数据通信 - 建设篇
第四章 华为/华三交换机快速构建三层架构拓扑CLI
- 数据通信 - 建设篇
- 系列文章回顾
- 华为/华三交换机快速构建三层架构拓扑CLI
- 背景介绍
- 物料列表
- 拓扑技术
- 实验参数
- 接入层交换机快速构建
- 接入层PoE设备交换机快速构建
- 交换机配置验收和确认
- 汇聚层交换机快速构建
- 核心层交换机快速构建
- 交换机配置验收和确认
- 无线控制器快速构建
- 无线控制器配置验收和确认
系列文章回顾
第一章 华为/华三交换机配置自动备份到FTP/SFTP第二章 华为/华三交换机配置SSH免密登录第三章 华为/华三交换机配置NTP时钟同步
华为/华三交换机快速构建三层架构拓扑CLI
背景介绍
内网从零到一构建三层架构的网络拓扑设计,将使用华为交换机和华三交换机完成快速构建,本文仅记录CLI的命令,全干货实操无理论。
物料列表
- 接入层交换机型号 (经过实验的型号列表) :
Client:FutureMatrix S1730S-S48T4S-A1
,HUAWEI S1730S-S48T4S-A
PoE:FutureMatrix S1730S-S24P4S-A1
,FutureMatrix S1730S-S24P4S-A2
,H3C S5024PV3-EI-PWR
- 汇聚层交换机型号 (经过实验的型号列表) :
FutureMatrix S5735S-L24T4S-A1
,HUAWEI S5735S-L48T4S-A1
,HUAWEI S5720-52P-LI-AC
- 核心层交换机型号 (实验仅使用S5系列作为核心层。实际上架推荐使用S7及以上的系列) :
HUAWEI S5720-32P-EI-AC
- 无线控制器型号:
H3C WX2540H
拓扑技术
-
RSTP
快速生成树 - 汇聚层上联核心层使用链路聚合
- 堆叠技术,使用堆叠线缆互联2台核心交换机
实验参数
- 交换机dns server:
1.1.1.1
,1.1.1.2
- 交换机管理网段sw-manage:
vlan 200
,ip address 1.1.200.0/24
- 核心层交换机管理地址:
vlanif200 1.1.200.254/24
- 1楼划分VLAN:
vlan 11
,vlanif11 1.1.11.0/24
- 监控网段:
vlan 60
- 无线访客网段:
vlan 88
- 无线免认证网段:
vlan 80
- 无线实名认证网段:
vlan 84
- 无线哑终端网段:
vlan 90
接入层交换机快速构建
注意事项:电口上联用电口板卡最后2个电口,光口上联用光口板卡前2个光口。
本案例光口上联和电口上联都有涉及,注意区分。
涉及console口和配置local-user的密码时会弹出Y/N确认,本案例未写出Y/N确认,命令需修改才能用来刷脚本请注意。
# 连接终端用户的接入层交换机
# FutureMatrix S1730S-S48T4S-A1
# HUAWEI S1730S-S48T4S-A
sys
sysname L2sw-1F-Client-01
dns reslove
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]
vlan 11
desc 1f
quit
vlan 200
desc sw-manage
quit
int range gi 0/0/1 to gi 0/0/47
desc Client
port link-type access
port default vlan 11
stp edged-port enable
quit
int gi 0/0/48
desc up-sw-link-GE0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11 200
quit
undo int vlan 1
int vlan 200
desc sw-manage-ip
ip addr 1.1.200.111 24
quit
ip route-static 0.0.0.0 0.0.0.0 1.1.200.254
stp enable
stp mode rstp
lldp enable
http server enable
http secure-server enable
http server-source -i vlan 200
stelnet server enable
ssh user admin
ssh user admin authen all
ssh user admin service-type all
ssh server-source -i vlan 200
aaa
local-aaa-user password policy administrator
pass expire 0
quit
local-user admin pass irr [password] privilege level 15
local-user admin idle-timeout 30 access-limit 5
local-user admin ftp-directory flash:/
local-user admin service-type terminal ssh ftp http
local-user admin state active
quit
user-int console 0
authen pass
set authen pass cipher [password]
quit
user-int vty 0 4
authen aaa
user privilege level 15
protocol inbound all
quit
undo ntp server disable
clock timezone Beijing,Chongqing,Hongkon,Urumqi add 08:00:00
ntp-service unicast-server 1.1.200.254
quit
save force
接入层PoE设备交换机快速构建
# 连接PoE设备的接入层交换机 - HUAWEI
# FutureMatrix S1730S-S24P4S-A1
# FutureMatrix S1730S-S24P4S-A2
sys
sysname L2sw-1F-POE-01
dns reslove
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]
vlan 60
desc monitor
quit
vlan 80
desc office
quit
vlan 84
desc portal-office
quit
vlan 88
desc guest
quit
vlan 90
desc terminal
quit
vlan 200
desc sw-manage
quit
int range gi 0/0/1 to gi 0/0/10
desc AP
poe enable
port link-type trunk
port trunk pvid vlan 200
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80 84 88 90 200
stp edged-port enable
quit
