PART1 Deployment approach (bottom-up)
Enable LLDP on all ACC, AGG and core devices
1. ACC devices
1. Deploy VLAN 100 on ACC1 and ACC2
vlan 100
2. Create an Eth-Trunk, set its mode to LACP, add the member ports, set the Eth-Trunk link type to trunk allowing VLAN 100, and enable Layer 2 protocol tunnelling of dot1x (EAPOL) frames on the Eth-Trunk, so that the AGG, where the authentication profile is applied, acts as the authenticator. The user-defined protocol is declared once in system view; the enable command is per interface.
l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 (system view; note: if 0100-0000-0002 has no effect, try 0100-0ccd-0002)
interface Eth-Trunk1
mode lacp-static
port link-type trunk
port trunk allow-pass vlan 100
l2protocol-tunnel user-defined-protocol dot1x enable
3. Select ports 1-20 and enable Layer 2 dot1x tunnelling on them
interface range GigabitEthernet0/0/1 to GigabitEthernet0/0/20
l2protocol-tunnel user-defined-protocol dot1x enable
4. If an AP hangs below the ACC, configure the AP-facing interface as an access port in VLAN 100
interface GigabitEthernet0/0/22
port link-type access
port default vlan 100
2. AGG devices
1. Create the VLANs: on AGG1, 11-15 (wire_market1-5), 21-25 (wire_procue1-5) and 208 (link to the core); on AGG2, 31-35 (wire_finance1-5), 41-45 (wire_hr1-5) and 209 (link to the core). Both also need VLAN 100 (AP management).
vlan batch 11 to 15 21 to 25 100 208
vlan batch 31 to 35 41 to 45 100 209
2. Create one VLAN pool per department and enable DHCP (first block AGG1, second block AGG2)
vlan pool market
vlan 11 to 15
vlan pool procure
vlan 21 to 25
dhcp enable
vlan pool finance
vlan 31 to 35
vlan pool hr
vlan 41 to 45
dhcp enable
3. Create the Eth-Trunks: the ones facing the ACCs are hybrid, tagging the department VLANs (11-15 and 21-25 on AGG1; 31-35 and 41-45 on AGG2) plus VLAN 100; the one facing the core is trunk, allowing VLAN 100 and 208 (AGG1) or 100 and 209 (AGG2). First three blocks are AGG1, the next three AGG2.
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 208
mode lacp-static
interface Eth-Trunk2
port link-type hybrid
port hybrid tagged vlan 11 to 15 21 to 25 100
mode lacp-static
interface Eth-Trunk3
port link-type hybrid
port hybrid tagged vlan 11 to 15 21 to 25 100
mode lacp-static
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 209
mode lacp-static
interface Eth-Trunk2
port link-type hybrid
port hybrid tagged vlan 31 to 35 41 to 45 100
mode lacp-static
interface Eth-Trunk3
port link-type hybrid
port hybrid tagged vlan 31 to 35 41 to 45 100
mode lacp-static
4. Configure the LoopBack0 address, the service VLANIF addresses and the Vlanif208/209 addresses. Each service VLANIF relays DHCP to the core's interconnect address (10.1.200.29 for AGG1, 10.1.200.33 for AGG2). AGG1 first, then AGG2.
interface LoopBack0
ip address 10.1.0.6 255.255.255.255
interface Vlanif208
ip address 10.1.200.30 255.255.255.252
interface Vlanif11
ip address 10.1.11.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif12
ip address 10.1.12.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif13
ip address 10.1.13.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif14
ip address 10.1.14.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif15
ip address 10.1.15.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif21
ip address 10.1.21.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif22
ip address 10.1.22.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif23
ip address 10.1.23.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif24
ip address 10.1.24.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif25
ip address 10.1.25.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface LoopBack0
ip address 10.1.0.7 255.255.255.255
interface Vlanif209
ip address 10.1.200.34 255.255.255.252
interface Vlanif31
ip address 10.1.31.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif32
ip address 10.1.32.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif33
ip address 10.1.33.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif34
ip address 10.1.34.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif35
ip address 10.1.35.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif41
ip address 10.1.41.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif42
ip address 10.1.42.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif43
ip address 10.1.43.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif44
ip address 10.1.44.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif45
ip address 10.1.45.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.200.33
5. OSPF 1 area 1: advertise the loopback, the interconnect with the core and the service segments (AGG1 first, then AGG2)
ospf 1 router-id 10.1.0.6
area 0.0.0.1
network 10.1.0.6 0.0.0.0
network 10.1.200.30 0.0.0.0
network 10.1.11.254 0.0.0.0
network 10.1.12.254 0.0.0.0
network 10.1.13.254 0.0.0.0
network 10.1.14.254 0.0.0.0
network 10.1.15.254 0.0.0.0
network 10.1.21.254 0.0.0.0
network 10.1.22.254 0.0.0.0
network 10.1.23.254 0.0.0.0
network 10.1.24.254 0.0.0.0
network 10.1.25.254 0.0.0.0
ospf 1 router-id 10.1.0.7
area 0.0.0.1
network 10.1.0.7 0.0.0.0
network 10.1.200.34 0.0.0.0
network 10.1.31.254 0.0.0.0
network 10.1.32.254 0.0.0.0
network 10.1.33.254 0.0.0.0
network 10.1.34.254 0.0.0.0
network 10.1.35.254 0.0.0.0
network 10.1.41.254 0.0.0.0
network 10.1.42.254 0.0.0.0
network 10.1.43.254 0.0.0.0
network 10.1.44.254 0.0.0.0
network 10.1.45.254 0.0.0.0
6. Access authentication (NAC). The shared key Huawei@123 is a lab value; whatever is used must match the key configured for this switch on the RADIUS server.
radius-server template Employee
radius-server shared-key cipher Huawei@123
radius-server authentication 10.1.60.2 1812
radius-server accounting 10.1.60.2 1813
radius-server authorization 10.1.60.2 shared-key cipher Huawei@123
aaa
authentication-scheme Employee
authentication-mode radius
accounting-scheme Employee
accounting-mode radius
domain employee
authentication-scheme Employee
accounting-scheme Employee
radius-server Employee
dot1x-access-profile name Employee
mac-access-profile name Employee
authentication-profile name Employee
dot1x-access-profile Employee
mac-access-profile Employee
access-domain employee force
authentication dot1x-mac-bypass
interface Eth-Trunk2
authentication-profile Employee
interface Eth-Trunk3
authentication-profile Employee
aaa
authentication-scheme ap_auth1
authentication-mode none
domain ap_noauthen
authentication-scheme ap_auth1
domain ap_noauthen mac-authen force mac-address … mask ffff-ffff-ffff
7. Access authentication, annotated version
radius-server template Employee // Create a RADIUS server template named Employee.
radius-server shared-key cipher Huawei@123 // Shared key for the RADIUS exchanges; it must be identical to the key configured on the RADIUS server for this client (Huawei@123 is a lab value).
radius-server authentication 10.1.60.2 1812 // RADIUS server address (10.1.60.2) and port (1812) for authentication.
radius-server accounting 10.1.60.2 1813 // RADIUS server address (10.1.60.2) and port (1813) for accounting (recording user sessions).
radius-server authorization 10.1.60.2 shared-key cipher Huawei@123 // Authorization server (10.1.60.2) and its shared key, for server-initiated authorization changes.
aaa // Enter the AAA (authentication, authorization, accounting) view.
authentication-scheme Employee // Create an authentication scheme named Employee.
authentication-mode radius // Authenticate users against the RADIUS server.
accounting-scheme Employee // Create an accounting scheme named Employee.
accounting-mode radius // Send accounting records to the RADIUS server.
domain employee // Create a domain named employee (the unit that ties the schemes and the server template together).
authentication-scheme Employee // Use the Employee authentication scheme in the employee domain.
accounting-scheme Employee // Use the Employee accounting scheme in the employee domain.
radius-server Employee // Use the Employee RADIUS server template in the employee domain.
dot1x-access-profile name Employee // Create an 802.1X access profile named Employee.
mac-access-profile name Employee // Create a MAC authentication access profile named Employee.
authentication-profile name Employee // Create an authentication profile named Employee.
dot1x-access-profile Employee // Bind the Employee 802.1X access profile to this authentication profile.
mac-access-profile Employee // Bind the Employee MAC access profile to this authentication profile.
access-domain employee force // Force every user of this profile into the employee domain, regardless of any domain carried in the user name.
authentication dot1x-mac-bypass // MAC bypass: if 802.1X fails or the client never answers EAP, fall back to MAC authentication.
interface Eth-Trunk2 and interface Eth-Trunk3 // Enter the ACC-facing Eth-Trunk interfaces.
authentication-profile Employee // Apply the Employee authentication profile to the interface.
aaa // Enter the AAA view.
authentication-scheme ap_auth1 // Create an authentication scheme named ap_auth1.
authentication-mode none // Set ap_auth1 to authentication mode none: no authentication is performed.
domain ap_noauthen // Create a domain named ap_noauthen.
authentication-scheme ap_auth1 // Use the ap_auth1 authentication scheme in the ap_noauthen domain.
domain ap_noauthen mac-authen force mac-address … mask ffff-ffff-ffff // Send MAC authentication for the given MAC address (mask ffff-ffff-ffff means an exact match) into the ap_noauthen domain, so the AP behind the access port is admitted without RADIUS.
3. Core device
1. Create VLANs 51-55, 60, 100-105 and 201-209
vlan batch 51 to 55 60 100 to 105 201 to 209
2. Create the VPN instances and enable DHCP
ip vpn-instance Employee
ipv4-family
route-distinguisher 65001:1
ip vpn-instance Guest
ipv4-family
route-distinguisher 65001:2
dhcp enable
3. Create the Eth-Trunks (to AGG1 and AGG2)
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 208
mode lacp-static //already configured earlier
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 100 209
mode lacp-static //already configured earlier
4. Create the address pools
ip pool wire_market1
vpn-instance Employee
gateway-list 10.1.11.254
network 10.1.11.0 mask 255.255.255.0
ip pool wire_market2
vpn-instance Employee
gateway-list 10.1.12.254
network 10.1.12.0 mask 255.255.255.0
ip pool wire_market3
vpn-instance Employee
gateway-list 10.1.13.254
network 10.1.13.0 mask 255.255.255.0
ip pool wire_market4
vpn-instance Employee
gateway-list 10.1.14.254
network 10.1.14.0 mask 255.255.255.0
ip pool wire_market5
vpn-instance Employee
gateway-list 10.1.15.254
network 10.1.15.0 mask 255.255.255.0
ip pool wire_procue1
vpn-instance Employee
gateway-list 10.1.21.254
network 10.1.21.0 mask 255.255.255.0
ip pool wire_procue2
vpn-instance Employee
gateway-list 10.1.22.254
network 10.1.22.0 mask 255.255.255.0
ip pool wire_procue3
vpn-instance Employee
gateway-list 10.1.23.254
network 10.1.23.0 mask 255.255.255.0
ip pool wire_procue4
vpn-instance Employee
gateway-list 10.1.24.254
network 10.1.24.0 mask 255.255.255.0
ip pool wire_procue5
vpn-instance Employee
gateway-list 10.1.25.254
network 10.1.25.0 mask 255.255.255.0
ip pool wire_finance1
vpn-instance Employee
gateway-list 10.1.31.254
network 10.1.31.0 mask 255.255.255.0
ip pool wire_finance2
vpn-instance Employee
gateway-list 10.1.32.254
network 10.1.32.0 mask 255.255.255.0
ip pool wire_finance3
vpn-instance Employee
gateway-list 10.1.33.254
network 10.1.33.0 mask 255.255.255.0
ip pool wire_finance4
vpn-instance Employee
gateway-list 10.1.34.254
network 10.1.34.0 mask 255.255.255.0
ip pool wire_finance5
vpn-instance Employee
gateway-list 10.1.35.254
network 10.1.35.0 mask 255.255.255.0
ip pool wire_hr1
vpn-instance Employee
gateway-list 10.1.41.254
network 10.1.41.0 mask 255.255.255.0
ip pool wire_hr2
vpn-instance Employee
gateway-list 10.1.42.254
network 10.1.42.0 mask 255.255.255.0
ip pool wire_hr3
vpn-instance Employee
gateway-list 10.1.43.254
network 10.1.43.0 mask 255.255.255.0
ip pool wire_hr4
vpn-instance Employee
gateway-list 10.1.44.254
network 10.1.44.0 mask 255.255.255.0
ip pool wire_hr5
vpn-instance Employee
gateway-list 10.1.45.254
network 10.1.45.0 mask 255.255.255.0
ip pool wireless_employee1
vpn-instance Employee
gateway-list 10.1.51.254
network 10.1.51.0 mask 255.255.255.0
ip pool wireless_employee2
vpn-instance Employee
gateway-list 10.1.52.254
network 10.1.52.0 mask 255.255.255.0
ip pool wireless_employee3
vpn-instance Employee
gateway-list 10.1.53.254
network 10.1.53.0 mask 255.255.255.0
ip pool wireless_employee4
vpn-instance Employee
gateway-list 10.1.54.254
network 10.1.54.0 mask 255.255.255.0
ip pool wireless_employee5
vpn-instance Employee
gateway-list 10.1.55.254
network 10.1.55.0 mask 255.255.255.0
ip pool wireless_guest1
vpn-instance Guest
gateway-list 10.1.101.254
network 10.1.101.0 mask 255.255.255.0
ip pool wireless_guest2
vpn-instance Guest
gateway-list 10.1.102.254
network 10.1.102.0 mask 255.255.255.0
ip pool wireless_guest3
vpn-instance Guest
gateway-list 10.1.103.254
network 10.1.103.0 mask 255.255.255.0
ip pool wireless_guest4
vpn-instance Guest
gateway-list 10.1.104.254
network 10.1.104.0 mask 255.255.255.0
ip pool wireless_guest5
vpn-instance Guest
gateway-list 10.1.105.254
network 10.1.105.0 mask 255.255.255.0
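The address plan drives twenty nearly identical Vlanif/relay stanzas on the AGGs (step 4 of the AGG section) and twenty ip pool stanzas on the core (step 4 above); hand-typing them is where range typos creep in. The following Python script is an added example, not part of the original notes and not a Huawei tool: it holds the plan once, emits both sets of stanzas plus the AGG hybrid-tagged lines, and cross-checks that each AGG's relay target is the core's own Vlanif208/209 address. The PLAN, AGG_UPLINK and CORE_VLANIF tables and the helper names are mine; the values in them are copied from the notes.

```python
"""Generate the repetitive per-VLAN configuration for the AGG and core
switches from one address plan, and cross-check the plan.

Added example, not part of the original notes. The plan is copied from the
notes; everything else is derived from it so the wired VLANs cannot drift
apart between devices.
"""
from ipaddress import IPv4Network

# Department -> (VLAN range, AGG that owns it).  Values from the notes.
PLAN = {
    "wire_market":  (range(11, 16), "AGG1"),
    "wire_procue":  (range(21, 26), "AGG1"),
    "wire_finance": (range(31, 36), "AGG2"),
    "wire_hr":      (range(41, 46), "AGG2"),
}
# Per-AGG interconnect VLAN and the DHCP relay target (the core's address on it).
AGG_UPLINK = {"AGG1": (208, "10.1.200.29"), "AGG2": (209, "10.1.200.33")}
# The core's own Vlanif addresses, used to validate the relay targets.
CORE_VLANIF = {208: "10.1.200.29", 209: "10.1.200.33"}


def subnet(vlan):
    """Notes' convention: VLAN n -> 10.1.n.0/24."""
    return IPv4Network(f"10.1.{vlan}.0/24")


def gateway(vlan):
    """Gateway is the .254 address of the VLAN's /24."""
    return str(subnet(vlan).network_address + 254)


def agg_vlanif_config(agg):
    """Vlanif + DHCP relay stanzas for one AGG (step 4 of the AGG section)."""
    _, relay = AGG_UPLINK[agg]
    lines = []
    for vlans, owner in PLAN.values():
        if owner != agg:
            continue
        for v in vlans:
            lines += [f"interface Vlanif{v}",
                      f" ip address {gateway(v)} 255.255.255.0",
                      " dhcp select relay",
                      f" dhcp relay server-ip {relay}"]
    return "\n".join(lines)


def core_pool_config():
    """ip pool stanzas in the Employee VPN instance (step 4 of the core section)."""
    lines = []
    for dept, (vlans, _) in PLAN.items():
        for i, v in enumerate(vlans, start=1):
            net = subnet(v)
            lines += [f"ip pool {dept}{i}",
                      " vpn-instance Employee",
                      f" gateway-list {gateway(v)}",
                      f" network {net.network_address} mask {net.netmask}"]
    return "\n".join(lines)


def agg_hybrid_tagged(agg):
    """The 'port hybrid tagged vlan ...' line for the ACC-facing Eth-Trunks of one AGG."""
    ranges = [f"{r.start} to {r.stop - 1}" for r, owner in PLAN.values() if owner == agg]
    return "port hybrid tagged vlan " + " ".join(ranges) + " 100"


def check_plan():
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    for agg, (uplink_vlan, relay) in AGG_UPLINK.items():
        if CORE_VLANIF.get(uplink_vlan) != relay:
            problems.append(f"{agg}: relay target {relay} is not the core's Vlanif{uplink_vlan}")
    seen = {}
    for dept, (vlans, _) in PLAN.items():
        for v in vlans:
            net = subnet(v)
            if net in seen:
                problems.append(f"VLAN {v} ({dept}) reuses {net} already used by {seen[net]}")
            seen[net] = dept
    return problems


if __name__ == "__main__":
    for agg in AGG_UPLINK:
        print(f"# {agg}\n{agg_hybrid_tagged(agg)}\n{agg_vlanif_config(agg)}\n")
    print(core_pool_config())
    print("plan problems:", check_plan() or "none")
```

Change a relay address or overlap two departments in PLAN and check_plan() names the problem before any stanza is pasted into a device.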
5. Configure the service, loopback and interconnect VLANIF addresses
interface Vlanif51
ip binding vpn-instance Employee
ip address 10.1.51.254 255.255.255.0
dhcp select global
interface Vlanif52
ip binding vpn-instance Employee
ip address 10.1.52.254 255.255.255.0
dhcp select global
interface Vlanif53
ip binding vpn-instance Employee
ip address 10.1.53.254 255.255.255.0
dhcp select global
interface Vlanif54
ip binding vpn-instance Employee
ip address 10.1.54.254 255.255.255.0
dhcp select global
interface Vlanif55
ip binding vpn-instance Employee
ip address 10.1.55.254 255.255.255.0
dhcp select global
interface Vlanif101
ip binding vpn-instance Guest
ip address 10.1.101.254 255.255.255.0
dhcp select global
interface Vlanif102
ip binding vpn-instance Guest
ip address 10.1.102.254 255.255.255.0
dhcp select global
interface Vlanif103
ip binding vpn-instance Guest
ip address 10.1.103.254 255.255.255.0
dhcp select global
interface Vlanif104
ip binding vpn-instance Guest
ip address 10.1.104.254 255.255.255.0
dhcp select global
interface Vlanif105
ip binding vpn-instance Guest
ip address 10.1.105.254 255.255.255.0
dhcp select global
interface LoopBack0
ip address 10.1.0.3 255.255.255.255
#
interface LoopBack1
ip binding vpn-instance Employee
ip address 10.1.0.4 255.255.255.255
#
interface LoopBack2
ip binding vpn-instance Guest
ip address 10.1.0.5 255.255.255.255
interface Vlanif201
ip address 10.1.200.2 255.255.255.252
#
interface Vlanif202
ip address 10.1.200.6 255.255.255.252
#
interface Vlanif203
ip address 10.1.200.9 255.255.255.252
#
interface Vlanif204
ip address 10.1.200.13 255.255.255.252
#
interface Vlanif205
ip address 10.1.200.17 255.255.255.252
#
interface Vlanif206
ip binding vpn-instance Employee
ip address 10.1.200.21 255.255.255.252
#
interface Vlanif207
ip binding vpn-instance Guest
ip address 10.1.200.25 255.255.255.252
#
interface Vlanif208
ip binding vpn-instance Employee
ip address 10.1.200.29 255.255.255.252
dhcp select global
#
interface Vlanif209
ip binding vpn-instance Employee
ip address 10.1.200.33 255.255.255.252
dhcp select global
6. Allow the VLANs on the Layer 2 ports: the two uplinks to the export routers are access ports in VLAN 201 and 202; the port to the AC is a trunk allowing 51-55, 100-105 and 203; the ports to the firewall allow 204-205 and 206-207 respectively, with VLAN 1 removed from both; the port to the server cluster is an access port in VLAN 60
interface GigabitEthernet0/0/1
port link-type access
port default vlan 201
stp edged-port enable //optional, depends on what is pre-configured
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 202
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 51 to 55 100 to 105 203
#
interface GigabitEthernet0/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 204 to 205
#
interface GigabitEthernet0/0/5
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 206 to 207
#
interface GigabitEthernet0/0/6
port link-type access
port default vlan 60
#
7. Configure OSPF 1, the global ("public") OSPF: area 0 holds the core's LoopBack0 and the links to the export routers; area 1 is the Vlanif204 link to the firewall's Employee vsys and rejects the Guest instance routes with an ip-prefix list; area 2 is the Vlanif205 link to the firewall's Guest vsys, is an NSSA, and rejects the Employee instance routes (and the server segment) with an ip-prefix list. The lists are applied with filter ... import in the area view, which controls which inter-area (Type 3) routes are admitted into that area.
ip ip-prefix denyEmployee deny 10.1.60.0 24
ip ip-prefix denyEmployee deny 10.1.11.0 24
ip ip-prefix denyEmployee deny 10.1.12.0 24
ip ip-prefix denyEmployee deny 10.1.13.0 24
ip ip-prefix denyEmployee deny 10.1.14.0 24
ip ip-prefix denyEmployee deny 10.1.15.0 24
ip ip-prefix denyEmployee deny 10.1.21.0 24
ip ip-prefix denyEmployee deny 10.1.22.0 24
ip ip-prefix denyEmployee deny 10.1.23.0 24
ip ip-prefix denyEmployee deny 10.1.24.0 24
ip ip-prefix denyEmployee deny 10.1.25.0 24
ip ip-prefix denyEmployee deny 10.1.31.0 24
ip ip-prefix denyEmployee deny 10.1.32.0 24
ip ip-prefix denyEmployee deny 10.1.33.0 24
ip ip-prefix denyEmployee deny 10.1.34.0 24
ip ip-prefix denyEmployee deny 10.1.35.0 24
ip ip-prefix denyEmployee deny 10.1.41.0 24
ip ip-prefix denyEmployee deny 10.1.42.0 24
ip ip-prefix denyEmployee deny 10.1.43.0 24
ip ip-prefix denyEmployee deny 10.1.44.0 24
ip ip-prefix denyEmployee deny 10.1.45.0 24
ip ip-prefix denyEmployee deny 10.1.51.0 24
ip ip-prefix denyEmployee deny 10.1.52.0 24
ip ip-prefix denyEmployee deny 10.1.53.0 24
ip ip-prefix denyEmployee deny 10.1.54.0 24
ip ip-prefix denyEmployee deny 10.1.55.0 24
ip ip-prefix denyEmployee permit 0.0.0.0 0 less-equal 32
ip ip-prefix denyGuest deny 10.1.101.0 24
ip ip-prefix denyGuest deny 10.1.102.0 24
ip ip-prefix denyGuest deny 10.1.103.0 24
ip ip-prefix denyGuest deny 10.1.104.0 24
ip ip-prefix denyGuest deny 10.1.105.0 24
ip ip-prefix denyGuest permit 0.0.0.0 0 less-equal 32
ospf 1 router-id 10.1.0.3
area 0.0.0.0
network 10.1.0.3 0.0.0.0
network 10.1.200.2 0.0.0.0
network 10.1.200.6 0.0.0.0
area 0.0.0.1
filter ip-prefix denyGuest import //configured later
network 10.1.200.13 0.0.0.0
area 0.0.0.2
nssa
filter ip-prefix denyEmployee import //configured later
network 10.1.200.17 0.0.0.0
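How the two ip-prefix lists actually filter is worth checking rather than assuming. The script below is an added example, not from the notes and not Huawei code: it models the documented matching rule for ip ip-prefix (an entry without greater-equal/less-equal matches only a route of exactly that mask length, the first matching entry wins, and a route matching no entry is denied) and runs the denyEmployee and denyGuest lists over the site's routes. It also exposes the caveat a practitioner should know: because every deny entry is an exact /24, a more specific route in the same range (say 10.1.11.0/25, or a /32 host route) is not caught and is admitted by the catch-all permit 0.0.0.0 0 less-equal 32. The PrefixEntry, evaluate, build_deny_list and leaked names are mine.

```python
"""Model how Huawei 'ip ip-prefix' entries match a route and check what the
denyEmployee / denyGuest lists from the notes let through.

Added example, not part of the original notes.  Matching rule implemented:
an entry 'deny 10.1.11.0 24' matches a route inside 10.1.11.0/24 whose mask
length is exactly 24 unless greater-equal / less-equal widens the range;
the first matching entry decides; no match means deny.
"""
from ipaddress import IPv4Network


class PrefixEntry:
    def __init__(self, action, prefix, ge=None, le=None):
        self.action = action                    # "permit" or "deny"
        self.net = IPv4Network(prefix)          # e.g. "10.1.11.0/24"
        self.ge = ge if ge is not None else self.net.prefixlen
        self.le = le if le is not None else self.ge

    def matches(self, route):
        return route.subnet_of(self.net) and self.ge <= route.prefixlen <= self.le


def evaluate(entries, route):
    """First matching entry wins; a route that matches nothing is denied."""
    route = IPv4Network(route)
    for e in entries:
        if e.matches(route):
            return e.action
    return "deny"


def build_deny_list(subnets):
    """Same shape as the notes' lists: deny each /24, then permit 0.0.0.0 0 less-equal 32."""
    return [PrefixEntry("deny", s) for s in subnets] + \
           [PrefixEntry("permit", "0.0.0.0/0", ge=0, le=32)]


# Subnets from the notes: server segment plus the wired and internal wireless VLANs.
EMPLOYEE_NETS = ["10.1.60.0/24"] + [
    f"10.1.{v}.0/24" for v in
    list(range(11, 16)) + list(range(21, 26)) + list(range(31, 36))
    + list(range(41, 46)) + list(range(51, 56))]
GUEST_NETS = [f"10.1.{v}.0/24" for v in range(101, 106)]

DENY_EMPLOYEE = build_deny_list(EMPLOYEE_NETS)   # applied on area 2 (Guest side)
DENY_GUEST = build_deny_list(GUEST_NETS)         # applied on area 1 (Employee side)


def leaked(entries, routes):
    """Routes that the filter would still admit into the area."""
    return [r for r in routes if evaluate(entries, r) == "permit"]


if __name__ == "__main__":
    # Constructed sample routes: one from each side plus a more specific one.
    for r in ["10.1.11.0/24", "10.1.101.0/24", "10.1.0.8/32", "10.1.11.0/25"]:
        print(f"{r:16} denyEmployee={evaluate(DENY_EMPLOYEE, r):6} "
              f"denyGuest={evaluate(DENY_GUEST, r)}")
    print("Employee nets leaking into area 2:", leaked(DENY_EMPLOYEE, EMPLOYEE_NETS))
    print("Guest nets leaking into area 1:", leaked(DENY_GUEST, GUEST_NETS))
```

If a more specific prefix must also be blocked, the deny entries need greater-equal 24 less-equal 32 (or an ACL-based filter); as written, the lists only protect against the exact /24s that the site advertises today.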
8. Configure OSPF 2, the Employee instance OSPF: in area 1 advertise the Employee loopback, Vlanif206/208/209, the internal wireless user segments and the server segment (the 10.1.60.254 statement assumes a Vlanif60 bound to the Employee instance with that address; it is not listed in step 5)
ospf 2 router-id 10.1.0.4 vpn-instance Employee
vpn-instance-capability simple
area 0.0.0.1 //10 networks
network 10.1.0.4 0.0.0.0
network 10.1.200.21 0.0.0.0
network 10.1.200.29 0.0.0.0
network 10.1.200.33 0.0.0.0
network 10.1.60.254 0.0.0.0
network 10.1.51.254 0.0.0.0
network 10.1.52.254 0.0.0.0
network 10.1.53.254 0.0.0.0
network 10.1.54.254 0.0.0.0
network 10.1.55.254 0.0.0.0
9. Configure OSPF 3, the Guest instance OSPF: area 2 (NSSA) advertises the Guest loopback, Vlanif207 and the guest wireless segments
ospf 3 router-id 10.1.0.5 vpn-instance Guest
vpn-instance-capability simple
area 0.0.0.2 //7 networks
nssa
network 10.1.0.5 0.0.0.0
network 10.1.200.25 0.0.0.0
network 10.1.101.254 0.0.0.0
network 10.1.102.254 0.0.0.0
network 10.1.103.254 0.0.0.0
network 10.1.104.254 0.0.0.0
network 10.1.105.254 0.0.0.0
10. Policy-based routing is not used, yet traffic between the instances must still pass through the firewall. The internal wireless users and the servers both sit in the Employee instance, so the core would forward between them directly; an ACL captures that traffic and traffic-redirect sets its next hop to the firewall's Vlanif204 address (10.1.200.14), so it enters the Employee vsys from untrust and is subject to its policy.
acl number 3000 //match flows from the internal wireless users to the server segment
rule 5 permit ip source 10.1.51.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
rule 10 permit ip source 10.1.52.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
rule 15 permit ip source 10.1.53.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
rule 20 permit ip source 10.1.54.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
rule 25 permit ip source 10.1.55.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
interface Vlanif51
traffic-redirect inbound acl 3000 ip-nexthop 10.1.200.14
interface Vlanif52
traffic-redirect inbound acl 3000 ip-nexthop 10.1.200.14
interface Vlanif53
traffic-redirect inbound acl 3000 ip-nexthop 10.1.200.14
interface Vlanif54
traffic-redirect inbound acl 3000 ip-nexthop 10.1.200.14
interface Vlanif55
traffic-redirect inbound acl 3000 ip-nexthop 10.1.200.14
4. AC device
1. Create the internal and guest user VLANs and the VLAN to the core, the VLAN pools for internal and guest users, and allow those VLANs on the uplink interface
vlan batch 51 to 55 100 to 105 203
vlan pool vlan51-55
vlan 51 to 55
vlan pool vlan101-105
vlan 101 to 105
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 51 to 55 100 to 105 203
2. Create the loopback interface and the CAPWAP tunnel source
interface LoopBack0 //usually pre-configured
ip address 10.1.0.11 255.255.255.255
interface Vlanif100 //usually pre-configured; hands out AP addresses in VLAN 100
ip address 10.1.100.254 255.255.255.0
dhcp select interface
interface Vlanif203 //usually pre-configured
ip address 10.1.200.10 255.255.255.252
capwap source interface vlanif203
3. Create the security profiles (both SSIDs use the lab PSK Huawei@123 here; in a real deployment the employee and guest SSIDs must not share a pre-shared key)
security-profile name guest
security wpa-wpa2 psk pass-phrase Huawei@123 aes
security-profile name employee
security wpa-wpa2 psk pass-phrase Huawei@123 aes
4. Create the SSID profiles
ssid-profile name guest
ssid X_Guest_001
ssid-profile name employee
ssid X_Employee_001
5. Create the VAP profiles and bind the security and SSID profiles created above
vap-profile name guest
forward-mode tunnel
service-vlan vlan-pool vlan101-105
ssid-profile guest
security-profile guest
vap-profile name employee
forward-mode tunnel
service-vlan vlan-pool vlan51-55
ssid-profile employee
security-profile employee
6. Create the regulatory-domain profile and the AP group; bind the regulatory-domain profile and the VAP profiles to the AP group
regulatory-domain-profile name datacom //optional, the default country code is CN
ap-group name X
regulatory-domain-profile datacom //optional, the default regulatory-domain profile is used otherwise
vap-profile employee wlan 1 radio all
vap-profile guest wlan 2 radio all
7. Add the APs to the AP group
ap-id 0 ap-mac … //the AP MAC can be read from the MAC address table on the ACC
ap-name X_T1_AP1
ap-group X
ap-id 1 ap-mac … //the AP MAC can be read from the MAC address table on the ACC
ap-name X_T2_AP1
ap-group X
5. Firewall
1. Create VLANs 204-207, enable virtual systems, create the loopback interfaces
vlan batch 204 to 207
vsys enable
interface LoopBack1
interface LoopBack2
2. Create the virtual systems and assign the loopbacks and VLANs to them
vsys name Employee 1
assign interface LoopBack1
assign vlan 204
assign vlan 206
vsys name Guest 2
assign interface LoopBack2
assign vlan 205
assign vlan 207
3. Change the interfaces to the core switch into Layer 2 ports and allow the VLANs: 1/0/1 allows 204-205, 1/0/2 allows 206-207, VLAN 1 removed from both
interface GigabitEthernet1/0/1
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 204 to 205
#
interface GigabitEthernet1/0/2
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 206 to 207
4. Configure the loopback and VLANIF addresses
interface LoopBack1
ip address 10.1.0.8 255.255.255.255
#
interface LoopBack2
ip address 10.1.0.9 255.255.255.255
#
interface Vlanif204
ip address 10.1.200.14 255.255.255.252
#
interface Vlanif205
ip address 10.1.200.18 255.255.255.252
#
interface Vlanif206
ip address 10.1.200.22 255.255.255.252
#
interface Vlanif207
ip address 10.1.200.26 255.255.255.252
5. Configure OSPF for Employee and Guest: OSPF 2 area 1 advertises the Employee loopback and the Vlanif204 and 206 addresses; OSPF 3 area 2 advertises the Guest loopback and Vlanif205 and 207, and is configured as an NSSA
ospf 2 router-id 10.1.0.8 vpn-instance Employee
vpn-instance-capability simple
area 0.0.0.1
network 10.1.0.8 0.0.0.0
network 10.1.200.14 0.0.0.0
network 10.1.200.22 0.0.0.0
ospf 3 router-id 10.1.0.9 vpn-instance Guest
vpn-instance-capability simple
area 0.0.0.2
nssa
network 10.1.0.9 0.0.0.0
network 10.1.200.18 0.0.0.0
network 10.1.200.26 0.0.0.0
6. Virtual-if addresses and static routes between the two virtual systems: the Guest vsys routes 10.1.60.99/32 into the Employee vsys, and the Employee vsys routes the guest segments back into the Guest vsys so the return traffic has a path
interface Virtual-if1 //belongs to the Employee vsys by default
ip address 10.1.200.253 255.255.255.255 //the address may differ
interface Virtual-if2 //belongs to the Guest vsys by default
ip address 10.1.200.254 255.255.255.255 //the address may differ
#
ip route-static vpn-in Guest 10.1.60.99 255.255.255.255 vpn-in Employee
ip route-static vpn-in Employee 10.1.101.0 255.255.255.0 vpn-in Guest
ip route-static vpn-in Employee 10.1.102.0 255.255.255.0 vpn-in Guest
ip route-static vpn-in Employee 10.1.103.0 255.255.255.0 vpn-in Guest
ip route-static vpn-in Employee 10.1.104.0 255.255.255.0 vpn-in Guest
ip route-static vpn-in Employee 10.1.105.0 255.255.255.0 vpn-in Guest
7. In the Employee virtual firewall configure the address sets and service set, the security zones (Vlanif206 is trust; Vlanif204 and Virtual-if1 are untrust, so traffic arriving from the Guest vsys is evaluated by the untrust-to-trust rules) and the security policy
switch vsys Employee
ip address-set market type group
address 0 10.1.11.0 mask 24
address 1 10.1.12.0 mask 24
address 2 10.1.13.0 mask 24
address 3 10.1.14.0 mask 24
address 4 10.1.15.0 mask 24
#
ip address-set purchase type group
address 0 10.1.21.0 mask 24
address 1 10.1.22.0 mask 24
address 2 10.1.23.0 mask 24
address 3 10.1.24.0 mask 24
address 4 10.1.25.0 mask 24
#
ip address-set inWlan type group
address 0 10.1.51.0 mask 24
address 1 10.1.52.0 mask 24
address 2 10.1.53.0 mask 24
address 3 10.1.54.0 mask 24
address 4 10.1.55.0 mask 24
#
ip address-set outWlan type group
address 0 10.1.101.0 mask 24
address 1 10.1.102.0 mask 24
address 2 10.1.103.0 mask 24
address 3 10.1.104.0 mask 24
address 4 10.1.105.0 mask 24
#
ip service-set Guest_Service type object 16
service 0 protocol tcp destination-port 3389
firewall zone trust
add interface Vlanif206
firewall zone untrust
add interface Virtual-if1
add interface Vlanif204
security-policy
rule name per_ospf_in
source-zone trust
source-zone untrust
destination-zone local
service ospf
action permit
rule name per_ospf_out
source-zone local
destination-zone trust
destination-zone untrust
service ospf
action permit
rule name per_unt_tS101 //Internet users may reach the HTTP service on 10.1.60.101
source-zone untrust
destination-zone trust
destination-address 10.1.60.101 mask 255.255.255.255
service http
action permit
rule name per_untIW_tS100 //internal wireless users may reach 10.1.60.100
source-zone untrust
destination-zone trust
source-address address-set inWlan
destination-address 10.1.60.100 mask 255.255.255.255
action permit
rule name per_untOW_tS99 //guest wireless users may reach 10.1.60.99 (RDP only, via Guest_Service)
source-zone untrust
destination-zone trust
source-address address-set outWlan
destination-address 10.1.60.99 mask 255.255.255.255
service Guest_Service
action permit
rule name deny_untIWOW_tS //internal and guest wireless users may not reach the other servers; this rule must stay below the three permits above
source-zone untrust
destination-zone trust
source-address address-set inWlan
source-address address-set outWlan
destination-address 10.1.60.0 mask 255.255.255.0
action deny
rule name per_tMPIW_untInter //market, purchase and internal wireless users may reach the Internet
source-zone trust
destination-zone untrust
source-address address-set inWlan
source-address address-set market
source-address address-set purchase
action permit
8. In the Guest virtual firewall configure the address set and service set, the security zones (Vlanif207 is trust; Vlanif205 and Virtual-if2 are untrust) and the security policy
switch vsys Guest
ip address-set outWlan type group
address 0 10.1.101.0 mask 24
address 1 10.1.102.0 mask 24
address 2 10.1.103.0 mask 24
address 3 10.1.104.0 mask 24
address 4 10.1.105.0 mask 24
#
ip service-set Guest_Service type object 17
service 0 protocol tcp destination-port 3389
firewall zone trust
add interface Vlanif207
firewall zone untrust
add interface Virtual-if2
add interface Vlanif205
security-policy
rule name per_ospf_in
source-zone trust
source-zone untrust
destination-zone local
service ospf
action permit
rule name per_ospf_out
source-zone local
destination-zone trust
destination-zone untrust
service ospf
action permit
rule name per_tOW_untS99 //guest wireless users may reach 10.1.60.99 (RDP only)
source-zone trust
destination-zone untrust
source-address address-set outWlan
destination-address 10.1.60.99 mask 255.255.255.255
service Guest_Service
action permit
rule name deny_tOW_untS //guest wireless users may not reach the other servers
source-zone trust
destination-zone untrust
source-address address-set outWlan
destination-address 10.1.60.0 mask 255.255.255.0
action deny
rule name per_tOW_untInter //guest wireless users may reach the Internet
source-zone trust
destination-zone untrust
source-address address-set outWlan
action permit
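Both policies are first-match lists, so the deny rules only behave as intended because the narrow permits precede them. The script below is an added example, not from the notes and not USG code: it encodes the Employee and Guest vsys rules (sections 7 and 8) in the notes' order and evaluates constructed sample flows. Ingress and egress zones are given as inputs, standing in for the firewall's interface- and route-based zone lookup; the rule, evaluate, in_sets and move_rule helpers and the sample flows are mine. Running it also makes visible what the policy as written does not permit: finance and hr wired users have no Internet rule in the Employee vsys, and anything unmatched falls to the default deny.

```python
"""First-match evaluation of the Employee and Guest vsys security policies
from the notes, run over constructed sample flows.

Added example, not part of the original notes.  Zone and address-set names
are the ones used in the notes; zones are passed in by the caller instead of
being derived from interfaces and routes as the firewall would do.
"""
from ipaddress import IPv4Address, IPv4Network

ADDR_SETS = {
    "market":   [f"10.1.{v}.0/24" for v in range(11, 16)],
    "purchase": [f"10.1.{v}.0/24" for v in range(21, 26)],
    "inWlan":   [f"10.1.{v}.0/24" for v in range(51, 56)],
    "outWlan":  [f"10.1.{v}.0/24" for v in range(101, 106)],
}
# service name -> (protocol, destination port); None port means any port.
SERVICES = {"http": ("tcp", 80), "ospf": ("ospf", None), "Guest_Service": ("tcp", 3389)}


def in_sets(ip, names):
    return any(IPv4Address(ip) in IPv4Network(n) for s in names for n in ADDR_SETS[s])


def rule(name, src_zones, dst_zones, action, src=(), dst=(), service=None):
    """One security-policy rule; empty src/dst/service means 'any'."""
    return dict(name=name, src_zones=src_zones, dst_zones=dst_zones,
                action=action, src=src, dst=dst, service=service)


# Employee vsys policy in the notes' order.
EMPLOYEE_POLICY = [
    rule("per_ospf_in", {"trust", "untrust"}, {"local"}, "permit", service="ospf"),
    rule("per_ospf_out", {"local"}, {"trust", "untrust"}, "permit", service="ospf"),
    rule("per_unt_tS101", {"untrust"}, {"trust"}, "permit", dst=["10.1.60.101/32"], service="http"),
    rule("per_untIW_tS100", {"untrust"}, {"trust"}, "permit", src=("inWlan",), dst=["10.1.60.100/32"]),
    rule("per_untOW_tS99", {"untrust"}, {"trust"}, "permit", src=("outWlan",), dst=["10.1.60.99/32"], service="Guest_Service"),
    rule("deny_untIWOW_tS", {"untrust"}, {"trust"}, "deny", src=("inWlan", "outWlan"), dst=["10.1.60.0/24"]),
    rule("per_tMPIW_untInter", {"trust"}, {"untrust"}, "permit", src=("inWlan", "market", "purchase")),
]
# Guest vsys policy in the notes' order.
GUEST_POLICY = [
    rule("per_ospf_in", {"trust", "untrust"}, {"local"}, "permit", service="ospf"),
    rule("per_ospf_out", {"local"}, {"trust", "untrust"}, "permit", service="ospf"),
    rule("per_tOW_untS99", {"trust"}, {"untrust"}, "permit", src=("outWlan",), dst=["10.1.60.99/32"], service="Guest_Service"),
    rule("deny_tOW_untS", {"trust"}, {"untrust"}, "deny", src=("outWlan",), dst=["10.1.60.0/24"]),
    rule("per_tOW_untInter", {"trust"}, {"untrust"}, "permit", src=("outWlan",)),
]


def evaluate(policy, src_zone, dst_zone, src_ip, dst_ip, proto, dport=None):
    """Return (rule name, action); unmatched traffic hits the implicit default deny."""
    for r in policy:
        if src_zone not in r["src_zones"] or dst_zone not in r["dst_zones"]:
            continue
        if r["src"] and not in_sets(src_ip, r["src"]):
            continue
        if r["dst"] and not any(IPv4Address(dst_ip) in IPv4Network(n) for n in r["dst"]):
            continue
        if r["service"]:
            want_proto, want_port = SERVICES[r["service"]]
            if proto != want_proto or (want_port is not None and dport != want_port):
                continue
        return r["name"], r["action"]
    return "default", "deny"


def move_rule(policy, name, index):
    """Copy of policy with the named rule moved to position index (to test ordering)."""
    r = next(x for x in policy if x["name"] == name)
    rest = [x for x in policy if x is not r]
    return rest[:index] + [r] + rest[index:]


if __name__ == "__main__":
    # Constructed flows: (policy, src zone, dst zone, src, dst, proto, port)
    flows = [
        (EMPLOYEE_POLICY, "untrust", "trust", "10.1.51.10", "10.1.60.100", "tcp", 443),
        (EMPLOYEE_POLICY, "untrust", "trust", "10.1.51.10", "10.1.60.102", "tcp", 22),
        (EMPLOYEE_POLICY, "untrust", "trust", "10.1.101.5", "10.1.60.99", "tcp", 3389),
        (EMPLOYEE_POLICY, "untrust", "trust", "203.0.113.7", "10.1.60.101", "tcp", 80),
        (EMPLOYEE_POLICY, "trust", "untrust", "10.1.31.9", "8.8.8.8", "tcp", 443),
        (GUEST_POLICY, "trust", "untrust", "10.1.102.3", "10.1.60.100", "tcp", 80),
    ]
    for f in flows:
        print(f[3:], "->", evaluate(*f))
```

Move deny_untIWOW_tS above the three specific permits in EMPLOYEE_POLICY (move_rule does this for a test) and the guest RDP flow to 10.1.60.99 flips to deny, which is the ordering mistake the policy must avoid.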
6. Export (egress) devices
Export1
1. Export1: create VLAN 201
vlan 201
2. Create an ACL that permits everything (the NAT match condition)
acl 2000
rule permit
3. Configure the downlink as a Layer 2 access port with PVID 201, and configure the LoopBack0 and Vlanif201 addresses
interface GigabitEthernet6/0/1 //in the exam usually G0/0/1, normally pre-configured
port link-type access
port default vlan 201
interface LoopBack0
ip address 10.1.0.1 255.255.255.255
interface Vlanif201
ip address 10.1.200.1 255.255.255.252
4. Configure the uplink addresses and use Easy IP (nat outbound without an address group) on both uplinks
interface GigabitEthernet0/0/0 //in the exam usually G0/0/9, normally pre-configured
ip address 10.255.1.1 255.255.255.0
nat outbound 2000
interface GigabitEthernet0/0/2 //in the exam usually G0/0/10, normally pre-configured
ip address 10.255.2.1 255.255.255.0
nat outbound 2000
5. Default routes towards the uplink next hops
ip route-static 0.0.0.0 0.0.0.0 10.255.1.254
ip route-static 0.0.0.0 0.0.0.0 10.255.2.254
6. Form an OSPF adjacency with the core switch below, advertise the loopback and the directly connected link, and originate a default route
ospf 1 router-id 10.1.0.1
default-route-advertise
area 0.0.0.0
network 10.1.0.1 0.0.0.0
network 10.1.200.1 0.0.0.0
Export2
1. Export2: create VLAN 202
vlan 202
2. Create an ACL that permits everything and a NAT address pool
acl 2000
rule permit
nat address-group 1 10.255.4.2 10.255.4.100
3. Configure the downlink as a Layer 2 access port with PVID 202, and configure the LoopBack0 and Vlanif202 addresses
interface GigabitEthernet6/0/1 //in the exam usually G0/0/1
port link-type access
port default vlan 202
interface LoopBack0
ip address 10.1.0.2 255.255.255.255
interface Vlanif202
ip address 10.1.200.5 255.255.255.252
4. Configure the uplink addresses; use dynamic NAT on the uplinks (Easy IP on the first, the address group on the second) and configure NAT Server on the second uplink to publish the web server 10.1.60.101 on port 8081
interface GigabitEthernet0/0/0 //in the exam usually G0/0/9
ip address 10.255.3.1 255.255.255.0
nat outbound 2000
interface GigabitEthernet0/0/2 //in the exam usually G0/0/10
ip address 10.255.4.1 255.255.255.0
nat server protocol tcp global current-interface 8081 inside 10.1.60.101 www
nat outbound 2000 address-group 1
5. Default routes towards the uplink next hops
ip route-static 0.0.0.0 0.0.0.0 10.255.3.254
ip route-static 0.0.0.0 0.0.0.0 10.255.4.254
6. Form an OSPF adjacency with the core switch below, advertise the loopback and the directly connected link, and originate a default route
ospf 1 router-id 10.1.0.2
default-route-advertise
area 0.0.0.0
network 10.1.0.2 0.0.0.0
network 10.1.200.5 0.0.0.0