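Following a teacher on Bilibili, I used Huawei eNSP to simulate a campus network, and it was quite fun.
Although the teacher said this one is very simple, it is still more complex than the topology at my company.
LSW3 configuration
Uplink ports 3/4 are configured as trunk ports; downlink ports 1/2 are access ports for connecting terminals.
[Huawei]vlan batch 10 20 --create VLANs
[Huawei]port-group group-member e0/0/3 e0/0/4 --port group
[Huawei-port-group]p l t --trunk port
[Huawei-port-group]p t a v 10 20 --allow VLANs
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]p l a --access port
[Huawei-Ethernet0/0/1]p d v 20 --default VLAN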
[Huawei-Ethernet0/0/1]int e0/0/2
[Huawei-Ethernet0/0/2]p l a
[Huawei-Ethernet0/0/2]p d v 10
LSW4 configuration
[Huawei]sys LSW4 --rename
[LSW4]vlan batch 30 40 50 --create VLANs
[LSW4]port-group group-member e0/0/3 e0/0/4 --port group
[LSW4-port-group]p l t --trunk port
[LSW4-port-group]p t a v 30 40 50 --allow VLANs
[LSW4]int e0/0/1
[LSW4-Ethernet0/0/1]p l a --access port
[LSW4-Ethernet0/0/1]p d v 30 --default VLAN
[LSW4-Ethernet0/0/1]int e0/0/2
[LSW4-Ethernet0/0/2]p l a
[LSW4-Ethernet0/0/2]p d v 40
[LSW4-Ethernet0/0/2]int e0/0/5
[LSW4-Ethernet0/0/5]p l a
[LSW4-Ethernet0/0/5]p d v 50
LSW5 configuration
[LSW5]port-group group-member g0/0/1 g0/0/2 g0/0/3
[LSW5-port-group]p l a
[LSW5-port-group]p d v 70
[LSW5]int vlan70
[LSW5-Vlanif70]ip address 10.20.70.2 24
LSW1 configuration
[Huawei]sys LSW1
[LSW1]vlan batch 10 20 30 40 50 60 70 80 90 --create VLANs
[LSW1]port-group group-member g0/0/1 g0/0/4 --port group
[LSW1-port-group]p l t
[LSW1-port-group]p t a v 10 20 30 40 50 70 80
[LSW1-Eth-Trunk1]trunkport g 0/0/2 0/0/3 --link aggregation
[LSW1-Eth-Trunk1]p l t
[LSW1-Eth-Trunk1]p t a v 10 20 30 40 50 70 80
[LSW1-Eth-Trunk1]int g0/0/5
[LSW1-GigabitEthernet0/0/5]p l a
[LSW1-GigabitEthernet0/0/5]p d v 90 --VLAN 90 is the border, connecting to the egress router
[LSW1-GigabitEthernet0/0/5]int g0/0/6
[LSW1-GigabitEthernet0/0/6]p l a
[LSW1-GigabitEthernet0/0/6]p d v 70
[LSW1]int vlan80
[LSW1-Vlanif80]ip address 10.20.80.1 24 --create a Vlanif for the OSPF connection
[LSW1]int vlan70
[LSW1-Vlanif70]ip address 10.20.70.1 24 --create a Vlanif for the data center connection
[LSW1-Vlanif70]int vlan90
[LSW1-Vlanif90]ip address 10.20.90.1 24 --create a Vlanif for the border router connection
LSW2 configuration
[Huawei]sys LSW2
[LSW2]vlan batch 10 20 30 40 50 60 70 80 --create VLANs
[LSW2]port-group group-member g0/0/1 g0/0/4 --port group
[LSW2-port-group]p l t --trunk port
[LSW2-port-group]p t a v 10 20 30 40 50 60 70 80 --allow VLANs
[LSW2]int g0/0/5
[LSW2-GigabitEthernet0/0/5]p l t
[LSW2-GigabitEthernet0/0/5]p t a v 50 60 --allow the wireless VLANs
[LSW2]int Eth-Trunk 1 --link aggregation
[LSW2-Eth-Trunk1]trunkport g 0/0/2 0/0/3
[LSW2-Eth-Trunk1]p t a v 10 20 30 40 50 60 70 80
[LSW2]int vlan 50
[LSW2-Vlanif50]ip address 10.20.50.1 24 --VLAN 50 is used to connect to the AC
[LSW2-Vlanif50]int vlan 80
[LSW2-Vlanif80]ip address 10.20.80.2 24 --VLAN 80 is used for OSPF
[LSW2-Vlanif60]ip address 10.20.60.2 24 --the AC's service VLAN
AC configuration
Configure a WLAN that forwards through a tunnel
[AC6005]vlan batch 50 60 --create VLANs
[AC6005]dhcp enable --enable DHCP
[AC6005]int g0/0/1
[AC6005-GigabitEthernet0/0/1]p l t
[AC6005-GigabitEthernet0/0/1]p t a v 50 60
[AC6005]int vlan 50
[AC6005-Vlanif50]ip address 10.20.50.2 24
[AC6005-Vlanif50]dhcp select interface --interface-based DHCP
[AC6005-Vlanif50]dhcp server gateway-list 10.20.50.1
[AC6005-Vlanif50]dhcp server lease day 0 hour 8
[AC6005]capwap source interface vlanif 50 --specify the CAPWAP source
[AC6005]wlan
[AC6005-wlan-view]ssid-profile name jd --create the SSID profile
[AC6005-wlan-ssid-prof-jd]ssid jd --define the Wi-Fi name
[AC6005-wlan-view]security-profile name jd --create the security profile
[AC6005-wlan-sec-prof-jd]security wpa2 psk pass-phrase Lyu123!! aes --define the password
[AC6005-wlan-view]vap-profile name jd --create the VAP profile
[AC6005-wlan-vap-prof-jd]ssid-profile jd
[AC6005-wlan-vap-prof-jd]security-profile jd
[AC6005-wlan-vap-prof-jd]forward-mode tunnel --configure the forwarding mode
[AC6005-wlan-vap-prof-jd]service-vlan vlan-id 60 --define the service VLAN
[AC6005-wlan-view]ap-id 0 ap-mac 00e0-fcfe-2c00 --bind the AP
[AC6005-wlan-ap-0]ap-name AP1 --name the AP
[AC6005-wlan-ap-group-jd]vap-profile jd --create the AP group
[AC6005-wlan-ap-group-jd]vap-profile jd wlan 1 radio 1 --apply the VAP profile and configure the radio
[AC6005-wlan-ap-group-jd]ap-id 0
[AC6005-wlan-ap-0]ap-group jd --add the AP to the group
[AC6005-Vlanif60]ip address 10.20.60.1 24 --create DHCP for the service VLAN
[AC6005-Vlanif60]dhcp select interface
DHCP configuration
#LSW1
[LSW1]dhcp enable
[LSW1]ip pool vlan10 --create the address pool
[LSW1-ip-pool-vlan10]network 10.20.10.0 mask 24
[LSW1-ip-pool-vlan10]gateway-list 10.20.10.1
[LSW1-ip-pool-vlan10]lease day 0 hour 8
[LSW1-ip-pool-vlan10]dns-list 8.8.8.8
[LSW1]int Vlanif 10
[LSW1-Vlanif10]ip address 10.20.10.1 24
[LSW1-Vlanif10]dhcp select global --enable global DHCP
[LSW1]ip pool vlan20
[LSW1-ip-pool-vlan20]network 10.20.20.0 mask 24
[LSW1-ip-pool-vlan20]gateway-list 10.20.20.1
[LSW1-ip-pool-vlan20]dns-list 202.96.128.86
[LSW1-ip-pool-vlan20]lease day 0 hour 8
[LSW1]int vlan20
[LSW1-Vlanif20]ip address 10.20.20.1 24
[LSW1-Vlanif20]dhcp select global
#LSW2
[LSW2]dhcp enable
[LSW2]int vlan30
[LSW2-Vlanif30]ip address 10.20.30.1 24
[LSW2-Vlanif30]dhcp select interface
[LSW2-Vlanif30]dhcp server dns-list 114.114.114.114
[LSW2-Vlanif30]dhcp server lease day 0 hour 8
[LSW2]int vlan40
[LSW2-Vlanif40]ip address 10.20.40.1 24
[LSW2-Vlanif40]dhcp select interface
[LSW2-Vlanif40]dhcp server dns-list 202.96.128.86
[LSW2-Vlanif40]dhcp server lease day 0 hour 8
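IPS configuration
Simulates the carrier's equipment
#Create the address pool
[IPS]ip pool BH --create the address pool
[IPS-ip-pool-BH]network 10.20.100.0 mask 24 --declare the address pool's network segment
[IPS-ip-pool-BH]gateway-list 10.20.100.1
#Create the AAA authentication user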
[IPS]aaa
[IPS-aaa]local-user huawei password cipher 123 --create a local user
[IPS-aaa]local-user huawei service-type ppp --set the service type to PPP
[IPS]int Virtual-Template 1 --enter the virtual template
[IPS-Virtual-Template1]ip address 10.20.100.2 24
[IPS-Virtual-Template1]ppp authentication-mode chap --challenge handshake; the password goes through a hash computation, high security
[IPS-Virtual-Template1]remote address pool BH
#Enter the interface and bind the VT
[IPS-GigabitEthernet0/0/0]pppoe-server bind virtual-template 1
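AR1 configuration - NAT - PPP
Configure OSPF and NAT address translation
Only 10, 40 and 50 are allowed to access the network
#Configure OSPF
[Huawei]sys AR1
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip address 10.20.90.2 24
#Configure NAT
[AR1]acl 2000 --create the ACL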
[AR1-acl-basic-2000]rule permit source 10.20.10.0 0.0.0.255
[AR1-acl-basic-2000]rule permit source 10.20.40.0 0.0.0.255
[AR1-acl-basic-2000]rule permit source 10.20.50.0 0.0.0.255
[AR1-acl-basic-2000]rule deny source any
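[AR1]int Dialer 0 --apply ACL 2000 on the dialer interface
[AR1-Dialer0]nat outbound 2000
[AR1-Dialer0]ip address 10.20.100.1 24 --the peer IPS network segment is 100
[AR1]ip route-static 0.0.0.0 0 Dialer 0 --configure the default route
[AR1-ospf-1]default-route-advertise --advertise the default route
#Configure dial-up Internet access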
[AR1]int Dialer 0
[AR1-Dialer0]dialer user user1
[AR1-Dialer0]dialer bundle 1
[AR1-Dialer0]ppp chap user huawei
[AR1-Dialer0]ppp chap password cipher 123
[AR1-Dialer0]ip address ppp-negotiate --obtain the IP through PPP negotiation
[AR1-Dialer0]int g0/0/0 --enter the physical interface
[AR1-GigabitEthernet0/0/0]pppoe-client dial-bundle-number 1 --bind the bundle
[AR1]dis ip int brief --view the interface IPs to verify that dialing succeeded
Interface IP Address/Mask Physical Protocol
Dialer0 10.20.100.254/32 up
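Added example (not part of the original post): a Python evaluator for ACL 2000 as entered on AR1 above, showing which of the post's VLAN subnets match a permit rule and are therefore translated by nat outbound 2000. Evaluating rules in the order entered with the first match deciding, and treating an unmatched source as not translated, are assumptions of this sketch; the WLAN service subnet 10.20.60.0/24 is not among the permitted sources.

```python
import ipaddress

# ACL 2000 exactly as entered on AR1 in the post: (action, source, wildcard).
ACL_2000 = [
    ("permit", "10.20.10.0", "0.0.0.255"),
    ("permit", "10.20.40.0", "0.0.0.255"),
    ("permit", "10.20.50.0", "0.0.0.255"),
    ("deny", "any", None),
]

# Subnets taken from the Vlanif addresses configured in the post.
VLAN_SUBNETS = {v: f"10.20.{v}.0/24" for v in (10, 20, 30, 40, 50, 60, 70, 80, 90)}


def rule_matches(addr, source, wildcard):
    """Wildcard semantics: a 0 bit must match the source, a 1 bit is ignored."""
    if source == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(addr) & care) == (int(ipaddress.IPv4Address(source)) & care)


def acl_action(acl, ip):
    """Return the action of the first matching rule (assumed: rules in entry order)."""
    addr = ipaddress.IPv4Address(ip)
    for action, source, wildcard in acl:
        if rule_matches(addr, source, wildcard):
            return action
    return "deny"  # assumption: no match means the source is not translated


def translated_vlans(acl, subnets):
    """VLANs whose every host address hits a permit rule."""
    result = []
    for vlan, cidr in sorted(subnets.items()):
        hosts = ipaddress.IPv4Network(cidr).hosts()
        if all(acl_action(acl, str(h)) == "permit" for h in hosts):
            result.append(vlan)
    return result


if __name__ == "__main__":
    print("VLANs translated on Dialer 0:", translated_vlans(ACL_2000, VLAN_SUBNETS))
    print("WLAN client 10.20.60.10:", acl_action(ACL_2000, "10.20.60.10"))
```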
OSPF configuration
Used so that the devices can learn routes from each other
#Create OSPF
[LSW1]ospf 1 --LSW1
[LSW1-ospf-1]a
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0] network 10.20.80.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0] network 10.20.70.0 0.0.0.255 --advertise the interface IP
[LSW1-ospf-1-area-0.0.0.0] network 10.20.20.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0] network 10.20.10.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0] network 10.20.90.0 0.0.0.255
-- LSW2 configuration
[LSW2]ospf 1
[LSW2-ospf-1]ar
[LSW2-ospf-1]area 0
[LSW2-ospf-1-area-0.0.0.0]network 10.20.80.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.20.30.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.20.40.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.20.50.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.20.60.0 0.0.0.255
--AR1 configuration
[AR1]ospf 1
[AR1-ospf-1-area-0.0.0.0]network 10.20.90.0 0.0.0.255
STP configuration
STP is used to block port 4 on LSW3 and port 3 on LSW4
[LSW1]stp root primary --set as the root bridge
[LSW2]stp root secondary --set as the backup root bridge
[LSW3]dis stp brief
 MSTID  Port            Role  STP State   Protection
   0    Ethernet0/0/1   DESI  FORWARDING  NONE
   0    Ethernet0/0/2   DESI  FORWARDING  NONE
   0    Ethernet0/0/3   ROOT  FORWARDING  NONE
   0    Ethernet0/0/4   ALTE  DISCARDING  NONE
[LSW4]dis stp brief
 MSTID  Port            Role  STP State   Protection
   0    Ethernet0/0/1   DESI  FORWARDING  NONE
   0    Ethernet0/0/2   DESI  FORWARDING  NONE
   0    Ethernet0/0/3   ALTE  DISCARDING  NONE
   0    Ethernet0/0/4   ROOT  FORWARDING  NONE
   0    Ethernet0/0/5   DESI  FORWARDING  NONE