前言
前几天完成了一个律师事务所的网络调试,组网很简单,但是他们使用了华为和华三的设备,又恰好最近在研究华为的 eNSP 模拟器和华三的 HCL 模拟器。于是,刚好使用这两个模拟器复现一下这个组网。
组网拓扑需求及规划
组网拓扑
这个并不是真实的网络拓扑图,做了一下简化,去掉了很多接入设备和终端,设备型号进行了修改替换,同时组网需求也进行了简化。
组网需求
R1、R2 为出口路由器接入不同的运营商,办公业务(桌面云和办公 Wi-Fi)走 R1 作为出口(R1 侧有上网行为管理此处省略了),非办公业务走 R2 作为出口;通过 PPPoE 接入运营商这里省略 PPPoE 的配置。
组网规划
两台 H3C 交换机堆叠作为核心层,网关和 DHCP 均配置在核心层,无线使用二层直连组网。
桌面云需要规划三个 VLAN 分别为 VLAN 101、VLAN 102、VLAN 10,VLAN 999 作为设备管理 VLAN。
| VLAN | 用途 | 网段 | 网关 |
|---|---|---|---|
| VLAN 101 | 服务器管理 | 10.2.101.0/24 | 10.2.101.254 |
| VLAN 102 | 桌面云管理 | 10.2.102.0/24 | 10.2.102.254 |
| VLAN 10 | 桌面云业务 | 10.2.10.0/24 | 10.2.10.0.254 |
| VLAN 999 | 管理VLAN | 10.2.255.111/24 | 10.2.255.254 |
TC 接入端规划一个 VLAN 为 VLAN 20 需要和桌面云管理 VLAN 互通,VLAN 999 作为设备管理 VLAN。
| VLAN | 用途 | 网段 | 网关 |
|---|---|---|---|
| VLAN 20 | TC 接入端 | 10.2.20.0/24 | 10.2.20.254 |
| VLAN 999 | 管理VLAN | 10.2.255.121/24 | 10.2.255.254 |
PoE 交换机上三个 VLAN,为 VLAN 30、VLAN 100、VLAN 201,VLAN 999 作为设备管理 VLAN。
| VLAN | 用途 | 网段 | 网关 |
|---|---|---|---|
| VLAN 30 | 无线办公业务 | 10.2.30.0/24 | 10.2.30.254 |
| VLAN 201 | 无线非办公业务 | 10.2.201.0/24 | 10.2.201.254 |
| VLAN 100 | AP 管理网段 | 10.2.100.0/24 | 10.2.100.254 |
| VLAN 999 | 管理VLAN | 10.2.255.131/24 | 10.2.255.254 |
模拟器拓扑图搭建
eNSP 中绘制拓扑
在 eNSP 中正常拖入其他设备,使用 Cloud1 和 Cloud2 设备替代 H3C 的两台设备。
在 Cloud1 中添加 5 个开放 UDP 端口的接口,和 5 个不开放 UDP 端口的接口,并将他们之间两两建立双向映射关系。
| 端口编号 | 监听UDP端口 | 对端端口(H3C) | 映射UDP端口 | 连接设备 |
|---|---|---|---|---|
| 1 | 35001 | 127.0.0.1:55001 | 6(G0/0/6) | R1 G0/0/0 |
| 2 | 35002 | 127.0.0.1:55002 | 7(G0/0/7) | Cloud_S1 G0/0/1 |
| 3 | 35003 | 127.0.0.1:55003 | 8(G0/0/8) | Acc_S1 G0/0/1 |
| 4 | 35004 | 127.0.0.1:55004 | 9(G0/0/9) | PoE1 G0/0/1 |
| 5 | 35005 | 127.0.0.1:55005 | 10(G0/0/10) | AC1 G0/0/1 |
在 Cloud2 中添加 5 个开放 UDP 端口的接口,和 5 个不开放 UDP 端口的接口,并将他们之间两两建立双向映射关系。
| 端口编号 | 监听UDP端口 | 对端端口(H3C) | 映射UDP端口 | 连接设备 |
|---|---|---|---|---|
| 1 | 36001 | 127.0.0.1:56001 | 6(G0/0/6) | R2 G0/0/0 |
| 2 | 36002 | 127.0.0.1:56002 | 7(G0/0/7) | Cloud_S1 G0/0/2 |
| 3 | 36003 | 127.0.0.1:56003 | 8(G0/0/8) | Acc_S1 G0/0/2 |
| 4 | 36004 | 127.0.0.1:56004 | 9(G0/0/9) | PoE1 G0/0/2 |
| 5 | 36005 | 127.0.0.1:56005 | 10(G0/0/10) | AC1 G0/0/2 |
HCL 中绘制拓扑
在 HCL 中正常拖入两台支持堆叠的交换机设备,使用 Cloud1 和 Cloud2 设备替代 Huawei 的设备。
在 Cloud1 中添加 5 个 UDP 隧道。
| 端口名称 | 监听UDP端口 | 对端端口(Huawei) | 连接设备 | 对端设备 |
|---|---|---|---|---|
| UDP_Tunnel_1 | 55001 | 127.0.0.1:35001 | S1 G0/1 | R1 G0/0/0 |
| UDP_Tunnel_2 | 55002 | 127.0.0.1:35002 | S1 G0/2 | Cloud_S1 G0/0/1 |
| UDP_Tunnel_3 | 55003 | 127.0.0.1:35003 | S1 G0/3 | Acc_S1 G0/0/1 |
| UDP_Tunnel_4 | 55004 | 127.0.0.1:35004 | S1 G0/4 | PoE1 G0/0/1 |
| UDP_Tunnel_5 | 55005 | 127.0.0.1:35005 | S1 G0/5 | AC1 G0/0/1 |
在 Cloud2 中添加 5 个 UDP 隧道。
| 端口名称 | 监听UDP端口 | 对端端口(Huawei) | 连接设备 | 对端设备 |
|---|---|---|---|---|
| UDP_Tunnel_1 | 56001 | 127.0.0.1:36001 | S2 G0/0/1 | R2 G0/0/0 |
| UDP_Tunnel_2 | 56002 | 127.0.0.1:36002 | S2 G0/0/2 | Cloud_S1 G0/0/2 |
| UDP_Tunnel_3 | 56003 | 127.0.0.1:36003 | S2 G0/0/3 | Acc_S1 G0/0/2 |
| UDP_Tunnel_4 | 56004 | 127.0.0.1:36004 | S2 G0/0/4 | PoE1 G0/0/2 |
| UDP_Tunnel_5 | 56005 | 127.0.0.1:36005 | S2 G0/0/5 | AC1 G0/0/2 |
二层网络和设备管理配置
开始配置前请注意,将所有设备关闭,配置一台再开启一台,不要同时开启所有设备配置,因为模拟器原因有成环的可能。
AP 留到最后开机,AP 会持续主动发送 DHCP Discover 报文是造成环路的主要诱因。
Telnet 配置
此处以 Cloud-HW-S5736-S1 设备为例配置,其他设备同理配置省略。
[Cloud-HW-S5736-S1] telnet server enable
