0.0.255
 area 1
  network 192.168.91.0 0.0.0.255
```

Security policy:

```
security-policy
 rule name ospf
  service ospf
  source-zone trust
  destination-zone untrust
  action permit
 rule name TtoU
  source-zone trust
  destination-zone untrust
  action permit
```

2.9 Data center configuration

AR9:

```
sys
sysname AR9
undo info en
int g 0/0/1
 ip add 192.168.80.1 24
int g 0/0/0
 ip add 192.168.90.1 24
int g 0/0/2
 ip add 192.168.106.1 24
ospf 1
 default-route-advertise
 area 0
  network 192.168.106.0 0.0.0.255
  network 192.168.90.0 0.0.0.255
  network 192.168.80.0 0.0.0.255
```

2.10 Firewall FW3 and FW2 configuration

FW3:

```
sys
sysname FW3
undo info en
int g 1/0/1
 ip add 192.168.90.2 24
int g 1/0/0
 ip add 192.168.99.1 24
int g 1/0/2
 ip add 100.1.1.1 24
int g 1/0/3
 ip add 192.168.102.1 24
int g 1/0/4
 ip add 192.168.103.1 24
```

FW2:

```
sys
sysname FW2
undo info en
int g 1/0/1
 ip add 100.1.10.2 24
int g 1/0/0
 ip add 192.168.99.2 24
int g 1/0/3
 ip add 192.168.105.1 24
int g 1/0/2
 ip add 192.168.104.1 24
int g 1/0/4
 ip add 192.168.106.2 24
int g 0/0/0
 service-manage all permit
```

FW3 (zones: trust = g1/0/3, g1/0/4; dmz = g1/0/1; untrust = g1/0/2):

```
int g 1/0/3
 vrrp vrid 1 virtual-ip 192.168.102.254 24 active
int g 1/0/4
 vrrp vrid 4 virtual-ip 192.168.103.254 24 active
int g 1/0/1
 vrrp vrid 8 virtual-ip 192.168.90.254 24 active
int g 1/0/2
 vrrp vrid 12 virtual-ip 100.1.1.254 24 active
int g 1/0/0
 vrrp vrid 16 virtual-ip 192.168.99.254 24 active
# dual-device hot standby
firewall zone name ha
 set priority 99
 add interface g 1/0/0
firewall zone trust
 add int g 1/0/3
 add int g 1/0/4
firewall zone untrust
 add int g 1/0/2
firewall zone dmz
 add int g 1/0/1
# firewall hot-standby (HRP) heartbeat configuration
hrp int g 1/0/0 remote 192.168.99.2
hrp enable
```

FW3 security policy configuration:

```
security-policy
 rule name UtoD
  source-zone untrust
  destination-zone dmz
  action permit
 rule name TtoD
  source-zone trust
  destination-zone dmz
  action permit
 rule name DtoT
  source-zone dmz
  destination-zone trust
  action permit
 rule name TtoU
  source-zone trust
  destination-zone untrust
  action permit
 rule name UtoT
  source-zone untrust
  destination-zone trust
  # this rule lets any external host reach the internal network, which requirement 1.2 (3) forbids;
  # drop it, or restrict it to the specific sources and services that genuinely need inbound access
  action permit
service-manage all permit
```

OSPF configuration:

```
ospf 1 router-id 13.13.13.13
 default-route-advertise
 area 0
  network 192.168.102.0 0.0.0.255
  network 192.168.103.0 0.0.0.255
  network 192.168.99.0 0.0.0.255
  network 192.168.90.0 0.0.0.255
 area 2
  # AR4 places 100.1.1.0/24 in area 0; the two ends must use the same area
  network 100.1.1.0 0.0.0.255
```

FW2 (zones: trust = g1/0/2, g1/0/3; untrust = g1/0/1; dmz = g1/0/4):

```
int g 1/0/2
 vrrp vrid 1 virtual-ip 192.168.104.254 24 standby
int g 1/0/3
 vrrp vrid 4 virtual-ip 192.168.105.254 24 standby
int g 1/0/1
 vrrp vrid 8 virtual-ip 100.1.10.254 24 standby
int g 1/0/4
 vrrp vrid 12 virtual-ip 192.168.106.254 24 standby
# firewall hot-standby (HRP) heartbeat configuration
hrp int g 1/0/0 remote 192.168.99.1
hrp enable
hrp standby-device
firewall zone name ha
 set priority 99
 add int g 1/0/0
firewall zone trust
 add int g 1/0/2
 add int g 1/0/3
firewall zone untrust
 add int g 1/0/1
firewall zone dmz
 add int g 1/0/4
```

OSPF configuration:

```
ospf 1 router-id 12.12.12.12
 default-route-advertise
 area 0
  network 192.168.105.0 0.0.0.255
  network 192.168.104.0 0.0.0.255
  network 192.168.99.0 0.0.0.255
  network 192.168.106.0 0.0.0.255
  network 100.1.10.0 0.0.0.255
```

2.11 Firewall NAT configuration

Source address translation, FW3:

```
nat address-group 4 mode pat
 section 100.1.1.20 100.1.1.30
nat-policy
 rule name TtoU
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 24
  source-address 192.168.20.0 24
  source-address 192.168.30.0 24
  source-address 192.168.40.0 24
  action source-nat address-group 4
 rule name UtoT
  source-zone untrust
  destination-zone trust
  action source-nat address-group 4
```

Destination address translation:

```
nat server zone dmz protocol tcp global 100.1.1.5 80 inside 192.168.80.10 80
nat server zone dmz protocol tcp global 100.1.1.4 80 inside 192.168.80.20 80
security-policy
 rule name tohttp
  source-zone untrust
  destination-zone dmz
  # without a service restriction this opens every DMZ port from the outside, not just the published TCP 80
  action permit
```

Verification: PC1 pings PC2, PC4, PC6 and PC8.

DHCP dynamic address allocation
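An added check for the VRRP + MSTP section above (written for this page, not part of the original lab): it parses the flat VRP-style `interface vlanif` / `ip address` / `vrrp vrid` lines of two aggregation peers and reports groups whose peers disagree on the virtual IP, share a real address, or carry equal priorities. The excerpts are constructed from the LSW9/LSW10 configuration and deliberately include those defects.

```python
# Constructed excerpt modelled on LSW9's vlanif 10 and vlanif 88 configuration.
LSW9 = """interface vlanif 10
ip address 192.168.10.1 24
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 150
interface vlanif 88
ip address 192.168.88.1 24
vrrp vrid 88 virtual-ip 192.168.88.254
vrrp vrid 88 priority 110"""
# Constructed peer: only vlanif 10's real address differs, so vlanif 88 repeats
# LSW9's address and every group carries the same priority (defects to catch).
LSW10 = LSW9.replace("192.168.10.1 24", "192.168.10.2 24")


def parse_vrrp(config):
    """Map vlanif id -> {'ip', 'vip', 'priority'}; priority defaults to VRRP's 100."""
    groups, cur = {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["interface", "vlanif"]:
            cur = groups.setdefault(t[2], {"priority": 100})
        elif cur is None:
            continue
        elif t[:2] == ["ip", "address"]:
            cur["ip"] = t[2]
        elif t[:2] == ["vrrp", "vrid"] and t[3] == "virtual-ip":
            cur["vip"] = t[4]
        elif t[:2] == ["vrrp", "vrid"] and t[3] == "priority":
            cur["priority"] = int(t[4])
    return groups


def audit_vrrp_pair(cfg_a, cfg_b):
    """Return human-readable findings for a master/backup pair."""
    a, b = parse_vrrp(cfg_a), parse_vrrp(cfg_b)
    findings = []
    for vlan in sorted(set(a) | set(b), key=int):
        if vlan not in a or vlan not in b:
            findings.append(f"vlanif {vlan}: VRRP group exists on only one peer")
            continue
        if a[vlan].get("vip") != b[vlan].get("vip"):
            findings.append(f"vlanif {vlan}: peers disagree on the virtual IP")
        if a[vlan].get("ip") == b[vlan].get("ip"):
            findings.append(f"vlanif {vlan}: both peers use real address {a[vlan].get('ip')}")
        if a[vlan]["priority"] == b[vlan]["priority"]:
            findings.append(f"vlanif {vlan}: equal priority {a[vlan]['priority']}; master decided by address")
    return findings


if __name__ == "__main__":
    for finding in audit_vrrp_pair(LSW9, LSW10):
        print(finding)
```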
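An added audit for the firewall security policies in sections 2.8, 2.10 and 2.11 (written for this page, not the lab's own code): it parses USG `security-policy` rules from the flat text above and checks each permit rule against the zone design in 1.2 (3), flagging any rule that lets untrust reach trust and any inward permit into the DMZ that carries no `service` restriction. The rule text is constructed from the FW3 rules plus the `tohttp` rule.

```python
# Constructed excerpt combining FW3's TtoU/UtoT rules, the tohttp rule and FW4's ospf rule.
FW_RULES = """security-policy
rule name TtoU
source-zone trust
destination-zone untrust
action permit
rule name UtoT
source-zone untrust
destination-zone trust
action permit
rule name tohttp
source-zone untrust
destination-zone dmz
action permit
rule name ospf
service ospf
source-zone trust
destination-zone untrust
action permit"""

# Zone pairs the design forbids; "any" means the rule left the zone unset and so matches all.
FORBIDDEN = {("untrust", "trust"), ("any", "trust"), ("untrust", "any"), ("any", "any")}
# Inbound perimeter crossings that must name the published service.
NEEDS_SERVICE = {("untrust", "dmz")}


def parse_rules(config):
    """Turn flat 'rule name ... action ...' text into a list of rule dicts."""
    rules, cur = [], None
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["rule", "name"]:
            cur = {"name": t[2], "service": []}
            rules.append(cur)
        elif cur is not None and len(t) == 2 and t[0] in ("source-zone", "destination-zone", "action"):
            cur[t[0]] = t[1]
        elif cur is not None and t[:1] == ["service"]:
            cur["service"].extend(t[1:])
    return rules


def audit_policy(config):
    """Return (rule name, issue) for every permit rule that violates the design."""
    issues = []
    for r in parse_rules(config):
        if r.get("action") != "permit":
            continue
        pair = (r.get("source-zone", "any"), r.get("destination-zone", "any"))
        if pair in FORBIDDEN:
            issues.append((r["name"], f"permits {pair[0]} -> {pair[1]}, which the design forbids"))
        elif pair in NEEDS_SERVICE and not r["service"]:
            issues.append((r["name"], f"permits all services {pair[0]} -> {pair[1]}; name the published service"))
    return issues
```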