本文详细介绍了如何在华为eNSP环境中进行中型园区网络的配置,包括VLAN划分、链路聚合、MSTP/VRRP、OSPF/BGP路由、DHCP服务、无线网络、防火墙安全策略以及NAT技术,确保网络隔离、无延迟转发和冗余设计。
→b站直通车,感谢大佬事无巨细的讲解←
→华为eNSP中型园区网络配置(下)←
-
甲方技术要求:
1.做必要的隔离,并且防止环路产生。
2.终端接口接入网络后无延迟转发。
3.汇聚层交换机之间要增加带宽。
4.网关配置在汇聚层上,要保证网关冗余。
5.内部使用可靠的IGP进行路由学习和发布,并保证设备的身份合法性。
6.通过BGP协议跟总部进行路由学习,实现互访,要求缺省互访流量都经过AR1访问总部。当AR1出现故障,切换到AR2。
7.要求园区网内所有PC终端都通过公司统一的DHCP服务器完成地址分发。
8.使用FIT AP+AC进行无线网络组网。
9.出口防火墙,需要做必要的安全策略,只能内网主动发起访问到外网。
10.出口防火墙,要配置必要的NAT技术,使得内网能够访问ISP&internet。 -
组网方案中涉及的技术点:
1、VLAN技术、边缘端口技术
2.Trunk、Eth-trunk技术
3.MSTP与VRRP技术结合场景
4.OSPF技术、OSPF认证技术
5.BGP技术、BGP选路技术。
6.协议引入技术
7.DHCP、DHCP中继技术
8.WLAN组网技术(瘦AP+AC)
9.防火墙安全策略技术
10.NAT技术 -
扩展知识点:
1.防火墙双机热备技术
2.堆叠技术
3.WLAN高可靠性技术 -
地址规划:
AR1
e3/0/0 10.1.14.1/24
g0/0/0 10.1.100.1/24(与SW1vlanif100互联)
g0/0/2 10.1.12.1/24
g0/0/1 10.1.103.1/24(与SW2vlanif300互联)
pos2/0/0 10.1.13.1/24
Loopback0 10.1.1.1/32AR2
g0/0/2 10.1.12.2/24
g0/0/0 10.1.102.2/24(.与SW1vlanif200互联)
g0/0/1 10.1.104.2/24(与SW2vlanif400互联)
pos2/0/0 10.1.23.2/24
Loopbacko 10.1.2.2/32AR3
pos2/0/0 10.1.13.3/24
pos5/0/0 10.1.23.3/24
Loopback200 200.200.200.200/32AR4
g0/0/0 10.1.14.4/24
Loopback0 10.1.4.4/24SW1
vlanif100 10.1.100.10/24
vlanif200 10.1.102.10/24SW2
vlanif300 10.1.103.10/24
vlanif400 10.1.104.10/24vlan地址规划
vlan10-192.168.10.0/24
vlan20-192.168.20.0/24
vlan30-192.168.30.0/24
vlan40-192.168.40.0/24 -
配置vlan和链路
SW1 SW2 SW3 SW4
# vlan batch 10 20 30 40 # -
配置链路类型,ap先不看,连接pc的access,sw间互联的trunk
SW1//配置trunk端口组 [SW1]port-group trunkport [SW1-port-group-trunkport]group-member g0/0/2 g0/0/3 [SW1-port-group-trunkport]p l t [SW1-port-group-trunkport]p t a v 10 20 30 40 //配置链路聚合 [SW1]int Eth-Trunk 12 [SW1-Eth-Trunk12]mode lacp-static [SW1-Eth-Trunk12]trunkport g 0/0/19 to 0/0/20 [SW1-Eth-Trunk12]port link-type trunk [SW1-Eth-Trunk12]port trunk allow-pass vlan 10 20 30 40SW2
[SW2]port-group trunkport [SW2-port-group-trunkport]group-member g0/0/2 g0/0/4 [SW2-port-group-trunkport]p l t [SW2-port-group-trunkport]p t a v 10 20 30 40 //配置链路聚合 [SW2]int Eth-Trunk 12 [SW2-Eth-Trunk12]mode lacp-static [SW2-Eth-Trunk12]trunkport g 0/0/19 to 0/0/20 [SW2-Eth-Trunk12]p l t [SW2-Eth-Trunk12]p t a v 10 20 30 40SW3
//配置trunk端口组 [SW3]port-group trunkport [SW3-port-group-trunkport]group-member g0/0/2 g0/0/4 [SW3-port-group-trunkport]p l t [SW3-port-group-trunkport]p t a v 10 20 30 40 //配置access端口组 [SW3]port-group accessport [SW3-port-group-accessport]group-member g0/0/1 g0/0/3 [SW3-port-group-accessport]p l a //配置g0/0/1 vlan10 [SW3]i g0/0/1 [SW3-GigabitEthernet0/0/1]p d v 10 //配置边缘端口 [SW3-GigabitEthernet0/0/1]stp edged-port en //配置g0/0/3 vlan30 [SW3]i g0/0/3 [SW3-GigabitEthernet0/0/3]p d v 30 //配置边缘端口 [SW3-GigabitEthernet0/0/3]stp edged-port enSW4
//配置trunk端口组 [SW4]port-group trunkport [SW4-port-group-trunkport]group-member g0/0/2 g0/0/3 [SW4-port-group-trunkport]p l t [SW4-port-group-trunkport]p t a v 10 20 30 40 //配置access端口组 [SW4]port-group accessport [SW4-port-group-accessport]group-member g0/0/4 g0/0/1 [SW4-port-group-accessport]p l a //配置边缘端口 [SW4-port-group-accessport]stp edged-port en //配置g0/0/4 vlan 40 [SW4]i g0/0/4 [SW4-GigabitEthernet0/0/4]p d v 40 //配置g0/0/1 vlan 20 [SW4]i g0/0/1 [SW4-GigabitEthernet0/0/1]p d v 20 -
配置mstp
