华为综合实验01-大型企业网络设计与实验（DHCP、VRRP、OSPF、PPP、PPPoE等）——傅老师eNSP经典实验系列_ensp项目一答辩

作者：运维傅老师（TeacherFu）

特别提示：未经作者允许，不得转载任何内容。违者必究！

大型企业经典网络架构实验

《傅老师eNSP经典综合实验系列之项目01》——原创

---

==前言==

傅老师文档特点：

1、必须能做通；

2、很强的易读性；

3、有以上2点就够了（曾主刀10+年相关教材编纂，放心看）。

（文章尾部有傅老师的二维码，欢迎沟通交流：）

适合人群：

1、有网络基础，希望短期内完成综合项目或写毕业设计同时提升能力的在校生；

2、有网络基础，用业余时间提升的在职小白；

3、可用于教学，例如综合网络项目实训。

资源下载：

同学们可根据文档内容自行完成实验，也可打包下载本实验的整个eNSP环境（包括拓扑和所有设备的配置，是已经完成的哦~~在eNSP中启动就是全通的）+完整清晰的拓扑图和文档。资源链接如下：

傅老师eNSP经典综合实验系列之“项目01-大型企业经典网络架构”

---

一、项目概述

    随着全球对环保和可持续发展的日益重视，新能源汽车行业正在迅速崛起。作为该行业的重要一环，新能源汽车电池制造商在推动技术创新和绿色能源应用方面扮演着关键角色。本项目旨在为某知名新能源汽车电池制造商建设一个高效、安全、可靠的网络系统，以满足其总部办公区和工厂区日益增长的网络需求。

    该制造商位于一个科技园区内，拥有总部办公区和工厂区两部分。其中，总部办公区包括1号楼和2号楼，是公司日常运营和管理的重要场所，集中了项目部、研发部、财务部和业务部等多个关键部门。工厂区则是电池生产的核心区域，设有生产部和产品展厅等场所。

二、拓扑图与需求

1、拓扑图

     总部办公区1号楼和2号楼的信息点各自汇聚到SW1和SW2，再上行至路由器R1和R2，并由SW8连接至互联网路由器Internet，总部路由器ZB通过串行链路与工厂路由器GC相连，工厂路由器GC通过PPPoE拨号至Internet。

     总部办公区有VLAN 10、20、30、40、50和300，其中VLAN300是远程管理网络设备专用；另外SW1和SW2还配置有VLAN11和12，用于VRRP的上行接口。

     详细网络拓扑如下图所示：

2、需求

• 解决总部内网二层环路（对应步骤1-2）；
• 为总部内网自动分配IP地址（对应步骤3）；
• 实现汇聚层出方向主备负载分担（对应步骤4）；
• 实现Internet至总部入方向主备（对应步骤5）；
• 实现总部内网互通（对应步骤6）；
• 实现工厂与总部的连通（对应步骤7-9）；
• 实现与Internet的连通（对应步骤10-11）；
• 实现远程管理网络设备（对应步骤12）；
• 拒绝工厂展厅访问总部内网服务器区（对应步骤13）；

 三、实施步骤OBO（one by one）

1、配置总部内部二层接口

（1）SW4

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW4
[SW4]vlan batch 10 20 30 40 50 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW4]interface e0/0/1
[SW4-Ethernet0/0/1]port link-type trunk
[SW4-Ethernet0/0/1]port trunk allow-pass vlan 10 20 30 40 50 300
//很多同学图省事这里允许all或者2 to 4094，这在生产环境中是不允许的，也不专业哦~
[SW4-Ethernet0/0/1]quit
[SW4]interface e0/0/3
[SW4-Ethernet0/0/3]port link-type trunk
[SW4-Ethernet0/0/3]port trunk allow-pass vlan 10 20 30 40 50 300
[SW4-Ethernet0/0/3]quit
[SW4]interface e0/0/2
[SW4-Ethernet0/0/2]port link-type access
[SW4-Ethernet0/0/2]port default vlan 10
[SW4-Ethernet0/0/2]quit