int range gi 0/0/11 to gi 0/0/23
desc monitor
poe enable
port link-type access
port default vlan 60
stp edged-port enable
quit
int gi 0/0/24
desc up-sw-link-GE0/0/2
undo poe enable
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
quit
undo int vlan 1
int vlan 200
desc sw-manage-ip
ip addr 1.1.200.112 24
quit
ip route-static 0.0.0.0 0.0.0.0 1.1.200.254
stp enable
stp mode rstp
lldp enable
http server enable
http secure-server enable
http server-source -i vlan 200
stelnet server enable
ssh user admin
ssh user admin authen all
ssh user admin service-type all
ssh server-source -i vlan 200
aaa
local-aaa-user password policy administrator
pass expire 0
quit
local-user admin pass irr [password] privilege level 15
local-user admin idle-timeout 30 access-limit 5
local-user admin ftp-directory flash:/
local-user admin service-type terminal ssh ftp http
local-user admin state active
quit
user-int console 0
authen pass
set authen pass cipher [password]
quit
user-int vty 0 4
authen aaa
user privilege level 15
protocol inbound all
quit
undo ntp server disable
clock timezone Beijing,Chongqing,Hongkon,Urumqi add 08:00:00
ntp-service unicast-server 1.1.200.254
quit
save force
# 连接PoE设备的接入层交换机 - H3C
# H3C S5024PV3-EI-PWR
sys
sysname L2sw-1F-POE-02
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]
vlan 60
name monitor
quit
vlan 80
name office
quit
vlan 84
name portal-office
quit
vlan 88
name guest
quit
vlan 90
name terminal
quit
vlan 200
name sw-manage
quit
int range gi 1/0/1 to gi 1/0/10
desc AP
poe enable
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 60 80 84 88 90 200
stp edged-port
quit
int range gi 1/0/11 to gi 1/0/23
desc monitor
poe enable
port link-type access
port access vlan 60
stp edged-port
quit
int gi 1/0/24
desc up-sw-link-GE0/0/3
undo poe enable
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2 to 4094
stp point-to-point force-true
quit
undo int vlan 1
int vlan 200
desc sw-manage-ip
ip addr 1.1.200.113 24
ntp-service broadcast-client
quit
ip route-static 0.0.0.0 0 1.1.200.254
stp mode rstp
stp global enable
lldp global enable
ip http enable
ip https enable
ssh server enable
sftp server enable
ssh user admin service-type all authentication-type any
local-user admin class manage
pass simple [password]
service-type https ssh terminal ftp
authorization-attr user-role level-15
authorization-attr work-directory flash:/
quit
user-int aux 0
authen scheme
user-role network-admin
quit
user-int vty 0 4
authen scheme
protocol inbound all
quit
clock timezone Beijing add 08:00:00
clock protocol ntp
quit
save force
交换机配置验收和确认
# 配置验收和确认 -- 放在最后步骤再验收配置
# ping验证
<switch>ping 1.1.200.254
PING 1.1.200.254: 56 data bytes, press CTRL_C to break
Reply from 1.1.200.254: bytes=56 Sequence=1 ttl=254 time=1 ms
Reply from 1.1.200.254: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 1.1.200.254: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 1.1.200.254: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 1.1.200.254: bytes=56 Sequence=5 ttl=254 time=1 ms
--- 1.1.200.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
# lldp邻居发现验证
<switch>dis lldp neighbor brief
Local Intf Neighbor Dev Neighbor Intf Exptime(s)
