Huawei Small and Medium Enterprise Network Topology (Advanced)
First, an apology: I originally wanted to connect the switches through the firewall, but the firewall's transparent mode had some problems, so I dropped that.
Then, while I was setting up the VPN, eNSP suddenly crashed. I checked the memory at the time, and it looks like my laptop simply doesn't have enough performance, which is what crashed eNSP, so several parts of this topology are still unfinished. For now I don't want to continue either, because I've found that with all the devices powered on things are already starting to go wrong here and there. It's a bit of a pity; I'm shelving it until I have the money for a new computer, and then I'll finish this topology. I won't describe the requirements, since it isn't fully done; I'll just go over what has been implemented. From now on my posts will mainly focus on implementing a single feature each.
Topology diagram:
Implemented features:
Dual DHCP, exit load balancing, wireless APs (newly added; I strongly suspect they are what is causing the problems), link aggregation (between the firewall and the switch), and IS-IS configuration.
IP address plan:
I'm describing the IP plan because this build uses dual DHCP, so I changed the address allocation somewhat. The branch office is left out because none of its devices have been configured yet.
Subnet | VLAN | Usable addresses | Mask |
192.168.80.0 | 80 | 192.168.80.1-192.168.81.254 | 23 |
192.168.70.0 | 70 | 192.168.70.1-192.168.71.254 | 23 |
192.168.60.0 | 60 | 192.168.60.1-192.168.61.254 | 23 |
192.168.50.0 | 50 | 192.168.50.1-192.168.51.254 | 23 |
192.168.40.0 | 40 | 192.168.40.1-192.168.41.254 | 23 |
192.168.30.0 | 30 | 192.168.30.1-192.168.31.254 | 23 |
192.168.20.0 | 20 | 192.168.20.1-192.168.21.254 | 23 |
192.168.10.0 | 10 | 192.168.10.1-192.168.11.254 | 23 |
Some may ask why I carve the subnets with a 9-bit host part (the /23 mask). It is for the DHCP setup: the address ranges the two DHCP servers hand out need to be made as close to identical as possible; otherwise problems arise.
Dual DHCP:
dhcp1
#
dhcp enable
# I won't repeat the basic configuration; see my previous post
ip pool vlan10
gateway-list 192.168.11.254
network 192.168.10.0 mask 255.255.254.0
excluded-ip-address 192.168.10.240 192.168.11.253 # excludes the reserved addresses and the range left for the other DHCP server to hand out; the remaining pools are configured the same way
dns-list 192.168.80.1
option 43 sub-option 2 ip-address 192.168.10.241 # option 43 sub-option 2 carries the AC's address, so an AP that leases from this pool learns where its AC is
#
ip pool vlan20
gateway-list 192.168.21.254
network 192.168.20.0 mask 255.255.254.0
excluded-ip-address 192.168.20.240 192.168.21.253
dns-list 192.168.80.1
#
ip pool vlan30
gateway-list 192.168.31.254
network 192.168.30.0 mask 255.255.254.0
excluded-ip-address 192.168.30.240 192.168.31.253
dns-list 192.168.80.1
#
ip pool vlan40
gateway-list 192.168.41.254
network 192.168.40.0 mask 255.255.254.0
excluded-ip-address 192.168.40.240 192.168.41.253
dns-list 192.168.80.1
#
ip pool vlan60
gateway-list 192.168.61.254
network 192.168.60.0 mask 255.255.254.0
excluded-ip-address 192.168.60.240 192.168.61.253
dns-list 192.168.80.1
#
ip pool vlan50
gateway-list 192.168.51.254
network 192.168.50.0 mask 255.255.254.0
excluded-ip-address 192.168.50.240 192.168.51.253
dns-list 192.168.80.1
#
interface GigabitEthernet0/0/0
ip address 192.168.70.1 255.255.254.0
dhcp select global # serve DHCP on this interface from the global address pools, so the PCs' relayed requests are answered here
#
ip route-static 0.0.0.0 0.0.0.0 192.168.71.254 # this box is really a router, so it needs a default route giving its next hop
#
dhcp2
# same as above
dhcp enable
#
ip pool vlan10
gateway-list 192.168.11.254
network 192.168.10.0 mask 255.255.254.0
excluded-ip-address 192.168.10.1 192.168.10.254
excluded-ip-address 192.168.11.240 192.168.11.253
dns-list 192.168.80.1
option 43 sub-option 2 ip-address 192.168.10.241
#
ip pool vlan20
gateway-list 192.168.21.254
network 192.168.20.0 mask 255.255.254.0
excluded-ip-address 192.168.20.1 192.168.20.254
excluded-ip-address 192.168.21.240 192.168.21.253 # this server leases the upper half of the /23; only .240-.253 are held back, as in the other pools
dns-list 192.168.80.1
#
ip pool vlan30
gateway-list 192.168.31.254
network 192.168.30.0 mask 255.255.254.0
excluded-ip-address 192.168.30.1 192.168.30.254
excluded-ip-address 192.168.31.240 192.168.31.253
dns-list 192.168.80.1
#
ip pool vlan40
gateway-list 192.168.41.254
network 192.168.40.0 mask 255.255.254.0
excluded-ip-address 192.168.40.1 192.168.40.254
excluded-ip-address 192.168.41.240 192.168.41.253
dns-list 192.168.80.1
#
ip pool vlan50
gateway-list 192.168.51.254
network 192.168.50.0 mask 255.255.254.0
excluded-ip-address 192.168.50.1 192.168.50.254
excluded-ip-address 192.168.51.240 192.168.51.253
dns-list 192.168.80.1
#
ip pool vlan60
gateway-list 192.168.61.254
network 192.168.60.0 mask 255.255.254.0
excluded-ip-address 192.168.60.1 192.168.60.254
excluded-ip-address 192.168.61.240 192.168.61.253
dns-list 192.168.80.1
#
interface GigabitEthernet0/0/0
ip address 192.168.70.2 255.255.254.0
dhcp select global
#
ip route-static 0.0.0.0 0.0.0.0 192.168.71.254
#
sw2
# only the DHCP-related configuration is shown here; the gateways, VRRP and so on are left out, otherwise it gets far too long
interface Vlanif10
dhcp select relay # relay mode: accept DHCP requests from clients on this VLAN and forward them
dhcp relay server-ip 192.168.70.1 # address of a DHCP server to forward to; both servers are listed so either can answer
dhcp relay server-ip 192.168.70.2
#
interface Vlanif20
dhcp select relay
dhcp relay server-ip 192.168.70.1
dhcp relay server-ip 192.168.70.2
#
interface Vlanif30
dhcp select relay
dhcp relay server-ip 192.168.70.1
dhcp relay server-ip 192.168.70.2
#
interface Vlanif40
dhcp select relay
dhcp relay server-ip 192.168.70.1
dhcp relay server-ip 192.168.70.2
#
interface Vlanif50
dhcp select relay
dhcp relay server-ip 192.168.70.1
dhcp relay server-ip 192.168.70.2
#
interface Vlanif60
dhcp select relay
dhcp relay server-ip 192.168.70.1
dhcp relay server-ip 192.168.70.2
#
sw3 is configured identically to sw2.
Exit load balancing:
fw1
#
ip-link check enable # enable link health checking
ip-link name outa # create the ip-link probe named outa
destination 100.0.0.6 interface GigabitEthernet1/0/0 mode icmp next-hop 100.0.0.6 # ICMP-probe 100.0.0.6, the next hop reached through GE1/0/0
ip-link name outb # the same for the second exit
destination 100.0.1.6 interface GigabitEthernet1/0/1 mode icmp next-hop 100.0.1.6
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 100.0.0.6 track ip-link outa # default routes tied to the probes: when a probe fails its route drops out of service and the other default route carries the traffic
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 100.0.1.6 track ip-link outb
#
policy-based-route # essentially the same as the traffic-splitting setup
rule name outa 1
source-zone trust
source-address 192.168.20.0 mask 255.255.254.0
source-address 192.168.30.0 mask 255.255.254.0
source-address 192.168.40.0 mask 255.255.254.0
destination-address-exclude 192.168.110.0 mask 255.255.254.0
destination-address-exclude 192.168.120.0 mask 255.255.254.0
destination-address-exclude 192.168.80.0 mask 255.255.254.0
track ip-link outa # ties the rule to the probe: when outa is down this rule stops taking effect and the traffic falls back to normal routing
action pbr egress-interface GigabitEthernet1/0/0 next-hop 100.0.0.6
rule name outb 2
source-zone trust
source-address 192.168.50.0 mask 255.255.254.0
source-address 192.168.60.0 mask 255.255.254.0
destination-address-exclude 192.168.110.0 mask 255.255.254.0
destination-address-exclude 192.168.120.0 mask 255.255.254.0
destination-address-exclude 192.168.80.0 mask 255.255.254.0
track ip-link outb
action pbr egress-interface GigabitEthernet1/0/1 next-hop 100.0.1.6
#
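The interaction between the ip-link probes, the tracked default routes and the tracked PBR rules is easier to see in a small model. The following is an added example written for this page (it is not firewall code or configuration, and not from the original post): it loads the prefixes, next hops and interface names from the fw1 configuration above and answers, for a given source, destination and probe state, which exit the traffic takes. The evaluation order is a simplified model (first matching PBR rule whose tracked link is up, otherwise the first active default route); a real USG load-shares two equal-cost default routes, which this model does not attempt.

```python
"""Simulate fw1's exit selection: two tracked PBR rules in front of two tracked default routes.

Added example, not the post's own code or configuration.  Prefixes, next hops and
interface names come from the fw1 configuration; the rule semantics are a
simplified model of tracked PBR rules and tracked static routes.
"""
import ipaddress

# ip-link name -> (egress interface, next hop), from the ip-link / route config
LINKS = {
    "outa": ("GigabitEthernet1/0/0", "100.0.0.6"),
    "outb": ("GigabitEthernet1/0/1", "100.0.1.6"),
}


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# destination-address-exclude entries shared by both rules (internal prefixes)
EXCLUDE = nets("192.168.110.0/23", "192.168.120.0/23", "192.168.80.0/23")

# policy-based-route rules in the order the firewall evaluates them
PBR_RULES = [
    {"name": "outa", "zone": "trust",
     "sources": nets("192.168.20.0/23", "192.168.30.0/23", "192.168.40.0/23"),
     "exclude": EXCLUDE, "track": "outa"},
    {"name": "outb", "zone": "trust",
     "sources": nets("192.168.50.0/23", "192.168.60.0/23"),
     "exclude": EXCLUDE, "track": "outb"},
]

# the two 0.0.0.0/0 static routes in configuration order, each tracking an ip-link
DEFAULT_ROUTES = ["outa", "outb"]


def select_egress(src, dst, zone, link_up):
    """Return (reason, link, interface, next_hop), or None when no exit is usable.

    link_up maps ip-link name -> bool (probe result).  A PBR rule whose tracked
    link is down is skipped; a default route whose tracked link is down is
    inactive.  With both default routes active the first one is returned here
    (a real firewall would load-share the two equal-cost defaults).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in PBR_RULES:
        if rule["zone"] != zone or not any(src in n for n in rule["sources"]):
            continue
        if any(dst in n for n in rule["exclude"]):
            continue  # destination-address-exclude: leave it to normal routing
        if not link_up.get(rule["track"], False):
            continue  # track ip-link: probe failed, the rule does not take effect
        return ("pbr", rule["track"]) + LINKS[rule["track"]]
    for link in DEFAULT_ROUTES:
        if link_up.get(link, False):
            return ("default-route", link) + LINKS[link]
    return None


def failover_table(src, dst="203.0.113.10"):
    """Exit (ip-link name or None) chosen for src under every combination of probe states."""
    table = {}
    for a in (True, False):
        for b in (True, False):
            r = select_egress(src, dst, "trust", {"outa": a, "outb": b})
            table[(a, b)] = None if r is None else r[1]
    return table


if __name__ == "__main__":
    # 203.0.113.10 is a constructed (documentation-range) external destination
    for host in ("192.168.20.10", "192.168.50.10"):
        print(host, failover_table(host))
```

For a host in VLAN 50, for instance, the table shows outb whenever its probe is up, outa as the fallback when only outb has failed, and no exit at all when both probes fail. Traffic to an excluded destination, or from a zone other than trust, never hits a PBR rule and is handled by the default routes alone.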
Wireless APs:
ac
#
interface Vlanif10 # give Vlanif10 an address; this is the AC's own IP
ip address 192.168.10.241 255.255.254.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
ip route-static 0.0.0.0 0.0.0.0 192.168.11.254 # default route with its next hop
#
capwap source interface vlanif10 # Vlanif10's address is the one the AC uses to talk to the APs (the CAPWAP source)
#
wlan
security-profile name wifi # security profile
security wpa2 psk pass-phrase huawei@123 aes # WPA2-PSK with AES; huawei@123 is the passphrase
ssid-profile name guest # SSID profile
ssid guest # SSID name
ssid-profile name company
ssid company
vap-profile name guest-vap # VAP profile: the object that ties a security profile and an SSID profile together
service-vlan vlan-id 20 # client traffic on this SSID is placed in VLAN 20
ssid-profile guest # use the SSID profile named guest
security-profile wifi # use the security profile named wifi
vap-profile name company-vap
service-vlan vlan-id 20 # also VLAN 20: as configured, guest and company clients share one VLAN and one PSK, so the two SSIDs give no separation between them
ssid-profile company
security-profile wifi
ap-group name group1 # AP group
vap-profile guest-vap wlan 1 radio 0 # guest-vap as WLAN ID 1 on radio 0
vap-profile company-vap wlan 2 radio 1 # company-vap as WLAN ID 2 on radio 1
ap-id 0 type-id 56 ap-mac 00e0-fc71-0b10 ap-sn 21023544831013561B2C # bind AP ID 0 to this MAC address and serial number
ap-name ap1 # name it ap1
ap-group group1 # add it to group1
ap-id 1 type-id 56 ap-mac 00e0-fc34-40a0 ap-sn 210235448310D6478737
ap-name ap2
ap-group group1
#
# switch port facing the APs
interface Ethernet0/0/1
port link-type trunk # trunk port
port trunk pvid vlan 10 # native VLAN set to VLAN 10, the VLAN that hands out addresses to the AC and the APs
port trunk allow-pass vlan 10 20 # allow VLANs 10 and 20
# the native VLAN is changed so that the AP's DHCP requests cross the trunk untagged and reach the DHCP server directly,
# which prevents the AP from obtaining an address in both VLAN 10 and VLAN 20 and ending up with a conflict.
The DHCP pools live on the DHCP servers (dhcp1 and dhcp2):
#
ip pool vlan10
gateway-list 192.168.11.254
network 192.168.10.0 mask 255.255.254.0
excluded-ip-address 192.168.10.240 192.168.11.253 # excludes the reserved addresses and the range left for the other DHCP server; the other pools are configured the same way
dns-list 192.168.80.1
option 43 sub-option 2 ip-address 192.168.10.241 # option 43 sub-option 2 carries the AC's address, so an AP leasing from this pool learns where its AC is
#
Link aggregation:
fw1
# much like ordinary link aggregation; the main difference is that when adding it to a zone you add the Eth-Trunk itself rather than the member ports
interface Eth-Trunk1
ip address 192.168.81.254 255.255.254.0
mode lacp-static
max active-linknumber 2
service-manage ping permit
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet1/0/5
undo shutdown
eth-trunk 1
lacp priority 100
#
lacp priority 100
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1
#
sw1
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
max active-linknumber 2
#
interface GigabitEthernet0/0/1
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet0/0/2
eth-trunk 1
lacp priority 100
#
IS-IS configuration (something I only recently learned):
Key points:
1. An IS-IS Level-1 router can only form an adjacency with a Level-1-2 router, while a Level-1-2 router can form adjacencies with Level-2 and Level-1-2 routers.
2. Connections to external areas can only be made by Level-1-2 and Level-2.
3. Different interfaces on the same router can run at different levels.
isp1
#
isis 1 # create IS-IS process 1
network-entity 10.0000.0000.0000.0001.00 # configure the NET; follow the format 10.0000.0000.0000.0001.00 (area 10.0000, system ID 0000.0000.0001, selector 00)
import-route isis level-2 into level-1 # route leaking: advertise Level-2 routes into Level-1
#
interface GigabitEthernet0/0/0
ip address 200.0.0.1 255.255.255.0
isis enable 1 # enable IS-IS on the interface
#
interface GigabitEthernet0/0/1
ip address 100.0.2.1 255.255.255.0
isis enable 1
isis circuit-level level-1 # set the interface's circuit level to Level-1 (an IS-IS router defaults to Level-1-2, so two routers in the same area would form both a Level-1 and a Level-2 adjacency, doubling the adjacencies, loading the routers and wasting bandwidth; only a Level-1 adjacency is needed here. But because this router also connects to routers in other areas, the router level itself cannot be changed to Level-1, so the fix is to set the adjacency level on the interface to Level-1 instead)
isis authentication-mode simple plain 123456 # interface authentication (simple mode, plaintext password)
#
interface GigabitEthernet0/0/2
ip address 100.0.0.6 255.255.255.0
isis enable 1
#
isp2
#
isis 1
network-entity 10.0000.0000.0000.0002.00
import-route isis level-2 into level-1
#
interface GigabitEthernet0/0/0
ip address 100.0.2.2 255.255.255.0
isis enable 1
isis circuit-level level-1
isis authentication-mode simple plain 123456
#
interface GigabitEthernet0/0/1
ip address 100.0.1.6 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/2
ip address 100.0.3.2 255.255.255.0
isis enable 1
isis circuit-level level-1
isis authentication-mode simple plain 123456
#
isp3
#
isis 1
network-entity 10.0000.0000.0000.0003.00
import-route isis level-2 into level-1
#
interface GigabitEthernet0/0/0
ip address 100.0.3.1 255.255.255.0
isis enable 1
isis circuit-level level-1
isis authentication-mode simple plain 123456
#
interface GigabitEthernet0/0/1
ip address 100.0.5.1 255.255.255.0
isis enable 1
isis circuit-level level-1
isis authentication-mode simple plain 123456
#
interface GigabitEthernet0/0/2
ip address 100.0.4.1 255.255.255.0
isis enable 1
#
isp4
#
isis 1
network-entity 10.0000.0000.0000.0004.00
import-route isis level-2 into level-1
#
interface GigabitEthernet0/0/0
ip address 100.0.5.2 255.255.255.0
isis enable 1
isis circuit-level level-1
isis authentication-mode simple plain 123456
#
interface GigabitEthernet0/0/1
ip address 100.0.6.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/2
ip address 100.0.7.1 255.255.255.0
isis enable 1
#
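The three key points, together with the reasoning in the circuit-level comment, can be checked against the four ISP routers with a small model. This is an added example written for this page, not the post's own code: it records each router's NET and each interface's circuit level and password exactly as configured above, and derives which adjacencies form and at which level using the general IS-IS rules (a Level-1 adjacency only within one area, a Level-2 adjacency across areas, and both ends must share the interface password). It goes a little beyond the page by also covering Level-1 to Level-1, cross-area and mismatched-password cases; the r5, r6 and r7 routers used for those are constructed and do not exist in the topology.

```python
"""Derive which IS-IS adjacencies form between the four ISP routers of this page.

Added example, not the post's own code.  Router NETs and interface settings are
copied from the isp1-isp4 configuration; the rules applied are the general
IS-IS adjacency rules.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

LEVELS = {
    "level-1": {"level-1"},
    "level-2": {"level-2"},
    "level-1-2": {"level-1", "level-2"},
}


def net_area(net: str) -> str:
    """Area ID of a NET as a hex string: everything before the 6-byte system ID and 1-byte NSEL."""
    digits = net.replace(".", "")
    return digits[:-14]  # strip 12 hex digits of system ID and 2 of NSEL


@dataclass
class Iface:
    router: str
    net: str
    name: str
    addr: str                               # address/prefix, e.g. "100.0.2.1/24"
    circuit_level: str = "level-1-2"        # Huawei default: interface runs both levels
    router_level: str = "level-1-2"         # Huawei default: is-level level-1-2
    password: Optional[str] = None          # isis authentication-mode simple plain ...

    def levels(self) -> Set[str]:
        """Levels this interface can actually run: router level limited by circuit level."""
        return LEVELS[self.router_level] & LEVELS[self.circuit_level]


def adjacency(a: Iface, b: Iface) -> Set[str]:
    """Levels at which interfaces a and b become neighbours (empty set = no adjacency)."""
    if ipaddress.ip_interface(a.addr).network != ipaddress.ip_interface(b.addr).network:
        return set()                        # not on the same link
    if a.password != b.password:
        return set()                        # hello PDUs fail authentication
    common = a.levels() & b.levels()
    formed = set()
    if "level-1" in common and net_area(a.net) == net_area(b.net):
        formed.add("level-1")               # Level-1 only inside one area
    if "level-2" in common:
        formed.add("level-2")               # Level-2 may cross areas
    return formed


def all_adjacencies(ifaces: List[Iface]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (router, router) -> adjacency levels for every pair of interfaces that peers."""
    result: Dict[Tuple[str, str], Set[str]] = {}
    for i, a in enumerate(ifaces):
        for b in ifaces[i + 1:]:
            if a.router == b.router:
                continue
            levels = adjacency(a, b)
            if levels:
                result[tuple(sorted((a.router, b.router)))] = levels
    return result


PW = "123456"
NET = {n: f"10.0000.0000.0000.000{i}.00" for i, n in enumerate(("isp1", "isp2", "isp3", "isp4"), start=1)}

# interfaces as configured on this page (L1 + password where circuit-level level-1 is set)
ISP_IFACES = [
    Iface("isp1", NET["isp1"], "GE0/0/0", "200.0.0.1/24"),
    Iface("isp1", NET["isp1"], "GE0/0/1", "100.0.2.1/24", circuit_level="level-1", password=PW),
    Iface("isp1", NET["isp1"], "GE0/0/2", "100.0.0.6/24"),
    Iface("isp2", NET["isp2"], "GE0/0/0", "100.0.2.2/24", circuit_level="level-1", password=PW),
    Iface("isp2", NET["isp2"], "GE0/0/1", "100.0.1.6/24"),
    Iface("isp2", NET["isp2"], "GE0/0/2", "100.0.3.2/24", circuit_level="level-1", password=PW),
    Iface("isp3", NET["isp3"], "GE0/0/0", "100.0.3.1/24", circuit_level="level-1", password=PW),
    Iface("isp3", NET["isp3"], "GE0/0/1", "100.0.5.1/24", circuit_level="level-1", password=PW),
    Iface("isp3", NET["isp3"], "GE0/0/2", "100.0.4.1/24"),
    Iface("isp4", NET["isp4"], "GE0/0/0", "100.0.5.2/24", circuit_level="level-1", password=PW),
    Iface("isp4", NET["isp4"], "GE0/0/1", "100.0.6.1/24"),
    Iface("isp4", NET["isp4"], "GE0/0/2", "100.0.7.1/24"),
]


if __name__ == "__main__":
    for pair, levels in sorted(all_adjacencies(ISP_IFACES).items()):
        print(pair, sorted(levels))
```

Run on the page's routers it yields exactly three adjacencies (isp1-isp2, isp2-isp3, isp3-isp4), each at Level-1 only, which is the effect the circuit-level comment describes. Two routers in the same area left at their defaults would form both a Level-1 and a Level-2 adjacency, and routers in different areas can only meet at Level-2. Note that `isis authentication-mode simple plain` carries the password in clear text in every hello; the model checks only that both ends agree, which is all the protocol itself checks in this mode.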
Results (screenshots):
DHCP:
Dual DHCP under normal conditions
With the dhcp2 server down
AP:
AP online status as seen on the AC
PC access
Exit load balancing:
pc1's exit path
pc3's exit path
IS-IS:
isp1 routing table