[Cloud-HW-S5736-S1] user-interface vty 0 4
[Cloud-HW-S5736-S1-ui-vty0-4] user privilege level 15
[Cloud-HW-S5736-S1-ui-vty0-4] authentication-mode aaa
[Cloud-HW-S5736-S1-ui-vty0-4] quit
[Cloud-HW-S5736-S1] aaa
[Cloud-HW-S5736-S1-aaa] local-user admin password cipher Huawei@123
[Cloud-HW-S5736-S1-aaa] local-user admin privilege level 15
[Cloud-HW-S5736-S1-aaa] local-user admin service-type telnet
[Cloud-HW-S5736-S1-aaa] quit 堆叠配置
修改 Core-H3C-S5820-S2 的 IRF 设备 ID 为 2,保存配置,并重启。
[Core-H3C-S5820-S2] irf member 1 renumber 2
[Core-H3C-S5820-S2] quit
<Core-H3C-S5820-S2> reboot将 Core-H3C-S5820-S2 的 XGE_2/0/49 和 XGE_2/0/50 口 shutdown,并加入到堆叠口。
[Core-H3C-S5820-S2] interface range Ten-GigabitEthernet 2/0/49 to Ten-GigabitEthernet 2/0/50
[Core-H3C-S5820-S2-if-range] shutdown
[Core-H3C-S5820-S2-if-range] quit
[Core-H3C-S5820-S2] irf-port 2/2
[Core-H3C-S5820-S2-irf-port2/2] port group interface Ten-GigabitEthernet 2/0/49
[Core-H3C-S5820-S2-irf-port2/2] port group interface Ten-GigabitEthernet 2/0/50
[Core-H3C-S5820-S2-if-range] quit启用 Core-H3C-S5820-S2 的 XGE_2/0/49 和 XGE_2/0/50 口,并激活 IRF。
[Core-H3C-S5820-S2] interface range Ten-GigabitEthernet 2/0/49 to Ten-GigabitEthernet 2/0/50
[Core-H3C-S5820-S2-if-range] undo shutdown
[Core-H3C-S5820-S2-if-range] quit
[Core-H3C-S5820-S2] save force
[Core-H3C-S5820-S2] irf-port-configuration active修改 Core-H3C-S5820-S1 IRF 的优先级,使其成为主设备。
[Core-H3C-S5820-S1] irf member 1 priority 32将 Core-H3C-S5820-S1 的 XGE_1/0/49 和 XGE_1/0/50 口 shutdown,并加入到堆叠口。
[Core-H3C-S5820-S1] interface range Ten-GigabitEthernet 1/0/49 to Ten-GigabitEthernet 1/0/50
[Core-H3C-S5820-S1-if-range] shutdown
[Core-H3C-S5820-S1-if-range] quit
[Core-H3C-S5820-S1] irf-port 1/1
[Core-H3C-S5820-S1-irf-port1/1] port group interface Ten-GigabitEthernet 1/0/49
[Core-H3C-S5820-S1-irf-port1/1] port group interface Ten-GigabitEthernet 1/0/50
[Core-H3C-S5820-S1-if-range] quit启用 Core-H3C-S5820-S1 的 XGE_2/0/49 和 XGE_2/0/50 口,并激活 IRF。
[Core-H3C-S5820-S1] interface range Ten-GigabitEthernet 1/0/49 to Ten-GigabitEthernet 1/0/50
[Core-H3C-S5820-S1-if-range] undo shutdown
[Core-H3C-S5820-S1-if-range] quit
[Core-H3C-S5820-S1] save force
[Core-H3C-S5820-S1] irf-port-configuration active等待堆叠配置成功,在 Core-H3C-S5820-S1 使用 display irf 命令查看堆叠状态,能看到两个设备上线,说明堆叠配置成功。
[Core-H3C-S5820-S1] display irf
桌面云接入配置
在 Cloud-HW-S5736-S1 上创建 VLAN 并配置管理 IP。
[Cloud-HW-S5736-S1] vlan batch 10 101 102 999
[Cloud-HW-S5736-S1] ip vpn-instance manage
[Cloud-HW-S5736-S1-vpn-instance-manage] ipv4-family
[Cloud-HW-S5736-S1-vpn-instance-manage-af-ipv4] quit
[Cloud-HW-S5736-S1-vpn-instance-manage] quit
[Cloud-HW-S5736-S1] interface Vlanif 999
[Cloud-HW-S5736-S1-Vlanif999] ip binding vpn-instance manage
[Cloud-HW-S5736-S1-Vlanif999] ip address 10.2.255.111 24
[Cloud-HW-S5736-S1-Vlanif999] quit
[Cloud-HW-S5736-S1] ip route-static vpn-instance manage 0.0.0.0 0 10.2.255.254在 Cloud-HW-S5736-S1 上将 G0/0/1 和 G0/0/2 口加入到链路聚合口 Eth-Trunk0,并配置模式为 lacp。
[Cloud-HW-S5736-S1] interface Eth-Trunk0
[Cloud-HW-S5736-S1-Eth-Trunk0] mode lacp-static
[Cloud-HW-S5736-S1-Eth-Trunk0] trunkport GigabitEthernet 0/0/1 to 0/0/2在 Cloud-HW-S5736-S1 上为链路聚合口放行对应 VLAN。
[Cloud-HW-S5736-S1-Eth-Trunk0] port link-type trunk
[Cloud-HW-S5736-S1-Eth-Trunk0] port trunk allow-pass vlan 10 101 102 999
