Huawei eNSP Medium-Sized Campus Network Configuration (Part 1)
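→ Link to the Bilibili video; thanks to the author for the exhaustive walkthrough ←
→ Huawei eNSP Medium-Sized Campus Network Configuration (Part 2) ←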
-
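Customer technical requirements:
1. Provide the necessary isolation and prevent loops.
2. Terminal ports must forward without delay once connected to the network.
3. Increase the bandwidth between the aggregation-layer switches.
4. Configure the gateways on the aggregation layer and ensure gateway redundancy.
5. Use a reliable IGP internally for route learning and advertisement, and guarantee the legitimacy of device identities.
6. Learn routes with headquarters via BGP to enable mutual access. By default, all traffic to headquarters must pass through AR1; when AR1 fails, switch over to AR2.
7. All PC terminals in the campus network must obtain their addresses from the company's unified DHCP server.
8. Use FIT AP + AC for the wireless network.
9. The egress firewall must apply the necessary security policies: only the internal network may initiate access to the external network.
10. The egress firewall must configure the necessary NAT so that the internal network can reach the ISP and the Internet.
-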
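Technologies involved in the network design:
1. VLAN and edge port
2. Trunk and Eth-Trunk
3. MSTP combined with VRRP
4. OSPF and OSPF authentication
5. BGP and BGP route selection
6. Route import between protocols
7. DHCP and DHCP relay
8. WLAN networking (FIT AP + AC)
9. Firewall security policies
10. NAT
-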
Extended topics:
1. Firewall dual-device hot standby
2. Stacking
3. WLAN high availability
-
Address plan:
AR1
e3/0/0 10.1.14.1/24
g0/0/0 10.1.100.1/24 (connects to SW1 vlanif100)
g0/0/2 10.1.12.1/24
g0/0/1 10.1.103.1/24 (connects to SW2 vlanif300)
pos2/0/0 10.1.13.1/24
Loopback0 10.1.1.1/32
AR2
g0/0/2 10.1.12.2/24
g0/0/0 10.1.102.2/24 (connects to SW1 vlanif200)
g0/0/1 10.1.104.2/24 (connects to SW2 vlanif400)
pos2/0/0 10.1.23.2/24
Loopback0 10.1.2.2/32
AR3
pos2/0/0 10.1.13.3/24
pos5/0/0 10.1.23.3/24
Loopback200 200.200.200.200/32
AR4
g0/0/0 10.1.14.4/24
Loopback0 10.1.4.4/24
SW1
vlanif100 10.1.100.10/24
vlanif200 10.1.102.10/24
SW2
vlanif300 10.1.103.10/24
vlanif400 10.1.104.10/24
VLAN address plan
vlan10-192.168.10.0/24
vlan20-192.168.20.0/24
vlan30-192.168.30.0/24
vlan40-192.168.40.0/24
-
Configure VLANs and links
SW1 SW2 SW3 SW4
#
vlan batch 10 20 30 40
#
-
Configure the link types. Ignore the AP for now: ports facing PCs are access ports, and links between switches are trunks.
SW1
// Configure the trunk port group
// (p l t = port link-type trunk; p t a v = port trunk allow-pass vlan)
[SW1]port-group trunkport
[SW1-port-group-trunkport]group-member g0/0/2 g0/0/3
[SW1-port-group-trunkport]p l t
[SW1-port-group-trunkport]p t a v 10 20 30 40
// Configure link aggregation
[SW1]int Eth-Trunk 12
[SW1-Eth-Trunk12]mode lacp-static
[SW1-Eth-Trunk12]trunkport g 0/0/19 to 0/0/20
[SW1-Eth-Trunk12]port link-type trunk
[SW1-Eth-Trunk12]port trunk allow-pass vlan 10 20 30 40
SW2
// Configure the trunk port group
[SW2]port-group trunkport
[SW2-port-group-trunkport]group-member g0/0/2 g0/0/4
[SW2-port-group-trunkport]p l t
[SW2-port-group-trunkport]p t a v 10 20 30 40
// Configure link aggregation
[SW2]int Eth-Trunk 12
[SW2-Eth-Trunk12]mode lacp-static
[SW2-Eth-Trunk12]trunkport g 0/0/19 to 0/0/20
[SW2-Eth-Trunk12]p l t
[SW2-Eth-Trunk12]p t a v 10 20 30 40
SW3
// Configure the trunk port group
[SW3]port-group trunkport
[SW3-port-group-trunkport]group-member g0/0/2 g0/0/4
[SW3-port-group-trunkport]p l t
[SW3-port-group-trunkport]p t a v 10 20 30 40
// Configure the access port group
// (p l a = port link-type access; p d v = port default vlan)
[SW3]port-group accessport
[SW3-port-group-accessport]group-member g0/0/1 g0/0/3
[SW3-port-group-accessport]p l a
// Put g0/0/1 in vlan 10
[SW3]i g0/0/1
[SW3-GigabitEthernet0/0/1]p d v 10
// Configure it as an edge port
[SW3-GigabitEthernet0/0/1]stp edged-port en
// Put g0/0/3 in vlan 30
[SW3]i g0/0/3
[SW3-GigabitEthernet0/0/3]p d v 30
// Configure it as an edge port
[SW3-GigabitEthernet0/0/3]stp edged-port en
SW4
// Configure the trunk port group
[SW4]port-group trunkport
[SW4-port-group-trunkport]group-member g0/0/2 g0/0/3
[SW4-port-group-trunkport]p l t
[SW4-port-group-trunkport]p t a v 10 20 30 40
// Configure the access port group
[SW4]port-group accessport
[SW4-port-group-accessport]group-member g0/0/4 g0/0/1
[SW4-port-group-accessport]p l a
// Configure the edge ports
[SW4-port-group-accessport]stp edged-port en
// Put g0/0/4 in vlan 40
[SW4]i g0/0/4
[SW4-GigabitEthernet0/0/4]p d v 40
// Put g0/0/1 in vlan 20
[SW4]i g0/0/1
[SW4-GigabitEthernet0/0/1]p d v 20
-
Configure MSTP
instance1 - vlan10 vlan30, root SW1, backup SW2
instance2 - vlan20 vlan40, root SW2, backup SW1
SW1 SW2 SW3 SW4
#
stp region-configuration
 region-name yeslab
 revision-level 1
 instance 1 vlan 10 30
 instance 2 vlan 20 40
 active region-configuration
#
Set SW1 as the root of instance 1 and the backup root of instance 2
[SW1]stp instance 1 root primary
[SW1]stp instance 2 root secondary
Set SW2 as the root of instance 2 and the backup root of instance 1
[SW2]stp instance 2 root primary
[SW2]stp instance 1 root secondary
-
Configure the VLANIF interfaces
SW1
#
interface Vlanif10
 ip address 192.168.10.251 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.251 255.255.255.0
#
interface Vlanif30
 ip address 192.168.30.251 255.255.255.0
#
interface Vlanif40
 ip address 192.168.40.251 255.255.255.0
#
SW2
#
interface Vlanif10
 ip address 192.168.10.252 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.252 255.255.255.0
#
interface Vlanif30
 ip address 192.168.30.252 255.255.255.0
#
interface Vlanif40
 ip address 192.168.40.252 255.255.255.0
#
-
Configure the VRRP gateways
SW1 is the master for VLANs 10 and 30 and the backup for VLANs 20 and 40
#
interface Vlanif10
 ip address 192.168.10.251 255.255.255.0
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 priority 120
#
interface Vlanif20
 ip address 192.168.20.251 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.20.254
#
interface Vlanif30
 ip address 192.168.30.251 255.255.255.0
 vrrp vrid 30 virtual-ip 192.168.30.254
 vrrp vrid 30 priority 120
#
interface Vlanif40
 ip address 192.168.40.251 255.255.255.0
 vrrp vrid 40 virtual-ip 192.168.40.254
#
SW2 is the backup for VLANs 10 and 30 and the master for VLANs 20 and 40
#
interface Vlanif10
 ip address 192.168.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 192.168.10.254
#
interface Vlanif20
 ip address 192.168.20.252 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.20.254
 vrrp vrid 20 priority 120
#
interface Vlanif30
 ip address 192.168.30.252 255.255.255.0
 vrrp vrid 30 virtual-ip 192.168.30.254
#
interface Vlanif40
 ip address 192.168.40.252 255.255.255.0
 vrrp vrid 40 virtual-ip 192.168.40.254
 vrrp vrid 40 priority 120
#
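The MSTP and VRRP sections only load-balance cleanly if each VLAN's VRRP master is also the MSTP root of that VLAN's instance; otherwise gateway traffic detours across the Eth-Trunk. The following check is an added example, not part of the original post; it assumes the VRID equals the VLAN ID, as in the configuration above, and its function names are hypothetical.

```python
import re

# Constructed sample: MSTP and VRRP lines copied from the configuration above.
REGION = "instance 1 vlan 10 30\ninstance 2 vlan 20 40"
CONFIGS = {
    "SW1": """stp instance 1 root primary
stp instance 2 root secondary
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 120
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 120
vrrp vrid 40 virtual-ip 192.168.40.254""",
    "SW2": """stp instance 2 root primary
stp instance 1 root secondary
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 120
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 120""",
}

def mstp_roots(region, configs):
    """Map each VLAN to the switch configured as root primary of its instance."""
    roots = {}
    for inst, vlans in re.findall(r"instance (\d+) vlan ([\d ]+)", region):
        for sw, cfg in configs.items():
            if re.search(rf"stp instance {inst} root primary", cfg):
                roots.update({int(v): sw for v in vlans.split()})
    return roots

def vrrp_masters(configs):
    """Map each VRID (assumed equal to the VLAN ID, as on this page) to its master."""
    prio = {}  # vrid -> {switch: priority}
    for sw, cfg in configs.items():
        for vrid in re.findall(r"vrrp vrid (\d+) virtual-ip", cfg):
            m = re.search(rf"vrrp vrid {vrid} priority (\d+)", cfg)
            prio.setdefault(int(vrid), {})[sw] = int(m.group(1)) if m else 100
    # Highest priority wins; the IP-address tie-break is not modelled here.
    return {v: max(p, key=p.get) for v, p in prio.items()}

def misaligned_vlans(region, configs):
    """VLANs whose VRRP master is not the MSTP root of their instance."""
    roots, masters = mstp_roots(region, configs), vrrp_masters(configs)
    return sorted(v for v in roots if masters.get(v) != roots[v])
```

An empty result from `misaligned_vlans(REGION, CONFIGS)` means the two designs agree for every VLAN.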
-
Configure routing
AR1
#
interface Ethernet3/0/0
 ip address 10.1.14.1 255.255.255.0
#
interface Ethernet3/0/1
 ip address 10.1.15.1 255.255.255.0
#
interface GigabitEthernet0/0/0
 ip address 10.1.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 10.1.103.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.1.12.1 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 10.1.13.1 255.255.255.0
#
interface LoopBack0
 ip address 10.1.1.1 255.255.255.255
#
AR2
#
interface GigabitEthernet0/0/0
 ip address 10.1.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 10.1.104.2 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.1.12.2 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 10.1.23.2 255.255.255.0
#
interface LoopBack0
 ip address 10.1.2.2 255.255.255.255
#
-
Configure the SW-to-AR interconnections
SW1
[SW1]v b 100 200
#
interface GigabitEthernet0/0/10
 port link-type access
 port default vlan 100
 stp edged-port enable
#
interface GigabitEthernet0/0/11
 port link-type access
 port default vlan 200
 stp edged-port enable
#
interface Vlanif100
 ip address 10.1.100.10 255.255.255.0
#
interface Vlanif200
 ip address 10.1.102.10 255.255.255.0
#
SW2
[SW2]v b 300 400
#
interface GigabitEthernet0/0/10
 port link-type access
 port default vlan 400
 stp edged-port enable
#
interface GigabitEthernet0/0/11
 port link-type access
 port default vlan 300
 stp edged-port enable
#
interface Vlanif300
 ip address 10.1.103.10 255.255.255.0
#
interface Vlanif400
 ip address 10.1.104.10 255.255.255.0
#
-
Configure OSPF
(You can use the dis ip int bri command to view the current networks.)
AR1
// Configure OSPF and advertise the networks
[AR1]ospf 1 router-id 1.1.1.1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]net 10.1.14.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]net 10.1.15.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]net 10.1.100.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]net 10.1.103.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]net 10.1.12.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]net 10.1.1.1 0.0.0.0
// Configure authentication
[AR1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher Huawei@123
AR2
// Configure OSPF and advertise the networks
[AR2]ospf 1 router-id 2.2.2.2
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]net 10.1.102.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]net 10.1.104.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]net 10.1.12.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]net 10.1.2.2 0.0.0.0
// Configure authentication
[AR2-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher Huawei@123
AR4
// Configure OSPF and advertise the networks
[AR-DHCP]ospf 1 router-id 111.111.111.111
[AR-DHCP-ospf-1]area 0
[AR-DHCP-ospf-1-area-0.0.0.0]net 10.1.14.4 0.0.0.0
// Configure authentication
[AR-DHCP-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher Huawei@123
SW1
// Configure OSPF and advertise the networks
[SW1]ospf 1 router-id 11.11.11.11
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]net 10.1.100.10 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]net 10.1.102.10 0.0.0.0
// Configure authentication
[SW1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher Huawei@123
// Import the directly connected networks
[SW1-ospf-1]import-route direct
SW2
// Configure OSPF and advertise the networks
[SW2]ospf 1 router-id 22.22.22.22
[SW2-ospf-1]area 0
[SW2-ospf-1-area-0.0.0.0]net 10.1.103.10 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]net 10.1.104.10 0.0.0.0
// Configure authentication
[SW2-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher Huawei@123
// Import the directly connected networks
[SW2-ospf-1]import-route direct
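Requirement 5 depends on every OSPF speaker in the area carrying the same authentication setting, and `md5` is the weakest keyed mode VRP offers. The audit below is an added example, not part of the original post: it reads area-view lines in the prompt format used above and reports devices with no authentication, a weak mode, or a setting that differs from their neighbours. The function name and the findings wording are hypothetical.

```python
import re

WEAK_MODES = {"simple", "md5", "hmac-md5"}  # VRP area-auth modes without SHA-2
PROMPT = re.compile(r"\[(\S+?)-ospf-\d+-area-([\d.]+)\]\s*(.*)")

# Constructed sample: area-view lines in the style of the session above,
# with the key replaced by a placeholder.
SESSION = """\
[AR1-ospf-1-area-0.0.0.0]net 10.1.12.1 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher <key>
[AR2-ospf-1-area-0.0.0.0]net 10.1.12.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher <key>
[SW1-ospf-1-area-0.0.0.0]net 10.1.100.10 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher <key>
"""

def audit_ospf_auth(session):
    """Return sorted (device, area, finding) tuples for an OSPF CLI transcript."""
    auth = {}  # (device, area) -> (mode, key_id), or None if never configured
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        dev, area, cmd = m.groups()
        auth.setdefault((dev, area), None)
        a = re.match(r"authentication-mode (\S+)(?: (\d+))?", cmd)
        if a:
            auth[(dev, area)] = a.groups()
    findings = []
    for (dev, area), setting in auth.items():
        if setting is None:
            findings.append((dev, area, "no area authentication"))
        elif setting[0] in WEAK_MODES:
            findings.append((dev, area, f"weak mode {setting[0]}"))
    # Neighbours only become adjacent when mode and key-id agree per area.
    for area in {a for _, a in auth}:
        if len({s for (_, a), s in auth.items() if a == area}) > 1:
            findings.append(("*", area, "mode/key-id differs between devices"))
    return sorted(findings)
```

Run against the lab session, every device is reported with `weak mode md5`; on VRP versions that support it, `hmac-sha256` in the same command clears that finding.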
-
Configure DHCP
AR4
[AR-DHCP]dhcp enable
#
ip pool VLAN10
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 dns-list 114.114.114.114
 domain-name yeslab.net
#
ip pool VLAN20
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 dns-list 114.114.114.114
 domain-name yeslab.net
#
ip pool VLAN30
 gateway-list 192.168.30.254
 network 192.168.30.0 mask 255.255.255.0
 dns-list 114.114.114.114
 domain-name yeslab.net
#
ip pool VLAN40
 gateway-list 192.168.40.254
 network 192.168.40.0 mask 255.255.255.0
 dns-list 114.114.114.114
 domain-name yeslab.net
#
interface GigabitEthernet0/0/0
 ip address 10.1.14.4 255.255.255.0
 dhcp select global
#
-
Configure DHCP relay
SW1
// Enable DHCP
[SW1]dhcp enable
// Configure DHCP relay under vlanif 10
[SW1]int Vlanif 10
[SW1-Vlanif10]dhcp select relay
// The server must be reachable by ping! If AR-DHCP had not been added to OSPF above, you could instead point a static route at AR1's e3/0/0 interface
[SW1-Vlanif10]dhcp relay server-ip 10.1.14.4
// Configure DHCP relay under vlanif 30
[SW1]int Vlanif 30
[SW1-Vlanif30]dhcp select relay
[SW1-Vlanif30]dhcp relay server-ip 10.1.14.4
SW2
// Enable DHCP
[SW2]dhcp enable
// Configure DHCP relay under vlanif 20
[SW2]int Vlanif 20
[SW2-Vlanif20]dhcp select relay
[SW2-Vlanif20]dhcp relay server-ip 10.1.14.4
// Configure DHCP relay under vlanif 40
[SW2]int vlanif 40
[SW2-Vlanif40]dhcp select relay
[SW2-Vlanif40]dhcp relay server-ip 10.1.14.4