Assessment Project
Address Planning Table

| Device | Interface | Address | Remarks |
|---|---|---|---|
| ISP | g0/0/0 | 1.1.1.254/24 | |
| | g0/0/1 | 202.100.10.1/24 | |
| | g0/0/2 | 101.100.10.1/24 | |
| YX-FW | g1/0/1 | 202.100.10.2/24 | easy-ip |
| | g1/0/0 | 192.168.30.2/24 | |
| | tunnel 1 | 192.168.50.1/24 | gre |
| YC-FW | g1/0/1 | 101.100.10.2/24 | napt |
| | g1/0/0 | 192.168.40.2/24 | |
| | tunnel 1 | 192.168.50.2/24 | gre |
| YX-Core | g0/0/1 | access vlan 30 | |
| | g0/0/2 | trunk | |
| | g0/0/3 | trunk | |
| | g0/0/4 | trunk | |
| YX-AC | g0/0/1 | trunk | |
| YC-Core | g0/0/0 | 192.168.40.1/24 | |
| | g0/0/1 | 192.168.60.1/24 | |
| YX-汇聚1 | e0/0/1 | trunk | |
| | e0/0/2 | Eth-Trunk 1, trunk | |
| | e0/0/3 | Eth-Trunk 1, trunk | |
| | e0/0/4 | trunk | |
| YX-汇聚2 | e0/0/1 | trunk | |
| | e0/0/2 | Eth-Trunk 1, trunk | |
| | e0/0/3 | Eth-Trunk 1, trunk | |
| LSW1 | e0/0/1 | trunk | |
| | e0/0/2 | trunk | |
| | e0/0/3 | access vlan 10 | |
| | e0/0/4 | access vlan 20 | |
| | e0/0/5 | trunk pvid 100 | |
| | e0/0/6 | trunk pvid 100 | |
| LSW2 | g0/0/1 | access vlan 40 | |
| | g0/0/2 | access vlan 80 | |
| | g0/0/3 | access vlan 70 | |
| PC1 | e0/0/0 | 192.168.10.251/24 | |
| Client1 | e0/0/0 | 192.168.20.251/24 | |
| AP1 | e0/0/0 | obtained dynamically via DHCP | |
| AP2 | e0/0/0 | obtained dynamically via DHCP | |
| PC3 | e0/0/0 | 192.168.80.251/24 | |
| PC4 | e0/0/0 | 192.168.70.251/24 | |
| Server-ftp | e0/0/0 | 1.1.1.251/24 | |
| Server-http | e0/0/0 | 1.1.1.252/24 | |
| | vlan 10 | 192.168.10.0/24 | |
| | vlan 20 | 192.168.20.0/24 | |
| | vlan 30 | 192.168.30.0/24 | |
| | vlan 60 | 192.168.60.0/24 | |
| | vlan 70 | 192.168.70.0/24 | |
| | vlan 80 | 192.168.80.0/24 | |
| | vlan 100 | 172.16.100.0/24 | management |
| | vlan 101 | 10.10.101.0/24 | service 1 |
| | vlan 102 | 10.10.102.0/24 | service 2 |
1 Wireless Project Requirements
As the company's business keeps expanding, more and more employees and visitors need to get online and work over wireless connections. To meet these needs, the customer plans to deploy a wireless network in the campus:
1. According to the topology, complete the configuration of YX-AC and YX-Access; the forwarding mode is tunnel forwarding.
2. Plan the wireless network for the company: the service VLANs are VLAN 101 and VLAN 102, and the management VLAN is VLAN 100. The AC also acts as the DHCP server and assigns addresses for these three VLANs.
3. Configure an AP group named GOK. The regulatory domain profile is named GOK with country code China (cn); bind this profile to the AP group. The AC's source interface is VLANIF 100. APs are authenticated by MAC address.
4. Configure VAP profile GOK-lab: create SSID profile GOK1 with SSID name gok; create security profile GOK1 with a pre-shared-key security policy and password goktech@123. Enable both the 2.4 GHz and 5 GHz bands, WLAN ID 1. Bind these profiles in the VAP profile, set the forwarding mode to tunnel forwarding and the service VLAN to VLAN 101.
5. Likewise configure VAP profile Student-lab: create SSID profile Student with SSID name Student; create security profile Student1 with a pre-shared-key security policy and password student@123. Enable the 2.4 GHz band only, WLAN ID 2. Bind these profiles in the VAP profile, set the forwarding mode to tunnel forwarding and the service VLAN to VLAN 102.
6. Roaming between APs is Layer 2 roaming.
YX-AC
```
sy
sys YX-AC
dhcp enable
vlan batch 10 20 30 100 101 102
ip pool vlan100
network 172.16.100.0 mask 24
gateway-list 172.16.100.254
dns-list 8.8.8.8
qu
ip pool vlan101
network 10.10.101.0 mask 24
gateway-list 10.10.101.254
dns-list 8.8.8.8
qu
ip pool vlan102
network 10.10.102.0 mask 24
gateway-list 10.10.102.254
dns-list 8.8.8.8
qu
int vlanif 100
ip add 172.16.100.254 24
dhcp select global
qu
int vlanif 101
ip add 10.10.101.254 24
dhcp select global
qu
int vlanif 102
ip add 10.10.102.254 24
dhcp select global
qu
int g0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101 102
qu
capwap source int vlanif 100
wlan
ap auth-mode mac-auth
ap-group name GOK
qu
ap-id 1 ap-mac 00e0-fce8-0760
ap-name AP1
ap-group GOK
y
qu
ap-id 2 ap-mac 00e0-fc44-3f10
ap-name AP2
ap-group GOK
y
qu
regulatory-domain-profile name GOK
country-code cn
qu
ap-group name GOK
regulatory-domain-profile name GOK
qu
qu
wlan
security-profile name GOK1
security wpa-wpa2 psk pass-phrase goktech@123 aes
qu
security-profile name Student1
security wpa-wpa2 psk pass-phrase student@123 aes
qu
ssid-profile name GOK1
ssid gok
qu
ssid-profile name Student
ssid Student
qu
vap-profile name GOK-lab
forward-mode tunnel
service-vlan vlan-id 101
security-profile GOK1
ssid-profile GOK1
qu
vap-profile name Student-lab
forward-mode tunnel
service-vlan vlan-id 102
security-profile Student1
ssid-profile Student
qu
ap-id 1
vap-profile GOK-lab wlan 1 radio all
vap-profile Student-lab wlan 2 radio 0
qu
ap-id 2
vap-profile GOK-lab wlan 1 radio all
vap-profile Student-lab wlan 2 radio 0
qu
qu
```
YX-Core
```
sy
sys YX-Core
vlan batch 10 20 30 100 101 102
int g0/0/2
port link-type trunk
port trunk allow-pass vlan 100 101 102
qu
int g0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20 100 101 102
qu
int g0/0/4
port link-type trunk
port trunk allow-pass vlan 10 20 100 101 102
qu
```
YX-汇聚1
```
vlan batch 10 20 30 100 101 102
int e0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30 100 101 102
qu
int Eth-Trunk 1
port link-type trunk
port trunk allow-pass vlan 10 20 30 100 101 102
qu
int e0/0/4
port link-type trunk
port trunk allow-pass vlan 10 20 30 100 101 102
qu
```
YX-汇聚2
```
vlan batch 10 20 30 100 101 102
int e0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30 100 101 102
qu
int Eth-Trunk 1
port link-type trunk
port trunk allow-pass vlan 10 20 30 100 101 102
qu
int e0/0/4
port link-type trunk
port trunk allow-pass vlan 10 20 30 100 101 102
qu
```
YX-Access
```
sy
sys YX-Access
vlan batch 10 20 30 100 101 102
int e0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 100 101 102
qu
int e0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 101 102
qu
int e0/0/5
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 10 20 30 100 101
qu
int e0/0/6
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 10 20 30 100 102
qu
```
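In tunnel forwarding the AC terminates the service VLANs itself, so every DHCP pool's gateway-list must be an address the AC actually holds on the matching VLANIF, and every VAP's service VLAN needs both a VLANIF and a pool; otherwise STAs associate but have no usable gateway. The checker below is an added example, not part of the original post or any Huawei tool. It parses a constructed VRP-style excerpt (full-form keywords `interface`, `ip address`, `quit`; the sample config and the three faults planted in it are assumptions, not the page's configuration) and reports each violation of those rules.

```python
import ipaddress
import re

# Constructed AC configuration excerpt (an assumption, not the page's config).
# Three faults are planted: pool vlan102 points at a gateway the AC does not
# own, Student-lab uses direct forwarding, and Guest-lab sits on VLAN 103
# which has no VLANIF on the AC.
SAMPLE_AC_CONFIG = """\
ip pool vlan101
 network 10.10.101.0 mask 24
 gateway-list 10.10.101.254
quit
ip pool vlan102
 network 10.10.102.0 mask 255.255.255.0
 gateway-list 10.10.102.1
quit
interface vlanif 101
 ip address 10.10.101.254 24
quit
interface vlanif 102
 ip address 10.10.102.254 24
quit
wlan
 vap-profile name GOK-lab
  forward-mode tunnel
  service-vlan vlan-id 101
 quit
 vap-profile name Student-lab
  forward-mode direct-forward
  service-vlan vlan-id 102
 quit
 vap-profile name Guest-lab
  forward-mode tunnel
  service-vlan vlan-id 103
 quit
quit
"""


def parse_blocks(text, start_re):
    """Return {name: [body lines]} for each block whose opener matches start_re.
    A block ends at the first 'quit'/'qu' line (the sample has no nesting)."""
    blocks, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        m = re.match(start_re, lines[i].strip())
        if m:
            name, body = m.group(1), []
            i += 1
            while i < len(lines) and lines[i].strip() not in ("quit", "qu"):
                body.append(lines[i].strip())
                i += 1
            blocks[name] = body
        i += 1
    return blocks


def check_ac_config(text):
    """Return a list of findings; an empty list means the AC config is consistent."""
    findings = []
    pools = parse_blocks(text, r"^ip pool (\S+)$")
    vlanifs = parse_blocks(text, r"^interface vlanif (\d+)$")
    vaps = parse_blocks(text, r"^vap-profile name (\S+)$")

    # Subnet -> (vlan id, address) for every VLANIF the AC owns.
    gw_by_subnet = {}
    for vid, body in vlanifs.items():
        for line in body:
            m = re.match(r"ip address (\S+) (\S+)", line)
            if m:
                iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                gw_by_subnet[iface.network] = (vid, iface.ip)

    pooled_vlans = set()
    for name, body in pools.items():
        net = gw = None
        for line in body:
            m = re.match(r"network (\S+) mask (\S+)", line)
            if m:  # ipaddress accepts both prefix length and dotted mask
                net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            m = re.match(r"gateway-list (\S+)", line)
            if m:
                gw = ipaddress.ip_address(m.group(1))
        if net is None or gw is None:
            findings.append(f"pool {name}: missing network or gateway-list")
            continue
        if net not in gw_by_subnet:
            findings.append(f"pool {name}: no vlanif on {net}, clients get an unreachable gateway")
            continue
        vid, ip = gw_by_subnet[net]
        pooled_vlans.add(vid)
        if gw != ip:
            findings.append(f"pool {name}: gateway-list {gw} but vlanif {vid} is {ip}")

    for name, body in vaps.items():
        mode = next((l.split()[1] for l in body if l.startswith("forward-mode")), None)
        vid = next((l.split()[-1] for l in body if l.startswith("service-vlan")), None)
        if mode != "tunnel":
            findings.append(f"vap {name}: forward-mode {mode}, requirement is tunnel")
        if vid not in vlanifs:
            findings.append(f"vap {name}: service VLAN {vid} has no vlanif on the AC")
        elif vid not in pooled_vlans:
            findings.append(f"vap {name}: service VLAN {vid} has no DHCP pool")
    return findings


if __name__ == "__main__":
    for finding in check_ac_config(SAMPLE_AC_CONFIG):
        print(finding)
```

Run it against `display current-configuration` output saved from the AC; the same three checks apply unchanged, and a clean run prints nothing.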
2 Networking Requirements
2.1 YX Campus
1. At the internal access layer, PC1 is in VLAN 10 and Client1 is in VLAN 20.
2. To improve aggregation-layer redundancy, deploy MSTP and Eth-Trunk. YX-汇聚1 must be the primary root bridge for VLAN 10, VLAN 100 and VLAN 101 and the backup root bridge for VLAN 20 and VLAN 102; YX-汇聚2 must be the primary root bridge for VLAN 20 and VLAN 102 and the backup root bridge for VLAN 10, VLAN 100 and VLAN 101.
3. Achieve full connectivity within the YX campus intranet (including the wireless part).
4. Deploy the YX-FW firewall so that the intranet can access the public network, using NAT (Easy IP) with the IP address 202.100.10.0.
YX-Access
```
int vlan 10
ip add 192.168.10.254 24
qu
int vlan 20
ip add 192.168.20.254 24
qu
int e0/0/3
port link-type access
port default vlan 10
qu
int e0/0/4
port link-type access
port default vlan 20
qu
```
YX-汇聚1 (configure first)
```
sy
sys YX-HJ1
stp mode mstp
stp enable
stp region-config
region-name goktech
instance 1 vlan 10 100 101
instance 2 vlan 20 102
revision-level 2
active region-config
qu
stp instance 1 root primary
stp instance 2 root secondary
int eth-trunk 1
mode manual load-balance
trunkport e0/0/2
trunkport e0/0/3
qu
```
YX-汇聚2 (configure first)
```
sy
sys YX-HJ2
stp mode mstp
stp enable
stp region-config
region-name goktech
instance 1 vlan 10 100 101
instance 2 vlan 20 102
revision-level 2
active region-config
qu
stp instance 1 root secondary
stp instance 2 root primary
int eth-trunk 1
mode manual load-balance
trunkport e0/0/2
trunkport e0/0/3
qu
```
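MSTP only delivers the per-VLAN root split planned above when both aggregation switches agree on the region: identical region-name, revision-level and instance-to-VLAN mapping. If any of these differ, each switch forms its own region, the instances collapse into the CIST and the primary/secondary root assignments are silently lost. The following checker is an added example, not something from the original post; it compares two constructed configs (assumptions, with a mismatch deliberately planted in instance 2 of YX-HJ2) and also confirms that each instance has exactly one primary and one secondary root between the two switches.

```python
import re

# Constructed configs for the two aggregation switches (assumptions, not the
# page's own configs). YX-HJ2 carries a planted mismatch in instance 2.
HJ1 = """\
stp mode mstp
stp region-config
 region-name goktech
 instance 1 vlan 10 100 101
 instance 2 vlan 20 102
 revision-level 2
 active region-config
quit
stp instance 1 root primary
stp instance 2 root secondary
"""

HJ2 = """\
stp mode mstp
stp region-config
 region-name goktech
 instance 1 vlan 10 100 101
 instance 2 vlan 20 to 22 102
 revision-level 2
 active region-config
quit
stp instance 1 root secondary
stp instance 2 root primary
"""


def expand_vlans(tokens):
    """Expand a VRP VLAN list such as ['20', 'to', '22', '102'] into a set of ints."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_mstp(text):
    """Pull the region definition and the per-instance root role out of one config."""
    region = {"mode": None, "name": None, "revision": None,
              "instances": {}, "active": False}
    roots = {}
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        if line.startswith("stp mode "):
            region["mode"] = t[2]
        elif line.startswith("region-name "):
            region["name"] = t[1]
        elif line.startswith("revision-level "):
            region["revision"] = int(t[1])
        elif line.startswith("instance ") and len(t) > 3 and t[2] == "vlan":
            region["instances"][int(t[1])] = expand_vlans(t[3:])
        elif line == "active region-config":
            region["active"] = True
        else:
            m = re.match(r"stp instance (\d+) root (primary|secondary)", line)
            if m:
                roots[int(m.group(1))] = m.group(2)
    return region, roots


def check_mstp_pair(name_a, cfg_a, name_b, cfg_b):
    """Return findings for the pair; an empty list means the region is consistent."""
    findings = []
    ra, roots_a = parse_mstp(cfg_a)
    rb, roots_b = parse_mstp(cfg_b)
    # Region identity: name, revision and every instance mapping must be identical.
    for key in ("name", "revision"):
        if ra[key] != rb[key]:
            findings.append(f"region {key} differs: {name_a}={ra[key]}, {name_b}={rb[key]}")
    for inst in sorted(set(ra["instances"]) | set(rb["instances"])):
        va = ra["instances"].get(inst, set())
        vb = rb["instances"].get(inst, set())
        if va != vb:
            findings.append(f"instance {inst} VLAN mapping differs: "
                            f"{name_a} has {sorted(va)}, {name_b} has {sorted(vb)}")
    for name, r in ((name_a, ra), (name_b, rb)):
        if r["mode"] != "mstp":
            findings.append(f"{name}: stp mode is {r['mode']}, not mstp")
        if not r["active"]:
            findings.append(f"{name}: region-config was never activated")
    # Each instance needs exactly one primary and one secondary root across the pair.
    for inst in sorted(set(roots_a) | set(roots_b)):
        roles = sorted(x for x in (roots_a.get(inst), roots_b.get(inst)) if x)
        if roles != ["primary", "secondary"]:
            findings.append(f"instance {inst}: root roles {roles}, "
                            "expected one primary and one secondary")
    return findings


if __name__ == "__main__":
    for finding in check_mstp_pair("YX-HJ1", HJ1, "YX-HJ2", HJ2):
        print(finding)
```

The same comparison can be done on the switches with `display stp region-configuration`; the point of scripting it is to catch the mismatch before a failover reveals it.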
YX-Core
```
int vlan 10
ip add 192.168.10.254 24
qu
int vlan 20
ip add 192.168.20.254 24
qu
int vlan 30
ip add 192.168.30.1 24
qu
int vlan 100
ip add 172.16.100.1 24
qu
int g0/0/1
port link-type access
port default vlan 30
qu
ospf 1
area 0
network 192.168.30.0 0.0.0.255
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 172.16.100.0 0.0.0.255
qu
```
YX-FW (admin/Huawei@123)
```
int g1/0/0
ip add 192.168.30.2 24
qu
int g1/0/1
ip add 202.100.10.2 24
qu
firewall zone trust
add int g1/0/0
qu
firewall zone untrust
add int g1/0/1
qu
security-policy
rule name trust2untrust
source-zone trust
destination-zone untrust
action permit
qu
qu
nat-policy
rule name natacl1
source-zone trust
destination-zone untrust
action source-nat easy-ip
qu
qu
ip route-static 0.0.0.0 0 202.100.10.1
ospf 1
area 0
network 192.168.30.0 0.0.0.255
qu
```
YX-AC
```
ip route-static 0.0.0.0 0 172.16.100.1
ospf 1
area 0
network 172.16.100.0 0.0.0.255
network 10.10.101.0 0.0.0.255
network 10.10.102.0 0.0.0.255
qu
qu
```
There is a problem: YX-AC connects to YX-Core over a trunk, and OSPF cannot be established in a pure Layer 2 environment, so the WLAN devices cannot reach anything other than the AC.
ISP
```
int g0/0/1
ip add 202.100.10.1 24
qu
```
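The address plan at the top of the page is only worth anything if the configs match it, and the two mistakes that most often break a lab like this are an address typed into the wrong subnet (the OSPF neighbour never forms) and the same gateway address configured on two switches (an address conflict that intermittently blackholes a VLAN). The checker below is an added example, not from the original post. It compares a constructed plan against constructed config excerpts written in the page's abbreviated CLI style (`int`, `ip add`, `qu`); the plan, the excerpts and the two planted faults (192.168.3.2 in place of 192.168.30.2 on YX-FW, and VLANIF 10's gateway duplicated on YX-Access) are assumptions.

```python
import ipaddress
import re

# Constructed address plan: (device, canonical interface name, address/prefix).
# An assumption for this example, not the page's table.
PLAN = [
    ("YX-FW", "GigabitEthernet1/0/0", "192.168.30.2/24"),
    ("YX-FW", "GigabitEthernet1/0/1", "202.100.10.2/24"),
    ("YX-Core", "Vlanif10", "192.168.10.254/24"),
    ("YX-Core", "Vlanif30", "192.168.30.1/24"),
]

# Constructed config excerpts in the abbreviated style used on the page.
# Planted faults: a mistyped address on YX-FW, and YX-Access duplicating
# the VLANIF 10 gateway that belongs to YX-Core.
CONFIGS = {
    "YX-FW": """\
int g1/0/0
 ip add 192.168.3.2 24
qu
int g1/0/1
 ip add 202.100.10.2 24
qu
""",
    "YX-Core": """\
int vlan 10
 ip add 192.168.10.254 24
qu
int vlan 30
 ip add 192.168.30.1 24
qu
""",
    "YX-Access": """\
int vlan 10
 ip add 192.168.10.254 24
qu
""",
}

# Common VRP abbreviations mapped to the full interface type name.
ABBREV = {"g": "GigabitEthernet", "gigabitethernet": "GigabitEthernet",
          "e": "Ethernet", "ethernet": "Ethernet",
          "vlan": "Vlanif", "vlanif": "Vlanif", "tunnel": "Tunnel"}


def canon_iface(name, num):
    """Normalise 'g1/0/0', 'vlan 10' or 'Vlanif10' to one canonical spelling."""
    key = (name + (num or "")).lower()
    m = re.match(r"[a-z]+", key)
    prefix = m.group(0) if m else ""
    return ABBREV.get(prefix, prefix) + key[len(prefix):]


def configured_addresses(text):
    """Return {canonical interface: IPv4Interface} for every 'ip address' line.
    An address line without a mask is not accepted by VRP, so it is ignored
    here and the interface shows up as unconfigured."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(?:interface|int)\s+(\S+)(?:\s+(\d+))?$", line)
        if m:
            current = canon_iface(m.group(1), m.group(2))
            continue
        m = re.match(r"^ip add(?:ress)?\s+(\S+)\s+(\S+)$", line)
        if m and current is not None:
            result[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif line in ("quit", "qu"):
            current = None
    return result


def check_plan(plan, configs):
    """Report plan/config mismatches, unplanned addresses and duplicate addresses."""
    findings = []
    actual = {dev: configured_addresses(cfg) for dev, cfg in configs.items()}
    for dev, iface, cidr in plan:
        planned = ipaddress.ip_interface(cidr)
        got = actual.get(dev, {}).get(iface)
        if got is None:
            findings.append(f"{dev} {iface}: planned {planned} but not configured")
        elif got != planned:
            findings.append(f"{dev} {iface}: planned {planned}, configured {got}")
    planned_keys = {(d, i) for d, i, _ in plan}
    owners = {}  # address -> list of "device interface" holding it
    for dev, ifaces in actual.items():
        for iface, addr in ifaces.items():
            if (dev, iface) not in planned_keys:
                findings.append(f"{dev} {iface}: {addr} is configured but not in the plan")
            owners.setdefault(addr.ip, []).append(f"{dev} {iface}")
    for ip, where in owners.items():
        if len(where) > 1:
            findings.append(f"duplicate address {ip} on " + ", ".join(where))
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN, CONFIGS):
        print(finding)
```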
2.2 YC Campus
1. Similarly for the YC campus, deploy PC3 and PC4 in VLAN 80 and VLAN 70 respectively, and achieve full connectivity within the YC campus.
2. Deploy NAT at the YC campus firewall egress, using dynamic NAT with the address pool 101.100.10.10 to 101.100.10.15, so that the YC campus can also access the public network.
ISP
```
int g0/0/2
ip add 101.100.10.1 24
qu
```
YC-FW (admin/Huawei@123)
```
int g1/0/0
ip add 192.168.40.2 24
qu
int g1/0/1
ip add 101.100.10.2 24
qu
firewall zone trust
add int g1/0/0
qu
firewall zone untrust
add int g1/0/1
qu
security-policy
rule name trust2untrust
source-zone trust
destination-zone untrust
action permit
qu
qu
nat address-group YC
section 0 101.100.10.10 101.100.10.15
qu
nat-policy
rule name natacl2
source-zone trust
destination-zone untrust
action source-nat address-group YC
qu
qu
ospf 1
area 0
network 192.168.40.0 0.0.0.255
network 101.100.10.0 0.0.0.255
qu
qu
ip route-static 0.0.0.0 0 101.100.10.1
ip route-static 101.100.10.10 255.255.255.255 NULL0
ip route-static 101.100.10.11 255.255.255.255 NULL0
ip route-static 101.100.10.12 255.255.255.255 NULL0
ip route-static 101.100.10.13 255.255.255.255 NULL0
ip route-static 101.100.10.14 255.255.255.255 NULL0
ip route-static 101.100.10.15 255.255.255.255 NULL0
```
YC-Core
```
int g0/0/0
ip add 192.168.40.1 24
qu
int g0/0/1
ip add 192.168.60.1 24
qu
ip route-static 0.0.0.0 0 192.168.40.2
ospf 1
area 0
network 192.168.40.0 0.0.0.255
network 192.168.60.0 0.0.0.255
qu
qu
```
LSW2
```
vlan batch 60 70 80
int vlan 60
ip add 192.168.60.2 24
qu
int vlan 70
ip add 192.168.70.254 24
qu
int vlan 80
ip add 192.168.80.254 24
qu
int g0/0/1
port link-type access
port default vlan 60
qu
int g0/0/2
port link-type access
port default vlan 80
qu
int g0/0/3
port link-type access
port default vlan 70
qu
ip route-static 0.0.0.0 0 192.168.60.1
ospf 1
area 0
network 192.168.60.0 0.0.0.255
network 192.168.70.0 0.0.0.255
network 192.168.80.0 0.0.0.255
qu
qu
```
2.3 Final Service Requirements
1. Deploy a GRE tunnel between the YX campus firewall and the YC campus firewall so that devices in the YX and YC campuses can reach each other, and both can access the FTP and HTTP servers on the public ISP network.
YX-FW
```
interface tunnel 1
tunnel-protocol gre
ip add 192.168.50.1 24
source 202.100.10.2
destination 101.100.10.2
qu
ip route-static 192.168.70.0 24 Tunnel1
ip route-static 192.168.80.0 24 Tunnel1
firewall zone untrust
add interface Tunnel 1
qu
security-policy
rule name L2U
source-zone local
destination-zone untrust
action permit
qu
rule name U2L
source-zone untrust
destination-zone local
action permit
qu
qu
```
YC-FW
```
interface tunnel 1
tunnel-protocol gre
ip add 192.168.50.2 24
source 101.100.10.2
destination 202.100.10.2
qu
firewall zone untrust
add interface Tunnel 1
qu
ip route-static 10.10.0.0 16 Tunnel1
ip route-static 192.168.10.0 24 Tunnel1
ip route-static 192.168.20.0 24 Tunnel1
security-policy
rule name L2U
source-zone local
destination-zone untrust
action permit
qu
rule name U2L
source-zone untrust
destination-zone local
action permit
qu
qu
```
ISP
```
int g0/0/0
ip add 1.1.1.254 24
qu
```
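A GRE tunnel between two stateful firewalls fails quietly when the endpoints do not mirror each other, when the tunnel interface sits in no zone, or when the local zone is not allowed to exchange traffic with the zone of the physical egress interface: the encapsulated packets are sourced and terminated by the firewall itself, which is exactly why the L2U and U2L rules above exist. The checker below is an added example, not part of the original post; it parses two constructed USG-style excerpts (assumptions, with the untrust-to-local rule deliberately left out on YC-FW) and reports everything that would keep the tunnel from passing traffic.

```python
import ipaddress

# Constructed USG-style excerpts (assumptions, not the page's configs).
# YC-FW deliberately lacks the untrust -> local rule.
YX_FW = """\
interface GigabitEthernet1/0/1
 ip address 202.100.10.2 24
interface Tunnel1
 tunnel-protocol gre
 ip address 192.168.50.1 24
 source 202.100.10.2
 destination 101.100.10.2
firewall zone untrust
 add interface GigabitEthernet1/0/1
 add interface Tunnel1
security-policy
 rule name L2U
  source-zone local
  destination-zone untrust
  action permit
 rule name U2L
  source-zone untrust
  destination-zone local
  action permit
"""

YC_FW = """\
interface GigabitEthernet1/0/1
 ip address 101.100.10.2 24
interface Tunnel1
 tunnel-protocol gre
 ip address 192.168.50.2 24
 source 101.100.10.2
 destination 202.100.10.2
firewall zone untrust
 add interface GigabitEthernet1/0/1
 add interface Tunnel1
security-policy
 rule name L2U
  source-zone local
  destination-zone untrust
  action permit
"""


def parse_fw(text):
    """Collect interfaces, zone membership and security-policy rules."""
    fw = {"ifaces": {}, "zones": {}, "rules": {}}
    kind = ctx = None  # which block the current line belongs to
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "#":
            continue
        if t[0] == "interface":
            kind, ctx = "iface", t[1]
            fw["ifaces"].setdefault(ctx, {})
        elif t[:2] == ["firewall", "zone"]:
            kind, ctx = "zone", t[2]
            fw["zones"].setdefault(ctx, [])
        elif t[:2] == ["rule", "name"]:
            kind, ctx = "rule", t[2]
            fw["rules"][ctx] = {}
        elif kind == "iface":
            if t[:2] == ["ip", "address"]:
                fw["ifaces"][ctx]["ip"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
            elif t[0] == "tunnel-protocol":
                fw["ifaces"][ctx]["proto"] = t[1]
            elif t[0] in ("source", "destination"):
                fw["ifaces"][ctx][t[0]] = ipaddress.ip_address(t[1])
        elif kind == "zone" and t[:2] == ["add", "interface"]:
            fw["zones"][ctx].append(t[2])
        elif kind == "rule" and t[0] in ("source-zone", "destination-zone", "action"):
            fw["rules"][ctx][t[0]] = t[1]
    return fw


def zone_of(fw, iface):
    return next((z for z, members in fw["zones"].items() if iface in members), None)


def has_permit(fw, src, dst):
    return any(r.get("source-zone") == src and r.get("destination-zone") == dst
               and r.get("action") == "permit" for r in fw["rules"].values())


def gre_tunnel(fw):
    return next(((n, i) for n, i in fw["ifaces"].items() if i.get("proto") == "gre"),
                (None, None))


def check_gre_pair(name_a, cfg_a, name_b, cfg_b):
    """Return findings that would stop the GRE tunnel; empty means it should work."""
    findings = []
    a, b = parse_fw(cfg_a), parse_fw(cfg_b)
    (ta_name, ta), (tb_name, tb) = gre_tunnel(a), gre_tunnel(b)
    if ta is None or tb is None:
        return [f"no GRE tunnel interface on {name_a if ta is None else name_b}"]
    if ta["source"] != tb["destination"] or tb["source"] != ta["destination"]:
        findings.append(f"tunnel endpoints do not cross-match: {name_a} "
                        f"{ta['source']}->{ta['destination']}, {name_b} "
                        f"{tb['source']}->{tb['destination']}")
    if ta["ip"].network != tb["ip"].network:
        findings.append(f"tunnel addresses {ta['ip']} and {tb['ip']} are not in one subnet")
    for name, fw, tname, t in ((name_a, a, ta_name, ta), (name_b, b, tb_name, tb)):
        if zone_of(fw, tname) is None:
            findings.append(f"{name}: {tname} belongs to no zone, decapsulated traffic is dropped")
        # GRE packets are local-zone traffic through the interface owning the source address.
        egress = next((n for n, i in fw["ifaces"].items()
                       if "ip" in i and i["ip"].ip == t["source"]), None)
        ezone = zone_of(fw, egress) if egress else None
        if ezone is None:
            findings.append(f"{name}: no zoned interface owns tunnel source {t['source']}")
            continue
        for src, dst in (("local", ezone), (ezone, "local")):
            if not has_permit(fw, src, dst):
                findings.append(f"{name}: no permit rule {src} -> {dst}; GRE via {egress} is blocked")
    return findings


if __name__ == "__main__":
    for finding in check_gre_pair("YX-FW", YX_FW, "YC-FW", YC_FW):
        print(finding)
```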
3 Testing
3.1 Wireless requirements
Both wireless clients connect normally
3.2 Networking requirements
PC1 can ping the ISP
Client1 can ping the ISP
PC3/PC4 can ping the ISP
PC1 can ping Server-http
PC3 can ping Server-ftp
STA can ping Server-ftp
Cellphone can ping Server-http
Internal hosts can reach each other
From: https://www.cnblogs.com/konjac-wjh/p/17539097.html