[Cloud-HW-S5736-S1-Eth-Trunk0] quit在 Core-H3C-S5820-S1 上创建 VLAN。
[Core-H3C-S5820-S1] vlan 10
[Core-H3C-S5820-S1-vlan10] quit
[Core-H3C-S5820-S1] vlan 101
[Core-H3C-S5820-S1-vlan101] quit
[Core-H3C-S5820-S1] vlan 102
[Core-H3C-S5820-S1-vlan102] quit
[Core-H3C-S5820-S1] vlan 999
[Core-H3C-S5820-S1-vlan999] quit在 Core-H3C-S5820-S1 将 GE1/0/2 和 GE2/0/2 口加入到链路聚合口 Bridge-Aggregation 1,并配置模式为 lacp。
[Core-H3C-S5820-S1] interface Bridge-Aggregation 1
[Core-H3C-S5820-S1-Bridge-Aggregation1] link-aggregation mode dynamic
[Core-H3C-S5820-S1-Bridge-Aggregation1] quit
[Core-H3C-S5820-S1] interface GigabitEthernet 1/0/2
[Core-H3C-S5820-S1-GigabitEthernet1/0/2] port link-aggregation group 1
[Core-H3C-S5820-S1-GigabitEthernet1/0/2] quit
[Core-H3C-S5820-S1] interface GigabitEthernet 2/0/2
[Core-H3C-S5820-S1-GigabitEthernet2/0/2] port link-aggregation group 1
[Core-H3C-S5820-S1-GigabitEthernet2/0/2] quit在 Core-H3C-S5820-S1 上为链路聚合口放行对应 VLAN。
[Core-H3C-S5820-S1] interface Bridge-Aggregation 1
[Core-H3C-S5820-S1-Bridge-Aggregation1] port link-type trunk
[Core-H3C-S5820-S1-Bridge-Aggregation1] port trunk permit vlan 10 101 102 999
[Core-H3C-S5820-S1-Bridge-Aggregation1] quit在 Core-H3C-S5820-S1 上配置管理网关。
[Core-H3C-S5820-S1] interface Vlan-interface 999
[Core-H3C-S5820-S1-Vlan-interface999] ip address 10.2.255.254 255.255.255.0
[Core-H3C-S5820-S1-Vlan-interface999] quit在 Core-H3C-S5820-S1 上查看链路聚合状态。
[Core-H3C-S5820-S1] display link-aggregation verbose
在 Cloud-HW-S5736-S1 上查看链路聚合状态。
[Cloud-HW-S5736-S1] display interface Eth-Trunk 0
TC 接入配置
在 Acc-HW-S5736-S1 上创建 VLAN 并配置管理 IP。
[Acc-HW-S5736-S1] vlan batch 20 999
[Acc-HW-S5736-S1] ip vpn-instance manage
[Acc-HW-S5736-S1-vpn-instance-manage] ipv4-family
[Acc-HW-S5736-S1-vpn-instance-manage-af-ipv4] quit
[Acc-HW-S5736-S1-vpn-instance-manage] quit
[Acc-HW-S5736-S1] interface Vlanif 999
[Acc-HW-S5736-S1-Vlanif999] ip binding vpn-instance manage
[Acc-HW-S5736-S1-Vlanif999] ip address 10.2.255.121 24
[Acc-HW-S5736-S1-Vlanif999] quit
[Acc-HW-S5736-S1] ip route-static vpn-instance manage 0.0.0.0 0 10.2.255.254在 Acc-HW-S5736-S1 上将 G0/0/1 和 G0/0/2 口加入到链路聚合口 Eth-Trunk0,并配置模式为 lacp。
[Acc-HW-S5736-S1] interface Eth-Trunk0
[Acc-HW-S5736-S1-Eth-Trunk0] mode lacp-static
[Acc-HW-S5736-S1-Eth-Trunk0] trunkport GigabitEthernet 0/0/1 to 0/0/2在 Acc-HW-S5736-S1 上为链路聚合口放行对应 VLAN。
[Acc-HW-S5736-S1-Eth-Trunk0] port link-type trunk
[Acc-HW-S5736-S1-Eth-Trunk0] port trunk allow-pass vlan 20 999
[Acc-HW-S5736-S1-Eth-Trunk0] quit在 Core-H3C-S5820-S1 上创建 VLAN。
[Core-H3C-S5820-S1] vlan 20
[Core-H3C-S5820-S1-vlan20] quit在 Core-H3C-S5820-S1 将 GE1/0/3 和 GE2/0/3 口加入到链路聚合口 Bridge-Aggregation 2,并配置模式为 lacp。
[Core-H3C-S5820-S1] interface Bridge-Aggregation 2
[Core-H3C-S5820-S1-Bridge-Aggregation2] link-aggregation mode dynamic
[Core-H3C-S5820-S1-Bridge-Aggregation2] quit
[Core-H3C-S5820-S1] interface GigabitEthernet 1/0/3
[Core-H3C-S5820-S1-GigabitEthernet1/0/3] port link-aggregation group 2
[Core-H3C-S5820-S1-GigabitEthernet1/0/3] quit
[Core-H3C-S5820-S1] interface GigabitEthernet 2/0/3
[Core-H3C-S5820-S1-GigabitEthernet2/0/3] port link-aggregation group 2
[Core-H3C-S5820-S1-GigabitEthernet2/0/3] quit在 Core-H3C-S5820-S1 上为链路聚合口放行对应 VLAN。
[Core-H3C-S5820-S1] interface Bridge-Aggregation 2
[Core-H3C-S5820-S1-Bridge-Aggregation2] port link-type trunk
