
H3C Networking Example: A Real Case from My Company (A Hard Week)

First, some background:

The company was founded not long ago and has not skimped on IT, so all the equipment is new. Routing and switching is mainly H3C gear, but all of it low- to mid-range: one S5500-EI serves as the Layer 3 core and S3100s are used for access. The network structure is very simple: the internal and external networks are physically separated, and the external network is only available on a few shared, centrally managed PCs, so external access did not need to be considered. The painful part is that whoever did the original planning put 300 PCs in a single subnet, with every switch used as a dumb unmanaged device! Embarrassing.

The result was predictable: recently the network had been dropping intermittently and ARP attacks were severe, but with more than 300 devices there was nowhere to start! So I set aside one hard week and decided on a major overhaul: re-plan the network and divide it into VLANs.

To avoid disrupting normal working hours, the work had to be done on the weekend. For ease of future management we used static IPs, which meant changing the IP on every single device by hand; debugging equipment in the server room in the middle of the night is something I still remember vividly!

Enough talk. The company's basic network diagram:

[Network diagram: http://blog.51cto.com/attachment/201210/094444908.jpg]

Main configuration of the core switch S5500-EI:

#
 version 5.20, Release 2215
#
 sysname GDD_HeXin_Jh
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 domain default enable system
 telnet server enable
 gvrp     ----- enable GVRP globally
acl number 3000   ----- ACL policies that stop selected VLANs from reaching each other
 rule 1 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
 rule 2 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
 rule 3 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
 rule 4 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
 rule 5 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
 rule 6 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3001
 rule 1 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
 rule 2 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
 rule 3 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
 rule 4 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
 rule 5 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
 rule 6 deny ip source 172.65.86.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
acl number 3002
 rule 1 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
 rule 2 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
 rule 3 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
 rule 4 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
 rule 5 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3003
 rule 1 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
 rule 2 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
 rule 3 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
 rule 4 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
 rule 5 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
 rule 6 deny ip source 172.65.48.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3004
 rule 1 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
 rule 2 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
 rule 3 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
 rule 4 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
 rule 5 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
 rule 6 deny ip source 172.65.64.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3005
 rule 1 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
 rule 2 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
 rule 3 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
 rule 4 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.84.0 0.0.0.255
 rule 5 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
acl number 3006
 rule 1 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
 rule 2 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
 rule 3 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.48.0 0.0.0.255
 rule 4 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.64.0 0.0.0.255
 rule 5 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
 rule 6 deny ip source 172.65.84.0 0.0.0.255 destination 172.65.86.0 0.0.0.255
vlan 1
vlan 10
 name zhongjili
vlan 12
 name xingzheng
vlan 16
 name caiwu
vlan 32
 name caigou
vlan 48
 name jishu
vlan 64
 name zhikong
vlan 80
 name zhiyi-led
vlan 82
 name shengguan
vlan 84
 name zhiyi
vlan 86
 name zhier
vlan 90
 name zhier-led
vlan 100
 name others
vlan 1000
 name fuwuqi
vlan 4000
radius scheme system
 server-type extended
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
user-group system
 group-attribute allow-guest
local-user admin
 password cipher $c$3$H/4OBJArNH0CwNirmMs/iwdPh3Ilni1z8MidDOW4
 authorization-attribute level 3
 service-type telnet
 service-type web
interface NULL0
interface Vlan-interface1
 ip address 172.65.1.1 255.255.255.0
interface Vlan-interface10
 ip address 172.65.10.254 255.255.255.0
interface Vlan-interface12
 ip address 172.65.12.254 255.255.255.0
interface Vlan-interface16
 ip address 172.65.16.254 255.255.255.0
 packet-filter 3000 inbound
interface Vlan-interface32
 ip address 172.65.32.254 255.255.255.0
 packet-filter 3002 inbound
interface Vlan-interface48
 ip address 172.65.48.254 255.255.255.0
 packet-filter 3003 inbound
interface Vlan-interface64
 ip address 172.65.64.254 255.255.255.0
 packet-filter 3004 inbound
interface Vlan-interface80
 ip address 172.65.80.254 255.255.255.0
interface Vlan-interface82
 ip address 172.65.82.254 255.255.255.0
 packet-filter 3005 inbound
interface Vlan-interface84
 ip address 172.65.84.254 255.255.255.0
 packet-filter 3006 inbound
interface Vlan-interface86
 ip address 172.65.86.254 255.255.255.0
 packet-filter 3001 inbound
interface Vlan-interface90
 ip address 172.65.90.254 255.255.255.0
interface Vlan-interface100
 ip address 172.65.100.254 255.255.255.0
interface Vlan-interface1000
 ip address 172.65.0.254 255.255.255.0
interface Vlan-interface4000
 ip address 192.168.193.2 255.255.255.0
interface GigabitEthernet1/0/1
 port link-mode bridge
 port access vlan 1000
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/10
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/12
interface GigabitEthernet1/0/13
interface GigabitEthernet1/0/14
interface GigabitEthernet1/0/15
 port link-type trunk
 port trunk permit vlan all
 gvrp            ---- enable GVRP on this trunk port so VLAN information is synchronised
interface GigabitEthernet1/0/16
 gvrp
interface GigabitEthernet1/0/17
interface GigabitEthernet1/0/18
interface GigabitEthernet1/0/19
interface GigabitEthernet1/0/20
interface GigabitEthernet1/0/21
 shutdown
interface GigabitEthernet1/0/22
interface GigabitEthernet1/0/23
interface GigabitEthernet1/0/24
interface GigabitEthernet1/0/25
interface GigabitEthernet1/0/26
interface GigabitEthernet1/0/27
interface GigabitEthernet1/0/28
 description conn to linda s7503
 port access vlan 4000
 ip route-static 0.0.0.0 0.0.0.0 192.168.193.1 description to linda
 load xml-configuration
 load tr069-configuration
user-interface aux 0
 authentication-mode password
 set authentication password cipher $c$3$XTwA6nu6Xq1vRhgQvvY+6oCis8qnu0YiFNWT
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound telnet
user-interface vty 5 15
return
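Whether two of these VLANs can talk depends on which subnets the inbound ACL of the source VLAN happens to list, because a Comware packet-filter forwards any packet that matches no rule. The following is an added example, not code from the original post: it parses a constructed excerpt of ACLs 3000, 3002 and 3005 in the syntax above, models the packet-filter inbound bindings in a hypothetical FILTERS table, and computes the resulting inter-VLAN reachability, including the 32/82 pair that neither ACL denies.

```python
import ipaddress
import re

# Constructed excerpt of the ACLs in the post (not the full list). ACLs 3002 and
# 3005 leave each other's subnet unlisted, exactly as on the page.
ACLS = """\
acl number 3000
 rule 1 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.32.0 0.0.0.255
 rule 2 deny ip source 172.65.16.0 0.0.0.255 destination 172.65.82.0 0.0.0.255
acl number 3002
 rule 1 deny ip source 172.65.32.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
acl number 3005
 rule 1 deny ip source 172.65.82.0 0.0.0.255 destination 172.65.16.0 0.0.0.255
"""
# Hypothetical table of the "packet-filter <acl> inbound" bindings per Vlan-interface
# subnet; VLAN 10 carries no filter, as in the post.
FILTERS = {"172.65.16.0/24": "3000", "172.65.32.0/24": "3002",
           "172.65.82.0/24": "3005", "172.65.10.0/24": None}
RULE = re.compile(r"rule \d+ (permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)")

def net(addr, wildcard):
    # ipaddress reads a mask whose first octet is 0 as a hostmask, i.e. a Comware wildcard
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in rule order."""
    acls, rules = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"acl number (\d+)", line):
            rules = acls.setdefault(m[1], [])
        elif m := RULE.match(line):
            rules.append((m[1], net(m[2], m[3]), net(m[4], m[5])))
    return acls

def permitted(src, dst, acls, filters=FILTERS):
    """First matching rule of the source VLAN's inbound ACL decides; no match forwards."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for subnet, acl in filters.items():
        if src in ipaddress.ip_network(subnet):
            for action, s, d in acls.get(acl, []):
                if src in s and dst in d:
                    return action == "permit"
    return True  # Comware packet-filter default: unmatched traffic is forwarded

def reachability(acls, filters=FILTERS):
    """Allowed flag for every ordered VLAN pair, probing the first host of each subnet."""
    hosts = {v: str(ipaddress.ip_network(v)[1]) for v in filters}
    return {(a, b): permitted(hosts[a], hosts[b], acls, filters)
            for a in hosts for b in hosts if a != b}
```

These filters only gate routed traffic between VLANs; the ARP spoofing that motivated the redesign is confined to one VLAN by the split itself, not stopped inside it.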

Relevant configuration of an access switch S3100:

 sysname KongzhiqiErLou_1
 super password level 3 cipher .]@USE=B,53Q=^Q`MAF4<1!!
 loopback-detection enable
domain system
 password cipher ^VL!HLV]BSCQ=^Q`MAF4<1!!
 service-type telnet terminal
 level 3
 stp enable
 ip address 172.65.1.41 255.255.255.0
interface Aux1/0/0
interface Ethernet1/0/1
 port access vlan 86
interface Ethernet1/0/2
interface Ethernet1/0/3
interface Ethernet1/0/4
interface Ethernet1/0/5
interface Ethernet1/0/6
interface Ethernet1/0/7
interface Ethernet1/0/8
interface Ethernet1/0/9
interface Ethernet1/0/10
interface Ethernet1/0/11
interface Ethernet1/0/12
interface Ethernet1/0/13
interface Ethernet1/0/14
interface Ethernet1/0/15
interface Ethernet1/0/16
interface Ethernet1/0/17
interface Ethernet1/0/18
interface Ethernet1/0/19
interface Ethernet1/0/20
interface Ethernet1/0/21
interface Ethernet1/0/22
interface Ethernet1/0/23
interface Ethernet1/0/24
interface GigabitEthernet1/1/1
 gvrp               ---- the trunk port facing the core must enable GVRP as well, so VLAN information is passed on and synchronised
interface GigabitEthernet1/1/2
interface GigabitEthernet1/2/1
interface GigabitEthernet1/2/2
 ip route-static 0.0.0.0 0.0.0.0 172.65.1.1 preference 60
 set authentication password cipher ^VL!HLV]BSCQ=^Q`MAF4<1!!

Basic router configuration:

Because the router is head-office equipment, I will not paste its whole configuration here. The key points are setting the IP of the interface that connects to the core switch and adding the return route, as follows:

interface GigabitEthernet0/0
 port link-mode route
 description To H3C S7503
 speed 1000
 ip address 192.168.193.1 255.255.255.0 sub
ip route-static 172.65.0.0 255.255.0.0 192.168.193.2  ---- return route

From planning to implementation it was finally completed satisfactorily, taking more than two months. Not easy... but it is all fine once you have been through it!!!

The above are just my own work notes, kept for future reference.

This article is reproduced from the 51CTO blog of pimg2005; original link: http://blog.51cto.com/pimg2005/1009202 . To republish it, please contact the original author.