instance1-vlan10 vlan30 root sw1 备份sw2
instance2-vlan20 vlan40 root sw2 备份sw1SW1 SW2 SW3 SW4
# stp region-configuration region-name yeslab revision-level 1 instance 1 vlan 10 30 instance 2 vlan 20 40 active region-configuration #SW1设置为instance1的root,instance2的备份
[SW1]stp instance 1 root primary [SW1]stp instance 2 root secondarySW2设置为instance2的root,instance1的备份
[SW2]stp instance 2 root primary [SW2]stp instance 1 root secondary -
配置vlanif
SW1
# interface Vlanif10 ip address 192.168.10.251 255.255.255.0 # interface Vlanif20 ip address 192.168.20.251 255.255.255.0 # interface Vlanif30 ip address 192.168.30.251 255.255.255.0 # interface Vlanif40 ip address 192.168.40.251 255.255.255.0 #SW2
# interface Vlanif10 ip address 192.168.10.252 255.255.255.0 # interface Vlanif20 ip address 192.168.20.252 255.255.255.0 # interface Vlanif30 ip address 192.168.30.252 255.255.255.0 # interface Vlanif40 ip address 192.168.40.252 255.255.255.0 # -
配置VRRP网关
SW1为10 30 的 master,20 40的slave
# interface Vlanif10 ip address 192.168.10.251 255.255.255.0 vrrp vrid 10 virtual-ip 192.168.10.254 vrrp vrid 10 priority 120 # interface Vlanif20 ip address 192.168.20.251 255.255.255.0 vrrp vrid 20 virtual-ip 192.168.20.254 # interface Vlanif30 ip address 192.168.30.251 255.255.255.0 vrrp vrid 30 virtual-ip 192.168.30.254 vrrp vrid 30 priority 120 # interface Vlanif40 ip address 192.168.40.251 255.255.255.0 vrrp vrid 40 virtual-ip 192.168.40.254 #SW2为10 30的slave 20 40的master
# interface Vlanif10 ip address 192.168.10.252 255.255.255.0 vrrp vrid 10 virtual-ip 192.168.10.254 # interface Vlanif20 ip address 192.168.20.252 255.255.255.0 vrrp vrid 20 virtual-ip 192.168.20.254 vrrp vrid 20 priority 120 # interface Vlanif30 ip address 192.168.30.252 255.255.255.0 vrrp vrid 30 virtual-ip 192.168.30.254 # interface Vlanif40 ip address 192.168.40.252 255.255.255.0 vrrp vrid 40 virtual-ip 192.168.40.254 vrrp vrid 40 priority 120 # -
配置路由
AR1
# interface Ethernet3/0/0 ip address 10.1.14.1 255.255.255.0 # interface Ethernet3/0/1 ip address 10.1.15.1 255.255.255.0 # interface GigabitEthernet0/0/0 ip address 10.1.100.1 255.255.255.0 # interface GigabitEthernet0/0/1 ip address 10.1.103.1 255.255.255.0 # interface GigabitEthernet0/0/2 ip address 10.1.12.1 255.255.255.0 # interface Pos2/0/0 link-protocol ppp ip address 10.1.13.1 255.255.255.0 # interface LoopBack0 ip address 10.1.1.1 255.255.255.255 #AR2
# interface GigabitEthernet0/0/0 ip address 10.1.102.2 255.255.255.0 # interface GigabitEthernet0/0/1 ip address 10.1.104.2 255.255.255.0 # interface GigabitEthernet0/0/2 ip address 10.1.12.2 255.255.255.0 # interface Pos2/0/0 link-protocol ppp ip address 10.1.23.2 255.255.255.0 # interface LoopBack0 ip address 10.1.2.2 255.255.255.255 # -
配置SW与AR互联
SW1
[SW1]v b 100 200 # interface GigabitEthernet0/0/10 port link-type access port default vlan 100 stp edged-port enable # interface GigabitEthernet0/0/11 port link-type access port default vlan 200 stp edged-port enable # interface Vlanif100 ip address 10.1.100.10 255.255.255.0 # interface Vlanif200 ip address 10.1.102.10 255.255.255.0 #SW2