[Core-H3C-S5820-S1-Bridge-Aggregation2] port trunk permit vlan 20 999
[Core-H3C-S5820-S1-Bridge-Aggregation2] quit在 Core-H3C-S5820-S1 上查看链路聚合状态。
[Core-H3C-S5820-S1] display link-aggregation verbose
在 Acc-HW-S5736-S1 上查看链路聚合状态。
[Acc-HW-S5736-S1] display interface Eth-Trunk 0
PoE 交换机配置
在 Acc-HW-S5735-PoE1 上创建 VLAN 并配置管理 IP。
[Acc-HW-S5735-PoE1] vlan batch 30 100 201 999
[Acc-HW-S5735-PoE1] ip vpn-instance manage
[Acc-HW-S5735-PoE1-vpn-instance-manage] ipv4-family
[Acc-HW-S5735-PoE1-vpn-instance-manage-af-ipv4] quit
[Acc-HW-S5735-PoE1-vpn-instance-manage] quit
[Acc-HW-S5735-PoE1] interface Vlanif 999
[Acc-HW-S5735-PoE1-Vlanif999] ip binding vpn-instance manage
[Acc-HW-S5735-PoE1-Vlanif999] ip address 10.2.255.131 24
[Acc-HW-S5735-PoE1-Vlanif999] quit
[Acc-HW-S5735-PoE1] ip route-static vpn-instance manage 0.0.0.0 0 10.2.255.254在 Acc-HW-S5735-PoE1 上将 G0/0/1 和 G0/0/2 口加入到链路聚合口 Eth-Trunk0,并配置模式为 lacp。
[Acc-HW-S5735-PoE1] interface Eth-Trunk0
[Acc-HW-S5735-PoE1-Eth-Trunk0] mode lacp-static
[Acc-HW-S5735-PoE1-Eth-Trunk0] trunkport GigabitEthernet 0/0/1 to 0/0/2在 Acc-HW-S5735-PoE1 上为链路聚合口放行对应 VLAN。
[Acc-HW-S5735-PoE1-Eth-Trunk0] port link-type trunk
[Acc-HW-S5735-PoE1-Eth-Trunk0] port trunk allow-pass vlan 30 100 201 999
[Acc-HW-S5735-PoE1-Eth-Trunk0] quit在 Acc-HW-S5735-PoE1 上为连接 AP 的接口 G0/0/4 和 G0/0/5 放行对应的 VLAN。
[Acc-HW-S5735-PoE1] port-group group-member GigabitEthernet 0/0/3 to GigabitEthernet 0/0/4
[Acc-HW-S5735-PoE1-port-group] port link-type trunk
[Acc-HW-S5735-PoE1-port-group] port trunk pvid vlan 100
[Acc-HW-S5735-PoE1-port-group] port trunk allow-pass vlan 30 100 201在 Core-H3C-S5820-S1 上创建 VLAN。
[Core-H3C-S5820-S1] vlan 30
[Core-H3C-S5820-S1-vlan30] quit
[Core-H3C-S5820-S1] vlan 100
[Core-H3C-S5820-S1-vlan100] quit
[Core-H3C-S5820-S1] vlan 201
[Core-H3C-S5820-S1-vlan201] quit在 Core-H3C-S5820-S1 将 GE1/0/4 和 GE2/0/4 口加入到链路聚合口 Bridge-Aggregation 3,并配置模式为 lacp。
[Core-H3C-S5820-S1] interface Bridge-Aggregation 3
[Core-H3C-S5820-S1-Bridge-Aggregation3] link-aggregation mode dynamic
[Core-H3C-S5820-S1-Bridge-Aggregation3] quit
[Core-H3C-S5820-S1] interface GigabitEthernet 1/0/4
[Core-H3C-S5820-S1-GigabitEthernet1/0/4] port link-aggregation group 3
[Core-H3C-S5820-S1-GigabitEthernet1/0/4] quit
[Core-H3C-S5820-S1] interface GigabitEthernet 2/0/4
[Core-H3C-S5820-S1-GigabitEthernet2/0/4] port link-aggregation group 3
[Core-H3C-S5820-S1-GigabitEthernet2/0/4] quit在 Core-H3C-S5820-S1 上为链路聚合口放行对应 VLAN。
[Core-H3C-S5820-S1] interface Bridge-Aggregation 3
[Core-H3C-S5820-S1-Bridge-Aggregation3] port link-type trunk
[Core-H3C-S5820-S1-Bridge-Aggregation3] port trunk permit vlan 30 100 201 999
[Core-H3C-S5820-S1-Bridge-Aggregation3] quit在 Core-H3C-S5820-S1 上查看链路聚合状态。
[Core-H3C-S5820-S1] display link-aggregation verbose
在 Acc-HW-S5735-PoE1 上查看链路聚合状态。
[Acc-HW-S5735-PoE1] display interface Eth-Trunk 0
AC 配置
在 Core-HW-S6000-AC1 上创建 VLAN 并配置设备管理 IP 和 AC、AP 管理 IP。
[Core-HW-S6000-AC1] vlan batch 100 999
[Core-HW-S6000-AC1] interface Vlanif 999
[Core-HW-S6000-AC1-Vlanif999] ip address 10.2.255.130 24
[Core-HW-S6000-AC1-Vlanif999] quit
[Core-HW-S6000-AC1] interface Vlanif 100
[Core-HW-S6000-AC1-Vlanif100] ip address 10.2.100.100 24
[Core-HW-S6000-AC1-Vlanif100] quit
[Core-HW-S6000-AC1] ip route-static 0.0.0.0 0 10.2.255.254在 Core-HW-S6000-AC1 上将 G0/0/1 和 G0/0/2 口加入到链路聚合口 Eth-Trunk0,并配置模式为 lacp。
