Data Communications: Build Series


Chapter 4: Quickly Building a Three-Tier Topology with Huawei/H3C Switches via CLI

  • Data Communications: Build Series
  • Series Recap
  • Quickly Building a Three-Tier Topology with Huawei/H3C Switches via CLI
  • Background
  • Bill of Materials
  • Topology Techniques
  • Lab Parameters
  • Access Layer Switch Quick Build
  • Access Layer PoE Switch Quick Build
  • Switch Configuration Acceptance and Verification
  • Aggregation Layer Switch Quick Build
  • Core Layer Switch Quick Build
  • Switch Configuration Acceptance and Verification
  • Wireless Controller Quick Build
  • Wireless Controller Configuration Acceptance and Verification



Series Recap

Chapter 1: Automatic Backup of Huawei/H3C Switch Configuration to FTP/SFTP
Chapter 2: Configuring Passwordless SSH Login on Huawei/H3C Switches
Chapter 3: Configuring NTP Clock Synchronization on Huawei/H3C Switches


Quickly Building a Three-Tier Topology with Huawei/H3C Switches via CLI

Background

This chapter builds an internal three-tier network topology from zero to one, using Huawei and H3C switches for a rapid build-out. It records only the CLI commands: hands-on practice throughout, no theory.

Bill of Materials

  1. Access layer switch models (models used in the lab)
    Client: FutureMatrix S1730S-S48T4S-A1, HUAWEI S1730S-S48T4S-A
    PoE: FutureMatrix S1730S-S24P4S-A1, FutureMatrix S1730S-S24P4S-A2, H3C S5024PV3-EI-PWR
  2. Aggregation layer switch models (models used in the lab)
    FutureMatrix S5735S-L24T4S-A1, HUAWEI S5735S-L48T4S-A1, HUAWEI S5720-52P-LI-AC
  3. Core layer switch model (the lab uses only the S5 series as the core; for a production deployment the S7 series or above is recommended)
    HUAWEI S5720-32P-EI-AC
  4. Wireless controller model: H3C WX2540H


Topology Techniques

  1. RSTP (Rapid Spanning Tree)
  2. Link aggregation on the aggregation-layer uplinks to the core layer
  3. Stacking: the 2 core switches are interconnected with stack cables

Lab Parameters

  1. Switch DNS servers: 1.1.1.1, 1.1.1.2
  2. Switch management segment sw-manage: vlan 200, ip address 1.1.200.0/24
  3. Core layer switch management address: vlanif200 1.1.200.254/24
  4. Floor 1 VLAN: vlan 11, vlanif11 1.1.11.0/24
  5. Surveillance segment: vlan 60
  6. Wireless guest segment: vlan 88
  7. Wireless no-authentication segment: vlan 80
  8. Wireless real-name authentication segment: vlan 84
  9. Wireless dumb-terminal segment: vlan 90



Access Layer Switch Quick Build

Notes: for copper uplinks use the last 2 copper ports of the copper card; for fiber uplinks use the first 2 fiber ports of the fiber card.
This case involves both fiber and copper uplinks; take care to tell them apart.
Setting the console password and the local-user password triggers a Y/N confirmation prompt. The Y/N answers are not written out in this case, so the commands must be adapted before they can be pushed as a script.

# Access layer switch connecting end-user terminals

# FutureMatrix S1730S-S48T4S-A1
# HUAWEI S1730S-S48T4S-A
sys
sysname L2sw-1F-Client-01
dns resolve
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]

vlan 11
 desc 1f
 quit
vlan 200
 desc sw-manage
 quit
int range gi 0/0/1 to gi 0/0/47
 desc Client
 port link-type access
 port default vlan 11
 stp edged-port enable
 quit
int gi 0/0/48
 desc up-sw-link-GE0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11 200
 quit
 
undo int vlan 1
int vlan 200
 desc sw-manage-ip
 ip addr 1.1.200.111 24
 quit
ip route-static 0.0.0.0 0.0.0.0 1.1.200.254

stp enable
stp mode rstp
lldp enable
http server enable
http secure-server enable
http server-source -i vlan 200

stelnet server enable
ssh user admin
ssh user admin authen all
ssh user admin service-type all
ssh server-source -i vlan 200

aaa
 local-aaa-user password policy administrator
  pass expire 0
  quit
 local-user admin pass irr [password] privilege level 15
 local-user admin idle-timeout 30 access-limit 5
 local-user admin ftp-directory flash:/
 local-user admin service-type terminal ssh ftp http
 local-user admin state active
 quit
 
user-int console 0
 authen pass
 set authen pass cipher [password]
 quit
user-int vty 0 4
 authen aaa
 user privilege level 15
 protocol inbound all
 quit

undo ntp server disable
clock timezone Beijing,Chongqing,Hongkon,Urumqi add 08:00:00
ntp-service unicast-server 1.1.200.254

quit
save force
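As an added example (not part of the original article), the following Python script audits a Huawei VRP or H3C Comware CLI script such as the ones in this chapter for management-plane settings worth a second look before the script is pushed: Telnet left open on the VTY lines by `protocol inbound all`, cleartext HTTP management enabled alongside HTTPS, passwords entered with the `simple` keyword, and trunks that carry every VLAN. The sample configuration inside the script is a constructed excerpt modelled on the access-switch script above; the rule names, messages and the `audit_config` function are the example's own.

```python
"""Audit a Huawei VRP / H3C Comware CLI script for management-plane exposures.

Added example, not from the original article. Rules and messages are the
example's own; findings come only from the literal commands in the text.
"""
import re
from typing import List, Tuple

# Constructed excerpt modelled on the access-switch script in this chapter.
SAMPLE_CONFIG = """\
sysname L2sw-1F-Client-01
http server enable
http secure-server enable
http server-source -i vlan 200
stelnet server enable
aaa
 local-user admin pass irr [password] privilege level 15
 quit
user-int vty 0 4
 authen aaa
 protocol inbound all
 quit
"""

Finding = Tuple[int, str, str]  # (line number, rule id, message)

# Cleartext HTTP management (Huawei and H3C spellings).
_HTTP_PLAIN = re.compile(r"^(http server enable|ip http enable)$")
# HTTPS management, used only to phrase the remediation hint.
_HTTPS = re.compile(r"^(http secure-server enable|ip https enable)$")
# Telnet accepted on a line: 'all' includes Telnet on both vendors.
_INBOUND = re.compile(r"^protocol inbound (all|telnet)$")
# Password typed in plaintext ('password simple' on H3C, 'pass' abbreviation).
_PW_SIMPLE = re.compile(r"\bpass(?:word)?\s+simple\b")
# Trunk carrying every VLAN (Huawei allow-pass all, H3C permit all / 2 to 4094).
_TRUNK_ALL = re.compile(r"^port trunk (allow-pass vlan all|permit vlan (all|2 to 4094))$")


def audit_config(text: str) -> List[Finding]:
    """Return findings as (line number, rule id, message), in script order."""
    lines = [ln.strip() for ln in text.splitlines()]
    has_https = any(_HTTPS.match(ln) for ln in lines)
    findings: List[Finding] = []
    view = None  # the user-interface view we are inside, e.g. "vty"

    for lineno, line in enumerate(lines, 1):
        m = re.match(r"^user-int(?:erface)?\s+(\S+)", line)
        if m:
            view = m.group(1).lower()
            continue
        if line == "quit":
            view = None  # leaving whatever view we were in
            continue
        if view == "vty" and _INBOUND.match(line):
            findings.append((lineno, "VTY-TELNET",
                             "VTY lines accept Telnet (cleartext); use 'protocol inbound ssh'"))
        if _HTTP_PLAIN.match(line):
            hint = ("HTTPS is also enabled, disable plain HTTP" if has_https
                    else "enable HTTPS and disable plain HTTP")
            findings.append((lineno, "HTTP-CLEARTEXT",
                             f"cleartext HTTP management enabled; {hint}"))
        if _PW_SIMPLE.search(line):
            findings.append((lineno, "PW-SIMPLE",
                             "password given in plaintext in the script; protect the script "
                             "file and prefer a hashed/irreversible form"))
        if _TRUNK_ALL.match(line):
            findings.append((lineno, "TRUNK-ALL",
                             "trunk carries every VLAN; prune it to the VLANs this link needs"))
    return findings


if __name__ == "__main__":
    for lineno, rule, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno:3d}  {rule:15s} {msg}")
```

Feed `audit_config()` the text of any script before pushing it; each finding carries the line number so it can be located in the script. On VRP, `protocol inbound ssh` in the VTY view and `undo http server enable` are the commands that close the two findings the sample raises; the example only reports and does not rewrite the script.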



Access Layer PoE Switch Quick Build

# Access layer switch connecting PoE devices - HUAWEI

# FutureMatrix S1730S-S24P4S-A1
# FutureMatrix S1730S-S24P4S-A2
sys
sysname L2sw-1F-POE-01
dns resolve
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]

vlan 60
 desc monitor
 quit
vlan 80
 desc office
 quit
vlan 84
 desc portal-office
 quit
vlan 88
 desc guest
 quit
vlan 90
 desc terminal
 quit
vlan 200
 desc sw-manage
 quit
int range gi 0/0/1 to gi 0/0/10
 desc AP
 poe enable
 port link-type trunk
 port trunk pvid vlan 200
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 80 84 88 90 200
 stp edged-port enable
 quit
int range gi 0/0/11 to gi 0/0/23
 desc monitor
 poe enable
 port link-type access
 port default vlan 60
 stp edged-port enable
 quit
int gi 0/0/24
 desc up-sw-link-GE0/0/2
 undo poe enable
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 quit
 
undo int vlan 1
int vlan 200
 desc sw-manage-ip
 ip addr 1.1.200.112 24
 quit
ip route-static 0.0.0.0 0.0.0.0 1.1.200.254

stp enable
stp mode rstp
lldp enable
http server enable
http secure-server enable
http server-source -i vlan 200

stelnet server enable
ssh user admin
ssh user admin authen all
ssh user admin service-type all
ssh server-source -i vlan 200

aaa
 local-aaa-user password policy administrator
  pass expire 0
  quit
 local-user admin pass irr [password] privilege level 15
 local-user admin idle-timeout 30 access-limit 5
 local-user admin ftp-directory flash:/
 local-user admin service-type terminal ssh ftp http
 local-user admin state active
 quit
 
user-int console 0
 authen pass
 set authen pass cipher [password]
 quit
user-int vty 0 4
 authen aaa
 user privilege level 15
 protocol inbound all
 quit

undo ntp server disable
clock timezone Beijing,Chongqing,Hongkon,Urumqi add 08:00:00
ntp-service unicast-server 1.1.200.254

quit
save force



# Access layer switch connecting PoE devices - H3C

# H3C S5024PV3-EI-PWR
sys
sysname L2sw-1F-POE-02
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]

vlan 60
 name monitor
 quit
vlan 80
 name office
 quit
vlan 84
 name portal-office
 quit
vlan 88
 name guest
 quit
vlan 90
 name terminal
 quit
vlan 200
 name sw-manage
 quit
int range gi 1/0/1 to gi 1/0/10
 desc AP
 poe enable
 port link-type trunk
 # APs are managed untagged in vlan 200 (as on the Huawei PoE switch); without a PVID they would land in vlan 1, which is removed from the trunk below
 port trunk pvid vlan 200
 undo port trunk permit vlan 1
 port trunk permit vlan 60 80 84 88 90 200
 stp edged-port
 quit
int range gi 1/0/11 to gi 1/0/23
 desc monitor
 poe enable
 port link-type access
 port access vlan 60
 stp edged-port
 quit
int gi 1/0/24
 desc up-sw-link-GE0/0/3
 undo poe enable
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 4094
 stp point-to-point force-true
 quit
 
undo int vlan 1
int vlan 200
 desc sw-manage-ip
 ip addr 1.1.200.113 24
 ntp-service broadcast-client
 quit
ip route-static 0.0.0.0 0 1.1.200.254

stp mode rstp
stp global enable
lldp global enable
ip http enable
ip https enable

ssh server enable
sftp server enable
ssh user admin service-type all authentication-type any

local-user admin class manage
 pass simple [password]
 service-type https ssh terminal ftp
 authorization-attr user-role level-15
 authorization-attr work-directory flash:/
 quit
 
user-int aux 0
 authen scheme
 user-role network-admin
 quit
user-int vty 0 4
 authen scheme
 protocol inbound all
 quit

# Comware 7 needs the NTP service switched on before the broadcast client on Vlanif200 takes effect
ntp-service enable
clock timezone Beijing add 08:00:00
clock protocol ntp

quit
save force



Switch Configuration Acceptance and Verification

# Acceptance and verification -- run as the final step, after all configuration is done
# ping check
<switch>ping 1.1.200.254
  PING 1.1.200.254: 56  data bytes, press CTRL_C to break
    Reply from 1.1.200.254: bytes=56 Sequence=1 ttl=254 time=1 ms
    Reply from 1.1.200.254: bytes=56 Sequence=2 ttl=254 time=1 ms
    Reply from 1.1.200.254: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 1.1.200.254: bytes=56 Sequence=4 ttl=254 time=1 ms
    Reply from 1.1.200.254: bytes=56 Sequence=5 ttl=254 time=1 ms

  --- 1.1.200.254 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
    
# LLDP neighbor discovery check
<switch>dis lldp neighbor brief
Local Intf       Neighbor Dev       Neighbor Intf             Exptime(s)
GE0/0/48         L3sw-1F            GE0/0/3                   107




Aggregation Layer Switch Quick Build

Notes: for copper uplinks use the last 2 copper ports of the copper card; for fiber uplinks use the first 2 fiber ports of the fiber card.
This case involves both fiber and copper uplinks; take care to tell them apart.
Setting the console password and the local-user password triggers a Y/N confirmation prompt. The Y/N answers are not written out in this case, so the commands must be adapted before they can be pushed as a script.

# Aggregation layer switch: downlinks to the access layer switches, uplink to the core layer switches.

# FutureMatrix S5735S-L24T4S-A1
# HUAWEI S5735S-L48T4S-A1
# HUAWEI S5720-52P-LI-AC
sys
sysname L3sw-1F
dns resolve
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]

vlan 11
 desc 1f
 quit
vlan 60
 desc monitor
 quit
vlan 80
 desc office
 quit
vlan 84
 desc portal-office
 quit
vlan 88
 desc guest
 quit
vlan 90
 desc terminal
 quit
vlan 200
 desc sw-manage
 quit
 
int range gi 0/0/1 to gi 0/0/48
 desc L2sw
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 stp point-to-point force-true
 quit
 
int eth-trunk 1
 desc up-sw-link-GE0-1/0/1
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 stp point-to-point force-true
 mode lacp
 trunkport gi 0/0/51 to 0/0/52 mode active
 quit

 
undo int vlan 1
int vlan 200
 desc sw-manage-ip
 ip addr 1.1.200.119 24
 ntp-service broadcast-client
 quit
ip route-static 0.0.0.0 0.0.0.0 1.1.200.254

stp enable
stp mode rstp
lldp enable
http server enable
http secure-server enable
http server-source -i vlan 200

stelnet server enable
ssh user admin
ssh user admin authen all
ssh user admin service-type all
ssh server-source -i vlan 200

aaa
 local-aaa-user password policy administrator
  pass expire 0
  quit
 local-user admin pass irr [password] privilege level 15
 local-user admin idle-timeout 30 access-limit 5
 local-user admin ftp-directory flash:/
 local-user admin service-type terminal ssh ftp http
 local-user admin state active
 quit
 
user-int console 0
 authen pass
 set authen pass cipher [password]
 quit
user-int vty 0 4
 authen aaa
 user privilege level 15
 protocol inbound all
 quit

undo ntp server disable
ntp-service ipv6 disable
ntp-service ipv6 server disable
ntp-service sync-interval 360
ntp-service source-interface Vlanif200
clock timezone Beijing,Chongqing,Hongkon,Urumqi add 08:00:00

quit
save force




Core Layer Switch Quick Build

# The 2 core layer switches each connect down to the aggregation layer switch and form a stack
# HUAWEI S5720-32P-EI-AC

# Stack switch 1
sys
sysname Core-L3sw-Stack01
dis stack config
stack slot 0 priority 200
stack slot 0 renumber 0
quit
save
y

# Stack switch 2
sys
sysname Core-L3sw-Stack02
dis stack config
stack slot 0 priority 100
stack slot 0 renumber 1
quit
save
y

### Reboot the 2 stack switches one after the other: the master switch first, then the standby switch
### After boot-up, check the stack status
dis stack config
dis stack port brief
dis stack peers
dis stack channel all

### Connecting to the console port of either stack member enters the stack system; start configuring the core layer switch
sys
sysname Core-L3sw
dns resolve
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]

vlan 11
 desc 1f
 quit
vlan 60
 desc monitor
 quit
vlan 80
 desc office
 quit
vlan 84
 desc portal-office
 quit
vlan 88
 desc guest
 quit
vlan 90
 desc terminal
 quit
vlan 200
 desc sw-manage
 quit
 
undo int vlan 1
int vlan 11
 desc 1F DHCP
 ip addr 1.1.11.254 24
 dhcp select global
 quit
int vlan 60
 desc monitor
 ip addr 1.1.60.254 22
 quit
int vlan 80
 desc office
 ip addr 1.1.80.254 22
 dhcp select global
 quit
int vlan 84
 desc portal-office
 ip addr 1.1.84.254 22
 dhcp select global
 quit
int vlan 88
 desc guest
 ip addr 1.1.88.254 24
 dhcp select global
 quit
int vlan 90
 desc terminal
 ip addr 1.1.90.254 24
 dhcp select global
 quit
int vlan 200
 desc sw-manage-ip
 ip addr 1.1.200.254 24
 ntp-service broadcast-server
 quit

int eth-trunk 1
 desc L3sw-1F-GE0/0/51-52
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 stp point-to-point force-true
 mode lacp
 trunkport gi 0/0/1 mode active
 trunkport gi 1/0/1 mode active
 quit
int eth-trunk 2
 description ac_200.201_GE1/0/4-5
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 stp point-to-point force-true
 # manual (static) aggregation: the AC side (Bridge-Aggregation 1) is static, and 'mode active' is only accepted once 'mode lacp' is set
 trunkport gi 0/0/2
 trunkport gi 1/0/2
 quit

dhcp enable
ip pool vlan11
 gateway-list 1.1.11.254
 network 1.1.11.0 mask 255.255.255.0
 lease day 3 hour 0 minute 0
 dns-list 1.1.1.1 1.1.1.2
 domain-name [mydomainname_1F]
 quit
ip pool vlan80
 gateway-list 1.1.80.254
 network 1.1.80.0 mask 255.255.252.0
 lease day 1 hour 12 minute 0
 dns-list 1.1.1.1 1.1.1.2
 quit
ip pool vlan84
 gateway-list 1.1.84.254
 network 1.1.84.0 mask 255.255.252.0
 lease day 1 hour 12 minute 0
 dns-list 1.1.1.1 1.1.1.2
 quit
ip pool vlan88
 gateway-list 1.1.88.254
 network 1.1.88.0 mask 255.255.255.0
 lease day 1 hour 12 minute 0
 dns-list 1.1.1.1 1.1.1.2
 quit
ip pool vlan90
 gateway-list 1.1.90.254
 network 1.1.90.0 mask 255.255.255.0
 lease day 1 hour 12 minute 0
 dns-list 1.1.1.1 1.1.1.2
 quit
ip pool vlan200
 gateway-list 1.1.200.254
 network 1.1.200.0 mask 255.255.255.0
 excluded-ip-addr 1.1.200.201
 lease unlimited
 dns-list 1.1.1.1 1.1.1.2
 option 43 ip-addr 1.1.200.201
 quit

stp enable
stp mode rstp
stp instance 0 root primary
lldp enable
http server enable
http secure-server enable
http server-source -i vlan 200

stelnet server enable
ssh user admin
ssh user admin authen all
ssh user admin service-type all
ssh server-source -i vlan 200

aaa
 local-aaa-user password policy administrator
  undo password alert original
  pass expire 0
  quit
 local-user admin pass irr [password] privilege level 15
 local-user admin idle-timeout 30 access-limit 5
 local-user admin ftp-directory flash:/
 local-user admin service-type terminal ssh ftp http
 local-user admin state active
 quit
 
user-int console 0
 authen aaa
 quit
user-int vty 0 4
 authen aaa
 user privilege level 15
 protocol inbound all
 quit

undo ntp server disable
ntp-service ipv6 disable
ntp-service ipv6 server disable
ntp-service sync-interval 180
ntp-service source-interface Vlanif200
clock timezone Beijing,Chongqing,Hongkon,Urumqi add 08:00:00

cpu-defend policy arpmiss01
 car packet-type arp-miss cir 128 cbs 20000
 # attack source tracing must be enabled before the threshold and protocol settings take effect
 auto-defend enable
 auto-defend threshold 200
 auto-defend protocol arp
 quit
cpu-defend-policy arpmiss01 global

quit
save force
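The vlan200 pool above spans the whole management /24 while only the AC's address is excluded, so a check that the statically assigned switch addresses cannot also be leased is worth running before the core goes live. As an added example (not part of the original article), the Python below parses `ip pool` blocks in the VRP syntax used in this chapter and reports every static address a pool could hand out; the sample pool text and the `STATIC_ADDRESSES` list are constructed from the values in this chapter, and the `Pool`, `parse_pools` and `find_collisions` names are the example's own.

```python
"""Find static addresses that a Huawei VRP DHCP pool could hand out.

Added example, not from the original article. It parses 'ip pool' blocks in
the VRP syntax used in this chapter and reports statically assigned
addresses that fall inside a pool and are neither a pool gateway nor
excluded, i.e. candidates for an address conflict.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed excerpt mirroring the core switch's vlan200 and vlan11 pools.
SAMPLE_CONFIG = """\
ip pool vlan200
 gateway-list 1.1.200.254
 network 1.1.200.0 mask 255.255.255.0
 excluded-ip-addr 1.1.200.201
 lease unlimited
 quit
ip pool vlan11
 gateway-list 1.1.11.254
 network 1.1.11.0 mask 255.255.255.0
 quit
"""

# Static addresses used in this chapter: access/aggregation switch Vlanif200
# addresses, the AC (.201) and the core's own Vlanif addresses.
STATIC_ADDRESSES = [
    "1.1.200.111", "1.1.200.112", "1.1.200.113", "1.1.200.119",
    "1.1.200.201", "1.1.200.254", "1.1.11.254",
]


class Pool:
    """One 'ip pool' block: network, gateway addresses and excluded addresses."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.network: Optional[ipaddress.IPv4Network] = None
        self.gateways: Set[ipaddress.IPv4Address] = set()
        self.excluded: Set[ipaddress.IPv4Address] = set()

    def may_allocate(self, addr: ipaddress.IPv4Address) -> bool:
        """True if the server could lease addr: in range, not a gateway, not excluded."""
        if self.network is None or addr not in self.network:
            return False
        if addr in (self.network.network_address, self.network.broadcast_address):
            return False
        return addr not in self.gateways and addr not in self.excluded


def parse_pools(text: str) -> Dict[str, Pool]:
    """Parse every 'ip pool NAME' ... 'quit' block from a VRP script."""
    pools: Dict[str, Pool] = {}
    current: Optional[Pool] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^ip pool (\S+)$", line)
        if m:
            current = Pool(m.group(1))
            pools[current.name] = current
            continue
        if current is None:
            continue
        if line == "quit":
            current = None
            continue
        m = re.match(r"^network (\S+) mask (\S+)$", line)
        if m:
            current.network = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = re.match(r"^gateway-list (.+)$", line)
        if m:
            current.gateways.update(ipaddress.IPv4Address(a) for a in m.group(1).split())
            continue
        # excluded-ip-address START [END]; the chapter abbreviates it to excluded-ip-addr
        m = re.match(r"^excluded-ip-addr(?:ess)? (\S+)(?: (\S+))?$", line)
        if m:
            start = ipaddress.IPv4Address(m.group(1))
            end = ipaddress.IPv4Address(m.group(2)) if m.group(2) else start
            current.excluded.update(ipaddress.IPv4Address(i) for i in range(int(start), int(end) + 1))
    return pools


def find_collisions(pools: Dict[str, Pool], static_addresses: Iterable[str]) -> Dict[str, List[str]]:
    """Map pool name -> static addresses that pool could lease (pools without hits omitted)."""
    statics = [ipaddress.IPv4Address(a) for a in static_addresses]
    collisions: Dict[str, List[str]] = {}
    for pool in pools.values():
        hits = sorted((a for a in statics if pool.may_allocate(a)), key=int)
        if hits:
            collisions[pool.name] = [str(a) for a in hits]
    return collisions


if __name__ == "__main__":
    for name, addrs in find_collisions(parse_pools(SAMPLE_CONFIG), STATIC_ADDRESSES).items():
        print(f"pool {name}: static addresses inside the allocatable range: {', '.join(addrs)}")
```

Against the sample the vlan200 pool reports 1.1.200.111, .112, .113 and .119, the access and aggregation switch addresses; the vlan11 pool reports nothing because its only static address is the gateway. The example treats gateway-list addresses as never allocatable and otherwise trusts only explicit exclusions; adding an `excluded-ip-address` range that covers the statically numbered part of the management segment to the vlan200 block (or narrowing the pool's network) is the corresponding fix in the script above.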

Switch Configuration Acceptance and Verification

# Acceptance and verification -- run as the final step, after all configuration is done
# ping check (management addresses of the access and aggregation switches)
<switch>ping 1.1.200.111
<switch>ping 1.1.200.112
<switch>ping 1.1.200.113
<switch>ping 1.1.200.119

# LLDP neighbor discovery check
<switch>dis lldp nei brief
Local Intf       Neighbor Dev         Neighbor Intf             Exptime(s)
GE0/0/1          L3sw-1F              GE0/0/51                  102
GE1/0/1          L3sw-1F              GE0/0/52                  119




Wireless Controller Quick Build

# Wireless controller: attached to the core switch in bypass (side-hung) mode

# H3C WX2540H
sys
sysname ac_200.201
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]

vlan 80
 name office
 quit
vlan 84
 name portal-office
 quit
vlan 88
 name guest
 quit
vlan 90
 name terminal
 quit
vlan 200
 name sw-manage
 quit
 
undo int vlan 1
int vlan 200
 desc sw-manage-ip
 ip addr 1.1.200.201 24
 ntp-service broadcast-client
 quit

int bri 1
 desc Core-L3sw_GE0-1/0/2
 port link-type trunk
 port trunk permit vlan all
 undo port trunk permit vlan 1
 stp point-to-point force-true
 quit
int range gi 1/0/4 to gi 1/0/5
 port link-mode bridge
 port link-agg group 1
 quit

ip route-static 0.0.0.0 0 1.1.200.254

stp mode rstp
stp global enable
lldp global enable
ip http enable
ip https enable

ssh server enable
sftp server enable
ssh user admin service-type all authentication-type any

local-user admin class manage
 pass simple [password]
 service-type https ssh terminal ftp
 authorization-attr user-role level-15
 authorization-attr work-directory flash:/
 quit
 
user-int console 0
 authen scheme
 user-role network-admin
 quit
user-int vty 0 4
 authen scheme
 protocol inbound all
 quit

ntp-service enable
clock timezone Beijing add 08:00:00
clock protocol ntp

quit
save force




Wireless Controller Configuration Acceptance and Verification

# Acceptance and verification -- run as the final step, after all configuration is done
# ping check
<switch>ping 1.1.200.254

# LLDP neighbor discovery check
<switch>dis lldp nei list
Chassis ID : * -- -- Nearest nontpmr bridge neighbor
             # -- -- Nearest customer bridge neighbor
             Default -- -- Nearest bridge neighbor
System Name          Local Interface Chassis ID      Port ID
Core-L3sw            GE1/0/4         2065-xxxx-efe0  GigabitEthernet0/0/2      4
Core-L3sw            GE1/0/5         2065-xxxx-efe0  GigabitEthernet1/0/2      4
[UWELL-AC-WX2540H_200.201]
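The acceptance checks in this chapter read the `display lldp neighbor` output by eye. As an added example (not part of the original article), the Python below parses both output layouts shown above, the Huawei `brief` table and the H3C `neighbor-information list` table, and compares the result with a planned cabling map, so the uplink checks for the access, core and AC sections can be scripted. Ports that carry a neighbour the plan does not know about are reported separately, which is how an unplanned switch on an edge port would surface. The samples inside the script are constructed copies of the outputs above; the `norm_port`, `parse_lldp` and `verify_neighbors` names are the example's own, and it assumes system names without spaces, which holds for the naming used in this chapter.

```python
"""Verify LLDP neighbours against the expected cabling plan.

Added example, not from the original article. Parses the two output formats
shown in this chapter ('display lldp neighbor brief' on Huawei VRP and
'display lldp neighbor-information list' on H3C Comware) and compares the
result with an expected map of local port -> (neighbour name, neighbour port).
"""
from typing import Dict, Tuple

Neighbor = Tuple[str, str]  # (neighbour system name, neighbour port)

# Constructed samples reproducing the layout of the outputs in this chapter.
HUAWEI_BRIEF = """\
Local Intf       Neighbor Dev       Neighbor Intf             Exptime(s)
GE0/0/48         L3sw-1F            GE0/0/3                   107
"""

H3C_LIST = """\
Chassis ID : * -- -- Nearest nontpmr bridge neighbor
             # -- -- Nearest customer bridge neighbor
             Default -- -- Nearest bridge neighbor
System Name          Local Interface Chassis ID      Port ID
Core-L3sw            GE1/0/4         2065-xxxx-efe0  GigabitEthernet0/0/2
Core-L3sw            GE1/0/5         2065-xxxx-efe0  GigabitEthernet1/0/2
"""


def norm_port(name: str) -> str:
    """Normalise long interface names to the short form the Huawei brief uses."""
    return name.replace("GigabitEthernet", "GE")


def parse_lldp(output: str) -> Dict[str, Neighbor]:
    """Return {local port: (neighbour name, neighbour port)} from either format.

    Assumes system names without spaces (true for the naming in this chapter).
    """
    neighbors: Dict[str, Neighbor] = {}
    layout = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Local Intf"):      # Huawei table header
            layout = "huawei"
            continue
        if line.startswith("System Name"):     # H3C table header
            layout = "h3c"
            continue
        if layout is None:                      # legend lines before the table
            continue
        fields = line.split()
        if layout == "huawei" and len(fields) >= 3:
            neighbors[norm_port(fields[0])] = (fields[1], norm_port(fields[2]))
        elif layout == "h3c" and len(fields) >= 4:
            neighbors[norm_port(fields[1])] = (fields[0], norm_port(fields[3]))
    return neighbors


def verify_neighbors(seen: Dict[str, Neighbor],
                     expected: Dict[str, Neighbor]) -> Dict[str, list]:
    """Compare discovered neighbours with the cabling plan.

    'missing'    a planned link shows no LLDP neighbour (cabling or LLDP problem)
    'mismatch'   the port sees a different device or port than planned
    'unexpected' an LLDP neighbour on a port with no planned neighbour, e.g.
                 a switch plugged into an edge port
    """
    report: Dict[str, list] = {"ok": [], "missing": [], "mismatch": [], "unexpected": []}
    for port, want in expected.items():
        got = seen.get(port)
        if got is None:
            report["missing"].append(port)
        elif got == want:
            report["ok"].append(port)
        else:
            report["mismatch"].append((port, want, got))
    for port, got in seen.items():
        if port not in expected:
            report["unexpected"].append((port, got))
    return report


if __name__ == "__main__":
    plan = {"GE1/0/4": ("Core-L3sw", "GE0/0/2"), "GE1/0/5": ("Core-L3sw", "GE1/0/2")}
    print(verify_neighbors(parse_lldp(H3C_LIST), plan))
```

Paste the captured output of the display command into `parse_lldp()` and keep the plan (local port to neighbour and port) next to the cabling documentation; a non-empty `missing`, `mismatch` or `unexpected` list is the signal to stop and inspect before signing off the acceptance step.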