// Section: wireless controller AC1. Covers management VLAN 111, AP onboarding and one SSID/VAP.
配置AC
AC1
// "v b" and "dh en" are presumably CLI shorthand for "vlan batch" and "dhcp enable" (TODO confirm on the target VRP version).
[AC1]v b 111
[AC1]dh en
#
interface GigabitEthernet0/0/1
port link-type trunk
// NOTE(review): the trunk passes VLANs 2-4094, far more than the VLANs named on this page (111, 100, 101).
// Allowing only the VLANs in use keeps unrelated broadcast domains off the AC uplink.
port trunk allow-pass vlan 2 to 4094
#
interface Vlanif111
ip address 192.168.111.254 255.255.255.0
// Vlanif111 answers DHCP from its own subnet; the next note line says AP1~3 obtain their addresses at this point.
// NOTE(review): no DHCP snooping or rogue-server protection is shown for VLAN 111 (confirm on the access switches).
dhcp select interface
#
AP1~3获取到ip地址
AC1
// CAPWAP is sourced from Vlanif 111.
[AC1]capwap source interface Vlanif 111
[AC1]wlan
[AC1-wlan-view]ap-group name ap
// APs are admitted by MAC address. The ap-id lines below carry no MAC, so the page does not show which devices are allowed.
// NOTE(review): a MAC is an easily copied identifier; serial-number auth (sn-auth) is worth considering outside a lab.
[AC1-wlan-view]ap auth-mode mac-auth
// Add the APs to the AP group.
[AC1-wlan-ap-view]ap-id 0
[AC1-wlan-ap-0]ap-name ap0
[AC1-wlan-ap-0]ap-group ap
[AC1-wlan-ap-0]ap-id 1
[AC1-wlan-ap-1]ap-name ap1
[AC1-wlan-ap-1]ap-group ap
[AC1-wlan-ap-1]ap-id 2
[AC1-wlan-ap-2]ap-name ap2
[AC1-wlan-ap-2]ap-group ap
// Service VLAN pool.
// NOTE(review): VLANs 100 and 101 are not in the "v b 111" line above; confirm where they are created.
[AC1]vlan pool pool1
[AC1-vlan-pool-pool1]vlan 100 101
// Create the SSID profile (the SSID name itself is not set on this page).
[AC1-wlan-view]ssid-profile name ssid1
// Create the security profile sec1/HUAWEI@123.
// NOTE(review): no key-setting command appears under the profile here, so as written sec1 may stay at its default
// (open authentication, as far as I know; confirm). Set the policy explicitly, for example:
//   security wpa2 psk pass-phrase <passphrase> aes
// HUAWEI@123 is a vendor-name pattern common in lab guides. Use a unique passphrase on real networks and keep it out of shared notes.
[AC1-wlan-view]security-profile name sec1
// Create the VAP profile.
[AC1-wlan-view]vap-profile name vap1
// Forwarding mode: direct forwarding.
[AC1-wlan-vap-prof-vap1]forward-mode direct-forward
// Bind the SSID profile.
[AC1-wlan-vap-prof-vap1]ssid-profile ssid1
// Bind the security profile.
[AC1-wlan-vap-prof-vap1]security-profile sec1
// Bind the service VLAN pool.
[AC1-wlan-vap-prof-vap1]service-vlan vlan-pool pool1
// Bind the regulatory domain profile.
[AC1-wlan-ap-group-ap]regulatory-domain-profile default
// Bind the VAP profile to all radios.
[AC1-wlan-ap-group-ap]vap-profile vap1 wlan 1 radio all
sta连接
// Section: firewall FW1. Covers interfaces, zones, OSPF towards the inside, default route, source NAT and one permit policy.
配置防火墙
FW1
// NOTE(review): the line below records the factory default admin/Admin@123 and its replacement admin/Huawei@123.
// The replacement follows the same vendor-name pattern used in lab guides. On a real device use a unique, long password
// and do not store it in configuration notes.
默认用户 admin/Admin@123,先修改用户密码admin/Huawei@123
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.35.5 255.255.255.0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.45.5 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.15.5 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.1.51.5 255.255.255.0
#
// Configure security zones.
#
firewall zone trust
set priority 85
// NOTE(review): GigabitEthernet0/0/0 has no interface configuration on this page. It is presumably the management port;
// confirm it belongs in the same zone as the user-facing interfaces.
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
#
#
// OSPF runs only on the two trust-side addresses and advertises a default route inward.
// NOTE(review): no OSPF authentication is configured here. Add area or interface authentication so that an unauthenticated
// neighbour on 10.1.35.0/24 or 10.1.45.0/24 cannot inject routes.
ospf 1
default-route-advertise
area 0.0.0.0
network 10.1.35.5 0.0.0.0
network 10.1.45.5 0.0.0.0
#
// Default route towards the egress (next hop 10.1.51.1).
[FW1]ip route-static 0.0.0.0 0 10.1.51.1
// Configure NAT.
