HCIA-Datacom Campus Network Project Practice: Huawei Certification Lab Manual, eNSP Configuration

HCIA-Datacom Campus Network Project Practice

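Configuration steps

I. Layer 2 configuration
Background:
• Wired network VLAN assignment
▪ The access switch in the first-floor core equipment room connects servers on GE0/0/2~GE0/0/10, all in the same VLAN.
▪ On the second floor, F2-ACC2 connects the General Manager's office and the other switches connect the Administration Department; the two departments are in different VLANs.
▪ On the third floor, E0/0/1~E0/0/10 of F3-ACC1 and F3-ACC3 belong to the Marketing Department, and E0/0/11~E0/0/20 belong to the R&D Department.
▪ E0/0/1~E0/0/19 of F3-ACC2 belong to the Marketing Department.
• Wireless network VLAN assignment:
▪ The wireless terminals on each floor must be in different VLANs.
▪ Each floor uses a different wireless management VLAN.
Note: VLANs must be reserved for device interconnection, device management and similar purposes.
1. F1-ACC1 Layer 2 configuration
<Huawei>system-view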
[Huawei]undo info-center enable
[Huawei]sysname F1-ACC1
[F1-ACC1]vlan batch 100 105 205
[F1-ACC1]port-group group-member GigabitEthernet 0/0/2 to GigabitEthernet 0/0/10
[F1-ACC1-port-group]port link-type access
[F1-ACC1-port-group]port default vlan 100
[F1-ACC1]interface GigabitEthernet 0/0/1
[F1-ACC1-GigabitEthernet0/0/1]port link-type trunk
[F1-ACC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100 105 205
[F1-ACC1]interface GigabitEthernet 0/0/20
[F1-ACC1-GigabitEthernet0/0/20]port link-type trunk
[F1-ACC1-GigabitEthernet0/0/20]port trunk pvid vlan 205
[F1-ACC1-GigabitEthernet0/0/20]port trunk allow-pass vlan 105 205

2. F2-ACC1 Layer 2 configuration
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname F2-ACC1
[F2-ACC1]vlan batch 2 102
[F2-ACC1]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/22
[F2-ACC1-port-group]port link-type access
[F2-ACC1-port-group]port default vlan 102
[F2-ACC1]interface GigabitEthernet 0/0/1
[F2-ACC1-GigabitEthernet0/0/1]port link-type trunk
[F2-ACC1-GigabitEthernet0/0/1]port trunk pvid vlan 2
[F2-ACC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 102

3. F2-ACC2 Layer 2 configuration
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname F2-ACC2
[F2-ACC2]vlan batch 2 101 106 206
[F2-ACC2]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/19
[F2-ACC2-port-group]port link-type access
[F2-ACC2-port-group]port default vlan 101
[F2-ACC2]interface GigabitEthernet 0/0/1
[F2-ACC2-GigabitEthernet0/0/1]port link-type trunk
[F2-ACC2-GigabitEthernet0/0/1]port trunk pvid vlan 2
[F2-ACC2-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 101 106 206
[F2-ACC2]interface Ethernet 0/0/20
[F2-ACC2-Ethernet0/0/20]port link-type trunk
[F2-ACC2-Ethernet0/0/20]port trunk pvid vlan 206
[F2-ACC2-Ethernet0/0/20]port trunk allow-pass vlan 106 206

4. F2-ACC3 Layer 2 configuration
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname F2-ACC3
[F2-ACC3]vlan batch 2 102
[F2-ACC3]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/22
[F2-ACC3-port-group]port link-type access
[F2-ACC3-port-group]port default vlan 102
[F2-ACC3]interface GigabitEthernet 0/0/1
[F2-ACC3-GigabitEthernet0/0/1]port link-type trunk
[F2-ACC3-GigabitEthernet0/0/1]port trunk pvid vlan 2
[F2-ACC3-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 102

5. F3-ACC1 Layer 2 configuration
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname F3-ACC1
[F3-ACC1]vlan batch 3 103 104
[F3-ACC1]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/10
[F3-ACC1-port-group]port link-type access
[F3-ACC1-port-group]port default vlan 103
[F3-ACC1]port-group group-member Ethernet 0/0/11 to Ethernet 0/0/20
[F3-ACC1-port-group]port link-type access
[F3-ACC1-port-group]port default vlan 104
[F3-ACC1]interface GigabitEthernet 0/0/1
[F3-ACC1-GigabitEthernet0/0/1]port link-type trunk
[F3-ACC1-GigabitEthernet0/0/1]port trunk pvid vlan 3
[F3-ACC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 3 103 104

6. F3-ACC2 Layer 2 configuration
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname F3-ACC2
[F3-ACC2]vlan batch 3 103 107 207
[F3-ACC2]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/19
[F3-ACC2-port-group]port link-type access
[F3-ACC2-port-group]port default vlan 103
[F3-ACC2]interface GigabitEthernet 0/0/1
[F3-ACC2-GigabitEthernet0/0/1]port link-type trunk
[F3-ACC2-GigabitEthernet0/0/1]port trunk pvid vlan 3
[F3-ACC2-GigabitEthernet0/0/1]port trunk allow-pass vlan 3 103 107 207
[F3-ACC2]interface Ethernet 0/0/20
[F3-ACC2-Ethernet0/0/20]port link-type trunk
[F3-ACC2-Ethernet0/0/20]port trunk pvid vlan 207
[F3-ACC2-Ethernet0/0/20]port trunk allow-pass vlan 107 207

7. F3-ACC3 Layer 2 configuration
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname F3-ACC3
[F3-ACC3]vlan batch 3 103 104
[F3-ACC3]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/10
[F3-ACC3-port-group]port link-type access
[F3-ACC3-port-group]port default vlan 103
[F3-ACC3]port-group group-member Ethernet 0/0/11 to Ethernet 0/0/20
[F3-ACC3-port-group]port link-type access
[F3-ACC3-port-group]port default vlan 104
[F3-ACC3]interface GigabitEthernet 0/0/1
[F3-ACC3-GigabitEthernet0/0/1]port link-type trunk
[F3-ACC3-GigabitEthernet0/0/1]port trunk pvid vlan 3
[F3-ACC3-GigabitEthernet0/0/1]port trunk allow-pass vlan 3 103 104

8. F2-AGG1 Layer 2 configuration
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname F2-AGG1
[F2-AGG1]vlan batch 2 101 102 106 206 201 203
[F2-AGG1]interface GigabitEthernet0/0/1
[F2-AGG1-GigabitEthernet0/0/1] port link-type access
[F2-AGG1-GigabitEthernet0/0/1] port default vlan 201
[F2-AGG1-GigabitEthernet0/0/1]interface GigabitEthernet0/0/2
[F2-AGG1-GigabitEthernet0/0/2] port link-type access
[F2-AGG1-GigabitEthernet0/0/2] port default vlan 203
[F2-AGG1-GigabitEthernet0/0/2]interface GigabitEthernet0/0/11
[F2-AGG1-GigabitEthernet0/0/11] port link-type trunk
[F2-AGG1-GigabitEthernet0/0/11] port trunk pvid vlan 2
[F2-AGG1-GigabitEthernet0/0/11] port trunk allow-pass vlan 2 102
[F2-AGG1-GigabitEthernet0/0/11]interface GigabitEthernet0/0/12
[F2-AGG1-GigabitEthernet0/0/12] port link-type trunk
[F2-AGG1-GigabitEthernet0/0/12] port trunk pvid vlan 2
[F2-AGG1-GigabitEthernet0/0/12] port trunk allow-pass vlan 2 101 106 206
[F2-AGG1-GigabitEthernet0/0/12]interface GigabitEthernet0/0/13
[F2-AGG1-GigabitEthernet0/0/13] port link-type trunk
[F2-AGG1-GigabitEthernet0/0/13] port trunk pvid vlan 2
[F2-AGG1-GigabitEthernet0/0/13] port trunk allow-pass vlan 2 102

9. F3-AGG1 Layer 2 configuration
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname F3-AGG1
[F3-AGG1]vlan batch 3 103 to 104 107 202 to 203 207
[F3-AGG1]interface GigabitEthernet0/0/1
[F3-AGG1-GigabitEthernet0/0/1] port link-type access
[F3-AGG1-GigabitEthernet0/0/1] port default vlan 202
[F3-AGG1-GigabitEthernet0/0/1]interface GigabitEthernet0/0/2
[F3-AGG1-GigabitEthernet0/0/2] port link-type access
[F3-AGG1-GigabitEthernet0/0/2] port default vlan 203
[F3-AGG1-GigabitEthernet0/0/2]interface GigabitEthernet0/0/11
[F3-AGG1-GigabitEthernet0/0/11] port link-type trunk
[F3-AGG1-GigabitEthernet0/0/11] port trunk pvid vlan 3
[F3-AGG1-GigabitEthernet0/0/11] port trunk allow-pass vlan 3 103 to 104
[F3-AGG1-GigabitEthernet0/0/11]interface GigabitEthernet0/0/12
[F3-AGG1-GigabitEthernet0/0/12] port link-type trunk
[F3-AGG1-GigabitEthernet0/0/12] port trunk pvid vlan 3
[F3-AGG1-GigabitEthernet0/0/12] port trunk allow-pass vlan 3 103 107 207
[F3-AGG1-GigabitEthernet0/0/12]interface GigabitEthernet0/0/13
[F3-AGG1-GigabitEthernet0/0/13] port link-type trunk
[F3-AGG1-GigabitEthernet0/0/13] port trunk pvid vlan 3
[F3-AGG1-GigabitEthernet0/0/13] port trunk allow-pass vlan 3 103 to 104

10. CORE1 Layer 2 configuration
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname CORE1
[CORE1]vlan batch 100 105 201 to 202 204 to 205
[CORE1]interface GigabitEthernet0/0/1
[CORE1-GigabitEthernet0/0/1] port link-type trunk
[CORE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 105 205
[CORE1-GigabitEthernet0/0/1]#
[CORE1-GigabitEthernet0/0/1]interface GigabitEthernet0/0/2
[CORE1-GigabitEthernet0/0/2] port link-type access
[CORE1-GigabitEthernet0/0/2] port default vlan 201
[CORE1-GigabitEthernet0/0/2]#
[CORE1-GigabitEthernet0/0/2]interface GigabitEthernet0/0/3
[CORE1-GigabitEthernet0/0/3] port link-type access
[CORE1-GigabitEthernet0/0/3] port default vlan 202
[CORE1-GigabitEthernet0/0/3]#
[CORE1-GigabitEthernet0/0/3]interface GigabitEthernet0/0/4
[CORE1-GigabitEthernet0/0/4] port link-type access
[CORE1-GigabitEthernet0/0/4] port default vlan 205
[CORE1-GigabitEthernet0/0/4]#
[CORE1-GigabitEthernet0/0/4]interface GigabitEthernet0/0/5
[CORE1-GigabitEthernet0/0/5] port link-type access
[CORE1-GigabitEthernet0/0/5] port default vlan 204

11. AC Layer 2 configuration
<AC6605>system-view
[AC6605]undo info-center enable
[AC6605] sysname AC
[AC]vlan 205
[AC]interface GigabitEthernet0/0/1
[AC-GigabitEthernet0/0/1] port link-type access
[AC-GigabitEthernet0/0/1] port default vlan 205
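
II. Layer 3 configuration
Background:
• Addressing uses the 192.168.0.0/16 address range, with the following requirements:
▪ First floor:
▫ Servers use static IP addresses. Wireless clients and wireless APs obtain addresses from CORE1 through DHCP, and their gateways are on CORE1.
▫ The access switch management IP is configured statically, with the gateway on CORE1.
▪ Second and third floors:
▫ All wired terminals, wireless terminals and wireless APs obtain addresses through DHCP from the aggregation switch of their floor, and their gateways are on that aggregation switch.
▫ Access switch management IPs are configured statically, with the gateway on the aggregation switch of the same floor.
• The whole network uses the OSPF dynamic routing protocol to interconnect the service subnets, and all terminals reach the Internet through Router.

(1) Interface IP addresses and static configuration:

1. First-floor access switch: static configuration, gateway on CORE1, default route pointing to CORE1
[F1-ACC1]interface Vlanif1
[F1-ACC1-Vlanif1] ip address 192.168.1.1 255.255.255.0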

2. Second-floor access switches: static configuration, gateway on F2-AGG1, default route pointing to F2-AGG1
[F2-ACC1]interface Vlanif2
[F2-ACC1-Vlanif2] ip address 192.168.2.1 255.255.255.0
[F2-ACC2]interface Vlanif2
[F2-ACC2-Vlanif2] ip address 192.168.2.2 255.255.255.0
[F2-ACC3]interface Vlanif2
[F2-ACC3-Vlanif2] ip address 192.168.2.3 255.255.255.0

3. Third-floor access switches: static configuration, gateway on F3-AGG1, default route pointing to F3-AGG1
[F3-ACC1]interface Vlanif3
[F3-ACC1-Vlanif3] ip address 192.168.3.1 255.255.255.0
[F3-ACC2]interface Vlanif3
[F3-ACC2-Vlanif3] ip address 192.168.3.2 255.255.255.0
[F3-ACC3]interface Vlanif3
[F3-ACC3-Vlanif3] ip address 192.168.3.3 255.255.255.0

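4. Manually configure the IP addresses of the two servers
server1: 192.168.100.1/24, gateway: 192.168.100.254 (the gateway is the Vlanif100 interface on CORE1)
server2: 192.168.100.2/24, gateway: 192.168.100.254 (the gateway is the Vlanif100 interface on CORE1)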

5. Logical interface IP configuration on core switch CORE1
[CORE1]interface Vlanif1
[CORE1-Vlanif1] ip address 192.168.1.254 255.255.255.0
[CORE1-Vlanif1]interface Vlanif100
[CORE1-Vlanif100] ip address 192.168.100.254 255.255.255.0
[CORE1-Vlanif100]interface Vlanif105
[CORE1-Vlanif105] ip address 192.168.105.254 255.255.255.0
[CORE1-Vlanif105]interface Vlanif201
[CORE1-Vlanif201] ip address 192.168.201.1 255.255.255.252
[CORE1-Vlanif201]interface Vlanif202
[CORE1-Vlanif202] ip address 192.168.202.1 255.255.255.252
[CORE1-Vlanif202]interface Vlanif204
[CORE1-Vlanif204] ip address 192.168.204.2 255.255.255.252
[CORE1-Vlanif204]interface Vlanif205
[CORE1-Vlanif205] ip address 192.168.205.254 255.255.255.0

6. Logical interface configuration on second-floor F2-AGG1
[F2-AGG1]interface Vlanif2
[F2-AGG1-Vlanif2] ip address 192.168.2.254 255.255.255.0
[F2-AGG1-Vlanif2]interface Vlanif101
[F2-AGG1-Vlanif101] ip address 192.168.101.254 255.255.255.0
[F2-AGG1-Vlanif101]interface Vlanif102
[F2-AGG1-Vlanif102] ip address 192.168.102.254 255.255.255.0
[F2-AGG1-Vlanif102]interface Vlanif106
[F2-AGG1-Vlanif106] ip address 192.168.106.254 255.255.255.0
[F2-AGG1-Vlanif106]interface Vlanif201
[F2-AGG1-Vlanif201] ip address 192.168.201.2 255.255.255.252
[F2-AGG1-Vlanif201]interface Vlanif203
[F2-AGG1-Vlanif203] ip address 192.168.203.1 255.255.255.252
[F2-AGG1-Vlanif203]interface Vlanif206
[F2-AGG1-Vlanif206] ip address 192.168.206.254 255.255.255.0

7. Logical interface configuration on third-floor F3-AGG1
[F3-AGG1]interface Vlanif3
[F3-AGG1-Vlanif3] ip address 192.168.3.254 255.255.255.0
[F3-AGG1-Vlanif3]interface Vlanif103
[F3-AGG1-Vlanif103] ip address 192.168.103.254 255.255.255.0
[F3-AGG1-Vlanif103]interface Vlanif104
[F3-AGG1-Vlanif104] ip address 192.168.104.254 255.255.255.0
[F3-AGG1-Vlanif104]interface Vlanif107
[F3-AGG1-Vlanif107] ip address 192.168.107.254 255.255.255.0
[F3-AGG1-Vlanif107]interface Vlanif202
[F3-AGG1-Vlanif202] ip address 192.168.202.2 255.255.255.252
[F3-AGG1-Vlanif202]interface Vlanif203
[F3-AGG1-Vlanif203] ip address 192.168.203.2 255.255.255.252
[F3-AGG1-Vlanif203]interface Vlanif207
[F3-AGG1-Vlanif207] ip address 192.168.207.254 255.255.255.0

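8. Router interface IP configuration
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname Router
[Router]interface GigabitEthernet0/0/0
[Router-GigabitEthernet0/0/0] ip address 1.1.1.1 255.255.255.0
[Router-GigabitEthernet0/0/0]interface GigabitEthernet0/0/1
[Router-GigabitEthernet0/0/1] ip address 192.168.204.1 255.255.255.252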

(2) Routing configuration
1. Static routes:
[F1-ACC1]ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
[F2-ACC1]ip route-static 0.0.0.0 0.0.0.0 192.168.2.254
[F2-ACC2]ip route-static 0.0.0.0 0.0.0.0 192.168.2.254
[F2-ACC3]ip route-static 0.0.0.0 0.0.0.0 192.168.2.254
[F3-ACC1]ip route-static 0.0.0.0 0.0.0.0 192.168.3.254
[F3-ACC2]ip route-static 0.0.0.0 0.0.0.0 192.168.3.254
[F3-ACC3]ip route-static 0.0.0.0 0.0.0.0 192.168.3.254
[Router]ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
[AC]ip route-static 0.0.0.0 0.0.0.0 192.168.205.254

2. Dynamic routing with OSPF:
Router:
[Router]ospf 1
[Router-ospf-1] default-route-advertise always
[Router-ospf-1] area 0.0.0.0
[Router-ospf-1-area-0.0.0.0] network 192.168.204.0 0.0.0.3

Core switch CORE1:
[CORE1]ospf 1
[CORE1-ospf-1] area 0.0.0.0
[CORE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[CORE1-ospf-1-area-0.0.0.0] network 192.168.100.0 0.0.0.255
[CORE1-ospf-1-area-0.0.0.0] network 192.168.105.0 0.0.0.255
[CORE1-ospf-1-area-0.0.0.0] network 192.168.205.0 0.0.0.255
[CORE1-ospf-1-area-0.0.0.0] network 192.168.201.0 0.0.0.3
[CORE1-ospf-1-area-0.0.0.0] network 192.168.202.0 0.0.0.3
[CORE1-ospf-1-area-0.0.0.0] network 192.168.204.0 0.0.0.3

Second-floor aggregation switch F2-AGG1:
[F2-AGG1]ospf 1
[F2-AGG1-ospf-1] area 0.0.0.0
[F2-AGG1-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[F2-AGG1-ospf-1-area-0.0.0.0] network 192.168.101.0 0.0.0.255
[F2-AGG1-ospf-1-area-0.0.0.0] network 192.168.102.0 0.0.0.255
[F2-AGG1-ospf-1-area-0.0.0.0] network 192.168.106.0 0.0.0.255
[F2-AGG1-ospf-1-area-0.0.0.0] network 192.168.201.0 0.0.0.3
[F2-AGG1-ospf-1-area-0.0.0.0] network 192.168.203.0 0.0.0.3
[F2-AGG1-ospf-1-area-0.0.0.0] network 192.168.206.0 0.0.0.255

Third-floor aggregation switch F3-AGG1:
[F3-AGG1]ospf 1
[F3-AGG1-ospf-1] area 0.0.0.0
[F3-AGG1-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
[F3-AGG1-ospf-1-area-0.0.0.0] network 192.168.103.0 0.0.0.255
[F3-AGG1-ospf-1-area-0.0.0.0] network 192.168.104.0 0.0.0.255
[F3-AGG1-ospf-1-area-0.0.0.0] network 192.168.107.0 0.0.0.255
[F3-AGG1-ospf-1-area-0.0.0.0] network 192.168.202.0 0.0.0.3
[F3-AGG1-ospf-1-area-0.0.0.0] network 192.168.203.0 0.0.0.3
[F3-AGG1-ospf-1-area-0.0.0.0] network 192.168.207.0 0.0.0.255

(3) DHCP configuration
1. Core switch CORE1 provides DHCP service for the first-floor wireless terminals and the management VLAN
[CORE1]dhcp enable
[CORE1]ip pool ap-f1
[CORE1-ip-pool-ap-f1] gateway-list 192.168.205.254
[CORE1-ip-pool-ap-f1] network 192.168.205.0 mask 255.255.255.0
[CORE1-ip-pool-ap-f1] excluded-ip-address 192.168.205.253
[CORE1-ip-pool-ap-f1]ip pool sta-f1
[CORE1-ip-pool-sta-f1] gateway-list 192.168.105.254
[CORE1-ip-pool-sta-f1] network 192.168.105.0 mask 255.255.255.0
[CORE1]interface Vlanif105
[CORE1-Vlanif105] dhcp select global
[CORE1]interface Vlanif205
[CORE1-Vlanif205] dhcp select global

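2. Aggregation switch F2-AGG1 provides DHCP service for the wireless terminals, the wireless management VLAN, the General Manager's office and the Administration Department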
[F2-AGG1]dhcp enable
[F2-AGG1]ip pool admin
[F2-AGG1-ip-pool-admin] gateway-list 192.168.102.254
[F2-AGG1-ip-pool-admin] network 192.168.102.0 mask 255.255.255.0
[F2-AGG1-ip-pool-admin]ip pool ap-f2
[F2-AGG1-ip-pool-ap-f2] gateway-list 192.168.206.254
[F2-AGG1-ip-pool-ap-f2] network 192.168.206.0 mask 255.255.255.0
[F2-AGG1-ip-pool-ap-f2] option 43 sub-option 3 ascii 192.168.205.253
[F2-AGG1-ip-pool-ap-f2]ip pool manager
[F2-AGG1-ip-pool-manager] gateway-list 192.168.101.254
[F2-AGG1-ip-pool-manager] network 192.168.101.0 mask 255.255.255.0
[F2-AGG1-ip-pool-manager]ip pool sta-f2
[F2-AGG1-ip-pool-sta-f2] gateway-list 192.168.106.254
[F2-AGG1-ip-pool-sta-f2] network 192.168.106.0 mask 255.255.255.0
[F2-AGG1]interface Vlanif101
[F2-AGG1-Vlanif101] dhcp select global
[F2-AGG1-Vlanif101]interface Vlanif102
[F2-AGG1-Vlanif102] dhcp select global
[F2-AGG1-Vlanif102]interface Vlanif106
[F2-AGG1-Vlanif106] dhcp select global
[F2-AGG1]interface Vlanif206
[F2-AGG1-Vlanif206] dhcp select global

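3. Aggregation switch F3-AGG1 provides DHCP service for the wireless terminals, the wireless management VLAN, the Marketing Department and the R&D Department

[F3-AGG1]dhcp enable
[F3-AGG1]ip pool ap-f3
[F3-AGG1-ip-pool-ap-f3] gateway-list 192.168.207.254
[F3-AGG1-ip-pool-ap-f3] network 192.168.207.0 mask 255.255.255.0
[F3-AGG1-ip-pool-ap-f3] option 43 sub-option 3 ascii 192.168.205.253
[F3-AGG1-ip-pool-ap-f3]ip pool marketing
[F3-AGG1-ip-pool-marketing] gateway-list 192.168.103.254
[F3-AGG1-ip-pool-marketing] network 192.168.103.0 mask 255.255.255.0
[F3-AGG1-ip-pool-marketing]ip pool rd
[F3-AGG1-ip-pool-rd] gateway-list 192.168.104.254
[F3-AGG1-ip-pool-rd] network 192.168.104.0 mask 255.255.255.0
[F3-AGG1-ip-pool-rd]ip pool sta-f3
[F3-AGG1-ip-pool-sta-f3] gateway-list 192.168.107.254
[F3-AGG1-ip-pool-sta-f3] network 192.168.107.0 mask 255.255.255.0
[F3-AGG1]interface Vlanif103
[F3-AGG1-Vlanif103] dhcp select global
[F3-AGG1-Vlanif103]interface Vlanif104
[F3-AGG1-Vlanif104] dhcp select global
[F3-AGG1-Vlanif104]interface Vlanif107
[F3-AGG1-Vlanif107] dhcp select global
[F3-AGG1-Vlanif107]interface Vlanif207
[F3-AGG1-Vlanif207] dhcp select global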
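
The OSPF network statements in the routing section cover the same Vlanif interfaces that serve DHCP clients, so OSPF runs on end-user VLANs as well as on the transit links. The audit below is an added example, not part of the original manual: it uses F2-AGG1 values from this page rearranged as a saved configuration (a constructed layout, prompts removed), its function names are hypothetical, and it lists the interfaces that could be made passive with the VRP OSPF command `silent-interface`.

```python
import ipaddress
import re

# Constructed excerpt: F2-AGG1 values from this page, laid out the way a saved
# configuration would list them (prompts removed, DHCP under each interface).
SAMPLE_CONFIG = """
interface Vlanif2
 ip address 192.168.2.254 255.255.255.0
interface Vlanif101
 ip address 192.168.101.254 255.255.255.0
 dhcp select global
interface Vlanif102
 ip address 192.168.102.254 255.255.255.0
 dhcp select global
interface Vlanif201
 ip address 192.168.201.2 255.255.255.252
ospf 1
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
  network 192.168.101.0 0.0.0.255
  network 192.168.102.0 0.0.0.255
  network 192.168.201.0 0.0.0.3
"""

def parse(config):
    """Return ({ifname: {'ip': str, 'dhcp': bool}}, [(network, wildcard), ...])."""
    interfaces, networks, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            current = m.group(1)
            interfaces[current] = {"ip": None, "dhcp": False}
        elif line.startswith("ospf "):
            current = None  # left interface context
        elif (m := re.fullmatch(r"ip address (\S+) \S+", line)) and current:
            interfaces[current]["ip"] = m.group(1)
        elif line == "dhcp select global" and current:
            interfaces[current]["dhcp"] = True
        elif m := re.fullmatch(r"network (\S+) (\S+)", line):
            networks.append((m.group(1), m.group(2)))
    return interfaces, networks

def in_ospf(ip, networks):
    """True if a network statement covers ip (0 bits in the wildcard must match)."""
    addr = int(ipaddress.IPv4Address(ip))
    for net, wildcard in networks:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.IPv4Address(net)) & care:
            return True
    return False

def user_facing_ospf(config):
    """Interfaces that both hand out DHCP leases and run OSPF."""
    interfaces, networks = parse(config)
    return sorted(name for name, i in interfaces.items()
                  if i["dhcp"] and i["ip"] and in_ospf(i["ip"], networks))

if __name__ == "__main__":
    for name in user_facing_ospf(SAMPLE_CONFIG):
        print(f"{name}: OSPF enabled on a client VLAN; candidate for 'silent-interface {name}'")
```

Vlanif201 is a transit link that must form an adjacency, and Vlanif2 carries no DHCP clients, so neither is reported.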

III. WLAN configuration

WLAN configuration on the AC
[AC]wlan
[AC-wlan-view]
[AC-wlan-view]security-profile name WLAN-F1
[AC-wlan-sec-prof-WLAN-F1] security wpa-wpa2 psk pass-phrase HCIA-Datacom aes
[AC-wlan-sec-prof-WLAN-F1] security-profile name WLAN-F2
[AC-wlan-sec-prof-WLAN-F2] security wpa-wpa2 psk pass-phrase HCIA-Datacom aes
[AC-wlan-sec-prof-WLAN-F2] security-profile name WLAN-F3
[AC-wlan-sec-prof-WLAN-F3] security wpa-wpa2 psk pass-phrase HCIA-Datacom aes
[AC-wlan-sec-prof-WLAN-F3]ssid-profile name WLAN-F1
[AC-wlan-ssid-prof-WLAN-F1] ssid WLAN-F1
[AC-wlan-ssid-prof-WLAN-F1] ssid-profile name WLAN-F2
[AC-wlan-ssid-prof-WLAN-F2] ssid WLAN-F2
[AC-wlan-ssid-prof-WLAN-F2] ssid-profile name WLAN-F3
[AC-wlan-ssid-prof-WLAN-F3] ssid WLAN-F3
[AC-wlan-ssid-prof-WLAN-F3] vap-profile name WLAN-F1
[AC-wlan-vap-prof-WLAN-F1] service-vlan vlan-id 105
[AC-wlan-vap-prof-WLAN-F1] ssid-profile WLAN-F1
[AC-wlan-vap-prof-WLAN-F1] security-profile WLAN-F1
[AC-wlan-vap-prof-WLAN-F1] vap-profile name WLAN-F2
[AC-wlan-vap-prof-WLAN-F2] service-vlan vlan-id 106
[AC-wlan-vap-prof-WLAN-F2] ssid-profile WLAN-F2
[AC-wlan-vap-prof-WLAN-F2] security-profile WLAN-F2
[AC-wlan-vap-prof-WLAN-F2] vap-profile name WLAN-F3
[AC-wlan-vap-prof-WLAN-F3] service-vlan vlan-id 107
[AC-wlan-vap-prof-WLAN-F3] ssid-profile WLAN-F3
[AC-wlan-vap-prof-WLAN-F3] security-profile WLAN-F3
[AC-wlan-vap-prof-WLAN-F3]ap-group name WLAN-F1
[AC-wlan-ap-group-WLAN-F1] radio 0
[AC-wlan-group-radio-WLAN-F1/0] vap-profile WLAN-F1 wlan 1
[AC-wlan-group-radio-WLAN-F1/0] radio 1
[AC-wlan-group-radio-WLAN-F1/1] vap-profile WLAN-F1 wlan 1
[AC-wlan-group-radio-WLAN-F1/1] radio 2
[AC-wlan-group-radio-WLAN-F1/2] vap-profile WLAN-F1 wlan 1
[AC-wlan-group-radio-WLAN-F1/2] ap-group name WLAN-F2
[AC-wlan-ap-group-WLAN-F2] radio 0
[AC-wlan-group-radio-WLAN-F2/0] vap-profile WLAN-F2 wlan 2
[AC-wlan-group-radio-WLAN-F2/0] radio 1
[AC-wlan-group-radio-WLAN-F2/1] vap-profile WLAN-F2 wlan 2
[AC-wlan-group-radio-WLAN-F2/1] radio 2
[AC-wlan-group-radio-WLAN-F2/2] vap-profile WLAN-F2 wlan 2
[AC-wlan-group-radio-WLAN-F2/2] ap-group name WLAN-F3
[AC-wlan-ap-group-WLAN-F3] radio 0
[AC-wlan-group-radio-WLAN-F3/0] vap-profile WLAN-F3 wlan 2
[AC-wlan-group-radio-WLAN-F3/0] radio 1
[AC-wlan-group-radio-WLAN-F3/1] vap-profile WLAN-F3 wlan 2
[AC-wlan-group-radio-WLAN-F3/1] radio 2
[AC-wlan-group-radio-WLAN-F3/2] vap-profile WLAN-F3 wlan 2
[AC-wlan-group-radio-WLAN-F3/2] ap-id 0 type-id 60 ap-mac 00e0-fcce-2ad0 ap-sn 210235448310E7552512
[AC-wlan-ap-0] ap-name F1-AP1
[AC-wlan-ap-0] ap-group WLAN-F1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: (enter Y and press Enter)
[AC-wlan-ap-0] ap-id 1 type-id 60 ap-mac 00e0-fc2e-2d20 ap-sn 2102354483105404F754
[AC-wlan-ap-1] ap-name F2-AP1
[AC-wlan-ap-1] ap-group WLAN-F2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: (enter Y and press Enter)
[AC-wlan-ap-1]ap-id 2 type-id 60 ap-mac 00e0-fcb1-7140 ap-sn 2102354483106439D865
[AC-wlan-ap-2] ap-name F3-AP1
[AC-wlan-ap-2] ap-group WLAN-F3
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: (enter Y and press Enter)

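IV. Security and egress design
Background:
• Users who connect through the first-floor guest SSID must not access the company's internal network.
• Only wireless terminals can access the Internet.
• Router connects to the Internet with a static IP address. The carrier has allocated the address range 1.1.1.1-1.1.1.10 (mask length 24), and Router's next hop towards the Internet is 1.1.1.254.
• The company has an internal web server that must provide services externally; its private IP address is 192.168.100.1 and the port is 80. To protect the server, only the web service is mapped through NAT.

1. Prevent users who connect through the first-floor guest SSID from accessing the company's internal network.
[CORE1]acl name F1ap-neibu 3000
[CORE1-acl-adv-F1ap-neibu]rule 5 deny ip source 192.168.105.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
[CORE1-acl-adv-F1ap-neibu]rule 10 permit ip
[CORE1]interface GigabitEthernet0/0/1
[CORE1-GigabitEthernet0/0/1]traffic-filter inbound acl 3000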

2. Only wireless terminals can access the Internet.
• Router connects to the Internet with a static IP address. The carrier has allocated the address range 1.1.1.1-1.1.1.10 (mask length 24), and Router's next hop towards the Internet is 1.1.1.254.
[Router]nat address-group 1 1.1.1.2 1.1.1.10
[Router]acl name ap-internet 2000
[Router-acl-basic-ap-internet]rule 5 permit source 192.168.105.0 0.0.0.255
[Router-acl-basic-ap-internet]rule 10 permit source 192.168.106.0 0.0.0.255
[Router-acl-basic-ap-internet]rule 15 permit source 192.168.107.0 0.0.0.255
[Router]interface GigabitEthernet0/0/0
[Router-GigabitEthernet0/0/0]nat outbound 2000 address-group 1
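
To check what ACL 3000 and ACL 2000 actually match, the following added example (not part of the original manual) evaluates the page's rules with wildcard-mask, first-match semantics. The host addresses in the sample flows are constructed; the result shows that rule 5's /16 destination also covers the guests' own gateway address, and that wired subnets match no rule in ACL 2000 and are therefore not translated by `nat outbound`.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_rule(line):
    """Parse 'rule N permit|deny [ip] [source A W] [destination A W]'."""
    tok = line.split()
    rule = {"id": int(tok[1]), "action": tok[2], "source": None, "destination": None}
    for key in ("source", "destination"):
        if key in tok:
            i = tok.index(key)
            rule[key] = (tok[i + 1], tok[i + 2])
    return rule

def evaluate(rules, src, dst=None):
    """Return (action, rule id) of the first matching rule, lowest ID first."""
    for r in sorted(rules, key=lambda r: r["id"]):
        if r["source"] and not wildcard_match(src, *r["source"]):
            continue
        if r["destination"] and (dst is None or not wildcard_match(dst, *r["destination"])):
            continue
        return r["action"], r["id"]
    return "no-match", None

# Rules copied from this page.
ACL_3000 = [parse_rule(line) for line in (
    "rule 5 deny ip source 192.168.105.0 0.0.0.255 destination 192.168.0.0 0.0.255.255",
    "rule 10 permit ip",
)]
ACL_2000 = [parse_rule(line) for line in (
    "rule 5 permit source 192.168.105.0 0.0.0.255",
    "rule 10 permit source 192.168.106.0 0.0.0.255",
    "rule 15 permit source 192.168.107.0 0.0.0.255",
)]

# Constructed sample flows: host addresses are assumptions inside the page's
# subnets; 203.0.113.10 is a documentation address standing in for an Internet host.
FLOWS = [
    ("guest -> web server", "192.168.105.10", "192.168.100.1"),
    ("guest -> own gateway", "192.168.105.10", "192.168.105.254"),
    ("guest -> Internet", "192.168.105.10", "203.0.113.10"),
    ("floor-2 Wi-Fi -> web server", "192.168.106.10", "192.168.100.1"),
]

if __name__ == "__main__":
    for name, src, dst in FLOWS:
        print(f"ACL 3000  {name:28} {evaluate(ACL_3000, src, dst)}")
    for src in ("192.168.105.10", "192.168.102.10"):
        print(f"ACL 2000  source {src:15} {evaluate(ACL_2000, src)}")
```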

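3. The company has an internal web server that must provide services externally; its private IP address is 192.168.100.1 and the port is 80. To protect the server, only the web service is mapped through NAT.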
[Router-GigabitEthernet0/0/0]nat server protocol tcp global current-interface 80
80 inside 192.168.100.1 www
