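Contents
I. Access layer to aggregation layer
II. Aggregation layer to core layer
III. Firewall (fw) configuration
IV. Wireless AP
I. Access layer to aggregation layer
a. VLAN configuration
b. Interconnect links: trunk and Eth-Trunk
c. STP/MSTP
d. Gateways, with VRRP working together with MSTP
Two MSTP instances:
Instance 1 - vlan10 vlan30
Instance 2 - vlan20 vlan40
Address plan
1. Create the VLANs on every switch and set the link type of each port.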
[Huawei-GigabitEthernet0/0/1]int g0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 30
[Huawei-GigabitEthernet0/0/3]stp edged-port enable
[Huawei-GigabitEthernet0/0/3]int g0/0/4
[Huawei-GigabitEthernet0/0/4] port link-type trunk
[Huawei-GigabitEthernet0/0/4] port trunk allow-pass vlan 2 to 4094
[Huawei-GigabitEthernet0/0/4]int g0/0/5
[Huawei-GigabitEthernet0/0/5] port link-type trunk
[Huawei-GigabitEthernet0/0/5] port trunk allow-pass vlan 2 to 4094
The remaining ports and switches follow the same pattern.
Link aggregation between lsw1 and lsw3
[lsw1]int Eth-Trunk 12 //enter aggregated interface Eth-Trunk 12
[lsw1-Eth-Trunk12]mode lacp-static //use LACP mode
[lsw1-Eth-Trunk12]trunkport GigabitEthernet 0/0/23 to 0/0/24 //add ports 23 and 24 as members
[lsw1-Eth-Trunk12]port link-type trunk
[lsw1-Eth-Trunk12]port trunk allow-pass vlan all
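Added example (not part of the original post): a Python check of how much wider than the design each trunk from step 1 is. The saved-configuration layout of the sample, the NEEDED set and the function names are assumptions; ports toward the APs and the AC would also need management VLAN 101.

```python
import re

# Constructed sample: the port commands from step 1, laid out as they would
# appear in a saved configuration (layout and all names are illustrative).
CONFIG = """interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 30
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
interface Eth-Trunk12
 port link-type trunk
 port trunk allow-pass vlan all
"""
# Assumption: the design only uses the VLANs of its two MSTP instances.
NEEDED = {10, 20, 30, 40}

def expand(spec):
    """Expand 'all' or a list such as '10 20 30 to 40' into a set of VLAN IDs."""
    if spec == "all":
        return set(range(1, 4095))
    vlans, tok, i = set(), spec.split(), 0
    while i < len(tok):
        if i + 2 < len(tok) and tok[i + 1] == "to":   # 'A to B' range
            vlans.update(range(int(tok[i]), int(tok[i + 2]) + 1))
            i += 3
        else:                                         # single VLAN ID
            vlans.add(int(tok[i]))
            i += 1
    return vlans

def audit_trunks(config, needed):
    """Return {interface: number of allowed VLANs the design does not use}."""
    extra, ifname = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            ifname = m[1]
        elif m := re.fullmatch(r"port trunk allow-pass vlan (.+)", line):
            extra.setdefault(ifname, set()).update(expand(m[1]) - needed)
    return {name: len(v) for name, v in extra.items() if v}

print(audit_trunks(CONFIG, NEEDED))
```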
2. Configure spanning tree
[lsw2]stp region-configuration
[lsw2-mst-region] region-name ceshi
[lsw2-mst-region] revision-level 1
[lsw2-mst-region] instance 1 vlan 10 30
[lsw2-mst-region] instance 2 vlan 20 40
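[lsw2-mst-region] active region-configuration
Apply the same region configuration on the other switches.
[lsw1]stp instance 1 root primary //lsw1 is the primary root for instance 1
[lsw1]stp instance 2 root secondary //lsw1 is the secondary root for instance 2
[lsw3]stp instance 2 root primary
[lsw3]stp instance 1 root secondary
3. Configure the gateways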
[lsw1-Vlanif10]ip address 192.168.10.251 24
[lsw1-Vlanif10]int vlan 20
[lsw1-Vlanif20]ip address 192.168.20.251 24
[lsw1-Vlanif20]int vlan 30
[lsw1-Vlanif30]ip address 192.168.30.251 24
[lsw1-Vlanif30]int vlan 40
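[lsw1-Vlanif40]ip address 192.168.40.251 24
lsw2 is configured in the same way, with gateway addresses ending in .252.
4. Configure VRRP
[lsw1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254 //the virtual gateway address is 192.168.30.254
[lsw1-Vlanif30]vrrp vrid 30 priority 120 //raise the priority
[lsw3-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254 //configure the backup
The remaining configuration follows the same pattern.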
II. Aggregation layer to core layer
a. IP configuration
b. OSPF and authentication
1. Configure the switch addresses
[ar2]di ip int br
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 1
Interface                 IP Address/Mask    Physical  Protocol
GigabitEthernet0/0/0      10.1.23.2/24       up        up
GigabitEthernet0/0/1      unassigned         down      down
GigabitEthernet0/0/2      10.1.12.2/24       up        up
GigabitEthernet1/0/0      10.1.104.2/24      up        up
GigabitEthernet2/0/0      10.1.102.2/24      up        up
NULL0                     unassigned         up        up(s)
[ar1]dis ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 1
Interface                 IP Address/Mask    Physical  Protocol
GigabitEthernet0/0/0      10.1.14.1/24       up        up
GigabitEthernet0/0/1      10.1.15.1/24       up        up
GigabitEthernet0/0/2      10.1.12.1/24       down      down
GigabitEthernet1/0/0      10.1.100.1/24      up        up
GigabitEthernet2/0/0      10.1.103.1/24      up        up
NULL0                     unassigned         up
Configure the switch interfaces
Enter system view, return user view with Ctrl+Z.
[lsw3]vlan batch 300 400
Info: This operation may take a few seconds. Please wait for a moment…done.
[lsw3]int vlan 300
[lsw3-Vlanif300]ip address 10.1.103.2 24
[lsw3-Vlanif300]int vlan 400
[lsw3-Vlanif400]ip address 10.1.104.2 24
[lsw3-Vlanif400]int g0/0/1
[lsw3-GigabitEthernet0/0/1]port link-type access
[lsw3-GigabitEthernet0/0/1]port default vlan 400
[lsw3-GigabitEthernet0/0/1]int g0/0/2
[lsw3-GigabitEthernet0/0/2]port link-type access
[lsw3-GigabitEthernet0/0/2]port default vlan 300
Configure OSPF
[ar1]ospf
[ar1-ospf-1]area 0
[ar1-ospf-1-area-0.0.0.0]network 10.1.14.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]network 10.1.15.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]network 10.1.12.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]network 10.1.100.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]network 10.1.103.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]int p5/0/0
[ar1-Pos5/0/0]ip address 10.1.13.1
[ar1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher huawei@123 //set the OSPF area authentication password
The other routers are configured in the same way.
Configure the DHCP server
[Huawei]dhcp enable
[Huawei]ip pool 10
Info: It's successful to create an IP address pool.
[Huawei-ip-pool-10]network 192.168.10.0
[Huawei-ip-pool-10]gateway-list 192.168.10.254
[Huawei-ip-pool-10]dis this
[Huawei]ip pool 20
[Huawei-ip-pool-20]network 192.168.20.0
[Huawei-ip-pool-20]gateway-list 192.168.20.254
[Huawei-ip-pool-20]ip pool 30
Info: It's successful to create an IP address pool.
[Huawei-ip-pool-30]network 192.168.30.0
[Huawei-ip-pool-30]gateway-list 192.168.30.254
[Huawei]ip pool 40
Info: It's successful to create an IP address pool.
[Huawei-ip-pool-40]network 192.168.40.0
[Huawei-ip-pool-40]gateway-list 192.168.40.254
[dhcp-GigabitEthernet0/0/0]dhcp select global
[dhcp]ip route-static 0.0.0.0 0.0.0.0 10.1.14.1
At this point lsw1 can ping the DHCP server.
lsw1 and lsw2 are configured in the same way.
At this point pc1, pc2, pc3 and pc4 can all obtain an address.
Common mistakes:
Ports not assigned to a VLAN, VLANs not configured, or no connectivity between the switch and the DHCP server.
All four hosts can reach each other across the whole network.
III. Firewall (fw) configuration
1. IP addresses
2. Zone assignment
3. Security policies to permit traffic
4. OSPF
[fw1]firewall zone trust
22:33:04 2022/08/25
[fw1-zone-trust]add interface g0/0/1
[fw1-GigabitEthernet0/0/1]service-manage ping permit //allow ping
[fw1-zone-untrust]add interface g0/0/0
Info: The interface has been added to trust security zone.
The firewall is configured to allow untrust to reach the security zone.
OSPF traffic is allowed through as well.
A NAT policy is applied on interface 0/0/0.
IV. Wireless AP
The AP management VLAN is 101.
Create VLAN 101 on the access-layer switch.
[lsw4-GigabitEthernet0/0/2]port link-type trunk
[lsw4-GigabitEthernet0/0/2]port trunk pvid vlan 101
AC configuration
[AC6005]int g0/0/4
[AC6005-GigabitEthernet0/0/4]port link-type trunk
[AC6005-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[AC6005-vlan101]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[AC6005-Vlanif101]ip address 192.168.101.254 24
[AC6005-Vlanif101]dhcp select interface
At this point the AP can ping the AC.
Create the Wi-Fi network
[AC6005-Vlanif101]wlan
[AC6005-wlan-ap-0]q
[AC6005-wlan-view]ap-id 1
[AC6005-wlan-ap-1]ap-group ap2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue
gateway-list 192.168.20.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.20.250 192.168.20.252
dns-list 1.1.1.1
#
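Wi-Fi clients could not connect: an IP address conflict meant they did not obtain an address.
Disable the DHCP function on the DHCP server.
Clear the address pool information, and exclude addresses 250-253 in the address pool from allocation.
Set the global allocation mode on the interface.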
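Added example (not part of the original post): a Python check for the conflict described above, listing statically configured addresses that a pool could still lease because no excluded-ip-address range covers them. The sample pools and the STATIC list are constructed from values on this page; the function names and the /24 default are assumptions.

```python
import ipaddress
import re

# Constructed sample: pool 10 as first configured on this page (no exclusions),
# pool 20 with an excluded range like the one in the page's final fragment.
POOLS = """ip pool 10
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
ip pool 20
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 excluded-ip-address 192.168.20.250 192.168.20.252
"""
# Vlanif addresses from the gateway step: .251 on lsw1, .252 on its peer.
STATIC = ["192.168.10.251", "192.168.10.252", "192.168.20.251", "192.168.20.252"]

def parse_pools(text):
    """Return {pool name: {"net": IPv4Network, "excluded": [(first, last), ...]}}."""
    pools, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"ip pool (\S+)", line):
            cur = pools.setdefault(m[1], {"net": None, "excluded": []})
        elif m := re.fullmatch(r"network (\S+)(?: mask (\S+))?", line):
            # Assumption: a missing mask is treated as /24, matching the
            # 192.168.x.0 pools on this page.
            cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2] or 24}")
        elif m := re.fullmatch(r"excluded-ip-address (\S+)(?: (\S+))?", line):
            first = ipaddress.ip_address(m[1])
            cur["excluded"].append((first, ipaddress.ip_address(m[2] or m[1])))
    return pools

def leasable_statics(pools_text, statics):
    """Static addresses that a pool could still hand out to a client."""
    hits = []
    for name, pool in parse_pools(pools_text).items():
        for addr in map(ipaddress.ip_address, statics):
            covered = any(lo <= addr <= hi for lo, hi in pool["excluded"])
            if pool["net"] and addr in pool["net"] and not covered:
                hits.append((name, str(addr)))
    return hits

print(leasable_statics(POOLS, STATIC))
```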