（2）SW5

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW5
[SW5]vlan batch 10 20 30 40 50 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW5]interface e0/0/1
[SW5-Ethernet0/0/1]port link-type trunk
[SW5-Ethernet0/0/1]port trunk allow-pass vlan 10 20 30 40 50 300
[SW5-Ethernet0/0/1]quit
[SW5]interface e0/0/3
[SW5-Ethernet0/0/3]port link-type trunk
[SW5-Ethernet0/0/3]port trunk allow-pass vlan 10 20 30 40 50 300
[SW5-Ethernet0/0/3]quit
[SW5]interface e0/0/2
[SW5-Ethernet0/0/2]port link-type access
[SW5-Ethernet0/0/2]port default vlan 20
[SW5-Ethernet0/0/2]quit

（3）SW6

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW6
[SW6]vlan batch 10 20 30 40 50 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW6]interface e0/0/1
[SW6-Ethernet0/0/1]port link-type trunk
[SW6-Ethernet0/0/1]port trunk allow-pass vlan 10 20 30 40 50 300
[SW6-Ethernet0/0/1]quit
[SW6]interface e0/0/3
[SW6-Ethernet0/0/3]port link-type trunk
[SW6-Ethernet0/0/3]port trunk allow-pass vlan 10 20 30 40 50 300
[SW6-Ethernet0/0/3]quit
[SW6]interface e0/0/2
[SW6-Ethernet0/0/2]port link-type access
[SW6-Ethernet0/0/2]port default vlan 30
[SW6-Ethernet0/0/2]quit

（4）SW7

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW7
[SW7]vlan batch 10 20 30 40 50 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW7]interface e0/0/1
[SW7-Ethernet0/0/1]port link-type trunk
[SW7-Ethernet0/0/1]port trunk allow-pass vlan 10 20 30 40 50 300
//开始复制粘贴了吗？老老实实敲命令可是高级网工的灵魂吼吼~~
[SW7-Ethernet0/0/1]quit
[SW7]interface e0/0/3
[SW7-Ethernet0/0/3]port link-type trunk
[SW7-Ethernet0/0/3]port trunk allow-pass vlan 10 20 30 40 50 300
[SW7-Ethernet0/0/3]quit
[SW7]interface e0/0/2
[SW7-Ethernet0/0/2]port link-type access
[SW7-Ethernet0/0/2]port default vlan 40
[SW7-Ethernet0/0/2]quit

（5）SW1

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW1
[SW1]vlan batch 10 20 30 40 50 300 11 12
Info: This operation may take a few seconds. Please wait for a moment...done.
//这里开始有VLAN11和12了，后面VRRP会用到
[SW1]interface g0/0/2
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30 40 50 300 11 12
[SW1-GigabitEthernet0/0/2]quit
[SW1]interface g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 40 50 300 11 12
[SW1-GigabitEthernet0/0/3]quit

（6）SW2

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW2
[SW2]vlan batch 10 20 30 40 50 300 11 12
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW2]interface g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30 40 50 300 11 12
[SW2-GigabitEthernet0/0/2]quit
[SW2]interface g0/0/3
[SW2-GigabitEthernet0/0/3]port link-type trunk
[SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 40 50 300 11 12
[SW2-GigabitEthernet0/0/3]quit
[SW2]interface g0/0/6
[SW2-GigabitEthernet0/0/6]port link-type trunk
[SW2-GigabitEthernet0/0/6]port trunk allow-pass vlan 10 20 30 40 50 300 11 12
[SW2-GigabitEthernet0/0/6]quit

（7）SW1和SW2之间的链路聚合

[SW1]interface eth-trunk 1
[SW1-Eth-Trunk1]port link-type trunk 
[SW1-Eth-Trunk1]port trunk allow-pass vlan 10 20 30 40 50 300
[SW1-Eth-Trunk1]quit
[SW1]interface g0/0/4
[SW1-GigabitEthernet0/0/4]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1-GigabitEthernet0/0/4]quit
[SW1]interface g0/0/14
[SW1-GigabitEthernet0/0/14]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1-GigabitEthernet0/0/14]quit
 
[SW2]interface eth-trunk 1
[SW2-Eth-Trunk1]port link-type trunk
[SW2-Eth-Trunk1]port trunk allow-pass vlan 10 20 30 40 50 300
[SW2-Eth-Trunk1]quit
[SW2]interface g0/0/4
[SW2-GigabitEthernet0/0/4]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW2-GigabitEthernet0/0/4]quit
[SW2]interface g0/0/14
[SW2-GigabitEthernet0/0/14]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW2-GigabitEthernet0/0/14]quit