GE0/0/48 L3sw-1F GE0/0/3 107
汇聚层交换机快速构建
注意事项:电口上联用电口板卡最后2个电口,光口上联用光口板卡前2个光口。
本案例光口上联和电口上联都有涉及,注意区分。
涉及console口和配置local-user的密码时会弹出Y/N确认,本案例未写出Y/N确认,命令需修改才能用来刷脚本请注意。
# 汇聚层交换机: 下联接入层交换机, 上联核心层交换机.
# FutureMatrix S5735S-L24T4S-A1
# HUAWEI S5735S-L48T4S-A1
# HUAWEI S5720-52P-LI-AC
sys
sysname L3sw-1F
dns reslove
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]
vlan 11
desc 1f
quit
vlan 60
desc monitor
quit
vlan 80
desc office
quit
vlan 84
desc portal-office
quit
vlan 88
desc guest
quit
vlan 90
desc terminal
quit
vlan 200
desc sw-manage
quit
int range gi 0/0/1 to gi 0/0/48
desc L2sw
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
stp point-to-point force-true
quit
int eth1
desc up-sw-link-GE0-1/0/1
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
stp point-to-point force-true
mode lacp
trunkport gi 0/0/51 to gi 0/0/52 mode active
quit
undo int vlan 1
int vlan 200
desc sw-manage-ip
ip addr 1.1.200.119 24
ntp-service broadcast-client
quit
ip route-static 0.0.0.0 0.0.0.0 1.1.200.254
stp enable
stp mode rstp
lldp enable
http server enable
http secure-server enable
http server-source -i vlan 200
stelnet server enable
ssh user admin
ssh user admin authen all
ssh user admin service-type all
ssh server-source -i vlan 200
aaa
local-aaa-user password policy administrator
pass expire 0
quit
local-user admin pass irr [password] privilege level 15
local-user admin idle-timeout 30 access-limit 5
local-user admin ftp-directory flash:/
local-user admin service-type terminal ssh ftp http
local-user admin state active
quit
user-int console 0
authen pass
set authen pass cipher [password]
quit
user-int vty 0 4
authen aaa
user privilege level 15
protocol inbound all
quit
undo ntp server disable
ntp-service ipv6 disable
ntp-service ipv6 server disable
ntp-service sync-interval 360
ntp-service source-interface Vlanif200
clock timezone Beijing,Chongqing,Hongkon,Urumqi add 08:00:00
quit
save force
核心层交换机快速构建
# 2台核心层交换机分别下联汇聚层交换机, 组建堆叠系统
# HUAWEI S5720-32P-EI-AC
# 堆叠交换机1
sys
sysname Core-L3sw-Stack01
dis stack config
stack slot 0 priority 200
stack slot 0 renumber 0
quit
save
y
# 堆叠交换机2
sys
sysname Core-L3sw-Stack02
dis stack config
stack slot 0 priority 100
stack slot 0 renumber 1
quit
save
y
### 2台堆叠交换机先后重启, 先重启主交换机再重启次交换机
### 开机后检查堆叠状态
dis stack config
dis stack port brief
dis stack peers
dis stack channel all
### console口接入任何一台堆叠交换机都会进入堆叠系统, 开始配置核心层交换机
sys
sysname Core-L3sw
dns reslove
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]
vlan 11
desc 1f
quit
vlan 60
desc monitor
quit
vlan 80
desc office
quit
vlan 84
desc portal-office
quit
vlan 88
desc guest
quit
vlan 90
desc terminal
quit
vlan 200
desc sw-manage
quit
undo int vlan 1
int vlan 11
desc 1F DHCP
ip addr 1.1.11.254 24
dhcp select global
quit
int vlan 60
desc monitor
ip addr 1.1.60.254 22
quit
int vlan 80
desc office
ip addr 1.1.80.254 22
dhcp select global
quit
int vlan 84
desc portal-office
ip addr 1.1.84.254 22
dhcp select global
quit
int vlan 88
desc guest
ip addr 1.1.88.254 24
dhcp select global
quit
int vlan 90
desc terminal
ip addr 1.1.90.254 24
dhcp select global
quit
int vlan 200
desc sw-manage-ip
ip addr 1.1.200.119 24
ntp-service broadcast-server
quit
int eth 1
desc L3sw-1F-GE0/0/51-52
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
stp point-to-point force-true
mode lacp
trunkport gi 0/0/1 mode active
trunkport gi 1/0/1 mode active
quit
int eth 2
description ac_200.201_GE1/0/4-5
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
stp point-to-point force-true
trunkport gi 0/0/2 mode active
trunkport gi 1/0/2 mode active
quit
dhcp enable
ip pool vlan11
gateway-list 1.1.11.254
network 1.1.11.0 mask 255.255.255.0
lease day 3 hour 0 minute 0
dns-list 1.1.1.1 1.1.1.2
domain-name [mydomainname_1F]
