Contents
I. Access layer - aggregation layer
a. VLAN configuration
b. Interconnect links: trunk and Eth-Trunk
c. STP / MSTP
d. Gateways and VRRP coordinated with MSTP
Two instances:
Instance 1: VLAN 10, VLAN 30
Instance 2: VLAN 20, VLAN 40
Address plan
1. Create the VLANs on each switch and change the link types.
[Huawei-GigabitEthernet0/0/1]int g0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 30
[Huawei-GigabitEthernet0/0/3]stp edged-port enable
[Huawei-GigabitEthernet0/0/3]int g0/0/4
[Huawei-GigabitEthernet0/0/4] port link-type trunk
[Huawei-GigabitEthernet0/0/4] port trunk allow-pass vlan 2 to 4094
[Huawei-GigabitEthernet0/0/4]int g0/0/5
[Huawei-GigabitEthernet0/0/5] port link-type trunk
[Huawei-GigabitEthernet0/0/5] port trunk allow-pass vlan 2 to 4094
The remaining ports are configured the same way.
Configure link aggregation between lsw1 and lsw3.
[lsw1]int Eth-Trunk 12 //enter aggregation interface 12
[lsw1-Eth-Trunk12]mode lacp-static //set LACP mode
[lsw1-Eth-Trunk12]trunkport GigabitEthernet 0/0/23 to 0/0/24
//add member ports 23 and 24
[lsw1-Eth-Trunk12]port link-type trunk
[lsw1-Eth-Trunk12]port trunk allow-pass vlan all
2. Configure spanning tree
[lsw2]stp region-configuration
[lsw2-mst-region] region-name ceshi
[lsw2-mst-region] revision-level 1
[lsw2-mst-region] instance 1 vlan 10 30
[lsw2-mst-region] instance 2 vlan 20 40
[lsw2-mst-region] active region-configuration
The other switches use the same region configuration.
[lsw1]stp instance 1 root primary //lsw1 is the primary root for instance 1
[lsw1]stp instance 2 root secondary //lsw1 is the secondary root for instance 2
[lsw3]stp instance 2 root primary
[lsw3]stp instance 1 root secondary
3. Configure the gateways
[lsw1-Vlanif10]ip address 192.168.10.251 24
[lsw1-Vlanif10]int vlan 20
[lsw1-Vlanif20]ip address 192.168.20.251 24
[lsw1-Vlanif20]int vlan 30
[lsw1-Vlanif30]ip address 192.168.30.251 24
[lsw1-Vlanif30]int vlan 40
[lsw1-Vlanif40]ip address 192.168.40.251 24
lsw2 is configured the same way, using .252 as its gateway address.
4. Configure VRRP
[lsw1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254 //the virtual gateway address is 30.254
[lsw1-Vlanif30]vrrp vrid 30 priority 120 //raise the priority
[lsw3-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254 //configure the backup
The other VLANs are configured the same way.
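As an added example (not from the original notes), here is the MSTP/VRRP pairing written out for all four VLANs: the switch that is root for an MSTP instance also gets the higher VRRP priority for that instance's VLANs, so gateway traffic never has to cross a port that MSTP has blocked. It assumes lsw3 is the second aggregation switch holding the .252 addresses; the preempt delay lines are an addition beyond the page's configuration.

```text
// lsw1: root for instance 1 (VLAN 10, 30), so VRRP master for VLAN 10 and 30
[lsw1]stp instance 1 root primary
[lsw1]stp instance 2 root secondary
[lsw1]interface Vlanif 10
[lsw1-Vlanif10]ip address 192.168.10.251 24
[lsw1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[lsw1-Vlanif10]vrrp vrid 10 priority 120
[lsw1-Vlanif10]vrrp vrid 10 preempt-mode timer delay 20 //added: wait for MSTP to converge before taking master back
[lsw1-Vlanif10]interface Vlanif 20
[lsw1-Vlanif20]ip address 192.168.20.251 24
[lsw1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254 //default priority 100: backup for the instance 2 VLANs
// VLAN 30 repeats the VLAN 10 lines (vrid 30, 192.168.30.x); VLAN 40 repeats VLAN 20 (vrid 40, 192.168.40.x)

// lsw3: root for instance 2 (VLAN 20, 40), so VRRP master for VLAN 20 and 40
[lsw3]stp instance 2 root primary
[lsw3]stp instance 1 root secondary
[lsw3]interface Vlanif 10
[lsw3-Vlanif10]ip address 192.168.10.252 24
[lsw3-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254 //backup for VLAN 10
[lsw3-Vlanif10]interface Vlanif 20
[lsw3-Vlanif20]ip address 192.168.20.252 24
[lsw3-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[lsw3-Vlanif20]vrrp vrid 20 priority 120
[lsw3-Vlanif20]vrrp vrid 20 preempt-mode timer delay 20

// check: the Master/Backup state per vrid must line up with the instance roots
[lsw1]display vrrp brief
[lsw1]display stp instance 1 brief
```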
II. Aggregation layer - core layer
a. IP configuration
b. OSPF and authentication
1. Configure the switch addresses
[ar2]di ip int br
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.1.23.2/24 up up
GigabitEthernet0/0/1 unassigned down down
GigabitEthernet0/0/2 10.1.12.2/24 up up
GigabitEthernet1/0/0 10.1.104.2/24 up up
GigabitEthernet2/0/0 10.1.102.2/24 up up
NULL0 unassigned up up(s)
[ar1]dis ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.1.14.1/24 up up
GigabitEthernet0/0/1 10.1.15.1/24 up up
GigabitEthernet0/0/2 10.1.12.1/24 down down
GigabitEthernet1/0/0 10.1.100.1/24 up up
GigabitEthernet2/0/0 10.1.103.1/24 up up
NULL0 unassigned up
Switch interface configuration
Enter system view, return user view with Ctrl+Z.
[lsw3]vlan batch 300 400
Info: This operation may take a few seconds. Please wait for a moment...done.
[lsw3]int vlan 300
[lsw3-Vlanif300]ip address 10.1.103.2 24
[lsw3-Vlanif300]int vlan 400
[lsw3-Vlanif400]ip address 10.1.104.2 24
[lsw3-Vlanif400]int vlan 300
[lsw3-Vlanif300]int g0/0/1
[lsw3-GigabitEthernet0/0/1]port link-type access
[lsw3-GigabitEthernet0/0/1]port default vlan 400
[lsw3-GigabitEthernet0/0/1]int g0/0/2
[lsw3-GigabitEthernet0/0/2]port link-type access
[lsw3-GigabitEthernet0/0/2]port default vlan 300
Configure OSPF
[ar1]ospf
[ar1-ospf-1]ar
[ar1-ospf-1]area 0
[ar1-ospf-1-area-0.0.0.0]netw
[ar1-ospf-1-area-0.0.0.0]network 10.1.14.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]network 10.1.15.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]network 10.1.12.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]network 10.1.100.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]network 10.1.103.1 0.0.0.0
[ar1-ospf-1-area-0.0.0.0]int p5/0/0
[ar1-Pos5/0/0]ip ad
[ar1-Pos5/0/0]ip address 10.1.13.1
[ar1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher huawei@123
//configure the OSPF area authentication password
The other routers are configured the same way.
Configure the DHCP server
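Added example (not part of the notes): the OSPF area authentication applied consistently on both routers and on the layer-3 switch in area 0, using the key ID and key shown above. The network statements for ar2 and lsw3 are assumed from the interface addresses listed in the display output above. Every router in the area must carry the identical key ID and key; a device without it (or with a different key) never gets past Init/Down with its neighbours.

```text
// ar1: area authentication covers every OSPF interface in area 0
[ar1]ospf 1
[ar1-ospf-1]area 0
[ar1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher huawei@123

// ar2: same area, same key ID (1) and same key, otherwise the adjacency does not form
[ar2]ospf 1
[ar2-ospf-1]area 0
[ar2-ospf-1-area-0.0.0.0]network 10.1.12.2 0.0.0.0
[ar2-ospf-1-area-0.0.0.0]network 10.1.104.2 0.0.0.0
[ar2-ospf-1-area-0.0.0.0]network 10.1.102.2 0.0.0.0
[ar2-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher huawei@123

// lsw3 (Vlanif300 10.1.103.2 towards ar1, Vlanif400 10.1.104.2 towards ar2) is in area 0 too
[lsw3]ospf 1
[lsw3-ospf-1]area 0
[lsw3-ospf-1-area-0.0.0.0]network 10.1.103.2 0.0.0.0
[lsw3-ospf-1-area-0.0.0.0]network 10.1.104.2 0.0.0.0
[lsw3-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher huawei@123

// verify: every neighbour should reach Full; a key mismatch leaves it stuck in Init or Down
[ar1]display ospf peer brief
```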
[Huawei]dhcp enable
[Huawei]ip p
[Huawei]ip pool 10
Info: It's successful to create an IP address pool.
[Huawei-ip-pool-10]netw
[Huawei-ip-pool-10]network 192.168.10.0
[Huawei-ip-pool-10]gat
[Huawei-ip-pool-10]gateway-list 192.168.10.254
[Huawei-ip-pool-10]dis this
[Huawei]ip pool 20
[Huawei-ip-pool-20]network 192.168.20.0
[Huawei-ip-pool-20]gateway-list 192.168.20.254
[Huawei-ip-pool-20]ip pool 30
Info: It's successful to create an IP address pool.
[Huawei-ip-pool-30]network 192.168.30.0
[Huawei-ip-pool-30]gateway-list 192.168.30.25
[Huawei]ip pool 40
Info: It's successful to create an IP address pool.
[Huawei-ip-pool-40]network 192.168.40.0
[Huawei-ip-pool-40]gateway-list 192.168.40.254
[dhcp-GigabitEthernet0/0/0]dhcp select global
[dhcp]ip route-static 0.0.0.0 0.0.0.0 10.1.14.1
Now lsw1 can ping the DHCP server.
Configure lsw1 and lsw2 the same way.
Now pc1, pc2, pc3 and pc4 can all obtain addresses.
Common mistakes:
Interfaces not assigned to a VLAN, VLAN not configured, switch unable to reach the DHCP server.
All four hosts have network-wide connectivity.
III. Firewall (fw) configuration
1. IP addresses
2. Zone assignment
3. Security policy permit rules
4. OSPF
[fw1]firewall zone trust
22:33:04 2022/08/25
[fw1-zone-trust]ad
[fw1-zone-trust]add t
[fw1-zone-trust]add in
[fw1-zone-trust]add interface g0/0/1
[fw1-GigabitEthernet0/0/1]service-manage ping permit //allow ping
[fw1-zone-untrust]add
[fw1-zone-untrust]add in
[fw1-zone-untrust]add interface g0/0/0
Info: The interface has been added to trust security zone.
Configure the firewall to allow untrust to reach the secure zone.
Also allow OSPF traffic through.
Configure the NAT policy on interface 0/0/0.
IV. Wireless AP
The AP management VLAN is 101.
Create VLAN 101 on the access-layer switch.
[lsw4-GigabitEthernet0/0/2]port link-type trunk
[lsw4-GigabitEthernet0/0/2]port trunk pvid vlan 101
AC configuration
[AC6005]int g0/0/4
[AC6005-GigabitEthernet0/0/4]port link-type trunk
[AC6005-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[AC6005-vlan101]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[AC6005-Vlanif101]ip address 192.168.101.254 24
[AC6005-Vlanif101]dhcp s
[AC6005-Vlanif101]dhcp select in
[AC6005-Vlanif101]dhcp select interface
Now the AP can ping the AC.
Create the WiFi
[AC6005-Vlanif101]wlan
[AC6005-wlan-ap-0]q
[AC6005-wlan-view]ap-id 1
[AC6005-wlan-ap-1]ap-g
[AC6005-wlan-ap-1]ap-group ap2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.
Error: The AP group does not exist.
[AC6005-wlan-ap-1]ap-name
[AC6005-wlan-ap-1]ap-name ap2
[AC6005-wlan-ap-1]ap
[AC6005-wlan-ap-1]ap-group ap-g
[AC6005-wlan-ap-1]ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC6005-wlan-ap-1]
[AC6005-wlan-ap-1]
[AC6005-wlan-ap-1]q
[AC6005-wlan-view]dis this
#
wlan
traffic-profile name default
security-profile name default
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name defatlt
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap auth-mode no-auth
ap-group name default
ap-group name ap-group1
regulatory-domain-profile defatlt
ap-id 0 type-id 45 ap-mac 00e0-fc4d-67a0 ap-sn 210235448310630E1214
ap-name ap1
ap-group ap-group1
ap-id 1 type-id 45 ap-mac 00e0-fc30-2d10 ap-sn 210235448310DF71C467
ap-name ap2
ap-group ap-group1
provision-ap
#
return
[AC6005-wlan-view]ap -au
[AC6005-wlan-view]dis ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
fault: fault [1]
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC            Name Group     IP             Type     State STA Uptime
--------------------------------------------------------------------------------
0  00e0-fc4d-67a0 ap1  ap-group1 192.168.101.79 AP3030DN nor   0   4S
1  00e0-fc30-2d10 ap2  ap-group1 -              AP3030DN fault 0   -
--------------------------------------------------------------------------------
Total: 2
[AC6005-wlan-view]security-profile name wlan-net
[AC6005-wlan-sec-prof-wlan-net]security ?
open Open system
wapi WLAN authentication and privacy infrastructure
wep Wired equivalent privacy
wpa Wi-Fi protected access
wpa-wpa2 Wi-Fi protected access version 1&2
wpa2 Wi-Fi protected access version 2
[AC6005-wlan-sec-prof-wlan-net]security open ?
<cr> Please press ENTER to execute command
[AC6005-wlan-sec-prof-wlan-net]security open
[AC6005-wlan-sec-prof-wlan-net]ssid
^
Error: Unrecognized command found at '^' position.
[AC6005-wlan-sec-prof-wlan-net]q
[AC6005-wlan-view]ssid-p
[AC6005-wlan-view]ssid-profile name ceshi
[AC6005-wlan-ssid-prof-ceshi]ssid ceshi
Info: This operation may take a few seconds, please wait.done.
[AC6005-wlan-ssid-prof-ceshi]q
[AC6005-wlan-view]vap-p
[AC6005-wlan-view]vap-profile name wlan-net
[AC6005-wlan-vap-prof-wlan-net]f
[AC6005-wlan-vap-prof-wlan-net]forward-mode d
[AC6005-wlan-vap-prof-wlan-net]forward-mode direct-forward
[AC6005-wlan-view]q
[AC6005]vlan pp
[AC6005]vlan pool
[AC6005]vlan pool
[AC6005]vlan pool ceshi.
[AC6005-vlan-pool-ceshi]vlan 10 20 40 30
[AC6005-vlan-pool-ceshi]wlan
[AC6005-wlan-view]vap-p
[AC6005-wlan-view]vap-profile
[AC6005-wlan-view]vap-profile name
[AC6005-wlan-view]vap-profile name wlan-net
[AC6005-wlan-vap-prof-wlan-net]serv
[AC6005-wlan-vap-prof-wlan-net]service-v
[AC6005-wlan-vap-prof-wlan-net]service-vlan vlan-p
[AC6005-wlan-vap-prof-wlan-net]service-vlan vlan-pool ?
STRING<1-31> VLAN pool name
[AC6005-wlan-vap-prof-wlan-net]service-vlan vlan-pool ceshi
Info: This operation may take a few seconds, please wait.done.
[AC6005-wlan-vap-prof-wlan-net]se
[AC6005-wlan-vap-prof-wlan-net]security-profile wlan-net
Info: This operation may take a few seconds, please wait.done.
[AC6005-wlan-vap-prof-wlan-net]ssid-p
[AC6005-wlan-vap-prof-wlan-net]ssid-profile vlan-net
Error: The SSID profile does not exist.
[AC6005-wlan-vap-prof-wlan-net]ssid-profile ceshi
Info: This operation may take a few seconds, please wait.done.
[AC6005-wlan-vap-prof-wlan-net]q
[AC6005-wlan-view]q
[AC6005]wlan
[AC6005-wlan-view]ap-group name ap-group1
[AC6005-wlan-ap-group-ap-group1]vap-p
[AC6005-wlan-ap-group-ap-group1]vap-profile wlan
[AC6005-wlan-ap-group-ap-group1]vap-profile wlan-net waln 1 ra
[AC6005-wlan-ap-group-ap-group1]vap-profile wlan-net waln-net 1 ra
[AC6005-wlan-ap-group-ap-group1]vap-profile wlan-net wlan 1 radio 0
Info: This operation may take a few seconds, please wait...done.
[AC6005-wlan-ap-group-ap-group1]vap-profile wlan-net wlan 1 radio 1
Info: This operation may take a few seconds, please wait...done.
[AC6005-wlan-ap-group-ap-group1]
[AC6005-wlan-ap-group-ap-group1]dis vap ssid ceshi
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-----------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
-----------------------------------------------------------------------
0 ap1 0 1 00E0-FC4D-67A0 ON Open 0 ceshi
0 ap1 1 1 00E0-FC4D-67B0 ON Open 0 ceshi
1 ap2 0 1 00E0-FC30-2D10 ON Open 1 ceshi
1 ap2 1 1 00E0-FC30-2D20 ON Open 0 ceshi
-----------------------------------------------------------------------
Total: 4
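Added example (not from the notes): the same wlan-net security profile switched from `security open` to WPA2-PSK with AES, so the ceshi SSID no longer carries client traffic in the clear. The passphrase is a constructed placeholder (Huawei requires 8 to 63 characters); the `ap auth-mode sn-auth` line is an extra tightening of the `ap auth-mode no-auth` visible in the `dis this` output above and relies on the two APs already being registered with their SNs there.

```text
[AC6005]wlan
[AC6005-wlan-view]security-profile name wlan-net
// WPA2-PSK/AES replaces "security open"; PLACEHOLDER passphrase, 8-63 characters, set your own
[AC6005-wlan-sec-prof-wlan-net]security wpa2 psk pass-phrase LabPsk-ChangeMe aes
[AC6005-wlan-sec-prof-wlan-net]quit
// vap-profile wlan-net already references this security profile, the ceshi ssid-profile
// and the ceshi vlan-pool, so the bound VAPs on radio 0/1 pick up the change
[AC6005-wlan-view]vap-profile name wlan-net
[AC6005-wlan-vap-prof-wlan-net]security-profile wlan-net
[AC6005-wlan-vap-prof-wlan-net]quit
// added: only APs whose SN is registered (the ap-sn lines in dis this) may join this AC
[AC6005-wlan-view]ap auth-mode sn-auth
// verify: the Auth type column should no longer read Open for ssid ceshi
[AC6005-wlan-view]display vap ssid ceshi
```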
gateway-list 192.168.20.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.20.250 192.168.20.252
dns-list 1.1.1.1
#
WiFi clients could not connect: an IP address conflict meant no address was obtained.
Disable the DHCP function on the DHCP server.
Clear the address pool information and exclude addresses 250-253 of the pool from allocation.
Set the global allocation mode on the interface.
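Added example (not from the notes) of the three-step fix just described, applied to pool 30: the pool is cleared and disabled first, .250 to .253 are kept out of the lease range so the switches' own .251/.252 addresses can never be handed to a client, the gateway is the VRRP virtual address, and the interface facing the switches uses the global pool. The interface name, hostname and dns-list value are taken from the notes above.

```text
// step 1: stop serving and clear stale bindings (used and conflicted) from pool 30
<dhcp>reset ip pool name 30 all
<dhcp>system-view
[dhcp]undo dhcp enable

// step 2: rebuild the pool with the gateway/switch addresses excluded from allocation
[dhcp]ip pool 30
[dhcp-ip-pool-30]network 192.168.30.0 mask 255.255.255.0
[dhcp-ip-pool-30]gateway-list 192.168.30.254 //VRRP virtual address, not a switch's own address
[dhcp-ip-pool-30]excluded-ip-address 192.168.30.250 192.168.30.253 //.251/.252 are lsw1/lsw3, .250/.253 reserved
[dhcp-ip-pool-30]dns-list 1.1.1.1
[dhcp-ip-pool-30]quit

// step 3: re-enable DHCP and use global pool allocation on the interface towards the switches
[dhcp]dhcp enable
[dhcp]interface GigabitEthernet 0/0/0
[dhcp-GigabitEthernet0/0/0]dhcp select global
[dhcp-GigabitEthernet0/0/0]quit

// verify: Conflict count stays at 0 and .250-.253 do not appear as free addresses
[dhcp]display ip pool name 30
```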