（8）SW3

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW3
[SW3]vlan batch 10 20 30 40 50 300 
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW3]interface g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type trunk
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30 40 50 300
[SW3-GigabitEthernet0/0/1]quit
[SW3]interface e0/0/3
[SW3-Ethernet0/0/3]port link-type access
[SW3-Ethernet0/0/3]port default vlan 50
[SW3-Ethernet0/0/3]quit

2、配置总部生成树

（1）SW3

[SW3]stp enable
[SW3]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.
//华为默认启用MSTP，关于它的应用，我陆续会发其他网络项目中会有的。

（2）SW4

[SW4]stp enable
[SW4]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW4]interface e0/0/2
[SW4-Ethernet0/0/2]stp edged-port enable   
//配置为边缘接口，该接口不会主动发送BPDU报文、不参与生成树计算，仅处于转发状态，
//所以，接入层交换机连接终端的接口最适合配置为边缘接口。
[SW4-Ethernet0/0/2]quit
[SW4]stp bpdu-protection       
 //启用BPDU保护。防止攻击者仿造BPDU报文导致边缘端口属性变成非边缘端口

（3）SW5

[SW5]stp enable
[SW5]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW5]interface e0/0/2
[SW5-Ethernet0/0/2]stp edged-port enable
[SW5-Ethernet0/0/2]quit
[SW5]stp bpdu-protection

（4）SW6

[SW6]stp enable
[SW6]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW6]interface e0/0/2
[SW6-Ethernet0/0/2]stp edged-port enable
[SW6-Ethernet0/0/2]quit
[SW6]stp bpdu-protection

（5）SW7

[SW7]stp enable
[SW7]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW7]interface e0/0/2
[SW7-Ethernet0/0/2]stp edged-port enable
[SW7-Ethernet0/0/2]quit
[SW7]stp bpdu-protection

（6）SW1

[SW1]stp enable
[SW1]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]stp priority 4096 
//配置SW1为根网桥。有的同学直接把优先级设置为0，这在生产环境中也是禁止的，
//试想一下，如果你要换个根网桥怎么办？

（7）SW2

[SW2]stp enable
[SW2]stp mode rstp
Info: This operation may take a few seconds. Please wait for a moment...done.

3、配置总部DHCP

（1）SW1为VLAN10和VLAN20分配IP地址

[SW1]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[SW1]interface vlanif 10
[SW1-Vlanif10]ip address 10.1.10.1 24
[SW1-Vlanif10]dhcp select interface
[SW1-Vlanif10]quit
[SW1]interface vlanif 20
[SW1-Vlanif20]ip address 10.1.20.1 24
[SW1-Vlanif20]dhcp select interface
[SW1-Vlanif20]quit

（2）SW2为VLAN30和VLAN40分配IP地址

[SW2]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[SW2]dhcp snooping enable
[SW2]interface vlanif 30
[SW2-Vlanif30]ip address 10.1.30.1 24
[SW2-Vlanif30]dhcp select interface
[SW2-Vlanif30]quit
[SW2]interface vlanif 40
[SW2-Vlanif40]ip address 10.1.40.1 24
[SW2-Vlanif40]dhcp select interface
[SW2-Vlanif40]quit
[SW2]interface vlanif 50
[SW2-Vlanif50]ip address 10.1.50.1 24
[SW2-Vlanif50]quit

此时总部客户端已经可以获取IP地址，以项目部和财务部为例-->

4、配置总部出方向VRRP

（1）配置SW1上行接口

[SW1]interface g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 11
[SW1-GigabitEthernet0/0/1]quit
[SW1]interface g0/0/5
[SW1-GigabitEthernet0/0/5]port link-type access
[SW1-GigabitEthernet0/0/5]port default vlan 11
[SW1-GigabitEthernet0/0/5]quit
[SW1]interface vlanif 11
[SW1-Vlanif11]ip address 10.1.11.1 24
[SW1-Vlanif11]quit

