华为Ensp拓扑,使用MSTP、OSPF、DHCP、VRRP、链路聚合、CHAP
OSPF+DHCP+VRRP+Eth-trunk+PPP(CHAP)+MSTP
实验目标:
- LSW1和LSW2核心交换机互为备份,配置链路聚合,设备冗余设计,LSW1和LSW2作为核心交换机配置DHCP下发,并配置VRRP作为终端的网关。
- AR1与AR2通过ppp链路连接,启用ppp协议的chap认证,AR2为认证方、AR1为被认证方,用户名为路由器名称,密码:123456 。AR1与AR2的连接采用静态路由(默认路由连接)。
- 在AR1的S1/0/0接口上配置NAT地址转换,使内部各网段PC能访问互联网服务器server1 。
- AR1与LSW1和LSW2核心交换机采用OSPF实现路由互通
- 在核心交换机启用的vrrp协议中,VLAN61、62的数据流默认通过LSW1转发,VLAN63、64数据流默认通过LSW2转发。
- 整个网络采用多生成树,设置LSW1作为生成树实例1的根,VLAN61、62归属于生成树实例1,设置LSW2作为生成树实例2的根,VLAN63、64归属于生成树实例2.
- 配置ACAP使的无线用户获取IP地址并能够上网
配置思路:
IP地址表:
| 设备 | 端口 | IP地址 |
|---|---|---|
| AR1 | G0/0/1 | 10.10.111.1/30 |
| AR1 | G0/0/2 | 10.10.112.1/30 |
| AR1 | S1/0/0 | 11.11.11.1/24 |
| AR1 | Loopback0 | 1.1.1.1/32 |
| AR2 | G0/0/0 | 200.200.46.1/24 |
| AR2 | S1/0/0 | 11.11.11.2/24 |
| LSW1 | VLANif61 | 10.10.61.252/24 |
| LSW1 | VLANif62 | 10.10.62.252/24 |
| LSW1 | VLANif63 | 10.10.63.252/24 |
| LSW1 | VLANif64 | 10.10.64.252/24 |
| LSW1 | VLANif100 | 10.10.100.252/24 |
| LSW1 | VLANif101 | 10.10.101.252/24 |
| LSW1 | VLANif111 | 10.10.111.2/30 |
| LSW1 | Loopback0 | 2.2.2.2/32 |
| LSW2 | VLANif61 | 10.10.61.253/24 |
| LSW2 | VLANif62 | 10.10.62.253/24 |
| LSW2 | VLANif63 | 10.10.63.253/24 |
| LSW2 | VLANif64 | 10.10.64.253/24 |
| LSW2 | VLANif100 | 10.10.100.1/24 |
| LSW2 | VLANif101 | 10.10.101.1/24 |
| LSW2 | VLANif112 | 10.10.112.2/30 |
| LSW2 | Loopback0 | 3.3.3.3/32 |
| AC | VLANif100 | 10.10.100.2/24 |
| AC | Loopback0 | 4.4.4.4/32 |
| PC1 | E0/0/1 | DHCP获取 |
| PC2 | E0/0/1 | DHCP获取 |
| PC3 | E0/0/1 | DHCP获取 |
| STA1 | DHCP获取 | |
| STA2 | DHCP获取 |
接口表:
| 本端设备 | 本端接口 | 所属VLAN | 对端设备 | 对端接口 | 所属VLAN |
|---|---|---|---|---|---|
| AR1 | G0/0/1 | LSW1 | G0/0/24 | VLAN111 | |
| AR1 | G0/0/2 | LSW2 | G0/0/24 | VLAN112 | |
| AR1 | S1/0/0 | AR2 | S1/0/0 | ||
| AR2 | G0/0/0 | Server1 | E0/0/0 | ||
| AR2 | S1/0/0 | AR1 | S1/0/0 | ||
| LSW1 | G0/0/1 | VLAN61~64 | LSW3 | G0/0/1 | VLAN61~64 |
| LSW1 | G0/0/2 | VLAN61~64 | LSW4 | G0/0/1 | VLAN61~64 |
| LSW1 | G0/0/3 | VLAN6164、100101 | LSW5 | G0/0/1 | VLAN61~64 |
| LSW1 | G0/0/21 | VLAN61~64 | LSW2 | G0/0/21 | VLAN61~64 |
| LSW1 | G0/0/22 | VLAN61~64 | LSW2 | G0/0/22 | VLAN61~64 |
| LSW1 | G0/0/23 | VLAN100 | AC | G0/0/2 | VLAN100 |
| LSW1 | G0/0/24 | VLAN111 | AR1 | G0/0/1 | |
| LSW2 | G0/0/1 | VLAN61~64 | LSW3 | G0/0/2 | VLAN61~64 |
| LSW2 | G0/0/2 | VLAN61~64 | LSW4 | G0/0/2 | VLAN61~64 |
| LSW2 | G0/0/3 | VLAN6164、100101 | LSW5 | G0/0/2 | VLAN61~64 |
| LSW2 | G0/0/21 | VLAN61~64 | LSW1 | G0/0/21 | VLAN61~64 |
| LSW2 | G0/0/22 | VLAN61~64 | LSW1 | G0/0/22 | VLAN61~64 |
| LSW2 | G0/0/24 | VLAN112 | AR1 | G0/0/2 | |
