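Enterprise Network Planning and Design with Huawei eNSP: Firewall and Wireless Network Areas Included
- Preface
- Overall Network Topology Diagram
- Interface Information
- 1. Project Overview
  - 1.1 Project Introduction
  - 1.2 Overall Functional Design
- 2. Requirements Analysis
  - 2.1 Overall Requirements
  - 2.2 Specific Requirements
  - 2.3 Non-Functional Requirements
  - 2.4 Network Architecture Technical Requirements
- 3. Feasibility Analysis
  - 3.1 Technical Feasibility Analysis
  - 3.2 Economic Benefit Analysis
  - 3.3 Social Benefit Analysis
  - 3.4 Project Risk Analysis
- 4. Overall Design
  - 4.1 Enterprise Headquarters
  - 4.2 Intermediate Framework Design
  - 4.3 Enterprise Exterior
- 5. Detailed Design
  - 5.1 Overall Topology Diagram
  - 5.2 Structure Overview
    - 5.2.1 Enterprise Internal Base Design
    - 5.2.2 Enterprise Core Layer and Firewall Design
    - 5.2.3 Enterprise Server Cluster Design
    - 5.2.4 Enterprise Wireless Network Area Design
    - 5.2.5 Enterprise External Network Design
  - 5.3 Configuration
    - 5.3.1 AR1
    - 5.3.2 AR2
    - 5.3.3 ISP
    - 5.3.4 FW1
    - 5.3.5 LSW1
    - 5.3.6 LSW2
    - 5.3.7 LSW3
    - 5.3.8 LSW4
    - 5.3.9 LSW5
    - 5.3.10 LSW6
    - 5.3.11 LSW7
    - 5.3.12 LSW8
    - 5.3.13 LSW9
    - 5.3.14 LSW10
    - 5.3.15 LSW11
    - 5.3.16 AC1
- 6. System Testing
  - Automatic IP address assignment by DHCP inside the company
  - Mutual access between departments
  - Setting up the firewall and firewall policies
  - Setting up DNS name resolution
  - Setting up the HTTP server
  - Setting up the FTP server
  - Department clients accessing the HTTP, DNS and FTP servers through firewall policies
  - Company interior accessing the external network through the firewall
  - Company interior accessing external HTTP through the firewall
  - Company interior accessing the DMZ (the protected server cluster) through the firewall
  - DNS server resolving company-internal IP addresses
  - Wireless network area
  - Devices connecting to the wireless network
  - IP address assignment by DHCP
  - Wireless area accessing the enterprise external network
- Closing Remarks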
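Preface
This article summarizes and records my course design for the Communication Networks Comprehensive Practice course and shares the experience gained during the project. Because the project is continually being optimized and iterated, some of the configuration shown here may differ from the final design. Readers are welcome to leave suggestions in the comments and discuss. The article is aimed mainly at readers who already have basic eNSP knowledge.
The design fully meets the course-design standard; if you want to do better, modify the configuration as you see fit.
If a feature does not work, the device model or software version may be wrong. Leave a message in the comments and I will reply.
A Windows 10 installation link is also attached.
You can also read my other article on enterprise network planning and design:
Enterprise Network Planning and Design Based on Huawei eNSP
IP Enterprise Network Planning Based on eNSP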
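Overall Network Topology Diagram
Interface Information
1. Project Overview
1.1 Project Introduction
Design and simulate the complete network planning and infrastructure build-out for a small-to-medium enterprise, including the network layout of each internal department, wireless coverage planning, the server cluster architecture, switch redundancy and link aggregation, and the layered design of the enterprise switches across the access, aggregation and core layers.
1. Provide efficient network connectivity between all internal departments and units.
2. Build a secure, stable and efficient data transmission environment so that the network runs reliably.
3. Evaluate and appropriately deploy VPN technology to support secure communication with branch offices in other regions.
4. Plan and configure the DNS service to improve access efficiency and the user experience.
5. Design and simulate the enterprise firewall policy to raise overall network security and defend against potential threats.
6. Configure a wireless network area for enterprise staff that can use DNS and reach the external network through the firewall.
The design must take full account of the enterprise's actual business needs, network security, scalability and later operation and maintenance costs.
1.2 Overall Functional Design
The whole network uses a layered architecture. The internal network connects all units and departments and hosts centrally deployed public servers shared by the departments. The external network reaches the Internet over the carrier link, and a firewall is designed in to stop external users from attacking the servers on the internal network while still allowing the internal network to obtain external resources through the firewall and the DNS server, balancing business convenience and network security. A wireless network area is also designed for internal staff to improve usability and convenience.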
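2. Requirements Analysis
2.1 Overall Requirements
Headquarters communicates with the Internet through the firewall; designated departments inside the enterprise can access the servers; employees can reach one another; the external network cannot access company information through the firewall; DNS, HTTP and FTP servers are deployed inside the company; prohibit … The design approach we use follows the three-layer switching architecture: the core layer provides high-speed forwarding, redundancy and load balancing; the aggregation layer handles policy control (ACL, VLAN, QoS, packet filtering, route selection, multicast management); and the access layer connects users, offering many ports and user access control.
2.2 Specific Requirements
① Configure Eth-Trunk in the information center for link redundancy.
② Divide the internal network into multiple VLANs to shrink the broadcast domains and improve network stability.
③ Use the core switches as the user gateways to route between VLANs.
④ All users obtain their IP addresses automatically.
⑤ Configure NAT at the egress for address translation.
⑥ Design a firewall to protect enterprise privacy.
⑦ The external network reaches the Internet over the carrier link.
⑧ Allow the internal network to obtain external resources through the firewall and the DNS server.
⑨ Design an enterprise wireless network area so that employees can reach the Internet conveniently.
⑩ Design the firewall and server cluster functions, and provide standby switches and routers to guard against sudden failure.
2.3 Non-Functional Requirements
DNS provides name resolution. The overall structure is redundant, so it can handle the information to be transmitted promptly and withstand the sudden failure of a device.
2.4 Network Architecture Technical Requirements
1. Deploy Eth-Trunk for link redundancy between switches.
2. Use the core switches as gateways to route between VLANs.
3. Configure DHCP to assign and manage IP addresses automatically.
4. Deploy NAT on the egress router for address translation.
5. Support the firewall, server cluster and wireless access area requirements.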
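3. Feasibility Analysis
3.1 Technical Feasibility Analysis
The technologies used in this design are: USG6000V firewall configuration, wireless AC and AP configuration, VRRP (Virtual Router Redundancy Protocol), OSPF (Open Shortest Path First), NAT (Network Address Translation), DHCP (Dynamic Host Configuration Protocol), MSTP (Multiple Spanning Tree Protocol), ACL (access control lists), VLAN planning and design, IP address planning and design, static default routes, DNS (Domain Name System) and link aggregation. Together they provide the functions needed between departments, and the protocols run well alongside one another. The required functions are achieved in the simulator, and when the design is applied to an actual enterprise only the corresponding configuration is needed to reach the same result. The project is therefore technically feasible.
3.2 Economic Benefit Analysis
The project is built with fairly ordinary switches and routers that are configured to provide the required functions. The functions we want are achieved at low cost rather than by using expensive switches and routers, so the project is economically feasible.
3.3 Social Benefit Analysis
The project is built on a simulated enterprise network, so it should be realizable for a real enterprise. It models the operation of an enterprise network well, can serve as a reference for how a real enterprise operates, and implements the network interaction and the various functions properly.
3.4 Project Risk Analysis
The project deploys a firewall that blocks attacks from the external network against the enterprise interior in real time, and a wireless area that gives quick, convenient Internet access. The departments and the external network communicate using OSPF. Some specific protection protocols have not been implemented. Overall the project is suitable for a small enterprise; security protection was not given much consideration and only the required functions were addressed, so protection still has to be considered later before the project can be run in a real enterprise.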
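4. Overall Design
This part is kept brief and not elaborated.
4.1 Enterprise Headquarters
There are six departments: Sales in VLAN 10, Marketing in VLAN 20, Finance in VLAN 30, the Meeting Room in VLAN 40, R&D in VLAN 50 and Production in VLAN 60. There is also an internal wireless area with its controller, which manages the signal for that area. The wireless network name is Huawei and the password is huawei@123. All departments can reach one another.
4.2 Intermediate Framework Design
This part implements link redundancy and the interaction between the core switches, sets up the gateways and the core layer, and covers the server cluster with DNS name resolution, the firewall that protects against attacks from the Internet, and the NAT router and external network.
4.3 Enterprise Exterior
A simple OSPF and NAT design, with some basic Internet clients, Internet PCs and an Internet HTTP server.
5. Detailed Design
5.1 Overall Topology Diagram
5.2 Structure Overview
5.2.1 Enterprise Internal Base Design
5.2.2 Enterprise Core Layer and Firewall Design
5.2.3 Enterprise Server Cluster Design
5.2.4 Enterprise Wireless Network Area Design
5.2.5 Enterprise External Network Design
5.3 Configuration
There is too much content and configuration to describe in full; see the figures.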
5.3.1 AR1
```
[V200R003C00]
#
 sysname AR1
#
 board add 0/4 1GEC
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 undo info-center enable
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 192.168.80.21 255.255.255.252
#
interface GigabitEthernet0/0/1
 ip address 192.168.80.17 255.255.255.252
#
interface GigabitEthernet0/0/2
 ip address 192.168.80.6 255.255.255.252
#
interface GigabitEthernet4/0/0
 ip address 192.168.80.14 255.255.255.252
#
interface NULL0
#
ospf 30
 area 0.0.0.0
  network 192.168.80.4 0.0.0.3
  network 192.168.80.12 0.0.0.3
  network 192.168.80.16 0.0.0.3
  network 192.168.80.20 0.0.0.3
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
```
5.3.2 AR2
```
[V200R003C00]
#
 sysname AR2
#
 board add 0/4 1GEC
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 undo info-center enable
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 192.168.80.25 255.255.255.252
#
interface GigabitEthernet0/0/1
 ip address 192.168.80.18 255.255.255.252
#
interface GigabitEthernet0/0/2
 ip address 192.168.80.2 255.255.255.252
#
interface GigabitEthernet4/0/0
 ip address 192.168.80.10 255.255.255.252
#
interface NULL0
#
ospf 40
 area 0.0.0.0
  network 192.168.80.0 0.0.0.3
  network 192.168.80.8 0.0.0.3
  network 192.168.80.16 0.0.0.3
  network 192.168.80.24 0.0.0.3
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
```
5.3.3 ISP
```
[V200R003C00]
#
 sysname ISP
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 undo info-center enable
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 94.65.28.1 255.255.255.240
#
interface GigabitEthernet0/0/1
 ip address 46.35.88.2 255.255.255.240
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
```
5.3.4 FW1
```
!Software Version V500R005C10SPC300
!Last configuration was saved at 2024-11-26 22:55:02 UTC
#
sysname FW1
#
 l2tp domain suffix-separator @
#
undo info-center enable
#
 ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
 update schedule location-sdb weekly Sun 23:54
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
page-setting
 user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 update schedule ips-sdb daily 05:37
 update schedule av-sdb daily 05:37
 update schedule sa-sdb daily 05:37
 update schedule cnc daily 05:37
 update schedule file-reputation daily 05:37
#
ip vpn-instance default
 ipv4-family
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher @%@%L0,~O3:KVKNO]h/Cb!a<C{Kw6GU8DttPcS0@Tc3Emm(T{KzC@%@%
  service-type web terminal
  level 15
 manager-user api-admin
  password cipher @%@%uJa|Tb9e7AK@sH-Gd_02o\\>nzD)MJ*|ii*v@AtYo\\l+R\\>qo@%@%
  level 15
 manager-user admin
  password cipher @%@%]Sp\":!7&*~w0-U&q\\6}.E.V!+h0}40lhvQfQRZ9\\9WH<.V$E@%@%
  service-type web terminal
  level 15
 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 alias GE0/METH
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 46.35.88.1 255.255.255.240
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.90.254 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.80.22 255.255.255.252
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 192.168.80.26 255.255.255.252
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1
#
ospf 50
 default-route-advertise always
 area 0.0.0.0
  network 192.168.80.20 0.0.0.3
  network 192.168.80.24 0.0.0.3
  network 192.168.90.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 46.35.88.2
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 rule name tr-untr
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 0.0.255.255
  action permit
 rule name tr-dmz
  source-zone trust
  destination-zone dmz
  source-address 192.168.0.0 0.0.255.255
  destination-address 192.168.90.0 0.0.0.255
  action permit
 rule name lo-untr
  source-zone local
  destination-zone untrust
  action permit
 rule name lo-dmz
  source-zone local
  destination-zone dmz
  action permit
 rule name lo-tr
  source-zone local
  destination-zone trust
  action permit
 rule name untr-tr
  source-zone untrust
  destination-zone trust
  action permit
 rule name untr-lo
  source-zone untrust
  destination-zone local
  action permit
 rule name un-dmz
  source-zone untrust
  destination-zone dmz
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
 rule name easy-ip
  source-zone trust
  source-address 192.168.0.0 0.0.255.255
  action source-nat easy-ip
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
```
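The FW1 security-policy can be checked against the requirement in section 2.1 that the external network must not reach company information through the firewall. The Python audit below is an added example, not part of the original article or of any Huawei tool; the function names `parse` and `audit` and the `HARDENED_RULES` text are assumptions made for illustration.

```python
# Zone priorities and security-policy rules copied from the FW1 configuration on
# this page, one command per line.
FW1_POLICY = """\
firewall zone local
 set priority 100
firewall zone trust
 set priority 85
firewall zone untrust
 set priority 5
firewall zone dmz
 set priority 50
security-policy
 rule name tr-untr
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 0.0.255.255
  action permit
 rule name tr-dmz
  source-zone trust
  destination-zone dmz
  source-address 192.168.0.0 0.0.255.255
  destination-address 192.168.90.0 0.0.0.255
  action permit
 rule name lo-untr
  source-zone local
  destination-zone untrust
  action permit
 rule name lo-dmz
  source-zone local
  destination-zone dmz
  action permit
 rule name lo-tr
  source-zone local
  destination-zone trust
  action permit
 rule name untr-tr
  source-zone untrust
  destination-zone trust
  action permit
 rule name untr-lo
  source-zone untrust
  destination-zone local
  action permit
 rule name un-dmz
  source-zone untrust
  destination-zone dmz
  action permit
"""

# Constructed tightening (an assumption, not the author's configuration): the rules
# from untrust to trust and local are removed, and un-dmz is narrowed to HTTP
# towards the DMZ subnet 192.168.90.0/24.
HARDENED_RULES = """\
security-policy
 rule name un-dmz
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.90.0 0.0.0.255
  service http
  action permit
"""


def parse(text):
    """Return ({zone: priority}, [rule dicts]) from display-style configuration text."""
    zones, rules, view = {}, [], []
    for line in text.splitlines():
        words = line.split()
        if not words or words == ["#"]:
            continue
        if not line[0].isspace():                  # a top-level command opens a view
            view = words
        elif view[:2] == ["firewall", "zone"] and words[:2] == ["set", "priority"]:
            zones[view[-1]] = int(words[2])
        elif view == ["security-policy"] and words[:2] == ["rule", "name"]:
            rules.append({"name": [words[2]]})
        elif view == ["security-policy"] and rules:
            rules[-1].setdefault(words[0], []).append(" ".join(words[1:]))
    return zones, rules


def audit(zones, rules):
    """Flag permit rules that let a lower-priority zone reach a higher-priority one."""
    findings = []
    for rule in rules:
        if rule.get("action") != ["permit"]:
            continue
        # A rule counts as narrowed only if it limits both destination and service.
        narrowed = "destination-address" in rule and "service" in rule
        for src in rule.get("source-zone", list(zones)):       # no zone given = any
            for dst in rule.get("destination-zone", list(zones)):
                if zones[src] >= zones[dst] or narrowed:
                    continue
                level = "medium" if dst == "dmz" else "high"
                findings.append((rule["name"][0], f"{src}->{dst}", level))
    return findings
```

Run on the page's policy, `audit` reports `untr-tr` and `untr-lo` as high and `un-dmz` as medium; the tightened rule set produces no findings.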
5.3.5 LSW1
```
#
sysname LSW1
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
```
5.3.6 LSW2
```
#
sysname LSW2
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 20
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 20
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
```
5.3.7 LSW3
```
#
sysname LSW3
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 30
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 30
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
```
5.3.8 LSW4
```
#
sysname LSW4
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 40
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 40
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
```
5.3.9 LSW5
```
#
sysname LSW5
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 50
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 50
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
```
5.3.10 LSW6
```
#
sysname LSW6
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 60
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 60
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
```
5.3.11 LSW7
```
#
sysname LSW7
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name huawei
 revision-level 5
 instance 1 vlan 10 20 30
 instance 2 vlan 40 50 60
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
```
5.3.12 LSW8
```
#
sysname LSW8
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name huawei
 revision-level 5
 instance 1 vlan 10 20 30
 instance 2 vlan 40 50 60
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
```
5.3.13 LSW9
```
#
sysname LSW9
#
undo info-center enable
#
vlan batch 10 20 30 40 50 60 100 to 101
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
stp region-configuration
 region-name huawei
 revision-level 5
 instance 1 vlan 10 20 30
 instance 2 vlan 40 50 60
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk pvid vlan 101
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
```
5.3.14 LSW10
```
#
sysname LSW10
#
undo info-center enable
#
vlan batch 5 9 to 10 20 30 40 50 60 100 to 101
#
stp instance 1 root primary
stp instance 2 root secondary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
stp region-configuration
 region-name huawei
 revision-level 5
 instance 1 vlan 10 20 30
 instance 2 vlan 40 50 60
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif5
 ip address 192.168.80.5 255.255.255.252
#
interface Vlanif9
 ip address 192.168.80.9 255.255.255.252
#
interface Vlanif10
 ip address 192.168.10.254 255.255.255.0
 vrrp vrid 10 virtual-ip 192.168.10.252
 vrrp vrid 10 priority 101
 vrrp vrid 10 track interface GigabitEthernet0/0/1
 vrrp vrid 10 track interface GigabitEthernet0/0/2
 dhcp select interface
#
interface Vlanif20
 ip address 192.168.20.254 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.20.252
 vrrp vrid 20 priority 101
 vrrp vrid 20 track interface GigabitEthernet0/0/1
 vrrp vrid 20 track interface GigabitEthernet0/0/2
 dhcp select interface
#
interface Vlanif30
 ip address 192.168.30.254 255.255.255.0
 vrrp vrid 30 virtual-ip 192.168.30.252
 vrrp vrid 30 priority 101
 vrrp vrid 30 track interface GigabitEthernet0/0/1
 vrrp vrid 30 track interface GigabitEthernet0/0/2
 dhcp select interface
#
interface Vlanif40
 ip address 192.168.40.254 255.255.255.0
 vrrp vrid 40 virtual-ip 192.168.40.252
 vrrp vrid 40 track interface GigabitEthernet0/0/1
 vrrp vrid 40 track interface GigabitEthernet0/0/2
 dhcp select interface
#
interface Vlanif50
 ip address 192.168.50.254 255.255.255.0
 vrrp vrid 50 virtual-ip 192.168.50.252
 vrrp vrid 50 track interface GigabitEthernet0/0/1
 vrrp vrid 50 track interface GigabitEthernet0/0/2
 dhcp select interface
#
interface Vlanif60
 ip address 192.168.60.254 255.255.255.0
 vrrp vrid 60 virtual-ip 192.168.60.252
 vrrp vrid 60 track interface GigabitEthernet0/0/1
 vrrp vrid 60 track interface GigabitEthernet0/0/2
 dhcp select interface
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 5
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 9
#
interface GigabitEthernet0/0/3
 eth-trunk 1
#
interface GigabitEthernet0/0/4
 eth-trunk 1
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/7
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ospf 10
 area 0.0.0.0
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 192.168.40.0 0.0.0.255
  network 192.168.50.0 0.0.0.255
  network 192.168.60.0 0.0.0.255
  network 192.168.80.4 0.0.0.3
  network 192.168.80.8 0.0.0.3
#
user-interface con 0
user-interface vty 0 4
#
return
```
5.3.15 LSW11
```
#
sysname LSW11
#
undo info-center enable
#
vlan batch 10 to 11 13 20 30 40 50 60 100 to 101
#
stp instance 1 root secondary
stp instance 2 root primary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
stp region-configuration
 region-name huawei
 revision-level 5
 instance 1 vlan 10 20 30
 instance 2 vlan 40 50 60
 active region-configuration
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 192.168.10.253 255.255.255.0
 vrrp vrid 10 virtual-ip 192.168.10.252
 vrrp vrid 10 track interface GigabitEthernet0/0/1
 vrrp vrid 10 track interface GigabitEthernet0/0/2
 dhcp select interface
#
interface Vlanif11
 ip address 192.168.80.1 255.255.255.252
#
interface Vlanif13
 ip address 192.168.80.13 255.255.255.252
#
interface Vlanif20
 ip address 192.168.20.253 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.20.252
 vrrp vrid 20 track interface GigabitEthernet0/0/1
 vrrp vrid 20 track interface GigabitEthernet0/0/2
 dhcp select interface
#
interface Vlanif30
 ip address 192.168.30.253 255.255.255.0
 vrrp vrid 30 virtual-ip 192.168.30.252
 vrrp vrid 30 track interface GigabitEthernet0/0/1
 vrrp vrid 30 track interface GigabitEthernet0/0/2
 dhcp select interface
#
interface Vlanif40
 ip address 192.168.40.253 255.255.255.0
 vrrp vrid 40 virtual-ip 192.168.40.252
 vrrp vrid 40 priority 101
 vrrp vrid 40 track interface GigabitEthernet0/0/1
 vrrp vrid 40 track interface GigabitEthernet0/0/2
 dhcp select interface
#
interface Vlanif50
 ip address 192.168.50.253 255.255.255.0
 vrrp vrid 50 virtual-ip 192.168.50.252
 vrrp vrid 50 priority 101
 vrrp vrid 50 track interface GigabitEthernet0/0/1
 vrrp vrid 50 track interface GigabitEthernet0/0/2
 dhcp select interface
#
interface Vlanif60
 ip address 192.168.60.253 255.255.255.0
 vrrp vrid 60 virtual-ip 192.168.60.252
 vrrp vrid 60 priority 101
 vrrp vrid 60 track interface GigabitEthernet0/0/1
 vrrp vrid 60 track interface GigabitEthernet0/0/2
 dhcp select interface
#
interface Vlanif100
 ip address 192.168.100.254 255.255.255.0
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 13
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 11
#
interface GigabitEthernet0/0/3
 eth-trunk 1
#
interface GigabitEthernet0/0/4
 eth-trunk 1
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/7
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ospf 20
 area 0.0.0.0
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 192.168.40.0 0.0.0.255
  network 192.168.50.0 0.0.0.255
  network 192.168.60.0 0.0.0.255
  network 192.168.80.0 0.0.0.3
  network 192.168.80.12 0.0.0.3
  network 192.168.100.0 0.0.0.255
#
user-interface con 0
user-interface vty 0 4
#
return
```
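In the LSW10 and LSW11 configurations, each core switch is MSTP root for one instance and carries the higher VRRP priority for the VLANs of that instance, so the layer-2 root and the layer-3 gateway of a VLAN sit on the same device. The Python check below is an added example, not the author's code; it uses excerpts of the two configurations from this page, and the function names `parse_switch` and `alignment` are assumptions.

```python
import re

# Excerpts of the LSW10 and LSW11 configurations on this page (STP and VRRP lines only).
LSW10 = """\
stp instance 1 root primary
stp instance 2 root secondary
stp region-configuration
 instance 1 vlan 10 20 30
 instance 2 vlan 40 50 60
interface Vlanif10
 vrrp vrid 10 virtual-ip 192.168.10.252
 vrrp vrid 10 priority 101
interface Vlanif20
 vrrp vrid 20 virtual-ip 192.168.20.252
 vrrp vrid 20 priority 101
interface Vlanif30
 vrrp vrid 30 virtual-ip 192.168.30.252
 vrrp vrid 30 priority 101
interface Vlanif40
 vrrp vrid 40 virtual-ip 192.168.40.252
interface Vlanif50
 vrrp vrid 50 virtual-ip 192.168.50.252
interface Vlanif60
 vrrp vrid 60 virtual-ip 192.168.60.252
"""
LSW11 = """\
stp instance 1 root secondary
stp instance 2 root primary
stp region-configuration
 instance 1 vlan 10 20 30
 instance 2 vlan 40 50 60
interface Vlanif10
 vrrp vrid 10 virtual-ip 192.168.10.252
interface Vlanif20
 vrrp vrid 20 virtual-ip 192.168.20.252
interface Vlanif30
 vrrp vrid 30 virtual-ip 192.168.30.252
interface Vlanif40
 vrrp vrid 40 virtual-ip 192.168.40.252
 vrrp vrid 40 priority 101
interface Vlanif50
 vrrp vrid 50 virtual-ip 192.168.50.252
 vrrp vrid 50 priority 101
interface Vlanif60
 vrrp vrid 60 virtual-ip 192.168.60.252
 vrrp vrid 60 priority 101
"""


def parse_switch(text):
    """Return (instance -> VLANs, instance -> root role, VLAN -> VRRP priority)."""
    inst_vlans, roots, prio, vlan = {}, {}, {}, None
    for line in text.splitlines():
        w = line.split()
        if w[:2] == ["stp", "instance"] and w[3:4] == ["root"]:
            roots[int(w[2])] = w[4]
        elif w[:1] == ["instance"] and w[2:3] == ["vlan"]:
            # Plain VLAN lists only, as on this page ("to" ranges are not handled).
            inst_vlans[int(w[1])] = [int(v) for v in w[3:]]
        elif w[:1] == ["interface"]:
            m = re.fullmatch(r"Vlanif(\d+)", w[1])
            vlan = int(m.group(1)) if m else None
        elif w[:2] == ["vrrp", "vrid"] and vlan is not None:
            if w[3] == "virtual-ip":
                prio.setdefault(vlan, 100)        # VRRP default priority
            elif w[3] == "priority":
                prio[vlan] = int(w[4])
    return inst_vlans, roots, prio


def alignment(switches):
    """Map each VLAN to (VRRP master, MSTP root, aligned?) across the switches."""
    parsed = {name: parse_switch(cfg) for name, cfg in switches.items()}
    inst_vlans = next(iter(parsed.values()))[0]   # same MST region on every switch
    report = {}
    for inst, vlans in inst_vlans.items():
        root = next((n for n, p in parsed.items() if p[1].get(inst) == "primary"), None)
        for vlan in vlans:
            ranked = sorted(((p[2][vlan], n) for n, p in parsed.items() if vlan in p[2]),
                            reverse=True)
            # Equal priorities fall back to the interface IP address, which the
            # excerpts omit, so a tie is reported as having no designed master.
            tie = len(ranked) > 1 and ranked[0][0] == ranked[1][0]
            master = None if tie or not ranked else ranked[0][1]
            report[vlan] = (master, root, master is not None and master == root)
    return report
```

A VLAN whose master and root differ would send gateway traffic across the Eth-Trunk between the two core switches.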
5.3.16 AC1
[V200R007C10SPC300]
#
 sysname AC1
#
 set memory-usage threshold 0
#
ssl renegotiation-rate 1
#
vlan batch 100 to 101
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
ike proposal default
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme radius
  radius-server default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher $1a$&yLp9%<W{1$DmVx<tTL10yhw.=@uUo~;6NEKt8Q2UvbR9\"KvI{L$
 local-user admin privilege level 15
 local-user admin service-type http
#
interface Vlanif100
 ip address 192.168.100.3 255.255.255.0
 dhcp select global
#
interface Vlanif101
 ip address 192.168.101.1 255.255.255.0
 dhcp select interface
#
interface MEth0/0/1
 undo negotiation auto
 duplex half
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
 undo negotiation auto
 duplex half
#
interface GigabitEthernet0/0/22
 undo negotiation auto
 duplex half
#
interface GigabitEthernet0/0/23
 undo negotiation auto
 duplex half
#
interface GigabitEthernet0/0/24
 undo negotiation auto
 duplex half
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface NULL0
#
 undo info-center enable
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
capwap source interface vlanif101
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
wlan
 traffic-profile name default
 security-profile name sec
  security wpa2 psk pass-phrase %^%#VwyvDRU2gY4{/`>o$YEK-Xn33WMC05!b8(WdJovD%^%# aes
 security-profile name default
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name ssid
  ssid huawei
 ssid-profile name default
 vap-profile name vap
  forward-mode tunnel
  service-vlan vlan-id 100
  ssid-profile ssid
  security-profile sec
 vap-profile name default
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 wireless-access-specification
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap
 ap-group name ap
  regulatory-domain-profile domain1
  radio 0
   vap-profile vap wlan 1
  radio 1
   vap-profile vap wlan 1
  radio 2
   vap-profile vap wlan 1
 ap-group name default
 ap-id 0 type-id 56 ap-mac 00e0-fc5d-67d0 ap-sn 210235448310DF1C2420
  ap-name area1
  ap-group ap
 provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return
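The following is an added example, not part of the original article: a small Python check that flags the security-relevant settings visible in the LSW11 and AC1 dumps above, reporting each one with the configuration section it sits in. The sample excerpt is constructed from lines in those dumps, and the rule list and the `audit` function are this example's own assumptions, not a Huawei tool.

```python
import re

# Constructed excerpt: lines taken from the LSW11 and AC1 dumps above.
SAMPLE_CONFIG = """\
#
undo info-center enable
#
aaa
 local-user admin password simple admin
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
user-interface vty 0 4
 protocol inbound all
#
ssh server key-exchange dh_group14_sha1
#
return
"""

# (pattern, finding) pairs; this rule set is an assumption of the example.
RULES = [
    (r"^undo info-center enable$", "logging (info-center) is disabled"),
    (r"^local-user \S+ password simple ", "local password stored in plaintext"),
    (r"^port trunk allow-pass vlan 2 to 4094$", "trunk carries every VLAN"),
    (r"^protocol inbound all$", "VTY accepts Telnet as well as SSH"),
    (r"key-exchange .*sha1", "SSH key exchange uses SHA-1"),
]

def audit(config_text):
    """Return (section, line, finding) for each rule hit in a VRP-style dump."""
    findings, section = [], "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":      # '#' closes the current section
            section = "global"
            continue
        if not raw.startswith(" "):      # unindented line opens a section
            section = line
        for pattern, finding in RULES:
            if re.search(pattern, line):
                findings.append((section, line, finding))
    return findings

if __name__ == "__main__":
    for section, line, finding in audit(SAMPLE_CONFIG):
        print(f"[{section}] {line} -> {finding}")
```

The check expects one command per line, so it applies to the dumps in their multi-line form rather than to a single run-together line.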
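6. System Testing
Internal hosts obtain IP addresses automatically via DHCP
Mutual access between departments
Firewall deployment and firewall policies
DNS name resolution setup
HTTP server setup
FTP server setup
Department clients access the HTTP, DNS, and FTP servers through firewall policies
Internal hosts access the external network through the firewall
Internal hosts access external HTTP through the firewall
Internal hosts access the DMZ (the server cluster in the protected zone) through the firewall
The DNS server resolves internal company IP addresses
Wireless network area
Devices connect to the wireless network
DHCP assigns IP addresses
The wireless area accesses the external network
Conclusion
If you need the complete project, documentation, configurations, and so on, leave a comment.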