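1. Project Overview
1.1 Project Background

To support the company's business growth, build a high-performance, highly reliable, easy-to-manage and secure modern office network that meets the needs of 200 employees for daily office work, collaborative communication and access to business systems.

1.2 Construction Goals

Build a stable and reliable network foundation that integrates wired and wireless access.

Implement logical network isolation and access control to protect core data.

Provide seamless wireless network coverage.

Ensure high availability of key network services (such as DHCP and the gateway) with fast failover (because the S5700 cannot link DHCP with VRRP, SW2 does not act as a DHCP server).

Optimize network paths, eliminate loops, and plan IP addresses sensibly.

2. Network Design Principles
Layered architecture: use the classic core-aggregation-access three-layer model to separate functions and simplify expansion and management.

Redundancy and reliability: deploy device and link redundancy at the aggregation layer and on core links, and use VRRP for key services so that there is no single point of failure.

Security and compliance: use VLAN isolation, ACL policies and NAT to protect the network boundary and control internal access.

Ease of management: simplify day-to-day operations through sensible IP address planning, VLAN division and centralized policy deployment.

There are still many shortcomings; I will keep learning and improving.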

LSW3

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable 
Info: Information center is disabled.
[Huawei]sysname LSW3
[LSW3]vlan 10
[LSW3-vlan10]q
[LSW3]int eth0/0/1
[LSW3-Ethernet0/0/1]port link-type access    
[LSW3-Ethernet0/0/1]port default vlan 10
[LSW3-Ethernet0/0/1]int eth0/0/2  
[LSW3-Ethernet0/0/2]port link-type access  
[LSW3-Ethernet0/0/2]port default vlan 10
[LSW3-Ethernet0/0/2]quit
[LSW3]int g0/0/1
[LSW3-GigabitEthernet0/0/1]port link-type trunk 
[LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[LSW3-GigabitEthernet0/0/1]int g0/0/2
[LSW3-GigabitEthernet0/0/2]port link-type trunk 
[LSW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 10
[LSW3-GigabitEthernet0/0/2]q

[LSW3]stp mode mstp
[LSW3]stp region-configuration  
[LSW3-mst-region]region-name myRegion
[LSW3-mst-region]revision-level 1
[LSW3-mst-region]instance 10 vlan 10
[LSW3-mst-region]instance 20 vlan 20
[LSW3-mst-region]active region-configuration 
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW3-mst-region]q
[LSW3]stp enable
 

LSW5


[LSW5]vlan 20
[LSW5-vlan20]q
[LSW5]int eth0/0/1 
[LSW5-Ethernet0/0/1]port link-type access     
[LSW5-Ethernet0/0/1]port default vlan 20
[LSW5-Ethernet0/0/1]int g0/0/1
[LSW5-GigabitEthernet0/0/1]port link-type trunk  
[LSW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 20
[LSW5-GigabitEthernet0/0/1]int g0/0/2
[LSW5-GigabitEthernet0/0/2]port link-type trunk 
[LSW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 20
[LSW5-GigabitEthernet0/0/2]

[LSW5]stp mode mstp
[LSW5]stp region-configuration 
[LSW5-mst-region]region-name myRegion 
[LSW5-mst-region]revision-level 1
[LSW5-mst-region]instance 10 vlan 10
[LSW5-mst-region]instance 20 vlan 20 
[LSW5-mst-region]active region-configuration 
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW5-mst-region]q
[LSW5]stp enable

LSW6

<Huawei>sys
Enter system view, return user view with Ctrl+Z.  
[Huawei]undo info-center ena
Info: Information center is disabled.
[Huawei]sysname LSW6
[LSW6]vlan 100
[LSW6-vlan100]q
[LSW6]int eth0/0/1 
[LSW6-Ethernet0/0/1]port link-type access 
[LSW6-Ethernet0/0/1]port default vlan 100
[LSW6-Ethernet0/0/1]int g0/0/1
[LSW6-GigabitEthernet0/0/1]port link-type trunk 
[LSW6-GigabitEthernet0/0/1]port trunk allow-pass vlan 100

LSW1

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable 
Info: Information center is disabled.
[Huawei]sysname LSW1
[LSW1]vlan batch 10 20 100
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW1]int g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type trunk 
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[LSW1-GigabitEthernet0/0/1]int g0/0/2 
[LSW1-GigabitEthernet0/0/2]port link-type trunk 
[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 20
[LSW1-GigabitEthernet0/0/2]int g0/0/3 
[LSW1-GigabitEthernet0/0/3]port link-type trunk 
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 100
[LSW1-GigabitEthernet0/0/3]quit
[LSW1]int vlanif10
[LSW1-Vlanif10]ip address 192.168.10.254 24
[LSW1-Vlanif10]int vlanif20
[LSW1-Vlanif20]ip address 192.168.20.253 24
[LSW1-Vlanif20]int vlanif100
[LSW1-Vlanif100]ip address 192.168.100.254 24
[LSW1-Vlanif100]

[LSW1]int g0/0/4
[LSW1-GigabitEthernet0/0/4]port link-type trunk 
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan all

[LSW1]vlan 80
[LSW1]int vlanif80
[LSW1-Vlanif80]ip address 192.168.80.252 24

[LSW1]stp mode mstp
[LSW1]stp region-configuration 
[LSW1-mst-region]region-name myRegion 
[LSW1-mst-region]revision-level 1
[LSW1-mst-region]instance 10 vlan 10
[LSW1-mst-region]instance 20 vlan 20
[LSW1-mst-region]active region-configuration 
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW1-mst-region]quit
[LSW1]stp instance 10 root primary  
[LSW1]stp instance 20 root secondary 
[LSW1]stp enable 

[LSW1]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[LSW1]ip pool tang
Info:It's successful to create an IP address pool.
[LSW1-ip-pool-tang]q
[LSW1]int vlanif10
[LSW1-Vlanif10]dhcp select global 
[LSW1-Vlanif10]q  
[LSW1]ip pool tang
[LSW1-ip-pool-tang]gateway-list 192.168.10.254
[LSW1-ip-pool-tang]network 192.168.10.0 mask 255.255.255.0
[LSW1-ip-pool-tang]dns-list 8.8.8.8  
[LSW1-ip-pool-tang]excluded-ip-address 192.168.10.253
[LSW1-ip-pool-tang]excluded-ip-address 192.168.10.254
Error:Only idle or expired IP address can be disabled.
[LSW1-ip-pool-tang]excluded-ip-address 192.168.10.252
[LSW1-ip-pool-tang]excluded-ip-address 192.168.10.251
[LSW1-ip-pool-tang]excluded-ip-address 192.168.10.250  
[LSW1-ip-pool-tang]lease day 1
[LSW1-ip-pool-tang]quit

interface Vlanif10
 ip address 192.168.10.251 255.255.255.0

[LSW1] User interface con0 is available

Please Press ENTER.
<LSW1>sys
Enter system view, return user view with Ctrl+Z.
[LSW1]int vlanif10
[LSW1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254 
[LSW1-Vlanif10]vrrp vrid 10 priority 120  
[LSW1-Vlanif10]vrrp vrid 10 preempt-mode timer delay 5 
[LSW1-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/5 reduced 30
[LSW1-Vlanif10]q
[LSW1]int vlanif20
[LSW1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[LSW1-Vlanif20]vrrp vrid 20 priority 100  
[LSW1-Vlanif20]vrrp vrid 20 preempt-mode timer delay 5
[LSW1-Vlanif20]vrrp vrid 20 track interface g0/0/5 reduced 30
[LSW1-Vlanif20]int g0/0/5
[LSW1-GigabitEthernet0/0/5]port link-type trunk 
[LSW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 10

LSW2

<Huawei>sys
Enter system view, return user view with Ctrl+Z.  
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]vlan batch 10 20 100
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk  
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 
[Huawei-GigabitEthernet0/0/1]port link-type trunk 
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 20
[Huawei-GigabitEthernet0/0/1]q
[Huawei]int vlanif10
[Huawei-Vlanif10]ip address 192.168.10.253 24
[Huawei-Vlanif10]int vlanif20
[Huawei-Vlanif20]ip address 192.168.20.254 24

[LSW2]int vlanif100
[LSW2-Vlanif100]ip address 192.168.100.253 24
[Huawei]int g0/0/4 
[Huawei-GigabitEthernet0/0/4]port link-type trunk 
[Huawei-GigabitEthernet0/0/4]port trunk allow-pass vlan all

[LSW2]vlan batch 70 80
Info: This operation may take a few seconds. Please wait for a moment...done.

[LSW2]int g0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type trunk
[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 70 80
[LSW2-GigabitEthernet0/0/3]int g0/0/5 
[LSW2-GigabitEthernet0/0/5]port link-type trunk 
[LSW2-GigabitEthernet0/0/5]port trunk pvid vlan 70
[LSW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 70 80

[LSW2]int g0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type trunk
[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[LSW2-GigabitEthernet0/0/3]quit
[LSW2]

[LSW2]stp mode mstp
[LSW2]stp region-configuration  
[LSW2-mst-region]region-name myRegion
[LSW2-mst-region]revision-level 1
[LSW2-mst-region]instance 10 vlan 10  
[LSW2-mst-region]instance 20 vlan 20  
[LSW2-mst-region]active region-configuration 
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW2-mst-region]quit
[LSW2]stp instance 20 root primary 
[LSW2]stp instance 10 root secondary 
[LSW2]stp enable 

<LSW2>sys
Enter system view, return user view with Ctrl+Z.
[LSW2]int vlanif20 
[LSW2-Vlanif20]q
[LSW2]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[LSW2]int vlanif20
[LSW2-Vlanif20]dhcp select global 
[LSW2-Vlanif20]q
[LSW2]ip pool tang1
Info:It's successful to create an IP address pool.
[LSW2-ip-pool-tang1]gateway-list 192.168.20.254
[LSW2-ip-pool-tang1]network 192.168.20.0 mask 255.255.255.0
[LSW2-ip-pool-tang1]dns-list 8.8.8.8
[LSW2-ip-pool-tang1]excluded-ip-address 192.168.20.254
Error:Only idle or expired IP address can be disabled.
[LSW2-ip-pool-tang1]excluded-ip-address 192.168.20.253
[LSW2-ip-pool-tang1]excluded-ip-address 192.168.20.252
[LSW2-ip-pool-tang1]excluded-ip-address 192.168.20.251
[LSW2-ip-pool-tang1]excluded-ip-address 192.168.20.250

[LSW2]int vlan10
[LSW2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254 
[LSW2-Vlanif10]vrrp vrid 10 priority 100 
[LSW2-Vlanif10]vrrp vrid 10 preempt-mode timer delay 5
[LSW2-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/6 reduced 30
[LSW2-Vlanif10]q

 

[LSW2]int vlanif20
[LSW2-Vlanif20]ip address 192.168.20.251 24 
[LSW2-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[LSW2-Vlanif20]vrrp vrid 20 priority 120 
[LSW2-Vlanif20]vrrp vrid 20 preempt-mode timer delay 5  
[LSW2-Vlanif20]vrrp vrid 20 track interface g0/0/6 reduced 30
[LSW2]int g0/0/6
[LSW2-GigabitEthernet0/0/6]port link-type access
[LSW2-GigabitEthernet0/0/6]port default vlan 20
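
The failover behaviour that the VRRP priority and track settings above are meant to produce can be checked offline. The following is an added example, not part of the original post: it parses the vrrp lines from the LSW1 and LSW2 sessions and elects the master per VRID for a given set of failed tracked ports. The function names and the (switch, port) form of the `down` argument are assumptions of this sketch.

```python
import re

# Constructed input: the VRRP priority and track lines from the LSW1 and LSW2
# sessions on this page (trailing spaces removed).
SESSION = """\
[LSW1-Vlanif10]vrrp vrid 10 priority 120
[LSW1-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/5 reduced 30
[LSW1-Vlanif20]vrrp vrid 20 priority 100
[LSW1-Vlanif20]vrrp vrid 20 track interface g0/0/5 reduced 30
[LSW2-Vlanif10]vrrp vrid 10 priority 100
[LSW2-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/6 reduced 30
[LSW2-Vlanif20]vrrp vrid 20 priority 120
[LSW2-Vlanif20]vrrp vrid 20 track interface g0/0/6 reduced 30
"""

PRIO = re.compile(r"\[(\w+)-\S+\]vrrp vrid (\d+) priority (\d+)")
TRACK = re.compile(
    r"\[(\w+)-\S+\]vrrp vrid (\d+) track interface \D*([\d/]+) reduced (\d+)")

def parse(session):
    """Return {(switch, vrid): {"priority": int, "track": (port, reduce)}}."""
    groups = {}
    for line in session.splitlines():
        if m := PRIO.match(line):
            groups.setdefault((m[1], int(m[2])), {})["priority"] = int(m[3])
        elif m := TRACK.match(line):
            groups.setdefault((m[1], int(m[2])), {})["track"] = (m[3], int(m[4]))
    return groups

def masters(groups, down=()):
    """Elect the master per VRID; `down` holds (switch, port) pairs that are down.

    Preemption is assumed to be on, as configured on the page. Equal priorities
    (broken by the higher interface IP in real VRRP) are not modelled.
    """
    best = {}
    for (switch, vrid), cfg in groups.items():
        prio = cfg.get("priority", 100)        # 100 is the VRRP default priority
        port, reduce = cfg.get("track", (None, 0))
        if (switch, port) in down:
            prio -= reduce                     # tracked uplink lost
        if vrid not in best or prio > best[vrid][1]:
            best[vrid] = (switch, prio)
    return best

if __name__ == "__main__":
    g = parse(SESSION)
    print("normal:       ", masters(g))
    print("LSW1 g0/0/5 down:", masters(g, down={("LSW1", "0/0/5")}))
```

The reduction of 30 is larger than the priority gap of 20 between the two switches, which is what lets the backup take over when the tracked port fails.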

AC1

<AC6005>
<AC6005>sys
Enter system view, return user view with Ctrl+Z. 
[AC6005]undo info-center enable 
Info: Information center is disabled.
[AC6005]sysname AC1
[AC1]vlan batch 70 80
Info: This operation may take a few seconds. Please wait for a moment...done.
[AC1]int g0/0/1  
[AC1-GigabitEthernet0/0/1]port link-type trunk  
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 70 80
[AC1-GigabitEthernet0/0/1]quit
[AC1]int vlanif70
[AC1-Vlanif70]ip address 192.168.70.254 24
[AC1-Vlanif70]int vlanif80
[AC1-Vlanif80]ip address 192.168.80.254 24
[AC1-Vlanif80]q
[AC1]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[AC1]ip pool 123
Info: It is successful to create an IP address pool.
[AC1-ip-pool-123]gateway-list 192.168.70.254
[AC1-ip-pool-123]network 192.168.70.0 mask 255.255.255.0
[AC1-ip-pool-123]quit
[AC1]ip pool huawei
Info: It is successful to create an IP address pool.  
[AC1-ip-pool-huawei]gateway-list 192.168.80.254 
[AC1-ip-pool-huawei]network 192.168.80.0 mask 255.255.255.0  
[AC1-ip-pool-huawei]excluded-ip-address 192.168.80.254
Error: The gateway cannot be excluded.
[AC1-ip-pool-huawei]excluded-ip-address 192.168.80.253
[AC1-ip-pool-huawei]excluded-ip-address 192.168.80.252
[AC1-ip-pool-huawei]excluded-ip-address 192.168.80.251
[AC1-ip-pool-huawei]excluded-ip-address 192.168.80.250   
[AC1-ip-pool-huawei]dns-list 8.8.8.8  
[AC1-ip-pool-huawei]lease day 1
[AC1-ip-pool-huawei]q
[AC1]int vlan70
[AC1-Vlanif70]dhcp select global 
[AC1-Vlanif70]int vlanif80  
[AC1-Vlanif80]dhcp select global 

[AC1]capwap source interface vlanif80 
[AC1]wlan   
[AC1-wlan-view]regulatory-domain-profile name default 
[AC1-wlan-regulate-domain-default]country-code CN 
Info: The current country code is same with the input country code.
[AC1-wlan-regulate-domain-default]q 
[AC1-wlan-view]security-profile name office-sec
[AC1-wlan-sec-prof-office-sec]security wpa2 psk pass-phrase huawei123 aes
[AC1-wlan-sec-prof-office-sec]quit  
[AC1-wlan-view]ssid-profile name office-ssid
[AC1-wlan-ssid-prof-office-ssid]ssid office-wifi
Info: This operation may take a few seconds, please wait.done.
<AC1>sys
Enter system view, return user view with Ctrl+Z.
[AC1]wlan 
[AC1-wlan-view]vap-profile name office-vap 
[AC1-wlan-vap-prof-office-vap]forward-mode tunnel 
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-office-vap]service-vlan vlan-id 80
Info: This operation may take a few seconds, please wait.done.  
[AC1-wlan-vap-prof-office-vap]ssid-profile office-ssid
Info: This operation may take a few seconds, please wait.done. 
[AC1-wlan-vap-prof-office-vap]security-profile office-sec
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-office-vap]quit

[AC1-wlan-view]quit

[AC1]wlan
[AC1-wlan-view]ap-group name office-group
Info: This operation may take a few seconds. Please wait for a moment.done.
[AC1-wlan-ap-group-office-group]regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-office-group]vap-profile office-vap wlan 1 radio all
Info: This operation may take a few seconds, please wait...done.
[AC1-wlan-ap-group-office-group]quit
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc1c-4cb0
[AC1-wlan-ap-1]ap-name AP-office
[AC1-wlan-ap-1]ap-group office-group
[AC1-wlan-ap-1]quit
[AC1-wlan-view]quit

[AC6605]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[AC6605]int vlan10
[AC6605-Vlanif10]ip address 192.168.10.252 24
[AC6605-Vlanif10]int vlanif20
[AC6605-Vlanif20]ip address 192.168.20.252 24
[AC6605-Vlanif20]

[AC6605]int g0/0/1
[AC6605-GigabitEthernet0/0/1]port link-type trunk 
[AC6605-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[AC6605-GigabitEthernet0/0/1]quit

[AC6605]ip route-static 192.168.137.0 24 192.168.20.251

[AC6605]stp mode mstp
[AC6605]stp region-configuration 
Info: Please activate the stp region-configuration after it is modified.
[AC6605-mst-region]region-name myRegion
[AC6605-mst-region]revision-level 1 
[AC6605-mst-region]active region-configuration 
Info: This operation may take a few seconds. Please wait for a moment...done.
[AC6605-mst-region]q
[AC6605]stp enable
 

At this point the whole network can communicate; next, the VRRP and MSTP protocols are used.

AR1

[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]ip address 192.168.137.2 24
 

[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.10.250 24
 

[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.20.250 24
 

[Huawei]ip route-static 0.0.0.0 0.0.0.0 192.168.137.1

[Huawei]ip route-static 192.168.80.0 24 192.168.20.251

[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 permit
[Huawei-acl-basic-2000]q
[Huawei]int g0/0/2   
[Huawei-GigabitEthernet0/0/2]nat outbound 2000
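
The design principles call for VLAN isolation and ACL-based access control, so it is worth checking the sessions against them. The following is an added example, not part of the original post: a small lint over VRP session lines that reports disabled logging, trunks that pass every VLAN, a short WPA2 pass-phrase, and a NAT ACL that matches any source. `MIN_PSK_LEN` and the finding texts are assumptions of this sketch.

```python
import re

# Constructed input: lines copied from the device sessions on this page.
SESSION = """\
[Huawei]undo info-center enable
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[AC1-wlan-sec-prof-office-sec]security wpa2 psk pass-phrase huawei123 aes
[AC6605-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 permit
[Huawei-GigabitEthernet0/0/2]nat outbound 2000
"""

PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(.*)$")
MIN_PSK_LEN = 12  # hypothetical local policy value, not a Huawei default

def audit(session):
    """Return a sorted list of (prompt context, finding) tuples."""
    findings, open_acls = set(), set()
    for raw in session.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue                      # device output such as "Info: ..."
        ctx, cmd = m[1], " ".join(m[2].split())
        if cmd == "undo info-center enable":
            findings.add((ctx, "information center (logging) disabled"))
        elif cmd == "port trunk allow-pass vlan all":
            findings.add((ctx, "trunk permits every VLAN"))
        elif (p := re.search(r"psk pass-phrase (\S+)", cmd)) and len(p[1]) < MIN_PSK_LEN:
            # The pass-phrase itself is deliberately not echoed in the finding.
            findings.add((ctx, f"PSK shorter than {MIN_PSK_LEN} characters"))
        elif (a := re.search(r"acl-\w+-(\d+)$", ctx)) and re.fullmatch(r"rule \d+ permit", cmd):
            open_acls.add(a[1])           # permit with no source matches any address
        elif (n := re.fullmatch(r"nat outbound (\d+)", cmd)) and n[1] in open_acls:
            findings.add((ctx, f"NAT ACL {n[1]} permits any source"))
    return sorted(findings)

if __name__ == "__main__":
    for ctx, finding in audit(SESSION):
        print(f"{ctx}: {finding}")
```

Tighter settings would list only the required VLANs on each trunk and give the ACL rule an explicit source range for the internal subnets.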

Verified by querying.

