实验拓扑
实验要求
- 链路聚合配置:
SW1 和 SW2 分别通过 GE0/0/3,GE0/0/4 和 GE0/0/5 接口相互连接, 把这三个接口捆绑成一个逻辑接口,使用的模式为 static-lacp。 l SW2 为主劢端,两台设备之间最大可用的带宽为 2G。
- VLAN 配置:
在每台交换机创建 VLAN,VLAN ID 分别为 10、11、13、20、30 将 VLAN 划分相应的接口,部门 A---vlan10,部门 B---vlan20, LSW1 G0/0/2---vlan11,LSW2 G0/0/1---vlan13
- Trunk 配置:
所有交换机互连接口划分配置为 trunk 接口,只允许 VLAN1、10、11、13、20、30 的 VLAN 通过;
- STP 配置:
所有的交换运行 MSTP,MSTP 域名为 huawei,修订等级为 1。
额外创建两个实例,将 VLAN10、11、30 划分进实例 1,VLAN13、20 划分 进实例 2;
要求 LSW1 为实例 1 的根桥,实例 2 的备份根桥;LSW2 为实例 2 的根 桥,实例 1 的备份根桥;
在交换机进行相应的配置,使 PC 或者路由器接入立即能进入转发状态, 并且配置相应的保护功能,收到 BPDU 接口会被关闭。
- IP 地址配置:
按照如图所示配置 SITEA 的 IP 地址。
- VRRP 配置:
LSW1 和 LSW2 分别存在 Vlanif10、20,分别作为部门 A、B 的网关, 要求使用 VRRP 技术实现网关的冗余备份。
Vlanif10 使 用 的 VRRP 虚 拟 ID 为 1 , 虚 拟 IP 地 址 为 192.168.10.254,LSW1 作为 master 路由,LSW2 作为 backup,master 路由器优先级为 200。
Vlanif20 使 用 的 VRRP 虚 拟 ID 为 2 , 虚 拟 IP 地 址 为 192.168.20.254,LSW2 作为 master 路由,LSW1 作为 backup,master 路由器优先级为 200。
在 Vlanif10 和 20 的 master 路由器分别使用 BFD 技术跟踪上行接口, 当上行链路断开时,能自动切换到备份路由器。
- IGP 配置
LSW1,LSW2,AR1 运行 OSPF,进程号为 1,处于区域 0
- DHCP 配置
AR1 为 DHCP 服务器,为部门 A 和部门 B 的主机分配 IP 地址,采用基 于全局地址池的分配方式,创建 ip pool A 为部门 A 分配 IP 地址:网段 为 192.168.10.0/24,网关为:192.168.10.254,DNS 为:8.8.8.8;创 建 ip pool B 为部门 B 分配 IP 地址:网段为 192.168.20.0/24,网关为: 192.168.20.254,DNS 为:114.114.114.114;
LSW1 和 LSW2 为 DHCP 中继器,VLANif10 指向的 DHCP 服务器的地 址为:192.168.11.1, VLANif20 指向的 DHCP 服务器的地址为: 192.168.13.1。
AC为DHCP服务器,为AP分配IP地址
9.AP上线
创建AP组,名称为AP;AP认证方式为MAC认证;按拓扑为各AP命名,并添加到AP组下;配置capwap隧道地址为192.168.30.1,查看AP上线情况。
10.WLAN配置
AP采用2.4G射频,为实现二层漫游功能,要求使用相同的安全模板和SSID模板,模板名称自定义,安全策略采用WPA/WPA2 PSK,预共享秘钥为huawei123,加密算法为AES;SSID为huawei,转发方式为直接转发;采用VLAN-POOL分配VLAN10和VLAN20,VLAN分配方式为HASH;为防止AP信号干扰,AP1使用信道1,AP2使用5号信道。
实验配置
全局配置
++SW1++
SW1\]dis current-configuration # sysname SW1 # vlan batch 10 to 11 13 20 30 # stp instance 1 root primary stp instance 2 root secondary stp bpdu-protection # lacp e-trunk priority 1 # cluster enable ntdp enable ndp enable # drop illegal-mac alarm # dhcp enable # diffserv domain default # stp region-configuration region-name huawei revision-level 1 instance 1 vlan 10 to 11 instance 2 vlan 20 30 active region-configuration # drop-profile default # aaa authentication-scheme default authorization-scheme default accounting-scheme default domain default domain default_admin local-user admin password simple admin local-user admin service-type http # interface Vlanif1 # interface Vlanif10 ip address 192.168.10.1 255.255.255.0 vrrp vrid 1 virtual-ip 192.168.10.254 vrrp vrid 1 priority 200 vrrp vrid 1 track interface GigabitEthernet0/0/2 reduced 120 dhcp select relay dhcp relay server-ip 192.168.11.1 # interface Vlanif11 ip address 192.168.11.11 255.255.255.0 # interface Vlanif20 ip address 192.168.20.1 255.255.255.0 vrrp vrid 2 virtual-ip 192.168.20.254 dhcp select relay dhcp relay server-ip 192.168.13.1 # interface MEth0/0/1 # interface Eth-Trunk1 port link-type trunk port trunk allow-pass vlan 10 to 11 13 20 30 mode lacp-static max active-linknumber 2 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 to 11 13 20 30 # interface GigabitEthernet0/0/2 port link-type access port default vlan 11 stp edged-port enable # interface GigabitEthernet0/0/3 eth-trunk 1 # interface GigabitEthernet0/0/4 eth-trunk 1 # interface GigabitEthernet0/0/5 eth-trunk 1 # interface GigabitEthernet0/0/6 port link-type trunk port trunk allow-pass vlan 10 to 11 13 20 30 # interface GigabitEthernet0/0/7 port link-type trunk port trunk allow-pass vlan 10 to 11 13 20 30 # interface GigabitEthernet0/0/8 # interface GigabitEthernet0/0/9 # interface GigabitEthernet0/0/10 # interface GigabitEthernet0/0/11 # interface GigabitEthernet0/0/12 # interface GigabitEthernet0/0/13 # interface GigabitEthernet0/0/14 # interface GigabitEthernet0/0/15 # interface GigabitEthernet0/0/16 # interface GigabitEthernet0/0/17 # interface GigabitEthernet0/0/18 # interface GigabitEthernet0/0/19 # interface