Comprehensive Switching Lab

Published: 2024-12-18

Lab topology

Lab requirements

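1. Link aggregation configuration:

SW1 and SW2 are connected to each other through interfaces GE0/0/3, GE0/0/4 and GE0/0/5. Bundle these three interfaces into one logical interface using static-lacp mode. SW2 is the active end, and the maximum usable bandwidth between the two devices is 2G.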

2. VLAN configuration:

Create VLANs on every switch, with VLAN IDs 10, 11, 13, 20 and 30, and assign the VLANs to the corresponding interfaces: Department A in vlan10, Department B in vlan20, LSW1 G0/0/2 in vlan11, LSW2 G0/0/1 in vlan13.

3. Trunk configuration:

Configure all inter-switch interfaces as trunk interfaces that allow only VLANs 1, 10, 11, 13, 20 and 30 to pass.

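4. STP configuration:

All switches run MSTP; the MSTP region name is huawei and the revision level is 1.

Create two additional instances: map VLANs 10, 11 and 30 to instance 1, and VLANs 13 and 20 to instance 2.

LSW1 must be the root bridge of instance 1 and the backup root bridge of instance 2; LSW2 must be the root bridge of instance 2 and the backup root bridge of instance 1.

Configure the switches so that a PC or router enters the forwarding state immediately on connection, and configure the corresponding protection so that an interface that receives a BPDU is shut down.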

5. IP address configuration:

Configure the IP addresses of SITEA as shown in the figure.

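6. VRRP configuration:

LSW1 and LSW2 each have Vlanif10 and Vlanif20, which serve as the gateways of Departments A and B respectively. Use VRRP to provide gateway redundancy.

Vlanif10 uses VRRP virtual router ID 1 with virtual IP address 192.168.10.254; LSW1 is the master and LSW2 is the backup, and the master router's priority is 200.

Vlanif20 uses VRRP virtual router ID 2 with virtual IP address 192.168.20.254; LSW2 is the master and LSW1 is the backup, and the master router's priority is 200.

On the master routers for Vlanif10 and Vlanif20, use BFD to track the uplink interface so that traffic switches automatically to the backup router when the uplink goes down.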

7. IGP configuration

LSW1, LSW2 and AR1 run OSPF with process ID 1, in area 0.

8. DHCP configuration

AR1 is the DHCP server and assigns IP addresses to the hosts of Departments A and B from global address pools. Create ip pool A for Department A: network 192.168.10.0/24, gateway 192.168.10.254, DNS 8.8.8.8. Create ip pool B for Department B: network 192.168.20.0/24, gateway 192.168.20.254, DNS 114.114.114.114.

LSW1 and LSW2 are DHCP relay agents: Vlanif10 points to DHCP server address 192.168.11.1, and Vlanif20 points to DHCP server address 192.168.13.1.

The AC is the DHCP server that assigns IP addresses to the APs.

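9. AP onboarding

Create an AP group named AP; use MAC authentication for the APs; name each AP according to the topology and add it to the AP group; set the CAPWAP tunnel address to 192.168.30.1, and check that the APs come online.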

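10. WLAN configuration

The APs use the 2.4G radio. To support layer-2 roaming, use the same security profile and SSID profile (profile names are up to you). The security policy is WPA/WPA2 PSK with pre-shared key huawei123 and AES encryption; the SSID is huawei and the forwarding mode is direct forwarding. Use a VLAN pool to assign VLAN10 and VLAN20, with HASH as the VLAN assignment method. To prevent AP signal interference, AP1 uses channel 1 and AP2 uses channel 5.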

Lab configuration

Global configuration

SW1

[SW1]dis current-configuration

#

sysname SW1

#

vlan batch 10 to 11 13 20 30

#

stp instance 1 root primary

stp instance 2 root secondary

stp bpdu-protection

#

lacp e-trunk priority 1

#

cluster enable

ntdp enable

ndp enable

#

drop illegal-mac alarm

#

dhcp enable

#

diffserv domain default

#

stp region-configuration

 region-name huawei

 revision-level 1

 instance 1 vlan 10 to 11

 instance 2 vlan 20 30

 active region-configuration

#

drop-profile default

#

aaa

 authentication-scheme default

 authorization-scheme default

 accounting-scheme default

 domain default

 domain default_admin

 local-user admin password simple admin

 local-user admin service-type http

#

interface Vlanif1

#

interface Vlanif10

 ip address 192.168.10.1 255.255.255.0

 vrrp vrid 1 virtual-ip 192.168.10.254

 vrrp vrid 1 priority 200

 vrrp vrid 1 track interface GigabitEthernet0/0/2 reduced 120

 dhcp select relay

 dhcp relay server-ip 192.168.11.1

#

interface Vlanif11

 ip address 192.168.11.11 255.255.255.0

#

interface Vlanif20

 ip address 192.168.20.1 255.255.255.0

 vrrp vrid 2 virtual-ip 192.168.20.254

 dhcp select relay

 dhcp relay server-ip 192.168.13.1

#

interface MEth0/0/1

#

interface Eth-Trunk1

 port link-type trunk

 port trunk allow-pass vlan 10 to 11 13 20 30

 mode lacp-static

 max active-linknumber 2

#

interface GigabitEthernet0/0/1

 port link-type trunk

 port trunk allow-pass vlan 10 to 11 13 20 30

#

interface GigabitEthernet0/0/2

 port link-type access

 port default vlan 11

 stp edged-port enable

#

interface GigabitEthernet0/0/3

 eth-trunk 1

#

interface GigabitEthernet0/0/4

 eth-trunk 1

#

interface GigabitEthernet0/0/5

 eth-trunk 1

#

interface GigabitEthernet0/0/6

 port link-type trunk

 port trunk allow-pass vlan 10 to 11 13 20 30

#

interface GigabitEthernet0/0/7

 port link-type trunk

 port trunk allow-pass vlan 10 to 11 13 20 30

#

interface GigabitEthernet0/0/8

#

interface GigabitEthernet0/0/9

#

interface GigabitEthernet0/0/10

#

interface GigabitEthernet0/0/11

#

interface GigabitEthernet0/0/12

#

interface GigabitEthernet0/0/13

#

interface GigabitEthernet0/0/14

#

interface GigabitEthernet0/0/15

#

interface GigabitEthernet0/0/16

#

interface GigabitEthernet0/0/17

#

interface GigabitEthernet0/0/18

#

interface GigabitEthernet0/0/19

#

interface GigabitEthernet0/0/20

#

interface GigabitEthernet0/0/21

#

interface GigabitEthernet0/0/22

#

interface GigabitEthernet0/0/23

#

interface GigabitEthernet0/0/24

#

interface NULL0

#

ospf 1

 area 0.0.0.0

  network 192.168.11.11 0.0.0.0

  network 192.168.10.0 0.0.0.255

  network 192.168.20.0 0.0.0.255

#

user-interface con 0

user-interface vty 0 4

#

SW2

[SW2]dis current-configuration

#

sysname SW2

#

vlan batch 10 to 11 13 20 30

#

stp instance 1 root secondary

stp bpdu-protection

#

lacp priority 1000

#

cluster enable

ntdp enable

ndp enable

#

drop illegal-mac alarm

#

dhcp enable

#

diffserv domain default

#

stp region-configuration

 region-name huawei

 revision-level 1

 instance 1 vlan 10 to 11

 instance 2 vlan 20 30

 active region-configuration

#

drop-profile default

#

aaa

 authentication-scheme default

 authorization-scheme default

 accounting-scheme default

 domain default

 domain default_admin

 local-user admin password simple admin

 local-user admin service-type http

#

interface Vlanif1

#

interface Vlanif10

 ip address 192.168.10.2 255.255.255.0

 vrrp vrid 1 virtual-ip 192.168.10.254

 dhcp select relay

 dhcp relay server-ip 192.168.11.1

#

interface Vlanif13

 ip address 192.168.13.12 255.255.255.0

#

interface Vlanif20

 ip address 192.168.20.2 255.255.255.0

 vrrp vrid 2 virtual-ip 192.168.20.254

 vrrp vrid 2 priority 200

 vrrp vrid 2 track interface GigabitEthernet0/0/1 reduced 120

 dhcp select relay

 dhcp relay server-ip 192.168.13.1

#

interface MEth0/0/1

#

interface Eth-Trunk1

 port link-type trunk

 port trunk allow-pass vlan 10 to 11 13 20 30

 mode lacp-static

 max active-linknumber 2

#

interface GigabitEthernet0/0/1

 port link-type access

 port default vlan 13

 stp edged-port enable

#

interface GigabitEthernet0/0/2

 port link-type trunk

 port trunk allow-pass vlan 10 to 11 13 20 30

#

interface GigabitEthernet0/0/3

 eth-trunk 1

#

interface GigabitEthernet0/0/4

 eth-trunk 1

#

interface GigabitEthernet0/0/5

 shutdown

 eth-trunk 1

#

interface GigabitEthernet0/0/6

 port link-type trunk

 port trunk allow-pass vlan 10 to 11 13 20 30

#

interface GigabitEthernet0/0/7

#

interface GigabitEthernet0/0/8

#

interface GigabitEthernet0/0/9

#

interface GigabitEthernet0/0/10

#

interface GigabitEthernet0/0/11

#

interface GigabitEthernet0/0/12

#

interface GigabitEthernet0/0/13

#

interface GigabitEthernet0/0/14

#

interface GigabitEthernet0/0/15

#

interface GigabitEthernet0/0/16

#

interface GigabitEthernet0/0/17

#

interface GigabitEthernet0/0/18

#

interface GigabitEthernet0/0/19

#

interface GigabitEthernet0/0/20

#

interface GigabitEthernet0/0/21

#

interface GigabitEthernet0/0/22

#

interface GigabitEthernet0/0/23

#

interface GigabitEthernet0/0/24

#

interface NULL0

#

ospf 1

 area 0.0.0.0

  network 192.168.13.12 0.0.0.0

  network 192.168.10.0 0.0.0.255

  network 192.168.20.0 0.0.0.255

#

user-interface con 0

user-interface vty 0 4

#

return

SW3

[SW3]dis cu

#

sysname SW3

#

vlan batch 10 to 11 13 20 30

#

stp bpdu-protection

#

cluster enable

ntdp enable

ndp enable

#

drop illegal-mac alarm

#

dhcp enable

#

diffserv domain default

#

stp region-configuration

 region-name huawei

 revision-level 1

 instance 1 vlan 10 to 11

 instance 2 vlan 20 30

 active region-configuration

#

drop-profile default

#

aaa

 authentication-scheme default

 authorization-scheme default

 accounting-scheme default

 domain default

 domain default_admin

 local-user admin password simple admin

 local-user admin service-type http

#

interface Vlanif1

#

interface MEth0/0/1

#

interface GigabitEthernet0/0/1

 port link-type trunk

 port trunk allow-pass vlan 10 to 11 13 20 30

#

interface GigabitEthernet0/0/2

 port link-type trunk

 port trunk allow-pass vlan 10 to 11 13 20 30

#

interface GigabitEthernet0/0/3

 port link-type access

 port default vlan 10

 stp edged-port enable

#

interface GigabitEthernet0/0/4

 port link-type access

 port default vlan 20

 stp edged-port enable

#

interface GigabitEthernet0/0/5

 port link-type trunk

 port trunk pvid vlan 30

 port trunk allow-pass vlan 10 to 11 13 20 30

#

interface GigabitEthernet0/0/6

#

interface GigabitEthernet0/0/7

#

interface GigabitEthernet0/0/8

#

interface GigabitEthernet0/0/9

#

interface GigabitEthernet0/0/10

#

interface GigabitEthernet0/0/11

#

interface GigabitEthernet0/0/12

#

interface GigabitEthernet0/0/13

#

interface GigabitEthernet0/0/14

#

interface GigabitEthernet0/0/15

#

interface GigabitEthernet0/0/16

#

interface GigabitEthernet0/0/17

#

interface GigabitEthernet0/0/18

#

interface GigabitEthernet0/0/19

#

interface GigabitEthernet0/0/20

#

interface GigabitEthernet0/0/21

#

interface GigabitEthernet0/0/22

#

interface GigabitEthernet0/0/23

#

interface GigabitEthernet0/0/24

#

interface NULL0

#

user-interface con 0

user-interface vty 0 4

#

return

SW4

[SW4]dis current-configuration

#

sysname SW4

#

vlan batch 10 to 11 13 20 30

#

stp bpdu-protection

#

cluster enable

ntdp enable

ndp enable

#

drop illegal-mac alarm

#

dhcp enable

#

diffserv domain default

#

stp region-configuration

 region-name huawei

 revision-level 1

 instance 1 vlan 10 to 11

 instance 2 vlan 20 30

 active region-configuration

#

drop-profile default

#

aaa

 authentication-scheme default

 authorization-scheme default

 accounting-scheme default

 domain default

 domain default_admin

 local-user admin password simple admin

 local-user admin service-type http

#

interface Vlanif1

#

interface MEth0/0/1

#

interface GigabitEthernet0/0/1

 port link-type trunk

 port trunk allow-pass vlan 10 to 11 13 20 30

#

interface GigabitEthernet0/0/2

 port link-type trunk

 port trunk allow-pass vlan 10 to 11 13 20 30

#

interface GigabitEthernet0/0/3

 port link-type access

 port default vlan 10

 stp edged-port enable

#

interface GigabitEthernet0/0/4

 port link-type access

 port default vlan 20

 stp edged-port enable

#

interface GigabitEthernet0/0/5

 port link-type trunk

 port trunk pvid vlan 30

 port trunk allow-pass vlan 10 to 11 13 20 30

#

interface GigabitEthernet0/0/6

#

interface GigabitEthernet0/0/7

#

interface GigabitEthernet0/0/8

#

interface GigabitEthernet0/0/9

#

interface GigabitEthernet0/0/10

#

interface GigabitEthernet0/0/11

#

interface GigabitEthernet0/0/12

#

interface GigabitEthernet0/0/13

#

interface GigabitEthernet0/0/14

#

interface GigabitEthernet0/0/15

#

interface GigabitEthernet0/0/16

#

interface GigabitEthernet0/0/17

#

interface GigabitEthernet0/0/18

#

interface GigabitEthernet0/0/19

#

interface GigabitEthernet0/0/20

#

interface GigabitEthernet0/0/21

#

interface GigabitEthernet0/0/22

#

interface GigabitEthernet0/0/23

#

interface GigabitEthernet0/0/24

#

interface NULL0

#

user-interface con 0

user-interface vty 0 4

#

return

AR1

[AR1]dis cu

[V200R003C00]

#

 sysname AR1

#

 snmp-agent local-engineid 800007DB03000000000000

 snmp-agent

#

 clock timezone China-Standard-Time minus 08:00:00

#

portal local-server load flash:/portalpage.zip

#

 drop illegal-mac alarm

#

 wlan ac-global carrier id other ac id 0

#

 set cpu-usage threshold 80 restore 75

#

dhcp enable

#

ip pool a

 gateway-list 192.168.10.254

 network 192.168.10.0 mask 255.255.255.0

 dns-list 8.8.8.8

#

ip pool b

 gateway-list 192.168.20.254

 network 192.168.20.0 mask 255.255.255.0

 dns-list 114.114.114.114

#

aaa

 authentication-scheme default

 authorization-scheme default

 accounting-scheme default

 domain default

 domain default_admin

 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

 local-user admin service-type http

#

firewall zone Local

 priority 15

#

interface GigabitEthernet0/0/0

 ip address 192.168.13.1 255.255.255.0

 dhcp select global

#

interface GigabitEthernet0/0/1

 ip address 192.168.11.1 255.255.255.0

 dhcp select global

#

interface GigabitEthernet0/0/2

#

interface NULL0

#

ospf 1 router-id 1.1.1.1

 area 0.0.0.0

  network 192.168.11.1 0.0.0.0

  network 192.168.13.1 0.0.0.0

#

user-interface con 0

 authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

#

wlan ac

#

return

AC1

[AC1]dis current-configuration

#

 sysname AC1

#

 set memory-usage threshold 0

#

ssl renegotiation-rate 1

#

vlan batch 10 to 11 13 20 30

#

authentication-profile name default_authen_profile

authentication-profile name dot1x_authen_profile

authentication-profile name mac_authen_profile

authentication-profile name portal_authen_profile

authentication-profile name macportal_authen_profile

#

vlan pool 1

 vlan 10 20

#

dhcp enable

#

diffserv domain default

#

radius-server template default

#

pki realm default

 rsa local-key-pair default

 enrollment self-signed

#

ike proposal default

 encryption-algorithm aes-256

 dh group14

 authentication-algorithm sha2-256

 authentication-method pre-share

 integrity-algorithm hmac-sha2-256

 prf hmac-sha2-256

#

free-rule-template name default_free_rule

#

portal-access-profile name portal_access_profile

#

aaa

 authentication-scheme default

 authentication-scheme radius

  authentication-mode radius

 authorization-scheme default

 accounting-scheme default

 domain default

  authentication-scheme radius

  radius-server default

 domain default_admin

  authentication-scheme default

 local-user admin password irreversible-cipher $1a$K~R,Q-s^!6$GPg3#J:nS+w0'<.~2-l3s[V#9;Snv>)*`#+N/EtB$

 local-user admin privilege level 15

 local-user admin service-type http

#

interface Vlanif30

 ip address 192.168.30.1 255.255.255.0

 dhcp select interface

#

interface MEth0/0/1

 undo negotiation auto

 duplex half

#

interface GigabitEthernet0/0/1

 port link-type trunk

 port trunk allow-pass vlan 10 to 11 13 20 30

#

interface GigabitEthernet0/0/2

#

interface GigabitEthernet0/0/3

#

interface GigabitEthernet0/0/4

#

interface GigabitEthernet0/0/5

#

interface GigabitEthernet0/0/6

#

interface GigabitEthernet0/0/7

#

interface GigabitEthernet0/0/8

#

interface GigabitEthernet0/0/9

#

interface GigabitEthernet0/0/10

#

interface GigabitEthernet0/0/11

#

interface GigabitEthernet0/0/12

#

interface GigabitEthernet0/0/13

#

interface GigabitEthernet0/0/14

#

interface GigabitEthernet0/0/15

#

interface GigabitEthernet0/0/16

#

interface GigabitEthernet0/0/17

#

interface GigabitEthernet0/0/18

#

interface GigabitEthernet0/0/19

#

interface GigabitEthernet0/0/20

#

interface GigabitEthernet0/0/21

 undo negotiation auto

 duplex half

#

interface GigabitEthernet0/0/22

 undo negotiation auto

 duplex half

#

interface GigabitEthernet0/0/23

 undo negotiation auto

 duplex half

#

interface GigabitEthernet0/0/24

 undo negotiation auto

 duplex half

#

interface XGigabitEthernet0/0/1

#

interface XGigabitEthernet0/0/2

#

interface NULL0

#

 snmp-agent local-engineid 800007DB03000000000000

 snmp-agent

#

ssh server secure-algorithms cipher aes256_ctr aes128_ctr

ssh server key-exchange dh_group14_sha1

ssh client secure-algorithms cipher aes256_ctr aes128_ctr

ssh client secure-algorithms hmac sha2_256

ssh client key-exchange dh_group14_sha1

#

capwap source ip-address 192.168.30.1

#

user-interface con 0

 authentication-mode password

user-interface vty 0 4

 protocol inbound all

user-interface vty 16 20

 protocol inbound all

#

wlan

 traffic-profile name default

 security-profile name HW

  security wpa-wpa2 psk pass-phrase %^%#d(JE;1;s^9EL\-)8$Ja8q;'}4_2Jt=!<%DTKUhvM%^%# aes

 security-profile name default

 security-profile name default-wds

 security-profile name default-mesh

 ssid-profile name HW

  ssid huawei

 ssid-profile name default

 vap-profile name HW

  service-vlan vlan-pool 1

  ssid-profile HW

  security-profile HW

 vap-profile name default

 wds-profile name default

 mesh-handover-profile name default

 mesh-profile name default

 regulatory-domain-profile name 0

 regulatory-domain-profile name default

 air-scan-profile name default

 rrm-profile name default

 radio-2g-profile name default

 radio-5g-profile name default

 wids-spoof-profile name default

 wids-profile name default

 wireless-access-specification

 ap-system-profile name default

 port-link-profile name default

 wired-port-profile name default

 serial-profile name preset-enjoyor-toeap

 ap-group name ap

  radio 0

   vap-profile HW wlan 1

 ap-group name default

 ap-id 1 type-id 60 ap-mac 00e0-fcf6-7a40 ap-sn 2102354483103736826E

  ap-name ap1

  ap-group ap

  radio 0

   channel 20mhz 1

 ap-id 2 type-id 60 ap-mac 00e0-fcdd-6910 ap-sn 210235448310EE5F5459

  ap-name ap2

  ap-group ap

  radio 0

   channel 20mhz 5

 provision-ap

#

dot1x-access-profile name dot1x_access_profile

#

mac-access-profile name mac_access_profile

#

return
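
As an added example (not part of the original post), the following Python code checks the STP-related lines of the SW1 and SW2 configurations shown earlier against requirement 4. The names `audit_mstp`, `expand_vlans`, `REQUIRED_MAP` and `REQUIRED_ROLES` are introduced here for illustration, and the embedded excerpts are copied from the dumps on this page.

```python
import re

# Requirement 4 on this page: VLAN-to-instance mapping and root roles.
REQUIRED_MAP = {1: {10, 11, 30}, 2: {13, 20}}
REQUIRED_ROLES = {"SW1": {1: "primary", 2: "secondary"},
                  "SW2": {1: "secondary", 2: "primary"}}
# STP-related lines excerpted from the SW1 and SW2 dumps on this page.
REGION = ("stp region-configuration\n region-name huawei\n revision-level 1\n"
          " instance 1 vlan 10 to 11\n instance 2 vlan 20 30\n"
          " active region-configuration\n")
SW1 = ("sysname SW1\nstp instance 1 root primary\n"
       "stp instance 2 root secondary\nstp bpdu-protection\n" + REGION)
SW2 = "sysname SW2\nstp instance 1 root secondary\nstp bpdu-protection\n" + REGION


def expand_vlans(spec):
    """Expand a VRP VLAN list such as '10 to 11 30' into {10, 11, 30}."""
    vlans = set()
    for low, high in re.findall(r"(\d+)(?: to (\d+))?", spec):
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def audit_mstp(config):
    """Return findings where one switch's config departs from requirement 4."""
    name = re.search(r"^ *sysname (\S+)", config, re.M).group(1)
    findings = []
    for pattern, problem in ((r"^ *region-name huawei$", "region-name is not huawei"),
                             (r"^ *revision-level 1$", "revision-level is not 1"),
                             (r"^ *stp bpdu-protection$", "BPDU protection is off")):
        if not re.search(pattern, config, re.M):
            findings.append(problem)
    mapping = {int(inst): expand_vlans(spec) for inst, spec in
               re.findall(r"^ *instance (\d+) vlan (.+)$", config, re.M)}
    for inst, want in REQUIRED_MAP.items():
        got = mapping.get(inst, set())
        if got != want:
            findings.append(f"instance {inst} maps VLANs {sorted(got)}, required {sorted(want)}")
    roles = {int(inst): role for inst, role in
             re.findall(r"^ *stp instance (\d+) root (\w+)$", config, re.M)}
    for inst, want in REQUIRED_ROLES.get(name, {}).items():
        got = roles.get(inst, "unset")
        if got != want:
            findings.append(f"instance {inst} root role is {got}, required {want}")
    return findings


if __name__ == "__main__":
    print(audit_mstp(SW1), audit_mstp(SW2), sep="\n")
```

On these excerpts it reports that the region maps VLANs 10 and 11 to instance 1 and VLANs 20 and 30 to instance 2 rather than the required 10, 11, 30 and 13, 20, and that SW2 has no `stp instance 2 root primary` line.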

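Results

Link aggregation configuration

VLAN configuration

Sw4

Sw1

Sw3

Sw2

STP configuration

Sw3

Sw4

Edge port protection

IP address configuration

AC

AR

Sw1

Sw2

VRRP configuration

IGP configuration

DHCP configuration

AP onboarding

WLAN configuration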