（2）配置SW2上行接口

[SW2]interface g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access
[SW2-GigabitEthernet0/0/1]port default vlan 12
[SW2-GigabitEthernet0/0/1]quit
[SW2]interface g0/0/5
[SW2-GigabitEthernet0/0/5]port link-type access
[SW2-GigabitEthernet0/0/5]port default vlan 12
[SW2-GigabitEthernet0/0/5]quit
[SW2]interface vlanif 12
[SW2-Vlanif12]ip address 10.1.12.1 24
[SW2-Vlanif12]quit

（3）配置路由器R1的VRRP下行接口

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname R1
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.1.11.11 24
[R1-GigabitEthernet0/0/0]quit
[R1]interface g0/0/2
[R1-GigabitEthernet0/0/2]ip address 10.1.12.11 24
[R1-GigabitEthernet0/0/2]quit

（4）配置路由器R2的VRRP下行接口

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname R2
[R2]interface g0/0/0
[R2-GigabitEthernet0/0/0]ip address 10.1.12.12 24
[R2-GigabitEthernet0/0/0]quit
[R2]interface g0/0/2
[R2-GigabitEthernet0/0/2]ip address 10.1.11.12 24
[R2-GigabitEthernet0/0/2]quit

（5）配置R1为VRRP11的主路由器、VRRP12的备份路由器

[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]vrrp vrid 11 virtual-ip 10.1.11.10
//VIP一定要与路由器下行接口IP同属一个网段
[R1-GigabitEthernet0/0/0]vrrp vrid 11 priority 120
//默认优先级100，谁高谁是Master
[R1-GigabitEthernet0/0/0]vrrp vrid 11 preempt-mode timer delay 3
//延迟抢占时间，默认为0秒。Backup设备可以默认0秒表示立即抢占，
//但Master通常要设置非0值，避免因网络偶尔不稳定导致的VRRP状态频繁切换。
[R1-GigabitEthernet0/0/0]quit
[R1]interface g0/0/2
[R1-GigabitEthernet0/0/2]vrrp vrid 12 virtual-ip 10.1.12.10
[R1-GigabitEthernet0/0/2]quit

（6）配置R2为VRRP11的备份路由器、VRRP12的主路由器

[R2]interface g0/0/2
[R2-GigabitEthernet0/0/2]vrrp vrid 11 virtual-ip 10.1.11.10
[R2-GigabitEthernet0/0/2]quit
[R2]interface g0/0/0
[R2-GigabitEthernet0/0/0]vrrp vrid 12 virtual-ip 10.1.12.10
[R2-GigabitEthernet0/0/0]vrrp vrid 12 priority 120
[R2-GigabitEthernet0/0/0]vrrp vrid 12 preempt-mode timer delay 3
[R2-GigabitEthernet0/0/0]quit

查看VRRP主备状态正常

5、配置互联网到总部入方向VRRP

这次是反过来配，也必须得行哦~各种蹂躏VRRP便于加深理解，这在生产环境用的太多了

（1）配置R1上行接口

[R1]interface g1/0/0
[R1-GigabitEthernet1/0/0]ip address 8.1.1.9 24
[R1-GigabitEthernet1/0/0]quit

（2）配置R2上行接口

[R2]interface g1/0/0
[R2-GigabitEthernet1/0/0]ip address 8.1.1.10 24
[R2-GigabitEthernet1/0/0]quit

（3）配置Internet路由器与R1和R2相连的接口

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname Internet
[Internet]interface g0/0/1
[Internet-GigabitEthernet0/0/1]ip address 8.1.1.1 24
[Internet-GigabitEthernet0/0/1]quit

（4）配置R1为VRRP8的主路由器

[R1]interface g1/0/0
[R1-GigabitEthernet1/0/0]vrrp vrid 8 virtual-ip 8.1.1.2
[R1-GigabitEthernet1/0/0]vrrp vrid 8 priority 120
[R1-GigabitEthernet1/0/0]vrrp vrid 8 preempt-mode timer delay 3
[R1-GigabitEthernet1/0/0]quit

（5）配置R2为VRRP8的备份路由器

[R2]interface g1/0/0
[R2-GigabitEthernet1/0/0]vrrp vrid 8 virtual-ip 8.1.1.2
[R2-GigabitEthernet1/0/0]quit