[SW2]v b 300 400 # interface GigabitEthernet0/0/10 port link-type access port default vlan 400 stp edged-port enable # interface GigabitEthernet0/0/11 port link-type access port default vlan 300 stp edged-port enable # interface Vlanif300 ip address 10.1.103.10 255.255.255.0 # interface Vlanif400 ip address 10.1.104.10 255.255.255.0 # -
配置ospf
(可以dis ip int bri 命令看当前的网络)
AR1
//配置ospf 宣告网络 [AR1]ospf 1 router-id 1.1.1.1 [AR1-ospf-1]area 0 [AR1-ospf-1-area-0.0.0.0]net 10.1.14.1 0.0.0.0 [AR1-ospf-1-area-0.0.0.0]net 10.1.15.1 0.0.0.0 [AR1-ospf-1-area-0.0.0.0]net 10.1.100.1 0.0.0.0 [AR1-ospf-1-area-0.0.0.0]net 10.1.103.1 0.0.0.0 [AR1-ospf-1-area-0.0.0.0]net 10.1.12.1 0.0.0.0 [AR1-ospf-1-area-0.0.0.0]net 10.1.1.1 0.0.0.0 //配置认证 [AR1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher Huawei@123AR2
//配置ospf 宣告网络 [AR2]ospf 1 router-id 2.2.2.2 [AR2-ospf-1]area 0 [AR2-ospf-1-area-0.0.0.0]net 10.1.102.2 0.0.0.0 [AR2-ospf-1-area-0.0.0.0]net 10.1.104.2 0.0.0.0 [AR2-ospf-1-area-0.0.0.0]net 10.1.12.2 0.0.0.0 [AR2-ospf-1-area-0.0.0.0]net 10.1.2.2 0.0.0.0 //配置认证 [AR2-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher Huawei@123AR4
//配置ospf 宣告网络 [AR-DHCP]ospf 1 router-id 111.111.111.111 [AR-DHCP-ospf-1]area 0 [AR-DHCP-ospf-1-area-0.0.0.0]net 10.1.14.4 0.0.0.0 //配置认证 [AR-DHCP-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher Huawei@123SW1
//配置ospf 宣告网络 [SW1]ospf 1 router-id 11.11.11.11 [SW1-ospf-1]area 0 [SW1-ospf-1-area-0.0.0.0]net 10.1.100.10 0.0.0.0 [SW1-ospf-1-area-0.0.0.0]net 10.1.102.10 0.0.0.0 //配置认证 [SW1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher Huawei@123 //引入直连网段 [SW2-ospf-1]import-route directSW2
//配置ospf 宣告网络 [SW2]ospf 1 router-id 22.22.22.22 [SW2-ospf-1]area 0 [SW2-ospf-1-area-0.0.0.0]net 10.1.103.10 0.0.0.0 [SW2-ospf-1-area-0.0.0.0]net 10.1.104.10 0.0.0.0 //配置认证 [SW2-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher Huawei@123 //引入直连网段 [SW2-ospf-1]import-route direct -
配置dhcp
AR4
[AR-DHCP]dhcp enable # ip pool VLAN10 gateway-list 192.168.10.254 network 192.168.10.0 mask 255.255.255.0 dns-list 114.114.114.114 domain-name yeslab.net # ip pool VLAN20 gateway-list 192.168.20.254 network 192.168.20.0 mask 255.255.255.0 dns-list 114.114.114.114 domain-name yeslab.net # ip pool VLAN30 gateway-list 192.168.30.254 network 192.168.30.0 mask 255.255.255.0 dns-list 114.114.114.114 domain-name yeslab.net # ip pool VLAN40 gateway-list 192.168.40.254 network 192.168.40.0 mask 255.255.255.0 dns-list 114.114.114.114 domain-name yeslab.net # interface GigabitEthernet0/0/0 ip address 10.1.14.4 255.255.255.0 dhcp select global # -
下配置dhcp中继
SW1
//使能dhcp [SW1]dhcp enable //vlanif 10下配dhcp中继 [SW1]int Vlanif 10 [SW1-Vlanif10]dhcp select relay //一定要能ping通!上面ar-dhcp没加入ospf时也可以指一条静态路由到AR1的e3/0/0口 [SW1-Vlanif10]dhcp relay server-ip 10.1.14.4 //vlanif 30下配dhcp中继 [SW1]int Vlanif 30 [SW1-Vlanif30]dhcp select relay [SW1-Vlanif30]dhcp relay server-ip 10.1.14.4SW2
//使能dhcp [SW2]dhcp enable //vlanif 20下配dhcp中继 [SW2]int Vlanif 20 [SW2-Vlanif20]dhcp select relay [SW2-Vlanif20] dhcp relay server-ip 10.1.14.4 //vlanif 40下配dhcp中继 [SW2]int vlanif 40 [SW2-Vlanif40]dhcp select relay [SW2-Vlanif40] dhcp relay server-ip 10.1.14.4
扫一扫
4万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
