计算机网络基础及局域网构建实习案例六

计算机网络基础及局域网构建实习案例计算机技术系二〇一七年五月目录一、项目背景 1二、现状拓扑 2三、规划后拓扑 3四、网络可靠性设计 3五、路由选择 5六、IP地址规划 6七、网络边界区设计 137.1. SSLVPN配置 13八、核心交换机区设计 258.1. 核心配置 26九、服务器区设计 369.1. 服务器交换机配置 36十、安全管理区设计 56十一、内网办公区设计 5611.1. 内网汇聚交换机配置 5711.2. 内网接入交换机配置 74一、 77实习案例六、北京市丰台某医院信息化设计方案项目背景全面推进北京市丰台某三甲医院向数字化医院迈进。推进北京市丰台某三甲医院的信息化建设，建立和完善符合现代化医院发展要求的计算机网络和管理信息系统，达到模式先进、流程优化、管理配套、支撑有力、运作高效；实现人、财、物、信息的管理一体化，实现信息资源共享；重点为有信息化基础的北京市丰台某三甲医院建立和完善HIS等系统，初步建设成基于整体医院信息平台的现代信息化医院。改善北京市丰台某三甲医院就医环境，保障医疗质量，控制医疗费用，提高服务和管理水平。推进北京市丰台某三甲医院信息系统的互联互通和数据共享，为实现未来的医疗信息区域共享打下基础。现状拓扑规划后拓扑网络可靠性设计本项目涉及设备较多，建议采用IRF方式做设备冗余。IRF是IntelligentResilientFramework的简称，即智能弹性架构。是杭州华三通信技术有限公司（简称：H3C公司）融合高端HYPERLINK交换机的技术，在中低端交换机上推出的创新性建设网络核心的新技术。它将帮助用户设计和实施高可用性、高可扩展性和高可靠性的HYPERLINK万兆以太网核心和汇聚主干。在使用上，IRF和传统的三层HYPERLINK堆叠技术有一点类似。简单来说，就是支持IRF的多台交换设备可以互相连接起来形成一个“联合设备”，我们将这台“联合设备”称为一个Fabric，而将组成Fabric的每个设备称为一个Unit。多个Unit组成Fabric后，无论在管理还是在使用上，就成为了一个整体。也就是说，用户可以将这多台设备看成一台单一设备进行管理和使用。这样既可以通过增加设备来扩展HYPERLINK端口数量和交换能力，同时也通过多台设备之间的互相备份增强了设备的可靠性。使用IRF堆叠时候HYPERLINK交换机无需启用STP。优势：简化管理IRF架构形成之后，可以连接到任何一台设备的任何一个端口就以登录统一的逻辑设备，通过对单台设备的配置达到管理整个智能弹性系统以及系统内所有成员设备的效果，而不用物理连接到每台成员设备上分别对它们进行配置和管理。简化业务IRF形成的逻辑设备中运行的各种控制协议也是作为单一设备统一运行的，例如路由协议会作为单一设备统一计算，而随着跨设备链路聚合技术的应用，可以替代原有的生成树协议，这样就可以省去了设备间大量协议报文的交互，简化了网络运行，缩短了网络动荡时的收敛时间。弹性扩展可以按照用户需求实现弹性扩展，保证用户投资。并且新增的设备加入或离开IRF架构时可以实现“热插拔”，不影响其他设备的正常运行。高可靠IRF的高可靠性体现在链路，设备和协议三个方面。成员设备之间物理端口支持聚合功能，IRF系统和上、下层设备之间的物理连接也支持聚合功能，这样通过多链路备份提高了链路的可靠性；IRF系统由多台成员设备组成，一旦Master设备故障，系统会迅速自动选举新的Master，以保证通过系统的业务不中断，从而实现了设备级的1：N备份；IRF系统会有实时的协议热备份功能负责将协议的配置信息备份到其他所有成员设备，从而实现1：N的协议可靠性。高性能对于高端交换机来说，性能和端口密度的提升会受到硬件结构的限制。而IRF系统的性能和端口密度是IRF内部所有设备性能和端口数量的总和。因此，IRF技术能够轻易的将设备的交换能力、用户端口的密度扩大数倍，从而大幅度提高了设备的性能。此次方案中将2台核心7506E交换机做一个IRF区域，将2台楼层接入汇聚LS-5560-30F-EI交换机做一个IRF区域，将2台服务器接入LS-5130-52S-EI交换机做一个IRF区域，这样能大大提高的设备的冗余性和传输高效性。楼层汇聚交换机到楼层接入也采用千兆双链路下联，并且链路汇聚可以实现数据负载与硬件及链路热备。路由选择由于本次项目设计将采用IRF虚拟化技术，所以全网采用静态路由即可，静态路由方便管理，易维护，排错容易，并且协议稳定。

IP地址规划序号使用名称VLAN号IP地址段子网掩码网关1老服务器区2192.168.0.0-192.168.1.0255.255.254.0192.168.0.2541.1新服务器区13192.168.13.0255.255.255.0192.168.13.2542分诊屏终端3192.168.3.0255.255.255.0192.168.3.2543门诊楼1、2层内网PC终端4192.168.4.0255.255.255.0192.168.4.2543.1门诊楼挂号收费一半人41192.168.41.0255.255.255.0192.168.41.2543.2药房一半人42192.168.42.0255.255.255.0192.168.42.2544门诊楼3、4层内网PC终端5192.168.5.0255.255.255.0192.168.5.2545住院楼1、2、3、4层内网PC终端6192.168.6.0255.255.255.0192.168.6.2546办公楼内网PC终端7192.168.7.0255.255.255.0192.168.7.2547康复楼内网PC终端8192.168.8.0255.255.255.0192.168.8.2548网络中心平房内网PC终端9192.168.9.0255.255.255.0192.168.9.2549住院老楼内网PC终端10192.168.10.0255.255.255.0192.168.10.25410后库内网PC终端11192.168.11.0255.255.255.0192.168.11.25411传染病中心楼内网PC终端12192.168.12.0255.255.255.0192.168.12.25412备份一体机地址14192.168.14.3255.255.255.0192.168.14.25413SSLVPN终端PC地址43192.168.43.0255.255.255.0192.168.14.25414核心与服务器交换机互联101（聚合组5）192.168.2.0–192.168.2.7255.255.255.248核心交换机192.168.2.1主服务器防火墙192.168.13.252备服务器防火墙192.168.13.253服务器交换机192.168.2.615核心与内网汇聚交换机互联102（聚合组10）192.168.2.8–192.168.2.15255.255.255.248核心交换机192.168.2.9内网汇聚交换机192.168.