Lab topology
Lab requirements
Switching
- Deploy LACP link aggregation on the S1-R1 interconnect with IP-address-based load sharing. Limit the number of active interfaces so that R1 G0/0/1 is the backup interface, with R1 deciding how many members are active.
- Deploy trunks on the S1-S2-S3 interconnects, allowing all VLANs except VLAN 1. The S1-AC1 link allows only the VLANs it needs. Ensure the VLAN 10 and VLAN 20 uplinks have no blocked ports (without using MSTP instances).
- The VLAN 10 gateway is on S1 at 10.1.10.7/24.
- The VLAN 20 gateway is on S1 at 10.1.20.7/24.
- Use hybrid ports on S4 so that R2 and R4 cannot reach each other, but both can reach R3.
IP services
- S1 assigns addresses to AP1 and STA1.
- STA1 obtains its address from S1: address 10.1.10.10/24, gateway 10.1.10.7, DNS 155.1.2.10.
- The AP always obtains 10.1.254.1/24 automatically, gateway 10.1.254.7.
WLAN
- WLAN service:
management VLAN: VLAN 254
service VLAN: VLAN 10
forwarding mode: tunnel
SSID: HUAWEI
security policy: WPA2
password: Huawei@123
encryption: AES
- WLAN networking: AP and AC are in the same subnet.
Routing
- R1 and S1 are interconnected in OSPF area 0.
- R1 reaches the Internet with the minimum routing configuration.
- The interconnect interfaces and Loopbacks of R2, R3 and R4 join OSPF area 0; other interfaces join only where needed, to limit unnecessary OSPF advertisements.
- Remote users reaching the public web server prefer the Ethernet path; if R3 fails, traffic uses the PPP link between R2 and R4.
WAN
- PPP: R2 and R4 are interconnected with PPP using PAP authentication; R4 is the authenticator and R2 is the peer being authenticated. Account/password: USER/HUAWEI.
- PPPoE: AR5 is the PPPoE client and AR4 the PPPoE server, with CHAP authentication. Dial-in account: USER/HUAWEI. Avoid fragmentation by setting the interface MTU precisely. The client generates its default route automatically from the dial-up session.
ACL and NAT
- R1 blocks ping and tracert from external users.
- Only users in 10.1.10.0/24 may manage R1.
- R1 obtains the public addresses 155.1.12.11-155.1.12.20; deploy NAPT so that any user in 10.1.10.0/24 can reach the public network.
- Publish SERVER1's web service to the public network so that the client can reach it as http://www.huawei.com:10080; the DNS maps www.huawei.com to 155.1.12.10.
- Remote users reach the public network through address translation using the interface address.
Network device maintenance
- Configure R1 to accept STELNET management only; add a login banner and a post-login banner; set the STELNET idle timeout to 15 minutes; login account USER/HUAWEI.
- Back up the configuration to SERVER1 with FTP.
- Deploy SNMPv3 on R1 in its most secure mode: user USER, group USER_GROUP, password Huawei123. Send Traps for interface up/down proactively to host 10.1.20.10.
Lab configuration
Switching
# Question 1
# R1
sys
sys R1
int Eth-trunk 1
undo portswitch
mode lacp-static
trunkport G 0/0/0 to 0/0/2
# two of the three members are active; the third is the backup that takes over
# when an active member fails, and preemption returns the original member afterwards
max active-linknumber 2
lacp preempt enable
load-balance src-dst-ip
quit
# LACP system priority is a system-view command, not an Eth-Trunk command: the
# lower value makes R1 the actor, so R1 decides which members are active
lacp priority 1
int G 0/0/1
# worst port priority, so G0/0/1 is the member left in backup
lacp priority 65535
# S1
sys
sys S1
int Eth-trunk 1
mode lacp-static
trunkport G 0/0/10 to 0/0/12
load-balance src-dst-ip
# check: member state (Selected/Unselect) and the partner's system priority
dis Eth-trunk 1
# Question 2
# S1
vlan batch 254 10 20
# S1 holds both VLAN gateways, so it must be the spanning-tree root; otherwise a
# blocked port on an S2/S3 uplink could cut VLAN 10/20 off from their gateway.
# Done in the default CIST instance, no per-VLAN MSTP instances needed.
stp root primary
# trunks towards S2/S3: VLAN 1 is allowed on a trunk by default, so "2 to 4094"
# alone does not exclude it; remove it explicitly
int G 0/0/23
port link-type trunk
port trunk allow-pass vlan 2 to 4094
undo port trunk allow-pass vlan 1
int G 0/0/22
port link-type trunk
port trunk allow-pass vlan 2 to 4094
undo port trunk allow-pass vlan 1
# link to AC1: only the VLANs the AC needs, the management VLAN 254 and
# (tunnel forwarding) the service VLAN 10
int G 0/0/1
port link-type trunk
port trunk allow-pass vlan 10 254
undo port trunk allow-pass vlan 1
# S2
sys
sys S2
vlan batch 254 10 20
# access port for the AP, in the management VLAN
int G 0/0/1
port link-type access
port default vlan 254
int G 0/0/23
port link-type trunk
port trunk allow-pass vlan 2 to 4094
undo port trunk allow-pass vlan 1
int G 0/0/21
port link-type trunk
port trunk allow-pass vlan 2 to 4094
undo port trunk allow-pass vlan 1
int G 0/0/20
port link-type trunk
port trunk allow-pass vlan 2 to 4094
undo port trunk allow-pass vlan 1
# S3
sys
sys S3
vlan batch 254 10 20
# access port in VLAN 20 (the server VLAN)
int G 0/0/10
port link-type access
port default vlan 20
int G 0/0/24
port link-type trunk
port trunk allow-pass vlan 2 to 4094
undo port trunk allow-pass vlan 1
int G 0/0/21
port link-type trunk
port trunk allow-pass vlan 2 to 4094
undo port trunk allow-pass vlan 1
int G 0/0/20
port link-type trunk
port trunk allow-pass vlan 2 to 4094
undo port trunk allow-pass vlan 1
# Question 3
# S1
int vlanif 10
ip address 10.1.10.7 24
int vlanif 20
ip address 10.1.20.7 24
# Question 4
# R2
sys
sys R2
int G 0/0/1
ip address 155.1.0.2 24
int Loopback 0
ip address 150.1.2.2 32
# R3
sys
sys R3
int G 0/0/1
ip address 155.1.0.3 24
int Loopback 0
ip address 150.1.3.3 32
# R4
sys
sys R4
int G 0/0/1
ip address 155.1.0.4 24
int Loopback 0
ip address 150.1.4.4 32
# S4
sys
sys S4
vlan batch 2 3
# Frames from R2 (G0/0/2) enter VLAN 2 and frames from R4 (G0/0/4) enter VLAN 3;
# the two routers share no VLAN, so they cannot reach each other. G0/0/3 (R3) is
# an untagged member of both, so it receives from both. G0/0/3 keeps the hybrid
# defaults (pvid 1, untagged VLAN 1), and G0/0/2 and G0/0/4 also keep VLAN 1
# untagged by default, which is the VLAN R3's own frames travel in. Removing
# VLAN 1 from these ports breaks the R3 direction; a dedicated VLAN as R3's
# pvid would make the design explicit.
int G 0/0/2
port hybrid pvid vlan 2
port hybrid untagged vlan 2
int G 0/0/4
port hybrid pvid vlan 3
port hybrid untagged vlan 3
int G 0/0/3
port hybrid untagged vlan 2 3
IP services
# S1
dhcp enable
# pool for VLAN 10: STA1 always gets 10.1.10.10 through the MAC binding; gateway
# and DNS as required. STA1's DHCP broadcast reaches S1 through the CAPWAP
# tunnel and the AC's VLAN 10 trunk.
ip pool pool10
network 10.1.10.0 mask 255.255.255.0
gateway-list 10.1.10.7
dns-list 155.1.2.10
static-bind ip-address 10.1.10.10 mac-address 5489-9875-7960
int vlanif 10
ip address 10.1.10.7 24
dhcp select global
# pool for the management VLAN 254: the AP always gets 10.1.254.1 by MAC binding
ip pool pool254
network 10.1.254.0 mask 255.255.255.0
gateway-list 10.1.254.7
static-bind ip-address 10.1.254.1 mac-address 00e0-fc33-6ba0
int vlanif 254
ip address 10.1.254.7 24
dhcp select global
int vlanif 20
ip address 10.1.20.7 24
WLAN
# AC
sys
sys AC
vlan batch 10 254
# uplink to S1 carries the management VLAN and, because forwarding is tunnelled,
# the service VLAN as well
int G 0/0/1
port link-type trunk
port trunk allow-pass vlan 10 254
quit
int vlanif 254
ip address 10.1.254.10 24
# CAPWAP source on the management VLAN; the AP (10.1.254.1) discovers the AC
# by broadcast in the same subnet
capwap source interface vlanif 254
wlan
# authorise the AP by MAC (the same MAC S1's DHCP pool binds to 10.1.254.1)
ap-id 1 ap-mac 00e0-fc33-6ba0
ap-name AP
quit
ssid-profile name HUAWEI
ssid HUAWEI
quit
security-profile name HUAWEI_PWD
# passphrase exactly as required: Huawei@123 (the passphrase is case-sensitive)
security wpa2 psk pass-phrase Huawei@123 aes
quit
vap-profile name HUAWEI
service-vlan vlan-id 10
ssid-profile HUAWEI
security-profile HUAWEI_PWD
forward-mode tunnel
quit
ap-id 1
vap-profile HUAWEI wlan 1 radio 0
Routing
# Questions 1 and 2
# S1
# the Eth-Trunk on S1 stays Layer 2, in VLAN 17, with VLANIF 17 as the routed endpoint
vlan batch 17
int vlanif 17
ip address 10.1.17.254 24
int Eth-trunk 1
port hybrid pvid vlan 17
port hybrid untagged vlan 17
ospf 1 router-id 17.17.17.17
area 0
network 10.1.17.254 0.0.0.0
network 10.1.10.7 0.0.0.0
# VLAN 20 holds SERVER1 / the NMS (10.1.20.10), which R1 must reach for the
# NAT server, FTP backup and SNMP traps
network 10.1.20.7 0.0.0.0
# R1
int Eth-trunk 1
ip address 10.1.17.1 24
ospf 1 router-id 1.1.1.1
# hand the static default below down to S1, so inside subnets have a path out
default-route-advertise
area 0
network 10.1.17.1 0.0.0.0
int E 1/0/0
ip address 155.1.12.1 24
# minimum Internet routing on R1: one static default towards R2
ip route-static 0.0.0.0 0 155.1.12.2
# Question 3
# R3
ospf 1 router-id 3.3.3.3
area 0
network 155.1.0.3 0.0.0.0
network 150.1.3.3 0.0.0.0
int G 0/0/1
# Make R3 the DR: R2 and R4 cannot exchange hellos at Layer 2 (see the S4 hybrid
# ports), so only R3 can form an adjacency with both.
ospf dr-priority 100
# R2
ospf 1 router-id 2.2.2.2
area 0
network 155.1.0.2 0.0.0.0
network 150.1.2.2 0.0.0.0
# the R1-R2 link is the one "other interface" that must be in OSPF
network 155.1.12.2 0.0.0.0
# OSPF installs routes via R4 with next hop 155.1.0.4, which R2 cannot ARP for.
# 00e0-fcdb-50d5 is R3's G0/0/1 MAC: frames for R4 are handed to R3, which
# routes them on. R4 gets the mirror-image entry.
arp static 155.1.0.4 00e0-fcdb-50d5
# R4
ospf 1 router-id 4.4.4.4
area 0
network 155.1.0.4 0.0.0.0
network 150.1.4.4 0.0.0.0
# the PPPoE subnet must be advertised so the remote user's translated address is reachable
network 155.1.45.4 0.0.0.0
arp static 155.1.0.2 00e0-fcdb-50d5
# Question 4
# Only R2 and R4 have Serial 1/0/0, so the backup default goes on those two.
# On VRP a lower preference value wins: the default via R3 (15) beats the one over
# the serial link (default 60), and OSPF routes (preference 10) beat both while
# R3 is up. When R3 fails, the OSPF routes through it disappear and the serial
# default carries the traffic. Caveat: the static via 155.1.0.3 stays active as
# long as the S4 port is up, so if R3 itself dies it should be tied to a BFD
# session (or the serial link added to OSPF) to avoid a black hole.
# R2
ip route-static 0.0.0.0 0 Serial 1/0/0
ip route-static 0.0.0.0 0 155.1.0.3 preference 15
# R4
ip route-static 0.0.0.0 0 Serial 1/0/0
ip route-static 0.0.0.0 0 155.1.0.3 preference 15
WAN
# PPP configuration
# R2 (peer being authenticated): sends USER/HUAWEI in a PAP Authenticate-Request,
# i.e. in cleartext on the serial link
int s 1/0/0
link-protocol ppp
ip address 155.1.24.2 24
ppp pap local-user USER password cipher HUAWEI
# R4 (authenticator)
int s 1/0/0
link-protocol ppp
ip address 155.1.24.4 24
ppp authentication-mode pap
quit
aaa
local-user USER password cipher HUAWEI
local-user USER service-type ppp
# PPPoE configuration
# R5 (client)
sys
sys R5
# a dialer-rule and dialer-group are required for the Dialer interface to bring the session up
dialer-rule
dialer-rule 1 ip permit
quit
int Dialer1
link-protocol ppp
# default route derived from the dial-up session, as required
ppp ipcp default-route
ppp chap user USER
ppp chap password cipher HUAWEI
# PPPoE adds 6 bytes and PPP 2 bytes of overhead: 1500 - 8 = 1492 avoids fragmentation
mtu 1492
ip address ppp-negotiate
dialer user USER
dialer-group 1
dialer bundle 1
int G 0/0/0
pppoe-client dial-bundle-number 1
# R4 (server)
int G 0/0/0
ip address 155.1.45.4 24
quit
aaa
local-user USER password cipher HUAWEI
local-user USER service-type ppp
quit
int virtual-template 0
ppp authentication-mode chap
remote address 155.1.45.5
ip address unnumbered interface G 0/0/0
quit
int G 0/0/0
pppoe-server bind virtual-template 0
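The following is an added example, not part of this lab's configuration: it models the PAP Authenticate-Request that R2 sends to R4 (RFC 1334) and the CHAP challenge/response that R5 and R4 exchange over PPPoE (RFC 1994, MD5), so the difference in what crosses the link is visible. The user name and secret are the lab's (USER/HUAWEI); the challenge bytes, the Identifier and the system names in the packets are constructed here.

```python
"""Added example (not the lab's own code): PAP request vs CHAP exchange."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

USER = b"USER"
SECRET = b"HUAWEI"   # configured on both ends: ppp chap password / local-user password


def pap_request(user: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data field (RFC 1334 2.2.1): length-prefixed
    Peer-ID and Password, sent in cleartext. A sniffer on the serial link
    recovers the password directly."""
    return bytes([len(user)]) + user + bytes([len(password)]) + password


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994 4.1): Response = MD5(Identifier || secret || Challenge).
    The secret itself never leaves the host."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The authenticator (R4) recomputes the hash over the challenge it issued
    and compares in constant time."""
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(client_secret: bytes, ident: int = 1,
                  challenge: Optional[bytes] = None) -> Tuple[bytes, bytes, bool]:
    """Run the exchange: R4 -> R5 Challenge, R5 -> R4 Response, R4 verifies.
    Returns (challenge packet data, response packet data, success). R4 checks
    against its own copy of the secret (SECRET); client_secret is what the peer
    believes the secret is."""
    if challenge is None:
        challenge = os.urandom(16)        # fresh per session: defeats replay of old responses
    # Challenge/Response data field: Value-Size, Value, Name (RFC 1994 4.1)
    challenge_pkt = bytes([len(challenge)]) + challenge + b"R4"
    resp = chap_response(ident, client_secret, challenge)
    response_pkt = bytes([len(resp)]) + resp + USER
    return challenge_pkt, response_pkt, chap_verify(ident, SECRET, challenge, resp)


if __name__ == "__main__":
    print("PAP on the wire:", pap_request(USER, SECRET))
    chal, resp, ok = chap_exchange(SECRET)
    print("CHAP response on the wire:", resp.hex(), "verified:", ok)
    print("wrong secret verified:", chap_exchange(b"WRONG")[2])
```

The CHAP response changes with every challenge and with the Identifier, which is why the authenticator must issue a fresh random challenge each time; the shared secret still has to be stored in recoverable form on both routers (hence `password cipher` rather than a one-way hash), so it is no stronger than the protection of the configuration file.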
ACL and NAT
# Question 1
# R2
int G 0/0/0
ip address 155.1.12.2 24
ospf 1
area 0
# R2 has no 155.1.2.2 address: the R1-R2 link is 155.1.12.0/24 (already advertised
# in the routing section, repeated here for completeness)
network 155.1.12.2 0.0.0.0
# R1
acl 3000
# drops inbound echo requests: ping, and Windows tracert, which also uses ICMP echo
rule 5 deny icmp icmp-type echo
# Unix traceroute probes UDP ports from 33434 upward; deny only that range.
# A bare "deny udp" would also drop DNS replies returning to the NAPT pool
# addresses. Echo replies to inside hosts match no rule, and traffic-filter
# forwards packets that match nothing.
rule 10 deny udp destination-port range 33434 33534
int E 1/0/0
traffic-filter inbound acl 3000
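The following is an added example, not part of the lab: a small model of the first-match semantics of an advanced ACL bound with traffic-filter, used to compare the page's blanket `deny udp` with a rule scoped to traceroute's probe ports. The sample packets, port numbers and the rule and packet classes are constructed for the demonstration; only the addresses come from the lab.

```python
"""Added example (not the lab's own code): first-match ACL evaluation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "udp" or "tcp"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # "echo" or "echo-reply" for ICMP
    dport: Optional[int] = None      # destination port for UDP/TCP


@dataclass(frozen=True)
class Rule:
    action: str                                    # "permit" or "deny"
    proto: Optional[str] = None                    # None matches any protocol
    icmp_type: Optional[str] = None
    dport_range: Optional[Tuple[int, int]] = None  # inclusive, like "destination-port range"

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.dport_range is not None:
            lo, hi = self.dport_range
            if p.dport is None or not lo <= p.dport <= hi:
                return False
        return True


def traffic_filter(rules: List[Rule], p: Packet) -> str:
    """Rules are evaluated in order and the first match decides; a packet that
    matches no rule is forwarded, which is the traffic-filter default on VRP."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "permit"


# acl 3000 as originally written: deny ICMP echo, then deny every UDP packet
ACL_AS_WRITTEN = [Rule("deny", "icmp", icmp_type="echo"), Rule("deny", "udp")]
# scoped variant: deny only the UDP port range that Unix traceroute probes
ACL_SCOPED = [Rule("deny", "icmp", icmp_type="echo"),
              Rule("deny", "udp", dport_range=(33434, 33534))]

# constructed packets arriving inbound on R1 E1/0/0 (155.1.12.11 is a NAPT pool address)
SAMPLES: Dict[str, Packet] = {
    "ping from outside": Packet("icmp", "155.1.2.10", "155.1.12.1", icmp_type="echo"),
    "traceroute probe": Packet("udp", "155.1.2.10", "155.1.12.1", dport=33435),
    "echo reply to inside": Packet("icmp", "155.1.2.10", "155.1.12.11", icmp_type="echo-reply"),
    "DNS reply to inside": Packet("udp", "155.1.2.10", "155.1.12.11", dport=51234),
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict of the given rule set for every sample packet."""
    return {name: traffic_filter(rules, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("as written", ACL_AS_WRITTEN), ("scoped", ACL_SCOPED)):
        print(label, verdicts(acl))
```

Running it shows the blanket rule dropping the DNS reply that an inside host is waiting for, while the scoped rule still stops both the echo request and the traceroute probe and leaves replies alone.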
# Question 2
# R1
acl 2000
rule 5 permit source 10.1.10.0 0.0.0.255
# explicit deny for everyone else, so the VTY access list does not rely on a default
rule 10 deny
user-interface vty 0 4
acl 2000 inbound
# Question 3
# R1
nat address-group 1 155.1.12.11 155.1.12.20
int E 1/0/0
# ACL 2000 from Question 2 (permit 10.1.10.0/24) is reused to select the inside
# sources; without "no-pat" the pool is used with port translation, i.e. NAPT
nat outbound 2000 address-group 1
# Question 4
# R2
int G 0/0/2
ip address 155.1.2.254 24
ospf enable 1 area 0
# R1
int E 1/0/0
# public TCP 10080 on 155.1.12.10 maps to the web port of SERVER1 (10.1.20.10);
# the A record www.huawei.com -> 155.1.12.10 is created on the DNS server 155.1.2.10
nat server protocol tcp global 155.1.12.10 10080 inside 10.1.20.10 www
# Question 5
# R5
int G 0/0/1
ip address 10.1.5.254 24
acl 2000
rule 5 permit source 10.1.5.0 0.0.0.255
int Dialer1
# Easy IP: translate to the Dialer interface's negotiated address
nat outbound 2000
Network device maintenance
# Question 1
# R1
stelnet server enable
# host key pair for the SSH server; answer the bit-length prompt with 2048
rsa local-key-pair create
2048
# login banner and post-login banner, as required (the texts are placeholders)
header login information "Authorized access only"
header shell information "Login successful"
aaa
local-user USER password cipher HUAWEI
local-user USER service-type ssh
local-user USER privilege level 15
quit
ssh user USER authentication-type password
ssh user USER service-type stelnet
user-interface vty 0 4
# idle timeout of 15 minutes 0 seconds
idle-timeout 15 0
authentication-mode aaa
# STELNET only: the VTYs refuse Telnet
protocol inbound ssh
# Question 2
# R1
# save first so vrpcfg.zip holds the running configuration, then log in to the
# FTP service on SERVER1 (10.1.20.10, as in the NAT section) and upload it;
# the ftp command prompts for the server's user name and password
save
ftp 10.1.20.10
put vrpcfg.zip
# Question 3
# R1
snmp-agent
snmp-agent sys-info version v3
# "privacy" = authPriv, the strongest USM security level; the group requires it
snmp-agent group v3 USER_GROUP privacy
# sha/aes128 rather than md5/des56 for the most secure option. The requirement
# text lists Huawei123 while the lab typed Huawei@123; the NMS must use the same string.
snmp-agent usm-user v3 USER USER_GROUP authentication-mode sha Huawei@123 privacy-mode aes128 Huawei@123
snmp-agent trap enable feature-name ifnet trap-name linkDown
snmp-agent trap enable feature-name ifnet trap-name linkUp
# the trap target references a v3 parameter set naming the user and its security level
snmp-agent target-host trap-paramsname R1 v3 securityname USER privacy
snmp-agent target-host trap-hostname NMS address 10.1.20.10 trap-paramsname R1
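The following is an added example, not part of the lab: how SNMPv3 USM turns a user password into per-device keys (RFC 3414 A.2, password-to-key followed by key localization), for both the md5/des56 and the sha/aes128 choices discussed above. It uses the RFC 3414 A.3 test vector (password "maplesyrup", engine ID 0x000000000000000000000002) because R1's real engine ID is not on the page, and it assumes, as the lab does, that the same password is used for authentication and privacy.

```python
"""Added example (not the lab's own code): SNMPv3 USM key derivation."""
import hashlib

PASSWORD_TO_KEY_BYTES = 1_048_576   # RFC 3414 A.2.1: hash 1 MiB of the password repeated


def password_to_key(password: bytes, auth: str) -> bytes:
    """Ku = H(password repeated to 1,048,576 bytes); auth is "md5" or "sha1".
    The large input is the only brute-force slowdown USM provides."""
    reps = PASSWORD_TO_KEY_BYTES // len(password) + 1
    return hashlib.new(auth, (password * reps)[:PASSWORD_TO_KEY_BYTES]).digest()


def localize_key(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The same password yields a different
    key on every engine, so a key lifted from one device is useless on another."""
    return hashlib.new(auth, ku + engine_id + ku).digest()


def priv_key(password: bytes, engine_id: bytes, auth: str, priv: str) -> bytes:
    """Privacy key: the localized key (computed with the auth hash) truncated to
    what the cipher takes. des56 uses 8 octets (56 effective bits, RFC 3414
    8.1.1.1); aes128 uses 16 octets (RFC 3826 3.1.2.1)."""
    kul = localize_key(password_to_key(password, auth), engine_id, auth)
    return kul[:8] if priv == "des56" else kul[:16]


def usm_user_keys(password: bytes, engine_id: bytes, auth: str, priv: str) -> dict:
    """The key material an agent stores for one usm-user on one engine."""
    kul = localize_key(password_to_key(password, auth), engine_id, auth)
    return {"auth": auth, "auth_key": kul.hex(),
            "priv": priv, "priv_key": priv_key(password, engine_id, auth, priv).hex()}


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")
    print(usm_user_keys(b"maplesyrup", engine, "md5", "des56"))
    print(usm_user_keys(b"maplesyrup", engine, "sha1", "aes128"))
```

Two points follow from the code: localization ties the key to the engine ID, so an NMS must learn R1's engine ID (it is sent in the discovery exchange) before it can authenticate, and the DES variant throws away all but 8 octets of the localized key, which is why aes128 is the choice when the task asks for the most secure mode.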