查看VRRP状态正常

6、配置总部OSPF（Area 0）

（1）配置R1与总部边界路由器相连的接口

[R1]interface g0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.12.1.9 24
[R1-GigabitEthernet0/0/1]quit

（2）配置R2与总部边界路由器相连的接口

[R2]interface g0/0/1
[R2-GigabitEthernet0/0/1]ip address 10.23.1.9 24
[R2-GigabitEthernet0/0/1]quit

（3）配置总部边界路由器与R1和R2相连的接口

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname ZB
[ZB]interface g0/0/1
[ZB-GigabitEthernet0/0/1]ip address 10.12.1.10 24
[ZB-GigabitEthernet0/0/1]quit
[ZB]interface g0/0/2
[ZB-GigabitEthernet0/0/2]ip address 10.23.1.10 24
[ZB-GigabitEthernet0/0/2]quit

（4）SW1启动OSPF并宣告网段

[SW1]ospf 1 router-id 10.1.11.1
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]network 10.1.10.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 10.1.11.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 10.1.20.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]quit
[SW1-ospf-1]quit

（5）SW2启动OSPF并宣告网段

[SW2]ospf 1 router-id 10.1.12.1
[SW2-ospf-1]area 0
[SW2-ospf-1-area-0.0.0.0]network 10.1.12.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]network 10.1.30.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]network 10.1.40.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]network 10.1.50.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]quit
[SW2-ospf-1]quit

（6）R1启动OSPF并宣告网段

[R1]interface loopback 0             
[R1-LoopBack0]ip address 192.168.1.3 24
//配置Loopback口IP，用于OSPF Router-ID
[R1-LoopBack0]quit
[R1]ospf 1 router-id 192.168.1.3
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.1.11.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.1.12.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.12.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 192.168.1.3 0.0.0.0
[R1-ospf-1-area-0.0.0.0]quit
[R1-ospf-1]quit

（7）R2启动OSPF并宣告网段

[R2]interface loopback 0
[R2-LoopBack0]ip address 192.168.1.4 24
[R2-LoopBack0]quit
[R2]ospf 1 router-id 192.168.1.4
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.1.11.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.1.12.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.23.1.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 192.168.1.4 0.0.0.0
[R2-ospf-1-area-0.0.0.0]quit
[R2-ospf-1]quit
//想一想：R1和R2为什么不宣告与Internet相连的网段？

（8）ZB启动OSPF并宣告网段

[ZB]interface loopback 0
[ZB-LoopBack0]ip address 192.168.1.12 24
[ZB-LoopBack0]quit
[ZB]ospf 1 router-id 192.168.1.12
[ZB-ospf-1]area 0
[ZB-ospf-1-area-0.0.0.0]network 10.12.1.0 0.0.0.255
[ZB-ospf-1-area-0.0.0.0]network 10.23.1.0 0.0.0.255
[ZB-ospf-1-area-0.0.0.0]network 192.168.1.12 0.0.0.0
[ZB-ospf-1-area-0.0.0.0]quit
[ZB-ospf-1]quit

（9）测试总部内网连通性

在路由器ZB查看路由表，可看到内网各网段路由条目-->

用项目部PC测试与各网段连通性-->

7、配置工厂内部通信

（1）配置SW10二层接口

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname SW10
[SW10]vlan batch 5 6
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW10]interface e0/0/1
[SW10-Ethernet0/0/1]port link-type trunk
[SW10-Ethernet0/0/1]port trunk allow-pass vlan 5 6
[SW10-Ethernet0/0/1]quit
[SW10]interface e0/0/2
[SW10-Ethernet0/0/2]port link-type access
[SW10-Ethernet0/0/2]port default vlan 5
[SW10-Ethernet0/0/2]quit
[SW10]interface e0/0/3
[SW10-Ethernet0/0/3]port link-type access
[SW10-Ethernet0/0/3]port default vlan 6
[SW10-Ethernet0/0/3]quit