| LSW2 | G0/0/23 | VLAN100 | AC | G0/0/1 | VLAN100 |
| LSW3 | G0/0/1 | VLAN61~64 | LSW1 | G0/0/1 | VLAN61~64 |
| LSW3 | G0/0/2 | VLAN61~64 | LSW2 | G0/0/1 | VLAN61~64 |
| LSW3 | E0/0/1 | VLAN61 | PC1 | E0/0/1 | VLAN61 |
| LSW4 | G0/0/1 | VLAN61~64 | LSW1 | G0/0/2 | VLAN61~64 |
| LSW4 | G0/0/2 | VLAN61~64 | LSW2 | G0/0/2 | VLAN61~64 |
| LSW4 | E0/0/1 | VLAN62 | PC2 | E0/0/1 | VLAN62 |
| LSW5 | G0/0/1 | VLAN61~64 | LSW1 | G0/0/3 | VLAN61~64 |
| LSW5 | G0/0/2 | VLAN61~64 | LSW2 | G0/0/3 | VLAN61~64 |
| LSW5 | E0/0/1 | VLAN63 | PC3 | E0/0/1 | VLAN63 |
| LSW5 | E0/0/22 | VLAN64、100~101 | AP1 | G0/0/0 | VLAN64 |
| AC | G0/0/1 | VLAN100 | LSW2 | G0/0/23 | VLAN100 |
| AC | G0/0/2 | VLAN100 | LSW1 | G0/0/23 | VLAN100 |
路由器基本配置:
AR1:
system-view
sysname AR1
inter s1/0/0
ip add 11.11.11.1 24
inter g0/0/1
ip add 10.10.111.1 30
inter g0/0/2
ip add 10.10.112.1 30
quit
ip route-static 0.0.0.0 0 11.11.11.2
AR2:
system-view
sysname AR2
inter s1/0/0
ip add 11.11.11.2 24
inter g0/0/0
ip add 200.200.46.1 24
quit
ip route-static 0.0.0.0 0 11.11.11.1
交换机VLAN划分:
LSW1:
system-view
sysname LSW1
dhcp enable #开启全局dhcp服务
vlan batch 61 to 64 100 101 111
inter g0/0/1
port link-type trunk
port trunk allow vlan 61 to 64
inter g0/0/2
port link-type trunk
port trunk allow vlan 61 to 64
inter g0/0/3
port link-type trunk
port trunk allow vlan 61 to 64 100 101
inter g0/0/24
port link-type access
port default vlan 111
inter eth 0 #创建端口聚合组0
trunkport g 0/0/21 to 0/0/22 #将g0/0/21和g0/0/22两个端口加入聚合组中
port link-type trunk #干道模式
port trunk allow vlan 61 to 64 100 101 #放行vlan61~64、100、101
LSW2:
system-view
sysname LSW2
dhcp enable #开启全局dhcp服务
vlan batch 61 to 64 100 101 112
inter g0/0/1
port link-type trunk
port trunk allow vlan 61 to 64
inter g0/0/2
port link-type trunk
port trunk allow vlan 61 to 64
inter g0/0/3
port link-type trunk
port trunk allow vlan 61 to 64 100 101
inter g0/0/24
port link-type access
port default vlan 112
inter g0/0/23
port link-type access
port default vlan 100
inter eth 0 #创建端口聚合组0
trunkport g 0/0/21 to 0/0/22
port link-type trunk
port trunk allow vlan 61 to 64 100 101
LSW3:
system-view
sysname LSW3
vlan batch 61 to 64
inter g0/0/1
port link-type trunk
port trunk allow vlan 61 to 64
inter g0/0/2
port link-type trunk
port trunk allow vlan 61 to 64
inter e0/0/1
port link-type access
port default vlan 61
LSW4:
system-view
sysname LSW4
vlan batch 61 to 64
inter g0/0/1
port link-type trunk
port trunk allow vlan 61 to 64
inter g0/0/2
port link-type trunk
port trunk allow vlan 61 to 64
inter e0/0/1
port link-type access
port default vlan 62
LSW5:
system-view
sysname LSW5
