10,000 words! Mid-to-large enterprise network deployment architecture (link aggregation, MSTP + VRRP, AP + AC, firewall, OSPF)

Contents

I. Access layer to aggregation layer

II. Aggregation layer to core layer

III. Firewall (FW) configuration

IV. Wireless APs


I. Access layer to aggregation layer

a. VLAN configuration

b. Inter-switch links: trunk ports and Eth-Trunk

c. STP / MSTP

d. Gateways, and pairing VRRP with MSTP

Two MSTP instances:

Instance 1: VLAN 10, VLAN 30

Instance 2: VLAN 20, VLAN 40

Address plan: one 192.168.<vlan>.0/24 per VLAN; the two aggregation switches use .251 and .252 on their VLAN interfaces and the VRRP virtual gateway is .254 (steps 3 and 4 below).

1. Create the VLANs on every switch and set the link type of each port.

[Huawei-GigabitEthernet0/0/1]int g0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access          // port facing a PC
[Huawei-GigabitEthernet0/0/3]port default vlan 30
[Huawei-GigabitEthernet0/0/3]stp edged-port enable           // edge port: skips listening/learning
[Huawei-GigabitEthernet0/0/3]int g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type trunk            // uplinks towards the aggregation switches
[Huawei-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 to 4094
[Huawei-GigabitEthernet0/0/4]int g0/0/5
[Huawei-GigabitEthernet0/0/5]port link-type trunk
[Huawei-GigabitEthernet0/0/5]port trunk allow-pass vlan 2 to 4094

The remaining switches are configured the same way.

Two caveats for production: an edge port should be combined with BPDU protection (`stp bpdu-protection` in system view) so that a port which unexpectedly receives a BPDU is shut down instead of being pulled into the topology, and `allow-pass vlan 2 to 4094` should be pruned to the VLANs a trunk actually carries, so that an access switch cannot reach, for example, the AP management VLAN.

lsw1 and lsw3 are joined by a link aggregation group:
[lsw1]int Eth-Trunk 12                                      // create/enter aggregation interface 12
[lsw1-Eth-Trunk12]mode lacp-static                          // LACP mode; the peer end must use the same mode
[lsw1-Eth-Trunk12]trunkport GigabitEthernet 0/0/23 to 0/0/24
                                                            // add member ports 23 and 24
[lsw1-Eth-Trunk12]port link-type trunk
[lsw1-Eth-Trunk12]port trunk allow-pass vlan all

The mirror-image configuration goes on lsw3.

2. Configure spanning tree (MSTP)

[lsw2]stp region-configuration
[lsw2-mst-region]region-name ceshi
[lsw2-mst-region]revision-level 1
[lsw2-mst-region]instance 1 vlan 10 30
[lsw2-mst-region]instance 2 vlan 20 40
[lsw2-mst-region]active region-configuration

Every switch gets an identical region configuration (same region name, revision level and VLAN-to-instance mapping); a switch whose mapping differs forms a region of its own and the per-instance load sharing below does not happen. The roots are then split between the two aggregation switches:
[lsw1]stp instance 1 root primary       // lsw1 is the primary root of instance 1
[lsw1]stp instance 2 root secondary     // lsw1 is the secondary root of instance 2
[lsw3]stp instance 2 root primary
[lsw3]stp instance 1 root secondary


3. Configure the gateways

[lsw1]int vlan 10
[lsw1-Vlanif10]ip address 192.168.10.251 24
[lsw1-Vlanif10]int vlan 20
[lsw1-Vlanif20]ip address 192.168.20.251 24
[lsw1-Vlanif20]int vlan 30
[lsw1-Vlanif30]ip address 192.168.30.251 24
[lsw1-Vlanif30]int vlan 40
[lsw1-Vlanif40]ip address 192.168.40.251 24

The peer aggregation switch (lsw3 in the VRRP step; the page also calls it lsw2) is configured the same way with .252.


4. Configure VRRP

[lsw1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254   // the virtual gateway address is 192.168.30.254
[lsw1-Vlanif30]vrrp vrid 30 priority 120                // raise the priority so lsw1 becomes master

[lsw3-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254   // backup, default priority 100

The other VLANs follow the same pattern. The VRRP master has to sit on the MSTP root of the VLAN's instance: lsw1 takes priority 120 for VLANs 10 and 30 (instance 1) and lsw3 takes priority 120 for VLANs 20 and 40 (instance 2). If master and root differ for a VLAN, every packet of that VLAN is first forwarded to the root along the spanning tree and then carried across the lsw1-lsw3 Eth-Trunk to the gateway.
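
The alignment rule above, checked and turned into VRRP configuration by a script. This is an added example, not code from the page or from Huawei: the VLAN-to-instance mapping and the two roots are the page's, the per-VLAN priorities extend the page's "configure the rest by analogy", and 192.168.<vlan>.254 as the virtual gateway is an assumption generalised from the VLAN 30 example.

```python
"""MSTP/VRRP alignment check and VRRP config generator for the two
aggregation switches.  Added example, not from the page: the VLAN-to-instance
mapping and the roots are the page's, the per-VLAN priorities extend the
page's "configure the rest by analogy", and 192.168.<vlan>.254 as the
virtual gateway is an assumption taken from the VLAN 30 example."""
from dataclasses import dataclass


@dataclass
class Plan:
    switches: tuple          # (switch_a, switch_b); on a priority tie switch_a wins in this model
    instance_vlans: dict     # MSTP instance id -> list of VLAN ids
    instance_root: dict      # MSTP instance id -> name of the "root primary" switch
    vrrp_priority: dict      # (vlan, switch) -> configured VRRP priority; absent = default 100

    def vrrp_master(self, vlan: int) -> str:
        # Real VRRP breaks a priority tie on the higher interface address;
        # this model simply prefers the first-listed switch, which is why
        # every VLAN should get an explicit priority on one side.
        return max(self.switches, key=lambda sw: self.vrrp_priority.get((vlan, sw), 100))

    def misaligned(self) -> list:
        """VLANs whose VRRP master is not the MSTP root of their instance.
        For such a VLAN the access switch forwards towards the root, which
        then hands the packet across the inter-switch Eth-Trunk to the
        VRRP master: every packet crosses that link needlessly."""
        bad = []
        for inst, vlans in self.instance_vlans.items():
            for vlan in vlans:
                if self.vrrp_master(vlan) != self.instance_root[inst]:
                    bad.append(vlan)
        return sorted(bad)

    def huawei_vrrp_config(self, prefix: str = "192.168") -> dict:
        """Per-switch VRRP lines in VRP syntax (vrid = VLAN id, virtual IP .254)."""
        out = {sw: [] for sw in self.switches}
        for vlans in self.instance_vlans.values():
            for vlan in vlans:
                for sw in self.switches:
                    out[sw].append(f"interface Vlanif{vlan}")
                    out[sw].append(f" vrrp vrid {vlan} virtual-ip {prefix}.{vlan}.254")
                    if (vlan, sw) in self.vrrp_priority:
                        out[sw].append(f" vrrp vrid {vlan} priority {self.vrrp_priority[(vlan, sw)]}")
        return out


def page_plan() -> Plan:
    """The page's design: lsw1 roots instance 1, lsw3 roots instance 2."""
    return Plan(
        switches=("lsw1", "lsw3"),
        instance_vlans={1: [10, 30], 2: [20, 40]},
        instance_root={1: "lsw1", 2: "lsw3"},
        vrrp_priority={(10, "lsw1"): 120, (30, "lsw1"): 120,
                       (20, "lsw3"): 120, (40, "lsw3"): 120},
    )


def careless_plan() -> Plan:
    """Only VLAN 30 done as on the page, VLAN 20 mistakenly raised on lsw1,
    VLANs 10 and 40 left at the default priority."""
    return Plan(
        switches=("lsw1", "lsw3"),
        instance_vlans={1: [10, 30], 2: [20, 40]},
        instance_root={1: "lsw1", 2: "lsw3"},
        vrrp_priority={(30, "lsw1"): 120, (20, "lsw1"): 120},
    )


if __name__ == "__main__":
    print("page plan misaligned VLANs:", page_plan().misaligned())          # []
    print("careless plan misaligned VLANs:", careless_plan().misaligned())  # [20, 40]
    for sw, lines in page_plan().huawei_vrrp_config().items():
        print(f"# {sw}")
        print("\n".join(lines))
```

The careless plan shows the trap: VLAN 40 is misaligned even though nobody touched it, because both switches sit at the default priority and the tie-break decides, so every VLAN should get an explicit priority on the intended master.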


II. Aggregation layer to core layer

a. IP configuration

b. OSPF and authentication

1. Address configuration (the routers first, then the Layer 3 switch)

[ar2]di ip int br
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 1

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              10.1.23.2/24         up         up        
GigabitEthernet0/0/1              unassigned           down       down      
GigabitEthernet0/0/2              10.1.12.2/24         up         up        
GigabitEthernet1/0/0              10.1.104.2/24        up         up        
GigabitEthernet2/0/0              10.1.102.2/24        up         up        
NULL0                             unassigned           up         up(s)  

[ar1]dis ip interface brief 
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 1

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              10.1.14.1/24         up         up        
GigabitEthernet0/0/1              10.1.15.1/24         up         up        
GigabitEthernet0/0/2              10.1.12.1/24         down       down      
GigabitEthernet1/0/0              10.1.100.1/24        up         up        
GigabitEthernet2/0/0              10.1.103.1/24        up         up        
NULL0                             unassigned           up 

Switch interface configuration

[lsw3]vlan batch 300 400
Info: This operation may take a few seconds. Please wait for a moment...done.
[lsw3]int vlan 400
[lsw3-Vlanif400]ip address 10.1.104.2 24
[lsw3-Vlanif400]int vlan 300
[lsw3-Vlanif300]ip address 10.1.103.2 24         // faces ar1 G2/0/0 (10.1.103.1)
[lsw3-Vlanif300]int g0/0/1
[lsw3-GigabitEthernet0/0/1]port link-type access
[lsw3-GigabitEthernet0/0/1]port default vlan 400
[lsw3-GigabitEthernet0/0/1]int g0/0/2
[lsw3-GigabitEthernet0/0/2]port link-type access
[lsw3-GigabitEthernet0/0/2]port default vlan 300

(The original transcript also contained the mistyped lines `ip address 10.1.103..2,24` and `port default vlan 4100`, which VRP rejects; they are dropped above.) Note that ar2's G1/0/0 in the output above also shows 10.1.104.2/24. The two ends of a link need different addresses, so one of the two entries is a transcription error and has to be corrected before OSPF can come up on that link.


Configure OSPF

[ar1]ospf
[ar1-ospf-1]area 0
[ar1-ospf-1-area-0.0.0.0]network 10.1.14.1 0.0.0.0        // a /32 wildcard per interface: only these interfaces run OSPF
[ar1-ospf-1-area-0.0.0.0]network 10.1.15.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]network 10.1.12.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]network 10.1.100.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]network 10.1.103.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher huawei@123
                                                           // area authentication: key ID 1, MD5; every router in area 0 needs the same key ID and key
[ar1-ospf-1-area-0.0.0.0]int p5/0/0
[ar1-Pos5/0/0]ip address 10.1.13.1 24                     // the mask was missing in the original transcript; /24 matches the other links

The other routers (and the Layer 3 switches that run OSPF) are configured the same way.

`cipher` only stores the key encrypted in the configuration file. On the wire, OSPF MD5 authentication (RFC 2328, Appendix D) appends to each packet an MD5 digest computed over the packet and the key, which keeps unauthenticated devices from forming adjacencies or injecting routes, and a cryptographic sequence number, which stops replay of old packets. Anyone who can read the running configuration or sniff the link can still guess a short key offline, so use a long random key, and prefer HMAC-SHA256 authentication on VRP releases that offer it.
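
The wire-level behaviour that `authentication-mode md5` turns on, reproduced in Python so the digest and the replay check are visible. This is an added example, not code from the page and not Huawei code; the packet is a constructed minimal OSPFv2 header with an arbitrary body, and the digest and sequence handling follow RFC 2328 Appendix D. The key, key ID and router ID are the page's.

```python
"""OSPF cryptographic authentication as enabled by
'authentication-mode md5 1 cipher huawei@123' above, reproduced in Python so the
wire-level behaviour is visible.  Added example, not from the page and not
Huawei code.  The packet is a constructed minimal OSPFv2 header plus an
arbitrary body; the digest and sequence handling follow RFC 2328 Appendix D."""
import hashlib
import hmac
import struct

MD5_AUTH_TYPE = 2          # AuType 2 = cryptographic authentication
KEY_ID = 1                 # the "1" in the page's command
KEY = b"huawei@123"        # the page's key (a real deployment wants a long random one)
HEADER_LEN = 24
DIGEST_LEN = 16


def key16(key: bytes) -> bytes:
    """MD5 authentication keys are exactly 16 bytes: pad with zeros or truncate."""
    return key.ljust(16, b"\x00")[:16]


def ip4(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_packet(router_id: str, seq: int, body: bytes, key: bytes = KEY) -> bytes:
    """OSPFv2 header (AuType 2) + body + 16-byte MD5 trailer.
    With cryptographic auth the header checksum is zero and the 8-byte
    authentication field carries: reserved(2) | key id(1) | auth len(1) | crypto seq(4).
    The trailer is MD5(packet || key) and is not counted in the length field."""
    length = HEADER_LEN + len(body)
    header = struct.pack("!BBH4s4sHH", 2, 1, length, ip4(router_id), b"\x00" * 4, 0, MD5_AUTH_TYPE)
    auth = struct.pack("!HBBI", 0, KEY_ID, DIGEST_LEN, seq)
    packet = header + auth + body
    return packet + hashlib.md5(packet + key16(key)).digest()


class Neighbor:
    """Receiver-side state for one neighbour: the key and the last accepted
    cryptographic sequence number, which is what defeats replay."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, wire: bytes) -> bool:
        if len(wire) < HEADER_LEN + DIGEST_LEN:
            return False
        length = struct.unpack("!H", wire[2:4])[0]
        autype = struct.unpack("!H", wire[14:16])[0]
        if autype != MD5_AUTH_TYPE or length + DIGEST_LEN != len(wire):
            return False
        _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
        if key_id != KEY_ID or auth_len != DIGEST_LEN:
            return False
        packet, trailer = wire[:length], wire[length:]
        expected = hashlib.md5(packet + key16(self.key)).digest()
        if not hmac.compare_digest(expected, trailer):
            return False               # wrong key, or packet modified in transit
        if seq < self.last_seq:
            return False               # older than what was already accepted: replay
        self.last_seq = seq
        return True


if __name__ == "__main__":
    nb = Neighbor()
    first = build_packet("10.1.14.1", 100, b"\x00" * 20)
    second = build_packet("10.1.14.1", 101, b"\x00" * 20)
    print(nb.accept(first), nb.accept(second), nb.accept(first))   # True True False
```

Note that RFC 2328 accepts a sequence number equal to the last one seen, so a packet replayed before the sender's sequence advances is still accepted; implementations therefore advance the sequence per packet or derive it from time. The digest is a keyed suffix, not an HMAC, which is one reason newer platforms offer HMAC-SHA256 for OSPF.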


Configure the DHCP server
[Huawei]dhcp enable
[Huawei]ip pool 10
Info: It's successful to create an IP address pool.
[Huawei-ip-pool-10]network 192.168.10.0
[Huawei-ip-pool-10]gateway-list 192.168.10.254            // the VRRP virtual gateway, not a switch's own .251/.252
[Huawei-ip-pool-10]quit
[Huawei]ip pool 20
[Huawei-ip-pool-20]network 192.168.20.0
[Huawei-ip-pool-20]gateway-list 192.168.20.254
[Huawei-ip-pool-20]quit
[Huawei]ip pool 30
Info: It's successful to create an IP address pool.
[Huawei-ip-pool-30]network 192.168.30.0
[Huawei-ip-pool-30]gateway-list 192.168.30.254            // the original transcript had the typo 192.168.30.25
[Huawei-ip-pool-30]quit
[Huawei]ip pool 40
Info: It's successful to create an IP address pool.
[Huawei-ip-pool-40]network 192.168.40.0
[Huawei-ip-pool-40]gateway-list 192.168.40.254

[dhcp-GigabitEthernet0/0/0]dhcp select global             // serve from the global pools on the interface facing the network
[dhcp]ip route-static 0.0.0.0 0.0.0.0 10.1.14.1           // default route back towards ar1

At this point lsw1 can ping the DHCP server.

lsw1 and lsw2 are configured in the same way; because the server sits in a different subnet from the clients, each gateway VLAN interface has to relay the DHCP requests to it.

Now PC1 to PC4 all obtain addresses.

Common mistakes:

ports not assigned to their VLAN, the VLAN not created, or no reachability between the switches and the DHCP server.

The four hosts can now reach each other across the whole network.

 

III. Firewall (FW) configuration

  1. IP addresses

  2. Zone assignment

  3. Security policies

  4. OSPF

[fw1]firewall zone trust
[fw1-zone-trust]add interface g0/0/1                     // inside interface
[fw1-zone-trust]interface g0/0/1
[fw1-GigabitEthernet0/0/1]service-manage ping permit     // allow ping to the firewall itself on this interface

[fw1]firewall zone untrust
[fw1-zone-untrust]add interface g0/0/0                   // outside interface
 Info: The interface has been added to trust security zone.

That message means g0/0/0 is still a member of trust: on the USG an interface belongs to exactly one zone, so it has to be removed from trust (`undo add interface` in the trust zone view) before it can be added to untrust. Until that is done the "outside" interface actually sits in trust, the inter-zone policy written for untrust never applies to it, and traffic between the two interfaces is intra-zone. Verify with `display zone`.

Security policies: the page says to permit untrust towards the trust zone. What the hosts need for Internet access is the opposite direction, trust to untrust; inbound untrust to trust should stay denied (the USG default policy denies whatever no rule permits) except for specifically published services. OSPF must additionally be permitted between the firewall's local zone and the zone of its neighbours, otherwise the adjacency never forms.

A source NAT policy is applied on the untrust interface G0/0/0 so that the internal 192.168.x.0/24 addresses are translated on the way out.
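
The two platform rules the transcript runs into, one interface per zone and first-match inter-zone rules with an implicit deny, as a small policy model evaluated against constructed flows. This is an added example, not USG code and not from the page; the interface names are the page's, the rule set is the one the text above calls for.

```python
"""Zone and policy model for the USG steps above.  Added example, not USG
code: it captures two rules of the platform that the transcript trips over
(an interface belongs to exactly one zone; traffic is matched against ordered
inter-zone rules with an implicit deny) and evaluates constructed flows
against the policy the text calls for.  Interface names are the page's."""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    zone_of: dict = field(default_factory=dict)   # interface -> zone
    rules: list = field(default_factory=list)     # (src_zone, dst_zone, proto, dst_port, action), in order

    def add_interface(self, zone: str, iface: str) -> None:
        # The USG answers this with "The interface has been added to <zone> security zone".
        if iface in self.zone_of and self.zone_of[iface] != zone:
            raise ValueError(f"{iface} is already in zone {self.zone_of[iface]}; remove it first")
        self.zone_of[iface] = zone

    def remove_interface(self, zone: str, iface: str) -> None:
        if self.zone_of.get(iface) != zone:
            raise ValueError(f"{iface} is not in zone {zone}")
        del self.zone_of[iface]

    def rule(self, src: str, dst: str, action: str, proto: str = "any", dst_port=None) -> None:
        self.rules.append((src, dst, proto, dst_port, action))

    def decide(self, in_iface: str, out_iface, proto: str, dst_port=None) -> str:
        """First matching rule wins; no match means deny.  out_iface None means the
        packet is addressed to the firewall itself (the 'local' zone), e.g. OSPF."""
        src = self.zone_of[in_iface]
        dst = "local" if out_iface is None else self.zone_of[out_iface]
        for r_src, r_dst, r_proto, r_port, action in self.rules:
            if (r_src in (src, "any") and r_dst in (dst, "any")
                    and r_proto in (proto, "any") and r_port in (dst_port, None)):
                return action
        return "deny"


def page_firewall() -> Firewall:
    """fw1 as the transcript leaves it, then repaired and given a sane policy."""
    fw = Firewall()
    fw.add_interface("trust", "g0/0/1")
    fw.add_interface("trust", "g0/0/0")              # the state the Info message reveals
    try:
        fw.add_interface("untrust", "g0/0/0")        # what the page typed
    except ValueError:
        fw.remove_interface("trust", "g0/0/0")       # undo add interface, then retry
        fw.add_interface("untrust", "g0/0/0")
    fw.rule("trust", "untrust", "permit")            # users out to the Internet (NAT applies on g0/0/0)
    fw.rule("untrust", "local", "permit", "ospf")    # adjacency with the outside router
    fw.rule("local", "untrust", "permit", "ospf")
    # no untrust -> trust rule: inbound is denied unless a service is explicitly published
    return fw


if __name__ == "__main__":
    fw = page_firewall()
    print(fw.zone_of)                                   # {'g0/0/1': 'trust', 'g0/0/0': 'untrust'}
    print(fw.decide("g0/0/1", "g0/0/0", "tcp", 443))    # permit
    print(fw.decide("g0/0/0", "g0/0/1", "tcp", 445))    # deny
    print(fw.decide("g0/0/0", None, "ospf"))            # permit
```

Order matters in the rule list exactly as it does in the USG policy: a broad permit placed above a narrow deny hides the deny, so review the ordered list rather than the set of rules.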

IV. Wireless APs

The AP management VLAN is 101.

Create VLAN 101 on the access switch and make the AP-facing port a trunk whose PVID is 101, so that the AP's untagged CAPWAP traffic lands in the management VLAN:

[lsw4-GigabitEthernet0/0/2]port link-type trunk
[lsw4-GigabitEthernet0/0/2]port trunk pvid vlan 101

Because the VAP below uses direct forwarding, this trunk must also permit the service VLANs (10, 20, 30, 40) besides VLAN 101; otherwise clients associate but their traffic goes nowhere.

AC configuration

[AC6005]int g0/0/4
[AC6005-GigabitEthernet0/0/4]port link-type trunk
[AC6005-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[AC6005]dhcp enable                                      // system-view command (the transcript shows it typed from the VLAN view)
Info: The operation may take a few seconds. Please wait for a moment.done.

[AC6005]interface Vlanif 101
[AC6005-Vlanif101]ip address 192.168.101.254 24          // the AC's address and the gateway handed to the APs
[AC6005-Vlanif101]dhcp select interface                  // the AC leases 192.168.101.0/24 to the APs

Now the APs can ping the AC.

Create the Wi-Fi network

[AC6005-Vlanif101]wlan

[AC6005-wlan-ap-0]q

[AC6005-wlan-view]ap-id 1                               // add the second AP by ID
[AC6005-wlan-ap-1]ap-group ap2
Warning: This operation may cause AP reset. If the country code changes, it will
 clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.
Error: The AP group does not exist.                     // ap2 is an AP name, not a group name
[AC6005-wlan-ap-1]ap-name ap2
[AC6005-wlan-ap-1]ap-group ap-group1                    // the group that already holds ap1
Warning: This operation may cause AP reset. If the country code changes, it will
 clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC6005-wlan-ap-1]q
[AC6005-wlan-view]dis this
#
wlan
 traffic-profile name default
 security-profile name default
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name default
 vap-profile name default
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name defatlt
 regulatory-domain-profile name default
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 wireless-access-specification
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap 
 ap auth-mode no-auth
 ap-group name default
 ap-group name ap-group1
  regulatory-domain-profile defatlt
 ap-id 0 type-id 45 ap-mac 00e0-fc4d-67a0 ap-sn 210235448310630E1214
  ap-name ap1
  ap-group ap-group1
 ap-id 1 type-id 45 ap-mac 00e0-fc30-2d10 ap-sn 210235448310DF71C467
  ap-name ap2
  ap-group ap-group1
 provision-ap
#
return

Two things in that output deserve attention. `ap auth-mode no-auth` lets any AP that reaches VLAN 101 register with the AC; in production use MAC or serial-number authentication with a whitelist of the APs you own, so that a rogue AP cannot join and advertise your SSIDs. And ap-group1 references a regulatory-domain profile named `defatlt`, a typo that created a second profile next to `default`; correct it so the group really uses the intended country code.

[AC6005-wlan-view]dis ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
fault: fault           [1]
nor  : normal          [1]
---------------------------------------------------------------------------------------------
ID   MAC            Name Group     IP             Type            State STA Uptime
---------------------------------------------------------------------------------------------
0    00e0-fc4d-67a0 ap1  ap-group1 192.168.101.79 AP3030DN        nor   0   4S
1    00e0-fc30-2d10 ap2  ap-group1 -              AP3030DN        fault 0   -
---------------------------------------------------------------------------------------------
Total: 2

ap2 had just been moved into ap-group1 (the AC warned that this may reset the AP); in the VAP output further down it is up and serving a client.

[AC6005-wlan-view]security-profile name wlan-net
[AC6005-wlan-sec-prof-wlan-net]security ?
  open      Open system
  wapi      WLAN authentication and privacy infrastructure
  wep       Wired equivalent privacy
  wpa       Wi-Fi protected access
  wpa-wpa2  Wi-Fi protected access version 1&2
  wpa2      Wi-Fi protected access version 2
[AC6005-wlan-sec-prof-wlan-net]security open           // lab only: no authentication, no encryption
[AC6005-wlan-sec-prof-wlan-net]q

(The SSID is not set here; `ssid` belongs to the SSID profile created next, which is why VRP rejected it in this view.)

An open SSID bridged into the office VLANs 10 to 40 lets anyone in radio range join the wired user segments and read every client's traffic over the air. WEP and WPA (TKIP) are broken; the minimum is WPA2 with AES, either with a long random pre-shared key (`security wpa2 psk pass-phrase ... aes`) or, for an enterprise, 802.1X against a RADIUS server so that each user has individual, revocable credentials.

[AC6005-wlan-view]ssid-profile name ceshi
[AC6005-wlan-ssid-prof-ceshi]ssid ceshi
Info: This operation may take a few seconds, please wait.done.
[AC6005-wlan-ssid-prof-ceshi]q

[AC6005-wlan-view]vap-profile name wlan-net
[AC6005-wlan-vap-prof-wlan-net]forward-mode direct-forward   // client traffic is bridged by the AP into the service VLAN, not tunnelled to the AC
[AC6005-wlan-view]q
[AC6005]vlan pool ceshi                                 // the service VLANs clients are spread across
[AC6005-vlan-pool-ceshi]vlan 10 20 40 30
[AC6005-vlan-pool-ceshi]wlan
[AC6005-wlan-view]vap-profile name wlan-net
[AC6005-wlan-vap-prof-wlan-net]service-vlan vlan-pool ?
  STRING<1-31>  VLAN pool name
[AC6005-wlan-vap-prof-wlan-net]service-vlan vlan-pool ceshi
Info: This operation may take a few seconds, please wait.done.
[AC6005-wlan-vap-prof-wlan-net]security-profile wlan-net
Info: This operation may take a few seconds, please wait.done.
[AC6005-wlan-vap-prof-wlan-net]ssid-profile vlan-net
Error: The SSID profile does not exist.                 // the SSID profile was named ceshi, not wlan-net
[AC6005-wlan-vap-prof-wlan-net]ssid-profile ceshi
Info: This operation may take a few seconds, please wait.done.
[AC6005-wlan-vap-prof-wlan-net]q
[AC6005-wlan-view]q
[AC6005]wlan
[AC6005-wlan-view]ap-group name ap-group1
[AC6005-wlan-ap-group-ap-group1]vap-profile wlan-net wlan 1 radio 0    // bind the VAP to the 2.4 GHz radio
Info: This operation may take a few seconds, please wait...done.
[AC6005-wlan-ap-group-ap-group1]vap-profile wlan-net wlan 1 radio 1    // and to the 5 GHz radio
Info: This operation may take a few seconds, please wait...done.
[AC6005-wlan-ap-group-ap-group1]dis vap ssid ceshi
Info: This operation may take a few seconds, please wait.
WID : WLAN ID            
-----------------------------------------------------------------------
AP ID AP name RfID WID  BSSID          Status  Auth type  STA   SSID 
-----------------------------------------------------------------------
0     ap1     0    1    00E0-FC4D-67A0 ON      Open       0     ceshi
0     ap1     1    1    00E0-FC4D-67B0 ON      Open       0     ceshi
1     ap2     0    1    00E0-FC30-2D10 ON      Open       1     ceshi
1     ap2     1    1    00E0-FC30-2D20 ON      Open       0     ceshi
-----------------------------------------------------------------------
Total: 4
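
What the choice between `security open` and `security wpa2 psk ... aes` actually buys, shown from the attacker's side: WPA2-PSK derives the PMK from passphrase and SSID and, per association, a PTK whose first 16 bytes authenticate the 4-way handshake, so whoever captures one handshake can test passphrases offline. This is an added example, not code from the page and not Huawei code; key derivation follows IEEE 802.11i, and the MACs, nonces and EAPOL frame are constructed (the AP MAC is ap1's from the page, the station MAC and the passphrase are invented).

```python
"""What 'security open' gives up and what 'security wpa2 psk ... aes' provides.
WPA2-PSK derives a PMK from passphrase and SSID and, per association, a PTK
whose first 16 bytes (the KCK) authenticate the 4-way handshake.  Whoever
captures one handshake can test passphrases offline exactly as crack() does,
so the passphrase must be long and random.  Added example, not from the page
and not Huawei code; key derivation follows IEEE 802.11i.  The MACs, nonces
and EAPOL frame are constructed here (the AP MAC is ap1's from the page)."""
import hashlib
import hmac
import struct

SSID = "ceshi"            # the page's SSID; it salts the PMK, so precomputed tables are per-SSID
MIC_OFFSET = 81           # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC


def pmk(passphrase: str, ssid: str = SSID) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: KCK(16) | KEK(16) | TK(16) | spare.  min/max ordering
    makes both sides derive the same key regardless of who is 'first'."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk_, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_key_msg2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """Message 2 of the 4-way handshake (STA -> AP) with the MIC field zeroed."""
    key_info = 0x010A     # descriptor version 2 (HMAC-SHA1-128 MIC), pairwise, MIC present
    body = struct.pack("!BHHQ32s16sQQ16sH",
                       2, key_info, 0, replay_counter, snonce,   # type, info, key len, replay, SNonce
                       b"\x00" * 16, 0, 0,                       # IV, RSC, ID
                       b"\x00" * 16, 0)                          # MIC (zero), key data length
    return struct.pack("!BBH", 2, 3, len(body)) + body           # 802.1X v2, EAPOL-Key


def mic(kck: bytes, frame: bytes) -> bytes:
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def capture_handshake(passphrase: str) -> tuple:
    """What an eavesdropper records: both MACs, both nonces, and message 2
    carrying a MIC made with the real passphrase.  Constructed, not a real capture."""
    ap, sta = bytes.fromhex("00e0fc4d67a0"), bytes.fromhex("0a1b2c3d4e5f")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = ptk(pmk(passphrase), ap, sta, anonce, snonce)[:16]
    frame = eapol_key_msg2(snonce)
    frame = frame[:MIC_OFFSET] + mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return ap, sta, anonce, snonce, frame


def crack(capture: tuple, wordlist):
    """Offline dictionary attack: 4096 PBKDF2 rounds per candidate, no contact with the AP."""
    ap, sta, anonce, snonce, frame = capture
    observed = frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = ptk(pmk(candidate), ap, sta, anonce, snonce)[:16]
        if hmac.compare_digest(mic(kck, frame), observed):
            return candidate
    return None


if __name__ == "__main__":
    cap = capture_handshake("ceshi1234")
    print(crack(cap, ["password", "12345678", "ceshi1234"]))   # ceshi1234
```

With `security open` there is no handshake to capture because there is no key at all. With WPA2-PSK the cost of a guess is fixed by PBKDF2 (4096 rounds), which only matters if the passphrase is not in any wordlist; 802.1X removes the shared secret entirely, which is why it is the enterprise choice.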

 

Troubleshooting the DHCP pools

The pool on the DHCP server looked like this in `display this` from the pool view. The original mixed `network 192.168.10.0` with 192.168.20.x gateway and exclusion addresses, which cannot work because the gateway and the excluded range must lie inside the pool's own network; it is shown here as the corrected pool for VLAN 20:

 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 excluded-ip-address 192.168.20.250 192.168.20.252
 dns-list 1.1.1.1
#

Wi-Fi clients could not connect: the DHCP server was leasing addresses that the switches already used for their own interfaces, and the resulting IP address conflicts meant the clients never ended up with a usable address.

Fix: disable DHCP on the DHCP server, clear the address pools, re-create them with 250-253 marked as not allocatable (the switch interface addresses of each subnet and a spare), and set the interface back to global allocation mode.
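
The reservation that the DHCP server section and this troubleshooting note both need, done once for all four pools: every address the aggregation switches own is excluded before a pool is created, and the conflict check finds leases that already collide. This is an added example, not from the page; the reserved host numbers come from the page's address plan (.251/.252 physical, .254 virtual, 250-253 set aside), the pool names and the DNS server are assumptions.

```python
"""DHCP pool planning for the user VLANs: reserve every address the
aggregation switches own (their own .251/.252, the VRRP virtual .254, and the
250-253 block the troubleshooting note sets aside) so that leases can never
collide with them.  Added example, not from the page; the reserved host
numbers come from the page's address plan, the pool name/DNS are assumptions."""
import ipaddress


def reserved_hosts(physical=(251, 252), virtual=254, reserve=range(250, 254)) -> list:
    """Host numbers in the /24 that must never be leased."""
    return sorted({*physical, virtual, *reserve})


def exclusion_ranges(net: str, hosts=None) -> list:
    """Collapse the reserved hosts into contiguous (first, last) address ranges,
    which is the form 'excluded-ip-address' takes."""
    n = ipaddress.ip_network(net, strict=False)
    hosts = sorted(set(reserved_hosts() if hosts is None else hosts))
    ranges = []
    for h in hosts:
        addr = n.network_address + h
        if addr not in n or addr in (n.network_address, n.broadcast_address):
            raise ValueError(f"host {h} is not a usable address in {n}")
        if ranges and ranges[-1][1] + 1 == addr:
            ranges[-1][1] = addr          # extend the current run
        else:
            ranges.append([addr, addr])   # start a new run
    return [(str(a), str(b)) for a, b in ranges]


def huawei_pool(name: str, net: str, gateway_host: int = 254, dns: str = "1.1.1.1") -> list:
    """VRP 'ip pool' lines.  The gateway is excluded explicitly as well, so the
    result is safe whether or not the platform excludes gateway-list addresses on its own."""
    n = ipaddress.ip_network(net, strict=False)
    lines = [f"ip pool {name}",
             f" gateway-list {n.network_address + gateway_host}",
             f" network {n.network_address} mask {n.netmask}"]
    lines += [f" excluded-ip-address {a} {b}" for a, b in exclusion_ranges(net)]
    lines.append(f" dns-list {dns}")
    return lines


def leasable_count(net: str) -> int:
    """Addresses left for clients after network, broadcast and the reservations."""
    n = ipaddress.ip_network(net, strict=False)
    excluded = sum(int(ipaddress.ip_address(b)) - int(ipaddress.ip_address(a)) + 1
                   for a, b in exclusion_ranges(net))
    return n.num_addresses - 2 - excluded


def conflicts(leases, net: str) -> list:
    """Leases a server has already handed out that sit on reserved addresses:
    the symptom behind the page's 'IP address conflict' troubleshooting."""
    reserved = set()
    for a, b in exclusion_ranges(net):
        reserved.update(range(int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b)) + 1))
    return sorted((lease for lease in leases if int(ipaddress.ip_address(lease)) in reserved),
                  key=lambda s: int(ipaddress.ip_address(s)))


if __name__ == "__main__":
    for vlan in (10, 20, 30, 40):
        print("\n".join(huawei_pool(str(vlan), f"192.168.{vlan}.0/24")))
    print(conflicts(["192.168.30.12", "192.168.30.251", "192.168.30.254"], "192.168.30.0/24"))
    # ['192.168.30.251', '192.168.30.254']
```

Run the conflict check against the server's lease table (`display ip pool name <pool> used` on VRP) before changing the pools: any hit is a client that has to be forced to renew after the exclusions are in place.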

 