[FW1]nat-policy
#
rule name rule1
source-zone trust
destination-zone untrust
// Traffic to 192.168.103.0/24, 192.168.104.0/24 and 192.168.105.0/24 is excluded from source NAT and keeps its original source address.
destination-address-exclude 192.168.103.0 mask 255.255.255.0
destination-address-exclude 192.168.104.0 mask 255.255.255.0
destination-address-exclude 192.168.105.0 mask 255.255.255.0
action source-nat easy-ip
#
// Configure the security policy.
// NOTE(review): the rule permits all traffic from trust to untrust, with no source address, destination address or service match.
// Narrow it to the internal prefixes and services actually required. No rule for untrust to trust or for the local zone
// (management, OSPF) appears on this page; confirm those rely on the intended defaults.
#
security-policy
rule name trust_to_untrust
source-zone trust
destination-zone untrust
action permit
#
// Section: provider routers PE-1, P-3 and PE-2. Covers interface addressing and the OSPF underlay.
配置PE1~3
PE-1
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
// NOTE(review): the MPLS section later on this page re-addresses this interface as 10.1.15.1, and FW1 GE1/0/2 is 10.1.15.5.
// 192.168.15.1 may be a typo for 10.1.15.1; confirm against the topology.
interface GigabitEthernet0/0/0
ip address 192.168.15.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.13.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.1.51.1 255.255.255.0
#
// OSPF for reachability across the public (provider) network.
#
ospf 1 router-id 11.11.11.11
area 0.0.0.0
// The wildcard 255.255.255.255 matches every interface address, so OSPF is enabled on all interfaces of this router,
// including those facing FW1 (10.1.51.1 and GigabitEthernet0/0/0).
// NOTE(review): list only the core-facing networks or make the edge interfaces silent, and add OSPF authentication.
// None is shown for any of the three routers.
network 0.0.0.0 255.255.255.255
#
P-3
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet0/0/1
ip address 10.1.13.3 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 10.1.23.3 255.255.255.0
#
#
ospf 1 router-id 33.33.33.33
area 0.0.0.0
// Same match-all network statement as on PE-1.
network 0.0.0.0 255.255.255.255
#
PE-2
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface GigabitEthernet0/0/0
ip address 10.1.23.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.26.2 255.255.255.0
#
#
ospf 1 router-id 22.22.22.22
area 0.0.0.0
// Same match-all network statement; on PE-2 it also covers the 10.1.26.0/24 link on GigabitEthernet0/0/1.
network 0.0.0.0 255.255.255.255
#
// Section: MPLS and LDP on the core links, plus the VPN instances on the two PEs.
// NOTE(review): no LDP session authentication is configured anywhere in this section, and the MP-BGP (VPNv4) peering
// that would carry the VPN routes between PE-1 and PE-2 does not appear on this page.
配置MPLS
PE-1
[PE-1]mpls lsr-id 1.1.1.1
[PE-1]mpls
[PE-1-mpls]mpls ldp
[PE-1-GigabitEthernet0/0/1]mpls
[PE-1-GigabitEthernet0/0/1]mpls ldp
[PE-1]ip vpn-instance vpna
[PE-1-vpn-instance-vpna]route-distinguisher 1:1
// The prompt shows the IPv4 address-family view; the command that enters it is not listed.
// vpna uses route target 100:100, the same value as vpnb on PE-2, so the two instances are intended to exchange routes.
[PE-1-vpn-instance-vpna-af-ipv4]vpn-target 100:100
#
interface GigabitEthernet0/0/0
// On VRP, binding an interface to a VPN instance removes its existing IP address configuration, so the address is set again afterwards.
ip binding vpn-instance vpna
ip address 10.1.15.1 255.255.255.0
#
P-3
[P-3]mpls lsr-id 3.3.3.3
[P-3]mpls
[P-3-mpls]mpls ldp
[P-3-GigabitEthernet0/0/1]mpls
[P-3-GigabitEthernet0/0/1]mpls ldp
[P-3-GigabitEthernet0/0/0]mpls
[P-3-GigabitEthernet0/0/0]mpls ldp
PE-2
[PE-2]mpls lsr-id 2.2.2.2
[PE-2]mpls
[PE-2-mpls]mpls ldp
[PE-2-GigabitEthernet0/0/0]mpls
[PE-2-GigabitEthernet0/0/0]mpls ldp
[PE-2]ip vpn-instance vpnb
[PE-2-vpn-instance-vpnb]route-distinguisher 2:2
[PE-2-vpn-instance-vpnb-af-ipv4]vpn-target 100:100
// Remove the address from the physical port so the dot1q sub-interfaces below can carry the addressing.