vlan batch 61 to 64 100 101
inter g0/0/1
port link-type trunk
port trunk allow vlan 61 to 64 100 101
inter g0/0/2
port link-type trunk
port trunk allow vlan 61 to 64 100 101
inter e0/0/1
port link-type access
port default vlan 63
inter e0/0/22
port link-type trunk
port trunk allow vlan 64 100 101
port trunk pvid vlan 64
核心交换机IP、VRRP配置:
LSW1:
dhcp enable
inter vlan 61
ip add 10.10.61.252 24
vrrp vrid 1 virtual-ip 10.10.61.254
vrrp vrid 1 priority 120 #设置优先级为120;让VLAN61在LSW1上作为主网关
vrrp vrid 1 preempt-mode timer delay 2 #配置抢占模式为2s
vrrp vrid 1 track interface g0/0/24 reduced 50 #当g0/0/24端口出现异常时优先级自动降低50
inter vlan 62
ip add 10.10.62.252 24
vrrp vrid 1 virtual-ip 10.10.62.254
vrrp vrid 1 priority 120 #设置优先级为120;让VLAN62在LSW1上作为主网关
vrrp vrid 1 preempt-mode timer delay 2
vrrp vrid 1 track interface g0/0/24 reduced 50
inter vlan 63
ip add 10.10.63.252 24
vrrp vrid 1 virtual-ip 10.10.63.254
vrrp vrid 1 priority 90 #设置优先级为90;让VLAN63在LSW1上作为备网关
vrrp vrid 1 preempt-mode timer delay 2
inter vlan 64
ip add 10.10.63.252 24
vrrp vrid 1 virtual-ip 10.10.64.254
vrrp vrid 1 priority 90 #设置优先级为90;让VLAN63在LSW1上作为备网关
vrrp vrid 1 preempt-mode timer delay 2
inter vlan 100
ip add 10.10.100.252 24
inter vlan 101
ip add 10.10.101.252 24
vrrp vrid 1 virtual-ip 10.10.101.254
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 2
inter vlan 111
ip add 10.10.111.2 30
LSW2:
dhcp enable
inter vlan 61
ip add 10.10.61.253 24
vrrp vrid 1 virtual-ip 10.10.61.254
vrrp vrid 1 priority 90 #设置优先级为90;让VLAN63在LSW2上作为备网关
vrrp vrid 1 preempt-mode timer delay 2
inter vlan 62
ip add 10.10.62.253 24
vrrp vrid 1 virtual-ip 10.10.62.254
vrrp vrid 1 priority 90 ##设置优先级为90;让VLAN62在LSW2上作为备网关
vrrp vrid 1 preempt-mode timer delay 2
inter vlan 63
ip add 10.10.63.253 24
vrrp vrid 1 virtual-ip 10.10.63.254
vrrp vrid 1 priority 120 #设置优先级为120;让VLAN63在LSW2上作为主网关
vrrp vrid 1 preempt-mode timer delay 2
vrrp vrid 1 track interface g0/0/24 reduced 50 #当g0/0/24端口出现异常时优先级自动降低50
inter vlan 64
ip add 10.10.64.253 24
vrrp vrid 1 virtual-ip 10.10.64.254
vrrp vrid 1 priority 120 #设置优先级为120;让VLAN64在LSW2上作为主网关
vrrp vrid 1 preempt-mode timer delay 2
vrrp vrid 1 track interface g0/0/24 reduced 50
inter vlan 100
ip add 10.10.100.253 24
inter vlan 101
ip add 10.10.101.253 24
vrrp vrid 1 virtual-ip 10.10.101.254
vrrp vrid 1 priority 120 #设置优先级为120;让VLAN101在LSW2上作为主网关
vrrp vrid 1 preempt-mode timer delay 2
vrrp vrid 1 track interface g0/0/24 reduced 50
inter vlan 112
ip add 10.10.112.2 30
DHCP配置:
LSW1:
ip pool vlan61 #创建全局地址池vlan61
network 10.10.61.0 mask 24 #地址池网段10.10.61.0
gateway-list 10.10.61.254 #地址池网关10.10.61.254