2.1416核心与边界网闸互联103192.168.2.16–192.168.2.23255.255.255.248核心交换机192.168.2.17主边界防火墙192.168.2.18备边界防火墙192.168.2.19边界网闸192.168.2.2217边界网闸与边界路由器互联192.168.2.24–192.168.2.31255.255.255.248边界网闸192.168.2.25边界路由器192.168.2.3018主核心与远程办公SSLVPN互联105192.168.2.32–192.168.2.39255.255.255.248主核心交换机192.168.2.38远程SSLVPN192.168.2.3319预留106192.168.2.40--192.168.2.47255.255.255.24820预留107192.168.2.48--192.168.2.55255.255.255.24821预留108192.168.2.56--192.168.2.63255.255.255.24822预留109192.168.2.64--192.168.2.71255.255.255.24823预留110192.168.2.72--192.168.2.79255.255.255.24824预留111192.168.2.80--192.168.2.87255.255.255.24825预留112192.168.2.88--192.168.2.95255.255.255.24826预留113192.168.2.96--192.168.2.103255.255.255.24827预留114192.168.2.104--192.168.2.111255.255.255.24828预留115192.168.2.112--192.168.2.119255.255.255.24829预留116192.168.2.120--192.168.2.127255.255.255.24830预留117192.168.2.128--192.168.2.135255.255.255.24831预留118192.168.2.136--192.168.2.143255.255.255.24832预留119192.168.2.144--192.168.2.151255.255.255.24833预留120192.168.2.152--192.168.2.159255.255.255.24834预留121192.168.2.160--192.168.2.167255.255.255.24835预留122192.168.2.168--192.168.2.175255.255.255.24836预留123192.168.2.176--192.168.2.183255.255.255.24837预留124192.168.2.184--192.168.2.191255.255.255.24838预留125192.168.2.192--192.168.2.199255.255.255.24839预留126192.168.2.200--192.168.2.207255.255.255.24840预留127192.168.2.208--192.168.2.215255.255.255.24841预留128192.168.2.216--192.168.2.223255.255.255.24842预留129192.168.2.224--192.168.2.231255.255.255.24843预留130192.168.2.232--192.168.2.239255.255.255.24844预留131192.168.2.240--192.168.2.247255.255.255.24845医保服务器专用132192.168.2.248--192.168.2.255255.255.255.248主备核心交换机192.168.2.254医保服务器主192.168.2.249医保服务器备192.168.2.25046安全管理区网段200192.168.15.0255.255.255.0192.168.15.25447核心交换机IRF地址4001.1.1.0255.255.255.0主核心交换机1.1.1.1备核心交换机1.1.1.248内网汇聚交换机IRF地址5002.2.2.0255.255.255.0主内网汇聚交换机2.2.2.1备内网汇聚交换机2.2.2.249服务器交换机IRF地址6003.3.3.0255.255.255.0主服务交换机3.3.3.1备服务交换机3.3.3.250防火墙HA地址111.111.111.0255.255.255.0主防火墙111.111.111.111备防火墙111.111.111.11251HIS数据库服务器HA地址55.55.55.0255.255.255.0主HIS数据服务器55.55.55.2备HIS数据服务器55.55.55.152PACS服务器HA地址100055.55.55.0255.255.255.0PACS服务器13.2155.55.55.1155.55.55.21PACS服务器13.2255.55.55.1255.55.55.22PACS服务器13.2355.55.55.1355.55.55.23PACS服务器13.2455.55.55.1455.55.55.2453PACS服务器虚拟化漂移地址1001192.168.100.0255.255.255.0PACS服务器13.21192.168.100.11PACS服务器13.22192.168.100.12PACS服务器13.23192.168.100.13PACS服务器13.24192.168.100.14网络边界区设计由于医院应用系统需要开发人员进行远程调试，所以为了提高安全性需在边界区部署一台SSLVPN与内部互通，采用单链路上联方式连接至主核心。考虑到医院未来的发展需求，比如微信平台的搭建，需要公众人员访问到内部服务器部分资源，所以为了提高安全性及数据的快速转发，需在边界部署一台路由器做为数据转发处理，在路由器连接至内网链路中部署网闸及防火墙、IPS、AV设备实现安全访问，路由器采用千兆电口单链路方式连接至网闸，网闸通过千兆光纤双链路聚合方式连接至两台内网核心H3CS7506交换机（此计划为二期建设规划）SSLVPN配置第一步：升级版本为V7版本第二步：设备名称、配置接口地址、路由、定义区域间放行ACL、区域之间开放sysnamesslvpninterfaceGigabitEthernet1/0/1内网接口portlink-moderoutedescriptionInside描述自己定义ipinterfaceGigabitEthernet1/0/2外网接口portlink-moderoutedescriptionOutside描述自己定义ipipipipaclbasic2000定义aclrule10permit放行所有security-zonenameTrust定义