First, some background:
The company has not existed for long and its IT spend is not bad, so all the equipment is new. The routing and switching gear is mainly H3C, but all low-to-mid-range: one S5500-EI as the Layer 3 core and S3100s for access. It is a very simple network layout; the internal and external networks are physically separated, and the external network is only available on a few shared PCs that are managed centrally, so external access does not need to be considered. The painful part is that whoever did the original planning put 300 PCs in a single subnet and used every switch as a dumb device!! Embarrassing.
The result, predictably, was a disaster: lately the network kept dropping in and out, ARP attacks were severe, and with 300-odd devices there was no way to pin down the source! After struggling for a week I decided to make a major adjustment to the network, re-plan it, and divide it into VLANs!
To avoid disrupting use during working hours it had to be done on a weekend. For easier management later on, static IPs were used, which meant changing the IP on every device one at a time; debugging equipment in the server room in the middle of the night is still vivid in my memory!!
Enough talk. The company's basic network diagram:
[Network diagram: http://blog.51cto.com/attachment/201210/094444908.jpg]
Main configuration of the core switch S5500-EI:
#
version 5.20, Release 2215
#
sysname GDD_HeXin_Jh
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
domain default enable system
telnet server enable
gvrp -----enable GVRP globally
acl number 3000 -----ACL policies that keep certain VLANs from reaching each other
rule 1 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
rule 2 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
rule 3 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
rule 4 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
rule 5 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
rule 6 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3001
rule 1 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
rule 2 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
rule 3 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
rule 4 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
rule 5 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
rule 6 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
acl number 3002
rule 1 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
rule 2 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
rule 3 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
rule 4 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
rule 5 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3003
rule 1 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
rule 2 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
rule 3 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
rule 4 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
rule 5 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
rule 6 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3004
rule 1 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
rule 2 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
rule 3 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
rule 4 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
rule 5 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
rule 6 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3005
rule 1 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
rule 2 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
rule 3 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
rule 4 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
rule 5 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3006
rule 1 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
rule 2 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
rule 3 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
rule 4 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
rule 5 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
rule 6 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
vlan 1
vlan 10
name zhongjili
vlan 12
name xingzheng
vlan 16
name caiwu
vlan 32
name caigou
vlan 48
name jishu
vlan 64
name zhikong
vlan 80
name zhiyi-led
vlan 82
name shengguan
vlan 84
name zhiyi
vlan 86
name zhier
vlan 90
name zhier-led
vlan 100
name others
vlan 1000
name fuwuqi
vlan 4000
radius scheme system
server-type extended
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
user-group system
group-attribute allow-guest
local-user admin
password cipher $c$3$H/4OBJArNH0CwNirmMs/iwdPh3Ilni1z8MidDOW4
authorization-attribute level 3
service-type telnet
service-type web
interface NULL0
interface Vlan-interface1
ip address 172.65.1.1 255.255.255.0
interface Vlan-interface10
ip address 172.65.10.254 255.255.255.0
interface Vlan-interface12
ip address 172.65.12.254 255.255.255.0
interface Vlan-interface16
ip address 172.65.16.254 255.255.255.0
packet-filter 3000 inbound
interface Vlan-interface32
ip address 172.65.32.254 255.255.255.0
packet-filter 3002 inbound
interface Vlan-interface48
ip address 172.65.48.254 255.255.255.0
packet-filter 3003 inbound
interface Vlan-interface64
ip address 172.65.64.254 255.255.255.0
packet-filter 3004 inbound
interface Vlan-interface80
ip address 172.65.80.254 255.255.255.0
interface Vlan-interface82
ip address 172.65.82.254 255.255.255.0
packet-filter 3005 inbound
interface Vlan-interface84
ip address 172.65.84.254 255.255.255.0
packet-filter 3006 inbound
interface Vlan-interface86
ip address 172.65.86.254 255.255.255.0
packet-filter 3001 inbound
interface Vlan-interface90
ip address 172.65.90.254 255.255.255.0
interface Vlan-interface100
ip address 172.65.100.254 255.255.255.0
interface Vlan-interface1000
ip address 172.65.0.254 255.255.255.0
interface Vlan-interface4000
ip address 192.168.193.2 255.255.255.0
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 1000
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/10
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/12
interface GigabitEthernet1/0/13
interface GigabitEthernet1/0/14
interface GigabitEthernet1/0/15
port link-type trunk
port trunk permit vlan all
gvrp ----enable GVRP on the relevant trunk ports so VLAN information is synchronised
interface GigabitEthernet1/0/16
gvrp
interface GigabitEthernet1/0/17
interface GigabitEthernet1/0/18
interface GigabitEthernet1/0/19
interface GigabitEthernet1/0/20
interface GigabitEthernet1/0/21
shutdown
interface GigabitEthernet1/0/22
interface GigabitEthernet1/0/23
interface GigabitEthernet1/0/24
interface GigabitEthernet1/0/25
interface GigabitEthernet1/0/26
interface GigabitEthernet1/0/27
interface GigabitEthernet1/0/28
description conn to linda s7503
port access vlan 4000
ip route-static 0.0.0.0 0.0.0.0 192.168.193.1 description to linda
load xml-configuration
load tr069-configuration
user-interface aux 0
authentication-mode password
set authentication password cipher $c$3$XTwA6nu6Xq1vRhgQvvY+6oCis8qnu0YiFNWT
user-interface vty 0 4
authentication-mode scheme
protocol inbound telnet
user-interface vty 5 15
return
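The ACLs above form a deny list: each VLAN interface filters inbound traffic from its own subnet toward the other restricted subnets, and on Comware V5 a packet that matches no rule is permitted. So any VLAN not named as a destination (10, 12, 80, 90, 100, 1000) stays reachable from every filtered VLAN, and a block between two VLANs is only complete when the reverse rule exists on the other VLAN interface. The following Python script is an added example, not part of the original post or of any H3C tooling: it parses configuration lines in the form shown above into a VLAN-to-VLAN deny matrix and reports one-way blocks and VLAN interfaces that carry no filter. The embedded configuration is a constructed sample: the VLAN 16/32/82 rules are copied from the page (restricted to those three VLANs), VLAN 12 is left unfiltered as on the page, and a hypothetical ACL 3007 on VLAN 10 is added to show what a one-way deny looks like.

```python
"""Audit inbound inter-VLAN deny-list ACLs in Comware V5 configuration text.

Added example, not part of the original post. Parses 'acl number',
'rule N deny ip source A W destination B W', 'interface Vlan-interfaceN',
'ip address' and 'packet-filter N inbound' lines as they appear above.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: VLAN 16/32/82 rules copied from the page (only the rules
# among those three VLANs), VLAN 12 unfiltered as on the page, plus a
# hypothetical ACL 3007 on VLAN 10 that blocks only one direction.
SAMPLE_CONFIG = """
acl number 3000
 rule 1 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
 rule 4 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
acl number 3002
 rule 4 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
acl number 3005
 rule 1 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
acl number 3007
 rule 1 deny ip source 172.65.10.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
interface Vlan-interface10
 ip address 172.65.10.254 255.255.255.0
 packet-filter 3007 inbound
interface Vlan-interface12
 ip address 172.65.12.254 255.255.255.0
interface Vlan-interface16
 ip address 172.65.16.254 255.255.255.0
 packet-filter 3000 inbound
interface Vlan-interface32
 ip address 172.65.32.254 255.255.255.0
 packet-filter 3002 inbound
interface Vlan-interface82
 ip address 172.65.82.254 255.255.255.0
 packet-filter 3005 inbound
"""

RULE_RE = re.compile(r"rule \d+ deny ip source (\S+) (\S+) destination (\S+) (\S+)$")


def wildcard_to_network(addr, wildcard):
    """Comware rules use wildcard masks (0 bits must match); invert to a prefix."""
    mask_int = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask_int)}", strict=False)


def parse_config(text):
    """Return (acls, vlans).

    acls:  acl number -> list of (src_network, dst_network) that are denied
    vlans: vlan id    -> {"network": IPv4Network or None, "acl": int or None}
    """
    acls = defaultdict(list)
    vlans = {}
    acl = vlan = None  # which configuration block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"acl number (\d+)$", line):
            acl, vlan = int(m.group(1)), None
        elif m := re.match(r"interface Vlan-interface(\d+)$", line):
            vlan, acl = int(m.group(1)), None
            vlans[vlan] = {"network": None, "acl": None}
        elif line.startswith("interface "):
            acl = vlan = None  # physical port or other interface: not a VLAN
        elif (m := RULE_RE.match(line)) and acl is not None:
            acls[acl].append((wildcard_to_network(m.group(1), m.group(2)),
                              wildcard_to_network(m.group(3), m.group(4))))
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and vlan is not None:
            vlans[vlan]["network"] = ipaddress.IPv4Network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif (m := re.match(r"packet-filter (\d+) inbound$", line)) and vlan is not None:
            vlans[vlan]["acl"] = int(m.group(1))
    return acls, vlans


def deny_matrix(acls, vlans):
    """vlan id -> set of VLAN ids whose subnet that VLAN's inbound filter denies."""
    by_net = {v["network"]: vid for vid, v in vlans.items() if v["network"]}
    matrix = {vid: set() for vid in vlans}
    for vid, v in vlans.items():
        if v["acl"] is None:
            continue
        for src, dst in acls[v["acl"]]:
            # A rule only bites if its source really is this VLAN's subnet and
            # its destination is a subnet that belongs to a known VLAN.
            if src == v["network"] and dst in by_net:
                matrix[vid].add(by_net[dst])
    return matrix


def one_way_denies(matrix):
    """(a, b) pairs where a's filter denies b but b's filter does not deny a.

    Filtering is stateless and applied only inbound on the source VLAN, so
    such a block is incomplete: hosts in b can still reach hosts in a.
    """
    return sorted((a, b) for a, bs in matrix.items() for b in bs
                  if a not in matrix.get(b, set()))


def unfiltered_vlans(vlans):
    """VLAN interfaces with an address but no inbound packet-filter; nothing
    in the deny list governs traffic sourced from these segments."""
    return sorted(vid for vid, v in vlans.items()
                  if v["network"] is not None and v["acl"] is None)


if __name__ == "__main__":
    acls, vlans = parse_config(SAMPLE_CONFIG)
    matrix = deny_matrix(acls, vlans)
    for vid in sorted(matrix):
        print(f"VLAN {vid:>4} denies -> {sorted(matrix[vid]) or 'nothing'}")
    print("one-way denies (reverse rule missing):", one_way_denies(matrix))
    print("VLAN interfaces without packet-filter:", unfiltered_vlans(vlans))
```

Fed the full core configuration above instead of the sample, the one-way list comes out empty (every deny between the seven filtered VLANs has its mirror rule, and 32 and 82 simply do not deny each other), while the unfiltered list names VLANs 1, 10, 12, 80, 90, 100, 1000 and 4000, which is the set the deny list leaves untouched.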
Relevant configuration of the access switch S3100:
sysname KongzhiqiErLou_1
super password level 3 cipher .]@USE=B,53Q=^Q`MAF4<1!!
loopback-detection enable
domain system
password cipher ^VL!HLV]BSCQ=^Q`MAF4<1!!
service-type telnet terminal
level 3
stp enable
ip address 172.65.1.41 255.255.255.0
interface Aux1/0/0
interface Ethernet1/0/1
port access vlan 86
interface Ethernet1/0/2
interface Ethernet1/0/3
interface Ethernet1/0/4
interface Ethernet1/0/5
interface Ethernet1/0/6
interface Ethernet1/0/7
interface Ethernet1/0/8
interface Ethernet1/0/9
interface Ethernet1/0/10
interface Ethernet1/0/11
interface Ethernet1/0/12
interface Ethernet1/0/13
interface Ethernet1/0/14
interface Ethernet1/0/15
interface Ethernet1/0/16
interface Ethernet1/0/17
interface Ethernet1/0/18
interface Ethernet1/0/19
interface Ethernet1/0/20
interface Ethernet1/0/21
interface Ethernet1/0/22
interface Ethernet1/0/23
interface Ethernet1/0/24
interface GigabitEthernet1/1/1
gvrp ----GVRP must also be enabled on the connected trunk port so VLAN information is propagated and synchronised
interface GigabitEthernet1/1/2
interface GigabitEthernet1/2/1
interface GigabitEthernet1/2/2
ip route-static 0.0.0.0 0.0.0.0 172.65.1.1 preference 60
set authentication password cipher ^VL!HLV]BSCQ=^Q`MAF4<1!!
Basic router configuration:
Since the router is a headquarters device, I will not paste the whole configuration here. The key points are
setting the IP of the interface connected to the core switch and adding the return route, as follows:
interface GigabitEthernet0/0
port link-mode route
description To H3C S7503
speed 1000
ip address 192.168.193.1 255.255.255.0 sub
ip route-static 172.65.0.0 255.255.0.0 192.168.193.2 ----return route
From planning to implementation it took more than two months, but in the end it was completed successfully. Not easy... but it's done!!!...
The above are just my own work notes, kept for future reference...
This article is reposted from pimg2005's 51CTO blog; original link: http://blog.51cto.com/pimg2005/1009202 . Contact the original author if you wish to republish it.