
Enterprise Case: H3C High-Performance Campus Network

Department: Computer Technology Department
Major: Computer Network Technology
Instructor: Dong Kepeng (董科鹏)
Program lead: Sun Zhicheng (孙志成)

Central Academy of Fine Arts Network Renovation Plan

1. Project source

Central Academy of Fine Arts network renovation plan.

2. Main project content

The school plans to upgrade its egress equipment to meet the Internet access needs of the 30,000 users of the whole campus network. The campus network egress has 6 gigabit links, so load balancing is required at the egress. The school also wants a single large Layer 2 domain across the whole campus network to simplify maintenance and management.

The main campus uses integrated wired and wireless networking. The office building and the basketball court use wall-plate APs for both wired network deployment and wireless coverage (here the wired terminals and the wireless APs are in the same subnet). In the other venues, wireless is deployed with an indoor distribution system and the wired network keeps the existing equipment unchanged (subnets are essentially unchanged; see the IP address plan).

3. Project knowledge points

1) Network design principles
This plan designs a backbone network that connects the individual subnets and application services. The network protocol is TCP/IP. The core switch is a Layer 3 switch, which handles real-time response to traffic bursts and dense service requests well, so that the switching engine is not overloaded and packets do not collide or get lost during data exchange.

2) IP address planning
IP address space allocation must match the hierarchy of the network topology. It must use the address space efficiently while reflecting the scalability and flexibility of the network, and it must satisfy the requirements of the routing protocols so that routes in the network can be aggregated. Aggregation shortens the routing tables in the routers, reduces router CPU and memory consumption, improves the efficiency of the routing algorithms and speeds up convergence after route changes. The manageability of the network addresses must also be considered.

3) Wireless planning
With the rapid growth of wireless terminals, the original network design can no longer meet current needs. This renovation design mainly provides wireless coverage for the sports center, including indoor areas such as the administration building, the art museum, the Design School center, the plaster sculpture exhibition hall, the comprehensive building and the library, as well as outdoor areas such as the basketball court.

4) QoS
To keep the network running normally, rate limiting is configured on intranet ports, and Internet access behavior is restricted for specified subnets.

4. Project skill points

1) Correct IP address configuration

X X X X X subnet plan

Building / scope | IP plan | Gateway | SSID | Access password
Administration building, wired (existing) | | | |
Comprehensive building, wired (new) | | | |
Art museum, wired | | | |
Library, wireless | | | Library | Ymcont1
Design School center, wireless | | | Design Cen | Ymcont2
Other, wireless | | | ZJZX | Ymcont3
Basketball hall, wireless | | | Bas | Ymcont4

2) DHCP configuration
3) QoS configuration
4) Wireless planning and AP configuration

5. Appendix

Key configuration of the egress firewall:

#
 version 7.1.064, Ess 9311P02
#
 sysname F1050
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 firewall statistic system enable
#
 qos carl 1 source-ip-address range 192.168.20.1 to 192.168.20.254 per-address
 qos carl 2 destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address
 qos carl 3 source-ip-address range 10.0.1.1 to 10.0.1.254 per-address
 qos carl 4 destination-ip-address range 10.0.1.1 to 10.0.1.254 per-address
 qos carl 5 source-ip-address range 10.0.2.1 to 10.0.2.254 per-address
 qos carl 6 destination-ip-address range 10.0.2.1 to 10.0.2.254 per-address
#
radius scheme system
 server-type extended
#
domain system
#
local-user admin
 password simple admin
 service-type telnet
 level 3
#
acl advanced 3000
acl advanced 3001
#
interface Aux0
 async mode flow
#
interface GigabitEthernet0/0
#
interface GigabitEthernet0/1
 description to core
 qos car inbound carl 1 cir 3072000 cbs 3072000 ebs 0 green pass red discard
 qos car inbound carl 3 cir 3072000 cbs 3072000 ebs 0 green pass red discard
 qos car inbound carl 5 cir 3072000 cbs 3072000 ebs 0 green pass red discard
 qos car outbound carl 2 cir 3072000 cbs 3072000 ebs 0 green pass red discard
 qos car outbound carl 4 cir 3072000 cbs 3072000 ebs 0 green pass red discard
 qos car outbound carl 6 cir 3072000 cbs 3072000 ebs 0 green pass red discard
#
interface GigabitEthernet1/0
#
interface GigabitEthernet1/1
 ip address 124.205.152.70 255.255.255.224 sub
 nat outbound 3000 address-group 1
 qos car inbound carl 1 cir 3072000 cbs 3072000 ebs 0 green pass red discard
 qos car inbound carl 3 cir 3072000 cbs 3072000 ebs 0 green pass red discard
 qos car inbound carl 5 cir 3072000 cbs 3072000 ebs 0 green pass red discard
 qos car inbound acl 3001 cir 4096000 cbs 4096000 ebs 0 green pass red discard
 qos car outbound carl 2 cir 3072000 cbs 3072000 ebs 0 green pass red discard
 qos car outbound carl 6 cir 3072000 cbs 3072000 ebs 0 green pass red discard
 qos car outbound carl 4 cir 3072000 cbs 3072000 ebs 0 green pass red discard
 qos car outbound acl 3001 cir 4096000 cbs 4096000 ebs 0 green pass red discard
#
interface Encrypt2/0
#
interface NULL0
#
security-zone name Trust
 import interface GigabitEthernet0/1
 import interface GigabitEthernet1/0
 import interface GigabitEthernet1/1
#
zone-pair security source trust destination untrust
 packet-filter 3000
#
 ip route-static 0.0.0.0 0.0.0.0 172.30.30.101 preference 60
 ip route-static 10.0.0.0 255.0.0.0 192.168.10.2 preference 60
 ip route-static 172.16.0.0 255.255.0.0 192.168.10.2 preference 60
 ip route-static 192.168.2.0 255.255.255.0 192.168.10.2 preference 60
 ip route-static 193.0.0.0 255.0.0.0 192.168.10.2 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return

Key configuration of the core switch:

#
 version 5.20, Release 2202P20
#
 sysname core
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
#
 domain default enable system
#
 telnet server enable
#
 undo ip ttl-expires
#
 dhcp-snooping
#
vlan 1
#
vlan 10
#
vlan 20
 description to gongyu
#
vlan 40
 description gonggongquyu
#
vlan 999
#
vlan 4000
 description to chukou
#
radius scheme system
 server-type extended
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
dhcp server ip-pool gonggong
#
dhcp server ip-pool gongyu
#
user-group system
#
local-user admin
 password simple admin
 authorization-attribute level 3
 service-type telnet
#
 stp instance 0 root primary
#
interface NULL0
#
interface Vlan-interface1
#
interface Vlan-interface10
 ip address 192.168.2.254 255.255.255.0
#
interface Vlan-interface20
 description to gongyu
#
interface Vlan-interface40
 description gonggong
#
interface Vlan-interface999
#
interface Vlan-interface4000
 description to chukou
#
interface GigabitEthernet1/0/1
 port access vlan 10
#
interface GigabitEthernet1/0/2
 port access vlan 10
#
interface GigabitEthernet1/0/3
 port access vlan 10
#
interface GigabitEthernet1/0/4
 port access vlan 10
#
interface GigabitEthernet1/0/5
 port access vlan 10
#
interface GigabitEthernet1/0/6
 port link-type trunk
 port trunk permit vlan 1 10 20
 port trunk pvid vlan 10
#
interface GigabitEthernet1/0/7
 port link-type trunk
 port trunk permit vlan 1 10 20
 port trunk pvid vlan 10
#
interface GigabitEthernet1/0/8
 port link-type trunk
 port trunk permit vlan 1 10 20
 port trunk pvid vlan 10
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 20
 dhcp-snooping trust
#
interface GigabitEthernet1/0/11
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 20
 dhcp-snooping trust
#
interface GigabitEthernet1/0/12
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 20
 dhcp-snooping trust
#
interface GigabitEthernet1/0/13
 port link-type trunk
 port trunk permit vlan 1 10 20
 port trunk pvid vlan 10
#
interface GigabitEthernet1/0/14
 port access vlan 999
#
interface GigabitEthernet1/0/15
 port link-type trunk
 port trunk permit vlan 1 10 20
 port trunk pvid vlan 10
#
interface GigabitEthernet1/0/16
 port link-type trunk
 port trunk permit vlan 1 10 20
 port trunk pvid vlan 10
#
interface GigabitEthernet1/0/17
 port link-type trunk
 port trunk permit vlan 1 10 20
 port trunk pvid vlan 10
#
interface GigabitEthernet1/0/18
 port access vlan 10
#
interface GigabitEthernet1/0/19
 port access vlan 10
#
interface GigabitEthernet1/0/20
 description to jiaxiao
 port access vlan 10
#
interface GigabitEthernet1/0/21
#
interface GigabitEthernet1/0/22
 description to gongyu
 port access vlan 20
 dhcp-snooping trust
#
interface GigabitEthernet1/0/23
 description to chukou
 port access vlan 4000
#
interface GigabitEthernet1/0/24
 description to AC
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 20
#
interface GigabitEthernet1/0/25
 shutdown
#
interface GigabitEthernet1/0/26
 shutdown
#
interface GigabitEthernet1/0/27
 shutdown
#
interface GigabitEthernet1/0/28
 shutdown
#
 dhcp enable
#
user-interface aux 0 8
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
#
return

Key configuration of the wireless controller:

#
 version 5.20, Release 2609P30
#
 sysname AC
#
 domain default enable system
#
 telnet server enable
#
 port-security enable
#
 sysnetid AC
#
 password-recovery enable
#
vlan 1
#
vlan 20
#
vlan 100
 description bangonglou
#
vlan 200
 description gongyu
#
vlan 300
 description gonggongquyu
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
dhcp server ip-pool gonggong
#
dhcp server ip-pool gongyu
#
dhcp server ip-pool office
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher $c$3$7l+ydIMHrQiN/SqGkUB6L38Rpy6MTms6
 authorization-attribute level 3
 service-type telnet
 service-type web
#
wlan rrm
 dot11a mandatory-rate 6 12 24
 dot11a supported-rate 9 18 36 48 54
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan service-template 1 clear
 ssid office
 bind WLAN-ESS 1
 client-rate-limit direction inbound mode static cir 3072
 client-rate-limit direction outbound mode static cir 3072
 service-template enable
#
wlan service-template 2 clear
 ssid Library
 bind WLAN-ESS 2
 client-rate-limit direction inbound mode static cir 3072
 client-rate-limit direction outbound mode static cir 3972
 service-template enable
#
wlan service-template 3 clear
 ssid Statue
 bind WLAN-ESS 3
 client-rate-limit direction inbound mode static cir 3072
 client-rate-limit direction outbound mode static cir 3072
 service-template enable
#
interface NULL0
#
interface Vlan-interface20
#
interface Vlan-interface100
 description office
#
interface Vlan-interface200
 description gongyu
#
interface Vlan-interface300
 description ZJZX
#
interface GigabitEthernet1/0/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 20
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface M-GigabitEthernet1/0/0
#
interface Ten-GigabitEthernet1/0/9
#
interface Ten-GigabitEthernet1/0/10
#
interface WLAN-ESS1
 port access vlan 100
#
interface WLAN-ESS2
 port access vlan 200
#
interface WLAN-ESS3
 port access vlan 300
#
interface WLAN-ESS30
#
wlan ap-group default_group
 ap ap01
 ap ap02
 ap ap03
 ap ap04
 ap ap05
 ap ap06
 ap ap07
 ap ap08
 ap ap09
 ap ap10
 dot11bg service-template 1
 dot11bg service-template 2
 dot11bg service-template 3
 dot11bg radio enable
#
wlan ap ap01 model WA2610H-GN id 1
 serial-id 219801A0FH914BQ01152
 radio 1
  service-template 1
  service-template 2
  radio enable
#
wlan ap ap02 model WA2610H-GN id 2
 serial-id 219801A0FH914BQ01463
 radio 1
  service-template 1
  service-template 2
  service-template 3
  radio enable
#
wlan ap ap03 model WA2610H-GN id 3
 serial-id 219801A0FH914BQ01128
 radio 1
  service-template 1
  service-template 2
  service-template 3
  radio enable
#
wlan ap ap04 model WA2610H-GN id 4
 serial-id 219801A0FH914BQ01197
 radio 1
  service-template 1
  service-template 2
  service-template 3
  radio enable
#
wlan ap ap05 model WA2610H-GN id 5
 serial-id 219801A0FH914BQ01451
 radio 1
  service-template 1
  service-template 2
  service-template 3
  radio enable
#
wlan ap ap06 model WA2610H-GN id 6
 serial-id 219801A0FH914BQ01135
 radio 1
  service-template 1
  service-template 2
  service-template 3
  radio enable
#
wlan ap ap07 model WA2610H-GN id 7
 serial-id 219801A0FH914BQ01452
 radio 1
  service-template 1
  service-template 2
  service-template 3
  radio enable
#
wlan ap ap08 model WA2610H-GN id 8
 serial-id 219801A0FH914BQ01435
 radio 1
  service-template 1
  service-template 2
  service-template 3
  radio enable
#
wlan ap ap09 model WA2610H-GN id 9
 serial-id 21980
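A small audit of the appendix configurations for the settings that weaken the management plane and the wireless network: `password simple`, Telnet management, `firewall packet-filter default permit` and `clear` service templates. This is an added example, not part of the original document; the rule names and the `audit` function are assumptions made for illustration, and the sample is constructed from lines of the configurations above.

```python
import re

# Rule: (id, pattern for one stripped config line, why it matters). Ids are illustrative.
RULES = [
    ("plaintext-password", re.compile(r"password simple (\S+)"),
     "password is readable in the saved configuration"),
    ("telnet", re.compile(r"telnet server enable|service-type telnet"),
     "device management over unencrypted Telnet"),
    ("default-permit", re.compile(r"firewall packet-filter default permit"),
     "traffic not matched by any ACL rule is forwarded"),
    ("open-ssid", re.compile(r"wlan service-template \d+ clear"),
     "clear-type template: SSID traffic is not encrypted"),
]

def audit(config):
    """Return (line_no, section, rule_id, why) for each risky line.

    '#' separates sections; a section header starts in column 0, while its
    sub-commands and the global commands are indented by one space.
    """
    findings, section = [], ""
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line == "#":
            section = ""
            continue
        if line and not raw[0].isspace():
            section = line
        for rule_id, pattern, why in RULES:
            m = pattern.fullmatch(line)
            if not m:
                continue
            if rule_id == "plaintext-password" and section == "local-user " + m.group(1):
                why += "; it is identical to the user name"
            findings.append((no, section or "(global)", rule_id, why))
    return findings

# Constructed sample: lines taken from the three appendix configurations.
SAMPLE = """\
#
 firewall packet-filter default permit
#
 telnet server enable
#
local-user admin
 password simple admin
 service-type telnet
#
wlan service-template 2 clear
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The wireless controller's `password cipher` line is not flagged by these rules, but its `service-type telnet` line still is.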