信任区域中的接口importinterfaceGigabitEthernet1/0/1#security-zonenameUntrustimportinterfaceGigabitEthernet1/0/2zone-pairsecuritysourceLocaldestinationAny定义local区域间到any规则（这里any指其它区域）packet-filter2000匹配acl2000#zone-pairsecuritysourceTrustdestinationAnypacket-filter2000#zone-pairsecuritysourceUntrustdestinationAnypacket-filter2000第三步：配置管理用户名、密码及开启telnetlocal-useradminclassmanagepasswordsimpleadminservice-typetelnetterminalauthorization-attributeuser-rolelevel-3authorization-attributeuser-rolenetwork-adminauthorization-attributeuser-rolenetwork-operatorquitlinevty04定义远程访问及方式authentication-modeschemeuser-rolenetwork-adminprotocolinboundtelnettelnetserverenable第四步：配置PKI域sslvpn<Sysname>system-view

[Sysname]pkidomainsslvpn

定义pki域名称sslvpn

[Sysname-pki-domain-sslvpn]public-keyrsageneralnamesslvpn公钥名称sslvpn

[Sysname-pki-domain-sslvpn]undocrlcheckenable

crl不检查

[Sysname-pki-domain-sslvpn]quit第五步：导入CA证书ca.cer和服务器证书server.pfx，输入服务器证书密码[Sysname]pkiimportdomainsslvpnpemcafilenameXXX.cer

注意后缀（网络中没有ca服务器、附件中有证书）

[Sysname]pkiimportdomainsslvpnp12localfilenameserver.pfx

pkiimportdomainsslvpnp12localfilenameXXXX.pfx第六步：配置SSL服务端策略ssl[Sysname]sslserver-policyssl

定义名称

[Sysname-ssl-server-policy-ssl]pki-domainsslvpn调用上pki-domain[Sysname-ssl-server-policy-ssl]ciphersuitersa_aes_128_cbc_sha[Sysname-ssl-server-policy-ssl]client-verifyenable客户端开启

[Sysname-ssl-server-policy-ssl]quit第七部：配置SSLVPN网关gwssl，并开启服务sslvpngatewaygwipsslserver-policysslserviceenable第八步：创建ACL3000（端口转发使用），配置SSLVPN访问实例ctx1引用SSLVPN网关gw，指定域名为domain1，并配置端口转发列表及创建SSLVPN策略组，并引用端口转发列表plist。acladvanced3000rule0permittcprule5permittcpdestination-porteq3389sslvpncontextctx1gatewaygwdomaindomain1port-forwardplistquitport-forwardplist1quitport-forwardplist2quitpolicy-groupchuainingresourcesport-forwardplist2filtertcp-access3000policy-grouphisgroupresourcesport-forwardplist1filtertcp-access3000policy-grouppacsgroupresourcesport-forwardplistfiltertcp-access3000serviceenable第九步：定义用户组名称及将SSLVPN策略组授权给此用户组。user-groupchuainingauthorization-attributesslvpn-policy-groupchuaininguser-grouphisgroupauthorization-attributesslvpn-policy-grouphisgroupuser-grouppacsgroupauthorization-attributesslvpn-policy-grouppacsgroup第十步：创建本地用户名、密码，服务应用给SSLVPN，用户角色为network-operator，设置用户所属的组local-userbjftzxy001classnetworkpasswordcipher$c$3$5OY4awX6TeFiA0dX50PK2V39zjPFj4pPBw0=service-typesslvpngrouphisgroupauthorization-attributeuser-rolenetwork-operator#local-userbjftzxy002classnetworkpasswordcipher$c$3$jJ4SphV+Sk1O5P7BwblWJ4cGgmEpGjlDtSg=service-typesslvpngrouphisgroupauthorization-attributeuser-rolenetwork-operator#local-userbjftzxy003classnetworkpasswordcipher$c$3$LzEaO2qapvbM6xw9JdcB4UCbpEwhH6TeMGY=service-typesslvpngrouphisgroupauthorization-attributeuser-rolenetwork-operator#local-userbjftzxy004classnetworkpasswordcipher$c$3$2EQZnUsjxXuhz0bEZJcgkcP241RqKWRg+a8=service-typesslvpngrouphisgroupauthorization-attributeuser-rolenetwork-operator#local-userbjftzxy005classnetworkpasswordcipher$c$3$kR8kdcCKtwyU+c+WNzz8g7rPFl82yK0uGYg=service-typesslvpngrouphisgroupauthorization-attributeuser-rolenetwork-operator#local-userbjftzxy006classnetworkpasswordcipher$c$3$OVHEI4XydsPKc8NPxYZdqt98Z0nkPcgVwaE=service-typesslvpngrouphisgroupauthorization-attributeuser-rolenetwork-operator#local-userbjftzxy007classnetworkpasswordcipher$c$3$RcRt2RjIxYk2K7O/2TheLq35NM9C2R+F9k8=service-typesslvpngrouphisgroupauthorization-attributeuser-rolenetwork-operator#local-userbjftzxy008classnetworkpasswordcipher$c$3$M1QeUFxxPQEGN7lNwvq+Nc8zvdUpS8WWptc=service-typesslvpngrouphisgroupauthorization-attributeuser-rolenetwork-operator#local-userbjftzxy009classnetworkpasswordcipher$c$3$Yy4K8ikBS4k104y2ud7H1FJOFWbl8Q87xUU=service-typesslvpngrouphisgroupauthorization-attributeuser-rolenetwork-operator#local-userbjftzxy010classnetworkpasswordcipher$c$3$ph46/m4sAKcteilecCMfebtoC5Pu534EU1k=service-typesslvpngrouphisgroupauthorization-attributeuser-rolenetwork-operator#local-userbjftzxy011classnetworkpasswordcipher$c$3$cCNB7Hp3nGr8RmPr3quKJK2JtPz2GzM1nwc=service-typesslvpngrouphisgroupauthorization-attributeuser-rolenetwork-operator#local-userbjftzxy012classnetworkpasswordcipher$c$3$gYqFB+n2FLqfPHYGkwFloImjc6SBjyr7ZMg=service-typesslvpngrouphisgroupauthorization-attributeuser-rolenetwork-operator#local-userbjftzxy013classnetworkpasswordcipher$c$3$gNej+bakHZcESfDPmrBmPv2lOHSEH9I7Uxk=service-typesslvpngrouphisgroupauthorization-attributeuser-rolenetwork-operator#local-userchuainingclassnetworkpasswordcipher$c$3$nEB+b/ka/3X9IpuP4LcCsLwfIob+NBl/Mw==service-typesslvpngroupchuainingauthorization-attributeuser-rolenetwork-operator#local-userkodak01classnetworkpasswordcipher$c$3$wE9CABSGkdiEf4DNEM9xfXI8ugrov44f1EA=service-typesslvpngrouppacsgroupauthorization-attributeuser-rolenetwork-operator#local-userkodak02classnetworkpasswordcipher$c$3$gK8p/t/VwM9nSbyi6AbZ6lh5+ZtjJZjY9EY=service-typesslvpngrouppacsgroupauthorization-attributeuser-rolenetwork-operator第十一步：SNMP配置snmp-agentsnmp-agentcommunityreadpublicsnmp-agentcommunitywriteprivatesnmp-agentsys-infoversionallsnmp-agenttarget-hosttrapaddressudpparamssecuritynamepublicv2c核心交换机区设计本次核心交换区采用两台H3CS7506交换机进行IRF虚拟化配置，实现设备、链路冗余负载，路由采用静态路由方式与各区域之间互通。采用万兆光纤双链路聚合方式连接至两台内网楼层汇聚H3C5560交换机；采用千兆光纤双链路聚合方式连接至两台内网服务器H3C5130交换机；采用以太网单链路方式由主核心交换机上联至一台远程办公SSLVPN设备；采用千兆光纤双链路聚合方式连接至一台边界网闸设备，并在此两条链路上分别部署一台带有IPS、AV功能的防火墙设备，（此计划为二期建设规划，并且计划将服务器区防火墙放在此位置，购置两台万兆光口带有AV、IPS的防火墙放在服务器区，提高性能转发性）；采用千兆光纤双链路聚合方式连接至一台内网安全管理区交换机（此计划为二期建设规划）。核心配置第一步：搭建IRF虚拟化主核心配置：[H3C]irfmember1配置成员Info:MemberIDchangewilltakeeffectafterthememberrebootsandoperatesinIRFmode.[H3C]irfpriority10配置优先级[H3C]intrangTen-GigabitEthernet2/0/7toTen-GigabitEthernet2/0/8[H3C-if-range]shutdown关闭接口[H3C-if-range]quit[H3C]irf-port2配置堆叠端口[H3C-irf-port2]portgroupinterfaceTen-GigabitEthernet2/0/7加入堆叠接口[H3C-irf-port2]portgroupinterfaceTen-GigabitEthernet2/0/8加入堆叠接口[H3C-irf-port2]quit[H3C]intrangTen-GigabitEthernet2/0/7toTen-GigabitEthernet2/0/8[H3C-if-range]undoshutdown激活接口[H3C-if-range]quit[H3C]save保存Thecurrentconfigurationwillbewrittentothedevice.Areyousure?