S2700&S3700通常部署在网络的接入层,S5700&S6700通常部署在网络的核心,出口路由器一般选用AR系列路由器。
- 接入交换机与核心交换机通过Eth-Trunk组网保证可靠性。
- 每个部门业务划分到一个VLAN中,部门间的业务在CORE上通过VLANIF三层互通。
- 核心交换机作为DHCP Server,为园区用户分配IP地址。
- 接入交换机上配置DHCP Snooping功能,防止内网用户私接小路由器分配IP地址;同时配置IPSG功能,防止内网用户私自更改IP地址。
配置设备管理IP地址后,可以通过管理IP远程登录设备,
1、配置管理IP
<HUAWEI> system-view
[HUAWEI] vlan 5 //创建交换机管理VLAN 5
[HUAWEI-VLAN5] management-vlan
[HUAWEI-VLAN5] quit
[HUAWEI] interface vlanif 5
[HUAWEI-vlanif5] ip address 10.10.1.1 24
[HUAWEI-vlanif5] quit
2、将接口加入到管理VLAN
[HUAWEI] interface GigabitEthernet 0/0/8 //假设连接网管的接口为GigabitEthernet 0/0/8
[HUAWEI-GigabitEthernet0/0/8] port link-type trunk
[HUAWEI-GigabitEthernet0/0/8] port trunk allow-pass vlan 5
[HUAWEI-GigabitEthernet0/0/8] quit
3、配置telnet
[HUAWEI] telnet server enable //Telnet出厂时是关闭的
[HUAWEI] telnet server-source -i vlanif 5 //V200R020及之后版本,必须执行该命令配置连接服务器端的端口,否则Telnet不可用
[HUAWEI] user-interface vty 0 4 //Telnet常用于设备管理员登录,推荐使用AAA认证
[HUAWEI-ui-vty0-4] protocol inbound telnet // V200R006及之前版本缺省支持telnet协议,但是V200R007及之后版本缺省的是SSH协议,因此使用telnet登录之前,必须要先配置这条命令
[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] idle-timeout 15
[HUAWEI-ui-vty0-4] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin password irreversible-cipher Helloworld@6789 //配置管理员Telnet登录交换机的用户名和密码。用户名不区分大小写,密码区分大小写
[HUAWEI-aaa] local-user admin privilege level 15 //将管理员的账号权限设置为15(最高)
[HUAWEI-aaa] local-user admin service-type telnet
配置接入层交换机
以接入交换机ACC1为例,创建ACC1的业务VLAN 10。
<HUAWEI> system-view
[HUAWEI] sysname ACC1 //修改设备名称为ACC1
[ACC1] vlan batch 10 //批量创建VLAN
配置ACC1连接CORE的Eth-Trunk1,透传部门A的VLAN。
[ACC1] interface eth-trunk 1
[ACC1-Eth-Trunk1] port link-type trunk //配置为trunk模式,用于透传VLAN。
[ACC1-Eth-Trunk1] port trunk allow-pass vlan 10 //配置Eth-Trunk1透传ACC1上的业务VLAN
[ACC1-Eth-Trunk1] mode lacp //配置Eth-Trunk1为LACP模式
[ACC1-Eth-Trunk1] quit
[ACC1] interface GigabitEthernet 0/0/1 //将成员接口加入Eth-Trunk1
[ACC1-GigabitEthernet0/0/1] eth-Trunk 1
[ACC1-GigabitEthernet0/0/1] quit
[ACC1] interface GigabitEthernet 0/0/2
[ACC1-GigabitEthernet0/0/2] eth-Trunk 1
[ACC1-GigabitEthernet0/0/2] quit
配置ACC1连接用户的接口,使用户加入VLAN,并将接口配置成边缘端口。
[ACC1] interface Ethernet 0/0/2 //配置连接PC1的接口
[ACC1-Ethernet0/0/2] port link-type access
[ACC1-Ethernet0/0/2] port default vlan 10
[ACC1-Ethernet0/0/2] stp edged-port enable
[ACC1-Ethernet0/0/2] quit
[ACC1] interface Ethernet 0/0/3 //配置连接PC2的接口
[ACC1-Ethernet0/0/3] port link-type access
[ACC1-Ethernet0/0/3] port default vlan 10
[ACC1-Ethernet0/0/3] stp edged-port enable
[ACC1-Ethernet0/0/3] quit
[ACC1] interface Ethernet 0/0/4 //配置连接打印机的接口
[ACC1-Ethernet0/0/4] port link-type access
[ACC1-Ethernet0/0/4] port default vlan 10
[ACC1-Ethernet0/0/4] stp edged-port enable
[ACC1-Ethernet0/0/4] quit
- 配置BPDU保护功能,加强网络的稳定性。
[ACC1] stp bpdu-protection
配置核心层交换机
批量创建CORE与ACC1、ACC2以及园区出口路由器互通的VLAN。
<HUAWEI> system-view
[HUAWEI] sysname CORE //修改设备名称为CORE
[CORE] vlan batch 10 20 100 //批量创建VLAN
配置下行接口和VLANIF接口,VLANIF接口用于部门A与部门B之间互访。以CORE连接ACC1的Eth-Trunk1为例。
[CORE] interface eth-trunk 1
[CORE-Eth-Trunk1] port link-type trunk //配置为trunk模式,用于透传VLAN
[CORE-Eth-Trunk1] port trunk allow-pass vlan 10 //配置Eth-Trunk1透传ACC1上的业务VLAN
[CORE-Eth-Trunk1] mode lacp //配置为LACP模式
[CORE-Eth-Trunk1] quit