（2）路由器GC配置单臂路由

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname GC
[GC]interface g0/0/1.5
[GC-GigabitEthernet0/0/1.5]dot1q termination vid 5
[GC-GigabitEthernet0/0/1.5]ip address 10.2.5.1 24
[GC-GigabitEthernet0/0/1.5]arp broadcast enable
//启动子接口的ARP广播功能，以便于IP报文的正常转发
[GC-GigabitEthernet0/0/1.5]quit
[GC]interface g0/0/1.6
[GC-GigabitEthernet0/0/1.6]dot1q termination vid 6
[GC-GigabitEthernet0/0/1.6]ip address 10.2.6.1 24
[GC-GigabitEthernet0/0/1.6]arp broadcast enable
[GC-GigabitEthernet0/0/1.6]quit

测试工厂内部通信OK-->

8、配置总部与工厂间的PPP链路

（1）配置GC串口IP与协议

[GC]interface s1/0/0
[GC-Serial1/0/0]ip address 22.2.2.2 24
[GC-Serial1/0/0]link-protocol ppp
[GC-Serial1/0/0]quit

（2）配置ZB串口IP与协议

[ZB]interface s1/0/0
[ZB-Serial1/0/0]ip address 22.2.2.1 24
[ZB-Serial1/0/0]link-protocol ppp
[ZB-Serial1/0/0]quit

（3）配置ZB认证方

[ZB]interface s1/0/0
[ZB-Serial1/0/0]ppp authentication-mode chap
[ZB-Serial1/0/0]quit
[ZB]aaa
[ZB-aaa]local-user chap-gc password cipher gc123456
Info: Add a new user.
[ZB-aaa]local-user chap-gc service-type ppp
[ZB-aaa]quit
[ZB]interface s1/0/0
[ZB-Serial1/0/0]shutdown
[ZB-Serial1/0/0]undo shutdown
[ZB-Serial1/0/0]quit

（4）配置GC被认证方

[GC]interface s1/0/0
[GC-Serial1/0/0]ppp chap user chap-gc
[GC-Serial1/0/0]ppp chap password cipher gc123456
[GC-Serial1/0/0]quit

9、配置工厂OSPF（Area1）

这里假设工厂与总部之间的链路不稳定或者很远。。。很慢，所以将工厂创建Area1

（1）ZB路由器宣告网段

[ZB]ospf 1 router-id 192.168.1.12
[ZB-ospf-1]area 1
[ZB-ospf-1-area-0.0.0.1]network 22.2.2.0 0.0.0.255
[ZB-ospf-1-area-0.0.0.1]quit
[ZB-ospf-1]quit

（2）GC路由器宣告网段

[GC]ospf 1 router-id 192.168.1.11
[GC-ospf-1]area 1
[GC-ospf-1-area-0.0.0.1]network 10.2.5.0 0.0.0.255
[GC-ospf-1-area-0.0.0.1]network 10.2.6.0 0.0.0.255
[GC-ospf-1-area-0.0.0.1]network 22.2.2.0 0.0.0.255
[GC-ospf-1-area-0.0.0.1]quit
[GC-ospf-1]quit

（3）测试总部与工厂的连通性

10、配置总部内网到Internet的通信

（1）配置Internet路由器G0/0/2接口

[Internet]interface g0/0/2
[Internet-GigabitEthernet0/0/2]ip address 100.1.1.1 24
[Internet-GigabitEthernet0/0/2]quit

（2）配置Internet到总部内网的路由

[Internet]ip route-static 10.1.0.0 255.255.0.0 8.1.1.2

（3）配置R1到Internet的路由

[R1]ip route-static 0.0.0.0 0.0.0.0 8.1.1.1
[R1]ospf 1
[R1-ospf-1]default-route-advertise type 1    //引入静态路由至OSPF
[R1-ospf-1]quit

（4）配置R2到Internet的路由

[R2]ip route-static 0.0.0.0 0.0.0.0 8.1.1.1
[R2]ospf 1
[R2-ospf-1]default-route-advertise type 1
[R2-ospf-1]quit