dns-list 8.8.8.8 #dns地址8.8.8.8
excluded-ip-address 10.10.61.250 10.10.61.253 #保留10.10.61.250~10.10.61.253的地址段
lease day 1 hour 30 minute 0 #租约时间为1小时30分钟
quit
inter vlan 61
dhcp select global #启用dhcp全局下发
ip pool vlan62
network 10.10.62.0 mask 24
gateway-list 10.10.62.254
dns-list 8.8.8.8
excluded-ip-address 10.10.62.250 10.10.62.253
lease day 1 hour 30 minute 0
quit
inter vlan 62
dhcp select global
ip pool vlan63
network 10.10.63.0 mask 24
gateway-list 10.10.63.254
dns-list 8.8.8.8
excluded-ip-address 10.10.63.250 10.10.63.253
lease day 1 hour 30 minute 0
quit
inter vlan 63
dhcp select global
ip pool vlan64
network 10.10.64.0 mask 24
gateway-list 10.10.64.254
dns-list 8.8.8.8
excluded-ip-address 10.10.64.250 10.10.64.253
lease day 1 hour 30 minute 0
option 43 sub-option 2 ip-address 10.10.100.2 #为AP指定AC的IP地址
quit
inter vlan 64
dhcp select global
ip pool vlan101
network 10.10.101.0 mask 24
gateway-list 10.10.101.254
dns-list 8.8.8.8
excluded-ip-address 10.10.101.250 10.10.101.253
lease day 1 hour 30 minute 0
quit
inter vlan 101
dhcp select global
LSW2:
ip pool vlan61
network 10.10.61.0 mask 24
gateway-list 10.10.61.254
dns-list 8.8.8.8
excluded-ip-address 10.10.61.250 10.10.61.253
lease day 1 hour 30 minute 0
quit
inter vlan 61
dhcp select global
ip pool vlan62
network 10.10.62.0 mask 24
gateway-list 10.10.62.254
dns-list 8.8.8.8
excluded-ip-address 10.10.62.250 10.10.62.253
lease day 1 hour 30 minute 0
quit
inter vlan 62
dhcp select global
ip pool vlan63
network 10.10.63.0 mask 24
gateway-list 10.10.63.254
dns-list 8.8.8.8
excluded-ip-address 10.10.63.250 10.10.63.253
lease day 1 hour 30 minute 0
quit
inter vlan 63
dhcp select global
ip pool vlan64
network 10.10.64.0 mask 24
gateway-list 10.10.64.254
dns-list 8.8.8.8
excluded-ip-address 10.10.64.250 10.10.64.253
lease day 1 hour 30 minute 0
option 43 sub-option 2 ip-address 10.10.100.2
quit
inter vlan 64
dhcp select global
ip pool vlan101
network 10.10.101.0 mask 24
gateway-list 10.10.101.254
dns-list 8.8.8.8
excluded-ip-address 10.10.101.250 10.10.101.253
lease day 1 hour 30 minute 0
quit
inter vlan 101
dhcp select global
OSPF配置:
AR1:
ospf 1 router-id 1.1.1.1
default-route-advertise #导入默认路由
bfd all-interfaces enable
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.10.111.0 0.0.0.3
network 10.10.112.0 0.0.0.3
LSW1:
ospf 1 router-id 2.2.2.2
bfd all-interfaces enable
area 0.0.0.0
network 10.10.61.0 0.0.0.255
network 10.10.62.0 0.0.0.255
network 10.10.63.0 0.0.0.255
network 10.10.64.0 0.0.0.255
network 10.10.100.0 0.0.0.255
network 10.10.101.0 0.0.0.255
network 2.2.2.2 0.0.0.0