[Y/N]:yPleaseinputthefilename(*.cfg)[flash:/startup.cfg](Toleavetheexistingfilenameunchanged,presstheenterkey):Validatingfile.PleasewaitThecurrentconfigurationissavedtotheactivemainboardsuccessfully.Configurationissavedtodevicesuccessfully.[H3C]chassisconvertmodeirf将设备的运行模式切换到IRF模式下ThedevicewillswitchtoIRFmodeandreboot.Youarerecommendedtosavethecurrentrunningconfigurationandspecifytheconfigurationfileforthenextstartup.Continue?[Y/N]:yDoyouwanttoconvertthecontentofthenextstartupconfigurationfileflash:/startup.cfgtomakeitavailableinIRFmode?[Y/N]:yPleasewait备核心配置：system-view[H3C]irfmember2Info:MemberIDchangewilltakeeffectafterthememberrebootsandoperatesinIRFmode.[H3C]irfpriority2[H3C]intrangTen-GigabitEthernet2/0/7toTen-GigabitEthernet2/0/8[H3C-if-range]shutdown[H3C-if-range]quit[H3C]irf-port1[H3C-irf-port1]portgroupinterfaceTen-GigabitEthernet2/0/7[H3C-irf-port1]portgroupinterfaceTen-GigabitEthernet2/0/8[H3C-irf-port1]quit[H3C]intrangTen-GigabitEthernet2/0/7toTen-GigabitEthernet2/0/8[H3C-if-range]undoshutdown[H3C-if-range]quit[H3C]saveThecurrentconfigurationwillbewrittentothedevice.Areyousure?[Y/N]:yPleaseinputthefilename(*.cfg)[flash:/startup.cfg](Toleavetheexistingfilenameunchanged,presstheenterkey):Validatingfile.PleasewaitThecurrentconfigurationissavedtotheactivemainboardsuccessfully.Configurationissavedtodevicesuccessfully.注：此时将两台设备之间的万兆光纤线连接好[H3C]chassisconvertmodeirfThedevicewillswitchtoIRFmodeandreboot.Youarerecommendedtosavethecurrentrunningconfigurationandspecifytheconfigurationfileforthenextstartup.Continue?[Y/N]:yDoyouwanttoconvertthecontentofthenextstartupconfigurationfileflash:/startup.cfgtomakeitavailableinIRFmode?[Y/N]:y堆叠成功后改变域值及开启MAC地址更新[H3C]irfdomain10加入域10中irfmac-addresspersistentalwaysirfauto-updateenable第二部：配置IRF检测线interfaceVlan-interface400descriptionBFDJCmadbfdenablemadipmadipinterfaceGigabitEthernet1/3/0/32（端口不要开生成树）portlink-modebridgeportaccessvlan400interfaceGigabitEthernet2/3/0/32（端口不要开生成树）portlink-modebridgeportaccessvlan400第三步：核心交换机命名、配置vlan、ip地址、路由SysnameHeXinvlan101to102vlan105vlan132vlan400interfaceVlan-interface101descriptionFuWuQiHuiJuipinterfaceVlan-interface102descriptionLouCengHuiJuipinterfaceVlan-interface105descriptionSSLVPNipinterfaceVlan-interface132descriptionyibaofuwuqiipipipipipipipipipipipipipipipipip第四步：核心交换机上配置链路聚合及相应的端口划分到链路聚合interfaceBridge-Aggregation5descriptionFuWuQiHuiJuinterfaceBridge-Aggregation10descriptionLouCengHuiJuinterfaceGigabitEthernet1/5/0/1portlink-modebridgedescriptionFuWuQiHuiJu-zhuportlink-aggregationgroup5interfaceGigabitEthernet2/4/0/1portlink-modebridgedescriptionFuWuQiHuiJu-Backportlink-aggregationgroup5interfaceTen-GigabitEthernet1/2/0/1portlink-modebridgedescriptionLouCenHuiJu-Masterportlink-aggregationgroup10interfaceTen-GigabitEthernet2/2/0/1portlink-modebridgedescriptionLouCenHuiJu-Backportlink-aggregationgroup10interfaceBridge-Aggregation5portaccessvlan101interfaceBridge-Aggregation