[Core-HW-S6000-AC1] interface Eth-Trunk0
[Core-HW-S6000-AC1-Eth-Trunk0] mode lacp-static
[Core-HW-S6000-AC1-Eth-Trunk0] trunkport GigabitEthernet 0/0/1 to 0/0/2在 Core-HW-S6000-AC1 上为链路聚合口放行对应 VLAN。
[Core-HW-S6000-AC1-Eth-Trunk0] port link-type trunk
[Core-HW-S6000-AC1-Eth-Trunk0] port trunk allow-pass vlan 100 999
[Core-HW-S6000-AC1-Eth-Trunk0] quit在 Core-H3C-S5820-S1 将 GE1/0/5 和 GE2/0/5 口加入到链路聚合口 Bridge-Aggregation 4,并配置模式为 lacp。
[Core-H3C-S5820-S1] interface Bridge-Aggregation 4
[Core-H3C-S5820-S1-Bridge-Aggregation4] link-aggregation mode dynamic
[Core-H3C-S5820-S1-Bridge-Aggregation4] quit
[Core-H3C-S5820-S1] interface GigabitEthernet 1/0/5
[Core-H3C-S5820-S1-GigabitEthernet1/0/5] port link-aggregation group 4
[Core-H3C-S5820-S1-GigabitEthernet1/0/5] quit
[Core-H3C-S5820-S1] interface GigabitEthernet 2/0/5
[Core-H3C-S5820-S1-GigabitEthernet2/0/5] port link-aggregation group 4
[Core-H3C-S5820-S1-GigabitEthernet2/0/5] quit在 Core-H3C-S5820-S1 上为链路聚合口放行对应 VLAN。
[Core-H3C-S5820-S1] interface Bridge-Aggregation 4
[Core-H3C-S5820-S1-Bridge-Aggregation4] port link-type trunk
[Core-H3C-S5820-S1-Bridge-Aggregation4] port trunk permit vlan 100 999
[Core-H3C-S5820-S1-Bridge-Aggregation4] quit在 Core-H3C-S5820-S1 上查看链路聚合状态。
[Core-H3C-S5820-S1] display link-aggregation verbose
在 Core-HW-S6000-AC1 上查看链路聚合状态。
[Core-HW-S6000-AC1] display interface Eth-Trunk 0
业务配置
核心交换机配置
在 Core-H3C-S5820-S1 上配置 DHCP。
[Core-H3C-S5820-S1] dhcp enable
[Core-H3C-S5820-S1] dhcp server ip-pool vlan10
[Core-H3C-S5820-S1-dhcp-pool-vlan10] network 10.2.10.0 24
[Core-H3C-S5820-S1-dhcp-pool-vlan10] gateway-list 10.2.10.254
[Core-H3C-S5820-S1-dhcp-pool-vlan10] dns-list 114.114.114.114
[Core-H3C-S5820-S1-dhcp-pool-vlan10] quit
[Core-H3C-S5820-S1] dhcp server ip-pool vlan20
[Core-H3C-S5820-S1-dhcp-pool-vlan20] network 10.2.20.0 24
[Core-H3C-S5820-S1-dhcp-pool-vlan20] gateway-list 10.2.20.254
[Core-H3C-S5820-S1-dhcp-pool-vlan20] dns-list 114.114.114.114
[Core-H3C-S5820-S1-dhcp-pool-vlan20] quit
[Core-H3C-S5820-S1] dhcp server ip-pool vlan30
[Core-H3C-S5820-S1-dhcp-pool-vlan30] network 10.2.30.0 24
[Core-H3C-S5820-S1-dhcp-pool-vlan30] gateway-list 10.2.30.254
[Core-H3C-S5820-S1-dhcp-pool-vlan30] dns-list 114.114.114.114
[Core-H3C-S5820-S1-dhcp-pool-vlan30] quit
[Core-H3C-S5820-S1] dhcp server ip-pool vlan100
[Core-H3C-S5820-S1-dhcp-pool-vlan100] network 10.2.100.0 24
[Core-H3C-S5820-S1-dhcp-pool-vlan100] gateway-list 10.2.100.254
[Core-H3C-S5820-S1-dhcp-pool-vlan100] forbidden-ip 10.2.100.100
[Core-H3C-S5820-S1-dhcp-pool-vlan100] dns-list 114.114.114.114
[Core-H3C-S5820-S1-dhcp-pool-vlan100] quit
[Core-H3C-S5820-S1] dhcp server ip-pool vlan201
[Core-H3C-S5820-S1-dhcp-pool-vlan201] network 10.2.201.0 24
[Core-H3C-S5820-S1-dhcp-pool-vlan201] gateway-list 10.2.201.254
[Core-H3C-S5820-S1-dhcp-pool-vlan201] dns-list 114.114.114.114
[Core-H3C-S5820-S1-dhcp-pool-vlan201] quit检查 DHCP 配置。
[Core-H3C-S5820-S1] display dhcp server pool
在 Core-H3C-S5820-S1 上配置业务网关。
[Core-H3C-S5820-S1] interface Vlan-interface 10
[Core-H3C-S5820-S1-Vlan-interface10] ip address 10.2.10.254 24
[Core-H3C-S5820-S1-Vlan-interface10] quit
[Core-H3C-S5820-S1] interface Vlan-interface 20
[Core-H3C-S5820-S1-Vlan-interface20] ip address 10.2.20.254 24
[Core-H3C-S5820-S1-Vlan-interface20] quit