[CORE] interface GigabitEthernet 0/0/1 //将成员接口加入Eth-Trunk1
[CORE-GigabitEthernet0/0/1] eth-Trunk 1
[CORE-GigabitEthernet0/0/1] quit
[CORE] interface GigabitEthernet 0/0/2
[CORE-GigabitEthernet0/0/2] eth-Trunk 1
[CORE-GigabitEthernet0/0/2] quit
[CORE] interface Vlanif 10 //配置VLANIF,使部门A与部门B之间三层互通
[CORE-Vlanif10] ip address 10.10.10.1 24
[CORE-Vlanif10] quit
[CORE] interface Vlanif 20 //配置VLANIF,使部门B与部门A之间三层互通
[CORE-Vlanif20] ip address 10.10.20.1 24
[CORE-Vlanif20] quit
配置上行接口和VLANIF接口,使园区网络与Internet互通。
[CORE] interface GigabitEthernet 0/0/20
[CORE-GigabitEthernet0/0/20] port link-type access //配置为access模式
[CORE-GigabitEthernet0/0/20] port default vlan 100
[CORE-GigabitEthernet0/0/20] quit
[CORE] interface Vlanif 100 //配置VLANIF,使CORE与路由器之间三层互通
[CORE-Vlanif100] ip address 10.10.100.1 24
[CORE-Vlanif100] quit
执行display eth-trunk 命令检查ACC1上的Eth-Trunk接口配置结果。可以看到,ACC1上, 接口GE0/0/1和GE0/0/2 加入了Eth-Trunk 1。
[ACC1] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 32768 System ID: 0200-0000-6704
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/1 Selected 1000M 32768 2 289 10111100 1
GigabitEthernet0/0/2 Selected 1000M 32768 3 289 10100010 1
Partner:--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 32768 0012-3321-2212 32768 2 289 10111100
GigabitEthernet0/0/2 32768 0012-3321-2212 32768 3 289 10111100
执行display vlan命令检查ACC1上的VLAN配置结果。可以看到,ACC1上,接口Eth0/0/2~Eth0/0/4以Untagged方式加入VLAN10,Eth-Trunk 1以Tagged方式加入VLAN10。
[ACC1] display vlan
The total number of VLANs is : 1
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
10 common UT:Eth0/0/2(U) Eth0/0/3(U) Eth0/0/4(U)
TG:Eth-Trunk1(U)
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
10 enable default enable disable VLAN 0010
执行display eth-trunk命令检查CORE上Eth-Trunk接口配置结果。可以看到,CORE上, 接口GE0/0/1和GE0/0/2 加入了Eth-Trunk 1。
[CORE] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 32768 System ID: 0200-0000-6703
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/1 Selected 1000M 32768 2 289 10111100 1
GigabitEthernet0/0/2 Selected 1000M 32768 3 289 10100010 1
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 32768 0012-3321-2211 32768 2 289 10111100
GigabitEthernet0/0/2 32768 0012-3321-2211 32768 3 289 10111100
执行display vlan命令检查CORE上VLAN配置结果。可以看到,CORE上,接口Eth-Trunk1、Eth-Trunk2分别以Tagged方式加入VLAN10和VLAN20;GE0/0/20以Tagged方式加入VLAN100。
[CORE] display vlan
The total number of VLANs is : 3
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
-------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
10 common TG:Eth-Trunk1(U)
20 common TG:Eth-Trunk2(U)
100 common TG:GE0/0/20(U)
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
10 enable default enable disable VLAN 0010
20 enable default enable disable VLAN 0020
100 enable default enable disable VLAN 0100
配置DHCP
在CORE上配置DHCP Server,使部门A(VLAN10)和部门B (VLAN20)的用户都能获取到正确的IP地址。
创建全局地址池,配置出口网关、租期(采用缺省值1天,不需配置)并配置为打印机(MAC地址为a-b-c)分配固定的IP地址10.10.10.254
<CORE> system-view
[CORE] dhcp enable
[CORE] ip pool 10
[CORE-ip-pool-10] network 10.10.10.0 mask 24 //配置部门A的用户可分配的地址池范围
[CORE-ip-pool-10] gateway-list 10.10.10.1 //配置部门A的用户的网关地址
[CORE-ip-pool-10] static-bind ip-address 10.10.10.254 mac-address a-b-c //配置为打印机分配固定的IP地址
[CORE-ip-pool-10] quit