Contents
1 Network Planning
1.1 Topology Design
1.2 VLAN Division
1.3 IP Address Planning
2 Lab Requirements
3 Device Configuration
3.1 Access Layer Configuration
3.1.1 VLAN creation and renaming
3.1.2 Port mode settings
3.1.3 MSTP configuration
3.2 Aggregation Layer Configuration
3.2.1 VLAN creation and renaming
3.2.2 Port type settings
3.2.3 MSTP configuration
3.2.4 ACL configuration
3.3 Core Layer Configuration
3.3.1 VLAN creation and renaming
3.3.2 Link aggregation configuration
3.3.3 Port type settings
3.3.4 VRRP configuration
3.3.5 MSTP configuration
3.3.6 DHCP configuration
3.3.7 OSPF configuration
3.4 Router Configuration
3.4.1 Interface address settings
3.4.2 OSPF configuration
3.4.3 Default route settings
3.4.4 NAPT configuration
4 Testing
4.1 DHCP and internal/external connectivity test
4.2 MSTP load balancing check
4.3 VRRP status check
4.4 Link aggregation status check
4.5 NAT test
4.6 ACL test
The company's Technology department, Sales department, general office area, Finance department, HR department, General Manager's office area and server zone are assigned VLAN10, VLAN20, VLAN30, VLAN40, VLAN50, VLAN60 and VLAN100 respectively. The switches and the router exchange traffic over addressed VLAN interfaces. The detailed VLAN and IP address plan is shown in Table 1.
Table 1  VLAN address plan

| Description | VLAN | Subnet | Subnet mask | Gateway IP address |
|---|---|---|---|---|
| Technology | 10 | 10.0.10.0 | 255.255.255.0 | 10.0.10.254 |
| Sales | 20 | 10.0.20.0 | 255.255.255.0 | 10.0.20.254 |
| General office | 30 | 10.0.30.0 | 255.255.255.0 | 10.0.30.254 |
| Finance | 40 | 10.0.40.0 | 255.255.255.0 | 10.0.40.254 |
| HR | 50 | 10.0.50.0 | 255.255.255.0 | 10.0.50.254 |
| General Manager's office | 60 | 10.0.60.0 | 255.255.255.0 | 10.0.60.254 |
| Server zone | 100 | 10.0.100.0 | 255.255.255.0 | 10.0.100.254 |
The IP address of each device interface is shown in Table 2:

Table 2  Device interface IP address plan

| Device | Interface | IP address | Subnet mask |
|---|---|---|---|
| HX_SW1 | Vlan 10 | 10.0.10.1 | 255.255.255.0 |
| | Vlan 20 | 10.0.20.1 | 255.255.255.0 |
| | Vlan 30 | 10.0.30.1 | 255.255.255.0 |
| | Vlan 40 | 10.0.40.1 | 255.255.255.0 |
| | Vlan 50 | 10.0.50.1 | 255.255.255.0 |
| | Vlan 60 | 10.0.60.1 | 255.255.255.0 |
| | Vlan 100 | 10.0.100.1 | 255.255.255.0 |
| | Vlan 700 | 10.0.1.2 | 255.255.255.252 |
| HX_SW2 | Vlan 10 | 10.0.10.2 | 255.255.255.0 |
| | Vlan 20 | 10.0.20.2 | 255.255.255.0 |
| | Vlan 30 | 10.0.30.2 | 255.255.255.0 |
| | Vlan 40 | 10.0.40.2 | 255.255.255.0 |
| | Vlan 50 | 10.0.50.2 | 255.255.255.0 |
| | Vlan 60 | 10.0.60.2 | 255.255.255.0 |
| | Vlan 100 | 10.0.100.2 | 255.255.255.0 |
| | Vlan 800 | 10.0.1.4 | 255.255.255.252 |
| R1 | G0/0/0 | 12.1.1.1 | 255.255.255.0 |
| | G0/0/1 | 10.0.1.1 | 255.255.255.252 |
| | G0/0/2 | 10.0.1.5 | 255.255.255.252 |
| ISP | G0/0/0 | 7.7.7.1 | 255.255.255.0 |
| | G0/0/1 | 12.1.1.254 | 255.255.255.0 |
| Department PCs | | Obtained dynamically via DHCP | 255.255.255.0 |
Access switch LSW6 configuration: VLAN creation, port type settings and MSTP.
system-view
[Huawei]vlan batch 10 20 30 40 50 60 100 //create the VLANs in one command
[Huawei]sysname JR_SW6 //name the switch
[JR_SW6]port-group group-member e0/0/3 to e0/0/22 //create a port group for batch configuration
[JR_SW6-port-group]port link-type access //set the ports to access mode
[JR_SW6-port-group]port default vlan 30 //assign the ports to VLAN 30
[JR_SW6-port-group]quit //return to the previous view
[JR_SW6]int g0/0/1
[JR_SW6-GigabitEthernet0/0/1]port link-type trunk
[JR_SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan all //allow all VLANs on the trunk
[JR_SW6-GigabitEthernet0/0/1]quit
[JR_SW6]stp mode mstp
[JR_SW6]stp region-configuration //enter the MSTP region configuration view
[JR_SW6-mst-region]region-name MSTP //set the region name to MSTP
[JR_SW6-mst-region]revision-level 0
[JR_SW6-mst-region]instance 1 vlan 10 20 30 //map VLANs 10, 20 and 30 to instance 1
[JR_SW6-mst-region]instance 2 vlan 40 50 60 100
[JR_SW6-mst-region]active region-configuration //activate the region configuration
[JR_SW6-mst-region]quit
[JR_SW6]quit
save //save the configuration
Access switches LSW5, LSW7 and LSW8 are configured in the same way as LSW6 and are not listed individually.
Aggregation switch LSW4 configuration: VLAN creation, port type settings, MSTP and the ACL.
system-view
[Huawei]un in en //disable the log messages flooding the terminal (undo info-center enable)
[Huawei]sysname HJ_SW4
[HJ_SW4]vlan batch 10 20 30 40 50 60 100
[HJ_SW4]port-group group-member g0/0/1 to g0/0/4
[HJ_SW4-port-group]port link-type trunk
[HJ_SW4-port-group]port trunk allow-pass vlan all
[HJ_SW4-port-group]quit
[HJ_SW4]stp mode mstp
[HJ_SW4]stp region-configuration
[HJ_SW4-mst-region]region-name MSTP
[HJ_SW4-mst-region]revision-level 0
[HJ_SW4-mst-region]instance 1 vlan 10 20 30
[HJ_SW4-mst-region]instance 2 vlan 40 50 60 100
[HJ_SW4-mst-region]active region-configuration
[HJ_SW4-mst-region]quit
//configure an ACL that blocks every department except the General Manager's office from reaching Finance
[HJ_SW4]acl 3000
[HJ_SW4-acl-adv-3000]rule deny ip source 10.0.10.0 0.0.0.255 destination 10.0.40.0 0.0.0.255 //deny Technology (10.0.10.0/24) to Finance
[HJ_SW4-acl-adv-3000]rule deny ip source 10.0.20.0 0.0.0.255 destination 10.0.40.0 0.0.0.255
[HJ_SW4-acl-adv-3000]rule deny ip source 10.0.30.0 0.0.0.255 destination 10.0.40.0 0.0.0.255
[HJ_SW4-acl-adv-3000]rule deny ip source 10.0.50.0 0.0.0.255 destination 10.0.40.0 0.0.0.255
[HJ_SW4-acl-adv-3000]rule permit ip destination 10.0.40.0 0.0.0.255
[HJ_SW4-acl-adv-3000]quit
[HJ_SW4]int g0/0/3
[HJ_SW4-GigabitEthernet0/0/3]traffic-filter outbound acl 3000 //apply ACL 3000 in the outbound direction of g0/0/3
[HJ_SW4-GigabitEthernet0/0/3]quit
[HJ_SW4]quit
save
Aggregation switch LSW3 is configured in the same way as LSW4 (note: LSW3 does not need the ACL) and is not listed individually.
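The effect of ACL 3000 can be checked before it is deployed. The following is an added example and not part of the lab report: a Python first-match evaluator over the rules transcribed from the HJ_SW4 configuration, with the wildcard-to-prefix conversion, the sample host addresses and the function names being this example's own assumptions. Run against one host per zone it shows the verdicts the report's Figures 11 and 12 confirm, and it also makes two things visible that the configuration alone does not: the closing permit admits the server zone (VLAN 100) to Finance, because no deny covers 10.0.100.0/24, and the filter only acts in the direction in which it is applied (outbound on g0/0/3).

```python
"""First-match simulation of advanced ACL 3000 as applied on HJ_SW4.

Added example, not part of the lab report.  The rules are transcribed from
the page; the evaluator, the wildcard conversion and the sample hosts are
this example's own assumptions.
"""
import ipaddress

ANY = None  # a rule without a source or destination clause matches any address

# (action, (source address, wildcard), (destination address, wildcard)), in rule order
ACL_3000 = [
    ("deny", ("10.0.10.0", "0.0.0.255"), ("10.0.40.0", "0.0.0.255")),   # Technology -> Finance
    ("deny", ("10.0.20.0", "0.0.0.255"), ("10.0.40.0", "0.0.0.255")),   # Sales -> Finance
    ("deny", ("10.0.30.0", "0.0.0.255"), ("10.0.40.0", "0.0.0.255")),   # General office -> Finance
    ("deny", ("10.0.50.0", "0.0.0.255"), ("10.0.40.0", "0.0.0.255")),   # HR -> Finance
    ("permit", ANY, ("10.0.40.0", "0.0.0.255")),                         # everything else -> Finance
]

# Huawei traffic-filter forwards packets that match no rule (implicit permit)
DEFAULT_ACTION = "permit"


def to_network(clause):
    """Convert Huawei 'address wildcard' notation to an ip_network (contiguous wildcards only)."""
    if clause is ANY:
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = clause
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported here")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def evaluate(acl, src, dst, default=DEFAULT_ACTION):
    """Return the action of the first rule matching the flow, or the default action."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_clause, dst_clause in acl:
        if s in to_network(src_clause) and d in to_network(dst_clause):
            return action
    return default


# Constructed sample hosts, one per zone of Table 1 (addresses chosen for this example)
HOSTS = {
    "technology": "10.0.10.11", "sales": "10.0.20.11", "office": "10.0.30.11",
    "finance": "10.0.40.11", "hr": "10.0.50.11", "gm": "10.0.60.11", "servers": "10.0.100.11",
}


def finance_access_matrix(acl=ACL_3000, hosts=HOSTS):
    """Which zones may reach the Finance host through the filtered port."""
    return {zone: evaluate(acl, ip, hosts["finance"])
            for zone, ip in hosts.items() if zone != "finance"}


if __name__ == "__main__":
    for zone, verdict in finance_access_matrix().items():
        print(f"{zone:>10} -> finance: {verdict}")
```

If the server zone is not meant to reach Finance either, an additional deny for 10.0.100.0/24 placed before the final permit closes that path; adding it to `ACL_3000` above and re-running the matrix is the quickest way to confirm the ordering is right.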
Core switch LSW1 configuration: VLAN creation, link aggregation, port type settings, VRRP, MSTP, DHCP and OSPF.
system-view
[Huawei]un in en
[Huawei]sysname HX_SW1
[HX_SW1]vlan batch 10 20 30 40 50 60 100 700 800
[HX_SW1]int Eth-Trunk 1 //aggregation group
[HX_SW1-Eth-Trunk1]mode lacp-static //static LACP mode
[HX_SW1-Eth-Trunk1]trunkport g0/0/23
[HX_SW1-Eth-Trunk1]trunkport g0/0/24 //bundle the two ports
[HX_SW1-Eth-Trunk1]port link-type trunk
[HX_SW1-Eth-Trunk1]port trunk allow-pass vlan all
[HX_SW1-Eth-Trunk1]quit
[HX_SW1]int g0/0/1
[HX_SW1-GigabitEthernet0/0/1]port link-type access
[HX_SW1-GigabitEthernet0/0/1]port default vlan 700
[HX_SW1-GigabitEthernet0/0/1]quit
[HX_SW1]port-group group-member g0/0/2 to g0/0/4
[HX_SW1-port-group]port link-type trunk
[HX_SW1-port-group]port trunk allow-pass vlan all
[HX_SW1-port-group]quit
[HX_SW1]int vlanif 700
[HX_SW1-Vlanif700]ip address 10.0.1.2 30
[HX_SW1-Vlanif700]q
//SW1 is the active gateway for VLAN10, VLAN20 and VLAN30 and the backup gateway for VLAN40, VLAN50, VLAN60 and VLAN100; SW2 is the reverse.
[HX_SW1]int vlanif 10 //enter the VLAN 10 interface
[HX_SW1-Vlanif10]ip address 10.0.10.1 24 //configure the VLAN 10 interface address
[HX_SW1-Vlanif10]vrrp vrid 10 virtual-ip 10.0.10.254 //create VRRP group 10 and set its virtual IP address
[HX_SW1-Vlanif10]vrrp vrid 10 priority 120 //set SW1's priority to 120 (default 100); the higher value wins
[HX_SW1-Vlanif10]vrrp vrid 10 preempt-mode timer delay 6 //master preemption delay of 6 seconds (default 0, immediate) to avoid frequent state changes
[HX_SW1-Vlanif10]vrrp vrid 10 track interface g0/0/1 reduced 30
//track the uplink g0/0/1; if it fails, lower the master priority by 30 (default 10)
[HX_SW1-Vlanif10]int vlanif 20
[HX_SW1-Vlanif20]ip address 10.0.20.1 24
[HX_SW1-Vlanif20]vrrp vrid 20 virtual-ip 10.0.20.254
[HX_SW1-Vlanif20]vrrp vrid 20 priority 120
[HX_SW1-Vlanif20]vrrp vrid 20 preempt-mode timer delay 6
[HX_SW1-Vlanif20]vrrp vrid 20 track interface g0/0/1 reduced 30
[HX_SW1-Vlanif20]int vlanif 30
[HX_SW1-Vlanif30]ip address 10.0.30.1 24
[HX_SW1-Vlanif30]vrrp vrid 30 virtual-ip 10.0.30.254
[HX_SW1-Vlanif30]vrrp vrid 30 priority 120
[HX_SW1-Vlanif30]vrrp vrid 30 preempt-mode timer delay 6
[HX_SW1-Vlanif30]vrrp vrid 30 track interface g0/0/1 reduced 30
[HX_SW1-Vlanif30]int vlanif 40
[HX_SW1-Vlanif40]ip address 10.0.40.1 24
[HX_SW1-Vlanif40]vrrp vrid 40 virtual-ip 10.0.40.254
[HX_SW1-Vlanif40]int vlanif 50
[HX_SW1-Vlanif50]ip address 10.0.50.1 24
[HX_SW1-Vlanif50]vrrp vrid 50 virtual-ip 10.0.50.254
[HX_SW1-Vlanif50]int vlanif 60
[HX_SW1-Vlanif60]ip address 10.0.60.1 24
[HX_SW1-Vlanif60]vrrp vrid 60 virtual-ip 10.0.60.254
[HX_SW1-Vlanif60]int vlanif 100
[HX_SW1-Vlanif100]ip address 10.0.100.1 24
[HX_SW1-Vlanif100]vrrp vrid 100 virtual-ip 10.0.100.254
[HX_SW1-Vlanif100]quit
3.3.5 MSTP Configuration
[HX_SW1]stp mode mstp
[HX_SW1]stp region-configuration
[HX_SW1-mst-region]region-name MSTP
[HX_SW1-mst-region]revision-level 0
[HX_SW1-mst-region]instance 1 vlan 10 20 30
[HX_SW1-mst-region]instance 2 vlan 40 50 60 100
[HX_SW1-mst-region]active region-configuration
[HX_SW1-mst-region]quit
[HX_SW1]stp instance 1 root primary //root bridge for instance 1
[HX_SW1]stp instance 2 root secondary //backup root bridge for instance 2
[HX_SW1]dhcp enable //enable the DHCP service
[HX_SW1]ip pool vlan10 //create an address pool named vlan10
[HX_SW1-ip-pool-vlan10]gateway-list 10.0.10.254 //gateway (the VRRP virtual IP)
[HX_SW1-ip-pool-vlan10]network 10.0.10.0 mask 24 //lease addresses from 10.0.10.0/24
[HX_SW1-ip-pool-vlan10]dns-list 114.114.114.114 //DNS server
[HX_SW1-ip-pool-vlan10]excluded-ip-address 10.0.10.1 10.0.10.2 //exclude the two switch addresses from the pool
[HX_SW1-ip-pool-vlan10]int vlan 10
[HX_SW1-Vlanif10]dhcp select global
[HX_SW1-Vlanif10]quit
[HX_SW1]ip pool vlan20
[HX_SW1-ip-pool-vlan20]gateway-list 10.0.20.254
[HX_SW1-ip-pool-vlan20]network 10.0.20.0 mask 24
[HX_SW1-ip-pool-vlan20]dns-list 114.114.114.114
[HX_SW1-ip-pool-vlan20]excluded-ip-address 10.0.20.1 10.0.20.2
[HX_SW1-ip-pool-vlan20]int vlan 20
[HX_SW1-Vlanif20]dhcp select global
[HX_SW1-Vlanif20]quit
[HX_SW1]ip pool vlan30
[HX_SW1-ip-pool-vlan30]gateway-list 10.0.30.254
[HX_SW1-ip-pool-vlan30]network 10.0.30.0 mask 24
[HX_SW1-ip-pool-vlan30]dns-list 114.114.114.114
[HX_SW1-ip-pool-vlan30]excluded-ip-address 10.0.30.1 10.0.30.2
[HX_SW1-ip-pool-vlan30]int vlan 30
[HX_SW1-Vlanif30]dhcp select global
[HX_SW1-Vlanif30]quit
[HX_SW1]ip pool vlan40
[HX_SW1-ip-pool-vlan40]gateway-list 10.0.40.254
[HX_SW1-ip-pool-vlan40]network 10.0.40.0 mask 24
[HX_SW1-ip-pool-vlan40]dns-list 114.114.114.114
[HX_SW1-ip-pool-vlan40]excluded-ip-address 10.0.40.1 10.0.40.2
[HX_SW1-ip-pool-vlan40]int vlan 40
[HX_SW1-Vlanif40]dhcp select global
[HX_SW1-Vlanif40]quit
[HX_SW1]ip pool vlan50
[HX_SW1-ip-pool-vlan50]gateway-list 10.0.50.254
[HX_SW1-ip-pool-vlan50]network 10.0.50.0 mask 24
[HX_SW1-ip-pool-vlan50]dns-list 114.114.114.114
[HX_SW1-ip-pool-vlan50]excluded-ip-address 10.0.50.1 10.0.50.2
[HX_SW1-ip-pool-vlan50]int vlan 50
[HX_SW1-Vlanif50]dhcp select global
[HX_SW1-Vlanif50]quit
[HX_SW1]ip pool vlan60
[HX_SW1-ip-pool-vlan60]gateway-list 10.0.60.254
[HX_SW1-ip-pool-vlan60]network 10.0.60.0 mask 24
[HX_SW1-ip-pool-vlan60]dns-list 114.114.114.114
[HX_SW1-ip-pool-vlan60]excluded-ip-address 10.0.60.1 10.0.60.2
[HX_SW1-ip-pool-vlan60]int vlan 60
[HX_SW1-Vlanif60]dhcp select global
[HX_SW1-Vlanif60]quit
[HX_SW1]ospf
[HX_SW1-ospf-1]area 0 //area 0
[HX_SW1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255 //advertise the directly connected networks
[HX_SW1-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]network 10.0.30.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]network 10.0.40.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]network 10.0.50.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]network 10.0.60.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]network 10.0.100.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.3
[HX_SW1-ospf-1-area-0.0.0.0]quit
[HX_SW1-ospf-1]quit
[HX_SW1]quit
save
Core switch LSW2 is configured in the same way as LSW1 and is not listed individually.
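The VRRP and DHCP configuration above must agree with Tables 1 and 2 on every VLAN, which is easy to get wrong by hand. The following consistency audit is an added example and not part of the lab report: the plan data is transcribed from the tables and the HX_SW1 configuration, while the check functions and their names are this example's own. It verifies that the two physical addresses and the VRRP virtual IP of each VLAN are distinct host addresses inside the subnet, that each DHCP pool uses the VLAN's network, hands out the virtual IP as gateway and excludes both switch addresses, and that each /30 link between a core switch and R1 has both ends in the same network.

```python
"""Consistency audit of the VLAN, VRRP, DHCP and point-to-point address plan.

Added example, not part of the lab report.  The data below is transcribed
from Tables 1 and 2 and the HX_SW1 configuration; the function names and
the checks themselves are this example's own.
"""
import ipaddress

# Per VLAN: (subnet, HX_SW1 address, HX_SW2 address, VRRP virtual IP)
VLAN_PLAN = {
    10: ("10.0.10.0/24", "10.0.10.1", "10.0.10.2", "10.0.10.254"),
    20: ("10.0.20.0/24", "10.0.20.1", "10.0.20.2", "10.0.20.254"),
    30: ("10.0.30.0/24", "10.0.30.1", "10.0.30.2", "10.0.30.254"),
    40: ("10.0.40.0/24", "10.0.40.1", "10.0.40.2", "10.0.40.254"),
    50: ("10.0.50.0/24", "10.0.50.1", "10.0.50.2", "10.0.50.254"),
    60: ("10.0.60.0/24", "10.0.60.1", "10.0.60.2", "10.0.60.254"),
    100: ("10.0.100.0/24", "10.0.100.1", "10.0.100.2", "10.0.100.254"),
}

# DHCP pools on HX_SW1: (network, gateway-list, excluded addresses); VLAN 100 has no pool
DHCP_POOLS = {
    10: ("10.0.10.0/24", "10.0.10.254", ("10.0.10.1", "10.0.10.2")),
    20: ("10.0.20.0/24", "10.0.20.254", ("10.0.20.1", "10.0.20.2")),
    30: ("10.0.30.0/24", "10.0.30.254", ("10.0.30.1", "10.0.30.2")),
    40: ("10.0.40.0/24", "10.0.40.254", ("10.0.40.1", "10.0.40.2")),
    50: ("10.0.50.0/24", "10.0.50.254", ("10.0.50.1", "10.0.50.2")),
    60: ("10.0.60.0/24", "10.0.60.254", ("10.0.60.1", "10.0.60.2")),
}

# /30 links between the core switches and R1 (Table 2)
P2P_LINKS = [
    ("HX_SW1 Vlanif700", "10.0.1.2/30", "R1 G0/0/1", "10.0.1.1/30"),
    ("HX_SW2 Vlanif800", "10.0.1.4/30", "R1 G0/0/2", "10.0.1.5/30"),
]


def usable(addr, net):
    """True when addr is a host address inside net (not the network or broadcast address)."""
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def check_vlan(subnet, sw1, sw2, vip):
    """Return the problems found for one VLAN entry; an empty list means it is consistent."""
    net = ipaddress.ip_network(subnet)
    addrs = {"HX_SW1": ipaddress.ip_address(sw1),
             "HX_SW2": ipaddress.ip_address(sw2),
             "VRRP VIP": ipaddress.ip_address(vip)}
    problems = [f"{name} {a} is not a host address in {net}"
                for name, a in addrs.items() if not usable(a, net)]
    if len(set(addrs.values())) != len(addrs):
        problems.append(f"duplicate addresses in {net}: {sorted(map(str, addrs.values()))}")
    return problems


def check_dhcp(vlan, plan=VLAN_PLAN, pools=DHCP_POOLS):
    """A pool must use the VLAN's network, hand out the VRRP VIP as gateway,
    and exclude both physical switch addresses from the lease range."""
    subnet, sw1, sw2, vip = plan[vlan]
    pool_net, gateway, excluded = pools[vlan]
    problems = []
    if ipaddress.ip_network(pool_net) != ipaddress.ip_network(subnet):
        problems.append(f"VLAN {vlan}: pool network {pool_net} differs from plan {subnet}")
    if gateway != vip:
        problems.append(f"VLAN {vlan}: gateway-list {gateway} is not the VRRP VIP {vip}")
    missing = {sw1, sw2} - set(excluded)
    if missing:
        problems.append(f"VLAN {vlan}: switch addresses {sorted(missing)} not excluded from the pool")
    return problems


def check_p2p(a_name, a_if, b_name, b_if):
    """Both ends of a /30 link must share the same network and use different addresses."""
    a, b = ipaddress.ip_interface(a_if), ipaddress.ip_interface(b_if)
    problems = []
    if a.network != b.network:
        problems.append(f"{a_name} {a_if} and {b_name} {b_if} are on different networks")
    if a.ip == b.ip:
        problems.append(f"{a_name} and {b_name} both use {a.ip}")
    return problems


def audit_plan(plan=VLAN_PLAN, pools=DHCP_POOLS, links=P2P_LINKS):
    """Run every check and return only the entries that have problems."""
    report = {f"vlan{v}": check_vlan(*plan[v]) for v in plan}
    report.update({f"dhcp{v}": check_dhcp(v, plan, pools) for v in pools})
    report.update({link[0]: check_p2p(*link) for link in links})
    return {k: v for k, v in report.items() if v}


if __name__ == "__main__":
    findings = audit_plan()
    print("plan is consistent" if not findings else findings)
```

A virtual IP typed into the wrong subnet, or a pool that forgets to exclude the backup switch's address, shows up as a named finding rather than as a VRRP group that never forms or a duplicate-address conflict on the first lease.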
R1 configuration: interface addresses, OSPF, a default route and NAPT. (The ISP router only needs interface addresses and a default route.)
system-view
[Huawei]sysname R1
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.1.1 30
[R1-GigabitEthernet0/0/1]q
[R1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip address 10.0.1.5 30
[R1-GigabitEthernet0/0/2]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip address 12.1.1.1 24
[R1-GigabitEthernet0/0/0]q
[R1]ospf
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.3
[R1-ospf-1-area-0.0.0.0]network 10.0.1.4 0.0.0.3
[R1-ospf-1-area-0.0.0.0]q
[R1-ospf-1]q
[R1]ip route-static 0.0.0.0 0.0.0.0 12.1.1.254 //default route towards the ISP
[R1]ospf
[R1-ospf-1]default-route-advertise //advertise the default route into OSPF
[R1-ospf-1]q
[R1]nat address-group 1 12.1.1.2 12.1.1.10 //public address pool
[R1]acl 2000
[R1-acl-basic-2000]rule 5 permit //translate every internal source address
[R1-acl-basic-2000]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]nat outbound 2000 address-group 1 //apply NAPT in the outbound direction of g0/0/0
[R1-GigabitEthernet0/0/0]q
[R1]q
save
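What the NAPT configuration does to a flow is easier to see in a small translation table than in the capture. The following is an added example and not part of the lab report: the address pool and the permit-all ACL 2000 are transcribed from the R1 configuration, while the port allocation policy, the round-robin choice of pool address and the class layout are this example's assumptions (the report's Figure 9 only shows that the first host was translated to 12.1.1.2). The model also shows the property a defender cares about: a packet arriving from the ISP side for a pool address with no existing mapping has nowhere to go and is dropped, so no inside host is reachable from outside unless a mapping is created deliberately.

```python
"""Toy NAPT table matching the R1 configuration (address-group 12.1.1.2-12.1.1.10,
ACL 2000 permitting every inside source, applied outbound on G0/0/0).

Added example, not from the lab report.  The pool and ACL are transcribed from
the page; the port allocation policy, the round-robin choice of pool address and
the class layout are this example's assumptions.
"""
import ipaddress

POOL_START, POOL_END = "12.1.1.2", "12.1.1.10"   # nat address-group 1 12.1.1.2 12.1.1.10
NAT_ACL_2000 = [("permit", "0.0.0.0/0")]         # rule 5 permit: translate every inside source


def pool_addresses(start=POOL_START, end=POOL_END):
    """Expand the address-group range into individual public addresses."""
    first, last = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]


def nat_eligible(src_ip, acl=NAT_ACL_2000):
    """Basic ACL check deciding whether a source is translated at all."""
    s = ipaddress.ip_address(src_ip)
    for action, net in acl:
        if s in ipaddress.ip_network(net):
            return action == "permit"
    return False  # no match: the packet leaves untranslated (and unreachable from outside)


class Napt:
    """Port-based translation table keyed on (inside ip, inside port, protocol)."""

    def __init__(self, pool, first_port=10240):
        self.pool = pool
        self.next_port = first_port          # assumed allocation: one new public port per mapping
        self.outbound_map = {}               # (in_ip, in_port, proto) -> (pub_ip, pub_port)
        self.inbound_map = {}                # (pub_ip, pub_port, proto) -> (in_ip, in_port)

    def outbound(self, src_ip, src_port, proto="tcp"):
        """Translate an inside->outside packet; create the mapping on first use."""
        if not nat_eligible(src_ip):
            return None
        key = (src_ip, src_port, proto)
        if key not in self.outbound_map:
            # assumed policy: walk the pool round-robin as mappings are created
            pub_ip = self.pool[len(self.outbound_map) % len(self.pool)]
            pub_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = (pub_ip, pub_port)
            self.inbound_map[(pub_ip, pub_port, proto)] = (src_ip, src_port)
        return self.outbound_map[key]

    def inbound(self, dst_ip, dst_port, proto="tcp"):
        """Translate an outside->inside packet; None means no mapping exists and it is dropped."""
        return self.inbound_map.get((dst_ip, dst_port, proto))


if __name__ == "__main__":
    nat = Napt(pool_addresses())
    print(nat.outbound("10.0.10.253", 40001, "icmp"))   # first mapping lands on 12.1.1.2
    print(nat.inbound("12.1.1.2", 10240, "icmp"))       # reply is mapped back to the inside host
    print(nat.inbound("12.1.1.2", 22))                  # unsolicited packet: None
```

Because ACL 2000 permits every source, the private management link addresses (10.0.1.0/30 and 10.0.1.4/30) are translated as well if they ever send traffic towards the ISP; restricting the ACL to the user subnets of Table 1 is a tighter choice when that is not wanted.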
Check that end-user PCs obtain addresses automatically through DHCP, as shown in Figure 1.
Figure 1 A Technology department PC obtaining an IP address automatically
After the devices are configured the network is fully connected; connectivity between departments is verified with the ping command, with the results shown in Figures 2 and 3:
Figure 2 Connectivity test between Technology and Sales
Figure 3 Connectivity between Technology and the ISP
Figure 4 Spanning-tree status of aggregation switch LSW3
The figure shows that instance 1 blocks port g0/0/2, so instance 1 traffic is forwarded via HX_SW1, while instance 2 blocks port g0/0/1, so instance 2 traffic is forwarded via HX_SW2.
Figure 5 Spanning-tree status of core switch HX_SW1
The figure shows that on HX_SW1 every port in instance 1 is a designated port, i.e. HX_SW1 is the root bridge of instance 1.
Check that the VRRP state on the core switches is normal by viewing the VRRP master/backup status.
Figure 6 VRRP master/backup status of HX_SW1/HX_SW2
Viewing SW1 and SW2 shows that SW1 is the active gateway for VLAN10, VLAN20 and VLAN30 and the backup gateway for VLAN40, VLAN50, VLAN60 and VLAN100; SW2 is the reverse.
Figure 7 HX_SW1
Check whether internal users reach the public network through NAPT translation; a host in the Technology department is used as the example.
Figure 8 A Technology department host pinging the Internet
Figure 9 Wireshark capture on the g0/0/1 interface of router R1
The capture shows that the internal address 10.0.10.253 has been translated to 12.1.1.2 from the address pool.
Figure 10 Connectivity test between a Finance host and its gateway
Figure 11 A Technology department host pinging Finance
Figure 12 A General Manager's office host pinging Finance
Testing shows that Finance can reach its gateway normally, and that access to Finance from every department other than the General Manager's office is blocked.