[Core-H3C-S5820-S1] interface Vlan-interface 30
[Core-H3C-S5820-S1-Vlan-interface30] ip address 10.2.30.254 24
[Core-H3C-S5820-S1-Vlan-interface30] quit
[Core-H3C-S5820-S1] interface Vlan-interface 100
[Core-H3C-S5820-S1-Vlan-interface100] ip address 10.2.100.254 24
[Core-H3C-S5820-S1-Vlan-interface100] quit
[Core-H3C-S5820-S1] interface Vlan-interface 101
[Core-H3C-S5820-S1-Vlan-interface101] ip address 10.2.101.254 24
[Core-H3C-S5820-S1-Vlan-interface101] quit
[Core-H3C-S5820-S1] interface Vlan-interface 102
[Core-H3C-S5820-S1-Vlan-interface102] ip address 10.2.102.254 24
[Core-H3C-S5820-S1-Vlan-interface102] quit
[Core-H3C-S5820-S1] interface Vlan-interface 201
[Core-H3C-S5820-S1-Vlan-interface201] ip address 10.2.201.254 24在 Core-H3C-S5820-S1 上配置 G1/0/1 和 G2/0/1 的 IP 地址。
[Core-H3C-S5820-S1] interface GigabitEthernet 1/0/1
[Core-H3C-S5820-S1-GigabitEthernet1/0/1] port link-mode route
[Core-H3C-S5820-S1-GigabitEthernet1/0/1] ip address 10.2.111.2 24
[Core-H3C-S5820-S1-GigabitEthernet1/0/1] quit
[Core-H3C-S5820-S1] interface GigabitEthernet 2/0/1
[Core-H3C-S5820-S1-GigabitEthernet2/0/1] port link-mode route
[Core-H3C-S5820-S1-GigabitEthernet2/0/1] ip address 10.2.112.2 24
[Core-H3C-S5820-S1-GigabitEthernet2/0/1] quit检查 IP 地址配置。
[Core-H3C-S5820-S1] display ip interface brief
在 Core-H3C-S5820-S1 上配置路由。
[Core-H3C-S5820-S1] ip route-static 0.0.0.0 0 10.2.111.1
[Core-H3C-S5820-S1] ip route-static 0.0.0.0 0 10.2.112.1在 Core-H3C-S5820-S1 上配置策略路由,实现按业务分流。
定义访问控制列表ACL 3000、3001、3002,用来匹配不同的源和目的。
[Core-H3C-S5820-S1] acl advanced 3000
[Core-H3C-S5820-S1-acl-ipv4-adv-3000] rule 0 permit ip source 10.2.10.0 0.0.0.255
[Core-H3C-S5820-S1-acl-ipv4-adv-3000] rule 5 permit ip source 10.2.20.0 0.0.0.255
[Core-H3C-S5820-S1-acl-ipv4-adv-3000] rule 10 permit ip source 10.2.30.0 0.0.0.255
[Core-H3C-S5820-S1-acl-ipv4-adv-3000] rule 15 permit ip source 10.2.101.0 0.0.0.255
[Core-H3C-S5820-S1-acl-ipv4-adv-3000] rule 20 permit ip source 10.2.102.0 0.0.0.255
[Core-H3C-S5820-S1-acl-ipv4-adv-3000] quit
[Core-H3C-S5820-S1] acl advanced 3001
[Core-H3C-S5820-S1-acl-ipv4-adv-3001] rule 0 permit ip source 10.2.201.0 0.0.0.255
[Core-H3C-S5820-S1-acl-ipv4-adv-3001] quit
[Core-H3C-S5820-S1] acl advanced 3002
[Core-H3C-S5820-S1-acl-ipv4-adv-3002] rule 0 permit ip destination 10.2.0.0 0.0.255.255
[Core-H3C-S5820-S1-acl-ipv4-adv-3002] quit定义节点,根据不同的源目地址匹配不同的动作。
[Core-H3C-S5820-S1] policy-based-route r1 node 1
[Core-H3C-S5820-S1-pbr-r1-1] if-match acl 3002
[Core-H3C-S5820-S1-pbr-r1-1] quit
[Core-H3C-S5820-S1] policy-based-route r1 node 2
[Core-H3C-S5820-S1-pbr-r1-2] if-match acl 3000
[Core-H3C-S5820-S1-pbr-r1-2] apply next-hop 10.2.111.1
[Core-H3C-S5820-S1-pbr-r1-2] quit
[Core-H3C-S5820-S1] policy-based-route r2 node 2
[Core-H3C-S5820-S1-pbr-r2-2] if-match acl 3001
[Core-H3C-S5820-S1-pbr-r2-2] apply next-hop 10.2.112.1
[Core-H3C-S5820-S1-pbr-r2-2] quit在接口上应用转发策略路由,处理此接口接收的报文。
[Core-H3C-S5820-S1] interface Vlan-interface 10
[Core-H3C-S5820-S1-Vlan-interface10] ip policy-based-route r1
[Core-H3C-S5820-S1-Vlan-interface10] quit
[Core-H3C-S5820-S1] interface Vlan-interface 20
[Core-H3C-S5820-S1-Vlan-interface20] ip policy-based-route r1
[Core-H3C-S5820-S1-Vlan-interface20] quit
[Core-H3C-S5820-S1] interface Vlan-interface 30