GigabitEthernet0/0/20 # interface GigabitEthernet0/0/21 # interface GigabitEthernet0/0/22 # interface GigabitEthernet0/0/23 # interface GigabitEthernet0/0/24 # interface NULL0 # ospf 1 area 0.0.0.0 network 192.168.11.11 0.0.0.0 network 192.168.10.0 0.0.0.255 network 192.168.20.0 0.0.0.255 # user-interface con 0 user-interface vty 0 4 # ### **++SW2++** \[SW2\]dis current-configuration # sysname SW2 # vlan batch 10 to 11 13 20 30 # stp instance 1 root secondary stp bpdu-protection # lacp priority 1000 # cluster enable ntdp enable ndp enable # drop illegal-mac alarm # dhcp enable # diffserv domain default # stp region-configuration region-name huawei revision-level 1 instance 1 vlan 10 to 11 instance 2 vlan 20 30 active region-configuration # drop-profile default # aaa authentication-scheme default authorization-scheme default accounting-scheme default domain default domain default_admin local-user admin password simple admin local-user admin service-type http # interface Vlanif1 # interface Vlanif10 ip address 192.168.10.2 255.255.255.0 vrrp vrid 1 virtual-ip 192.168.10.254 dhcp select relay dhcp relay server-ip 192.168.11.1 # interface Vlanif13 ip address 192.168.13.12 255.255.255.0 # interface Vlanif20 ip address 192.168.20.2 255.255.255.0 vrrp vrid 2 virtual-ip 192.168.20.254 vrrp vrid 2 priority 200 vrrp vrid 2 track interface GigabitEthernet0/0/1 reduced 120 dhcp select relay dhcp relay server-ip 192.168.13.1 # interface MEth0/0/1 # interface Eth-Trunk1 port link-type trunk port trunk allow-pass vlan 10 to 11 13 20 30 mode lacp-static max active-linknumber 2 # interface GigabitEthernet0/0/1 port link-type access port default vlan 13 stp edged-port enable # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 10 to 11 13 20 30 # interface GigabitEthernet0/0/3 eth-trunk 1 # interface GigabitEthernet0/0/4 eth-trunk 1 # interface GigabitEthernet0/0/5 shutdown eth-trunk 1 # interface GigabitEthernet0/0/6 port link-type trunk port trunk allow-pass vlan 10 to 11 13 20 30 # interface GigabitEthernet0/0/7 # interface GigabitEthernet0/0/8 # interface GigabitEthernet0/0/9 # interface GigabitEthernet0/0/10 # interface GigabitEthernet0/0/11 # interface GigabitEthernet0/0/12 # interface GigabitEthernet0/0/13 # interface GigabitEthernet0/0/14 # interface GigabitEthernet0/0/15 # interface GigabitEthernet0/0/16 # interface GigabitEthernet0/0/17 # interface GigabitEthernet0/0/18 # interface GigabitEthernet0/0/19 # interface GigabitEthernet0/0/20 # interface GigabitEthernet0/0/21 # interface GigabitEthernet0/0/22 # interface GigabitEthernet0/0/23 # interface GigabitEthernet0/0/24 # interface NULL0 # ospf 1 area 0.0.0.0 network 192.168.13.12 0.0.0.0 network 192.168.10.0 0.0.0.255 network 192.168.20.0 0.0.0.255 # user-interface con 0 user-interface vty 0 4 # Return ### **++SW3++** \[SW3\]dis cu # sysname SW3 # vlan batch 10 to 11 13 20 30 # stp bpdu-protection # cluster enable ntdp enable ndp enable # drop illegal-mac alarm # dhcp enable # diffserv domain default # stp region-configuration region-name huawei revision-level 1 instance 1 vlan 10 to 11 instance 2 vlan 20 30 active region-configuration # drop-profile default # aaa authentication-scheme default authorization-scheme default accounting-scheme default domain default domain default_admin local-user admin password simple admin local-user admin service-type http # interface Vlanif1 # interface MEth0/0/1 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 to 11 13 20 30 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 10 to 11 13 20 30 # interface GigabitEthernet0/0/3 port link-type access port default vlan 10 stp edged-port enable # interface GigabitEthernet0/0/4 port link-type access port default vlan 20 stp edged-port enable # interface GigabitEthernet0/0/5 port link-type trunk port trunk pvid vlan 30 port trunk allow-pass vlan 10 to 11 13 20 30 # interface GigabitEthernet0/0/6 # interface GigabitEthernet0/0/7 # interface GigabitEthernet0/0/8 # interface GigabitEthernet0/0/9 # interface GigabitEthernet0/0/10 # interface GigabitEthernet0/0/11 # interface GigabitEthernet0/0/12 # interface GigabitEthernet0/0/13 # interface GigabitEthernet0/0/14 # interface GigabitEthernet0/0/15 # interface GigabitEthernet0/0/16 # interface GigabitEthernet0/0/17 # interface GigabitEthernet0/0/18 # interface GigabitEthernet0/0/19 # interface GigabitEthernet0/0/20 # interface GigabitEthernet0/0/21 # interface GigabitEthernet0/0/22 # interface GigabitEthernet0/0/23 # interface GigabitEthernet0/0/24 # interface NULL0 # user-interface con 0 user-interface vty 0 4 # return ### **++SW4++** \[SW4\]dis current-configuration # sysname SW4 # vlan batch 10 to 11 13 20 30 # stp bpdu-protection # cluster enable ntdp enable ndp enable # drop illegal-mac alarm # dhcp enable # diffserv domain default # stp region-configuration region-name huawei revision-level 1 instance 1 vlan 10 to 11 instance 2 vlan 20 30 active region-configuration # drop-profile default # aaa authentication-scheme default authorization-scheme default accounting-scheme default domain default domain default_admin local-user admin password simple admin local-user admin service-type http # interface Vlanif1 # interface MEth0/0/1 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 to 11 13 20 30 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 10 to 11 13 20 30 # interface GigabitEthernet0/0/3 port link-type access port default vlan 10 stp edged-port enable # interface GigabitEthernet0/0/4 port link-type access port default vlan 20 stp edged-port enable # interface GigabitEthernet0/0/5 port link-type trunk port trunk pvid vlan 30 port trunk allow-pass vlan 10 to 11 13 20 30 # interface GigabitEthernet0/0/6 # interface GigabitEthernet0/0/7 # interface GigabitEthernet0/0/8 # interface GigabitEthernet0/0/9 # interface GigabitEthernet0/0/10 # interface GigabitEthernet0/0/11 # interface GigabitEthernet0/0/12 # interface GigabitEthernet0/0/13 # interface GigabitEthernet0/0/14 # interface GigabitEthernet0/0/15 # interface GigabitEthernet0/0/16 # interface GigabitEthernet0/0/17 # interface GigabitEthernet0/0/18 # interface GigabitEthernet0/0/19 # interface GigabitEthernet0/0/20 # interface GigabitEthernet0/0/21 # interface GigabitEthernet0/0/22 # interface GigabitEthernet0/0/23 # interface GigabitEthernet0/0/24 # interface NULL0 # user-interface con 0 user-interface vty 0 4 # Return ### **++AR1++** \[AR1\]dis cu \[V200R003C00
sysname AR1
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
dhcp enable
ip pool a
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
dns-list 8.8.8.8
ip pool b
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
dns-list 114.114.114.114
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %%K8m.Nt84DZ}e#<0`8bmE3Uw}%%
local-user admin service-type http
firewall zone Local
priority 15
interface GigabitEthernet0/0/0
ip address 192.168.13.1 255.255.255.0
dhcp select global
interface GigabitEthernet0/0/1
ip address 192.168.11.1 255.255.255.0
dhcp select global
interface GigabitEthernet0/0/2
interface NULL0
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 192.168.11.1 0.0.0.0
network 192.168.13.1 0.0.0.0
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
wlan ac
Return
++AC1++
