ensp小实验(ospf+dhcp+防火墙)

前言

今天给大家分享一个ensp的小实验，里面包含了ospf、dhcp、防火墙的内容，如果需要文件的可以私我。

一、拓扑图

二、实训需求

某学校新建一个分校区网络，经过与校领导和网络管理员的沟通，现通过了设备选型和组网解决方案，作为售后工程师，你需要按照方案进行网络建设与调试，使网络满足校方要求，并顺利验收。

网络说明和主要工作包括：

1. 校园内部网络拟定采用C类地址192.168.x.0/24进行规划，需要按照图示进行子网划分，以满足组网IP需求。
2. 网络分为接入、汇聚、核心三个层次，接入层交换机采用华为S3700，为二层交换机，主要进行用户的接入，为区分不同业务，进行了VLAN划分，各交换机均连接了不同VLAN的用户，并能保证把不同用户的数据向汇聚层发送。
3. 汇聚层设备采用华为S5700交换机，为三层交换机，下行接口vlanif10、vlanif20、vlanif30和vlanif40，分别作为不同用户的网关（GW），使内网用户能够上网。
4. 核心层设备选用华为AR2200路由器，用于连接核心交换机。核心路由器和分布层交换机、防火墙之间通过运行动态路由协议OSPF来学习路由信息，以实现内网各网段之间的互通。
5. 核心交换机选用华为S5700交换机，为二层交换机，主要负责内网、外网和内网服务器的VLAN隔离。
6. 内网设置防火墙来保障网络安全。设备选用华为USG5500防火墙。要求通过防火墙使内网不同用户通过NAT来实现访问外网，而同时不被外网所攻击。Trust区1-4号PC和7-10号PC可以访问所有的其他PC。Untrust区域的Client1只可以访问Server，其他禁止。DMZ的Server1不能访问任何PC。防火墙出口做EasyIP soure-nat转换。防火墙出口做NAT server使外网Client1可以访问内网服务器Server1。
7. 汇聚层交换机SW2和SW5使用基于接口的DHCP功能。主机利用DHCP获取IP地址。

三、设备配置命令

防火墙 

interface GigabitEthernet0/0/1
ip address 192.168.50.1 255.255.255.0 interface GigabitEthernet0/0/2
ip address 192.168.60.1 255.255.255.0 interface GigabitEthernet0/0/3
ip address 192.168.70.1 255.255.255.0 firewall zone trust
add interface GigabitEthernet0/0/1firewall zone untrust
add interface GigabitEthernet0/0/3firewall zone dmz
add interface GigabitEthernet0/0/2ospf 1 
area 0.0.0.0 
network 192.168.70.0 0.0.0.255 
area 0.0.0.1 
network 192.168.50.0 0.0.0.255 
area 0.0.0.2 
network 192.168.60.0 0.0.0.255 nat server 0 protocol tcp global interface GigabitEthernet0/0/3 8080 inside 192.168.60.2 wwwpolicy interzone trust untrust outbound
policy 10 
action permit policy interzone trust dmz outbound
policy 10 
action permit policy interzone dmz untrust inbound
policy 10 
action permit 
policy source 192.168.80.2 mask 32
policy destination 192.168.60.2 mask 32nat-policy interzone trust untrust outbound 
policy 10 
action source-nat 
easy-ip GigabitEthernet0/0/3

SW1

sysname SW1vlan batch 10 20 30 40 50interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 50interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30 40 50interface GigabitEthernet0/0/3
port link-type access
port default vlan 50

SW2

sysname SW2vlan batch 10 20 50
dhcp enableinterface Vlanif10
ip address 192.168.10.1 255.255.255.0 
dhcp select interfaceinterface Vlanif20
ip address 192.168.20.1 255.255.255.0 
dhcp select interfaceinterface Vlanif50
ip address 192.168.50.2 255.255.255.0 interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 50interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20ospf 1 
area 0.0.0.1 
network 192.168.10.0 0.0.0.255 
network 192.168.20.0 0.0.0.255 
network 192.168.50.0 0.0.0.255 

SW3

sysname SW3vlan batch 10 20interface Ethernet0/0/1
port link-type access
port default vlan 10interface Ethernet0/0/2
port link-type access
port default vlan 20interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20

SW4

sysname SW4vlan batch 10 20interface Ethernet0/0/1
port link-type access
port default vlan 10interface Ethernet0/0/2
port link-type access
port default vlan 20interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20

SW5

sysname SW5vlan batch 30 40 50dhcp enableinterface Vlanif30
ip address 192.168.30.1 255.255.255.0 
dhcp select interfaceinterface Vlanif40
ip address 192.168.40.1 255.255.255.0 
dhcp select interfaceinterface Vlanif50
ip address 192.168.50.3 255.255.255.0 interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30 40 50interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30 40interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30 40ospf 1 
area 0.0.0.1 
network 192.168.30.0 0.0.0.255 
network 192.168.40.0 0.0.0.255 
network 192.168.50.0 0.0.0.255 

SW6

sysname SW6vlan batch 30 40interface Ethernet0/0/1
port link-type access
port default vlan 30interface Ethernet0/0/2
port link-type access
port default vlan 40interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30 40

SW7

sysname SW7vlan batch 30 40interface Ethernet0/0/1
port link-type access
port default vlan 30interface Ethernet0/0/2
port link-type access
port default vlan 40interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30 40

AR1

sysname R1interface GigabitEthernet0/0/0
ip address 192.168.70.2 255.255.255.0 interface GigabitEthernet0/0/1
ip address 192.168.80.1 255.255.255.0 ospf 1 
area 0.0.0.0 
network 192.168.70.0 0.0.0.255 
area 0.0.0.3 
network 192.168.80.0 0.0.0.255 

四、网络测试

PC1 ping Server

PC1 ping Client1

PC7 ping Server

PC7 ping Client1

Client1 ping Server

Client1 ping PC1

Server ping PC1

Server ping PC7

Easy-ip