[PE-2-GigabitEthernet0/0/1]undo ip add
#
// NOTE(review): 10.1.26.2 is assigned on GigabitEthernet0/0/1.26 (no VPN binding) and again on GigabitEthernet0/0/0.26
// (bound to vpnb). The GE0/0/0.x sub-interfaces sit on the port addressed 10.1.23.2 towards P-3 earlier on this page,
// so they may be typos for GE0/0/1.x. Confirm which stanzas are final: an unbound sub-interface would place the
// CE-facing link in the public routing table instead of the VPN.
interface GigabitEthernet0/0/1.26
dot1q termination vid 26
ip address 10.1.26.2 255.255.255.0
arp broadcast enable
#
#
interface GigabitEthernet0/0/0.62
dot1q termination vid 62
ip address 10.1.62.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/0.26
dot1q termination vid 26
ip binding vpn-instance vpnb
ip address 10.1.26.2 255.255.255.0
arp broadcast enable
#
// Section: branch-site ports on CE-6, SW9 and SW12.
配置分部端口
CE-6
#
// Two dot1q sub-interfaces (VLAN 62 and VLAN 26) on the uplink; the addresses pair with the 10.1.62.2 and 10.1.26.2 sub-interfaces on PE-2.
interface GigabitEthernet0/0/0.62
dot1q termination vid 62
ip address 10.1.62.6 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/0.26
dot1q termination vid 26
ip address 10.1.26.6 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/1
ip address 192.168.104.254 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.1.69.6 255.255.255.0
#
SW9
// "v b" is presumably shorthand for "vlan batch" (TODO confirm).
[SW9]v b 10 20 69 103 105
#
interface Vlanif69
ip address 10.1.69.9 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 69
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
#
interface Vlanif103
ip address 192.168.103.254 255.255.255.0
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 105
#
SW12
[SW12]v b 105 30 40
#
// Host-facing access ports are marked as STP edge ports.
// NOTE(review): no BPDU protection is shown on SW12 (e.g. global "stp bpdu-protection"). Without it, a device plugged into
// an edge port can still send BPDUs and take part in spanning tree.
interface GigabitEthernet0/0/1
port link-type access
port default vlan 30
stp edged-port enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 30
stp edged-port enable
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 40
stp edged-port enable
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 40
stp edged-port enable
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 105
#
// Section: VLAN aggregation on SW9. VLAN 103 is the super-VLAN; VLANs 10 and 20 are its sub-VLANs and share the Vlanif103 gateway.
VLAN聚合
SW9
#
vlan 103
aggregate-vlan
access-vlan 10 20
#
// Enable DHCP on Vlanif103.
// NOTE(review): the interface-based DHCP server here and on Vlanif105 has no DHCP snooping shown on the access ports.
// Consider enabling it so that only these gateways can answer client requests.
[SW9]dhcp en
[SW9]int vlan 103
[SW9-Vlanif103]dhcp select interface
#
interface Vlanif105
ip address 192.168.105.254 255.255.255.0
dhcp select interface
#
pc获取到ip地址
// Section: MUX VLAN on SW12. The note below says VLAN 30 is isolated and VLAN 40 hosts can reach each other and the internet.
MUX-VLAN
SW12
vlan30隔离,vlan40互通internet
[SW12-vlan105]mux-vlan
#
// VLAN 105 is the principal VLAN, VLAN 30 the separate (isolated) subordinate VLAN, and VLAN 40 the group subordinate VLAN.
vlan 105
mux-vlan
subordinate separate 30
subordinate group 40
#
// MUX VLAN is enabled on each member port: GE0/0/1-2 (VLAN 30), GE0/0/3-4 (VLAN 40) and GE0/0/5 (VLAN 105).
// NOTE(review): the isolation is enforced only on ports where this command is present. Any port later added to
// VLAN 30 or 40 without it would presumably bypass the separation; verify after each change.
[SW12-GigabitEthernet0/0/1]port mux-vlan en
[SW12-GigabitEthernet0/0/2]port mux-vlan en
[SW12-GigabitEthernet0/0/3]port mux-vlan en
[SW12-GigabitEthernet0/0/4]port mux-vlan en
[SW12-GigabitEthernet0/0/5]port mux-vlan en
// Section: IS-IS between CE-6 and SW9 (process 1, area 49.0000).
// NOTE(review): no IS-IS authentication is configured on either device. IS-IS is also enabled on interfaces that carry
// user subnets (CE-6 GE0/0/1 with 192.168.104.254, SW9 Vlanif103 and Vlanif105). Add interface or area authentication and
// make user-facing interfaces passive, so that hosts on those segments cannot form adjacencies.
ISIS
CE6
#
isis 1
network-entity 49.0000.0000.0006.00
#
// "isis en" and "is en" are presumably shorthand for "isis enable" (TODO confirm).
[CE-6-GigabitEthernet0/0/1]isis en
[CE-6-GigabitEthernet0/0/2]is en
SW9
#
isis 1
network-entity 49.0000.0000.0009.00
#
[SW9-Vlanif69]is en
[SW9-Vlanif103]is en
[SW9-Vlanif105]is en