（5）测试总部内网到Internet的连通性

11、配置工厂到Internet的PPPoE链路

（1）配置Internet路由器为PPPoE服务器

[Internet]ip pool GC
//创建全局地址池
Info: Its successful to create an IP address pool
[Internet-ip-pool-GC]network 12.1.1.0 mask 24
[Internet-ip-pool-GC]gateway-list 12.1.1.1
[Internet-ip-pool-GC]quit
[Internet]
[Internet]interface virtual-template 1
//配置虚拟模板接口并关联地址池
[Internet-Virtual-Template1]ip address 12.1.1.1 24
[Internet-Virtual-Template1]remote address pool GC
[Internet-Virtual-Template1]quit
[Internet]
[Internet]interface g0/0/0
[Internet-GigabitEthernet0/0/0]pppoe-server bind virtual-template 1
//在接口上启用PPPoE服务器功能
[Internet-GigabitEthernet0/0/0]quit
[Internet]
[Internet]interface virtual-template 1
//配置认证
[Internet-Virtual-Template1]ppp authentication-mode chap
[Internet-Virtual-Template1]quit
[Internet]aaa
[Internet-aaa]local-user gcuser password cipher Aa123456
Info: Add a new user.
[Internet-aaa]local-user gcuser service-type ppp
[Internet-aaa]quit

（2）配置GC路由器为PPPoE客户端

[GC]acl 2001
[GC-acl-basic-2001]rule permit source 10.2.0.0 0.0.255.255
//ACL配合后面的EasyIP
[GC-acl-basic-2001]quit
[GC]dialer-rule              //创建拨号规则
[GC-dialer-rule]dialer-rule 1 ip permit
[GC-dialer-rule]quit
[GC]
[GC]interface dialer 1        //配置虚拟拨号接口
[GC-Dialer1]ip address ppp-negotiate
[GC-Dialer1]dialer user gcuser
[GC-Dialer1]dialer-group 1
[GC-Dialer1]dialer bundle 1
[GC-Dialer1]
[GC-Dialer1]ppp chap user gcuser        //配置客户端认证
[GC-Dialer1]ppp chap password cipher Aa123456
[GC-Dialer1]nat outbound 2001       //配置EasyIP
 Info: The NAT address pool is empty 
[GC-Dialer1]quit
[GC]interface g0/0/0
[GC-GigabitEthernet0/0/0]pppoe-client dial-bundle-number 1  //接口绑定虚拟拨号
[GC-GigabitEthernet0/0/0]quit
[GC]ip route-static 0.0.0.0 0.0.0.0 dialer 1 preference 85 
//创建到Internet的默认路由

（3）测试PPPoE

查看PPPoE服务器状态，已经UP-->

查看地址池，已经分配出去1个-->

查看PPPoE客户端状态，已经UP-->

查看Dialer1接口，获取了IP地址12.1.1.254-->

查看EasyIP已配好-->

测试工厂客户端与互联网的连通性-->

12、配置远程管理网络设备

以远程管理交换机SW1为例

（1）配置管理IP（VLANIF300）

[SW1]interface vlanif 300
[SW1-Vlanif300]ip address 192.168.1.1 24
[SW1-Vlanif300]quit

（2）配置认证和Telnet

[SW1]aaa
[SW1-aaa]local-user TeacherFu privilege level 3 password cipher Aa123456
Info: Add a new user.
[SW1-aaa]local-user TeacherFu service-type telnet
[SW1-aaa]quit
[SW1]user-interface vty 0 4
[SW1-ui-vty0-4]authentication-mode aaa
[SW1-ui-vty0-4]protocol inbound telnet
[SW1-ui-vty0-4]quit

（3）测试远程管理

在本实验中，用另一台网络设备SW2充当Telnet客户端

[SW2]interface vlanif 300
[SW2-Vlanif300]ip address 192.168.1.2 24
//先配置管理网段的IP地址
[SW2-Vlanif300]quit

测试可以成功登录-->

13、配置访问控制

禁止工厂展厅的客户端访问总部内网服务器区

（1）配置ACL之前，展厅是可以访问总部内网服务器的

（2）配置路由器GC的ACL

[GC]acl 3000
[GC-acl-adv-3000]rule 5 deny ip source 10.2.5.0 0.0.0.255 destination 10.1.50.0 0.0.0.255
[GC-acl-adv-3000]rule 10 permit ip source any destination any
[GC-acl-adv-3000]quit
[GC]interface g0/0/1.5
[GC-GigabitEthernet0/0/1.5]traffic-filter inbound acl 3000
//在入方向应用ACL效率更高
[GC-GigabitEthernet0/0/1.5]quit

（3）配置ACL之后再次测试连通性

四、傅老师的微信名片

欢迎沟通交流：）