实验拓扑
实验要求
- VLAN创建与划分
- 实现VLAN间的通信
- 通过AC配置AP(隧道转发)
- 链路聚合(LSW1与LSW2之间完成链路聚合)
- 私网1内部(LSW1、LSW2以及AR1)运行OSPF
- DHCP(PC1、PC2通过DHCP获取IP地址,其中VLAN30基于全局地址池,VLAN50基于接口,VLAN60基于接口)
- ACL流量过滤(禁止VLAN50内的流量访问VLAN40内的服务器,其他的流量放行)
- NAT配置(私网1、私网2可以访问公网),NAT Server配置(私网2内客户端可以访问私网1内服务器)
实验配置与分析
VLAN配置
# SW1
# Create the VLANs SW1 needs and put the PC/server ports into them as access ports.
system-view
sysname SW1
vlan batch 30 40 50
# G0/0/2 and G0/0/3: user ports in VLAN 30 (addressed later via the global DHCP pool).
interface GigabitEthernet 0/0/2
port link-type access
port default vlan 30
interface GigabitEthernet 0/0/3
port link-type access
port default vlan 30
# G0/0/6: server port in VLAN 40 (the ACL filter is later applied outbound here).
interface GigabitEthernet 0/0/6
port link-type access
port default vlan 40
# SW2
# SW2 also carries the WLAN VLANs: 60 (wireless service) and 100 (AP/AC management).
system-view
sysname SW2
vlan batch 30 40 50 60 100
# G0/0/2 and G0/0/3: user ports in VLAN 50 (addressed later via interface DHCP).
interface GigabitEthernet 0/0/2
port link-type access
port default vlan 50
interface GigabitEthernet 0/0/3
port link-type access
port default vlan 50
VLAN间通信
# SW1
# VLANIF gateways for the VLANs homed on SW1; inter-VLAN traffic is routed here.
interface Vlanif 30
ip address 10.1.3.254 255.255.255.0
interface Vlanif 40
ip address 10.1.4.254 255.255.255.0
# SW2
# Gateway for VLAN 50; VLAN 60's gateway is configured in the WLAN section.
interface Vlanif 50
ip address 10.1.5.254 255.255.255.0
链路聚合
# SW1
# Eth-Trunk 1 bundles G0/0/4-G0/0/5 towards SW2 (default manual load-balance mode,
# no LACP is configured). "allow-pass vlan all" also carries VLAN 1, which both
# switches use as their routed uplink VLAN; a hardened build would list only the
# VLANs that must cross the trunk.
interface Eth-Trunk 1
port link-type trunk
port trunk allow-pass vlan all
trunkport GigabitEthernet 0/0/4 to 0/0/5
# SW2
# Mirror of SW1's Eth-Trunk 1; member ports and allowed VLANs must match on both ends.
interface Eth-Trunk 1
port link-type trunk
port trunk allow-pass vlan all
trunkport GigabitEthernet 0/0/4 to 0/0/5
WLAN配置
# SW2
# G0/0/6 faces the AC: trunk carrying the service VLAN 60 (tunnel-forwarded
# traffic re-enters the wired network tagged by the AC) and management VLAN 100.
interface GigabitEthernet 0/0/6
port link-type trunk
port trunk allow-pass vlan 60 100
# G0/0/7 faces the AP: with tunnel forwarding only the management VLAN is
# needed on the AP port, so it is an access port in VLAN 100.
interface GigabitEthernet 0/0/7
port link-type access
port default vlan 100
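# AC
system-view
sysname AC
# AC hands out AP management addresses on VLAN 100 via interface DHCP.
dhcp enable
vlan batch 100 60
interface GigabitEthernet 0/0/1
port link-type trunk
port trunk allow-pass vlan 100 60
interface Vlanif 100
ip address 10.1.10.1 24
dhcp select interface
# CAPWAP control/data tunnels are sourced from the management VLANIF.
capwap source interface vlanif 100
wlan
# AP is authorised by its MAC address (value taken from the AP in this lab).
ap-id 1 ap-mac 00e0-fc62-2f10
ap-name AP1
display ap all
wlan
# Profiles are created before they are referenced: the security profile is
# built first so that the vap-profile binding below refers to an existing profile.
ssid-profile name huawei
ssid huawei
# WPA2-PSK/AES. The passphrase is a lab value typed in cleartext; use a strong,
# non-guessable PSK outside the lab.
security-profile name huawei_PWD
security wpa2 psk pass-phrase huawei@123 aes
# VAP: clients land in VLAN 60 and all user traffic is tunnelled to the AC.
vap-profile name huawei
service-vlan vlan-id 60
ssid-profile huawei
security-profile huawei_PWD
forward-mode tunnel
# Only radio 0 is bound to the VAP; radio 1 stays without this SSID.
ap-group name huawei
vap-profile huawei wlan 1 radio 0
ap-id 1
ap-group huawei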
# SW2
# Gateway and interface-based DHCP server for the wireless service VLAN 60.
dhcp enable
interface Vlanif 60
ip address 10.1.6.254 255.255.255.0
dhcp select interface
OSPF
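# SW1
# OSPF process 1 in area 0; router-id 2.2.2.2 identifies SW1.
ospf 1 router-id 2.2.2.2
area 0
# User VLANs are advertised into OSPF. No routers live on them, so they could
# additionally be declared silent-interface to stop hellos from reaching hosts.
interface Vlanif 30
ospf enable 1 area 0
interface Vlanif 40
ospf enable 1 area 0
# The adjacency with AR1 forms on Vlanif 1 (10.1.1.0/24), so OSPF is enabled on
# the VLANIF rather than on the Layer 2 access port, matching SW2's Vlanif 1.
interface Vlanif 1
ip address 10.1.1.254 24
ospf enable 1 area 0
# G0/0/1 towards AR1 stays a plain access port in VLAN 1.
interface GigabitEthernet 0/0/1
port link-type access
# Default route towards AR1 for traffic leaving private network 1.
ip route-static 0.0.0.0 0 10.1.1.1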
# SW2
# OSPF process 1 in area 0; router-id 3.3.3.3 identifies SW2.
ospf 1 router-id 3.3.3.3
area 0.0.0.0
# VLAN 50 (wired users) and VLAN 60 (wireless users) are advertised.
interface Vlanif 50
ospf enable 1 area 0.0.0.0
interface Vlanif 60
ospf enable 1 area 0.0.0.0
# Vlanif 1 (10.1.2.0/24) is the routed link to AR1 where the adjacency forms.
interface Vlanif 1
ip address 10.1.2.254 255.255.255.0
ospf enable 1 area 0.0.0.0
# G0/0/1 towards AR1 is an access port left in VLAN 1.
interface GigabitEthernet 0/0/1
port link-type access
# Default route towards AR1 for traffic leaving private network 1.
ip route-static 0.0.0.0 0 10.1.2.1
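# AR1
system-view
sysname AR1
ospf 1 router-id 1.1.1.1
# G0/0/0 faces the public side (12.1.1.0/24). The requirement is OSPF inside
# private network 1 only, so that interface is kept silent: its prefix is still
# advertised to SW1/SW2, but no hellos are sent towards AR2 and no neighbour
# can be formed from the public side.
silent-interface GigabitEthernet 0/0/0
area 0
# Links to SW1 and SW2 (Vlanif 1 on each switch).
interface GigabitEthernet 0/0/1
ip address 10.1.1.1 24
ospf enable 1 area 0
interface GigabitEthernet 0/0/2
ip address 10.1.2.1 24
ospf enable 1 area 0
# Public-facing interface; NAT outbound and the NAT server are applied here later.
interface GigabitEthernet 0/0/0
ip address 12.1.1.1 24
ospf enable 1 area 0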
DHCP
# SW1
# VLAN 30 is served from a global address pool, selected on its VLANIF.
dhcp enable
ip pool pool30
network 10.1.3.0 mask 255.255.255.0
gateway-list 10.1.3.254
interface Vlanif 30
dhcp select global
# SW2
# VLAN 50 uses the interface address pool (dhcp enable was already issued on SW2).
interface Vlanif 50
dhcp select interface
ACL流量过滤
# SW1
# Advanced ACL: drop anything sourced from VLAN 50 (10.1.5.0/24), permit the rest.
acl 3000
rule 5 deny ip source 10.1.5.0 0.0.0.255
rule 10 permit ip
# Applied outbound on the server port only, so the filter affects just traffic
# destined for the VLAN 40 server. Note the drop happens after the traffic has
# crossed the trunk and been routed; filtering inbound on SW2's VLAN 50 ports
# with a destination of 10.1.4.0/24 would discard it closer to the source.
interface GigabitEthernet 0/0/6
traffic-filter outbound acl 3000
NAT配置
# AR1
# Basic ACL 2000 selects which sources are translated; "permit" with no source
# matches everything. Restricting it to the internal range (the 10.1.0.0/16
# addresses used in private network 1) would stop unexpected sources being NATed.
acl 2000
rule 5 permit
# Outbound NAT (easy-IP on the interface address) on the public-facing interface.
interface GigabitEthernet 0/0/0
nat outbound 2000
# Default route towards AR2 (the "Internet").
ip route-static 0.0.0.0 0 12.1.1.2
# AR2
# AR2 models the public network; it is directly connected to both NAT routers,
# so it needs no routes beyond its connected subnets.
system-view
sysname AR2
interface GigabitEthernet 0/0/1
ip address 12.1.1.2 255.255.255.0
interface GigabitEthernet 0/0/0
ip address 23.1.1.2 255.255.255.0
# AR3
# Edge router of private network 2.
system-view
sysname AR3
interface GigabitEthernet 0/0/1
ip address 23.1.1.3 255.255.255.0
# 10.1.1.0/24 is reused here although private network 1 also uses it on the
# SW1-AR1 link; this only works because both sides are hidden behind NAT.
interface GigabitEthernet 0/0/0
ip address 10.1.1.254 255.255.255.0
# Translate all sources leaving towards the public side.
acl 2000
rule 5 permit
interface GigabitEthernet 0/0/1
nat outbound 2000
# Default route towards AR2.
ip route-static 0.0.0.0 0 23.1.1.2
# AR1
# Configure NAT server
# Static mapping: public 12.1.1.254 -> VLAN 40 server 10.1.4.1. "any" on both
# sides publishes every TCP port of the server to the public network; clients
# from private network 2 arrive with AR3's translated address (23.1.1.3), so ACL
# 3000 on SW1 does not apply to them. Limiting the mapping to the service port
# actually offered (e.g. global ... <port> inside 10.1.4.1 <port>) reduces exposure.
interface GigabitEthernet 0/0/0
nat server protocol tcp global 12.1.1.254 any inside 10.1.4.1 any