network 10.10.111.0 0.0.0.3
LSW2:
ospf 1 router-id 3.3.3.3
bfd all-interfaces enable
area 0.0.0.0
network 10.10.61.0 0.0.0.255
network 10.10.62.0 0.0.0.255
network 10.10.63.0 0.0.0.255
network 10.10.64.0 0.0.0.255
network 10.10.100.0 0.0.0.255
network 10.10.101.0 0.0.0.255
network 3.3.3.3 0.0.0.0
network 10.10.112.0 0.0.0.3
MSTP配置:
LSW1:
stp mode mstp #stp模式改为mstp(多生成树)
stp region-configuration #进入mstp配置面板
region-name 1 #配置mstp区域名称为1
revision-level 1 #修订版本等级为1
instance 1 vlan 61 to 62 #创建实例1加入vlan61、62
instance 2 vlan 63 to 64 #创建实例2加入vlan63、64
active region-configuration #提交当前活动区域配置
stp instance 1 root primary #配置实例1为主根
stp instance 2 root secondary #配置实例2为备根
LSW2:
stp mode mstp
stp region-configuration
region-name 1
revision-level 1
instance 1 vlan 61 to 62
instance 2 vlan 63 to 64
active region-configuration
quit
stp instance 2 root primary #配置实例2为主根
stp instance 1 root secondary #配置实例1为备根
LSW3~LSW5:
stp mode mstp
stp region-configuration
region-name 1
revision-level 1
instance 1 vlan 61 to 62
instance 2 vlan 63 to 64
active region-configuration
NAT转换:
AR1:
acl 2000 #进入基本acl2000
rule 0 permit ip
quit
inter s1/0/0
nat outbound 2000 #启用nat出口转换引用acl2000
PPP链路CHAP认证:
AR1(被认证方):
aaa #进入aaa配置面板
local-user AR1 password cipher 123456 #创建本地用户AR1密码为123456
local-user AR1 service ppp #用户服务类型为ppp认证
quit
inter s1/0/0
link-protocol ppp #更改接口协议类型为ppp认证
ppp authentication-mode chap #ppp认证模式为chap认证
remote address 11.11.11.2 #添加认证方ip
ppp chap user AR2 #认证用户名AR2
ppp chap password cipher 123456 #认证密码123456
AR2(认证方):
aaa
local-user AR2 password cipher 123456
local-user AR2 service ppp
quit
inter s1/0/0
link-protocol ppp
ppp authentication-mode chap
ppp chap user AR1
ppp chap password cipher 123456
AP上线:
capwap source interface Vlanif 100 #绑定无线控制管理VLAN100
wlan #进入wlan全局配置面板
regulatory-domain-profile name AP1 #创建管理域AP1
country-code CN #国家代码为CN
quit
ap-group name AP1 #创建AP组
regulatory-domain-profile AP1 #添加管理域AP1
quit
ap auth-mode mac-auth #ap认证方式为mac认证
ap-id 0 ap-mac 00e0-fc13-1c40 #使用ap的mac地址创建ap-id 0
ap-name AP1
ap-group AP1
quit
AP无线下发:
security-profile name AP1 #创建安全策略AP1
security wpa-wpa2 psk pass-phrase 12345678 aes #认证方式为wpa-wpa2密钥12345678
quit
ssid-profile name AP1 #创建ssid策略AP1
ssid AP1 #ssid名称AP1(WIFI名称)
quit
vap-profile name AP1 #创建vap模板AP1
service-vlan vlan-id 101 #添加业务vlan101
ssid-profile AP1 #使能ssid策略AP1
security-profile AP1 #使能安全策略AP1
quit
ap-group name AP1
vap-profile AP1 wlan 1 radio 0 #将AP1映射在2.4Ghz频段
vap-profile AP1 wlan 1 radio 1 #将AP1映射在5Ghz频段
quit
结果测试:
dhcp获取:
VRRP配置查看:
LSW1:
LSW2:
网络互联和NAT测试:
MSTP配置查看:
查看OSPF邻居关系:
R1:
LSW1:
LSW2:
AC:
查看PPP配置状况:
