|
苏州某金融公司因扩大规模,需要对网络进行升级改造,原有的拓扑及设备清单,如下图所示: 一、需求分析 IT提出的升级改造要求如下: 1、原来的VLAN10留给综合部使用; 2、VLAN12继续为门禁监控使用; 3、新建VLAN30、40、50、60、80给不同的部门使用; 4、新建VLAN90,给访客专用,访客的设备无论是有线网络还是WIFI都连接到VLAN90,且只允许访问外网,不得访问内网资源; 二、配置过程 1、有道是:“有图走遍天下,无图寸步难行”,所以根据IT提出的要求,拓扑图更新如下:
2、核心交换机的配置: Sys CORE *设备交换机名称为CORE vlan bat 2 10 20 30 40 50 60 80 90 *创建这些VLAN dhcp enable *开启DHCP功能 dhcp snooping enable *开启dhcp snooping功能 以下是配置各个vlanif接口IP interface Vlanif2 ip address 192.168.1.2 255.255.255.0 dhcp select global # interface Vlanif10 ip address 192.168.8.1 255.255.255.0 dhcp select global # interface Vlanif20 ip address 192.168.12.1 255.255.255.0 dhcp select global # interface Vlanif30 ip address 192.168.200.1 255.255.255.0 dhcp select global # interface Vlanif40 ip address 192.168.204.1 255.255.255.0 # interface Vlanif50 ip address 192.168.208.1 255.255.255.0 # interface Vlanif60 ip address 192.168.212.1 255.255.255.0 # interface Vlanif80 ip address 192.168.100.1 255.255.255.0 dhcp select global # interface Vlanif90 ip address 192.168.104.1 255.255.255.0 dhcp select global # 以下是配置各个VLAN的DHCP地址池 ip pool vlan2 gateway-list 192.168.1.2 network 192.168.1.0 mask 255.255.255.0 excluded-ip-address 192.168.1.3 192.168.1.20 dns-list 114.114.114.114 # ip pool vlan10 gateway-list 192.168.8.1 network 192.168.8.0 mask 255.255.255.0 excluded-ip-address 192.168.8.2 192.168.8.20 dns-list 114.114.114.114 # ip pool vlan20 gateway-list 192.168.12.1 network 192.168.12.0 mask 255.255.255.0 excluded-ip-address 192.168.12.2 192.168.12.20 dns-list 114.114.114.114 # ip pool vlan30 gateway-list 192.168.200.1 network 192.168.200.0 mask 255.255.255.0 excluded-ip-address 192.168.200.2 192.168.200.20 dns-list 114.114.114.114 # ip pool vlan80 gateway-list 192.168.100.1 network 192.168.100.0 mask 255.255.255.0 excluded-ip-address 192.168.100.2 192.168.100.20 dns-list 114.114.114.114 # ip pool vlan90 gateway-list 192.168.104.1 network 192.168.104.0 mask 255.255.255.0 excluded-ip-address 192.168.104.2 192.168.104.20 dns-list 114.114.114.114 # 以下是配置trunk模式的交换机接口,注意:级联AP或者AP交换机的接口,必须配置port trunk pvid vlan x(x=AP所在管理VLAN) interface GigabitEthernet0/0/2 interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 2 to 4094 # interface GigabitEthernet0/0/2 port link-type trunk port trunk pvid vlan 2 port trunk allow-pass vlan 2 to 4094 # interface GigabitEthernet0/0/3 port link-type trunk port trunk allow-pass vlan 2 to 4094 # interface GigabitEthernet0/0/4 port link-type trunk port trunk pvid vlan 2 port trunk allow-pass vlan 2 to 4094 # interface GigabitEthernet0/0/5 port link-type trunk port trunk allow-pass vlan 2 to 4094 # interface GigabitEthernet0/0/6 port link-type trunk port trunk allow-pass vlan 2 to 4094 # interface GigabitEthernet0/0/7 port link-type access port default vlan 2 # 需要一条静态路由,ip route-static 0.0.0.0 0.0.0.0 192.168.1.1,上外网从192.168.1.1出去 VLAN90为访客专用网段,因此ACL配置如下: acl 3001 *创建acl3001 rule 5 deny ip source 192.168.104.0 0.0.0.255 destination 192.168.0.0 0.0.255.255 *拒绝从192.168.104.0/24网段到192.168.0.0/16网段(内网全部网段)的流量 rule 10 permit ip source 192.168.104.0 0.0.0.255 destination 0.0.0.0 0 *允许104网段上外网 traffic classifier vlan90 *创建流分类 if-match acl 3001 *将ACL与流分类关联 q [CORE]traffic behavior vlan90 *创建流行为 [CORE-behavior-vlan90]deny *配置流行为动作为拒绝报文通过 [CORE-behavior-vlan90]q [CORE]traffic policy vlan90 *创建流策略 [CORE-trafficpolicy-vlan90]classifier vlan90 behavior vlan90 *将流分类vlan90与流行为vlan90关联 [CORE]vlan 90 *注意,此处不是int vlan90,而是 vlan 90命令 [CORE-vlan90]traffic-policy vlan90 inbound *流策略应用在接口入方向 [CORE-vlan90]dis th 3、AC控制器的配置: vlan bat 2 80 90 *创建VLAN2 80 90,其中2为AP管理,80为员工使用,90为访客使用 dhcp enable interface Vlanif2 ip address 192.168.1.3 255.255.255.0 dhcp select global # interface Vlanif80 dhcp select global # interface Vlanif90 dhcp select global # interface GigabitEthernet0/0/1 port link-type trunk p t a v a capwap source interface vlanif2 *配置AC建立CAPWAP隧道使用的接口,即interface vlanif2作为AC的源接口 Wlan *进入无线配置 dis ap unauthorized record *查看未通过认证的AP regulatory-domain-profile name wlan *创建域管理模板 q ap-group name aps *创建名为aps的ap组,目的是把AP添加进AP组里方便管理 regulatory-domain-profile wlan *AP组引用域管理模板 ap-id 0 ap-mac 00e0-xxxx-xx80 *导入该AP的mac,ap-id 0是手动为ap设置的顺序编号,注意不可重复 ap-group aps *加入到AP组aps里 dis ap all *查看上线AP,状态:nor为正常工作,可能需要等2分钟 dis ap unauthorized record *查看未通过认证的AP(备用命令) ap-confirm all *确认未通过认证的ap,允许其上线(备用命令) undo ap auth-mode *关闭AP认证,直接让AP自动完成上线(备用命令) ap-id 0 *进入编号为0的AP配置,这里通过display this查看当前配置信息,也可以通过ap-name给AP命名(备用命令) security-profile name office *创建安全模板 security wpa-wpa2 psk pass-phrase 18913530333 aes *配置安全模式、WIFI密码 security-profile name guest *创建安全模板 security wpa-wpa2 psk pass-phrase 123456789 aes *配置安全模式、WIFI密码 ssid-profile name offic *创建ssid模板 ssid office *ssid名称,即wifi名 ssid-profile name guest *创建ssid模板 ssid guest *ssid名称,即wifi名 vap-profile name office *创建vap模板 service-vlan vlan-id 80 *配置业务vlan,即给连接无线用户分配地址的vlan,此处为VLAN80 ssid-profile offic *引用ssid模板 security-profile office *引用安全模板 forward-mode direct-forward *配置转发模式:直接转发,华为设备默认直接转发,此命令可不执行 vap-profile name guest service-vlan vlan-id 90 ssid-profile guest security-profile guest ap-group name aps *进入AP组配置 regulatory-domain-profile wlan radio 0 vap-profile office wlan 1 vap-profile guest wlan 2 后增加AP dis ap unauthorized record ap-confirm all ap-id 1 ap-group aps ap-name 19f-1 增加5G信号 [AC6605-wlan-view]ap-group name aps [AC6605-wlan-ap-group-aps]radio 1 [AC6605-wlan-group-radio-aps/1]vap-pro [AC6605-wlan-group-radio-aps/1]vap-profile office wlan 1 [AC6605-wlan-group-radio-aps/1]vap-pro [AC6605-wlan-group-radio-aps/1]vap-profile guest wlan 2 交换机的VLAN端口配置略…… 三、验证配置: 1、不同VLAN的PC之间互相访问,通过; 2、VLAN90的PC,只能上外网,禁止访问内网其他VLAN,通过; 3、无线终端连接WIFI,两个SSID绑定了不同的VLAN,通过;
4、连接guest这个SSID的无线终端,可以访问外网
5、连接guest这个SSID,即在VLAN90内的客户端, 禁止访问内网其他VLAN
6、连接guest这个SSID的无线终端,哪怕是在同一个VLAN内,也是禁止互相访问的
|
|
|
