Outline

Rename devices
Timeout setting
Stacking configuration and renaming
LACP configuration
VLAN creation and VLAN pass-through on interfaces
VLANIF Layer 3 interface IP addresses and loopback addresses
Egress router NAT configuration
DHCP configuration: server enable, global pools, relay agent
VPN instance creation
Binding VPN instances under VLANIF Layer 3 interfaces
Binding VPN instances under IP pools
OSPF peering configuration
Creating ip-prefix filter lists
In OSPF process 1, areas 1 and 2 each apply an ip-prefix list to filter out the other side's subnets
Core-to-firewall interconnection: VLANIF interface addresses and OSPF peering
Firewall configuration: resource allocation (vsys), IP addresses, etc.
Firewall global OSPF peering with the core
Wireless AC configuration
Network access authentication configuration
Firewall custom address sets and policy configuration
Three traffic-redirect (bypass) configurations

Disable the device idle timeout; restore it after the configuration is finished. It must not be changed in the Y zone.

[Huawei] user-interface console 0
[Huawei-ui-console0] idle-timeout 0
[Huawei-ui-console0] quit

[Huawei] user-interface console 0
[Huawei-ui-console0] undo idle-timeout
[Huawei-ui-console0] quit

Rename devices

X_T1_Core1
X_T1_AGG1
X_T1_AGG2
X_T2_AGG1_1
X_T2_AGG1_2
X_T1_ACC1
X_T1_ACC2
X_T2_ACC1
X_T2_ACC2
X_T1_Export1
X_T1_Export2
X_T1_FW1
X_T1_AC1

Stacking

X_T2_AGG1-1
stack slot 0 renumber 0
stack slot 0 priority 200

interface stack-port 0/1
port interface g0/0/1 enable
shutdown interface g0/0/1

interface stack-port 0/2
port interface g0/0/2 enable
shutdown interface g0/0/2

X_T2_AGG1-2
stack slot 0 renumber 1
stack slot 0 priority 100

interface stack-port 0/1
port interface g0/0/2 enable

interface stack-port 0/2
port interface g0/0/1 enable

X_T2_AGG1_1 // push these in with a script in one go; doing it by hand is too slow and the device reboots in between
interface stack-port 0/1
undo shutdown interface g0/0/1

interface stack-port 0/2
undo shutdown interface g0/0/2

Clear the stacking configuration (in system view)
reset stack config

After stacking, name the device X_T2_AGG1

Check the stack

dis stack

LACP configuration

X_T1_Core1
interface Eth-Trunk 1
mode lacp
trunkport GigabitEthernet 0/0/23
trunkport GigabitEthernet 0/0/24
trunkport GigabitEthernet 1/0/23
trunkport GigabitEthernet 1/0/24

X_T1_Core1
interface Eth-Trunk 2
mode lacp
trunkport GigabitEthernet 0/0/21
trunkport GigabitEthernet 0/0/22
trunkport GigabitEthernet 1/0/21
trunkport GigabitEthernet 1/0/22

X_T1_AGG1
interface Eth-Trunk 1
mode lacp
trunkport GigabitEthernet 0/0/23
trunkport GigabitEthernet 0/0/24
trunkport GigabitEthernet 1/0/23
trunkport GigabitEthernet 1/0/24

interface Eth-Trunk 2
mode lacp
trunkport GigabitEthernet 0/0/21
trunkport GigabitEthernet 1/0/21

interface Eth-Trunk 3
mode lacp
trunkport GigabitEthernet 0/0/22
trunkport GigabitEthernet 1/0/22

X_T2_AGG1
interface Eth-Trunk 1
mode lacp
trunkport GigabitEthernet 0/0/23
trunkport GigabitEthernet 0/0/24
trunkport GigabitEthernet 1/0/23
trunkport GigabitEthernet 1/0/24

interface Eth-Trunk 2
mode lacp
trunkport GigabitEthernet 0/0/21
trunkport GigabitEthernet 1/0/21

interface Eth-Trunk 3
mode lacp
trunkport GigabitEthernet 0/0/22
trunkport GigabitEthernet 1/0/22

X_T2_ACC1
interface eth-trunk 1
mode lacp
trunkport GigabitEthernet 0/0/23
trunkport GigabitEthernet 0/0/24

X_T2_ACC2
interface eth-trunk 1
mode lacp
trunkport GigabitEthernet 0/0/23
trunkport GigabitEthernet 0/0/24

Service interconnection and VLAN allocation

Final VLANs on every device

X_T1_Export1
vlan 201

X_T1_Export2
vlan 202

X_T1_AC
vlan 100 203 51 to 55 101 to 105

On the core
vlan 51-55, 60, 100, 101-105, 201-209

X_T1_AGG1
vlan 11-15,21-25,100,208

X_T2_AGG1
vlan 31-35,41-45,100,209

X_T1_ACC1
vlan 100

X_T1_ACC2
vlan 100

X_T2_ACC1
vlan 100

X_T2_ACC2
vlan 100

FW
vlan 204 205 206 207

Interconnect VLANs

vlan 60 server zone
vlan 100 CAPWAP wireless tunnel
vlan 201 core switch to X_Export1 interconnect
vlan 202 core switch to X_Export2 interconnect
vlan 203 core to wireless controller interconnect
vlan 204 core to firewall interconnect
vlan 205 core to firewall interconnect
vlan 206 core to firewall interconnect
vlan 207 core to firewall interconnect
vlan 208 core to aggregation 1 interconnect
vlan 209 core to aggregation 2 interconnect

Service VLANs

vlan 11-15 marketing department (market), X_T1_AGG1
vlan 21-25 purchasing department (purchase), X_T1_AGG1
vlan 31-35 finance department (finance), X_T2_AGG1
vlan 41-45 HR department (hr), X_T2_AGG1
vlan 51-55 internal wireless, configured on the core and the AC
vlan 101-105 external (guest) wireless, configured on the core and the AC
vlan 60 core switch, connects to the servers
vlan 100 AC, core, aggregation, access; CAPWAP management (Layer 2 networking)
vlan 201 egress X_T1_Export1 and core; Export1-to-core interconnect
vlan 202 egress X_T1_Export2 and core; Export2-to-core interconnect
vlan 203 core and AC; AC-to-core interconnect
vlan 204-207 core and firewall; core-to-firewall interconnect
vlan 208 core and X_T1_AGG1; core-to-aggregation-1 interconnect
vlan 209 core and X_T2_AGG1; core-to-aggregation-2 interconnect

VLANs allowed on each device's interfaces

X_T1_ACC1
Uplink Eth-Trunk 1: trunk, allow VLAN 100
Downlink ports to wireless APs: access, default VLAN 100

X_T1_ACC2
Uplink Eth-Trunk 1: trunk, allow VLAN 100
Downlink ports to wireless APs: access, default VLAN 100

X_T2_ACC1
Uplink Eth-Trunk 1: trunk, allow VLAN 100
Downlink ports to wireless APs: access, default VLAN 100

X_T2_ACC2
Uplink Eth-Trunk 1: trunk, allow VLAN 100
Downlink ports to wireless APs: access, default VLAN 100

X_T1_AGG1
Uplink Eth-Trunk 1: trunk, allow VLANs 100 and 208
Downlink Eth-Trunk 2 and 3 carry a pre-configured VLAN 100 that must be removed first:
undo port trunk allow-pass vlan 100
Downlink Eth-Trunk 2: hybrid, tagged VLANs 11 to 15, 21 to 25, 100
Downlink Eth-Trunk 3: hybrid, tagged VLANs 11 to 15, 21 to 25, 100

X_T2_AGG1
Uplink Eth-Trunk 1: trunk, allow VLANs 100 and 209
Downlink Eth-Trunk 2: hybrid, tagged VLANs 31 to 35, 41 to 45, 100
Downlink Eth-Trunk 3: hybrid, tagged VLANs 31 to 35, 41 to 45, 100

X_T1_Core1
Left-side port to the server: access, default VLAN 60
Uplink interconnect port to X_T1_Export1: access, default VLAN 201
Uplink interconnect port to X_T1_Export2: access, default VLAN 202
Right-side trunk port to the AC: allow VLANs 51 to 55, 101 to 105, 100, 203
Downlink Eth-Trunk 1 to X_T1_AGG1: trunk, allow VLANs 208 and 100
Downlink Eth-Trunk 2 to X_T2_AGG1: trunk, allow VLANs 209 and 100
Right-side upper link to the firewall: trunk, allow VLANs 204 to 205, remove VLAN 1 (undo port trunk allow-pass vlan 1)
Right-side lower link to the firewall: trunk, allow VLANs 206 to 207, remove VLAN 1

interface GigabitEthernet0/0/1
port link-type access
port default vlan 201

interface GigabitEthernet0/0/2
port link-type access
port default vlan 202

X_T1_Export1
Downlink port to the core: access, VLAN 201

X_T1_Export2
Downlink port to the core: access, VLAN 202

X_T1_FW
Left-side upper link to the core switch (interface converted to Layer 2 with portswitch): trunk, allow VLANs 204 to 205, remove VLAN 1
Left-side lower link to the core switch (interface converted to Layer 2 with portswitch): trunk, allow VLANs 206 to 207, remove VLAN 1

X_T1_AC controller
Left-side trunk port to the core: allow VLANs 100, 203, 51 to 55, 101 to 105
AC port G0/0/1 connects to core port G0/0/3

Configure Layer 3 VLANIF interfaces

X_T1_Export1
Ge0/0/1
interface Vlanif 201
ip add 10.1.200.1 30

interface LoopBack 0
ip address 10.1.0.1 32

X_T1_Export2
Ge0/0/1
interface Vlanif 202
ip add 10.1.200.5 30

interface LoopBack 0
ip address 10.1.0.2 32

X_T1_Core1
interface vlanif 60
ip add 10.1.60.254 24

interface vlanif 51
ip add 10.1.51.254 24

interface vlanif 52
ip add 10.1.52.254 24

interface vlanif 53
ip add 10.1.53.254 24

interface vlanif 54
ip add 10.1.54.254 24

interface vlanif 55
ip add 10.1.55.254 24

interface vlanif 101
ip add 10.1.101.254 24

interface vlanif 102
ip add 10.1.102.254 24

interface vlanif 103
ip add 10.1.103.254 24

interface vlanif 104
ip add 10.1.104.254 24

interface vlanif 105
ip add 10.1.105.254 24

interface vlanif 201
ip add 10.1.200.2 30

interface vlanif 202
ip add 10.1.200.6 30

interface vlanif 203
ip add 10.1.200.9 30

interface vlanif 204
ip add 10.1.200.13 30

interface vlanif 205
ip add 10.1.200.17 30

interface vlanif 206
ip add 10.1.200.21 30

interface vlanif 207
ip add 10.1.200.25 30

interface vlanif 208
ip add 10.1.200.29 30

interface vlanif 209
ip add 10.1.200.33 30

interface LoopBack 0
ip address 10.1.0.3 32

interface LoopBack 1
ip address 10.1.0.4 32

interface LoopBack 2
ip address 10.1.0.5 32

X_T1_AGG1
interface vlanif 11
ip add 10.1.11.254 24

interface vlanif 12
ip add 10.1.12.254 24

interface vlanif 13
ip add 10.1.13.254 24

interface vlanif 14
ip add 10.1.14.254 24

interface vlanif 15
ip add 10.1.15.254 24

interface vlanif 21
ip add 10.1.21.254 24

interface vlanif 22
ip add 10.1.22.254 24

interface vlanif 23
ip add 10.1.23.254 24

interface vlanif 24
ip add 10.1.24.254 24

interface vlanif 25
ip add 10.1.25.254 24

interface vlanif 208
ip add 10.1.200.30 30

interface LoopBack 0
ip address 10.1.0.6 32

X_T2_AGG1
interface vlanif 31
ip add 10.1.31.254 24

interface vlanif 32
ip add 10.1.32.254 24

interface vlanif 33
ip add 10.1.33.254 24

interface vlanif 34
ip add 10.1.34.254 24

interface vlanif 35
ip add 10.1.35.254 24

interface vlanif 41
ip add 10.1.41.254 24

interface vlanif 42
ip add 10.1.42.254 24

interface vlanif 43
ip add 10.1.43.254 24

interface vlanif 44
ip add 10.1.44.254 24

interface vlanif 45
ip add 10.1.45.254 24

interface vlanif 209
ip add 10.1.200.34 30

interface LoopBack 0
ip address 10.1.0.7 32

X_T1_AC1
interface Vlanif 203
ip address 10.1.200.10 30

interface LoopBack 0
ip address 10.1.0.11 32

interface vlanif 100
ip add 10.1.100.254 24

capwap source interface Vlanif 100
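Added example (Python), not part of the original notes: a check that every point-to-point /30 in the address plan above is consistent (both ends in the same /30, neither end a network or broadcast address, no /30 reused) and that each aggregation switch's DHCP relay server-ip is the core's end of its own uplink. Device names and addresses are copied from the VLANIF plan; the INTERCONNECTS table, RELAY_TARGETS and the helper names are constructed for the example.

```python
"""Consistency check for the /30 interconnect plan in the notes above.

Added example, not from the original notes. Each link is listed as
(vlan, device A, A's address, device B, B's address); the addresses are the
ones from the VLANIF plan, the table itself is constructed for this check.
"""
import ipaddress

INTERCONNECTS = [
    (201, "X_T1_Export1", "10.1.200.1",  "X_T1_Core1", "10.1.200.2"),
    (202, "X_T1_Export2", "10.1.200.5",  "X_T1_Core1", "10.1.200.6"),
    (203, "X_T1_AC1",     "10.1.200.10", "X_T1_Core1", "10.1.200.9"),
    (204, "X_T1_FW",      "10.1.200.14", "X_T1_Core1", "10.1.200.13"),
    (205, "X_T1_FW",      "10.1.200.18", "X_T1_Core1", "10.1.200.17"),
    (206, "X_T1_FW",      "10.1.200.22", "X_T1_Core1", "10.1.200.21"),
    (207, "X_T1_FW",      "10.1.200.26", "X_T1_Core1", "10.1.200.25"),
    (208, "X_T1_AGG1",    "10.1.200.30", "X_T1_Core1", "10.1.200.29"),
    (209, "X_T2_AGG1",    "10.1.200.34", "X_T1_Core1", "10.1.200.33"),
]

# DHCP relay targets from the relay section: relay device -> server-ip it points at
RELAY_TARGETS = {"X_T1_AGG1": "10.1.200.29", "X_T2_AGG1": "10.1.200.33"}


def check_link(vlan, dev_a, addr_a, dev_b, addr_b):
    """Return a list of problems found on one /30 link (empty list = OK)."""
    problems = []
    ia = ipaddress.IPv4Interface(f"{addr_a}/30")
    ib = ipaddress.IPv4Interface(f"{addr_b}/30")
    if ia.network != ib.network:
        problems.append(f"vlan {vlan}: {dev_a} {ia} and {dev_b} {ib} are in different /30s")
    for dev, iface in ((dev_a, ia), (dev_b, ib)):
        # .0 and .3 of a /30 are not usable host addresses
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"vlan {vlan}: {dev} {iface.ip} is the network or broadcast address")
    if ia.ip == ib.ip:
        problems.append(f"vlan {vlan}: both ends use {ia.ip}")
    return problems


def check_plan(links=INTERCONNECTS):
    """Check every link and that no /30 is used twice; return all problems found."""
    problems = []
    seen = {}
    for vlan, dev_a, addr_a, dev_b, addr_b in links:
        problems.extend(check_link(vlan, dev_a, addr_a, dev_b, addr_b))
        net = ipaddress.IPv4Interface(f"{addr_a}/30").network
        if net in seen:
            problems.append(f"vlan {vlan}: {net} already used by vlan {seen[net]}")
        seen[net] = vlan
    return problems


def relay_points_at_core(relay_dev, server_ip, links=INTERCONNECTS):
    """True if server_ip is the core's end of relay_dev's own uplink /30.

    The core is the DHCP server here (dhcp select global on Vlanif208/209),
    so the relay must point at the core's address on that uplink.
    """
    for _vlan, dev_a, _addr_a, dev_b, addr_b in links:
        if dev_a == relay_dev and dev_b == "X_T1_Core1":
            return addr_b == server_ip
    return False


if __name__ == "__main__":
    for p in check_plan():
        print("PROBLEM:", p)
    for dev, ip in RELAY_TARGETS.items():
        print(dev, "relay ->", ip, "is core end of uplink:", relay_points_at_core(dev, ip))
```

Running it against the plan as written reports no problems; changing one end of a link (for example typing 10.1.200.5 where 10.1.200.2 belongs) is flagged immediately, which is cheaper than discovering it through an OSPF adjacency that never forms.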

Egress router configuration

X_Export2
interface Vlanif 202
ip address 10.1.200.5 255.255.255.252

interface GigabitEthernet0/0/9
ip address 10.255.3.1 255.255.255.0

interface GigabitEthernet0/0/10
ip address 10.255.4.1 255.255.255.0

ip route-static 0.0.0.0 0.0.0.0 10.255.3.254
ip route-static 0.0.0.0 0.0.0.0 10.255.4.254

## X_Export2 Internet access configuration
acl number 2000
rule permit source 10.1.11.0 0.0.0.255
rule permit source 10.1.12.0 0.0.0.255
rule permit source 10.1.13.0 0.0.0.255
rule permit source 10.1.14.0 0.0.0.255
rule permit source 10.1.15.0 0.0.0.255
rule permit source 10.1.21.0 0.0.0.255
rule permit source 10.1.22.0 0.0.0.255
rule permit source 10.1.23.0 0.0.0.255
rule permit source 10.1.24.0 0.0.0.255
rule permit source 10.1.25.0 0.0.0.255
rule permit source 10.1.51.0 0.0.0.255
rule permit source 10.1.52.0 0.0.0.255
rule permit source 10.1.53.0 0.0.0.255
rule permit source 10.1.54.0 0.0.0.255
rule permit source 10.1.55.0 0.0.0.255
rule permit source 10.1.101.0 0.0.0.255
rule permit source 10.1.102.0 0.0.0.255
rule permit source 10.1.103.0 0.0.0.255
rule permit source 10.1.104.0 0.0.0.255
rule permit source 10.1.105.0 0.0.0.255

interface g0/0/9
nat outbound 2000

nat address-group 1 10.255.4.2 10.255.4.100

interface GigabitEthernet0/0/10
ip address 10.255.4.1 255.255.255.0
nat outbound 2000 address-group 1
nat server protocol tcp global current-interface 8081 inside 10.1.60.101 www

X_T1_Export1

acl 2000
undo rule 5
rule permit source 10.1.11.0 0.0.0.255
rule permit source 10.1.12.0 0.0.0.255
rule permit source 10.1.13.0 0.0.0.255
rule permit source 10.1.14.0 0.0.0.255
rule permit source 10.1.15.0 0.0.0.255
rule permit source 10.1.21.0 0.0.0.255
rule permit source 10.1.22.0 0.0.0.255
rule permit source 10.1.23.0 0.0.0.255
rule permit source 10.1.24.0 0.0.0.255
rule permit source 10.1.25.0 0.0.0.255
rule permit source 10.1.51.0 0.0.0.255
rule permit source 10.1.52.0 0.0.0.255
rule permit source 10.1.53.0 0.0.0.255
rule permit source 10.1.54.0 0.0.0.255
rule permit source 10.1.55.0 0.0.0.255
rule permit source 10.1.101.0 0.0.0.255
rule permit source 10.1.102.0 0.0.0.255
rule permit source 10.1.103.0 0.0.0.255
rule permit source 10.1.104.0 0.0.0.255
rule permit source 10.1.105.0 0.0.0.255

DHCP configuration

X_T1_Core1
dhcp enable

X_T1_AC
dhcp enable
interface Vlanif 100
dhcp select interface
dhcp server ip-range 10.1.100.1 10.1.100.253 // keep the gateway address out of the pool

DHCP configuration: global pools

X_T1_Core1
interface Vlanif208
dhcp select global

interface Vlanif209
dhcp select global

interface Vlanif51
dhcp select global

interface Vlanif52
dhcp select global

interface Vlanif53
dhcp select global

interface Vlanif54
dhcp select global

interface Vlanif55
dhcp select global

interface Vlanif101
dhcp select global

interface Vlanif102
dhcp select global

interface Vlanif103
dhcp select global

interface Vlanif104
dhcp select global

interface Vlanif105
dhcp select global

DHCP relay configuration

X_T1_AGG1
dhcp enable
interface Vlanif11
dhcp select relay
dhcp relay server-ip 10.1.200.29

interface Vlanif12
dhcp select relay
dhcp relay server-ip 10.1.200.29

interface Vlanif13
dhcp select relay
dhcp relay server-ip 10.1.200.29

interface Vlanif14
dhcp select relay
dhcp relay server-ip 10.1.200.29

interface Vlanif15
dhcp select relay
dhcp relay server-ip 10.1.200.29

interface Vlanif21
dhcp select relay
dhcp relay server-ip 10.1.200.29

interface Vlanif22
dhcp select relay
dhcp relay server-ip 10.1.200.29

interface Vlanif23
dhcp select relay
dhcp relay server-ip 10.1.200.29

interface Vlanif24
dhcp select relay
dhcp relay server-ip 10.1.200.29

interface Vlanif25
dhcp select relay
dhcp relay server-ip 10.1.200.29

Display all relay configuration
dis dhcp relay all

DHCP relay configuration

X_T2_AGG1
dhcp enable
interface Vlanif31
dhcp select relay
dhcp relay server-ip 10.1.200.33

interface Vlanif32
dhcp select relay
dhcp relay server-ip 10.1.200.33

interface Vlanif33
dhcp select relay
dhcp relay server-ip 10.1.200.33

interface Vlanif34
dhcp select relay
dhcp relay server-ip 10.1.200.33

interface Vlanif35
dhcp select relay
dhcp relay server-ip 10.1.200.33

interface Vlanif41
dhcp select relay
dhcp relay server-ip 10.1.200.33

interface Vlanif42
dhcp select relay
dhcp relay server-ip 10.1.200.33

interface Vlanif43
dhcp select relay
dhcp relay server-ip 10.1.200.33

interface Vlanif44
dhcp select relay
dhcp relay server-ip 10.1.200.33

interface Vlanif45
dhcp select relay
dhcp relay server-ip 10.1.200.33

Network isolation

hcie datacome X zone_Huawei

VPN instance creation

X_T1_Core1
ip vpn-instance Employee
ipv4-family
route-distinguisher 65001:1

ip vpn-instance Guest
ipv4-family
route-distinguisher 65001:2

Bind VLANIFs to VPN instances

X_T1_Core1
interface Vlanif51
ip binding vpn-instance Employee
ip address 10.1.51.254 24

interface Vlanif52
ip binding vpn-instance Employee
ip address 10.1.52.254 24

interface Vlanif53
ip binding vpn-instance Employee
ip address 10.1.53.254 24

interface Vlanif54
ip binding vpn-instance Employee
ip address 10.1.54.254 24

interface Vlanif55
ip binding vpn-instance Employee
ip address 10.1.55.254 24

interface Vlanif60
ip binding vpn-instance Employee
ip address 10.1.60.254 24

interface Vlanif206
ip binding vpn-instance Employee
ip address 10.1.200.21 30

interface Vlanif207
ip binding vpn-instance Guest
ip address 10.1.200.25 30

interface Vlanif208
ip binding vpn-instance Employee
ip address 10.1.200.29 30

interface Vlanif209
ip binding vpn-instance Employee
ip address 10.1.200.33 30

interface Vlanif101
ip binding vpn-instance Guest
ip address 10.1.101.254 24

interface Vlanif102
ip binding vpn-instance Guest
ip address 10.1.102.254 24

interface Vlanif103
ip binding vpn-instance Guest
ip address 10.1.103.254 24

interface Vlanif104
ip binding vpn-instance Guest
ip address 10.1.104.254 24

interface Vlanif105
ip binding vpn-instance Guest
ip address 10.1.105.254 24

Display all bindings
dis ip vpn-instance Employee interface

Bind VPN instances in DHCP address pools

X_T1_Core1
ip pool wireless_employee1
vpn-instance Employee

ip pool wireless_employee2
vpn-instance Employee

ip pool wireless_employee3
vpn-instance Employee

ip pool wireless_employee4
vpn-instance Employee

ip pool wireless_employee5
vpn-instance Employee

ip pool wireless_guest1
vpn-instance Guest

ip pool wireless_guest2
vpn-instance Guest

ip pool wireless_guest3
vpn-instance Guest

ip pool wireless_guest4
vpn-instance Guest

ip pool wireless_guest5
vpn-instance Guest

ip pool wired_finance1
vpn-instance Employee

ip pool wired_finance2
vpn-instance Employee

ip pool wired_finance3
vpn-instance Employee

ip pool wired_finance4
vpn-instance Employee

ip pool wired_finance5
vpn-instance Employee

ip pool wired_market1
vpn-instance Employee

ip pool wired_market2
vpn-instance Employee

ip pool wired_market3
vpn-instance Employee

ip pool wired_market4
vpn-instance Employee

ip pool wired_market5
vpn-instance Employee

ip pool wired_purchase1
vpn-instance Employee

ip pool wired_purchase2
vpn-instance Employee

ip pool wired_purchase3
vpn-instance Employee

ip pool wired_purchase4
vpn-instance Employee

ip pool wired_purchase5
vpn-instance Employee

ip pool wired_hr1
vpn-instance Employee

ip pool wired_hr2
vpn-instance Employee

ip pool wired_hr3
vpn-instance Employee

ip pool wired_hr4
vpn-instance Employee

ip pool wired_hr5
vpn-instance Employee

Firewall basic configuration

vlan batch 204 to 207
interface Vlanif 204
interface Vlanif 205
interface Vlanif 206
interface Vlanif 207
interface LoopBack 0
interface LoopBack 1

vsys enable

vsys name Employee
assign vlan 204
assign vlan 206
assign interface LoopBack 0

vsys name Guest
assign vlan 205
assign vlan 207
assign interface LoopBack 1

switch vsys Employee
dis ip int br

interface Virtual-if 1
ip add 10.1.200.253 32

interface Vlanif 204
ip add 10.1.200.14 30

interface Vlanif 206
ip add 10.1.200.22 30

interface LoopBack 0
ip add 10.1.0.8 32

firewall zone untrust
add interface Vlanif 204
add interface Virtual-if 1

firewall zone trust
add interface Vlanif 206

switch vsys Guest
dis ip int br

interface Virtual-if 2
ip add 10.1.200.254 32

interface Vlanif 205
ip add 10.1.200.18 30

interface Vlanif 207
ip add 10.1.200.26 30

interface LoopBack 1
ip add 10.1.0.9 32

firewall zone untrust
add interface Vlanif 205
add interface Virtual-if 2

firewall zone trust
add interface Vlanif 207

OSPF configuration

X_T1_Export1
ospf 1 router-id 10.1.0.1
default-route-advertise
area 0.0.0.0
network 10.1.200.1 0.0.0.0
network 10.1.0.1 0.0.0.0

X_T1_Export2
ospf 1 router-id 10.1.0.2
default-route-advertise
area 0.0.0.0
network 10.1.200.5 0.0.0.0
network 10.1.0.2 0.0.0.0

X_T1_AC1
ospf 1 router-id 10.1.0.11
area 0
network 10.1.0.11 0.0.0.0
network 10.1.200.10 0.0.0.0
network 10.1.100.254 0.0.0.0

## Filter each VPN instance's routes out of the other one
X_T1_Core1
ip ip-prefix deny_guest deny 10.1.101.0 24
ip ip-prefix deny_guest deny 10.1.102.0 24
ip ip-prefix deny_guest deny 10.1.103.0 24
ip ip-prefix deny_guest deny 10.1.104.0 24
ip ip-prefix deny_guest deny 10.1.105.0 24
ip ip-prefix deny_guest permit 0.0.0.0 0 less-equal 32

ip ip-prefix deny_employee deny 10.1.11.0 24
ip ip-prefix deny_employee deny 10.1.12.0 24
ip ip-prefix deny_employee deny 10.1.13.0 24
ip ip-prefix deny_employee deny 10.1.14.0 24
ip ip-prefix deny_employee deny 10.1.15.0 24
ip ip-prefix deny_employee deny 10.1.21.0 24
ip ip-prefix deny_employee deny 10.1.22.0 24
ip ip-prefix deny_employee deny 10.1.23.0 24
ip ip-prefix deny_employee deny 10.1.24.0 24
ip ip-prefix deny_employee deny 10.1.25.0 24
ip ip-prefix deny_employee deny 10.1.31.0 24
ip ip-prefix deny_employee deny 10.1.32.0 24
ip ip-prefix deny_employee deny 10.1.33.0 24
ip ip-prefix deny_employee deny 10.1.34.0 24
ip ip-prefix deny_employee deny 10.1.35.0 24
ip ip-prefix deny_employee deny 10.1.41.0 24
ip ip-prefix deny_employee deny 10.1.42.0 24
ip ip-prefix deny_employee deny 10.1.43.0 24
ip ip-prefix deny_employee deny 10.1.44.0 24
ip ip-prefix deny_employee deny 10.1.45.0 24
ip ip-prefix deny_employee deny 10.1.51.0 24
ip ip-prefix deny_employee deny 10.1.52.0 24
ip ip-prefix deny_employee deny 10.1.53.0 24
ip ip-prefix deny_employee deny 10.1.54.0 24
ip ip-prefix deny_employee deny 10.1.55.0 24
ip ip-prefix deny_employee deny 10.1.60.0 24
ip ip-prefix deny_employee permit 0.0.0.0 0 less-equal 32

X_T1_Core1
ospf 1 router-id 10.1.0.3
area 0.0.0.0
network 10.1.200.2 0.0.0.0
network 10.1.200.6 0.0.0.0
network 10.1.200.9 0.0.0.0
area 0.0.0.1
network 10.1.200.13 0.0.0.0
filter ip-prefix deny_guest import
area 0.0.0.2
network 10.1.200.17 0.0.0.0
filter ip-prefix deny_employee import
nssa

ospf 2 vpn-instance Employee router-id 10.1.0.4
vpn-instance-capability simple
silent-interface Vlanif 51
silent-interface Vlanif 52
silent-interface Vlanif 53
silent-interface Vlanif 54
silent-interface Vlanif 55
silent-interface Vlanif 60
area 1
network 10.1.60.254 0.0.0.0
network 10.1.51.254 0.0.0.0
network 10.1.52.254 0.0.0.0
network 10.1.53.254 0.0.0.0
network 10.1.54.254 0.0.0.0
network 10.1.55.254 0.0.0.0
network 10.1.200.21 0.0.0.0
network 10.1.200.29 0.0.0.0
network 10.1.200.33 0.0.0.0

ospf 3 vpn-instance Guest router-id 10.1.0.5
vpn-instance-capability simple
silent-interface Vlanif 101
silent-interface Vlanif 102
silent-interface Vlanif 103
silent-interface Vlanif 104
silent-interface Vlanif 105
area 2
nssa
network 10.1.101.254 0.0.0.0
network 10.1.102.254 0.0.0.0
network 10.1.103.254 0.0.0.0
network 10.1.104.254 0.0.0.0
network 10.1.105.254 0.0.0.0
network 10.1.200.25 0.0.0.0
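Added example (Python), not from the original notes: a model of how VRP evaluates an ip-prefix list (entries in configured order, first match wins, implicit deny when nothing matches, and an entry written without greater-equal/less-equal matching only that exact prefix length). It applies the deny_guest and deny_employee lists above to a constructed set of routes to show what `filter ip-prefix ... import` in area 1 and area 2 of OSPF process 1 would drop. The sample route list is constructed; the list entries copy the notes.

```python
"""First-match evaluation of the ip-prefix lists from the notes above.

Added example, not from the original notes. Each entry is
(action, prefix, min_len, max_len); 'deny 10.1.101.0 24' becomes (deny, /24, 24, 24)
and 'permit 0.0.0.0 0 less-equal 32' becomes (permit, 0.0.0.0/0, 0, 32).
"""
import ipaddress

DENY_GUEST = [("deny", f"10.1.{n}.0/24", 24, 24) for n in range(101, 106)]
DENY_GUEST.append(("permit", "0.0.0.0/0", 0, 32))

EMPLOYEE_NETS = (list(range(11, 16)) + list(range(21, 26)) + list(range(31, 36))
                 + list(range(41, 46)) + list(range(51, 56)) + [60])
DENY_EMPLOYEE = [("deny", f"10.1.{n}.0/24", 24, 24) for n in EMPLOYEE_NETS]
DENY_EMPLOYEE.append(("permit", "0.0.0.0/0", 0, 32))


def prefix_list_matches(entries, route):
    """Return True if the ip-prefix list permits the route.

    A route matches an entry when it lies inside the entry prefix and its
    length is within [min_len, max_len]; the first matching entry decides.
    No match at all means deny (the implicit final deny of an ip-prefix list).
    """
    r = ipaddress.IPv4Network(route)
    for action, prefix, lo, hi in entries:
        p = ipaddress.IPv4Network(prefix)
        if r.subnet_of(p) and lo <= r.prefixlen <= hi:
            return action == "permit"
    return False


def filter_routes(entries, routes):
    """Apply one list to many routes; return (accepted, dropped)."""
    accepted = [r for r in routes if prefix_list_matches(entries, r)]
    dropped = [r for r in routes if not prefix_list_matches(entries, r)]
    return accepted, dropped


# Constructed sample of what OSPF process 1 could see from areas 1 and 2
SAMPLE_ROUTES = ["10.1.101.0/24", "10.1.105.0/24", "10.1.11.0/24",
                 "10.1.60.0/24", "10.1.0.8/32", "10.1.0.9/32", "10.1.101.0/25"]

if __name__ == "__main__":
    for name, entries in (("deny_guest", DENY_GUEST), ("deny_employee", DENY_EMPLOYEE)):
        acc, drop = filter_routes(entries, SAMPLE_ROUTES)
        print(name, "accepts", acc)
        print(name, "drops  ", drop)
```

The last sample route, 10.1.101.0/25, is the caveat worth noticing: the deny entries match length 24 only, so a more specific guest prefix would pass deny_guest and reach the Employee side. If that is not acceptable, write the deny entries with a length range as well (for example `deny 10.1.101.0 24 less-equal 32`), which makes the check in prefix_list_matches fail for every longer prefix under that /24.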

X_T1_AGG1
ospf router-id 10.1.0.6
silent-interface Vlanif 11
silent-interface vlanif 12
silent-interface vlanif 13
silent-interface vlanif 14
silent-interface vlanif 15
silent-interface vlanif 21
silent-interface vlanif 22
silent-interface vlanif 23
silent-interface vlanif 24
silent-interface vlanif 25
area 1
network 10.1.11.254 0.0.0.0
network 10.1.12.254 0.0.0.0
network 10.1.13.254 0.0.0.0
network 10.1.14.254 0.0.0.0
network 10.1.15.254 0.0.0.0
network 10.1.21.254 0.0.0.0
network 10.1.22.254 0.0.0.0
network 10.1.23.254 0.0.0.0
network 10.1.24.254 0.0.0.0
network 10.1.25.254 0.0.0.0
network 10.1.200.30 0.0.0.0

X_T2_AGG1
ospf router-id 10.1.0.7
silent-interface vlanif 31
silent-interface vlanif 32
silent-interface vlanif 33
silent-interface vlanif 34
silent-interface vlanif 35
silent-interface vlanif 41
silent-interface vlanif 42
silent-interface vlanif 43
silent-interface vlanif 44
silent-interface vlanif 45
area 1
network 10.1.31.254 0.0.0.0
network 10.1.32.254 0.0.0.0
network 10.1.33.254 0.0.0.0
network 10.1.34.254 0.0.0.0
network 10.1.35.254 0.0.0.0
network 10.1.41.254 0.0.0.0
network 10.1.42.254 0.0.0.0
network 10.1.43.254 0.0.0.0
network 10.1.44.254 0.0.0.0
network 10.1.45.254 0.0.0.0
network 10.1.200.34 0.0.0.0

Firewall global OSPF configuration

ospf 1 router-id 10.1.0.8 vpn-instance Employee
vpn-instance-capability simple
area 0.0.0.1
network 10.1.200.14 0.0.0.0
network 10.1.200.22 0.0.0.0
network 10.1.0.8 0.0.0.0

ospf 2 router-id 10.1.0.9 vpn-instance Guest
vpn-instance-capability simple
area 0.0.0.2
nssa
network 10.1.200.18 0.0.0.0
network 10.1.200.26 0.0.0.0
network 10.1.0.9 0.0.0.0

AC wireless configuration

hcie datacome X zone_f5_02

Port connected to the AP on X_T2_ACC2
interface GigabitEthernet0/0/22
port link-type access
port default vlan 100

X_T1_AC1

dis arp all
Record the APs' MAC addresses
AP1:00e0-fcd4-7750
AP2:00e0-fc43-3440

ap auth-mode mac-auth

ap-id 0 ap-mac 00e0-fcd4-7750
ap-name ap1

ap-id 1 ap-mac 00e0-fc43-3440
ap-name ap2

dis ap all
Shows APs that have not come online

dis ap online-fail-record all
Shows why an AP cannot come online

ssid-profile name employee
ssid X_Employee_010
In the exam the suffix is the rack number: rack 10 gives 010

ssid-profile name guest
ssid X_Guest_010

security-profile name password
security wpa-wpa2 psk pass-phrase Huawei@123 aes

[ac]vlan pool employee
vlan 51 to 55
assignment hash

[ac]vlan pool guest
vlan 101 to 105
assignment hash

vap-profile name employee
forward-mode tunnel
ssid-profile employee
security-profile password
service-vlan vlan-pool employee

vap-profile name guest
forward-mode tunnel
ssid-profile guest
security-profile password
service-vlan vlan-pool guest

regulatory-domain-profile name hcie
country-code CN

ap-group name x
regulatory-domain-profile hcie
vap-profile employee wlan 1 radio all
vap-profile guest wlan 2 radio all

ap-id 0
ap-group x

ap-id 1
ap-group x

Network access authentication

hcie datacome X zone_Huawei_03

Configure on AGG1 and AGG2 the VLANs assigned after authentication
X_T1_AGG1
vlan pool market // VLANs handed out after successful authentication; the name must match the exam task because the RADIUS server is already configured with it
vlan 11 to 15
vlan pool purchase
vlan 21 to 25

First create the MAC and 802.1X access profiles
dot1x-access-profile name Employee // create the 802.1X access profile; the task fixes the name as Employee
mac-access-profile name Employee // create the MAC access profile; the task fixes the name as Employee

Create the RADIUS server template on AGG1 and AGG2
radius-server template Employee // template for talking to the RADIUS server; the task fixes the name as Employee
radius-server authentication 10.1.60.2 1812
radius-server accounting 10.1.60.2 1813
radius-server shared-key cipher Huawei@123
radius-server authentication 10.1.60.2 shared-key cipher Huawei@123 // configured in system view

Create the authentication and accounting schemes and the AAA domains
aaa
authentication-scheme Employee // create the authentication scheme; the task fixes the name as Employee
authentication-mode radius // authentication mode RADIUS
aaa
accounting-scheme Employee // create the accounting scheme; the task fixes the name as Employee
accounting-mode radius // accounting mode RADIUS
aaa
authentication-scheme Ap_noauthen // scheme for wireless APs, which are not authenticated; this name can be anything
authentication-mode none // no authentication
aaa
domain employee // create the access domain; the name is specified as lowercase employee and cannot change
authentication-scheme Employee // bind the authentication scheme created above
accounting-scheme Employee // bind the accounting scheme created above
radius-server Employee // specify the RADIUS template
aaa
domain Ap_noauthen // create the AP access domain; the name cannot change
authentication-scheme Ap_noauthen // bind the no-authentication scheme

Configure unified-mode authentication: an authentication profile that references the MAC and 802.1X access profiles
authentication-profile name Employee // create the authentication profile that the interfaces will apply
dot1x-access-profile Employee // reference the 802.1X access profile created above
mac-access-profile Employee // reference the MAC access profile created above
access-domain employee force // force terminals into the employee domain for authentication
authentication dot1x-mac-bypass // MAC bypass authentication

interface Eth-Trunk 2
authentication-profile Employee // apply the profile

interface Eth-Trunk 3
authentication-profile Employee // apply the profile

domain Ap_noauthen mac-authen force mac-address 580d-6144-d771 mask ffff-ffff-ffff // one AP on each side; configure on both AGGs
domain Ap_noauthen mac-authen force mac-address 580d-6144-d666 mask ffff-ffff-ffff
// so that the switch does not apply access control to the APs

X_T2_AGG1
vlan pool finance
vlan 31 to 35

vlan pool hr
vlan 41 to 45

dot1x-access-profile name Employee
mac-access-profile name Employee

radius-server template Employee
radius-server authentication 10.1.60.2 1812
radius-server accounting 10.1.60.2 1813
radius-server shared-key cipher Huawei@123

radius-server authentication 10.1.60.2 shared-key cipher Huawei@123 //全局下配置

aaa
authentication-scheme Employee
authentication-mode radius

aaa
accounting-scheme Employee
accounting-mode radius

aaa
authentication-scheme Ap_noauthen
authentication-mode none

aaa
domain employee
authentication-scheme Employee
accounting-scheme Employee
radius-server Employee

aaa
domain Ap_noauthen
authentication-scheme Ap_noauthen

authentication-profile name Employee
dot1x-access-profile Employee
mac-access-profile Employee
access-domain employee force
authentication dot1x-mac-bypass

interface Eth-Trunk 2
authentication-profile Employee

interface Eth-Trunk 3
authentication-profile Employee

domain Ap_noauthen mac-authen force mac-address 580d-6144-d771 mask ffff-ffff-0000
domain Ap_noauthen mac-authen force mac-address 580d-6144-d666 mask ffff-ffff-0000

X_T1_ACC1, X_T1_ACC2, X_T2_ACC1, X_T2_ACC2 // all access switches (do not configure this on the ports connected to APs)
l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
// replace the fixed destination MAC of 802.1X frames, 0180-c200-0003, with a MAC the switch can tunnel; these two addresses are fixed, memorize them
interface range g0/0/1 to g0/0/5 // ports connected to PCs
l2protocol-tunnel user-defined-protocol dot1x enable

interface Eth-Trunk 1 // uplink port
l2protocol-tunnel user-defined-protocol dot1x enable

Custom address sets on the firewall

switch vsys Employee
ip address-set market type group
address range 10.1.11.0 10.1.15.255

ip address-set purchase type group
address range 10.1.21.0 10.1.25.255

ip address-set Employee_wlan type group
address range 10.1.51.0 10.1.55.255

ip address-set Guest type group
address range 10.1.101.0 10.1.105.255

ip service-set Guest_Service type object
service protocol tcp destination-port 3389

MPLS address sets
ip address-set YZ type group
address range 10.2.31.0 10.2.35.255
address range 10.2.41.0 10.2.45.255
address range 10.2.51.0 10.2.55.255
address range 10.100.2.0 10.100.2.255
address range 10.3.101.0 10.3.101.255

ip address-set finance type group
address range 10.1.31.0 10.1.35.255

ip address-set hr type group
address range 10.1.41.0 10.1.45.255

ip address-set server type group
address range 10.1.60.0 10.1.60.255

SRv6 address sets
ip address-set Z type group
address range 10.3.101.0 10.3.101.255

ip address-set finance type group
address range 10.1.31.0 10.1.35.255

ip address-set hr type group
address range 10.1.41.0 10.1.45.255

ip address-set server type group
address range 10.1.60.0 10.1.60.255

switch vsys Guest
ip address-set Guest type object
address range 10.1.101.0 10.1.105.255

ip service-set Guest_Service type object
service protocol tcp destination-port 3389

Security policy configuration

switch vsys Employee
MPLS-ordered version
security-policy
rule name ospf
source-zone trust untrust local
destination-zone trust untrust local
service ospf
action permit

rule name permit60.101
source-zone untrust
destination-zone trust
destination-address 10.1.60.101 32
service http
action permit

rule name permit60.99
source-zone untrust
destination-zone trust
source-address address-set Guest
destination-address 10.1.60.99 32
service Guest_Service
action permit

rule name permit60.100
source-zone untrust
destination-zone trust
source-address address-set Employee_wlan
destination-address 10.1.60.100 32
action permit

rule name deny60.0
source-zone untrust
destination-zone trust
source-address address-set Employee_wlan
destination-address 10.1.60.0 24
action deny

MPLS
rule name permit_OA_X_YZ
source-zone trust
destination-zone untrust
destination-address address-set YZ
source-address address-set market purchase finance hr Employee_wlan server
action permit

rule name permit_any
source-zone trust
destination-zone untrust
source-address address-set Employee_wlan market purchase
action permit

MPLS
rule name permit_OA_YZ_X
source-zone untrust
destination-zone trust
source-address address-set YZ
destination-address address-set market purchase finance hr Employee_wlan server
action permit

SRv6 policy order
security-policy
rule name ospf
source-zone trust untrust local
destination-zone trust untrust local
service ospf
action permit

rule name permit60.101
source-zone untrust
destination-zone trust
destination-address 10.1.60.101 32
service http
action permit

rule name permit60.99
source-zone untrust
destination-zone trust
source-address address-set Guest
destination-address 10.1.60.99 32
service Guest_Service
action permit

rule name permit60.100
source-zone untrust
destination-zone trust
source-address address-set Employee_wlan
destination-address 10.1.60.100 32
action permit

rule name deny60.0
source-zone untrust
destination-zone trust
source-address address-set Employee_wlan
destination-address 10.1.60.0 24
action deny

rule name permit_OA_Z_X
source-zone untrust
destination-zone trust
destination-address address-set market purchase finance hr Employee_wlan server
source-address address-set Z
action permit

rule name permit_any
source-zone trust
destination-zone untrust
source-address address-set Employee_wlan market purchase
action permit

rule name permit_OA_X_Z
source-zone trust
destination-zone untrust
source-address address-set market purchase finance hr Employee_wlan server
destination-address address-set Z
action permit

switch vsys Guest
security-policy
rule name ospf
source-zone trust untrust local
destination-zone trust untrust local
service ospf
action permit

security-policy
rule name permit60.99
source-zone trust
destination-zone untrust
source-address address-set Guest
destination-address 10.1.60.99 32
service Guest_Service
action permit

rule name deny60.0
source-zone trust
destination-zone untrust
source-address address-set Guest
destination-address 10.1.60.0 24
action deny

rule name permit_any
source-zone trust
destination-zone untrust
source-address address-set Guest
action permit
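Added example (Python), not from the original notes: a first-match walk of the SRv6-ordered Employee vsys security policy above, using the address sets and service sets it references (the ospf rule and the `local` zone are left out). It shows why deny60.0 must sit after permit60.101, permit60.99 and permit60.100, and that a flow matching no rule falls to the firewall's default deny. Flows are constructed for the example; rule contents copy the notes.

```python
"""First-match evaluation of the SRv6-ordered Employee vsys policy from the notes.

Added example, not from the original notes. Address sets are 'start-end'
ranges as configured; a missing rule key means 'any' for that field.
"""
import ipaddress

ADDRESS_SETS = {
    "market": ["10.1.11.0-10.1.15.255"],
    "purchase": ["10.1.21.0-10.1.25.255"],
    "Employee_wlan": ["10.1.51.0-10.1.55.255"],
    "Guest": ["10.1.101.0-10.1.105.255"],
    "finance": ["10.1.31.0-10.1.35.255"],
    "hr": ["10.1.41.0-10.1.45.255"],
    "server": ["10.1.60.0-10.1.60.255"],
    "Z": ["10.3.101.0-10.3.101.255"],
}
# service set name -> (protocol, destination port)
SERVICE_SETS = {"http": ("tcp", 80), "Guest_Service": ("tcp", 3389)}

OA_SETS = ["market", "purchase", "finance", "hr", "Employee_wlan", "server"]

# Rules in configured order (SRv6 policy order section of the notes)
EMPLOYEE_POLICY = [
    {"name": "permit60.101", "src_zone": "untrust", "dst_zone": "trust",
     "dst_net": "10.1.60.101/32", "service": "http", "action": "permit"},
    {"name": "permit60.99", "src_zone": "untrust", "dst_zone": "trust",
     "src_sets": ["Guest"], "dst_net": "10.1.60.99/32",
     "service": "Guest_Service", "action": "permit"},
    {"name": "permit60.100", "src_zone": "untrust", "dst_zone": "trust",
     "src_sets": ["Employee_wlan"], "dst_net": "10.1.60.100/32", "action": "permit"},
    {"name": "deny60.0", "src_zone": "untrust", "dst_zone": "trust",
     "src_sets": ["Employee_wlan"], "dst_net": "10.1.60.0/24", "action": "deny"},
    {"name": "permit_OA_Z_X", "src_zone": "untrust", "dst_zone": "trust",
     "src_sets": ["Z"], "dst_sets": OA_SETS, "action": "permit"},
    {"name": "permit_any", "src_zone": "trust", "dst_zone": "untrust",
     "src_sets": ["Employee_wlan", "market", "purchase"], "action": "permit"},
    {"name": "permit_OA_X_Z", "src_zone": "trust", "dst_zone": "untrust",
     "src_sets": OA_SETS, "dst_sets": ["Z"], "action": "permit"},
]


def in_sets(ip, set_names):
    """True if ip falls inside any range of any of the named address sets."""
    addr = ipaddress.IPv4Address(ip)
    for name in set_names:
        for rng in ADDRESS_SETS[name]:
            start, end = (ipaddress.IPv4Address(x) for x in rng.split("-"))
            if start <= addr <= end:
                return True
    return False


def rule_matches(rule, flow):
    """Every field present in the rule must match the flow; absent fields are 'any'."""
    if rule["src_zone"] != flow["src_zone"] or rule["dst_zone"] != flow["dst_zone"]:
        return False
    if "src_sets" in rule and not in_sets(flow["src"], rule["src_sets"]):
        return False
    if "dst_sets" in rule and not in_sets(flow["dst"], rule["dst_sets"]):
        return False
    if "dst_net" in rule and ipaddress.IPv4Address(flow["dst"]) not in ipaddress.IPv4Network(rule["dst_net"]):
        return False
    if "service" in rule and SERVICE_SETS[rule["service"]] != (flow["proto"], flow["dport"]):
        return False
    return True


def evaluate(policy, flow):
    """Walk the rules in order; first match wins. No match -> default deny."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule["name"], rule["action"]
    return "default", "deny"


def flow(src_zone, dst_zone, src, dst, proto="tcp", dport=0):
    """Build a constructed flow for the evaluator."""
    return {"src_zone": src_zone, "dst_zone": dst_zone, "src": src, "dst": dst,
            "proto": proto, "dport": dport}


if __name__ == "__main__":
    for f in (flow("untrust", "trust", "10.1.51.10", "10.1.60.100"),
              flow("untrust", "trust", "10.1.51.10", "10.1.60.50", "tcp", 22),
              flow("untrust", "trust", "10.1.103.7", "10.1.60.99", "tcp", 3389),
              flow("untrust", "trust", "10.1.103.7", "10.1.60.99", "tcp", 22),
              flow("trust", "untrust", "10.1.31.5", "8.8.8.8", "tcp", 443)):
        print(f["src"], "->", f["dst"], f["proto"], f["dport"], evaluate(EMPLOYEE_POLICY, f))
```

Two things the walk makes visible: moving deny60.0 ahead of permit60.100 silently cuts internal wireless off from 10.1.60.100, and a finance host gets no Internet access from this policy (permit_any covers only Employee_wlan, market and purchase), which matches the egress NAT ACL 2000 that also omits 10.1.31.0 to 10.1.45.0.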

Configure the inter-vsys route in the firewall's global view

ip route-static vpn-instance Guest 10.1.60.99 32 vpn-instance Employee

Fix the problem of internal wireless traffic reaching the server zone without passing through the firewall

X_T1_Core1
acl number 3000
rule permit ip source 10.1.51.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
rule permit ip source 10.1.52.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
rule permit ip source 10.1.53.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
rule permit ip source 10.1.54.0 0.0.0.255 destination 10.1.60.0 0.0.0.255
rule permit ip source 10.1.55.0 0.0.0.255 destination 10.1.60.0 0.0.0.255

interface g0/0/3
traffic-redirect inbound acl 3000 ip-nexthop 10.1.200.14

## Internal web server: return traffic leaves by the same path it arrived on
X_T1_Core1
acl 3002
rule permit tcp source 10.1.60.101 0.0.0.0 source-port eq www

interface Vlanif 204
traffic-redirect inbound acl 3002 ip-nexthop 10.1.200.5
or
interface g0/0/4
traffic-redirect inbound acl 3002 ip-nexthop 10.1.200.5

Configured on X_Export2
acl 3001
rule permit tcp source 10.1.60.101 0.0.0.0 source-port eq www

traffic classifier web operator or
if-match acl 3001

traffic behavior web
redirect ip-nexthop 10.255.4.254

traffic policy web
classifier web behavior web

interface Vlanif 202
traffic-policy web inbound

dis access-user // view online users on the aggregation switches

Edge ports on all access switches

interface range g0/0/1 to g0/0/20
stp edged-port enable

X_T1_Core1
interface range g0/0/1 to g0/0/6
stp edged-port enable

Test

Terminal05 associates with X_Guest_010
telnet 10.1.60.99 3389
ping 10.255.1.254