AC1\]dis current-configuration # sysname AC1 # set memory-usage threshold 0 # ssl renegotiation-rate 1 # vlan batch 10 to 11 13 20 30 # authentication-profile name default_authen_profile authentication-profile name dot1x_authen_profile authentication-profile name mac_authen_profile authentication-profile name portal_authen_profile authentication-profile name macportal_authen_profile # vlan pool 1 vlan 10 20 # dhcp enable # diffserv domain default # radius-server template default # pki realm default rsa local-key-pair default enrollment self-signed # ike proposal default encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 # free-rule-template name default_free_rule # portal-access-profile name portal_access_profile # aaa authentication-scheme default authentication-scheme radius authentication-mode radius authorization-scheme default accounting-scheme default domain default authentication-scheme radius radius-server default domain default_admin authentication-scheme default local-user admin password irreversible-cipher $1a$K\~R,Q-s\^!6$GPg3#J:nS+w0'\<.\~2- l3s\[V#9;Snv\>)\*\`#+N/EtB$ local-user admin privilege level 15 local-user admin service-type http # interface Vlanif30 ip address 192.168.30.1 255.255.255.0 dhcp select interface # interface MEth0/0/1 undo negotiation auto duplex half # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 10 to 11 13 20 30 # interface GigabitEthernet0/0/2 # interface GigabitEthernet0/0/3 # interface GigabitEthernet0/0/4 # interface GigabitEthernet0/0/5 # interface GigabitEthernet0/0/6 # interface GigabitEthernet0/0/7 # interface GigabitEthernet0/0/8 # interface GigabitEthernet0/0/9 # interface GigabitEthernet0/0/10 # interface GigabitEthernet0/0/11 # interface GigabitEthernet0/0/12 # interface GigabitEthernet0/0/13 # interface GigabitEthernet0/0/14 # interface GigabitEthernet0/0/15 # interface GigabitEthernet0/0/16 # interface GigabitEthernet0/0/17 # interface GigabitEthernet0/0/18 # interface GigabitEthernet0/0/19 # interface GigabitEthernet0/0/20 # interface GigabitEthernet0/0/21 undo negotiation auto duplex half # interface GigabitEthernet0/0/22 undo negotiation auto duplex half # interface GigabitEthernet0/0/23 undo negotiation auto duplex half # interface GigabitEthernet0/0/24 undo negotiation auto duplex half # interface XGigabitEthernet0/0/1 # interface XGigabitEthernet0/0/2 # interface NULL0 # snmp-agent local-engineid 800007DB03000000000000 snmp-agent # ssh server secure-algorithms cipher aes256_ctr aes128_ctr ssh server key-exchange dh_group14_sha1 ssh client secure-algorithms cipher aes256_ctr aes128_ctr ssh client secure-algorithms hmac sha2_256 ssh client key-exchange dh_group14_sha1 # capwap source ip-address 192.168.30.1 # user-interface con 0 authentication-mode password user-interface vty 0 4 protocol inbound all user-interface vty 16 20 protocol inbound all # wlan traffic-profile name default security-profile name HW security wpa-wpa2 psk pass-phrase %\^%#d(JE;1;s\^9EL\\-)8$Ja8q;'}4_2Jt=!\<%DTKUhvM %\^%# aes security-profile name default security-profile name default-wds security-profile name default-mesh ssid-profile name HW ssid huawei ssid-profile name default vap-profile name HW service-vlan vlan-pool 1 ssid-profile HW security-profile HW vap-profile name default wds-profile name default mesh-handover-profile name default mesh-profile name default regulatory-domain-profile name 0 regulatory-domain-profile name default air-scan-profile name default rrm-profile name default radio-2g-profile name default radio-5g-profile name default wids-spoof-profile name default wids-profile name default wireless-access-specification ap-system-profile name default port-link-profile name default wired-port-profile name default serial-profile name preset-enjoyor-toeap ap-group name ap radio 0 vap-profile HW wlan 1 ap-group name default ap-id 1 type-id 60 ap-mac 00e0-fcf6-7a40 ap-sn 2102354483103736826E ap-name ap1 ap-group ap radio 0 channel 20mhz 1 ap-id 2 type-id 60 ap-mac 00e0-fcdd-6910 ap-sn 210235448310EE5F5459 ap-name ap2 ap-group ap radio 0 channel 20mhz 5 provision-ap # dot1x-access-profile name dot1x_access_profile # mac-access-profile name mac_access_profile # return ## 效果展示 ### 链路聚合配置   ### VLAN 配置 Sw4  Sw1  Sw3  Sw2 ### STP 配置 Sw3  Sw4  边缘端口保护  ### IP 地址配置 AC  AR  Sw1  Sw2  ### VRRP 配置   ### IGP 配置  ### DHCP 配置  ### AP上线   ### WLAN配置  