1. Access switches and the core switch are connected through Eth-Trunk links for reliability;
2. Each department's traffic is placed in its own VLAN; traffic between departments is routed at the core layer through VLANIF interfaces;
3. The core switch acts as the DHCP server and assigns IP addresses to campus users;
4. Access switches run DHCP snooping to stop internal users from plugging in small home routers that hand out IP addresses, and IPSG to stop internal users from changing their IP addresses by hand.
Configuration procedure:
1. Core (Layer 3) switch configuration
[Huawei]sysname CORE
[CORE]vlan 5 //create management VLAN 5
[CORE-vlan5]quit
[CORE]interface Vlanif 5
[CORE-Vlanif5]ip address 10.10.1.1 24
[CORE-Vlanif5]q
//Assume the administrator's PC is connected on g0/0/8; put that port in the management VLAN
[CORE]interface g0/0/8
[CORE-GigabitEthernet0/0/8]port link-type access
[CORE-GigabitEthernet0/0/8]port default vlan 5
[CORE-GigabitEthernet0/0/8]q
//Configure Telnet
[CORE]telnet server enable
[CORE]user-interface vty 0 4
[CORE-ui-vty0-4]protocol inbound telnet
[CORE-ui-vty0-4]authentication-mode aaa
[CORE-ui-vty0-4]idle-timeout 15
[CORE-ui-vty0-4]quit
[CORE]aaa
[CORE-aaa]local-user admin password cipher 123456
[CORE-aaa]local-user admin privilege level 15
[CORE-aaa]local-user admin service-type telnet
//Configure the user-facing ports on the access switches: put users into their VLAN and set the ports as edge ports
[ACC1]vlan 10
[ACC1-vlan10]q
[ACC1]interface e0/0/1
[ACC1-Ethernet0/0/1]port link-type access
[ACC1-Ethernet0/0/1]port default vlan 10
[ACC1-Ethernet0/0/1]stp edged-port enable //enable edge port
[ACC1-Ethernet0/0/1]interface e0/0/22
[ACC1-Ethernet0/0/22]port link-type access
[ACC1-Ethernet0/0/22]port default vlan 10
[ACC1-Ethernet0/0/22]stp edged-port enable
[ACC1-Ethernet0/0/22]q
[ACC2]vlan 20
[ACC2-vlan20]q
[ACC2]interface e0/0/1
[ACC2-Ethernet0/0/1]port link-type access
[ACC2-Ethernet0/0/1]port default vlan 20
[ACC2-Ethernet0/0/1]stp edged-port enable
[ACC2-Ethernet0/0/1]interface e0/0/2
[ACC2-Ethernet0/0/2]port link-type access
[ACC2-Ethernet0/0/2]port default vlan 20
[ACC2-Ethernet0/0/2]stp edged-port enable
[ACC2-Ethernet0/0/2]q
//Configure Eth-Trunk 1 from ACC1 to CORE, carrying department A's VLAN
[ACC1]interface Eth-Trunk 1
[ACC1-Eth-Trunk1]port link-type trunk //trunk mode so the VLAN is carried across the link
[ACC1-Eth-Trunk1]port trunk allow-pass vlan 10
[ACC1-Eth-Trunk1]mode lacp-static //run the Eth-Trunk in LACP mode
[ACC1-Eth-Trunk1]q
[ACC1]interface e0/0/2
[ACC1-Ethernet0/0/2]eth-trunk 1 //add e0/0/2 to Eth-Trunk 1
[ACC1-Ethernet0/0/2]q
[ACC1]interface e0/0/3
[ACC1-Ethernet0/0/3]eth-trunk 1 //add e0/0/3 to Eth-Trunk 1
[ACC1-Ethernet0/0/3]q
[ACC1]stp bpdu-protection //enable BPDU protection on the edge ports to keep the topology stable
Core switch configuration:
Create in one batch the VLANs that CORE uses to reach ACC1, ACC2 and the campus egress router.
[CORE]vlan batch 10 20 100
//Configure Eth-Trunk 1 from CORE to ACC1, carrying department A's VLAN
[CORE]interface Eth-Trunk 1
[CORE-Eth-Trunk1]port link-type trunk
[CORE-Eth-Trunk1]port trunk allow-pass vlan 10
[CORE-Eth-Trunk1]mode lacp-static
[CORE-Eth-Trunk1]q
[CORE]interface g0/0/2
[CORE-GigabitEthernet0/0/2]eth-trunk 1
[CORE-GigabitEthernet0/0/2]q
[CORE]interface g0/0/3
[CORE-GigabitEthernet0/0/3]eth-trunk 1
[CORE-GigabitEthernet0/0/3]q
//Configure the VLANIF interfaces that route between department A and department B
[CORE]interface Vlanif 10
[CORE-Vlanif10]ip address 10.10.10.1 24
[CORE-Vlanif10]interface Vlanif 20
[CORE-Vlanif20]ip add 10.10.20.1 24
[CORE-Vlanif20]q
//Configure Eth-Trunk 2 between ACC2 and CORE in the same way (on both ACC2 and CORE)
//Configure the interface on the Layer 3 switch that connects to the upstream router
[CORE]interface Vlanif 100 //VLANIF that gives CORE Layer 3 connectivity to the router
[CORE-Vlanif100]ip add 10.10.100.1 24
[CORE-Vlanif100]q
[CORE]interface g0/0/1
[CORE-GigabitEthernet0/0/1]port link-type access
[CORE-GigabitEthernet0/0/1]port default vlan 100
[CORE-GigabitEthernet0/0/1]q
//Configure the core switch (CORE) as the DHCP server, shown here for department A:
[CORE]dhcp enable
[CORE]ip pool 10
[CORE-ip-pool-10]network 10.10.10.0 mask 255.255.255.0
[CORE-ip-pool-10]gateway-list 10.10.10.1 //must be the Vlanif 10 address so clients route through CORE
[CORE-ip-pool-10]dns-list 8.8.8.8
[CORE-ip-pool-10]static-bind ip-address 10.10.10.100 mac-address a-b-c //reserve a fixed address for the department printer (a-b-c is a placeholder MAC)
[CORE-ip-pool-10]q
[CORE]interface Vlanif 10
[CORE-Vlanif10]dhcp select global
[CORE-Vlanif10]q
//Department B is configured the same way
//On CORE, configure a static default route to the campus egress gateway so internal traffic reaches the egress router
[CORE]ip route-static 0.0.0.0 0 10.10.100.2
//Egress router; its public IP address is 1.1.1.2/30
[ROUTER]interface g0/0/1
[ROUTER-GigabitEthernet0/0/1]ip add 10.10.100.2 24
[ROUTER-GigabitEthernet0/0/1]q
[ROUTER]interface g0/0/0
[ROUTER-GigabitEthernet0/0/0]ip add 1.1.1.2 30
[ROUTER-GigabitEthernet0/0/0]q
//Configure the ACL that permits Internet access: list every internal subnet allowed to reach the Internet
[ROUTER]acl 2000
[ROUTER-acl-basic-2000]rule permit source 10.10.10.0 0.0.0.255
[ROUTER-acl-basic-2000]rule permit source 10.10.20.0 0.0.0.255
[ROUTER-acl-basic-2000]rule permit source 10.10.100.0 0.0.0.255
[ROUTER-acl-basic-2000]q
[ROUTER]interface g0/0/0 //apply NAT on the public-facing interface so internal users can reach the Internet
[ROUTER-GigabitEthernet0/0/0]nat outbound 2000
[ROUTER-GigabitEthernet0/0/0]q
//Configure specific routes back to the internal subnets and a static default route toward the public network
[ROUTER]ip route-static 10.10.10.0 255.255.255.0 10.10.100.1
[ROUTER]ip route-static 10.10.20.0 255.255.255.0 10.10.100.1
[ROUTER]ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
//Configure DNS resolution; the DNS server address is the one provided by the ISP
[ROUTER]dns resolve
[ROUTER]dns server 8.8.8.8
[ROUTER]dns proxy enable
//Enable DHCP snooping on the access switches ACC1 and ACC2
[ACC1]dhcp snooping enable //enable DHCP snooping globally
[ACC1]interface Eth-Trunk 1
[ACC1-Eth-Trunk1]dhcp snooping enable
[ACC1-Eth-Trunk1]dhcp snooping trusted //the uplink to CORE is the only trusted port; server replies are accepted here only
[ACC1-Eth-Trunk1]q
//Enable DHCP snooping on the user-facing ports (they stay untrusted)
[ACC1]interface e0/0/1
[ACC1-Ethernet0/0/1]dhcp snooping enable
[ACC1-Ethernet0/0/1]interface e0/0/22
[ACC1-Ethernet0/0/22]dhcp snooping enable
[ACC1-Ethernet0/0/22]q
After the above configuration, department A's users obtain IP addresses from the legitimate DHCP server, and addresses handed out by a home router plugged into the internal network no longer interfere with legitimate internal users.
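To make the forwarding decisions behind the DHCP snooping and IPSG requirements concrete, here is an added Python model of what the access switch ACC1 does with DHCP replies and client IP packets at each port. It is an illustration written for this page, not Huawei's implementation; the port names and VLAN 10 come from the configuration above, while the switch model, MAC addresses and IP values are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SnoopingSwitch:
    trusted: set                                  # uplink ports toward the legitimate DHCP server (Eth-Trunk 1)
    ipsg_ports: set                               # user ports where IP source guard is applied
    bindings: dict = field(default_factory=dict)  # client MAC -> (IP, port, VLAN), learned from DHCP ACKs

    def dhcp_from_server(self, in_port, kind, client_mac, client_port, vlan, ip):
        """A DHCP OFFER/ACK entering on in_port: only trusted ports may carry server replies."""
        if in_port not in self.trusted:
            return "drop"                         # a DHCP server answering on a user port is discarded
        if kind == "ACK":                         # lease confirmed: record the snooping binding
            self.bindings[client_mac] = (ip, client_port, vlan)
        return "forward"

    def ip_from_client(self, in_port, src_mac, src_ip, vlan):
        """IPSG: an IP packet on a guarded port must match a snooping binding exactly."""
        if in_port not in self.ipsg_ports:
            return "forward"
        return "forward" if self.bindings.get(src_mac) == (src_ip, in_port, vlan) else "drop"

def acc1_scenario():
    """Constructed traffic on ACC1; port names and VLAN 10 are from the page, MACs and IPs are sample values."""
    sw = SnoopingSwitch(trusted={"Eth-Trunk1"}, ipsg_ports={"Ethernet0/0/1", "Ethernet0/0/22"})
    pc = "0011-2233-4455"                         # constructed MAC of the PC on e0/0/1
    r = {}
    # 1. A home router on e0/0/22 answers the PC's DISCOVER with its own OFFER: untrusted port, dropped.
    r["rogue_offer"] = sw.dhcp_from_server("Ethernet0/0/22", "OFFER", pc, "Ethernet0/0/1", 10, "192.168.1.50")
    # 2. CORE's ACK arrives over the trusted Eth-Trunk 1 and creates the binding for the PC on e0/0/1.
    r["core_ack"] = sw.dhcp_from_server("Eth-Trunk1", "ACK", pc, "Ethernet0/0/1", 10, "10.10.10.11")
    # 3. The PC sends with its leased address: matches the binding, forwarded.
    r["leased_ip"] = sw.ip_from_client("Ethernet0/0/1", pc, "10.10.10.11", 10)
    # 4. The user sets a static address by hand: no matching binding, dropped by IPSG.
    r["static_ip"] = sw.ip_from_client("Ethernet0/0/1", pc, "10.10.10.200", 10)
    # 5. A frame carrying the PC's MAC and lease shows up on e0/0/22: wrong port for the binding, dropped.
    r["wrong_port"] = sw.ip_from_client("Ethernet0/0/22", pc, "10.10.10.11", 10)
    return sw.bindings, r
```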