PART1 Deployment approach (bottom-up)

Enable LLDP on all ACC, AGG and core devices first, so that every link can be verified with display lldp neighbor before the link-specific configuration below is applied.

1. ACC devices

1) Create VLAN 100 on ACC1 and ACC2

vlan 100 

2) Create the Eth-Trunk, set its mode to LACP, add the member ports (the trunkport commands are not shown on the page), set the Eth-Trunk link type to trunk allowing VLAN 100, and enable Layer 2 protocol tunnelling of 802.1X (dot1x) on the Eth-Trunk. The user-defined protocol is declared once in the system view and then enabled per interface: EAPOL frames carry the destination MAC 0180-c200-0003, which an 802.1X-capable switch would otherwise consume itself; the ACC rewrites that destination to the group MAC, forwards the frame transparently, and the AGG, which is the real authenticator, rewrites it back.

l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 // system view; if 0100-0000-0002 has no effect, try 0100-0ccd-0002 instead
interface Eth-Trunk1
mode lacp-static // the LACP mode the step text calls for
port link-type trunk
port trunk allow-pass vlan 100
l2protocol-tunnel user-defined-protocol dot1x enable

3) Select ports 1-20 and enable Layer 2 dot1x tunnelling on them

interface range GigabitEthernet0/0/1 to GigabitEthernet0/0/20
l2protocol-tunnel user-defined-protocol dot1x enable
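
The MAC rewrite that steps 2 and 3 configure, shown as an added example (this is not switch firmware or code from the page): an EAPOL-Start frame is built, passed through the ACC's ingress rewrite, and restored on the AGG side. The EtherType and PAE group MAC are the 802.1X standard values; the tunnel group MAC is the one from the page; the source MAC and the 802.1Q tag handling are assumptions made for the example.

```python
"""What the ACC's l2protocol-tunnel does to 802.1X frames. An EAPOL frame is
addressed to the PAE group MAC 01-80-c2-00-00-03, which every 802.1X-capable
switch consumes itself; the ACC instead rewrites that destination to the
configured group MAC so the frame is forwarded like ordinary multicast, and
the AGG (the real authenticator) rewrites it back. Added example, not switch
firmware; the frames below are constructed and 802.1Q tags are honoured."""
import struct

EAPOL_ETHERTYPE = 0x888E
DOT1Q_ETHERTYPE = 0x8100
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")     # protocol-mac on the page
TUNNEL_GROUP_MAC = bytes.fromhex("010000000002")  # group-mac on the page


def build_eapol_start(src_mac: bytes, vlan: int = 0) -> bytes:
    """EAPOL-Start (version 2, type 1, body length 0), optionally 802.1Q tagged."""
    tag = struct.pack("!HH", DOT1Q_ETHERTYPE, vlan) if vlan else b""
    return PAE_GROUP_MAC + src_mac + tag + struct.pack("!HBBH", EAPOL_ETHERTYPE, 2, 1, 0)


def ethertype(frame: bytes) -> int:
    """EtherType of the payload, looking past one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    et = struct.unpack("!H", frame[12:14])[0]
    if et == DOT1Q_ETHERTYPE:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        et = struct.unpack("!H", frame[16:18])[0]
    return et


def is_eapol_to_pae(frame: bytes) -> bool:
    """True if an 802.1X-aware switch would intercept this frame itself."""
    return frame[:6] == PAE_GROUP_MAC and ethertype(frame) == EAPOL_ETHERTYPE


def tunnel_ingress(frame: bytes) -> bytes:
    """User-port side of the ACC: swap the PAE MAC for the tunnel group MAC.
    Anything that is not EAPOL to the PAE MAC is returned untouched."""
    if is_eapol_to_pae(frame):
        return TUNNEL_GROUP_MAC + frame[6:]
    return frame


def tunnel_egress(frame: bytes) -> bytes:
    """AGG side: restore the PAE MAC so the local 802.1X authenticator sees it."""
    if frame[:6] == TUNNEL_GROUP_MAC and ethertype(frame) == EAPOL_ETHERTYPE:
        return PAE_GROUP_MAC + frame[6:]
    return frame


if __name__ == "__main__":
    f = build_eapol_start(bytes.fromhex("001122334455"), vlan=100)
    print("user port :", f.hex())
    print("on trunk  :", tunnel_ingress(f).hex())
    print("at AGG    :", tunnel_egress(tunnel_ingress(f)).hex())
```

The practical consequence is that the ACC never terminates 802.1X: every host behind it is authenticated by the AGG on the Eth-Trunk, which is why the authentication profile in the AGG section is bound to Eth-Trunk2/3 rather than to ACC access ports.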

4) If an AP hangs off the ACC, configure the AP-facing port as an access port in VLAN 100 (the AP management / CAPWAP VLAN)

interface GigabitEthernet0/0/22
port link-type access
port default vlan 100

2. AGG devices

1) Create the VLANs: AGG1 gets 11-15 (wire_market1-5), 21-25 (wire_procue1-5), 100 and 208 (link to core); AGG2 gets 31-35 (wire_finance1-5), 41-45 (wire_hr1-5), 100 and 209

vlan batch 11 to 15 21 to 25 100 208 // AGG1
vlan batch 31 to 35 41 to 45 100 209 // AGG2

2) Create one VLAN pool per department and enable DHCP. A pool is what a RADIUS authorization can hand back as the user's VLAN, spreading a department's users over its five VLANs.

// AGG1
vlan pool market
 vlan 11 to 15
vlan pool procure
 vlan 21 to 25
dhcp enable
// AGG2
vlan pool finance
 vlan 31 to 35
vlan pool hr
 vlan 41 to 45
dhcp enable

3) Create the Eth-Trunks. The ACC-facing trunks are hybrid and tag 11-15, 21-25 (AGG1) or 31-35, 41-45 (AGG2) plus 100; the core-facing trunk is in trunk mode and allows 100 and 208 (AGG1) or 100 and 209 (AGG2). Both ends run static LACP.

// AGG1
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 208
mode lacp-static
interface Eth-Trunk2
port link-type hybrid
port hybrid tagged vlan 11 to 15 21 to 25 100
mode lacp-static
interface Eth-Trunk3
port link-type hybrid
port hybrid tagged vlan 11 to 15 21 to 25 100
mode lacp-static
// AGG2
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 209
mode lacp-static
interface Eth-Trunk2
port link-type hybrid
port hybrid tagged vlan 31 to 35 41 to 45 100
mode lacp-static
interface Eth-Trunk3
port link-type hybrid
port hybrid tagged vlan 31 to 35 41 to 45 100 // the page had "31 to 45", which would also tag VLANs 36-40; corrected to 31 to 35
mode lacp-static

4) Configure the LoopBack0 address, the service VLANIFs and the Vlanif208/209 addresses. Every service VLANIF relays DHCP to the core: 10.1.200.29 is the core's Vlanif208 (AGG1) and 10.1.200.33 its Vlanif209 (AGG2), both in the Employee VPN instance with dhcp select global, so the core selects the pool from the relay agent (giaddr) address, which must therefore equal the pool's gateway-list.

// AGG1
interface LoopBack0
ip address 10.1.0.6 255.255.255.255
interface Vlanif208
ip address 10.1.200.30 255.255.255.252

interface Vlanif11 
ip address 10.1.11.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif12 
ip address 10.1.12.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif13 
ip address 10.1.13.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif14 
ip address 10.1.14.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif15 
ip address 10.1.15.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.29

interface Vlanif21 
ip address 10.1.21.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif22 
ip address 10.1.22.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif23 
ip address 10.1.23.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif24 
ip address 10.1.24.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.29
interface Vlanif25 
ip address 10.1.25.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.29
// AGG2
interface LoopBack0
ip address 10.1.0.7 255.255.255.255
interface Vlanif209
ip address 10.1.200.34 255.255.255.252

interface Vlanif31 
ip address 10.1.31.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif32 
ip address 10.1.32.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif33 
ip address 10.1.33.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif34 
ip address 10.1.34.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif35 
ip address 10.1.35.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.33

interface Vlanif41 
ip address 10.1.41.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif42 
ip address 10.1.42.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif43 
ip address 10.1.43.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif44 
ip address 10.1.44.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.33
interface Vlanif45 
ip address 10.1.45.254 255.255.255.0 
dhcp select relay
dhcp relay server-ip 10.1.200.33

5) OSPF 1, area 1: advertise the loopback, the core-facing link and the service subnets (AGG1 with router-id 10.1.0.6, AGG2 with router-id 10.1.0.7)

ospf 1 router-id 10.1.0.6 
area 0.0.0.1 
 network 10.1.0.6 0.0.0.0
 network 10.1.200.30 0.0.0.0
 network 10.1.11.254 0.0.0.0 
 network 10.1.12.254 0.0.0.0
 network 10.1.13.254 0.0.0.0 
 network 10.1.14.254 0.0.0.0 
 network 10.1.15.254 0.0.0.0 
 network 10.1.21.254 0.0.0.0 
 network 10.1.22.254 0.0.0.0 
 network 10.1.23.254 0.0.0.0 
 network 10.1.24.254 0.0.0.0 
 network 10.1.25.254 0.0.0.0 
ospf 1 router-id 10.1.0.7 
area 0.0.0.1 
 network 10.1.0.7 0.0.0.0 
 network 10.1.200.34 0.0.0.0 
 network 10.1.31.254 0.0.0.0 
 network 10.1.32.254 0.0.0.0 
 network 10.1.33.254 0.0.0.0 
 network 10.1.34.254 0.0.0.0 
 network 10.1.35.254 0.0.0.0 
 network 10.1.41.254 0.0.0.0 
 network 10.1.42.254 0.0.0.0 
 network 10.1.43.254 0.0.0.0 
 network 10.1.44.254 0.0.0.0 
 network 10.1.45.254 0.0.0.0

6) Network access control (NAC)

radius-server template Employee
  radius-server shared-key cipher Huawei@123
  radius-server authentication 10.1.60.2 1812
  radius-server accounting 10.1.60.2 1813
radius-server authorization 10.1.60.2 shared-key cipher Huawei@123

aaa 
authentication-scheme Employee
 authentication-mode radius
accounting-scheme Employee 
 accounting-mode radius
domain employee 
 authentication-scheme Employee 
 accounting-scheme Employee 
 radius-server Employee 
dot1x-access-profile name Employee
mac-access-profile name Employee
authentication-profile name Employee
  dot1x-access-profile Employee
  mac-access-profile Employee
  access-domain employee force
  authentication dot1x-mac-bypass
interface Eth-Trunk2
authentication-profile Employee
interface Eth-Trunk3
authentication-profile Employee
aaa
 authentication-scheme ap_auth1
  authentication-mode none
 domain ap_noauthen
  authentication-scheme ap_auth1
domain ap_noauthen mac-authen force mac-address … mask ffff-ffff-ffff // the AP MAC is not given on the page

7) NAC, annotated version

radius-server template Employee // create a RADIUS server template named Employee
 radius-server shared-key cipher Huawei@123 // shared key that authenticates the switch to the server and hides the User-Password attribute; Huawei@123 is a lab value, a production key must be long and random
 radius-server authentication 10.1.60.2 1812 // authentication server address and UDP port
 radius-server accounting 10.1.60.2 1813 // accounting server address and UDP port
radius-server authorization 10.1.60.2 shared-key cipher Huawei@123 // accept dynamic authorization (CoA / Disconnect, RFC 5176) from this server, keyed with the same secret

aaa // enter the AAA view
 authentication-scheme Employee // authentication scheme named Employee
  authentication-mode radius // authenticate against the RADIUS template
 accounting-scheme Employee // accounting scheme named Employee
  accounting-mode radius // send accounting records to RADIUS
 domain employee // the domain that ties schemes and server template together
  authentication-scheme Employee // use the Employee authentication scheme in this domain
  accounting-scheme Employee // use the Employee accounting scheme in this domain
  radius-server Employee // use the Employee RADIUS template in this domain

dot1x-access-profile name Employee // 802.1X access profile (system view)
mac-access-profile name Employee // MAC authentication access profile (system view)
authentication-profile name Employee // the NAC authentication profile that interfaces reference
 dot1x-access-profile Employee // 802.1X through this access profile
 mac-access-profile Employee // MAC authentication through this access profile
 access-domain employee force // every user authenticated through this profile lands in domain employee, whatever domain suffix their user name carries
 authentication dot1x-mac-bypass // try 802.1X first; a client that never answers EAP (printer, AP) falls back to MAC address authentication. A MAC address is trivially spoofed, so MAC-bypassed devices should be given a restricted authorization VLAN or ACL by the RADIUS server rather than the same access as 802.1X users

interface Eth-Trunk2 and interface Eth-Trunk3 // the two ACC-facing hybrid trunks; because the ACC tunnels EAPOL, the AGG is the authenticator for every host behind it
 authentication-profile Employee // bind the authentication profile to the interfaces

aaa // back to the AAA view
 authentication-scheme ap_auth1 // authentication scheme for the APs
  authentication-mode none // no authentication
 domain ap_noauthen // domain for the APs
  authentication-scheme ap_auth1 // the domain uses the no-authentication scheme

domain ap_noauthen mac-authen force mac-address … mask ffff-ffff-ffff // clients whose MAC equals the (elided) AP MAC exactly (mask ffff-ffff-ffff) are forced into domain ap_noauthen through MAC authentication
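
What the AGG actually sends to 10.1.60.2 for a MAC-bypass client, as an added example (not switch or server code, and not from the page): an RFC 2865 Access-Request with the User-Password hidden under the template's shared key, its decoder, and the offline check an attacker with a packet capture can run against a weak key. It assumes Huawei's default MAC-bypass behaviour of using the client MAC (without hyphens) as both user name and password; the client MAC, NAS address and the fixed Request Authenticator in the test are constructed values.

```python
"""How the AGG (the 802.1X / MAC-bypass authenticator, since the ACC only
tunnels EAPOL) talks to the RADIUS server at 10.1.60.2: an Access-Request
built and decoded the RFC 2865 way, with the User-Password hidden under the
template's shared key. Added example, not switch or server code; it assumes
Huawei's default MAC-bypass behaviour of sending the client MAC as both
user name and password, and the packets below are constructed offline."""
import hashlib
import os
import struct
from typing import Dict, Iterable, Optional

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def _blocks16(data: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 octets (at least one block)."""
    return data.ljust(max(16, (len(data) + 15) // 16 * 16), b"\x00")


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded, out, prev = _blocks16(password), b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: the key plus a captured packet yields the plaintext,
    which is why the shared key (Huawei@123 on the page) is a secret worth guarding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_mab_access_request(client_mac: str, secret: bytes, nas_ip: str,
                             identifier: int = 1,
                             authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request for a MAC-bypass client; client_mac is Huawei style xxxx-xxxx-xxxx."""
    authenticator = authenticator or os.urandom(16)
    mac_plain = client_mac.replace("-", "").lower().encode()  # assumed default user name format
    attrs = (_attr(USER_NAME, mac_plain)
             + _attr(USER_PASSWORD, hide_password(mac_plain, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(CALLING_STATION_ID, client_mac.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> Dict[str, object]:
    """Decode header and attributes; the password is revealed with the secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, out = packet[4:20], 20, {"id": identifier}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == USER_NAME:
            out["username"] = value.decode()
        elif atype == USER_PASSWORD:
            out["password"] = reveal_password(value, secret, authenticator).decode(errors="replace")
        elif atype == NAS_IP_ADDRESS:
            out["nas_ip"] = ".".join(str(b) for b in value)
        elif atype == CALLING_STATION_ID:
            out["calling_station"] = value.decode()
        pos += alen
    return out


def guess_shared_key(packet: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline check anyone holding a capture can run: for a MAC-bypass request the
    revealed password must equal the user name, so a guessable key is confirmed instantly."""
    username = parse_access_request(packet, b"")["username"]  # user name is sent in clear
    for cand in candidates:
        if parse_access_request(packet, cand)["password"] == username:
            return cand
    return None
```

Because MAC-bypass requests carry a known plaintext (the user name) under the hidden password, a captured request is a password-cracking oracle for the shared key; this is the concrete reason to keep 10.1.60.2 reachable only from the switches' loopbacks and to replace the lab key.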


3. Core device

1) Create VLANs 51-55, 60, 100-105 and 201-209 (60 is the server cluster VLAN, 100 the AP management VLAN)

vlan batch 51 to 55 60 100 to 105 201 to 209

2) Create the VPN instances and enable DHCP

ip vpn-instance Employee
ipv4-family
 route-distinguisher 65001:1
ip vpn-instance Guest
ipv4-family
 route-distinguisher 65001:2
dhcp enable

3) Create the Eth-Trunks towards AGG1 and AGG2

interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 208
mode lacp-static // already configured earlier
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 100 209
mode lacp-static // already configured earlier

4) Create the address pools on the core: one per service VLAN, bound to the VPN instance that VLAN lives in. The gateway-list must equal the VLANIF address of the relaying AGG (wired pools) or of the core itself (wireless pools), because that address is what selects the pool.

ip pool wire_market1
vpn-instance Employee
gateway-list 10.1.11.254 
network 10.1.11.0 mask 255.255.255.0 
ip pool wire_market2
vpn-instance Employee
gateway-list 10.1.12.254 
network 10.1.12.0 mask 255.255.255.0 
ip pool wire_market3
vpn-instance Employee
gateway-list 10.1.13.254 
network 10.1.13.0 mask 255.255.255.0 
ip pool wire_market4
vpn-instance Employee
gateway-list 10.1.14.254 
network 10.1.14.0 mask 255.255.255.0 
ip pool wire_market5
vpn-instance Employee
gateway-list 10.1.15.254 
network 10.1.15.0 mask 255.255.255.0 


ip pool wire_procue1
vpn-instance Employee
gateway-list 10.1.21.254 
network 10.1.21.0 mask 255.255.255.0 
ip pool wire_procue2
vpn-instance Employee
gateway-list 10.1.22.254 
network 10.1.22.0 mask 255.255.255.0 
ip pool wire_procue3
vpn-instance Employee
gateway-list 10.1.23.254 
network 10.1.23.0 mask 255.255.255.0 
ip pool wire_procue4
vpn-instance Employee
gateway-list 10.1.24.254 
network 10.1.24.0 mask 255.255.255.0 
ip pool wire_procue5
vpn-instance Employee
gateway-list 10.1.25.254 
network 10.1.25.0 mask 255.255.255.0 


ip pool wire_finance1
vpn-instance Employee
gateway-list 10.1.31.254 
network 10.1.31.0 mask 255.255.255.0 
ip pool wire_finance2
vpn-instance Employee
gateway-list 10.1.32.254 
network 10.1.32.0 mask 255.255.255.0 
ip pool wire_finance3
vpn-instance Employee
gateway-list 10.1.33.254 
network 10.1.33.0 mask 255.255.255.0 
ip pool wire_finance4
vpn-instance Employee
gateway-list 10.1.34.254 
network 10.1.34.0 mask 255.255.255.0 
ip pool wire_finance5
vpn-instance Employee
gateway-list 10.1.35.254 
network 10.1.35.0 mask 255.255.255.0 



ip pool wire_hr1
vpn-instance Employee
gateway-list 10.1.41.254 
network 10.1.41.0 mask 255.255.255.0 
ip pool wire_hr2
vpn-instance Employee
gateway-list 10.1.42.254 
network 10.1.42.0 mask 255.255.255.0 
ip pool wire_hr3
vpn-instance Employee
gateway-list 10.1.43.254 
network 10.1.43.0 mask 255.255.255.0 
ip pool wire_hr4
vpn-instance Employee
gateway-list 10.1.44.254 
network 10.1.44.0 mask 255.255.255.0 
ip pool wire_hr5
vpn-instance Employee
gateway-list 10.1.45.254 
network 10.1.45.0 mask 255.255.255.0 



ip pool wireless_employee1
vpn-instance Employee
gateway-list 10.1.51.254 
network 10.1.51.0 mask 255.255.255.0 
ip pool wireless_employee2
vpn-instance Employee
gateway-list 10.1.52.254 
network 10.1.52.0 mask 255.255.255.0 
ip pool wireless_employee3
vpn-instance Employee
gateway-list 10.1.53.254 
network 10.1.53.0 mask 255.255.255.0 
ip pool wireless_employee4
vpn-instance Employee
gateway-list 10.1.54.254 
network 10.1.54.0 mask 255.255.255.0 
ip pool wireless_employee5
vpn-instance Employee
gateway-list 10.1.55.254 
network 10.1.55.0 mask 255.255.255.0 



ip pool wireless_guest1
vpn-instance Guest
gateway-list 10.1.101.254 
network 10.1.101.0 mask 255.255.255.0 
ip pool wireless_guest2
vpn-instance Guest
gateway-list 10.1.102.254 
network 10.1.102.0 mask 255.255.255.0 
ip pool wireless_guest3
vpn-instance Guest
gateway-list 10.1.103.254 
network 10.1.103.0 mask 255.255.255.0 
ip pool wireless_guest4
vpn-instance Guest
gateway-list 10.1.104.254 
network 10.1.104.0 mask 255.255.255.0 
ip pool wireless_guest5
vpn-instance Guest
gateway-list 10.1.105.254 
network 10.1.105.0 mask 255.255.255.0 

5) Addresses for the service, loopback and interconnect VLANIFs. Vlanif51-55 (internal wireless) sit in the Employee instance and Vlanif101-105 (guest wireless) in Guest, each serving DHCP with dhcp select global; Vlanif208/209 face the AGGs in the Employee instance and answer the relayed requests. The server gateway 10.1.60.254 that OSPF 2 advertises below (Vlanif60) is not listed on the page.

interface Vlanif51 
ip binding vpn-instance Employee
ip address 10.1.51.254 255.255.255.0 
dhcp select global
interface Vlanif52 
ip binding vpn-instance Employee
ip address 10.1.52.254 255.255.255.0 
dhcp select global
interface Vlanif53 
ip binding vpn-instance Employee
ip address 10.1.53.254 255.255.255.0 
dhcp select global
interface Vlanif54 
ip binding vpn-instance Employee
ip address 10.1.54.254 255.255.255.0 
dhcp select global
interface Vlanif55 
ip binding vpn-instance Employee
ip address 10.1.55.254 255.255.255.0 
dhcp select global


interface Vlanif101 
ip binding vpn-instance Guest
ip address 10.1.101.254 255.255.255.0 
dhcp select global
interface Vlanif102 
ip binding vpn-instance Guest
ip address 10.1.102.254 255.255.255.0 
dhcp select global
interface Vlanif103 
ip binding vpn-instance Guest
ip address 10.1.103.254 255.255.255.0 
dhcp select global
interface Vlanif104 
ip binding vpn-instance Guest
ip address 10.1.104.254 255.255.255.0 
dhcp select global
interface Vlanif105 
ip binding vpn-instance Guest
ip address 10.1.105.254 255.255.255.0 
dhcp select global



interface LoopBack0
ip address 10.1.0.3 255.255.255.255 
#
interface LoopBack1
ip binding vpn-instance Employee
ip address 10.1.0.4 255.255.255.255 
#
interface LoopBack2
ip binding vpn-instance Guest
ip address 10.1.0.5 255.255.255.255 



interface Vlanif201
ip address 10.1.200.2 255.255.255.252 
#
interface Vlanif202
ip address 10.1.200.6 255.255.255.252 
#
interface Vlanif203
ip address 10.1.200.9 255.255.255.252 
#
interface Vlanif204
ip address 10.1.200.13 255.255.255.252 
#
interface Vlanif205
ip address 10.1.200.17 255.255.255.252 
#
interface Vlanif206
ip binding vpn-instance Employee
ip address 10.1.200.21 255.255.255.252 
#
interface Vlanif207
ip binding vpn-instance Guest
ip address 10.1.200.25 255.255.255.252 
#
interface Vlanif208
ip binding vpn-instance Employee
ip address 10.1.200.29 255.255.255.252 
dhcp select global
#
interface Vlanif209
ip binding vpn-instance Employee
ip address 10.1.200.33 255.255.255.252 
dhcp select global
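
The check a practitioner wants after steps 4 and 5 on the core and step 4 on the AGGs, as an added example (this is not page code or a vendor tool): parse the two configurations in their VRP layout and verify, for every relayed VLAN, that the AGG gateway equals the core pool's gateway-list and that the relay target is a core VLANIF with dhcp select global in the same VPN instance as the pool. The first two VLANs are copied from the page; the third pool's gateway and Vlanif209's binding are altered on purpose (constructed) so the checker has something to report.

```python
"""Cross-check the DHCP relay plumbing between the AGG VLANIFs and the core
address pools: each relayed VLAN's gateway must equal the core pool's
gateway-list, and the relay target must be a core VLANIF with
'dhcp select global' in the same VPN instance as the pool. Added check, not
page code. The first two VLANs below are copied from the page; the third
pool's gateway and Vlanif209's binding are altered on purpose (constructed)
to show what a finding looks like."""
import ipaddress
from typing import List, Optional, Tuple

AGG_CONFIG = """\
interface Vlanif11
 ip address 10.1.11.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.29
interface Vlanif21
 ip address 10.1.21.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.29
interface Vlanif31
 ip address 10.1.31.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.200.33
"""

CORE_CONFIG = """\
ip pool wire_market1
 vpn-instance Employee
 gateway-list 10.1.11.254
 network 10.1.11.0 mask 255.255.255.0
ip pool wire_procue1
 vpn-instance Employee
 gateway-list 10.1.21.254
 network 10.1.21.0 mask 255.255.255.0
ip pool wire_finance1
 vpn-instance Employee
 gateway-list 10.1.31.253
 network 10.1.31.0 mask 255.255.255.0
interface Vlanif208
 ip binding vpn-instance Employee
 ip address 10.1.200.29 255.255.255.252
 dhcp select global
interface Vlanif209
 ip binding vpn-instance Guest
 ip address 10.1.200.33 255.255.255.252
 dhcp select global
"""

Block = Tuple[str, List[str]]  # (header line, indented child lines)


def parse_blocks(text: str) -> List[Block]:
    """VRP layout: a line at column 0 opens a block, indented lines belong to it."""
    blocks: List[Block] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] != " ":
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def _field(children: List[str], prefix: str) -> Optional[str]:
    """Value of the first child command starting with prefix, or None."""
    for c in children:
        if c.startswith(prefix):
            return c[len(prefix):].strip()
    return None


def check_dhcp_relay(agg_text: str, core_text: str) -> List[str]:
    agg, core = parse_blocks(agg_text), parse_blocks(core_text)
    pools = [(h.split()[-1], ch) for h, ch in core if h.startswith("ip pool ")]
    core_ifs = [(h.split()[-1], ch) for h, ch in core if h.startswith("interface ")]
    findings: List[str] = []
    for header, ch in agg:
        if not header.startswith("interface ") or "dhcp select relay" not in ch:
            continue
        name = header.split()[-1]
        gateway = ipaddress.ip_address(_field(ch, "ip address ").split()[0])
        relay = ipaddress.ip_address(_field(ch, "dhcp relay server-ip "))
        # 1. the core pool whose network contains the AGG gateway
        pool = next(((n, c) for n, c in pools if gateway in ipaddress.ip_network(
            _field(c, "network ").replace(" mask ", "/"), strict=False)), None)
        if pool is None:
            findings.append(f"{name}: no core pool covers gateway {gateway}")
            continue
        pool_name, pool_ch = pool
        pool_gw = _field(pool_ch, "gateway-list ")
        if ipaddress.ip_address(pool_gw) != gateway:
            findings.append(f"{name}: pool {pool_name} gateway-list {pool_gw} != VLANIF address {gateway}")
        # 2. the relay target must be a core VLANIF serving global pools in the pool's VPN instance
        target = next(((n, c) for n, c in core_ifs if (_field(c, "ip address ") or "").split()[:1] == [str(relay)]), None)
        if target is None:
            findings.append(f"{name}: relay target {relay} is not a core VLANIF")
            continue
        t_name, t_ch = target
        if "dhcp select global" not in t_ch:
            findings.append(f"{name}: {t_name} ({relay}) lacks 'dhcp select global'")
        t_vrf, p_vrf = _field(t_ch, "ip binding vpn-instance "), _field(pool_ch, "vpn-instance ")
        if t_vrf != p_vrf:
            findings.append(f"{name}: {t_name} is in vpn-instance {t_vrf} but pool {pool_name} is in {p_vrf}")
    return findings


if __name__ == "__main__":
    for finding in check_dhcp_relay(AGG_CONFIG, CORE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the full page configuration (paste the AGG VLANIF blocks and the core pools and VLANIFs into the two strings) it should return an empty list; either finding above means clients in that VLAN get no lease, or get one from the wrong instance.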

6) Layer 2 port VLANs: the two uplinks to the export routers are access ports in VLAN 201 and 202; the AC-facing port is a trunk allowing 51-55, 100-105 and 203; the firewall-facing ports allow 204-205 and 206-207 respectively, with VLAN 1 removed; the server-cluster port is an access port in VLAN 60. As written, VLAN 1 is still allowed on the AC trunk and on the two Eth-Trunks; removing it there too is the usual hardening.

interface GigabitEthernet0/0/1
port link-type access
port default vlan 201
stp edged-port enable // optional, depends on the pre-configuration
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 202
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 51 to 55 100 to 105 203
#
interface GigabitEthernet0/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 204 to 205
#
interface GigabitEthernet0/0/5
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 206 to 207
#
interface GigabitEthernet0/0/6
port link-type access
port default vlan 60
#

7) Configure OSPF 1, the OSPF of the global routing table: area 0 holds the core's LoopBack0 and the links to the export routers; area 1 holds the link to firewall Vlanif204 (Employee side) and filters the Guest prefixes with an ip-prefix list; area 2 (NSSA) holds the link to firewall Vlanif205 (Guest side) and filters the Employee prefixes the same way. The area-level filter ... import acts on the inter-area (Type 3) LSAs the core generates into that area, and a prefix-list entry without greater-equal/less-equal matches that exact prefix length only.

ip ip-prefix denyEmployee deny 10.1.60.0 24 
ip ip-prefix denyEmployee deny 10.1.11.0 24 
ip ip-prefix denyEmployee deny 10.1.12.0 24 
ip ip-prefix denyEmployee deny 10.1.13.0 24 
ip ip-prefix denyEmployee deny 10.1.14.0 24 
ip ip-prefix denyEmployee deny 10.1.15.0 24 
ip ip-prefix denyEmployee deny 10.1.21.0 24 
ip ip-prefix denyEmployee deny 10.1.22.0 24 
ip ip-prefix denyEmployee deny 10.1.23.0 24 
ip ip-prefix denyEmployee deny 10.1.24.0 24 
ip ip-prefix denyEmployee deny 10.1.25.0 24 
ip ip-prefix denyEmployee deny 10.1.31.0 24 
ip ip-prefix denyEmployee deny 10.1.32.0 24 
ip ip-prefix denyEmployee deny 10.1.33.0 24 
ip ip-prefix denyEmployee deny 10.1.34.0 24 
ip ip-prefix denyEmployee deny 10.1.35.0 24 
ip ip-prefix denyEmployee deny 10.1.41.0 24 
ip ip-prefix denyEmployee deny 10.1.42.0 24 
ip ip-prefix denyEmployee deny 10.1.43.0 24 
ip ip-prefix denyEmployee deny 10.1.44.0 24 
ip ip-prefix denyEmployee deny 10.1.45.0 24
ip ip-prefix denyEmployee deny 10.1.51.0 24 
ip ip-prefix denyEmployee deny 10.1.52.0 24 
ip ip-prefix denyEmployee deny 10.1.53.0 24 
ip ip-prefix denyEmployee deny 10.1.54.0 24 
ip ip-prefix denyEmployee deny 10.1.55.0 24 
ip ip-prefix denyEmployee permit 0.0.0.0 0 less-equal 32 // catch-all so the list ends in permit; "less" on the page is the abbreviated form of less-equal



ip ip-prefix denyGuest deny 10.1.101.0 24 
ip ip-prefix denyGuest deny 10.1.102.0 24 
ip ip-prefix denyGuest deny 10.1.103.0 24 
ip ip-prefix denyGuest deny 10.1.104.0 24 
ip ip-prefix denyGuest deny 10.1.105.0 24 
ip ip-prefix denyGuest permit 0.0.0.0 0 less-equal 32



ospf 1 router-id 10.1.0.3
 area 0.0.0.0
  network 10.1.0.3 0.0.0.0
  network 10.1.200.2 0.0.0.0
  network 10.1.200.6 0.0.0.0
 area 0.0.0.1
  filter ip-prefix denyGuest import // prefix list defined above
  network 10.1.200.13 0.0.0.0
 area 0.0.0.2
  nssa
  filter ip-prefix denyEmployee import // prefix list defined above
  network 10.1.200.17 0.0.0.0
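
How the two prefix lists above are evaluated, as an added example (not device code and not from the page): entries in index order, first match wins, implicit deny at the end, and an entry without a range matching its exact length only. The lists are abbreviated from the page; the candidate routes, including a /25 that the exact-length deny does not catch, are constructed.

```python
"""Model of how the core's 'ip ip-prefix' lists are evaluated (entries in index
order, first match wins, implicit deny at the end) so the area filters can be
sanity-checked before they are applied. Added example, not device code; the
two lists are abbreviated from the page, the candidate routes are constructed."""
import ipaddress
from typing import List, Tuple

DENY_GUEST = """\
ip ip-prefix denyGuest deny 10.1.101.0 24
ip ip-prefix denyGuest deny 10.1.102.0 24
ip ip-prefix denyGuest permit 0.0.0.0 0 less-equal 32
"""

DENY_EMPLOYEE = """\
ip ip-prefix denyEmployee deny 10.1.60.0 24
ip ip-prefix denyEmployee deny 10.1.11.0 24
ip ip-prefix denyEmployee permit 0.0.0.0 0 less-equal 32
"""

Entry = Tuple[str, ipaddress.IPv4Network, int, int]  # action, prefix, ge, le


def parse_prefix_list(text: str) -> List[Entry]:
    """ip ip-prefix NAME [index N] {permit|deny} A.B.C.D LEN [greater-equal X] [less-equal Y]"""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "ip-prefix"]:
            raise ValueError(f"not a prefix-list line: {line}")
        i = 5 if tok[3] == "index" else 3          # skip an explicit index if present
        action, addr, length = tok[i], tok[i + 1], int(tok[i + 2])
        rest = tok[i + 3:]
        opts = dict(zip(rest[::2], map(int, rest[1::2])))
        # VRP semantics: no range = exact length; greater-equal alone opens the
        # range up to /32; less-equal alone keeps the lower bound at LEN.
        ge = opts.get("greater-equal", length)
        le = opts.get("less-equal", 32 if "greater-equal" in opts else length)
        entries.append((action, ipaddress.ip_network(f"{addr}/{length}", strict=False), ge, le))
    return entries


def evaluate(entries: List[Entry], route: str) -> str:
    """First entry whose prefix covers the route and whose length range admits it decides."""
    net = ipaddress.ip_network(route, strict=False)
    for action, prefix, ge, le in entries:
        if net.network_address in prefix and ge <= net.prefixlen <= le:
            return action
    return "deny"  # nothing matched: implicit deny


if __name__ == "__main__":
    for name, text in (("denyGuest", DENY_GUEST), ("denyEmployee", DENY_EMPLOYEE)):
        for route in ("10.1.101.0/24", "10.1.101.128/25", "10.1.11.0/24", "10.1.200.12/30"):
            print(f"{name:13} {route:18} {evaluate(parse_prefix_list(text), route)}")
```

The /25 case is the one to watch: a deny written as 10.1.101.0 24 only blocks a /24, so a more specific guest route would slip through the catch-all permit. If the LSDB can ever carry longer prefixes, write the deny entries with greater-equal 24.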

8) Configure OSPF 2, the Employee instance's OSPF: in area 1 advertise the Employee loopback, Vlanif206, 208 and 209, the internal wireless subnets and the server subnet

ospf 2 router-id 10.1.0.4 vpn-instance Employee
 vpn-instance-capability simple // run as a plain OSPF process inside the instance, without the PE-CE loop-prevention checks
 area 0.0.0.1 // 10 networks
  network 10.1.0.4 0.0.0.0
  network 10.1.200.21 0.0.0.0
  network 10.1.200.29 0.0.0.0
  network 10.1.200.33 0.0.0.0
  network 10.1.60.254 0.0.0.0
  network 10.1.51.254 0.0.0.0
  network 10.1.52.254 0.0.0.0
  network 10.1.53.254 0.0.0.0
  network 10.1.54.254 0.0.0.0
  network 10.1.55.254 0.0.0.0

9) Configure OSPF 3, the Guest instance's OSPF: in area 2 (NSSA) advertise the Guest loopback, Vlanif207 and the guest wireless subnets

ospf 3 router-id 10.1.0.5 vpn-instance Guest
 vpn-instance-capability simple
 area 0.0.0.2 // 7 networks
  nssa
  network 10.1.0.5 0.0.0.0
  network 10.1.200.25 0.0.0.0
  network 10.1.101.254 0.0.0.0
  network 10.1.102.254 0.0.0.0
  network 10.1.103.254 0.0.0.0
  network 10.1.104.254 0.0.0.0
  network 10.1.105.254 0.0.0.0

10) Traffic between the areas must pass through the firewall, but the internal wireless subnets (10.1.51-55.0/24) and the server VLAN both live in the Employee instance on the core, so without intervention that traffic would be switched locally and never reach the firewall. Instead of a full policy-based routing configuration, an ACL classifies the flows and traffic-redirect overrides their next hop to the firewall's Vlanif204 (10.1.200.14, the untrust side of the Employee vsys). Only the wireless-to-server direction is redirected here; replies from 10.1.60.0/24 are not steered, so the firewall sees one direction of each flow unless the server side is redirected as well.

acl number 3000 // match source internal wireless users, destination server subnet
rule 5 permit ip source 10.1.51.0 0.0.0.255 destination 10.1.60.0 0.0.0.255 
rule 10 permit ip source 10.1.52.0 0.0.0.255 destination 10.1.60.0 0.0.0.255 
rule 15 permit ip source 10.1.53.0 0.0.0.255 destination 10.1.60.0 0.0.0.255 
rule 20 permit ip source 10.1.54.0 0.0.0.255 destination 10.1.60.0 0.0.0.255 
rule 25 permit ip source 10.1.55.0 0.0.0.255 destination 10.1.60.0 0.0.0.255

interface Vlanif51
traffic-redirect inbound acl 3000 ip-nexthop 10.1.200.14
interface Vlanif52
traffic-redirect inbound acl 3000 ip-nexthop 10.1.200.14
interface Vlanif53
traffic-redirect inbound acl 3000 ip-nexthop 10.1.200.14
interface Vlanif54
traffic-redirect inbound acl 3000 ip-nexthop 10.1.200.14
interface Vlanif55
traffic-redirect inbound acl 3000 ip-nexthop 10.1.200.14

4. AC (wireless access controller)

1) Create the VLANs for internal and guest wireless users and the VLAN of the core link, the two VLAN pools, and allow those VLANs on the uplink

vlan batch 51 to 55 100 to 105 203
vlan pool vlan51-55
vlan 51 to 55
vlan pool vlan101-105
vlan 101 to 105


interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 51 to 55 100 to 105 203

2) Loopback interface and CAPWAP tunnel source. Vlanif100 hands out the AP management addresses with dhcp select interface.

interface LoopBack0 // usually pre-configured
ip address 10.1.0.11 255.255.255.255
interface Vlanif100 // usually pre-configured
ip address 10.1.100.254 255.255.255.0
dhcp select interface
interface Vlanif203 // usually pre-configured
ip address 10.1.200.10 255.255.255.252


capwap source interface vlanif203

3) Create the security profiles. Both SSIDs use WPA/WPA2-PSK with AES; giving them the same passphrase is a lab shortcut, since anyone holding the guest key then holds the employee key. In production the employee SSID would use 802.1X (WPA2-Enterprise) against the same RADIUS server as the wired NAC.

security-profile name guest
 security wpa-wpa2 psk pass-phrase Huawei@123 aes
 
security-profile name employee
 security wpa-wpa2 psk pass-phrase Huawei@123 aes

4) Create the SSID profiles

ssid-profile name guest
 ssid X_Guest_001
 
ssid-profile name employee
 ssid X_Employee_001

5) Create the VAP profiles and bind the security and SSID profiles. forward-mode tunnel carries user traffic through CAPWAP to the AC, which places it in a VLAN from the pool.

vap-profile name guest
 forward-mode tunnel
 service-vlan vlan-pool vlan101-105
 ssid-profile guest
 security-profile guest
 
vap-profile name employee
 forward-mode tunnel
 service-vlan vlan-pool vlan51-55
 ssid-profile employee
 security-profile employee

6) Create the regulatory domain profile and the AP group; bind the domain profile and the VAP profiles to the group

regulatory-domain-profile name datacom // optional; the default country code is CN
 ap-group name X
 regulatory-domain-profile datacom // optional; without it the default domain profile is used
 vap-profile employee wlan 1 radio all
 vap-profile guest wlan 2 radio all

7) Add the APs to the AP group

ap-id 0 ap-mac … // the AP MAC can be read from the MAC address table on the ACC
 ap-name X_T1_AP1
 ap-group X
 
ap-id 1 ap-mac … // the AP MAC can be read from the MAC address table on the ACC
 ap-name X_T2_AP1
 ap-group X

5. Firewall

1) Create VLANs 204-207, enable virtual systems, create the loopback interfaces

vlan batch 204 to 207
vsys enable
interface LoopBack1
interface LoopBack2

2) Create the virtual systems and assign each its loopback and VLANs

vsys name Employee 1
assign interface LoopBack1
assign vlan 204
assign vlan 206

vsys name Guest 2
assign interface LoopBack2
assign vlan 205
assign vlan 207

3) Turn the interfaces towards the core into Layer 2 ports and allow the VLANs: 1/0/1 carries 204-205, 1/0/2 carries 206-207, with VLAN 1 removed from both

interface GigabitEthernet1/0/1
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 204 to 205
#
interface GigabitEthernet1/0/2
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 206 to 207

4) Loopback and VLANIF addresses

interface LoopBack1
ip address 10.1.0.8 255.255.255.255
#
interface LoopBack2
ip address 10.1.0.9 255.255.255.255
#
interface Vlanif204
ip address 10.1.200.14 255.255.255.252
#
interface Vlanif205
ip address 10.1.200.18 255.255.255.252
#
interface Vlanif206
ip address 10.1.200.22 255.255.255.252
#
interface Vlanif207
ip address 10.1.200.26 255.255.255.252

5) OSPF for Employee and Guest: OSPF 2, area 1, advertises the Employee loopback, Vlanif204 and Vlanif206; OSPF 3, area 2 (NSSA), advertises the Guest loopback, Vlanif205 and Vlanif207. Each process is bound to its vsys with vpn-instance; the process numbers only need to match locally, the core's OSPF 1 area 1 on Vlanif204 and OSPF 1 area 2 on Vlanif205 are the neighbours.

ospf 2 router-id 10.1.0.8 vpn-instance Employee
vpn-instance-capability simple
area 0.0.0.1
 network 10.1.0.8 0.0.0.0
 network 10.1.200.14 0.0.0.0
 network 10.1.200.22 0.0.0.0
 
 
 
ospf 3 router-id 10.1.0.9 vpn-instance Guest
vpn-instance-capability simple
area 0.0.0.2
 nssa
 network 10.1.0.9 0.0.0.0
 network 10.1.200.18 0.0.0.0
 network 10.1.200.26 0.0.0.0

6) Virtual-if interfaces and static routes between the two virtual systems

interface Virtual-if1 // belongs to the Employee vsys by default
ip address 10.1.200.253 255.255.255.255 // the address may differ
interface Virtual-if2 // belongs to the Guest vsys by default
ip address 10.1.200.254 255.255.255.255 // the address may differ
#
ip route-static vpn-instance Guest 10.1.60.99 255.255.255.255 vpn-instance Employee // guest traffic for server .99 crosses into the Employee vsys (vpn-in on the page is the abbreviated form)
ip route-static vpn-instance Employee 10.1.101.0 255.255.255.0 vpn-instance Guest // return routes for the guest subnets
ip route-static vpn-instance Employee 10.1.102.0 255.255.255.0 vpn-instance Guest
ip route-static vpn-instance Employee 10.1.103.0 255.255.255.0 vpn-instance Guest
ip route-static vpn-instance Employee 10.1.104.0 255.255.255.0 vpn-instance Guest
ip route-static vpn-instance Employee 10.1.105.0 255.255.255.0 vpn-instance Guest

7) On the Employee virtual firewall: address sets, service set, zones (Vlanif206 is trust; Vlanif204 and Virtual-if1 are untrust) and the security policy. Rules are matched top-down and the first match wins, so the deny for the two wireless sets sits after the narrow permits for .100 and .99; anything unmatched hits the USG default action, deny.

switch vsys Employee
ip address-set market type group
address 0 10.1.11.0 mask 24
address 1 10.1.12.0 mask 24
address 2 10.1.13.0 mask 24
address 3 10.1.14.0 mask 24
address 4 10.1.15.0 mask 24
#
ip address-set purchase type group
address 0 10.1.21.0 mask 24
address 1 10.1.22.0 mask 24
address 2 10.1.23.0 mask 24
address 3 10.1.24.0 mask 24
address 4 10.1.25.0 mask 24
#
ip address-set inWlan type group
address 0 10.1.51.0 mask 24
address 1 10.1.52.0 mask 24
address 2 10.1.53.0 mask 24
address 3 10.1.54.0 mask 24
address 4 10.1.55.0 mask 24
#
ip address-set outWlan type group
address 0 10.1.101.0 mask 24
address 1 10.1.102.0 mask 24
address 2 10.1.103.0 mask 24
address 3 10.1.104.0 mask 24
address 4 10.1.105.0 mask 24
#
ip service-set Guest_Service type object 16
service 0 protocol tcp destination-port 3389



firewall zone trust
add interface Vlanif206
firewall zone untrust
add interface Virtual-if1
add interface Vlanif204




security-policy
rule name per_ospf_in
 source-zone trust
 source-zone untrust
 destination-zone local
 service ospf
 action permit
rule name per_ospf_out
 source-zone local
 destination-zone trust
 destination-zone untrust
 service ospf
 action permit
rule name per_unt_tS101 // any untrust source (public users) can reach the HTTP service on 10.1.60.101
 source-zone untrust
 destination-zone trust
 destination-address 10.1.60.101 mask 255.255.255.255
 service http
 action permit
rule name per_untIW_tS100 // internal wireless users can reach 10.1.60.100
 source-zone untrust
 destination-zone trust
 source-address address-set inWlan
 destination-address 10.1.60.100 mask 255.255.255.255
 action permit
rule name per_untOW_tS99 // guest wireless users can reach 10.1.60.99 (TCP 3389 only, via Guest_Service)
 source-zone untrust
 destination-zone trust
 source-address address-set outWlan
 destination-address 10.1.60.99 mask 255.255.255.255
 service Guest_Service
 action permit
rule name deny_untIWOW_tS // neither wireless set may reach anything else in the server subnet
 source-zone untrust
 destination-zone trust
 source-address address-set inWlan
 source-address address-set outWlan
 destination-address 10.1.60.0 mask 255.255.255.0
 action deny
rule name per_tMPIW_untInter // market, purchase and internal wireless (MPIW) can reach the Internet
 source-zone trust
 destination-zone untrust
 source-address address-set inWlan
 source-address address-set market
 source-address address-set purchase
 action permit

8) On the Guest virtual firewall: address set, service set, zones (Vlanif207 is trust; Vlanif205 and Virtual-if2 are untrust) and the security policy

switch vsys Guest
ip address-set outWlan type group
address 0 10.1.101.0 mask 24
address 1 10.1.102.0 mask 24
address 2 10.1.103.0 mask 24
address 3 10.1.104.0 mask 24
address 4 10.1.105.0 mask 24
#
ip service-set Guest_Service type object 17
service 0 protocol tcp destination-port 3389




firewall zone trust
add interface Vlanif207
firewall zone untrust
add interface Virtual-if2
add interface Vlanif205





security-policy
rule name per_ospf_in
 source-zone trust
 source-zone untrust
 destination-zone local
 service ospf
 action permit
rule name per_ospf_out
 source-zone local
 destination-zone trust
 destination-zone untrust
 service ospf
 action permit
rule name per_tOW_untS99 // guest wireless users can reach 10.1.60.99
 source-zone trust
 destination-zone untrust
 source-address address-set outWlan
 destination-address 10.1.60.99 mask 255.255.255.255
 service Guest_Service
 action permit
rule name deny_tOW_untS // guest wireless users may not reach the rest of the server subnet
 source-zone trust
 destination-zone untrust
 source-address address-set outWlan
 destination-address 10.1.60.0 mask 255.255.255.0
 action deny
rule name per_tOW_untInter // guest wireless users can reach the Internet
 source-zone trust
 destination-zone untrust
 source-address address-set outWlan
 action permit
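
A first-match evaluation of the security policies in steps 7 and 8, as an added example (not USG code and not from the page): the Employee vsys rules, address sets and service sets are transcribed from step 7, sample flows are constructed, and the same evaluator serves the Guest vsys table of step 8 by swapping in its three rules. It also shows what happens if the deny rule is moved ahead of the narrow permits.

```python
"""First-match evaluation of the Employee vsys security-policy from the page,
including the implicit default deny, to confirm the rule order does what the
comments claim (the deny for the wireless sets has to come after the two
narrow permits, not before). Added example, not USG code; zones, address sets
and rules are transcribed from the page, the sample flows are constructed.
The Guest vsys table is evaluated the same way by passing its rules."""
import ipaddress
from typing import Dict, List, Optional, Tuple

ADDRESS_SETS: Dict[str, List[str]] = {
    "market":   [f"10.1.{n}.0/24" for n in range(11, 16)],
    "purchase": [f"10.1.{n}.0/24" for n in range(21, 26)],
    "inWlan":   [f"10.1.{n}.0/24" for n in range(51, 56)],
    "outWlan":  [f"10.1.{n}.0/24" for n in range(101, 106)],
}
SERVICE_SETS = {  # (protocol, destination port); None = any port
    "ospf": [("ospf", None)],
    "http": [("tcp", 80)],
    "Guest_Service": [("tcp", 3389)],
}
# Each rule: zones, optional src/dst (set names or literal prefixes), optional service, action.
EMPLOYEE_POLICY = [
    {"name": "per_ospf_in", "src_zone": {"trust", "untrust"}, "dst_zone": {"local"}, "service": ["ospf"], "action": "permit"},
    {"name": "per_ospf_out", "src_zone": {"local"}, "dst_zone": {"trust", "untrust"}, "service": ["ospf"], "action": "permit"},
    {"name": "per_unt_tS101", "src_zone": {"untrust"}, "dst_zone": {"trust"}, "dst": ["10.1.60.101/32"], "service": ["http"], "action": "permit"},
    {"name": "per_untIW_tS100", "src_zone": {"untrust"}, "dst_zone": {"trust"}, "src": ["inWlan"], "dst": ["10.1.60.100/32"], "action": "permit"},
    {"name": "per_untOW_tS99", "src_zone": {"untrust"}, "dst_zone": {"trust"}, "src": ["outWlan"], "dst": ["10.1.60.99/32"], "service": ["Guest_Service"], "action": "permit"},
    {"name": "deny_untIWOW_tS", "src_zone": {"untrust"}, "dst_zone": {"trust"}, "src": ["inWlan", "outWlan"], "dst": ["10.1.60.0/24"], "action": "deny"},
    {"name": "per_tMPIW_untInter", "src_zone": {"trust"}, "dst_zone": {"untrust"}, "src": ["inWlan", "market", "purchase"], "action": "permit"},
]
GUEST_POLICY = [  # step 8 of the page; the two OSPF rules are identical and omitted here
    {"name": "per_tOW_untS99", "src_zone": {"trust"}, "dst_zone": {"untrust"}, "src": ["outWlan"], "dst": ["10.1.60.99/32"], "service": ["Guest_Service"], "action": "permit"},
    {"name": "deny_tOW_untS", "src_zone": {"trust"}, "dst_zone": {"untrust"}, "src": ["outWlan"], "dst": ["10.1.60.0/24"], "action": "deny"},
    {"name": "per_tOW_untInter", "src_zone": {"trust"}, "dst_zone": {"untrust"}, "src": ["outWlan"], "action": "permit"},
]


def _addr_match(spec: Optional[List[str]], ip: str) -> bool:
    if not spec:
        return True  # no address condition means any
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net)
               for item in spec for net in ADDRESS_SETS.get(item, [item]))


def _svc_match(spec: Optional[List[str]], proto: str, dport: Optional[int]) -> bool:
    if not spec:
        return True
    return any(p == proto and (d is None or d == dport)
               for name in spec for p, d in SERVICE_SETS[name])


def evaluate(policy, src_zone, dst_zone, src_ip, dst_ip, proto, dport=None) -> Tuple[str, str]:
    """Rules are tried top-down, first match wins; an unmatched flow hits the default deny."""
    for r in policy:
        if (src_zone in r["src_zone"] and dst_zone in r["dst_zone"]
                and _addr_match(r.get("src"), src_ip) and _addr_match(r.get("dst"), dst_ip)
                and _svc_match(r.get("service"), proto, dport)):
            return r["name"], r["action"]
    return "default", "deny"


def with_deny_first(policy):
    """The same rules with the deny rules moved to the top: shows why order matters."""
    return [r for r in policy if r["action"] == "deny"] + [r for r in policy if r["action"] != "deny"]


if __name__ == "__main__":
    for flow in (("untrust", "trust", "10.1.51.10", "10.1.60.100", "tcp", 443),
                 ("untrust", "trust", "10.1.101.10", "10.1.60.99", "tcp", 22),
                 ("trust", "untrust", "10.1.31.7", "198.51.100.1", "tcp", 443)):
        print(flow, "->", evaluate(EMPLOYEE_POLICY, *flow), "| deny first:", evaluate(with_deny_first(EMPLOYEE_POLICY), *flow))
```

Two things the evaluator makes visible that the comments do not: finance and HR (10.1.31-45.0/24) are in no address set, so they get no Internet access at all through the Employee vsys; and per_unt_tS101 has no source restriction, so the HTTP service on .101 is reachable from every untrust source, which is the intent behind the NAT server on Export2.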

6. Export (egress) routers

Export1

1) On Export1, create VLAN 201

vlan 201 

2) Create an ACL that permits everything; it is the NAT match list, so every source that reaches this router is translated

acl 2000
rule permit

3) Make the downlink a Layer 2 access port in VLAN 201, then set the LoopBack0 and Vlanif201 addresses

interface GigabitEthernet6/0/1 // usually G0/0/1 in the exam, and usually pre-configured
port link-type access
port default vlan 201
interface LoopBack0
ip address 10.1.0.1 255.255.255.255
interface Vlanif201
ip address 10.1.200.1 255.255.255.252

4) Set the uplink addresses and use Easy IP on them (nat outbound without an address group translates to the interface address)

interface GigabitEthernet0/0/0 // usually G0/0/9 in the exam, and usually pre-configured
ip address 10.255.1.1 255.255.255.0 
nat outbound 2000 
interface GigabitEthernet0/0/2 // usually G0/0/10 in the exam, and usually pre-configured
ip address 10.255.2.1 255.255.255.0 
nat outbound 2000 

5) Default routes to the next hop of each uplink (two equal-cost defaults)

ip route-static 0.0.0.0 0.0.0.0 10.255.1.254
ip route-static 0.0.0.0 0.0.0.0 10.255.2.254

6) Form an OSPF neighbourship with the core below: advertise the loopback and the directly connected link, and originate the default route. default-route-advertise without always only advertises while a default route exists in the routing table, which the two static routes above provide.

ospf 1 router-id 10.1.0.1 
default-route-advertise
area 0.0.0.0 
 network 10.1.0.1 0.0.0.0 
 network 10.1.200.1 0.0.0.0

Export2

1) On Export2, create VLAN 202

vlan 202

2) Create an ACL that permits everything and a NAT address pool

acl 2000
rule permit

nat address-group 1 10.255.4.2 10.255.4.100

3) Make the downlink a Layer 2 access port in VLAN 202, then set the LoopBack0 and Vlanif202 addresses

interface GigabitEthernet6/0/1 // usually G0/0/1 in the exam
port link-type access
port default vlan 202
interface LoopBack0
ip address 10.1.0.2 255.255.255.255
interface Vlanif202
ip address 10.1.200.5 255.255.255.252 

4) Set the uplink addresses; use dynamic NAT with the address pool on the second uplink and add a NAT server there mapping TCP 8081 on that interface to HTTP on 10.1.60.101 (the service the Employee firewall rule per_unt_tS101 opens to untrust)

interface GigabitEthernet0/0/0 // usually G0/0/9 in the exam
ip address 10.255.3.1 255.255.255.0 
nat outbound 2000
interface GigabitEthernet0/0/2 // usually G0/0/10 in the exam
ip address 10.255.4.1 255.255.255.0 
nat server protocol tcp global current-interface 8081 inside 10.1.60.101 www
nat outbound 2000 address-group 1

5) Default routes to the next hop of each uplink

ip route-static 0.0.0.0 0.0.0.0 10.255.3.254
ip route-static 0.0.0.0 0.0.0.0 10.255.4.254

6) Form an OSPF neighbourship with the core below: advertise the loopback and the directly connected link, and originate the default route

ospf 1 router-id 10.1.0.2 
default-route-advertise
area 0.0.0.0 
 network 10.1.0.2 0.0.0.0 
 network 10.1.200.5 0.0.0.0