34 - LAN Networking Configuration Examples
Copyright © 2024 bobty下载软件. All rights reserved.
No part of this document may be excerpted, reproduced or distributed in any form by any organization or individual without the prior written permission of the company.
Except for the trademarks of bobty下载软件, the trademarks, product marks and trade names of other companies appearing in this manual are owned by their respective holders.
The information in this document is subject to change without notice.
This example describes a typical network configuration for a small campus.
As shown in Figure 1, in a small campus, S5130 series or S5130S series Ethernet switches are usually deployed at the access layer, S5560X series or S6520X series Ethernet switches can be deployed at the core, and an MSR series router is generally chosen as the egress router.
· STP is enabled on all switches to prevent loops.
· The access switches connect to the core switch through link aggregation to ensure reliability.
· Different business departments in the campus are assigned to different VLANs; traffic between departments is routed at Layer 3 through VLAN interfaces on the core switch.
· The core switch acts as the DHCP server and dynamically assigns IP addresses to campus users.
· DHCP snooping is enabled on the access switches to prevent internal users from attaching unauthorized small routers that hand out IP addresses; IP source guard is also configured to prevent internal users from changing their IP addresses on their own.
The configuration procedure is as follows; see Table 1 for the detailed data plan.
(1) Log in to the device
(2) Configure the management IP address and Telnet
(3) Configure interfaces and VLANs
(4) Configure the DHCP server on the core switch
(5) Configure routing on the core switch
(6) Configure the egress router
(7) Configure DHCP snooping on the access switches
(8) Configure IP source guard on the access switches
Table 1
| Configuration step | Item | Data | Description |
| --- | --- | --- | --- |
| Log in to the device | Log in through the console port | Set communication parameters such as the transmission rate | Log in to the device from a PC with terminal emulation software |
| Configure the management IP address and Telnet | Management VLAN | VLAN 5 | The default VLAN of the switch is VLAN 1, which is generally not used as the management VLAN. This document uses VLAN 5 as the management VLAN. |
| | Management Ethernet port or management VLAN interface IP address | 10.10.1.1/24 | On a switch that has a management Ethernet port, configure an IP address on M-GigabitEthernet0/0/0 for logging in to the switch. On a switch without one, configure the IP address on the management VLAN interface. |
| Configure interfaces and VLANs | Dynamic aggregation | ACCSW1: uplink aggregate interface BAGG1; CORESW: downlink aggregate interface BAGG1 | The access switches and the core switch are connected through aggregate links |
| | Port type | Ports connected to PCs are generally configured as access ports; ports connected to switches are recommended to be trunk ports. | Trunk ports are generally used to connect switches; access ports are generally used to connect PCs |
| | VLAN ID | ACCSW1: VLAN 10; ACCSW2: VLAN 20; CORESW: VLAN 100, 10, 20 | To isolate department A and department B at Layer 2, department A is placed in VLAN 10 and department B in VLAN 20. The core switch connects to the egress router through Vlan-int100 |
| Configure the DHCP server on the core switch | DHCP server | - | Deploy the DHCP server on the campus core switch |
| | Address pools | VLAN 10: ip pool 1; VLAN 20: ip pool 2 | Department A terminals obtain IP addresses from ip pool 1; department B terminals obtain IP addresses from ip pool 2 |
| | Address allocation mode | Global address pools | None |
| Configure routing on the core switch | IP addresses | Vlan-int10: 10.10.10.1/24; Vlan-int20: 10.10.20.1/24; Vlan-int100: 10.10.100.1/24 | Vlan-int100 is the address on which the core switch peers with the campus egress router, used for connectivity between the internal network and the egress router. The core switch needs a default route whose next hop is the egress router. Once Vlan-int10 and Vlan-int20 have IP addresses on the core switch, department A and department B can reach each other through the core switch |
| Configure the egress router | Public interface IP address | GE0/2: 202.101.100.2/30 | GE0/2 connects the egress router to the Internet and is generally called the public-network interface |
| | Public gateway | 202.101.100.1/30 | This is the IP address of the carrier device facing the egress router; the egress router needs a default route pointing to this address to forward internal traffic to the external network |
| | DNS address | 202.101.100.199 | The DNS server resolves domain names to IP addresses |
| | Internal interface IP address | GE0/1: 10.10.100.2/24 | GE0/1 connects the egress router to the internal network |
| Configure DHCP snooping on the access switches | Trusted port | - | Specify Layer 2 aggregate interface BAGG1 as the DHCP snooping trusted port |
| Configure IP source guard on the access switches | IPSG check | - | Configure IPv4 interface binding, binding the source IP address and MAC address |
Access Switch 1 and Access Switch 2 are configured in essentially the same way. This section uses Access Switch 1 as an example.
(1) Log in to the device through the console port for the first time
# Power off the PC.
Because the PC's serial port is not hot-swappable, do not plug the serial cable into or unplug it from the PC while the PC is powered on.
# Connect the PC and the device with the console cable shipped with the product. First insert the DB-9 (female) connector of the console cable into the 9-pin (male) serial port of the PC, then insert the RJ-45 end into the console port of the device.
· Check the label on the port when connecting, so that the cable is not plugged into another port by mistake.
· When removing the console cable, unplug the RJ-45 end first, then the DB-9 end.
Figure 2 Connecting the device and the PC with the console cable
# Power on the PC.
# Open a terminal emulation program on the PC and set the terminal parameters as required in Table 2.
Table 2
| Parameter | Value |
| --- | --- |
| Baud rate | 9600 |
| Data bits | 8 |
| Stop bits | 1 |
| Parity | None |
| Flow control | None |
# Power on the device.
After the device completes its self-test, press Enter to enter the command-line interface.
By default, the authentication mode for console login is None, meaning no username or password is required. After the first login, it is recommended to change the console login authentication mode to improve device security. For details about console login authentication modes, see "Login to the device" in the "Fundamentals Configuration Guide" of the corresponding configuration manual.
(2) Configure the IP address and Telnet
# Create VLAN 5 and add interface Ten-GigabitEthernet1/0/10 to VLAN 5. Assume the interface connected to the network management station is Ten-GigabitEthernet1/0/10.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] sysname ACCSW1
[ACCSW1] vlan 5
[ACCSW1-vlan5] port ten-gigabitethernet 1/0/10
[ACCSW1-vlan5] quit
# Create VLAN interface 5 and configure its IP address as 10.10.1.1/24.
[ACCSW1] interface vlan-interface 5
[ACCSW1-Vlan-interface5] ip address 10.10.1.1 24
[ACCSW1-Vlan-interface5] quit
# Enable the Telnet service.
[ACCSW1] telnet server enable
# Configure Telnet login to use scheme authentication.
[ACCSW1] line vty 0 63
[ACCSW1-line-vty0-63] authentication-mode scheme
[ACCSW1-line-vty0-63] quit
# Create a local user and configure its password, user role and service type. In this example the user name is admin and the password is hello12345; the service type is telnet and the user role is network-admin.
[ACCSW1] local-user admin
New local user added.
[ACCSW1-luser-manage-admin] password simple hello12345
[ACCSW1-luser-manage-admin] authorization-attribute user-role network-admin
[ACCSW1-luser-manage-admin] service-type telnet
[ACCSW1-luser-manage-admin] quit
# Telnet to the device from the terminal. After the correct username and password are entered, the user-view command prompt indicates that the login succeeded.
C:\Users\Administrator> telnet 10.10.1.1
******************************************************************************
* Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
login: admin
Password:
...
The terminal output above is from an S5560X-30C-PWR-EI (Release 1118P07); the actual output depends on the device.
(3) Configure interfaces and VLANs
# Create VLAN 10 on the access switch.
[ACCSW1] vlan 10
[ACCSW1-vlan10] quit
# Configure interface GigabitEthernet1/0/1, which connects to PC1, and configure it as an edge port.
[ACCSW1] interface gigabitethernet 1/0/1
[ACCSW1-GigabitEthernet1/0/1] port link-type access
[ACCSW1-GigabitEthernet1/0/1] port access vlan 10
[ACCSW1-GigabitEthernet1/0/1] stp edged-port
[ACCSW1-GigabitEthernet1/0/1] quit
# Configure interface GigabitEthernet1/0/2, which connects to PC2, and configure it as an edge port.
[ACCSW1] interface gigabitethernet 1/0/2
[ACCSW1-GigabitEthernet1/0/2] port link-type access
[ACCSW1-GigabitEthernet1/0/2] port access vlan 10
[ACCSW1-GigabitEthernet1/0/2] stp edged-port
[ACCSW1-GigabitEthernet1/0/2] quit
# Configure interface GigabitEthernet1/0/3, which connects to the printer, and configure it as an edge port.
[ACCSW1] interface gigabitethernet 1/0/3
[ACCSW1-GigabitEthernet1/0/3] port link-type access
[ACCSW1-GigabitEthernet1/0/3] port access vlan 10
[ACCSW1-GigabitEthernet1/0/3] stp edged-port
[ACCSW1-GigabitEthernet1/0/3] quit
(4) Configure the uplink aggregation
# Create Layer 2 aggregate interface 1 and set it to dynamic aggregation mode.
[ACCSW1] interface bridge-aggregation 1
[ACCSW1-Bridge-Aggregation1] link-aggregation mode dynamic
[ACCSW1-Bridge-Aggregation1] quit
# Add ports Ten-GigabitEthernet1/0/7 and Ten-GigabitEthernet1/0/8 to aggregation group 1.
[ACCSW1] interface ten-gigabitethernet 1/0/7
[ACCSW1-Ten-GigabitEthernet1/0/7] port link-aggregation group 1
[ACCSW1-Ten-GigabitEthernet1/0/7] quit
[ACCSW1] interface ten-gigabitethernet 1/0/8
[ACCSW1-Ten-GigabitEthernet1/0/8] port link-aggregation group 1
[ACCSW1-Ten-GigabitEthernet1/0/8] quit
# Configure Layer 2 aggregate interface 1 as a trunk port and permit packets from VLAN 10.
[ACCSW1] interface bridge-aggregation 1
[ACCSW1-Bridge-Aggregation1] port link-type trunk
[ACCSW1-Bridge-Aggregation1] port trunk permit vlan 10
[ACCSW1-Bridge-Aggregation1] quit
# Use the display link-aggregation verbose command to check the result for aggregate interface 1.
[ACCSW1] display link-aggregation verbose Bridge-Aggregation 1
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Bridge-Aggregation1
Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
XGE1/0/7 S 32768 61 2 {ACDEF}
XGE1/0/8 S 32768 62 2 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
XGE1/0/7(R) 32768 111 2 0x8000, 000f-e267-57ad {ACDEF}
XGE1/0/8 32768 112 2 0x8000, 000f-e267-57ad {ACDEF}
# Display the VLAN 10 configuration on ACCSW1 to verify that the configuration above took effect.
[ACCSW1] display vlan 10
VLAN ID: 10
VLAN type: Static
Route interface: Not configured
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: None
Untagged ports:
Bridge-Aggregation1
GigabitEthernet1/0/1 GigabitEthernet1/0/2
GigabitEthernet1/0/3 Ten-GigabitEthernet1/0/7
Ten-GigabitEthernet1/0/8
(5) Configure BPDU guard
[ACCSW1] stp bpdu-protection
(6) Configure DHCP snooping
# Enable DHCP snooping.
[ACCSW1] dhcp snooping enable
# Specify Layer 2 aggregate interface 1 as the DHCP snooping trusted port.
[ACCSW1] interface bridge-aggregation 1
[ACCSW1-Bridge-Aggregation1] dhcp snooping trust
[ACCSW1-Bridge-Aggregation1] quit
(7) Configure IP source guard
# Enable IPv4 interface binding on interfaces GigabitEthernet1/0/1 and GigabitEthernet1/0/2, binding the source IP address and MAC address, and enable recording of DHCP snooping entries on these interfaces.
[ACCSW1] interface gigabitethernet 1/0/1
[ACCSW1-GigabitEthernet1/0/1] ip verify source ip-address mac-address
[ACCSW1-GigabitEthernet1/0/1] dhcp snooping binding record
[ACCSW1-GigabitEthernet1/0/1] quit
[ACCSW1] interface gigabitethernet 1/0/2
[ACCSW1-GigabitEthernet1/0/2] ip verify source ip-address mac-address
[ACCSW1-GigabitEthernet1/0/2] dhcp snooping binding record
[ACCSW1-GigabitEthernet1/0/2] quit
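The two access-switch controls above work together: DHCP snooping only lets server replies in through the trusted uplink and records each lease as a (port, IP, MAC) binding, and IP source guard then drops inbound packets whose source does not match a binding on that port. The following Python model, an added example and not code from the page or the vendor, replays ACCSW1's port roles against constructed traffic (the MAC addresses and PC1's lease 10.10.10.10 are assumed) to show what gets forwarded and what gets dropped:

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    trust: bool = False    # "dhcp snooping trust": DHCP server replies may enter here
    ipsg: bool = False     # "ip verify source ip-address mac-address"
    record: bool = False   # "dhcp snooping binding record": learn bindings on this port

@dataclass
class AccessSwitch:
    ports: dict
    snooping: bool = True                          # "dhcp snooping enable"
    bindings: dict = field(default_factory=dict)   # port name -> {(ip, mac), ...}
    log: list = field(default_factory=list)

    def accept_server_reply(self, in_port, offered_ip):
        """A DHCP OFFER/ACK arrives on in_port. With snooping on, only a trusted port may deliver it."""
        if self.snooping and not self.ports[in_port].trust:
            self.log.append(f"DROP DHCP server reply offering {offered_ip} on untrusted {in_port}")
            return False
        return True

    def record_lease(self, client_port, client_mac, leased_ip):
        """The client on client_port completed DHCP via the trusted uplink; keep the binding if recording is on."""
        if self.snooping and self.ports[client_port].record:
            self.bindings.setdefault(client_port, set()).add((leased_ip, client_mac))

    def accept_ip_packet(self, in_port, src_ip, src_mac):
        """IP source guard: on an IPSG port, (src_ip, src_mac) must match a binding learned on that port."""
        if not self.ports[in_port].ipsg:
            return True
        if (src_ip, src_mac) in self.bindings.get(in_port, set()):
            return True
        self.log.append(f"DROP {src_ip}/{src_mac} on {in_port}: no matching binding")
        return False

def build_accsw1():
    """Port roles exactly as configured on ACCSW1 on the page (aggregate interface shortened to BAGG1)."""
    return AccessSwitch(ports={
        "BAGG1":   Port("BAGG1", trust=True),
        "GE1/0/1": Port("GE1/0/1", ipsg=True, record=True),
        "GE1/0/2": Port("GE1/0/2", ipsg=True, record=True),
        "GE1/0/3": Port("GE1/0/3"),   # printer port: the page applies neither IPSG nor binding recording here
    })

def scenario():
    """Constructed traffic (assumed MACs, assumed lease 10.10.10.10 for PC1)."""
    sw = build_accsw1()
    pc1_mac, pc2_mac = "0001-0001-0001", "0002-0002-0002"
    printer_mac, rogue_mac = "0003-0003-0003", "0bad-0bad-0bad"
    # PC1 on GE1/0/1 obtains 10.10.10.10 from CORESW1; the ACK enters on the trusted uplink
    if sw.accept_server_reply("BAGG1", "10.10.10.10"):
        sw.record_lease("GE1/0/1", pc1_mac, "10.10.10.10")
    results = {
        "rogue_router_on_ge2": sw.accept_server_reply("GE1/0/2", "192.168.0.100"),
        "pc1_leased_addr":     sw.accept_ip_packet("GE1/0/1", "10.10.10.10", pc1_mac),
        "pc1_changed_ip":      sw.accept_ip_packet("GE1/0/1", "10.10.10.200", pc1_mac),
        "pc1_changed_mac":     sw.accept_ip_packet("GE1/0/1", "10.10.10.10", rogue_mac),
        "pc2_static_no_lease": sw.accept_ip_packet("GE1/0/2", "10.10.10.30", pc2_mac),
        "printer_unchecked":   sw.accept_ip_packet("GE1/0/3", "10.10.10.254", printer_mac),
    }
    return sw, results

if __name__ == "__main__":
    sw, results = scenario()
    for name, forwarded in results.items():
        print(f"{name:22s} {'forwarded' if forwarded else 'dropped'}")
    print(*sw.log, sep="\n")
```

Two points the run makes visible: a host on an IPSG port that sets a static address without a DHCP lease is dropped as well (the expected side effect of bindings learned only from DHCP snooping), and the printer port GigabitEthernet1/0/3 forwards anything because the page does not apply IPSG there.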
(8) Save the configuration
# Save the configuration on the access switch (ACCSW1 as the example).
[ACCSW1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
For "Logging in to the device" and "Configuring the IP address and Telnet", see "Log in to the device through the console port for the first time" and "Configure the IP address and Telnet" in "1.4.1 Configuring the access switches".
(1) Configure VLANs and VLAN interfaces
# Create VLAN 10, VLAN 20 and VLAN 100.
<Sysname> system-view
[Sysname] sysname CORESW1
[CORESW1] vlan 10 20
[CORESW1] vlan 100
[CORESW1-vlan100] port gigabitethernet 1/0/1
[CORESW1-vlan100] quit
# Create VLAN interface 10 and configure its IP address as 10.10.10.1/24.
[CORESW1] interface vlan-interface 10
[CORESW1-Vlan-interface10] ip address 10.10.10.1 24
[CORESW1-Vlan-interface10] quit
# Create VLAN interface 20 and configure its IP address as 10.10.20.1/24.
[CORESW1] interface vlan-interface 20
[CORESW1-Vlan-interface20] ip address 10.10.20.1 24
[CORESW1-Vlan-interface20] quit
# Create VLAN interface 100 and configure its IP address as 10.10.100.1/24.
[CORESW1] interface vlan-interface 100
[CORESW1-Vlan-interface100] ip address 10.10.100.1 24
[CORESW1-Vlan-interface100] quit
(2) Configure the downlink aggregation and check the configuration
# Create Layer 2 aggregate interface 1 and set it to dynamic aggregation mode.
[CORESW1] interface bridge-aggregation 1
[CORESW1-Bridge-Aggregation1] link-aggregation mode dynamic
[CORESW1-Bridge-Aggregation1] quit
# Add ports Ten-GigabitEthernet1/0/7 and Ten-GigabitEthernet1/0/8 to aggregation group 1.
[CORESW1] interface ten-gigabitethernet 1/0/7
[CORESW1-Ten-GigabitEthernet1/0/7] port link-aggregation group 1
[CORESW1-Ten-GigabitEthernet1/0/7] quit
[CORESW1] interface ten-gigabitethernet 1/0/8
[CORESW1-Ten-GigabitEthernet1/0/8] port link-aggregation group 1
[CORESW1-Ten-GigabitEthernet1/0/8] quit
# Configure Layer 2 aggregate interface 1 as a trunk port and permit packets from VLAN 10.
[CORESW1] interface bridge-aggregation 1
[CORESW1-Bridge-Aggregation1] port link-type trunk
[CORESW1-Bridge-Aggregation1] port trunk permit vlan 10
[CORESW1-Bridge-Aggregation1] quit
# Use the display link-aggregation verbose command to check the result for aggregate interface 1.
[CORESW1] display link-aggregation verbose Bridge-Aggregation 1
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Bridge-Aggregation1
Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
XGE1/0/7(R) S 32768 61 2 {ACDEF}
XGE1/0/8 S 32768 62 2 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
XGE1/0/7 32768 111 2 0x8000, 000f-e267-57ad {ACDEF}
XGE1/0/8 32768 112 2 0x8000, 000f-e267-57ad {ACDEF}
# Display the VLAN 10 and VLAN 100 configuration on CORESW1 to verify that the configuration above took effect.
[CORESW1] display vlan 10
VLAN ID: 10
VLAN type: Static
Route interface: Configured
IPv4 address: 10.10.10.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: None
Untagged ports:
Bridge-Aggregation1
Ten-GigabitEthernet1/0/7 Ten-GigabitEthernet1/0/8
[CORESW1] display vlan 100
VLAN ID: 100
VLAN type: Static
Route interface: Configured
IPv4 address: 10.10.100.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0100
Name: VLAN 0100
Tagged ports: None
Untagged ports: None
(3) Configure the DHCP server and check the configuration
# Enable DHCP.
[CORESW1] dhcp enable
# Create DHCP address pool 1 to dynamically assign IP addresses to clients on subnet 10.10.10.0/24; configure the DNS server address, the egress gateway and the lease duration, and assign the printer the fixed IP address 10.10.10.254.
[CORESW1] dhcp server ip-pool 1
[CORESW1-dhcp-pool-1] network 10.10.10.0 mask 255.255.255.0
[CORESW1-dhcp-pool-1] gateway-list 10.10.10.1
[CORESW1-dhcp-pool-1] dns-list 202.101.100.199
[CORESW1-dhcp-pool-1] expired day 30
[CORESW1-dhcp-pool-1] static-bind ip-address 10.10.10.254 24 client-identifier aabb-cccc-dd
[CORESW1-dhcp-pool-1] quit
# Create DHCP address pool 2 to dynamically assign IP addresses to clients on subnet 10.10.20.0/24; configure the DNS server address, the egress gateway and the lease duration.
[CORESW1] dhcp server ip-pool 2
[CORESW1-dhcp-pool-2] network 10.10.20.0 mask 255.255.255.0
[CORESW1-dhcp-pool-2] gateway-list 10.10.20.1
[CORESW1-dhcp-pool-2] dns-list 202.101.100.199
[CORESW1-dhcp-pool-2] expired day 30
[CORESW1-dhcp-pool-2] quit
# Configure VLAN interface 10 and VLAN interface 20 to work in DHCP server mode and specify the address pool each interface uses.
[CORESW1] interface vlan-interface 10
[CORESW1-Vlan-interface10] dhcp select server
[CORESW1-Vlan-interface10] dhcp server apply ip-pool 1
[CORESW1-Vlan-interface10] quit
[CORESW1] interface vlan-interface 20
[CORESW1-Vlan-interface20] dhcp select server
[CORESW1-Vlan-interface20] dhcp server apply ip-pool 2
[CORESW1-Vlan-interface20] quit
# Use the display dhcp server pool command to view the DHCP address pool information.
[CORESW1] display dhcp server pool
Pool name: 1
Network: 10.10.10.0 mask 255.255.255.0
dns-list 202.101.100.199
expired 30 0 0 0
gateway-list 10.10.10.1
static bindings:
ip-address 10.10.10.254 mask 255.255.255.0
client-identifier aabb-cccc-dd
Pool name: 2
Network: 10.10.20.0 mask 255.255.255.0
dns-list 202.101.100.199
expired 30 0 0 0
gateway-list 10.10.20.1
(4) Configure routing and view the routing table
# Configure a default static route whose next hop is the egress router, so that internal traffic can be sent to the egress router.
[CORESW1] ip route-static 0.0.0.0 0 10.10.100.2
# Use the display ip routing-table command to view the routing table.
[CORESW1] display ip routing-table
Destinations : 21 Routes : 21
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 10.10.100.2 Vlan100
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.0/24 Direct 0 0 10.10.10.1 Vlan10
10.10.10.0/32 Direct 0 0 10.10.10.1 Vlan10
10.10.10.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.255/32 Direct 0 0 10.10.10.1 Vlan10
10.10.20.0/24 Direct 0 0 10.10.20.1 Vlan20
10.10.20.0/32 Direct 0 0 10.10.20.1 Vlan20
10.10.20.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.20.255/32 Direct 0 0 10.10.20.1 Vlan20
10.10.100.0/24 Direct 0 0 10.10.100.1 Vlan100
10.10.100.0/32 Direct 0 0 10.10.100.1 Vlan100
10.10.100.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.100.255/32 Direct 0 0 10.10.100.1 Vlan100
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
(5) Save the configuration
# Save the configuration on core switch CORESW1.
[CORESW1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
For "Logging in to the device" and "Configuring the IP address and Telnet", see "Log in to the device through the console port for the first time" and "Configure the IP address and Telnet" in "1.4.1 Configuring the access switches".
(1) Configure the public-network and internal-network interface IP addresses
# Configure the public-network interface IP address.
[Router] interface GigabitEthernet 0/2
[Router-GigabitEthernet0/2] ip address 202.101.100.2 30
[Router-GigabitEthernet0/2] quit
# Configure the internal-network interface IP address.
[Router] interface GigabitEthernet 0/1
[Router-GigabitEthernet0/1] ip address 10.10.100.2 24
[Router-GigabitEthernet0/1] quit
(2) Configure the ACL that permits Internet access
# Configure the ACL.
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 10.10.10.0 0.0.0.255
[Router-acl-ipv4-basic-2000] rule permit source 10.10.20.0 0.0.0.255
[Router-acl-ipv4-basic-2000] rule permit source 10.10.100.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit
# Configure packet filtering.
[Router] interface gigabitethernet 0/1
[Router-GigabitEthernet0/1] packet-filter 2000 inbound
[Router-GigabitEthernet0/1] quit
[Router] packet-filter default deny
# Use the display acl command to view the ACL configuration.
[Router] display acl 2000
Basic IPv4 ACL 2000, 3 rules,
ACL's step is 5, start ID is 0
rule 0 permit source 10.10.10.0 0.0.0.255
rule 5 permit source 10.10.20.0 0.0.0.255
rule 10 permit source 10.10.100.0 0.0.0.255
# Use the display packet-filter command to check how the ACL is applied for packet filtering.
[Router] display packet-filter interface gigabitethernet 0/1 inbound
Interface: GigabitEthernet 0/1
Inbound policy:
IPv4 ACL 2000
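The filter above admits only the three internal subnets, and packet-filter default deny is what turns "not matched" into "dropped". The Python below is an added example (not the page's or the vendor's code) that parses the basic ACL as it appears in the configuration file, applies the wildcard-mask matching and first-match-by-rule-ID order the router uses, and contrasts the page's default deny with the device default of permit for non-matching packets; the sample source addresses are constructed.

```python
import ipaddress

ACL_STEP = 5  # rule IDs are auto-assigned in steps of 5 ("ACL's step is 5" in the display acl output)
ANY = ("0.0.0.0", "255.255.255.255")

# Constructed input: the router's basic ACL from this case, as it appears in the configuration file
ACL_2000 = """\
acl basic 2000
 rule permit source 10.10.10.0 0.0.0.255
 rule permit source 10.10.20.0 0.0.0.255
 rule permit source 10.10.100.0 0.0.0.255
"""

def parse_basic_acl(text):
    """Return [(rule_id, action, network, wildcard)] sorted by rule ID.

    Handles 'rule [id] permit|deny [source <addr> <wildcard> | source any]'.
    A rule without an explicit ID gets the next free multiple of ACL_STEP, as the device does.
    """
    rules, next_id = [], 0
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "rule":
            continue
        i, rule_id = 1, None
        if parts[i].isdigit():
            rule_id, i = int(parts[i]), i + 1
        action = parts[i]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported rule: {raw.strip()!r}")
        tail = parts[i + 1:]
        if tail[:1] == ["source"] and tail[1:2] != ["any"] and len(tail) >= 3:
            net, wild = tail[1], tail[2]
        else:  # 'source any' or no source clause: matches every address
            net, wild = ANY
        if rule_id is None:
            rule_id = next_id
        next_id = max(next_id, (rule_id // ACL_STEP + 1) * ACL_STEP)
        rules.append((rule_id, action, net, wild))
    return sorted(rules, key=lambda r: r[0])

def wildcard_match(addr, network, wildcard):
    """Wildcard-mask semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def packet_filter(rules, src_addr, default_action="permit"):
    """Emulate 'packet-filter 2000 inbound': the first matching rule (by ID) decides.

    Packets matching no rule get default_action. Comware permits them unless
    'packet-filter default deny' is configured, which is what the page does.
    """
    for rule_id, action, net, wild in rules:
        if wildcard_match(src_addr, net, wild):
            return action, rule_id
    return default_action, None

RULES = parse_basic_acl(ACL_2000)

if __name__ == "__main__":
    for src in ("10.10.10.55", "10.10.20.7", "10.10.100.2", "192.168.1.9"):
        print(src, "default permit ->", packet_filter(RULES, src),
              "| default deny ->", packet_filter(RULES, src, "deny"))
```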
(3) Configure routes to the internal network and the public network
[Router] ip route-static 10.10.10.0 255.255.255.0 10.10.100.1
[Router] ip route-static 10.10.20.0 255.255.255.0 10.10.100.1
[Router] ip route-static 0.0.0.0 0.0.0.0 202.101.100.1
(4) Configure DNS resolution
[Router] dns server 202.101.100.199
[Router] dns proxy enable
(5) Save the configuration
# Save the configuration on egress router Router.
[Router] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
(1) Two PCs in the same department can ping each other.
# Taking the department in VLAN 10 as an example, PC1 and PC2 communicate at Layer 2 through ACCSW1. Assume PC2 obtained the IP address 10.10.10.20 through DHCP; if PC1 and PC2 can ping each other, Layer 2 connectivity is working.
<PC1> ping 10.10.10.20
Ping 10.10.10.20 (10.10.10.20): 56 data bytes, press CTRL+C to break
56 bytes from 10.10.10.20: icmp_seq=0 ttl=255 time=1.015 ms
56 bytes from 10.10.10.20: icmp_seq=1 ttl=255 time=2.338 ms
56 bytes from 10.10.10.20: icmp_seq=2 ttl=255 time=1.951 ms
56 bytes from 10.10.10.20: icmp_seq=3 ttl=255 time=1.719 ms
56 bytes from 10.10.10.20: icmp_seq=4 ttl=255 time=1.629 ms
--- Ping statistics for 10.10.10.20 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.015/1.730/2.338/0.434 ms
(2) PCs in two different departments can ping each other.
# Communication between departments is implemented through the VLAN interfaces on CORESW1. Assume PC3 obtained the IP address 10.10.20.10 through DHCP; if PC1 and PC3 can ping each other, Layer 3 connectivity between the two departments through the VLAN interfaces is working.
<PC1> ping 10.10.20.10
Ping 10.10.20.10 (10.10.20.10): 56 data bytes, press CTRL+C to break
56 bytes from 10.10.20.10: icmp_seq=0 ttl=254 time=2.709 ms
56 bytes from 10.10.20.10: icmp_seq=1 ttl=254 time=0.877 ms
56 bytes from 10.10.20.10: icmp_seq=2 ttl=254 time=0.850 ms
56 bytes from 10.10.20.10: icmp_seq=3 ttl=254 time=0.805 ms
56 bytes from 10.10.20.10: icmp_seq=4 ttl=254 time=0.814 ms
--- Ping statistics for 10.10.20.10 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.805/1.211/2.709/0.749 ms
(3) One PC from each department can ping the external network.
# Taking the department in VLAN 10 as an example, verify external access by pinging the public gateway address (the IP address of the carrier device facing the egress router) from PC1. If the ping succeeds, internal users can reach the external network. The test method is similar to step 1.
· Access switch ACCSW1:
#
sysname ACCSW1
#
telnet server enable
#
dhcp snooping enable
#
vlan 5
#
vlan 10
#
stp bpdu-protection
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 10
link-aggregation mode dynamic
dhcp snooping trust
#
interface Vlan-interface5
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 10
stp edged-port
ip verify source ip-address mac-address
dhcp snooping binding record
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 10
stp edged-port
ip verify source ip-address mac-address
dhcp snooping binding record
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 10
stp edged-port
#
interface Ten-GigabitEthernet1/0/7
port link-mode bridge
port link-type trunk
port trunk permit vlan 10
port link-aggregation group 1
#
interface Ten-GigabitEthernet1/0/8
port link-mode bridge
port link-type trunk
port trunk permit vlan 10
port link-aggregation group 1
#
interface Ten-GigabitEthernet1/0/10
port link-mode bridge
port access vlan 5
#
line vty 0 63
authentication-mode scheme
#
local-user admin class manage
password hash $h$6$/up8ijTTulpXAAkL$s9fFDXwWVzNd0j2F8Rq/ZQEiMbA2s8uW31kkcaDoGHoNyvE/zZLV9HoLp+i0+VcV6Jpm48ufEAxbuKvi6qtWmg==
service-type telnet
authorization-attribute user-role network-admin
#
· Access switch ACCSW2:
The configuration file of ACCSW2 is the same as that of ACCSW1 except for the VLAN ID, the management VLAN interface IP address and the aggregate interface number; it is omitted here.
· Core switch CORESW1:
#
sysname CORESW1
#
vlan 10
#
vlan 20
#
vlan 100
#
dhcp server ip-pool 1
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
dns-list 202.101.100.199
expired day 30
static-bind ip-address 10.10.10.254 mask 255.255.255.0 client-identifier aaaa-cccc-dd
#
dhcp server ip-pool 2
gateway-list 10.10.20.1
network 10.10.20.0 mask 255.255.255.0
dns-list 202.101.100.199
expired day 30
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 10
link-aggregation mode dynamic
#
interface Vlan-interface10
ip address 10.10.10.1 255.255.255.0
dhcp server apply ip-pool 1
#
interface Vlan-interface20
ip address 10.10.20.1 255.255.255.0
dhcp server apply ip-pool 2
#
interface Vlan-interface100
ip address 10.10.100.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 100
#
interface Ten-GigabitEthernet1/0/7
port link-mode bridge
port link-type trunk
port trunk permit vlan 10
port link-aggregation group 1
#
interface Ten-GigabitEthernet1/0/8
port link-mode bridge
port link-type trunk
port trunk permit vlan 10
port link-aggregation group 1
#
ip route-static 0.0.0.0 0 10.10.100.2
#
· Egress router Router:
#
sysname Router
#
packet-filter default deny
#
dns proxy enable
dns server 202.101.100.199
#
interface GigabitEthernet0/1
port link-mode route
ip address 10.10.100.2 255.255.255.0
packet-filter 2000 inbound
#
interface GigabitEthernet0/2
port link-mode route
ip address 202.101.100.2 255.255.255.252
#
ip route-static 0.0.0.0 0 202.101.100.1
ip route-static 10.10.10.0 24 10.10.100.1
ip route-static 10.10.20.0 24 10.10.100.1
#
acl basic 2000
rule 0 permit source 10.10.10.0 0.0.0.255
rule 5 permit source 10.10.20.0 0.0.0.255
rule 10 permit source 10.10.100.0 0.0.0.255
#
· "Login to the device" in the product's "Fundamentals Configuration Guide".
· "Login to the device" in the product's "Fundamentals Command Reference".
· "VLAN" in the product's "Layer 2 - LAN Switching Configuration Guide".
· "VLAN" in the product's "Layer 2 - LAN Switching Command Reference".
· "Ethernet link aggregation" in the product's "Layer 2 - LAN Switching Configuration Guide".
· "Ethernet link aggregation" in the product's "Layer 2 - LAN Switching Command Reference".
· "DHCP" in the product's "Layer 3 - IP Services Configuration Guide".
· "DHCP" in the product's "Layer 3 - IP Services Command Reference".
· "ACL" in the product's "ACL and QoS Configuration Guide".
· "ACL" in the product's "ACL and QoS Command Reference".
· "IP Source Guard" in the product's "Security Configuration Guide".
· "IP Source Guard" in the product's "Security Command Reference".
This example describes a typical network configuration for a small to medium-sized campus.
As shown in Figure 3, in a small to medium-sized campus, S5130 series or S5130S series Ethernet switches are usually deployed at the access layer, S5560X series or S6520X series Ethernet switches are usually deployed at the core, and an MSR series router is generally chosen as the egress router.
· VRRP is configured on the core switches to ensure network reliability.
· Different business departments in the campus are assigned to different VLANs; traffic between departments is routed at Layer 3 through VLAN interfaces on the core switches.
· The core switches act as DHCP servers and assign IP addresses to campus users.
· DHCP snooping is configured on the access switches to prevent internal users from attaching unauthorized small routers that hand out IP addresses; IP source guard is also configured to prevent internal users from changing their IP addresses on their own.
· IP-based rate limiting is configured on the egress router for traffic in both directions.
After logging in to the device, the configuration required for this example is as follows; see Table 3 in 2.3 (7) for the detailed data plan.
(1) Log in to the device
(2) Configure the management IP address and Telnet
(3) Configure network connectivity
(4) Configure DHCP on the core switches
(5) Configure OSPF on the core switches
(6) Configure reliability features on the core switches
(7) Configure rate limiting
Table 3
| Configuration step | Item | Data | Description |
| --- | --- | --- | --- |
| Log in to the device | Log in through the console port | Set communication parameters such as the transmission rate | Log in to the device from a PC with terminal emulation software |
| Configure the management IP address and Telnet | Management VLAN | VLAN 5 | The default VLAN of the switch is VLAN 1, which is generally not used as the management VLAN. This document uses VLAN 5 as the management VLAN. |
| | Management Ethernet port or management VLAN interface IP address | 10.10.1.1/24 | ACCSW1 is used as the example. On a switch that has a management Ethernet port, configure an IP address on M-GigabitEthernet0/0/0 for logging in to the switch. On a switch without one, configure the IP address on the management VLAN interface. |
| Configure interfaces and VLANs | Port type | Ports connected to switches are recommended to be trunk ports; ports connected to PCs are configured as access ports. | Trunk ports are generally used to connect switches; access ports are generally used to connect PCs; hybrid ports are general-purpose ports that can connect either switches or PCs |
| | VLAN ID | ACCSW1: VLAN 10, 20; CORESW1: VLAN 10, 20, 30, 40, 50, 100, 300 | To isolate department A and department B at Layer 2, department A is placed in VLAN 10 and department B in VLAN 20. Core switch 1 connects to the egress router through Vlan-int100 |
| Configure the DHCP server on the core switches | DHCP server | CORESW1, CORESW2 | Deploy the DHCP server on core switch 1 and core switch 2 |
| | Address pools | VLAN 10: ip pool 10; VLAN 20: ip pool 20 | Department A terminals obtain IP addresses from ip pool 10; department B terminals obtain IP addresses from ip pool 20 |
| | Address allocation mode | Global address pools | None |
| Configure routing on the core switches | IP addresses | CORESW1 as the example: Vlan-int10: 192.168.10.1/24; Vlan-int20: 192.168.20.1/24; Vlan-int100: 172.16.1.1/24; Vlan-int300: 172.16.3.1/24 | Vlan-int100 connects core switch 1 to the campus egress router. Vlan-int300 connects core switch 1 to core switch 2. Once Vlan-int10 and Vlan-int20 have IP addresses on core switch 1, department A and department B can reach each other through core switch 1 |
| Configure the egress router | Public interface IP address | GE0/0: 202.101.100.2/30 | GE0/0 connects the egress router to the Internet and is generally called the public-network interface |
| | Public gateway | 202.101.100.1/30 | This is the IP address of the carrier device facing the egress router; the egress router needs a default route pointing to this address to forward internal traffic to the Internet |
| | DNS address | 202.101.100.199 | The DNS server resolves domain names to IP addresses |
| | Internal interface IP addresses | GE0/1: 172.16.1.2/24; GE0/2: 172.16.2.2/24 | GE0/1 and GE0/2 connect the egress router to the internal network; GE0/1 connects to the master device and GE0/2 to the backup device |
| Configure DHCP snooping and IP source guard on the access switches | Trusted ports | GE1/0/1 GE1/0/2 | After trusted ports are configured, users only accept DHCP packets that enter through a trusted port, which prevents a privately attached small router from assigning IP addresses to hosts |
Access switches ACCSW1, ACCSW2, ACCSW3 and ACCSW4 are configured in essentially the same way. This section uses access switch ACCSW1 as an example.
(1) Log in to the device through the console port for the first time
# Power off the PC.
Because the PC's serial port is not hot-swappable, do not plug the serial cable into or unplug it from the PC while the PC is powered on.
# Connect the PC and the device with the console cable shipped with the product. First insert the DB-9 (female) connector of the console cable into the 9-pin (male) serial port of the PC, then insert the RJ-45 end into the console port of the device.
· Check the label on the port when connecting, so that the cable is not plugged into another port by mistake.
· When removing the console cable, unplug the RJ-45 end first, then the DB-9 end.
Figure 4 Connecting the device and the PC with the console cable
# Power on the PC.
# Open a terminal emulation program on the PC and set the terminal parameters as required in Table 4.
Table 4
| Parameter | Value |
| --- | --- |
| Baud rate | 9600 |
| Data bits | 8 |
| Stop bits | 1 |
| Parity | None |
| Flow control | None |
# Power on the device.
After the device completes its self-test, press Enter to enter the command-line interface.
By default, the authentication mode for console login is None, meaning no username or password is required. After the first login, it is recommended to change the console login authentication mode to improve device security. For details about console login authentication modes, see "Login to the device" in the "Fundamentals Configuration Guide" of the corresponding configuration manual.
(2) Configure the IP address and Telnet
# Create VLAN 5 and add interface Ten-GigabitEthernet1/0/10 to VLAN 5. Assume the interface connected to the network management station is Ten-GigabitEthernet1/0/10.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] sysname ACCSW1
[ACCSW1] vlan 5
[ACCSW1-vlan5] port ten-gigabitethernet 1/0/10
[ACCSW1-vlan5] quit
# Create VLAN interface 5 and configure its IP address as 10.10.1.1/24.
[ACCSW1] interface vlan-interface 5
[ACCSW1-Vlan-interface5] ip address 10.10.1.1 24
[ACCSW1-Vlan-interface5] quit
# Enable the Telnet service.
[ACCSW1] telnet server enable
# Configure Telnet login to use scheme authentication.
[ACCSW1] line vty 0 63
[ACCSW1-line-vty0-63] authentication-mode scheme
[ACCSW1-line-vty0-63] quit
# Create a local user and configure its password, user role and service type. In this example the user name is admin and the password is hello12345; the service type is telnet and the user role is network-admin.
[ACCSW1] local-user admin
New local user added.
[ACCSW1-luser-manage-admin] password simple hello12345
[ACCSW1-luser-manage-admin] authorization-attribute user-role network-admin
[ACCSW1-luser-manage-admin] service-type telnet
[ACCSW1-luser-manage-admin] quit
# Telnet to the device from the terminal. After the correct username and password are entered, the user-view command prompt indicates that the login succeeded.
C:\Users\Administrator> telnet 10.10.1.1
******************************************************************************
* Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
login: admin
Password:
...
The terminal output above is from an S5560X-30C-PWR-EI (Release 1118P07); the actual output depends on the device.
(3) Configure interfaces and VLANs
# Create VLAN 10 and VLAN 20 on the access switch.
[ACCSW1] vlan 10 20
# Add interface GigabitEthernet1/0/1, which connects to PC1, to VLAN 10 and configure it as an edge port.
[ACCSW1] interface gigabitethernet 1/0/1
[ACCSW1-GigabitEthernet1/0/1] port link-type access
[ACCSW1-GigabitEthernet1/0/1] port access vlan 10
[ACCSW1-GigabitEthernet1/0/1] stp edged-port
[ACCSW1-GigabitEthernet1/0/1] quit
# Add interface GigabitEthernet1/0/2, which connects to PC1, to VLAN 20 and configure it as an edge port.
[ACCSW1] interface gigabitethernet 1/0/2
[ACCSW1-GigabitEthernet1/0/2] port link-type access
[ACCSW1-GigabitEthernet1/0/2] port access vlan 20
[ACCSW1-GigabitEthernet1/0/2] stp edged-port
[ACCSW1-GigabitEthernet1/0/2] quit
# Configure the link type of interfaces GigabitEthernet1/0/3 and GigabitEthernet1/0/4 as trunk and permit packets from VLAN 10 and VLAN 20.
[ACCSW1] interface gigabitethernet 1/0/3
[ACCSW1-GigabitEthernet1/0/3] port link-type trunk
[ACCSW1-GigabitEthernet1/0/3] port trunk permit vlan 10 20
[ACCSW1-GigabitEthernet1/0/3] quit
[ACCSW1] interface gigabitethernet 1/0/4
[ACCSW1-GigabitEthernet1/0/4] port link-type trunk
[ACCSW1-GigabitEthernet1/0/4] port trunk permit vlan 10 20
[ACCSW1-GigabitEthernet1/0/4] quit
# Display the VLAN 10 and VLAN 20 configuration on ACCSW1.
[ACCSW1] display vlan 10
VLAN ID: 10
VLAN type: Static
Route interface: Not configured
Description: VLAN 0010
Name: VLAN 0010
Tagged ports:
GigabitEthernet1/0/3
GigabitEthernet1/0/4
Untagged ports:
GigabitEthernet1/0/1
[ACCSW1] display vlan 20
VLAN ID: 20
VLAN type: Static
Route interface: Not configured
Description: VLAN 0020
Name: VLAN 0020
Tagged ports:
GigabitEthernet1/0/3
GigabitEthernet1/0/4
Untagged ports:
GigabitEthernet1/0/2
(4) Configure BPDU guard
[ACCSW1] stp bpdu-protection
(5) Configure DHCP snooping
# Enable DHCP snooping.
[ACCSW1] dhcp snooping enable
# Specify GigabitEthernet1/0/3 as the DHCP snooping trusted port.
[ACCSW1] interface gigabitethernet 1/0/3
[ACCSW1-GigabitEthernet1/0/3] dhcp snooping trust
[ACCSW1-GigabitEthernet1/0/3] quit
(6) Configure IP source guard
# Enable IPv4 interface binding on interfaces GigabitEthernet1/0/1 and GigabitEthernet1/0/2, binding the source IP address and MAC address, and enable recording of DHCP snooping entries on these interfaces.
[ACCSW1] interface gigabitethernet 1/0/1
[ACCSW1-GigabitEthernet1/0/1] ip verify source ip-address mac-address
[ACCSW1-GigabitEthernet1/0/1] dhcp snooping binding record
[ACCSW1-GigabitEthernet1/0/1] quit
[ACCSW1] interface gigabitethernet 1/0/2
[ACCSW1-GigabitEthernet1/0/2] ip verify source ip-address mac-address
[ACCSW1-GigabitEthernet1/0/2] dhcp snooping binding record
[ACCSW1-GigabitEthernet1/0/2] quit
(7) Save the configuration
# Save the configuration on the access switch (ACCSW1 as the example).
[ACCSW1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
Core switches CORESW1 and CORESW2 are configured in essentially the same way. Unless otherwise stated, this section uses core switch CORESW1 as an example.
(1) Configure interfaces and VLANs
# Create VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50, VLAN 100 and VLAN 300.
<Sysname> system-view
[Sysname] sysname CORESW1
[CORESW1] vlan 10 20 30 40 50 100 300
# Configure the link type of interface GigabitEthernet1/0/1 as trunk and permit packets from VLAN 10 and VLAN 20.
[CORESW1] interface gigabitethernet 1/0/1
[CORESW1-GigabitEthernet1/0/1] port link-type trunk
[CORESW1-GigabitEthernet1/0/1] port trunk permit vlan 10 20
[CORESW1-GigabitEthernet1/0/1] quit
# Configure the link type of interface GigabitEthernet1/0/5 as trunk and permit packets from VLAN 300.
[CORESW1] interface gigabitethernet 1/0/5
[CORESW1-GigabitEthernet1/0/5] port link-type trunk
[CORESW1-GigabitEthernet1/0/5] port trunk permit vlan 300
[CORESW1-GigabitEthernet1/0/5] quit
# Configure the link types of the other interfaces and permit the corresponding VLANs; the detailed steps are omitted.
(2) Configure VLAN interfaces
# Create VLAN interface 10 and configure its IP address as 192.168.10.1/24.
[CORESW1] interface vlan-interface 10
[CORESW1-Vlan-interface10] ip address 192.168.10.1 24
[CORESW1-Vlan-interface10] quit
# Create VLAN interface 20 and configure its IP address as 192.168.20.1/24.
[CORESW1] interface vlan-interface 20
[CORESW1-Vlan-interface20] ip address 192.168.20.1 24
[CORESW1-Vlan-interface20] quit
# Create VLAN interface 100 and configure its IP address as 172.16.1.1/24.
[CORESW1] interface vlan-interface 100
[CORESW1-Vlan-interface100] ip address 172.16.1.1 24
[CORESW1-Vlan-interface100] quit
# Create VLAN interface 300 and configure its IP address as 172.16.3.1/24.
[CORESW1] interface vlan-interface 300
[CORESW1-Vlan-interface300] ip address 172.16.3.1 24
[CORESW1-Vlan-interface300] quit
# Create the other VLAN interfaces and configure their IP addresses; the detailed steps are omitted.
# Display the VLAN 10, VLAN 20, VLAN 100 and VLAN 300 configuration on CORESW1.
[CORESW1] display vlan 10
VLAN ID: 10
VLAN type: Static
Route interface: Configured
IPv4 address: 192.168.10.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports:
GigabitEthernet1/0/1
Untagged ports: None
[CORESW1] display vlan 20
VLAN ID: 20
VLAN type: Static
Route interface: Configured
IPv4 address: 192.168.20.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0020
Name: VLAN 0020
Tagged ports:
GigabitEthernet1/0/2
Untagged ports: None
[CORESW1] display vlan 100
VLAN ID: 100
VLAN type: Static
Route interface: Configured
IPv4 address: 172.16.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0100
Name: VLAN 0100
Tagged ports: None
Untagged ports: None
[CORESW1] display vlan 300
VLAN ID: 300
VLAN type: Static
Route interface: Configured
IPv4 address: 172.16.3.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0300
Name: VLAN 0300
Tagged ports:
GigabitEthernet1/0/5
Untagged ports: None
(3) Configure VRRP backup
Under normal conditions all internal user traffic is sent to CORESW1 for processing. Only when CORESW1 or its uplink fails does the VRRP group switch CORESW2 to master, after which internal user traffic is sent to CORESW2.
# Configure the VRRP group on CORESW1.
# Create VRRP group 1 and configure its virtual IP address as 172.16.3.10.
[CORESW1] interface vlan-interface 300
[CORESW1-Vlan-interface300] vrrp vrid 1 virtual-ip 172.16.3.10
# Set the priority of CORESW1 in VRRP group 1 to 120, higher than the priority 100 of CORESW2, so that CORESW1 becomes the Master and forwards traffic.
[CORESW1-Vlan-interface300] vrrp vrid 1 priority 120
# Configure CORESW1 to work in preemptive mode, so that after CORESW1 recovers from a failure it takes over as Master again; in other words, as long as CORESW1 is working normally, CORESW1 forwards the traffic. To avoid frequent state changes, set the preemption delay to 5000 centiseconds.
[CORESW1-Vlan-interface300] vrrp vrid 1 preempt-mode delay 5000
[CORESW1-Vlan-interface300] quit
# Create Track entry 1, associated with the physical state of uplink interface GigabitEthernet1/0/7. If the Track entry is in the Negative state, the uplink interface of CORESW1 has failed.
[CORESW1] track 1 interface gigabitethernet 1/0/7
[CORESW1-track-1] quit
# Configure the VRRP group to monitor the Track entry.
[CORESW1] interface vlan-interface 300
[CORESW1-Vlan-interface300] vrrp vrid 1 track 1 priority reduced 30
# Configure the VRRP group on CORESW2. Create VRRP group 1 and configure its virtual IP address as 172.16.3.10.
<Sysname> system-view
[Sysname] sysname CORESW2
[CORESW2] interface vlan-interface 300
[CORESW2-Vlan-interface300] vrrp vrid 1 virtual-ip 172.16.3.10
# Set the priority of CORESW2 in VRRP group 1 to 100.
[CORESW2-Vlan-interface300] vrrp vrid 1 priority 100
# Configure CORESW2 to work in preemptive mode with a preemption delay of 5000 centiseconds.
[CORESW2-Vlan-interface300] vrrp vrid 1 preempt-mode delay 5000
[CORESW2-Vlan-interface300] quit
# Use the display vrrp verbose command on CORESW1 to view the VRRP group information.
[CORESW1] display vrrp verbose
IPv4 Virtual Router Information:
Running mode : Standard
Total number of virtual routers : 1
Interface Vlan-interface300
VRID : 1 Adver Timer : 100
Admin Status : Up State : Master
Config Pri : 120 Running Pri : 120
Preempt Mode : Yes Delay Time : 5000
Auth Type : None
Virtual IP : 172.16.3.10
Virtual MAC : 0000-5e00-0101
Master IP : 172.16.3.1
VRRP Track Information:
Track Object : 1 State : Positive Pri Reduced : 30
# Use the display vrrp verbose command on CORESW2 to view the VRRP group information.
[CORESW2] display vrrp verbose
IPv4 Virtual Router Information:
Running mode : Standard
Total number of virtual routers : 1
Interface Vlan-interface300
VRID : 1 Adver Timer : 100
Admin Status : Up State : Backup
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 5000
Become Master : 27810ms left
Auth Type : None
Virtual IP : 172.16.3.10
Virtual MAC : 0000-5e00-0101
Master IP : 172.16.3.1
# The output shows that VRRP group 1 is up, with CORESW1 as Master and CORESW2 as Backup. Note that Auth Type is None: the advertisements exchanged on VLAN-interface 300 are not authenticated, so any device able to send into VLAN 300 could advertise a higher priority and take over the virtual IP address. VLAN 300 is therefore kept to the link between the two core switches (only GigabitEthernet1/0/5 carries it, as the display vlan 300 output above shows).
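Because the group above runs without authentication, the only way to notice a rogue Master on VLAN 300 is to watch the advertisements themselves. The following Python script is an added example, not code from the H3C guide: it parses VRRPv2 advertisements (the payload of IP protocol 112 packets sent to 224.0.0.18; capturing them is outside the script), verifies the header checksum, and compares each one with the state shown in the display vrrp verbose output above (VRID 1, virtual IP 172.16.3.10, CORESW1 at 172.16.3.1 with priority 120, CORESW2 at 172.16.3.2 with priority 100). The packet bytes and the rogue source 172.16.3.77 are constructed; the function and constant names are the example's own.

```python
"""VRRPv2 advertisement parser and rogue-master check for the VRRP group above.
Added example, not code from the H3C guide; the packet bytes are constructed
here and the expected state is taken from the display vrrp verbose output."""
import ipaddress
import struct

# Expected state of VRRP group 1 on VLAN 300, from the display output above.
EXPECTED = {
    "vrid": 1,
    "virtual_ip": "172.16.3.10",
    # legitimate member interface address -> configured priority
    "members": {"172.16.3.1": 120, "172.16.3.2": 100},
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used in the VRRP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrp_adv(vrid: int, priority: int, virtual_ips, adver_int: int = 1) -> bytes:
    """Build a VRRPv2 (RFC 3768) advertisement with auth type 0 (no authentication)."""
    addrs = b"".join(ipaddress.IPv4Address(ip).packed for ip in virtual_ips)
    fixed = struct.pack("!BBBBBB", (2 << 4) | 1, vrid, priority, len(virtual_ips), 0, adver_int)
    tail = addrs + bytes(8)            # 8 bytes of auth data, unused with auth type 0
    csum = inet_checksum(fixed + b"\x00\x00" + tail)
    return fixed + struct.pack("!H", csum) + tail


def parse_vrrp_adv(pkt: bytes) -> dict:
    """Parse a VRRPv2 advertisement (the IP payload); raise ValueError if malformed."""
    if len(pkt) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, auth, adver, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) < 8 + 4 * count + 8:
        raise ValueError("truncated address list")
    if inet_checksum(pkt) != 0:        # a correct packet sums to zero
        raise ValueError("bad checksum")
    ips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "auth_type": auth,
            "adver_int": adver, "virtual_ips": ips}


def classify_advertisement(src_ip: str, pkt: bytes, expected=EXPECTED) -> list:
    """Return findings for one advertisement; an empty list means it fits the design."""
    try:
        adv = parse_vrrp_adv(pkt)
    except ValueError as err:
        return ["malformed: %s" % err]
    findings = []
    if adv["vrid"] != expected["vrid"]:
        findings.append("unexpected VRID %d" % adv["vrid"])
    if expected["virtual_ip"] not in adv["virtual_ips"]:
        findings.append("virtual IP mismatch: %s" % adv["virtual_ips"])
    configured = expected["members"].get(src_ip)
    if configured is None:
        findings.append("advertisement from non-member %s" % src_ip)
    elif adv["priority"] > configured:
        # lower than configured is normal (track reduction, or 0 on shutdown); higher is not
        findings.append("priority %d above configured %d for %s" % (adv["priority"], configured, src_ip))
    if adv["priority"] == 255:
        # 255 means "I own the virtual IP"; 172.16.3.10 is owned by nobody in this design
        findings.append("priority 255 claims ownership of the virtual IP")
    return findings


if __name__ == "__main__":
    legit = build_vrrp_adv(1, 120, ["172.16.3.10"])
    rogue = build_vrrp_adv(1, 255, ["172.16.3.10"])        # 172.16.3.77 is a made-up host
    for src, pkt in (("172.16.3.1", legit), ("172.16.3.77", rogue)):
        print(src, classify_advertisement(src, pkt) or "ok")
```

An advertisement from CORESW1 with priority 90 (track entry 1 Negative) passes the check, because a member advertising below its configured priority is the normal track and shutdown behaviour; an advertisement from an address that is not one of the two core switches, or one carrying priority 255 (address owner, which no router is here since 172.16.3.10 is not an interface address), is reported.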
(4) Configure the DHCP server and verify the configuration
# Enable DHCP.
[CORESW1] dhcp enable
# Create DHCP address pool 1, which dynamically assigns IP addresses to clients in 192.168.10.0/24; configure the DNS server address, the gateway and the lease duration, and bind the fixed address 192.168.10.254 to the printer.
[CORESW1] dhcp server ip-pool 1
[CORESW1-dhcp-pool-1] network 192.168.10.0 mask 255.255.255.0
[CORESW1-dhcp-pool-1] gateway-list 192.168.10.1
[CORESW1-dhcp-pool-1] dns-list 202.101.100.199
[CORESW1-dhcp-pool-1] expired day 30
[CORESW1-dhcp-pool-1] static-bind ip-address 192.168.10.254 24 client-identifier aabb-cccc-dd
[CORESW1-dhcp-pool-1] quit
# Create DHCP address pool 2, which dynamically assigns IP addresses to clients in 192.168.20.0/24; configure the DNS server address, the gateway and the lease duration.
[CORESW1] dhcp server ip-pool 2
[CORESW1-dhcp-pool-2] network 192.168.20.0 mask 255.255.255.0
[CORESW1-dhcp-pool-2] gateway-list 192.168.20.1
[CORESW1-dhcp-pool-2] dns-list 202.101.100.199
[CORESW1-dhcp-pool-2] expired day 30
[CORESW1-dhcp-pool-2] quit
# Configure VLAN-interface 10 and VLAN-interface 20 to operate in DHCP server mode.
[CORESW1] interface vlan-interface 10
[CORESW1-Vlan-interface10] dhcp select server
[CORESW1-Vlan-interface10] quit
[CORESW1] interface vlan-interface 20
[CORESW1-Vlan-interface20] dhcp select server
[CORESW1-Vlan-interface20] quit
# Use the display dhcp server pool command to view the DHCP address pool information.
[CORESW1] display dhcp server pool
Pool name: 1
Network: 192.168.10.0 mask 255.255.255.0
expired 30 0 0 0
gateway-list 192.168.10.1
static bindings:
ip-address 192.168.10.254 mask 255.255.255.0
client-identifier aabb-cccc-dd
Pool name: 2
Network: 192.168.20.0 mask 255.255.255.0
expired 30 0 0 0
gateway-list 192.168.20.1
(5) Configure OSPF
OSPF configuration on CORESW1.
[CORESW1] ospf 100 router-id 2.2.2.2
[CORESW1-ospf-100] area 0
[CORESW1-ospf-100-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[CORESW1-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORESW1-ospf-100-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[CORESW1-ospf-100-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[CORESW1-ospf-100-area-0.0.0.0] quit
[CORESW1-ospf-100] quit
OSPF configuration on CORESW2.
[CORESW2] ospf 100 router-id 3.3.3.3
[CORESW2-ospf-100] area 0
[CORESW2-ospf-100-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[CORESW2-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORESW2-ospf-100-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[CORESW2-ospf-100-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[CORESW2-ospf-100-area-0.0.0.0] quit
[CORESW2-ospf-100] quit
# Use the display ospf peer command to view the OSPF neighbor information on CORESW1.
[CORESW1] display ospf peer
OSPF Process 100 with Router ID 2.2.2.2
Neighbor Brief Information
Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
3.3.3.3 172.16.3.2 1 33 Full/DR Vlan300
# Use the display ospf peer command to view the OSPF neighbor information on CORESW2.
[CORESW2] display ospf peer
OSPF Process 100 with Router ID 3.3.3.3
Neighbor Brief Information
Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
2.2.2.2 172.16.3.1 1 36 Full/BDR Vlan300
(6) Save the configuration
# Save the configuration on the core switches (CORESW1 shown as the example).
[CORESW1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
(1) Configure the LAN-side and WAN-side interface IP addresses on the egress router
# Configure the LAN-side interface IP addresses.
[Router] interface GigabitEthernet 0/1
[Router-GigabitEthernet0/1] ip address 172.16.1.2 24
[Router-GigabitEthernet0/1] quit
[Router] interface GigabitEthernet 0/2
[Router-GigabitEthernet0/2] ip address 172.16.2.2 24
[Router-GigabitEthernet0/2] quit
# Configure the WAN-side (public) interface IP address.
[Router] interface GigabitEthernet 0/0
[Router-GigabitEthernet0/0] ip address 202.101.100.2 30
[Router-GigabitEthernet0/0] quit
(2) Configure the ACL that controls which sources may access the Internet
# Configure the ACL: only the campus prefixes are permitted as source addresses.
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.10.0 0.0.0.255
[Router-acl-ipv4-basic-2000] rule permit source 192.168.20.0 0.0.0.255
[Router-acl-ipv4-basic-2000] rule permit source 172.16.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] rule permit source 172.16.2.0 0.0.0.255
[Router-acl-ipv4-basic-2000] rule permit source 172.16.3.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit
# Apply packet filtering inbound on the two LAN-facing interfaces. With packet-filter default deny, a packet that matches no rule of the applied ACL is dropped, so only traffic sourced from the listed campus prefixes is accepted from the LAN side.
[Router] interface gigabitethernet 0/1
[Router-GigabitEthernet0/1] packet-filter 2000 inbound
[Router-GigabitEthernet0/1] quit
[Router] interface gigabitethernet 0/2
[Router-GigabitEthernet0/2] packet-filter 2000 inbound
[Router-GigabitEthernet0/2] quit
[Router] packet-filter default deny
# Use the display acl command to view the ACL configuration.
[Router] display acl 2000
Basic IPv4 ACL 2000, 5 rules,
ACL's step is 5, start ID is 0
rule 0 permit source 192.168.10.0 0.0.0.255
rule 5 permit source 192.168.20.0 0.0.0.255
rule 10 permit source 172.16.1.0 0.0.0.255
rule 15 permit source 172.16.2.0 0.0.0.255
rule 20 permit source 172.16.3.0 0.0.0.255
# Use the display packet-filter command to view how the ACL is applied for packet filtering.
[Router] display packet-filter interface gigabitethernet 0/1 inbound
Interface: GigabitEthernet0/1
Inbound policy:
IPv4 ACL 2000
[Router] display packet-filter interface gigabitethernet 0/2 inbound
Interface: GigabitEthernet0/2
Inbound policy:
IPv4 ACL 2000
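The filter above decides as follows: a Comware basic ACL matches on the source address through a wildcard (inverse) mask, rules are tried in configuration order, and a packet matching no rule gets the packet-filter default action, here deny. The Python script below is an added example, not code from the H3C guide, that reproduces that evaluation for ACL 2000 against constructed sample sources: the PC and core-switch addresses and the ACCSW1 management address 10.10.1.1 come from this case, the public source 8.8.8.8 stands for a LAN host spoofing an external address, and the function names are the example's own.

```python
"""Evaluate basic ACL 2000 with packet-filter default deny against sample source
addresses. Added example, not code from the H3C guide; the rule table is copied
from the display acl 2000 output above, the sample sources are constructed."""
import ipaddress

# (rule id, action, source, wildcard) exactly as displayed for ACL 2000.
ACL_2000 = [
    (0, "permit", "192.168.10.0", "0.0.0.255"),
    (5, "permit", "192.168.20.0", "0.0.0.255"),
    (10, "permit", "172.16.1.0", "0.0.0.255"),
    (15, "permit", "172.16.2.0", "0.0.0.255"),
    (20, "permit", "172.16.3.0", "0.0.0.255"),
]
DEFAULT_ACTION = "deny"   # packet-filter default deny


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Comware wildcard masks are inverse masks: a 1 bit means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care


def filter_packet(src_ip: str, acl=ACL_2000, default=DEFAULT_ACTION):
    """First matching rule wins (config-order matching, the default for a basic ACL);
    a packet matching no rule gets the packet-filter default action."""
    for rule_id, action, network, wildcard in acl:
        if wildcard_match(src_ip, network, wildcard):
            return action, rule_id
    return default, None


# Constructed packets arriving inbound on GigabitEthernet0/1 or GigabitEthernet0/2.
SAMPLES = {
    "192.168.10.83": "PC in department A (VLAN 10)",
    "192.168.20.5": "PC in department B (VLAN 20)",
    "172.16.3.1": "CORESW1 VLAN-interface 300",
    "10.10.1.1": "ACCSW1 management VLAN 5 address, not in the ACL",
    "8.8.8.8": "LAN host spoofing a public source address",
}


def audit(samples=SAMPLES):
    """Return {source: (action, rule id or None)} for every sample."""
    return {ip: filter_packet(ip) for ip in samples}


if __name__ == "__main__":
    for ip, (action, rule_id) in audit().items():
        rule = "default" if rule_id is None else "rule %d" % rule_id
        print("%-15s %-6s (%s)  %s" % (ip, action, rule, SAMPLES[ip]))
```

The last two rows are the ones worth checking in practice: the management VLAN 10.10.1.0/24 cannot leave through the router with this ACL, and because the filter only looks at the source address, a LAN host that spoofs another campus prefix still passes; that case is what the ip verify source setting on the access ports is for.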
(3) Configure OSPF
Configure a default route pointing to the ISP.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.101.100.1
OSPF configuration on the egress router. Redistribute the default route into OSPF so that the internal network can reach the Internet.
[Router] ospf 10 router-id 1.1.1.1
[Router-ospf-10] default-route-advertise always
[Router-ospf-10] area 0
[Router-ospf-10-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Router-ospf-10-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[Router-ospf-10-area-0.0.0.0] quit
[Router-ospf-10] quit
# Use the display ospf peer command to view the OSPF neighbor information on Router.
[Router] display ospf peer
OSPF Process 10 with Router ID 1.1.1.1
Neighbor Brief Information
Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
2.2.2.2 172.16.1.1 1 31 Full/DR GE0/1
3.3.3.3 172.16.2.1 1 39 Full/BDR GE0/2
# Use the display ospf routing command to view the OSPF routing table on CORESW1.
[CORESW1] display ospf routing
OSPF Process 100 with Router ID 2.2.2.2
Routing Table
Topology base (MTID 0)
Routing for network
Destination Cost Type NextHop AdvRouter Area
172.16.1.0/24 1 Transit 0.0.0.0 2.2.2.2 0.0.0.0
172.16.2.0/24 2 Transit 172.16.3.2 1.1.1.1 0.0.0.0
172.16.2.0/24 2 Transit 172.16.1.2 1.1.1.1 0.0.0.0
172.16.3.0/24 1 Transit 0.0.0.0 3.3.3.3 0.0.0.0
Routing for ASEs
Destination Cost Type Tag NextHop AdvRouter
0.0.0.0/0 1 Type2 1 172.16.1.2 1.1.1.1
Total nets: 5
Intra area: 4 Inter area: 0 ASE: 1 NSSA: 0
# Use the display ospf routing command to view the OSPF routing table on CORESW2.
[CORESW2] display ospf routing
OSPF Process 100 with Router ID 3.3.3.3
Routing Table
Topology base (MTID 0)
Routing for network
Destination Cost Type NextHop AdvRouter Area
172.16.1.0/24 2 Transit 172.16.3.1 2.2.2.2 0.0.0.0
172.16.1.0/24 2 Transit 172.16.2.2 2.2.2.2 0.0.0.0
172.16.2.0/24 1 Transit 0.0.0.0 1.1.1.1 0.0.0.0
172.16.3.0/24 1 Transit 0.0.0.0 3.3.3.3 0.0.0.0
Routing for ASEs
Destination Cost Type Tag NextHop AdvRouter
0.0.0.0/0 1 Type2 1 172.16.2.2 1.1.1.1
Total nets: 5
Intra area: 4 Inter area: 0 ASE: 1 NSSA: 0
(4) Configure DNS resolution
[Router] dns server 202.101.100.199
[Router] dns proxy enable
(5) Configure rate limiting by IP address or IP address range
# Configure the CAR lists.
[Router] qos carl 1 source-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth
[Router] qos carl 2 source-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth
[Router] qos carl 3 destination-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth
[Router] qos carl 4 destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth
# Configure the rate limits.
[Router] interface gigabitethernet 0/1
[Router-GigabitEthernet0/1] qos car inbound carl 1 cir 512
[Router-GigabitEthernet0/1] qos car inbound carl 2 cir 512
[Router-GigabitEthernet0/1] qos car outbound carl 3 cir 512
[Router-GigabitEthernet0/1] qos car outbound carl 4 cir 512
[Router-GigabitEthernet0/1] quit
[Router] interface gigabitethernet 0/2
[Router-GigabitEthernet0/2] qos car inbound carl 1 cir 512
[Router-GigabitEthernet0/2] qos car inbound carl 2 cir 512
[Router-GigabitEthernet0/2] qos car outbound carl 3 cir 512
[Router-GigabitEthernet0/2] qos car outbound carl 4 cir 512
[Router-GigabitEthernet0/2] quit
# Use the display qos carl command to view the CAR lists.
[Router] display qos carl
List Rules
1 source-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth
2 source-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth
3 destination-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth
4 destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth
# Use the display qos car interface command to view the traffic policing configuration and statistics on the interfaces.
[Router] display qos car interface gigabitethernet 0/1
Interface: GigabitEthernet0/1
Direction: inbound
Rule: If-match carl 1
CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
Green action : pass
Yellow action : pass
Red action : discard
Green packets : 0 (Packets), 0 (Bytes)
Yellow packets: 0 (Packets), 0 (Bytes)
Red packets : 0 (Packets), 0 (Bytes)
Rule: If-match carl 2
CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
Green action : pass
Yellow action : pass
Red action : discard
Green packets : 0 (Packets), 0 (Bytes)
Yellow packets: 0 (Packets), 0 (Bytes)
Red packets : 0 (Packets), 0 (Bytes)
Direction: outbound
Rule: If-match carl 3
CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
Green action : pass
Yellow action : pass
Red action : discard
Green packets : 0 (Packets), 0 (Bytes)
Yellow packets: 0 (Packets), 0 (Bytes)
Red packets : 0 (Packets), 0 (Bytes)
Rule: If-match carl 4
CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
Green action : pass
Yellow action : pass
Red action : discard
Green packets : 0 (Packets), 0 (Bytes)
Yellow packets: 0 (Packets), 0 (Bytes)
Red packets : 0 (Packets), 0 (Bytes)
[Router] display qos car interface gigabitethernet 0/2
Interface: GigabitEthernet0/2
Direction: inbound
Rule: If-match carl 1
CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
Green action : pass
Yellow action : pass
Red action : discard
Green packets : 0 (Packets), 0 (Bytes)
Yellow packets: 0 (Packets), 0 (Bytes)
Red packets : 0 (Packets), 0 (Bytes)
Rule: If-match carl 2
CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
Green action : pass
Yellow action : pass
Red action : discard
Green packets : 0 (Packets), 0 (Bytes)
Yellow packets: 0 (Packets), 0 (Bytes)
Red packets : 0 (Packets), 0 (Bytes)
Direction: outbound
Rule: If-match carl 3
CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
Green action : pass
Yellow action : pass
Red action : discard
Green packets : 0 (Packets), 0 (Bytes)
Yellow packets: 0 (Packets), 0 (Bytes)
Red packets : 0 (Packets), 0 (Bytes)
Rule: If-match carl 4
CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
Green action : pass
Yellow action : pass
Red action : discard
Green packets : 0 (Packets), 0 (Bytes)
Yellow packets: 0 (Packets), 0 (Bytes)
Red packets : 0 (Packets), 0 (Bytes)
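The policer shown above colors each packet green, yellow or red against CIR 512 kbps, CBS 32000 bytes and EBS 0, and discards red. The following Python script is an added example, not code from the H3C guide: it models that action as an RFC 2697 single-rate three-color marker (treating the Comware CAR implementation as an srTCM, including its refill granularity, is an assumption) and runs it over a constructed trace, a 60 000-byte burst from one host followed by a steady stream just under CIR. The class and function names are the example's own.

```python
"""Single-rate three-color marker (RFC 2697) with the CAR parameters shown above.
Added example, not code from the H3C guide; treating the Comware CAR action as
an srTCM is an assumption, and the packet trace is constructed."""


class SrTCM:
    """Color-blind srTCM: a committed bucket of CBS bytes and an excess bucket of
    EBS bytes, both refilled at CIR; a packet is green if it fits the committed
    bucket, yellow if it fits the excess bucket, otherwise red."""

    def __init__(self, cir_kbps: int, cbs: int, ebs: int):
        self.rate = cir_kbps * 1000 / 8.0          # CIR in bytes per second
        self.cbs, self.ebs = cbs, ebs
        self.tc, self.te = float(cbs), float(ebs)  # both buckets start full
        self.last = 0.0
        self.stats = {"green": [0, 0], "yellow": [0, 0], "red": [0, 0]}  # packets, bytes

    def _refill(self, now: float) -> None:
        tokens = max(0.0, now - self.last) * self.rate
        self.last = now
        new_tc = self.tc + tokens
        if new_tc > self.cbs:                      # committed bucket full: overflow to excess bucket
            self.te = min(self.ebs, self.te + (new_tc - self.cbs))
            new_tc = self.cbs
        self.tc = new_tc

    def mark(self, now: float, size: int) -> str:
        self._refill(now)
        if size <= self.tc:
            color, self.tc = "green", self.tc - size
        elif size <= self.te:
            color, self.te = "yellow", self.te - size
        else:
            color = "red"                          # no tokens consumed
        self.stats[color][0] += 1
        self.stats[color][1] += size
        return color


# Actions from the display qos car interface output above.
ACTIONS = {"green": "pass", "yellow": "pass", "red": "discard"}


def run_trace(trace, cir_kbps=512, cbs=32000, ebs=0):
    """Police a trace of (time_s, bytes) tuples; return per-packet colors and the counters."""
    meter = SrTCM(cir_kbps, cbs, ebs)
    colors = [meter.mark(t, size) for t, size in trace]
    return colors, meter.stats


def constructed_trace():
    """Constructed input: forty 1500-byte packets at t=0 (60 000 bytes, nearly twice CBS)
    from one host, then one 1500-byte packet every 25 ms from t=1 s (480 kbps, under CIR)."""
    burst = [(0.0, 1500)] * 40
    steady = [(1.0 + 0.025 * i, 1500) for i in range(40)]
    return burst + steady


if __name__ == "__main__":
    colors, stats = run_trace(constructed_trace())
    for color, (pkts, nbytes) in stats.items():
        print("%-6s %-7s %3d packets %6d bytes" % (color, ACTIONS[color], pkts, nbytes))
```

With EBS 0 there is no yellow: the burst is cut after 21 packets (31 500 bytes fit the 32 000-byte committed bucket) and the remaining 19 are red and discarded, while the steady 480 kbps stream is entirely green. Passing ebs=16000 to run_trace shows the role of the excess bucket: ten of those 19 packets become yellow and pass.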
(6) Save the configuration
# Save the configuration on the egress router Router.
[Router] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
(1) Two PCs in the same department can ping each other.
# Taking the department in VLAN 10 as the example, the PCs reach each other at Layer 2 through ACCSW1. If the PCs can ping each other, Layer 2 connectivity is working.
<PC1> ping 192.168.10.83
Ping 192.168.10.83 (192.168.10.83): 56 data bytes, press CTRL+C to break
56 bytes from 192.168.10.83: icmp_seq=0 ttl=255 time=1.328 ms
56 bytes from 192.168.10.83: icmp_seq=1 ttl=255 time=0.808 ms
56 bytes from 192.168.10.83: icmp_seq=2 ttl=255 time=0.832 ms
56 bytes from 192.168.10.83: icmp_seq=3 ttl=255 time=0.904 ms
56 bytes from 192.168.10.83: icmp_seq=4 ttl=255 time=0.787 ms
--- Ping statistics for 192.168.10.83 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.787/0.932/1.328/0.202 ms
(2) PCs in two different departments can ping each other.
# Communication between departments goes through CORESW1 or CORESW2. If the PCs can ping each other, Layer 3 connectivity between the two departments through the VLAN interfaces is working.
<PC1> ping 192.168.20.5
Ping 192.168.20.5 (192.168.20.5): 56 data bytes, press CTRL+C to break
56 bytes from 192.168.20.5: icmp_seq=0 ttl=255 time=69.146 ms
56 bytes from 192.168.20.5: icmp_seq=1 ttl=255 time=1.735 ms
56 bytes from 192.168.20.5: icmp_seq=2 ttl=255 time=1.356 ms
56 bytes from 192.168.20.5: icmp_seq=3 ttl=255 time=1.302 ms
56 bytes from 192.168.20.5: icmp_seq=4 ttl=255 time=1.379 ms
--- Ping statistics for 192.168.20.5 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.302/14.984/69.146/27.082 ms
(3) One PC in each department can ping the Internet.
# Taking the department in VLAN 10 as the example, ping the public gateway address (the IP address of the ISP device facing the egress router) from PC1 to verify Internet access. If the ping succeeds, internal users can reach the Internet. The test method is the same as in step (1).
· Access switch ACCSW1:
#
sysname ACCSW1
#
telnet server enable
#
dhcp snooping enable
#
vlan 5
#
vlan 10
#
vlan 20
#
stp bpdu-protection
#
interface Vlan-interface5
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 10
stp edged-port
ip verify source ip-address mac-address
dhcp snooping binding record
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 20
stp edged-port
ip verify source ip-address mac-address
dhcp snooping binding record
#
interface GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20
dhcp snooping trust
#
interface GigabitEthernet1/0/4
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20
#
interface Ten-GigabitEthernet1/0/10
port link-mode bridge
port access vlan 5
#
line vty 0 63
authentication-mode scheme
#
local-user admin class manage
password hash $h$6$ZJSf20ub4uEzjy2F$cXW3O3Jt5Ci21ECze7w2MdRpLebMaE4vXBo59frUrIZs+Knxw76oNBu+HiB0zqkTfrnw1Phe0rSRa5d+OSIIbg==
service-type telnet
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
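The ACCSW1 file above is what the DHCP snooping and IP source guard protection of this case rests on, and it is the kind of file that drifts over time. The Python script below is an added example, not code from the H3C guide: it parses a Comware running configuration into sections and reports every PC-facing access port that lacks stp edged-port, dhcp snooping binding record or ip verify source, every trunk left untrusted for DHCP snooping, and the global settings the design needs. ACCSW1_CFG is a copy of the ACCSW1 file above with the VLAN, management-interface and local-user sections left out, plus a made-up GigabitEthernet1/0/6 access port that carries none of the per-port settings. The untrusted-trunk finding on GigabitEthernet1/0/4 is real in the page's own file: DHCP replies arriving on that trunk are dropped by DHCP snooping, which is correct only if that link does not lead toward the DHCP server. The function names are the example's own.

```python
"""Audit an access-switch running configuration for the DHCP snooping, IP source
guard and BPDU guard settings this case depends on. Added example, not code from
the H3C guide. ACCSW1_CFG is a copy of the ACCSW1 file above with the VLAN,
management and local-user sections left out, plus a made-up GigabitEthernet1/0/6
access port that lacks the per-port settings."""

ACCSW1_CFG = """\
#
sysname ACCSW1
#
telnet server enable
#
dhcp snooping enable
#
stp bpdu-protection
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port access vlan 10
 stp edged-port
 ip verify source ip-address mac-address
 dhcp snooping binding record
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 20
 stp edged-port
 ip verify source ip-address mac-address
 dhcp snooping binding record
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 10 20
 dhcp snooping trust
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 10 20
#
interface GigabitEthernet1/0/6
 port link-mode bridge
 port access vlan 10
#
line vty 0 63
 authentication-mode scheme
#
"""

# Per-port settings every PC-facing access port in this case must carry.
ACCESS_REQUIRED = (
    "stp edged-port",                           # with stp bpdu-protection: shut the port on BPDUs
    "dhcp snooping binding record",             # build the IP/MAC/port binding from DHCP
    "ip verify source ip-address mac-address",  # IP source guard: drop traffic outside the binding
)


def parse_config(text: str) -> dict:
    """Map each top-level Comware config line to its indented child lines
    (top-level commands without children map to an empty list)."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def audit_access_switch(text: str) -> list:
    """Return (where, finding) tuples; an empty list means the config matches the design."""
    cfg = parse_config(text)
    findings = []
    if "dhcp snooping enable" not in cfg:
        findings.append(("global", "dhcp snooping enable missing: rogue DHCP servers are not filtered"))
    if "stp bpdu-protection" not in cfg:
        findings.append(("global", "stp bpdu-protection missing: edge ports are not shut down on BPDUs"))
    if "telnet server enable" in cfg:
        findings.append(("global", "telnet server enabled: management sessions are cleartext"))
    vty = next((lines for header, lines in cfg.items() if header.startswith("line vty")), [])
    if "authentication-mode scheme" not in vty:
        findings.append(("line vty", "VTY lines do not use scheme authentication"))
    for header, lines in cfg.items():
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        if any(line.startswith("port access vlan") for line in lines):
            for required in ACCESS_REQUIRED:
                if required not in lines:
                    findings.append((name, "access port missing '%s'" % required))
        elif "port link-type trunk" in lines and "dhcp snooping trust" not in lines:
            findings.append((name, "untrusted trunk: DHCP replies arriving here are dropped; "
                                   "fine only if this link does not lead toward the DHCP server"))
    return findings


if __name__ == "__main__":
    for where, finding in audit_access_switch(ACCSW1_CFG):
        print("%-22s %s" % (where, finding))
```

Run against a real file, the script is only as good as its section parser: Comware indents child lines by one space, which is what parse_config relies on, so feed it the output of display current-configuration rather than a copy that lost its indentation.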
· Access switches ACCSW2, ACCSW3 and ACCSW4:
Apart from the VLAN IDs, the management VLAN interface IP address and the interface numbers, ACCSW2, ACCSW3 and ACCSW4 are configured identically to ACCSW1; their configuration files are omitted.
· Core switch CORESW1
#
sysname CORESW1
#
track 1 interface GigabitEthernet1/0/7
#
ospf 100 router-id 2.2.2.2
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.16.3.0 0.0.0.255
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
#
dhcp enable
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 100
#
vlan 300
#
ftth
#
dhcp server ip-pool 1
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
dns-list 202.101.100.199
expired day 30
static-bind ip-address 192.168.10.254 mask 255.255.255.0 client-identifier aabb-cccc-dd
#
dhcp server ip-pool 2
gateway-list 192.168.20.1
network 192.168.20.0 mask 255.255.255.0
dns-list 202.101.100.199
expired day 30
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.20.1 255.255.255.0
#
interface Vlan-interface100
ip address 172.16.1.1 255.255.255.0
#
interface Vlan-interface300
ip address 172.16.3.1 255.255.255.0
vrrp vrid 1 virtual-ip 172.16.3.10
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode delay 5000
vrrp vrid 1 track 1 priority reduced 30
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 10
#
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 20
#
interface GigabitEthernet1/0/5
port link-mode bridge
port link-type trunk
port trunk permit vlan 300
#
· Core switch CORESW2:
Apart from the VLAN IDs, the interface numbers, the OSPF router ID and the priority in VRRP group 1, CORESW2 is configured identically to CORESW1; its configuration file is omitted.
· Egress router Router
#
sysname Router
#
packet-filter default deny
#
qos carl 1 source-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth
qos carl 2 source-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth
qos carl 3 destination-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth
qos carl 4 destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth
#
ospf 10 router-id 1.1.1.1
default-route-advertise always
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255
#
dns proxy enable
dns server 202.101.100.199
#
interface GigabitEthernet0/1
port link-mode route
ip address 172.16.1.2 255.255.255.0
packet-filter 2000 inbound
qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
qos car inbound carl 2 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
qos car outbound carl 3 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
qos car outbound carl 4 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
#
interface GigabitEthernet0/2
port link-mode route
ip address 172.16.2.2 255.255.255.0
packet-filter 2000 inbound
qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
qos car inbound carl 2 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
qos car outbound carl 3 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
qos car outbound carl 4 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
#
interface GigabitEthernet0/0
port link-mode route
ip address 202.101.100.2 255.255.255.252
#
ip route-static 0.0.0.0 0 202.101.100.1
#
acl basic 2000
rule 0 permit source 192.168.10.0 0.0.0.255
rule 5 permit source 192.168.20.0 0.0.0.255
rule 10 permit source 172.16.1.0 0.0.0.255
rule 15 permit source 172.16.2.0 0.0.0.255
rule 20 permit source 172.16.3.0 0.0.0.255
#
· "Logging in to the device" in the product's Fundamentals Configuration Guide.
· "Logging in to the device" in the product's Fundamentals Command Reference.
· "VLAN" in the product's Layer 2 - LAN Switching Configuration Guide.
· "VLAN" in the product's Layer 2 - LAN Switching Command Reference.
· "Ethernet link aggregation" in the product's Layer 2 - LAN Switching Configuration Guide.
· "Ethernet link aggregation" in the product's Layer 2 - LAN Switching Command Reference.
· "DHCP" in the product's Layer 3 - IP Services Configuration Guide.
· "DHCP" in the product's Layer 3 - IP Services Command Reference.
· "OSPF" in the product's Layer 3 - IP Routing Configuration Guide.
· "OSPF" in the product's Layer 3 - IP Routing Command Reference.
· "ACL" in the product's ACL and QoS Configuration Guide.
· "ACL" in the product's ACL and QoS Command Reference.
· "QoS" in the product's ACL and QoS Configuration Guide.
· "QoS" in the product's ACL and QoS Command Reference.
· "IP Source Guard" in the product's Security Configuration Guide.
· "IP Source Guard" in the product's Security Command Reference.
Documentation differs slightly between product models and specifications; contact your sales representative or the 400 service hotline for details. H3C reserves the right to modify the contents of this documentation without notice.