10portaccessvlan102第五步：相应的端口划分到VLANinterfaceGigabitEthernet1/3/0/30portlink-modebridgeportaccessvlan132interfaceGigabitEthernet1/3/0/31portlink-modebridgeportaccessvlan105interfaceGigabitEthernet2/3/0/30portlink-modebridgeportaccessvlan132interfaceGigabitEthernet2/3/0/31portlink-modebridgeportaccessvlan105第六步：配置SNMPsnmp-agentsnmp-agentcommunityreadpublicsnmp-agentcommunitywriteprivatesnmp-agentsys-infoversionallsnmp-agenttarget-hosttrapaddressudpparamssecuritynamepublicv2c第七步：配置远程管理及本地管理认证user-interfaceaux1/0authentication-modeschemeuser-interfaceaux2/0authentication-modeschemeuser-interfacevty04authentication-modeschemelocal-useradminpasswordcipherxxxxxxxxxauthorization-attributelevel3service-typetelnetterminaltelnetserverenable服务器区设计服务器区采用两台H3CS5600交换机做IRF虚拟化配置，实现设备、链路冗余负载，路由采用静态路由方式与核心交换机之间互通。采用千兆光纤双链路聚合方式连接至两台内网核心H3CS7506交换机，并在此两条链路中分别部署一台带有IPS、AV功能的防火墙设备，提高服务器区的数据安全。服务器交换机配置第一步：配置IRF主服务器交换机：<H3C>system-view[H3C]irfmember1priority10设置成员优先级（默认成员是1）[H3C]intrangeTen-GigabitEthernet1/0/51toTen-GigabitEthernet1/0/52[H3C-if-range]shutdown[H3C-if-range]quit[H3C]irf-port1/2[H3C-irf-port1/2]portgroupinterfaceTen-GigabitEthernet1/0/51[H3C-irf-port1/2]portgroupinterfaceTen-GigabitEthernet1/0/52[H3C-irf-port1/2]quit[H3C]intrangeTen-GigabitEthernet1/0/51toTen-GigabitEthernet1/0/52[H3C-if-range]undoshutdown[H3C-if-range]quit[H3C]irf-port-configurationactiveirf端口配置激活[H3C]save[H3C]reboot备服务器交换机：<H3C>system-view[H3C]irfmember1renumber2(y)[H3C]reboot<H3C>system-viewSystemView:returntoUserViewwithCtrl+Z.[H3C]irfmember2[H3C]intrangeTen-GigabitEthernet2/0/51toTen-GigabitEthernet2/0/52[H3C-if-range]shutdown[H3C-if-range]quit[H3C]irf-port2/1[H3C-irf-port2/1]portgroupinterfaceTen-GigabitEthernet2/0/51[H3C-irf-port2/1]portgroupinterfaceTen-GigabitEthernet2/0/52[H3C-irf-port2/1]quit[H3C]intrangeTen-GigabitEthernet2/0/51toTen-GigabitEthernet2/0/52[H3C-if-range]undoshutdown[H3C-if-range]quit[H3C]irf-port-configurationactive[H3C]save注：重启之前将设备之间万兆光纤连好[H3C]reboot堆叠成功后改变域值及MAC地址更新[H3C]irfdomain5加入域5中irfmac-addresspersistentalwaysirfauto-updateenable第二部：配置IRF检测线interfaceVlan-interface600madbfdenablemadipmadipinterfaceGigabitEthernet1/0/48（关闭STP）portaccessvlan600undostpenableinterfaceGigabitEthernet2/0/48（关闭STP）portaccessvlan600undostpenable第三步：核心交换机命名、配置vlan、ip地址、路由Sysnamefuwuqijiaohuanjivlan2vlan13vlan101vlan600vlan1000to1001interfaceVlan-interface2ipinterfaceVlan-interface13ipinterfaceVlan-interface101descriptiontohexinipip第四步：核心交换机上配置链路聚合及相应的端口划分到链路聚合interfaceBridge-Aggregation5interfaceBridge-Aggregation201interfaceBridge-Aggregation202interfaceBridge-Aggregation203interfaceBridge-Aggregation204interfaceBridge-Aggregation205interfaceBridge-Aggregation206interfaceBridge-Aggregation207interfaceBridge-Aggregation208interfaceBridge-Aggregation209interfaceBridge-Aggregation210interfaceBridge-Aggregation211interfaceBridge-Aggregation212interfaceBridge-Aggregation213interfaceBridge-Aggregation214interfaceBridge-Aggregation215interfaceBridge-Aggregation216interfaceBridge-Aggregation217interfaceBridge-Aggregation218interfaceBridge-Aggregation219interfaceBridge-Aggregation220interfaceBridge-Aggregation221interfaceBridge-Aggregation222interfaceBridge-Aggregation223interfaceBridge-Aggregation224interfaceBridge-Aggregation241interfaceBridge-Aggregation242interfaceBridge-Aggregation243interfaceBridge-Aggregation244interfaceGigabitEthernet1/0/1portlink-aggregationgroup201interfaceGigabitEthernet1/0/2portlink-aggregationgroup202interfaceGigabitEthernet1/0/3portlink-aggregationgroup203interfaceGigabitEthernet1/0/4portlink-aggregationgroup204interfaceGigabitEthernet1/0/5portlink-aggregationgroup205interfaceGigabitEthernet1/0/6portlink-aggregationgroup206interfaceGigabitEthernet1/0/7portlink-aggregationgroup207interfaceGigabitEthernet1/0/8portlink-aggregationgroup208interfaceGigabitEthernet1/0/9portlink-aggregationgroup209interfaceGigabitEthernet1/0/10portlink-aggregationgroup210interfaceGigabitEthernet1/0/11portlink-aggregationgroup211interfaceGigabitEthernet1/0/12portlink-aggregationgroup212interfaceGigabitEthernet1/0/13portlink-aggregationgroup213interfaceGigabitEthernet1/0/14portlink-aggregationgroup214interfaceGigabitEthernet1/0/15portlink-aggregationgroup215interfaceGigabitEthernet1/0/16portlink-aggregationgroup216interfaceGigabitEthernet1/0/17portlink-aggregationgroup217interfaceGigabitEthernet1/0/18portlink-aggregationgroup218interfaceGigabitEthernet1/0/19portlink-aggregationgroup219interfaceGigabitEthernet1/0/20portlink-aggregationgroup220interfaceGigabitEthernet1/0/21portlink-aggregationgroup221interfaceGigabitEthernet1/0/22portlink-aggregationgroup222interfaceGigabitEthernet1/0/23portlink-aggregationgroup223interfaceGigabitEthernet1/0/24portlink-aggregationgroup224interfaceGigabitEthernet1/0/35portlink-aggregationgroup241interfaceGigabitEthernet2/0/1portlink-aggregationgroup201interfaceGigabitEthernet2/0/2portlink-aggregationgroup202interfaceGigabitEthernet2/0/3portlink-aggregationgroup203interfaceGigabitEthernet2/0/4portlink-aggregationgroup204interfaceGigabitEthernet2/0/5portlink-aggregationgroup205interfaceGigabitEthernet2/0/6portlink-aggregationgroup206interfaceGigabitEthernet2/0/7portlink-aggregationgroup207interfaceGigabitEthernet2/0/8portlink-aggregationgroup208interfaceGigabitEthernet2/0/9portlink-aggregationgroup209interfaceGigabitEthernet2/0/10portlink-aggregationgroup210interfaceGigabitEthernet2/0/11portlink-aggregationgroup211interfaceGigabitEthernet2/0/12portlink-aggregationgroup212interfaceGigabitEthernet2/0/13portlink-aggregationgroup213interfaceGigabitEthernet2/0/14portlink-aggregationgroup214interfaceGigabitEthernet2/0/15portlink-aggregationgroup215interfaceGigabitEthernet2/0/16portlink-aggregationgroup216interfaceGigabitEthernet2/0/17portlink-aggregationgroup217interfaceGigabitEthernet2/0/18portlink-aggregationgroup218interfaceGigabitEthernet2/0/19portlink-aggregationgroup219interfaceGigabitEthernet2/0/20portlink-aggregationgroup220interfaceGigabitEthernet2/0/21portlink-aggregationgroup221interfaceGigabitEthernet2/0/22portlink-aggregationgroup222interfaceGigabitEthernet2/0/23portlink-aggregationgroup223interfaceGigabitEthernet2/0/24portlink-aggregationgroup224interfaceGigabitEthernet2/0/35portlink-aggregationgroup241interfaceTen-GigabitEthernet1/0/49descriptionLink-ZHXportlink-aggregationgroup5interfaceTen-GigabitEthernet2/0/49descriptionLink-BHXportlink-aggregationgroup5interfaceBridge-Aggregation5portaccessvlan101interfaceBridge-Aggregation201portaccessvlan13interfaceBridge-Aggregation202portaccessvlan13interfaceBridge-Aggregation203portaccessvlan13interfaceBridge-Aggregation204portaccessvlan13interfaceBridge-Aggregation205portaccessvlan13interfaceBridge-Aggregation206portaccessvlan13interfaceBridge-Aggregation207portaccessvlan13interfaceBridge-Aggregation208portaccessvlan13interfaceBridge-Aggregation209portaccessvlan13interfaceBridge-Aggregation210portaccessvlan13interfaceBridge-Aggregation211portaccessvlan13interfaceBridge-Aggregation212portaccessvlan13interfaceBridge-Aggregation213portaccessvlan13interfaceBridge-Aggregation214portaccessvlan13interfaceBridge-Aggregation215portaccessvlan13interfaceBridge-Aggregation216portaccessvlan13interfaceBridge-Aggregation217portaccessvlan13interfaceBridge-Aggregation218portaccessvlan13interfaceBridge-Aggregation219portaccessvlan13interfaceBridge-Aggregation220portaccessvlan13interfaceBridge-Aggregation221portaccessvlan13interfaceBridge-Aggregation222portaccessvlan13interfaceBridge-Aggregation223portaccessvlan13interfaceBridge-Aggregation224portaccessvlan13interfaceBridge-Aggregation241portaccessvlan2interfaceBridge-Aggregation242portaccessvlan2interfaceBridge-Aggregation243portaccessvlan2interfaceBridge-Aggregation244portaccessvlan2第五步：相应的端口划分到VLANinterfaceGigabitEthernet1/0/25portaccessvlan13interfaceGigabitEthernet1/0/26portaccessvlan13interfaceGigabitEthernet1/0/27portaccessvlan2interfaceGigabitEthernet1/0/28portaccessvlan2interfaceGigabitEthernet1/0/29portaccessvlan2interfaceGigabitEthernet1/0/30portaccessvlan2interfaceGigabitEthernet1/0/31portaccessvlan13interfaceGigabitEthernet1/0/32portaccessvlan2interfaceGigabitEthernet1/0/33portaccessvlan2interfaceGigabitEthernet1/0/34portaccessvlan2interfaceGigabitEthernet1/0/36portaccessvlan2interfaceGigabitEthernet1/0/37portaccessvlan2interfaceGigabitEthernet1/0/38portaccessvlan2interfaceGigabitEthernet1/0/39portaccessvlan2interfaceGigabitEthernet1/0/40portaccessvlan2interfaceGigabitEthernet1/0/41descriptionLink-PACS-HCHportaccessvlan1000interfaceGigabitEthernet1/0/42descriptionLink-PACS-HCHportaccessvlan1000interfaceGigabitEthernet1/0/43descriptionLink-PACS-HCHportaccessvlan1000interfaceGigabitEthernet1/0/44descriptionLink-PACS-HCHportaccessvlan1000interfaceGigabitEthernet1/0/45portaccessvlan2interfaceGigabitEthernet1/0/46portaccessvlan13interfaceGigabitEthernet1/0/47portaccessvlan13interfaceGigabitEthernet2/0/25portaccessvlan13interfaceGigabitEthernet2/0/26portac