[Core-H3C-S5820-S1-Vlan-interface30] ip policy-based-route r1
[Core-H3C-S5820-S1-Vlan-interface30] quit
[Core-H3C-S5820-S1] interface Vlan-interface 101
[Core-H3C-S5820-S1-Vlan-interface101] ip policy-based-route r1
[Core-H3C-S5820-S1-Vlan-interface101] quit
[Core-H3C-S5820-S1] interface Vlan-interface 102
[Core-H3C-S5820-S1-Vlan-interface102] ip policy-based-route r1
[Core-H3C-S5820-S1-Vlan-interface102] quit
[Core-H3C-S5820-S1] interface Vlan-interface201
[Core-H3C-S5820-S1-Vlan-interface201] ip address 10.2.201.254 255.255.255.0
[Core-H3C-S5820-S1-Vlan-interface201] ip policy-based-route r2
[Core-H3C-S5820-S1-Vlan-interface201] quit查看路由配置。
[Core-H3C-S5820-S1] dis ip routing-table
[Core-H3C-S5820-S1] display acl all
[Core-H3C-S5820-S1] display ip policy-based-route
出口路由器配置
在 Out-HW-AR6121-R1 上配置 G0/0/0 和 G0/0/1 的 IP 地址。
[Out-HW-AR6121-R1] interface GigabitEthernet 0/0/0
[Out-HW-AR6121-R1-GigabitEthernet0/0/0] ip address 10.2.111.1 24
[Out-HW-AR6121-R1-GigabitEthernet0/0/0] quit
[Out-HW-AR6121-R1] interface GigabitEthernet 0/0/1
[Out-HW-AR6121-R1-GigabitEthernet0/0/1] ip address 203.0.113.2 24
[Out-HW-AR6121-R1-GigabitEthernet0/0/1] quit在 Out-HW-AR6121-R1 上配置 NAT。
[Out-HW-AR6121-R1] acl 2000
[Out-HW-AR6121-R1-acl-basic-2000] rule permit source 10.2.10.0 0.0.0.255
[Out-HW-AR6121-R1-acl-basic-2000] rule permit source 10.2.20.0 0.0.0.255
[Out-HW-AR6121-R1-acl-basic-2000] rule permit source 10.2.30.0 0.0.0.255
[Out-HW-AR6121-R1-acl-basic-2000] rule permit source 10.2.101.0 0.0.0.255
[Out-HW-AR6121-R1-acl-basic-2000] rule permit source 10.2.102.0 0.0.0.255
[Out-HW-AR6121-R1-acl-basic-2000] quit
[Out-HW-AR6121-R1] interface GigabitEthernet 0/0/1
[Out-HW-AR6121-R1-GigabitEthernet0/0/1] nat outbound 2000
[Out-HW-AR6121-R1-GigabitEthernet0/0/1] quit在 Out-HW-AR6121-R1 上配置静态路由。
[Out-HW-AR6121-R1] ip route-static 0.0.0.0 0 203.0.113.1
[Out-HW-AR6121-R1] ip route-static 10.2.10.0 24 10.2.111.2
[Out-HW-AR6121-R1] ip route-static 10.2.20.0 24 10.2.111.2
[Out-HW-AR6121-R1] ip route-static 10.2.30.0 24 10.2.111.2
[Out-HW-AR6121-R1] ip route-static 10.2.101.0 24 10.2.111.2
[Out-HW-AR6121-R1] ip route-static 10.2.102.0 24 10.2.111.2查看 Out-HW-AR6121-R1 路由表。
[Out-HW-AR6121-R1] display ip routing-table 
在 Out-HW-AR6121-R2 上配置 G0/0/0 和 G0/0/2 的 IP 地址。
[Out-HW-AR6121-R2] interface GigabitEthernet 0/0/0
[Out-HW-AR6121-R2-GigabitEthernet0/0/0] ip address 10.2.112.1 24
[Out-HW-AR6121-R2] interface GigabitEthernet 0/0/2
[Out-HW-AR6121-R2-GigabitEthernet0/0/2] ip address 100.64.0.2 24在 Out-HW-AR6121-R2 上配置 NAT。
[Out-HW-AR6121-R2] acl 2000
[Out-HW-AR6121-R2-acl-basic-2000] rule permit source 10.2.201.0 0.0.0.255
[Out-HW-AR6121-R2-acl-basic-2000] quit
[Out-HW-AR6121-R2] interface GigabitEthernet 0/0/2
[Out-HW-AR6121-R2-GigabitEthernet0/0/2] nat outbound 2000
[Out-HW-AR6121-R2-GigabitEthernet0/0/2] quit在 Out-HW-AR6121-R2 上配置静态路由。
[Out-HW-AR6121-R2] ip route-static 0.0.0.0 0 100.64.0.1
[Out-HW-AR6121-R2] ip route-static 10.2.201.0 24 10.2.112.2查看 Out-HW-AR6121-R2 路由表。
[Out-HW-AR6121-R2] display ip routing-table 
在 Internet 上配置 IP 地址,模拟公网设备。
[Internet] interface GigabitEthernet 0/0/1
[Internet-GigabitEthernet0/0/1] ip address 203.0.113.1 24
[Internet-GigabitEthernet0/0/1] quit
[Internet] interface GigabitEthernet 0/0/2
[Internet-GigabitEthernet0/0/2] ip address 100.64.0.1 24
[Internet-GigabitEthernet0/0/2] quit
[Internet] interface LoopBack 0
[Internet-LoopBack0] ip address 114.114.114.114 32
[Internet-LoopBack0] quit查看 Internet 上 IP 地址配置。
[Internet] display ip interface brief
无线业务配置
在 Core-HW-S6000-AC1 上配置 AP 上线。
[Core-HW-S6000-AC1] capwap source interface Vlanif 100
[Core-HW-S6000-AC1] wlan
[Core-HW-S6000-AC1-wlan-view] ap-group name ap
[Core-HW-S6000-AC1-wlan-ap-group-ap] quit
[Core-HW-S6000-AC1-wlan-view] ap auth-mode mac-auth
[Core-HW-S6000-AC1-wlan-view] ap-id 0 ap-mac 00e0-fc05-07b0
[Core-HW-S6000-AC1-wlan-ap-0] ap-name ap1
[Core-HW-S6000-AC1-wlan-ap-0] ap-group ap
[Core-HW-S6000-AC1-wlan-ap-0] quit
[Core-HW-S6000-AC1-wlan-view] ap-id 1 ap-mac 00e0-fcbb-6b50
[Core-HW-S6000-AC1-wlan-ap-1] ap-name ap2
[Core-HW-S6000-AC1-wlan-ap-1] ap-group ap
[Core-HW-S6000-AC1-wlan-ap-1] quit查看 AP 状态。
[Core-HW-S6000-AC1-wlan-view] display ap all
在 Core-HW-S6000-AC1 上配置无线业务参数。
[Core-HW-S6000-AC1-wlan-view] security-profile name office
[Core-HW-S6000-AC1-wlan-sec-prof-office] security wpa-wpa2 psk pass-phrase ICTSTU.com aes
[Core-HW-S6000-AC1-wlan-sec-prof-office] quit
[Core-HW-S6000-AC1-wlan-view] ssid-profile name office
[Core-HW-S6000-AC1-wlan-ssid-prof-office] ssid office
[Core-HW-S6000-AC1-wlan-ssid-prof-office] quit
[Core-HW-S6000-AC1-wlan-view] vap-profile name office
[Core-HW-S6000-AC1-wlan-vap-prof-office] forward-mode direct-forward
[Core-HW-S6000-AC1-wlan-vap-prof-office] service-vlan vlan-id 30
[Core-HW-S6000-AC1-wlan-vap-prof-office] security-profile office
[Core-HW-S6000-AC1-wlan-vap-prof-office] ssid-profile office
[Core-HW-S6000-AC1-wlan-vap-prof-office] quit
[Core-HW-S6000-AC1-wlan-view] security-profile name open
[Core-HW-S6000-AC1-wlan-sec-prof-open] security wpa psk pass-phrase 88888888 aes
[Core-HW-S6000-AC1-wlan-sec-prof-open] quit
[Core-HW-S6000-AC1-wlan-view] ssid-profile name open
[Core-HW-S6000-AC1-wlan-ssid-prof-open] ssid open
[Core-HW-S6000-AC1-wlan-ssid-prof-open] quit
[Core-HW-S6000-AC1-wlan-view] vap-profile name open
[Core-HW-S6000-AC1-wlan-vap-prof-open] forward-mode direct-forward
[Core-HW-S6000-AC1-wlan-vap-prof-open] service-vlan vlan-id 201
[Core-HW-S6000-AC1-wlan-vap-prof-open] security-profile open
[Core-HW-S6000-AC1-wlan-vap-prof-open] ssid-profile open
[Core-HW-S6000-AC1-wlan-vap-prof-open] quit在 Core-HW-S6000-AC1 上下发业务。
[Core-HW-S6000-AC1-wlan-view] ap-group name ap
[Core-HW-S6000-AC1-wlan-ap-group-ap] vap-profile office wlan 1 radio all
[Core-HW-S6000-AC1-wlan-ap-group-ap] vap-profile open wlan 2 radio all
[Core-HW-S6000-AC1-wlan-ap-group-ap] quit在 Core-HW-S6000-AC1 查看业务下发情况。
[Core-HW-S6000-AC1-wlan-view] display vap all
业务验证
STA 连接无线验证
配置 STA 连接无线网络,VLAN 30 和 VLAN 201 两个 STA 分别表示不同业务。
在 Core-HW-S6000-AC1 查看无线网络连接情况。
[Core-HW-S6000-AC1-wlan-view] display station ssid office
[Core-HW-S6000-AC1-wlan-view] display station ssid open
两台 STA 分别 ping 114.114.114.114 模拟访问互联网,模拟器里面无线业务不稳定,掉包属于正常情况。
分别查看 Out-HW-AR6121-R1 和 Out-HW-AR6121-R2 的 NAT 会话表,看看是否按照要求分流。
[Out-HW-AR6121-R1] display nat session all
[Out-HW-AR6121-R2] display nat session all
业务访问验证
内部办公业务间可以互访。“VM VLAN 10”模拟桌面云中的云桌面属于 VLAN 10,“TC VLAN 20”模拟 TC 终端属于 VLAN 20。
云桌面可以对内网设备进行管理。
云桌面访问公网验证。
“PC VLAN 201”模拟非办公业务的上网设备,可以访问互联网,但是不能访问内网。
![[openEuler实验]使用Nginx实现OpenCart电商平台](https://images.grbj.cn/202501100344817.png)
