Author: Miao Hao, 15515026488 (WeChat: same number)
This article is excerpted from the Huawei ICT Competition Network Track Learning Space (China). If it infringes any rights, please contact the author promptly so the article can be removed.
The competition simulates a large enterprise whose campus network connects to a data center over a WAN.
To meet redundancy and load-balancing requirements, the enterprise network deploys MSTP and a firewall hot-standby pair to carry the web service and Internet access traffic. To support wireless office work, the engineer also deploys WLAN devices inside the enterprise network for Internet access.
As enterprise and data center networks are built on ever richer network resources, engineers face serious security challenges. Deploying an NGFW at the egress of the enterprise network and the data center network helps reduce security risk and achieve secure, efficient network management.
The enterprise's private cloud is deployed in the headquarters data center, and all of its business systems run on that private cloud. The web server hosting the OA system sits in the headquarters data center, and each branch reaches the remote data center's Web-Server over MPLS VPN. For security reasons the Web-Server's private address is not advertised into the WAN; access is provided through the public address 100.1.1.1, and traffic from Web-Client to Web-Server is destination-NATed on firewall FW3 to the Web-Server's private address.
To let the data center tenant's business VMs on different subnets (here VM1 and VM2) communicate, a GRE tunnel is deployed in the data center to provide a Layer 3 path between VM1 and VM2.
The WAN links the enterprise intranet to the remote headquarters data center. MPLS VPN is deployed on the WAN to provide the enterprise's dedicated-line service and to keep services isolated across the WAN.
The lab uses the following devices:
Following the plan in Table 2-2, configure the device names; configure VLAN link types and VLAN parameters on SW1, SW2 and SW3; and configure subinterfaces and subinterface IDs on PE1, FW1 and FW2.
Configure device names and interface IP addresses according to Figure 2-1 and Table 2-3.
Configuration:
Tasks 1/2: device naming / VLANs / IP addresses
#SW1
system-view
[Huawei]sysname SW1
[SW1]vlan batch 2 to 20
[SW1]interface Ethernet0/0/1
[SW1-Ethernet0/0/1]port link-type access
[SW1-Ethernet0/0/1]port default vlan 10
[SW1]interface Ethernet0/0/2
[SW1-Ethernet0/0/2]port link-type access
[SW1-Ethernet0/0/2]port default vlan 19
[SW1]port-group group-member GigabitEthernet 0/0/1 GigabitEthernet 0/0/2
[SW1-port-group]port link-type trunk
[SW1-port-group]undo port trunk allow-pass vlan 1
[SW1-port-group]port trunk allow-pass vlan 2 to 20
#SW2
system-view
[Huawei]sysname SW2
[SW2]vlan batch 2 to 20
[SW2]port-group group-member GigabitEthernet 0/0/1 GigabitEthernet 0/0/3 GigabitEthernet 0/0/5
[SW2-port-group]port link-type trunk
[SW2-port-group]undo port trunk allow-pass vlan 1
[SW2-port-group]port trunk allow-pass vlan 2 to 20
#SW3
system-view
[Huawei]sysname SW3
[SW3]vlan batch 2 to 20
[SW3]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/3 GigabitEthernet 0/0/5
[SW3-port-group]port link-type trunk
[SW3-port-group]undo port trunk allow-pass vlan 1
[SW3-port-group]port trunk allow-pass vlan 2 to 20
#FW1
system-view
[USG6000V1]sysname FW1
[FW1]interface GigabitEthernet 1/0/5.1
[FW1-GigabitEthernet1/0/5.1]vlan-type dot1q 10
[FW1-GigabitEthernet1/0/5.1]ip address 192.168.1.2 24
[FW1]interface GigabitEthernet 1/0/5.2
[FW1-GigabitEthernet1/0/5.2]vlan-type dot1q 20
[FW1-GigabitEthernet1/0/5.2]ip address 192.168.2.2 24
[FW1]interface GigabitEthernet 1/0/3.1
[FW1-GigabitEthernet1/0/3.1]vlan-type dot1q 1
[FW1-GigabitEthernet1/0/3.1]ip address 10.2.2.1 30
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 15.1.1.1 24
[FW1]interface GigabitEthernet 1/0/3
[FW1-GigabitEthernet1/0/3]ip address 10.2.1.1 30
#FW2
system-view
[USG6000V1]sysname FW2
[FW2]interface GigabitEthernet 1/0/5.1
[FW2-GigabitEthernet1/0/5.1]vlan-type dot1q 10
[FW2-GigabitEthernet1/0/5.1]ip address 192.168.1.3 24
[FW2]interface GigabitEthernet 1/0/5.2
[FW2-GigabitEthernet1/0/5.2]vlan-type dot1q 20
[FW2-GigabitEthernet1/0/5.2]ip address 192.168.2.3 24
[FW2]interface GigabitEthernet 1/0/3.1
[FW2-GigabitEthernet1/0/3.1]vlan-type dot1q 1
[FW2-GigabitEthernet1/0/3.1]ip address 10.3.2.1 30
[FW2]interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]ip address 15.1.1.2 24
[FW2]interface GigabitEthernet 1/0/3
[FW2-GigabitEthernet1/0/3]ip address 10.3.1.1 30
#PE1
system-view
[Huawei]sysname PE1
[PE1]interface GigabitEthernet 0/0/1.1
[PE1-GigabitEthernet0/0/1.1]dot1q termination vid 1
[PE1-GigabitEthernet0/0/1.1]arp broadcast enable
[PE1-GigabitEthernet0/0/1.1]ip address 10.2.2.2 30
[PE1]interface GigabitEthernet 0/0/3.1
[PE1-GigabitEthernet0/0/3.1]dot1q termination vid 1
[PE1-GigabitEthernet0/0/3.1]arp broadcast enable
[PE1-GigabitEthernet0/0/3.1]ip address 10.3.2.2 30
[PE1]interface LoopBack 0
[PE1-LoopBack0]ip address 1.1.1.1 32
[PE1]interface GigabitEthernet0/0/1
[PE1-GigabitEthernet0/0/1]ip address 10.2.1.2 30
[PE1]interface GigabitEthernet0/0/2
[PE1-GigabitEthernet0/0/2]ip address 20.1.1.1 30
[PE1]interface GigabitEthernet0/0/3
[PE1-GigabitEthernet0/0/3]ip address 10.3.1.2 30
#AC1
system-view
[AC6605]sysname AC
[AC]vlan batch 19 20
[AC]interface GigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1]port link-type trunk
[AC-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
[AC-GigabitEthernet0/0/1]port trunk allow-pass vlan 19 20
#FW3
system-view
[USG6000V1]sysname FW3
[FW3]interface GigabitEthernet 1/0/1
[FW3-GigabitEthernet1/0/1]ip address 30.1.1.1 30
[FW3]interface GigabitEthernet 1/0/2
[FW3-GigabitEthernet1/0/2]ip address 20.1.3.2 30
#P
system-view
[Huawei]sysname P
[P]interface LoopBack 0
[P-LoopBack0]ip address 2.2.2.2 32
[P]interface GigabitEthernet0/0/1
[P-GigabitEthernet0/0/1]ip address 20.1.2.1 30
[P]interface GigabitEthernet0/0/2
[P-GigabitEthernet0/0/2]ip address 20.1.1.2 30
#PE2
system-view
[Huawei]sysname PE2
[PE2]interface LoopBack 0
[PE2-LoopBack0]ip address 3.3.3.3 32
[PE2]interface GigabitEthernet0/0/1
[PE2-GigabitEthernet0/0/1]ip address 20.1.2.2 30
[PE2]interface GigabitEthernet0/0/2
[PE2-GigabitEthernet0/0/2]ip address 20.1.3.1 30
[PE2]interface GigabitEthernet0/0/3
[PE2-GigabitEthernet0/0/3]ip address 20.1.4.1 30
#Internet
system-view
[Huawei]sysname Internet
[Internet]interface LoopBack 0
[Internet-LoopBack0]ip address 16.16.16.16 32
[Internet]interface GigabitEthernet0/0/3
[Internet-GigabitEthernet0/0/3]ip address 20.1.4.2 30
#DC-GW
system-view
[Huawei]sysname DC-GW
[DC-GW]interface LoopBack 0
[DC-GW-LoopBack0]ip address 11.11.11.11 32
[DC-GW]interface GigabitEthernet0/0/1
[DC-GW-GigabitEthernet0/0/1]ip address 30.1.1.2 30
[DC-GW]interface GigabitEthernet0/0/2
[DC-GW-GigabitEthernet0/0/2]ip address 30.1.2.1 30
[DC-GW]interface GigabitEthernet0/0/3
[DC-GW-GigabitEthernet0/0/3]ip address 30.1.3.1 30
#Leaf1
system-view
[Huawei]sysname Leaf1
[Leaf1]interface LoopBack 0
[Leaf1-LoopBack0]ip address 12.12.12.12 32
[Leaf1]interface GigabitEthernet0/0/1
[Leaf1-GigabitEthernet0/0/1]ip address 172.16.3.254 24
[Leaf1]interface GigabitEthernet0/0/2
[Leaf1-GigabitEthernet0/0/2]ip address 30.1.2.2 30
[Leaf1]interface GigabitEthernet0/0/3
[Leaf1-GigabitEthernet0/0/3]ip address 172.16.1.254 24
#Leaf2
system-view
[Huawei]sysname Leaf2
[Leaf2]interface LoopBack 0
[Leaf2-LoopBack0]ip address 13.13.13.13 32
[Leaf2]interface GigabitEthernet0/0/1
[Leaf2-GigabitEthernet0/0/1]ip address 172.16.2.254 24
[Leaf2]interface GigabitEthernet0/0/3
[Leaf2-GigabitEthernet0/0/3]ip address 30.1.3.2 30
Verification:
To provide loop prevention and load balancing in the Layer 2 network, MSTP must be configured on SW1, SW2 and SW3.
Configuration:
Task 3: MSTP
#SW2
[SW2]stp region-configuration
[SW2-mst-region]region-name RG1
[SW2-mst-region]instance 1 vlan 2 to 10
[SW2-mst-region]instance 2 vlan 11 to 20
[SW2-mst-region]active region-configuration
[SW2]stp instance 1 root primary
[SW2]stp instance 2 root secondary
[SW2]interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1]stp root-protection
[SW2]interface GigabitEthernet 0/0/5
[SW2-GigabitEthernet0/0/5]stp disable
#SW3
[SW3]stp region-configuration
[SW3-mst-region]region-name RG1
[SW3-mst-region]instance 1 vlan 2 to 10
[SW3-mst-region]instance 2 vlan 11 to 20
[SW3-mst-region]active region-configuration
[SW3]stp instance 1 root secondary
[SW3]stp instance 2 root primary
[SW3]interface GigabitEthernet 0/0/2
[SW3-GigabitEthernet0/0/2]stp root-protection
[SW3]interface GigabitEthernet 0/0/1
[SW3-GigabitEthernet0/0/1]stp edged-port enable
[SW3]interface GigabitEthernet 0/0/5
[SW3-GigabitEthernet0/0/5]stp disable
#SW1
[SW1]stp region-configuration
[SW1-mst-region]region-name RG1
[SW1-mst-region]instance 1 vlan 2 to 10
[SW1-mst-region]instance 2 vlan 11 to 20
[SW1-mst-region]active region-configuration
[SW1]port-group group-member Ethernet 0/0/1 Ethernet 0/0/2
[SW1-port-group]stp edged-port enable
Verification:
To meet the security requirements, firewalls must be deployed, security zones planned as required, and only the necessary ports opened according to the principle of least privilege, so that business traffic still communicates normally.
Complete the firewall security-zone configuration according to the data plan in Table 2-4.
Verification:
To avoid a firewall single point of failure while making full use of network resources, the firewalls are deployed as a hot-standby pair in load-balancing mode, which improves network robustness.
Security policies must not be permit-all; every security policy must be configured precisely for the actual traffic it needs to allow.
Configuration:
Task 4: firewall security zone configuration
#FW1
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/5.1
[FW1-zone-trust]add interface GigabitEthernet 1/0/5.2
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/3
[FW1-zone-untrust]add interface GigabitEthernet 1/0/3.1
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/1
#FW2
[FW2]firewall zone trust
[FW2-zone-trust]add interface GigabitEthernet 1/0/5.1
[FW2-zone-trust]add interface GigabitEthernet 1/0/5.2
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface GigabitEthernet 1/0/3
[FW2-zone-untrust]add interface GigabitEthernet 1/0/3.1
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface GigabitEthernet 1/0/1
#FW3
[FW3]firewall zone trust
[FW3-zone-trust]add interface GigabitEthernet 1/0/1
[FW3]firewall zone untrust
[FW3-zone-untrust]add interface GigabitEthernet 1/0/2
Task 5: firewall VRRP, hot standby (HRP) and security policy configuration
Firewall VRRP
#FW1
[FW1]interface GigabitEthernet 1/0/5.1
[FW1-GigabitEthernet1/0/5.1]vrrp vrid 1 virtual-ip 192.168.1.254 active
[FW1]interface GigabitEthernet 1/0/5.2
[FW1-GigabitEthernet1/0/5.2]vrrp vrid 2 virtual-ip 192.168.2.254 standby
#FW2
[FW2]interface GigabitEthernet 1/0/5.1
[FW2-GigabitEthernet1/0/5.1]vrrp vrid 1 virtual-ip 192.168.1.254 standby
[FW2]interface GigabitEthernet 1/0/5.2
[FW2-GigabitEthernet1/0/5.2]vrrp vrid 2 virtual-ip 192.168.2.254 active
HRP
#FW1
[FW1]hrp interface GigabitEthernet 1/0/1 remote 15.1.1.2
[FW1]hrp enable
HRP_M[FW1]hrp mirror session enable
HRP_M[FW1]hrp auto-sync config static-route (+B)
#FW2
[FW2]hrp interface GigabitEthernet 1/0/1 remote 15.1.1.1
[FW2]hrp enable
HRP_S[FW2]hrp mirror session enable
Security policies
#FW1
HRP_M[FW1]security-policy (+B)
HRP_M[FW1-policy-security]rule name web (+B)
HRP_M[FW1-policy-security-rule-web]source-zone trust (+B)
HRP_M[FW1-policy-security-rule-web]destination-zone untrust (+B)
HRP_M[FW1-policy-security-rule-web]source-address 192.168.1.1 32 (+B)
HRP_M[FW1-policy-security-rule-web]destination-address 172.16.1.1 32 (+B)
HRP_M[FW1-policy-security-rule-web]service http (+B)
HRP_M[FW1-policy-security-rule-web]service https (+B)
HRP_M[FW1-policy-security-rule-web]action permit (+B)
HRP_M[FW1-policy-security]rule name Wireless (+B)
HRP_M[FW1-policy-security-rule-Wireless]source-zone trust (+B)
HRP_M[FW1-policy-security-rule-Wireless]source-zone local (+B)
HRP_M[FW1-policy-security-rule-Wireless]source-zone untrust (+B)
HRP_M[FW1-policy-security-rule-Wireless]destination-zone untrust (+B)
HRP_M[FW1-policy-security-rule-Wireless]destination-zone trust (+B)
HRP_M[FW1-policy-security-rule-Wireless]destination-zone local (+B)
HRP_M[FW1-policy-security-rule-Wireless]source-address 192.168.2.0 24 (+B)
HRP_M[FW1-policy-security-rule-Wireless]action permit (+B)
HRP_M[FW1]int g1/0/5.1 (+B)
HRP_M[FW1-GigabitEthernet1/0/5.1]service-manage ping permit (+B)
HRP_M[FW1]int g1/0/5.2 (+B)
HRP_M[FW1-GigabitEthernet1/0/5.2]service-manage ping permit (+B)
#FW3
[FW3]security-policy
[FW3-policy-security]rule name web
[FW3-policy-security-rule-web]source-zone untrust
[FW3-policy-security-rule-web]destination-zone trust
[FW3-policy-security-rule-web]source-address 192.168.1.1 32
[FW3-policy-security-rule-web]destination-address 172.16.1.1 32
[FW3-policy-security-rule-web]service http
[FW3-policy-security-rule-web]service https
[FW3-policy-security-rule-web]action permit
[FW3-policy-security]rule name BGP
[FW3-policy-security-rule-BGP]source-zone untrust
[FW3-policy-security-rule-BGP]destination-zone local
[FW3-policy-security-rule-BGP]source-address 20.1.3.1 mask 255.255.255.255
[FW3-policy-security-rule-BGP]destination-address 20.1.3.2 mask 255.255.255.255
[FW3-policy-security-rule-BGP]service bgp
[FW3-policy-security-rule-BGP]service tcp
[FW3-policy-security-rule-BGP]action permit
[FW3]security-policy
[FW3-policy-security]rule name OSPF
[FW3-policy-security-rule-OSPF]source-zone trust
[FW3-policy-security-rule-OSPF]destination-zone local
[FW3-policy-security-rule-OSPF]source-address 30.1.1.2 32
[FW3-policy-security-rule-OSPF]service ospf
[FW3-policy-security-rule-OSPF]action permit
NAT Server
#FW3
[FW3]nat server nat_server zone untrust protocol tcp global 100.1.1.1 8080 inside 172.16.1.1 www
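The web rule on FW3 matches the private address 172.16.1.1 rather than the public 100.1.1.1 because the NAT Server translation is applied before the security policy is looked up. The following Python model, added here and not part of the original page or of any Huawei software, replays that order of operations against the FW3 rules above; the rule set and NAT mapping are transcribed from this page, and the NAT-before-policy ordering is stated as an assumption about the USG6000V.

```python
from ipaddress import ip_address, ip_network

# NAT Server mapping taken from FW3's configuration on this page:
# public 100.1.1.1:8080/tcp -> inside 172.16.1.1:80 (www).
NAT_SERVER = {("100.1.1.1", "tcp", 8080): ("172.16.1.1", 80)}

# FW3 security-policy rules in configured order; anything unmatched is denied.
# services: set of (protocol, port); port None means any port of that protocol.
FW3_RULES = [
    {"name": "web", "src_zone": "untrust", "dst_zone": "trust",
     "src": "192.168.1.1/32", "dst": "172.16.1.1/32",
     "services": {("tcp", 80), ("tcp", 443)}},
    {"name": "BGP", "src_zone": "untrust", "dst_zone": "local",
     "src": "20.1.3.1/32", "dst": "20.1.3.2/32",
     "services": {("tcp", 179), ("tcp", None)}},  # 'service bgp' and 'service tcp'
    {"name": "OSPF", "src_zone": "trust", "dst_zone": "local",
     "src": "30.1.1.2/32", "dst": "0.0.0.0/0",   # no destination-address: any
     "services": {("ospf", None)}},
]


def nat_server_translate(dst_ip, proto, dst_port):
    """Destination NAT step: return the inside (ip, port) for a NAT Server hit,
    otherwise the packet's original destination unchanged."""
    return NAT_SERVER.get((dst_ip, proto, dst_port), (dst_ip, dst_port))


def evaluate(src_zone, dst_zone, src_ip, dst_ip, proto, dst_port):
    """Return (rule_name, action) for a first packet arriving at FW3.
    Modelled order (assumption about USG6000V): NAT Server first, then the
    security policy is matched on the translated destination."""
    real_ip, real_port = nat_server_translate(dst_ip, proto, dst_port)
    for rule in FW3_RULES:
        if (src_zone, dst_zone) != (rule["src_zone"], rule["dst_zone"]):
            continue
        if ip_address(src_ip) not in ip_network(rule["src"]):
            continue
        if ip_address(real_ip) not in ip_network(rule["dst"]):
            continue
        if (proto, real_port) in rule["services"] or (proto, None) in rule["services"]:
            return rule["name"], "permit"
    return "default", "deny"


if __name__ == "__main__":
    # Web-Client reaching the OA server through the public address: permitted via 'web'.
    print(evaluate("untrust", "trust", "192.168.1.1", "100.1.1.1", "tcp", 8080))
    # Same client, a port with no NAT Server entry: falls through to the default deny.
    print(evaluate("untrust", "trust", "192.168.1.1", "100.1.1.1", "tcp", 22))
```

Writing the web rule against 100.1.1.1 instead would never match, since by the time the policy is consulted the destination is already 172.16.1.1.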
Verification:
Configuration:
#FW1
[FW1]ip route-static 0.0.0.0 0.0.0.0 10.2.1.2
[FW1]ip route-static 100.1.1.1 255.255.255.255 10.2.2.2
#FW2
[FW2]ip route-static 0.0.0.0 0.0.0.0 10.3.1.2
[FW2]ip route-static 100.1.1.1 255.255.255.255 10.3.2.2
#FW3
[FW3]ip route-static 100.1.1.1 32 NULL 0
[FW3]ip route-static 0.0.0.0 0.0.0.0 20.1.3.1
#PE1
[PE1]ip route-static 192.168.2.0 24 10.2.1.1
[PE1]ip route-static 192.168.2.0 24 10.3.1.1
Verification:
Configuration:
Task 7: public network dynamic routing
ISIS
#PE1
[PE1]isis 1
[PE1-isis-1]network-entity 01.0000.0000.0001.00
[PE1-isis-1]is-level level-2
[PE1-isis-1]domain-authentication-mode md5 ICTEXAM
[PE1]interface LoopBack 0
[PE1-LoopBack0]isis enable 1
[PE1]interface GigabitEthernet0/0/2
[PE1-GigabitEthernet0/0/2]isis enable 1
#P
[P]isis 1
[P-isis-1]network-entity 01.0000.0000.0002.00
[P-isis-1]is-level level-2
[P-isis-1]domain-authentication-mode md5 ICTEXAM
[P]interface LoopBack 0
[P-LoopBack0]isis enable 1
[P]interface GigabitEthernet0/0/1
[P-GigabitEthernet0/0/1]isis enable 1
[P]interface GigabitEthernet0/0/2
[P-GigabitEthernet0/0/2]isis enable 1
#PE2
[PE2]isis 1
[PE2-isis-1]network-entity 01.0000.0000.0003.00
[PE2-isis-1]is-level level-2
[PE2-isis-1]domain-authentication-mode md5 ICTEXAM
[PE2]interface LoopBack 0
[PE2-LoopBack0]isis enable 1
[PE2]interface GigabitEthernet0/0/1
[PE2-GigabitEthernet0/0/1]isis enable 1
OSPF
#FW3
[FW3]ospf 1
[FW3-ospf-1]default-route-advertise type 1
[FW3-ospf-1]area 0
[FW3-ospf-1-area-0.0.0.0]network 30.1.1.1 0.0.0.0
#DC-GW
[DC-GW]ospf 1
[DC-GW-ospf-1]area 0
[DC-GW-ospf-1-area-0.0.0.0]network 11.11.11.11 0.0.0.0
[DC-GW-ospf-1-area-0.0.0.0]network 30.1.1.2 0.0.0.0
[DC-GW-ospf-1-area-0.0.0.0]network 30.1.2.1 0.0.0.0
[DC-GW-ospf-1-area-0.0.0.0]network 30.1.3.1 0.0.0.0
#Leaf1
[Leaf1]ospf 1
[Leaf1-ospf-1]area 0
[Leaf1-ospf-1-area-0.0.0.0]network 12.12.12.12 0.0.0.0
[Leaf1-ospf-1-area-0.0.0.0]network 30.1.2.2 0.0.0.0
[Leaf1-ospf-1-area-0.0.0.0]network 172.16.1.254 0.0.0.0
#Leaf2
[Leaf2]ospf 1
[Leaf2-ospf-1]area 0
[Leaf2-ospf-1-area-0.0.0.0]network 30.1.3.2 0.0.0.0
[Leaf2-ospf-1-area-0.0.0.0]network 13.13.13.13 0.0.0.0
BGP
#PE1
[PE1]bgp 100
[PE1-bgp]peer 2.2.2.2 as-number 100
[PE1-bgp]peer 2.2.2.2 connect-interface LoopBack0
#P
[P]bgp 100
[P-bgp]group PE1-PE2 internal
[P-bgp]peer 1.1.1.1 group PE1-PE2
[P-bgp]peer 3.3.3.3 group PE1-PE2
[P-bgp]peer PE1-PE2 connect-interface LoopBack 0
[P-bgp]peer PE1-PE2 reflect-client
#PE2
[PE2]bgp 100
[PE2-bgp]peer 2.2.2.2 as-number 100
[PE2-bgp]peer 2.2.2.2 connect-interface LoopBack 0
[PE2-bgp]peer 20.1.4.2 as-number 200
[PE2-bgp]peer 20.1.3.2 as-number 300
[PE2-bgp]peer 2.2.2.2 next-hop-local
#Internet
[Internet]bgp 200
[Internet-bgp]peer 20.1.4.1 as-number 100
[Internet-bgp]network 16.16.16.16 32
#FW3
[FW3]bgp 300
[FW3-bgp]peer 20.1.3.1 as-number 100
[FW3-bgp]network 100.1.1.1 32
Verification:
Task 8: MPLS VPN configuration
VPN instances
#PE1
[PE1]ip vpn-instance ToDC
[PE1-vpn-instance-ToDC]route-distinguisher 100:1
[PE1-vpn-instance-ToDC-af-ipv4]vpn-target 200:1 both
[PE1]interface GigabitEthernet0/0/3.1
[PE1-GigabitEthernet0/0/3.1]ip binding vpn-instance ToDC
[PE1-GigabitEthernet0/0/3.1]ip address 10.3.2.2 30
[PE1]interface GigabitEthernet0/0/1.1
[PE1-GigabitEthernet0/0/1.1]ip binding vpn-instance ToDC
[PE1-GigabitEthernet0/0/1.1]ip address 10.2.2.2 30
#PE2
[PE2]ip vpn-instance ToDC
[PE2-vpn-instance-ToDC]route-distinguisher 100:1
[PE2-vpn-instance-ToDC-af-ipv4]vpn-target 200:1 both
[PE2]interface GigabitEthernet0/0/2
[PE2-GigabitEthernet0/0/2]ip binding vpn-instance ToDC
[PE2-GigabitEthernet0/0/2]ip address 20.1.3.1 30
MPLS
#PE1
[PE1]mpls lsr-id 1.1.1.1
[PE1]mpls
[PE1]mpls ldp
[PE1]interface GigabitEthernet0/0/2
[PE1-GigabitEthernet0/0/2]mpls
[PE1-GigabitEthernet0/0/2]mpls ldp
#P
[P]mpls lsr-id 2.2.2.2
[P]mpls
[P]mpls ldp
[P]interface GigabitEthernet0/0/1
[P-GigabitEthernet0/0/1]mpls
[P-GigabitEthernet0/0/1]mpls ldp
[P]interface GigabitEthernet0/0/2
[P-GigabitEthernet0/0/2]mpls
[P-GigabitEthernet0/0/2]mpls ldp
#PE2
[PE2]mpls lsr-id 3.3.3.3
[PE2]mpls
[PE2]mpls ldp
[PE2]interface GigabitEthernet0/0/1
[PE2-GigabitEthernet0/0/1]mpls
[PE2-GigabitEthernet0/0/1]mpls ldp
MP-BGP
#PE1
[PE1]bgp 100
[PE1-bgp]ipv4-family vpnv4
[PE1-bgp-af-vpnv4]peer 2.2.2.2 enable
#P
[P]bgp 100
[P-bgp]ipv4-family vpnv4
[P-bgp-af-vpnv4]undo policy vpn-target
[P-bgp-af-vpnv4]peer 1.1.1.1 enable
[P-bgp-af-vpnv4]peer 3.3.3.3 enable
[P-bgp-af-vpnv4]peer 1.1.1.1 reflect-client
[P-bgp-af-vpnv4]peer 3.3.3.3 reflect-client
#PE2
[PE2]bgp 100
[PE2-bgp]ipv4-family vpn-instance ToDC
[PE2-bgp-ToDC]peer 20.1.3.2 as-number 300
[PE2-bgp]ipv4-family vpnv4
[PE2-bgp-af-vpnv4]peer 2.2.2.2 enable
[PE2-bgp-af-vpnv4]peer 2.2.2.2 next-hop-local
VPN static routes
#PE1
[PE1]ip route-static vpn-instance ToDC 192.168.0.0 16 10.2.2.1
[PE1]ip route-static vpn-instance ToDC 192.168.0.0 16 10.3.2.1
[PE1]bgp 100
[PE1-bgp]ipv4-family vpn-instance ToDC
[PE1-bgp-ToDC]network 10.3.2.0 30
[PE1-bgp-ToDC]network 192.168.0.0 16
Verification:
Configuration:
Task 9: GRE
#Leaf1
[Leaf1]interface Tunnel 0/0/0
[Leaf1-Tunnel0/0/0]tunnel-protocol gre
[Leaf1-Tunnel0/0/0]ip address 173.1.2.1 30
[Leaf1-Tunnel0/0/0]source 12.12.12.12
[Leaf1-Tunnel0/0/0]destination 13.13.13.13
[Leaf1]ip route-static 172.16.2.0 24 173.1.2.2
#Leaf2
[Leaf2]interface Tunnel 0/0/0
[Leaf2-Tunnel0/0/0]tunnel-protocol gre
[Leaf2-Tunnel0/0/0]ip address 173.1.2.2 30
[Leaf2-Tunnel0/0/0]source 13.13.13.13
[Leaf2-Tunnel0/0/0]destination 12.12.12.12
[Leaf2]ip route-static 172.16.3.0 24 173.1.2.1
Verification:
Configuration:
Task 10: WLAN
DHCP
#AC1
[AC]interface Vlanif 19
[AC-Vlanif19]ip address 192.168.19.254 24
[AC]dhcp enable
[AC]ip pool For_AP
[AC-ip-pool-For_AP]network 192.168.19.0 mask 255.255.255.0
[AC-ip-pool-For_AP]gateway-list 192.168.19.254
[AC]ip pool STA
[AC-ip-pool-STA]network 192.168.2.0 mask 255.255.255.0
[AC-ip-pool-STA]gateway-list 192.168.2.254
[AC]interface Vlanif 19
[AC-Vlanif19]dhcp select global
[AC]interface Vlanif 20
[AC-Vlanif20]dhcp select global
WLAN service configuration
[AC]capwap source interface Vlanif 19
[AC]wlan
[AC-wlan-view]ap auth-mode mac-auth
[AC-wlan-view]ap-id 0 ap-mac 00e0-fc52-0650
[AC-wlan-ap-0]ap-name AP
[AC-wlan-ap-0]ap-group default
[AC-wlan-view]ssid-profile name s1
[AC-wlan-ssid-prof-s1]ssid ICT
[AC-wlan-view]security-profile name s1
[AC-wlan-sec-prof-s1]security wpa-wpa2 psk pass-phrase Huawei@123 aes
[AC-wlan-view]vap-profile name p1
[AC-wlan-vap-prof-p1]forward-mode tunnel
[AC-wlan-vap-prof-p1]service-vlan vlan-id 20
[AC-wlan-vap-prof-p1]ssid-profile s1
[AC-wlan-vap-prof-p1]security-profile s1
[AC-wlan-view]ap-group name default
[AC-wlan-ap-group-default]regulatory-domain-profile default
[AC-wlan-ap-group-default]vap-profile p1 wlan 1 radio all
Verification: