
交换综合实验

前面讲了一些交换机的基本知识及配置,今天做一个交换综合实验,配置有问题的地方大家可以提出来互相交流。

一、网络拓扑如下:

二、需求

1、AR1模拟一台提供Telnet、FTP等服务的服务器,AR2模拟因特网上的一台PC,可以使用Telnet登录AR1服务器

2、PC1和PC2属于不同的VLAN,分别是VLAN2和VLAN3,都使用DHCP获取IP地址,可以连通AR2

3、充分考虑网络的冗余,SW1和SW2配置VRRP冗余备份,以及负载均衡,使用MSTP

4、充分考虑网络安全,在防火墙上使用NAT(NAT只负责地址转换,真正决定哪些流量可以进出的,是下文防火墙上的域间策略和各设备的登录认证配置)

三、具体配置

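1、SW1上配置:

(说明:下面 aaa 视图中的 local-user admin password simple admin 是以明文保存的弱口令,SW2、SW3 上也是同样的配置,只适合实验环境;在实际设备上应改用 cipher 方式保存,并设置强口令。)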

sysname SW1

#

vlan batch 2 to 6

#

stp instance 1 root primary

stp instance 2 root secondary

#

cluster enable

ntdp enable

ndp enable

#

drop illegal-mac alarm

#

dhcp enable

#

diffserv domain default

#

stp region-configuration

region-name HCDP

revision-level 1

instance 1 vlan 2

instance 2 vlan 3 to 4

active region-configuration

#

drop-profile default

#

ip pool vlan2

gateway-list 192.168.2.1

network 192.168.2.0 mask 255.255.255.0

#

ip pool vlan3

gateway-list 192.168.3.1

network 192.168.3.0 mask 255.255.255.0

#

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password simple admin

local-user admin service-type http

#

interface Vlanif1

#

interface Vlanif2

ip address 192.168.2.253 255.255.255.0

vrrp vrid 2 virtual-ip 192.168.2.1

vrrp vrid 2 priority 105

dhcp select global

#

interface Vlanif3

ip address 192.168.3.253 255.255.255.0

vrrp vrid 3 virtual-ip 192.168.3.1

dhcp select global

#

interface Vlanif4

ip address 192.168.4.253 255.255.255.0

vrrp vrid 4 virtual-ip 192.168.4.1

#

interface Vlanif5

ip address 192.168.5.2 255.255.255.0

#

interface MEth0/0/1

#

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 2 to 4

#

interface Ethernet0/0/1

port link-type access

port default vlan 5

#

interface Ethernet0/0/2

eth-trunk 1

#

interface Ethernet0/0/3

eth-trunk 1

#

interface Ethernet0/0/4

port link-type trunk

port trunk allow-pass vlan 2 to 4

#

interface Ethernet0/0/5

#

interface Ethernet0/0/6

#

interface Ethernet0/0/7

#

interface Ethernet0/0/8

#

interface Ethernet0/0/9

#

interface Ethernet0/0/10

#

interface Ethernet0/0/11

#

interface Ethernet0/0/12

#

interface Ethernet0/0/13

#

interface Ethernet0/0/14

#

interface Ethernet0/0/15

#

interface Ethernet0/0/16

#

interface Ethernet0/0/17

#

interface Ethernet0/0/18

#

interface Ethernet0/0/19

#

interface Ethernet0/0/20

#

interface Ethernet0/0/21

#

interface Ethernet0/0/22

#

interface GigabitEthernet0/0/1

#

interface GigabitEthernet0/0/2

#

interface NULL0

#

ospf 1 router-id 2.2.2.2

area 0.0.0.0

network 192.168.2.253 0.0.0.0

network 192.168.3.253 0.0.0.0

network 192.168.4.253 0.0.0.0

network 192.168.5.2 0.0.0.0

#

user-interface con 0

user-interface vty 0 4

#

2、SW2上配置:

sysname SW2

#

vlan batch 2 to 6

#

stp instance 1 root secondary

stp instance 2 root primary

#

cluster enable

ntdp enable

ndp enable

#

drop illegal-mac alarm

#

dhcp enable

#

diffserv domain default

#

stp region-configuration

region-name HCDP

revision-level 1

instance 1 vlan 2

instance 2 vlan 3 to 4

active region-configuration

#

drop-profile default

#

ip pool vlan2

gateway-list 192.168.2.1

network 192.168.2.0 mask 255.255.255.0

#

ip pool vlan3

gateway-list 192.168.3.1

network 192.168.3.0 mask 255.255.255.0

#

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password simple admin

local-user admin service-type http

#

interface Vlanif1

#

interface Vlanif2

ip address 192.168.2.254 255.255.255.0

vrrp vrid 2 virtual-ip 192.168.2.1

dhcp select global

#

interface Vlanif3

ip address 192.168.3.254 255.255.255.0

vrrp vrid 3 virtual-ip 192.168.3.1

vrrp vrid 3 priority 105

dhcp select global

#

interface Vlanif4

ip address 192.168.4.254 255.255.255.0

vrrp vrid 4 virtual-ip 192.168.4.1

vrrp vrid 4 priority 105

#

interface Vlanif6

ip address 192.168.6.2 255.255.255.0

#

interface MEth0/0/1

#

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 2 to 4

#

interface Ethernet0/0/1

port link-type access

port default vlan 6

#

interface Ethernet0/0/2

eth-trunk 1

#

interface Ethernet0/0/3

eth-trunk 1

#

interface Ethernet0/0/4

port link-type trunk

port trunk allow-pass vlan 2 to 4

#

interface Ethernet0/0/5

#

interface Ethernet0/0/6

#

interface Ethernet0/0/7

#

interface Ethernet0/0/8

#

interface Ethernet0/0/9

#

interface Ethernet0/0/10

#

interface Ethernet0/0/11

#

interface Ethernet0/0/12

#

interface Ethernet0/0/13

#

interface Ethernet0/0/14

#

interface Ethernet0/0/15

#

interface Ethernet0/0/16

#

interface Ethernet0/0/17

#

interface Ethernet0/0/18

#

interface Ethernet0/0/19

#

interface Ethernet0/0/20

#

interface Ethernet0/0/21

#

interface Ethernet0/0/22

#

interface GigabitEthernet0/0/1

#

interface GigabitEthernet0/0/2

#

interface NULL0

#

ospf 1 router-id 3.3.3.3

area 0.0.0.0

network 192.168.2.254 0.0.0.0

network 192.168.3.254 0.0.0.0

network 192.168.4.254 0.0.0.0

network 192.168.6.2 0.0.0.0

#

user-interface con 0

user-interface vty 0 4

#

3、SW3上配置:

sysname SW3

#

vlan batch 2 to 6

#

cluster enable

ntdp enable

ndp enable

#

drop illegal-mac alarm

#

diffserv domain default

#

stp region-configuration

region-name HCDP

revision-level 1

instance 1 vlan 2

instance 2 vlan 3 to 4

active region-configuration

#

drop-profile default

#

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password simple admin

local-user admin service-type http

#

interface Vlanif1

#

interface MEth0/0/1

#

interface Ethernet0/0/1

port link-type trunk

port trunk allow-pass vlan 2 to 4

#

interface Ethernet0/0/2

port link-type trunk

port trunk allow-pass vlan 2 to 4

#

interface Ethernet0/0/3

port link-type access

port default vlan 2

#

interface Ethernet0/0/4

port link-type access

port default vlan 3

#

interface Ethernet0/0/5

port link-type access

port default vlan 4

#

interface Ethernet0/0/6

#

interface Ethernet0/0/7

#

interface Ethernet0/0/8

#

interface Ethernet0/0/9

#

interface Ethernet0/0/10

#

interface Ethernet0/0/11

#

interface Ethernet0/0/12

#

interface Ethernet0/0/13

#

interface Ethernet0/0/14

#

interface Ethernet0/0/15

#

interface Ethernet0/0/16

#

interface Ethernet0/0/17

#

interface Ethernet0/0/18

#

interface Ethernet0/0/19

#

interface Ethernet0/0/20

#

interface Ethernet0/0/21

#

interface Ethernet0/0/22

#

interface GigabitEthernet0/0/1

#

interface GigabitEthernet0/0/2

#

interface NULL0

#

user-interface con 0

user-interface vty 0 4

#

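4、防火墙上配置:

(说明:这份配置为了方便实验,在安全上放得很宽,不能直接照搬到真实环境:
① user-interface con 0 和 vty 0 4 都是 authentication-mode none,vty 还配置了 protocol inbound all,而 local 与 trust 之间的包过滤又已双向放行,因此从内网通过 vty 登录防火墙时不做任何认证;
② policy interzone trust untrust inbound 下的 policy 0 没有设置任何匹配条件就直接 action permit,相当于放行 untrust 到 trust 入方向的全部流量,而不只是 nat server 发布的那几个端口;
③ 通过 nat server 对外发布的 Telnet、FTP 都是明文协议,口令在链路上可以被直接看到。
用于真实环境时,登录应改为 authentication-mode aaa 并只允许 SSH 接入,入方向策略应只放行到 192.168.4.2 的所需服务。)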

stp region-configuration

region-name 003ce315809c

active region-configuration

#

interface Eth-Trunk1

alias Eth-Trunk1

#

interface GigabitEthernet0/0/0

alias GE0/MGMT

ip address 192.168.5.1 255.255.255.0

#

interface GigabitEthernet0/0/1

ip address 192.168.6.1 255.255.255.0

#

interface GigabitEthernet0/0/2

ip address 100.1.1.1 255.255.255.0

#

interface GigabitEthernet0/0/3

#

interface GigabitEthernet0/0/4

#

interface GigabitEthernet0/0/5

#

interface GigabitEthernet0/0/6

#

interface GigabitEthernet0/0/7

#

interface GigabitEthernet0/0/8

#

interface NULL0

alias NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet0/0/1

#

firewall zone untrust

set priority 5

add interface GigabitEthernet0/0/2

#

firewall zone dmz

set priority 50

#

aaa

local-user admin password cipher %$%$muepQ*y#4!i6v]KGc(j;z.%y%$%$

local-user admin service-type web terminal telnet

local-user admin level 15

authentication-scheme default

#

authorization-scheme default

#

accounting-scheme default

#

domain default

#

#

ospf 1 router-id 1.1.1.1

default-route-advertise always

area 0.0.0.0

network 192.168.5.1 0.0.0.0

network 192.168.6.1 0.0.0.0

#

nqa-jitter tag-version 1

#

banner enable

#

user-interface con 0

authentication-mode none

user-interface vty 0 4

authentication-mode none

protocol inbound all

#

slb

#

right-manager server-group

#

sysname FW1

#

l2tp domain suffix-separator @

#

firewall packet-filter default permit interzone local trust direction inbound

firewall packet-filter default permit interzone local trust direction outbound

firewall packet-filter default permit interzone local untrust direction outbound

firewall packet-filter default permit interzone local dmz direction outbound

firewall packet-filter default permit interzone trust untrust direction outbound

#

nat server 0 protocol tcp global 100.1.1.1 telnet inside 192.168.4.2 telnet

nat server 1 protocol tcp global 100.1.1.1 www inside 192.168.4.2 www

nat server 2 protocol tcp global 100.1.1.1 20 inside 192.168.4.2 20

nat server 3 protocol tcp global 100.1.1.1 ftp inside 192.168.4.2 ftp

#

ip df-unreachables enable

#

firewall ipv6 session link-state check

firewall ipv6 statistic system enable

#

dns resolve

#

firewall statistic system enable

#

pki ocsp response cache refresh interval 0

pki ocsp response cache number 0

#

undo dns proxy

#

license-server domain lic.huawei.com

#

web-manager enable

#

policy interzone trust untrust inbound

policy 0

action permit

#

nat-policy interzone trust untrust outbound

policy 0

action source-nat

easy-ip GigabitEthernet0/0/2

#

5、AR1上配置:

sysname SER

#

snmp-agent local-engineid 800007DB03000000000000

snmp-agent

#

clock timezone China-Standard-Time minus 08:00:00

#

portal local-server load flash:/portalpage.zip

#

drop illegal-mac alarm

#

wlan ac-global carrier id other ac id 0

#

set cpu-usage threshold 80 restore 75

#

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

local-user admin service-type http

#

firewall zone Local

priority 15

#

interface Ethernet0/0/0

#

interface Ethernet0/0/1

#

interface Ethernet0/0/2

#

interface Ethernet0/0/3

#

interface Ethernet0/0/4

#

interface Ethernet0/0/5

#

interface Ethernet0/0/6

#

interface Ethernet0/0/7

#

interface GigabitEthernet0/0/0

ip address 192.168.4.2 255.255.255.0

#

interface GigabitEthernet0/0/1

#

interface NULL0

#

ip route-static 0.0.0.0 0.0.0.0 192.168.4.1

#

user-interface con 0

authentication-mode password

user-interface vty 0 4

authentication-mode password

set authentication password cipher %$%$s||0>!l`9@u~ZkJ:w,@R,"V;|J-"'q/Mq=I.N}~|BQA;"V>,%$%$

user-interface vty 16 20

#

wlan ac

#

6、AR2上配置:

sysname INTERNET

#

snmp-agent local-engineid 800007DB03000000000000

snmp-agent

#

clock timezone China-Standard-Time minus 08:00:00

#

portal local-server load flash:/portalpage.zip

#

drop illegal-mac alarm

#

wlan ac-global carrier id other ac id 0

#

set cpu-usage threshold 80 restore 75

#

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

local-user admin service-type http

#

firewall zone Local

priority 15

#

interface Ethernet0/0/0

#

interface Ethernet0/0/1

#

interface Ethernet0/0/2

#

interface Ethernet0/0/3

#

interface Ethernet0/0/4

#

interface Ethernet0/0/5

#

interface Ethernet0/0/6

#

interface Ethernet0/0/7

#

interface GigabitEthernet0/0/0

ip address 100.1.1.2 255.255.255.0

#

interface GigabitEthernet0/0/1

#

interface NULL0

#

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

#

wlan ac

#

四、测试

1、PC1和PC2访问外网

2、外网PC登录Telnet服务器