quit
ip pool vlan80
gateway-list 1.1.80.254
network 1.1.80.0 mask 255.255.252.0
lease day 1 hour 12 minute 0
dns-list 1.1.1.1 1.1.1.2
quit
ip pool vlan84
gateway-list 1.1.84.254
network 1.1.84.0 mask 255.255.252.0
lease day 1 hour 12 minute 0
dns-list 1.1.1.1 1.1.1.2
quit
ip pool vlan88
gateway-list 1.1.88.254
network 1.1.88.0 mask 255.255.255.0
lease day 1 hour 12 minute 0
dns-list 1.1.1.1 1.1.1.2
quit
ip pool vlan90
gateway-list 1.1.90.254
network 1.1.90.0 mask 255.255.255.0
lease day 1 hour 12 minute 0
dns-list 1.1.1.1 1.1.1.2
quit
ip pool vlan200
gateway-list 1.1.200.254
network 1.1.200.0 mask 255.255.255.0
excluded-ip-addr 1.1.200.201
lease unlimited
dns-list 1.1.1.1 1.1.1.2
option 43 ip-addr 1.1.200.201
quit
stp enable
stp mode rstp
stp instance 0 root primary
lldp enable
http server enable
http secure-server enable
http server-source -i vlan 200
stelnet server enable
ssh user admin
ssh user admin authen all
ssh user admin service-type all
ssh server-source -i vlan 200
aaa
local-aaa-user password policy administrator
undo password alert original
pass expire 0
quit
local-user admin pass irr [password] privilege level 15
local-user admin idle-timeout 30 access-limit 5
local-user admin ftp-directory flash:/
local-user admin service-type terminal ssh ftp http
local-user admin state active
quit
user-int console 0
authen aaa
quit
user-int vty 0 4
authen aaa
user privilege level 15
protocol inbound all
quit
undo ntp server disable
ntp-service ipv6 disable
ntp-service ipv6 server disable
ntp-service sync-interval 180
ntp-service source-interface Vlanif200
clock timezone Beijing,Chongqing,Hongkon,Urumqi add 08:00:00
cpu-defend policy arpmiss01
car packet-type arp-miss cir 128 cbs 20000
auto-defend threshold 200
auto-defend protocol arp
quit
cpu-defend-policy arpmiss01 global
quit
save force
交换机配置验收和确认
# 配置验收和确认 -- 放在最后步骤再验收配置
# ping验证
<switch>ping 1.1.11.111
<switch>ping 1.1.11.112
<switch>ping 1.1.11.113
<switch>ping 1.1.11.119
# lldp邻居发现验证
<switch>dis lldp nei brief
Local Intf Neighbor Dev Neighbor Intf Exptime(s)
GE0/0/1 L3sw-1F GE0/0/51 102
GE1/0/1 L3sw-1F GE0/0/52 119
无线控制器快速构建
# 无线控制器: 旁挂核心交换机
# H3C WX2540H
sys
sysname ac_200.201
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]
vlan 80
name office
quit
vlan 84
name portal-office
quit
vlan 88
name guest
quit
vlan 90
name terminal
quit
vlan 200
name sw-manage
quit
undo int vlan 1
int vlan 200
desc sw-manage-ip
ip addr 1.1.200.201 24
ntp-service broadcast-client
quit
int bri 1
desc Core-L3sw_GE0-1/0/2
port link-type trunk
port trunk permit vlan all
undo port trunk permit vlan 1
stp point-to-point force-true
quit
int range gi 1/0/4 to gi 1/0/5
port link-mode bridge
port link-agg group 1
quit
ip route-static 0.0.0.0 0 1.1.200.254
stp mode rstp
stp global enable
lldp global enable
ip http enable
ip https enable
ssh server enable
sftp server enable
ssh user admin service-type all authentication-type any
local-user admin class manage
pass simple [password]
service-type https ssh terminal ftp
authorization-attr user-role level-15
authorization-attr work-directory flash:/
quit
user-int console 0
authen scheme
user-role network-admin
quit
user-int vty 0 4
authen scheme
protocol inbound all
quit
ntp-service enable
clock timezone Beijing add 08:00:00
clock protocol ntp
quit
save force
无线控制器配置验收和确认
# 配置验收和确认 -- 放在最后步骤再验收配置
# ping验证
<switch>ping 1.1.200.254
# lldp邻居发现验证
<switch>dis lldp nei list
Chassis ID : * -- -- Nearest nontpmr bridge neighbor
# -- -- Nearest customer bridge neighbor
Default -- -- Nearest bridge neighbor
System Name Local Interface Chassis ID Port ID
Core-L3sw GE1/0/4 2065-xxxx-efe0 GigabitEthernet0/0/2 4
Core-L3sw GE1/0/5 2065-xxxx-efe0 GigabitEthernet1/0/2 4
[UWELL-AC-WX2540H_200.201]