Original by: 厦门微思网络
Configuring the access-layer switches
1. Taking access switch ACC1 as an example, create ACC1's service VLANs 10 and 20.
<HUAWEI> system-view
[HUAWEI] sysname ACC1 //change the device name to ACC1
[ACC1] vlan batch 10 20 //create the VLANs in a batch
2. Configure GE1/0/3 and GE1/0/4, which connect ACC1 to CORE1 and CORE2, to transparently carry the VLANs of Department A and Department B.
[ACC1] interface GE 1/0/3
[ACC1-GE1/0/3] port link-type trunk //set trunk mode so the port carries tagged VLANs
[ACC1-GE1/0/3] port trunk allow-pass vlan 10 20 //let GE1/0/3 carry ACC1's service VLANs
[ACC1-GE1/0/3] quit
[ACC1] interface GE 1/0/4
[ACC1-GE1/0/4] port link-type trunk //set trunk mode so the port carries tagged VLANs
[ACC1-GE1/0/4] port trunk allow-pass vlan 10 20 //let GE1/0/4 carry ACC1's service VLANs
[ACC1-GE1/0/4] quit
3. Configure the user-facing interfaces of ACC1 so that each department joins its VLAN.
[ACC1] interface GE 1/0/1 //interface connecting Department A
[ACC1-GE1/0/1] port link-type access
[ACC1-GE1/0/1] port default vlan 10
[ACC1-GE1/0/1] quit
[ACC1] interface GE 1/0/2 //interface connecting Department B
[ACC1-GE1/0/2] port link-type access
[ACC1-GE1/0/2] port default vlan 20
[ACC1-GE1/0/2] quit
4. Configure BPDU protection to improve network stability.
[ACC1] stp bpdu-protection
Configuring the aggregation/core-layer switches
1. Taking aggregation/core switch CORE1 as an example, create the VLANs that connect it to the access switches, the backup device and the campus egress router.
<HUAWEI> system-view
[HUAWEI] sysname CORE1 //change the device name to CORE1
[CORE1] vlan batch 10 20 30 40 50 100 300 //create the VLANs in a batch
2. Configure the user-side interface VLANs and the VLANIF interfaces; the VLANIF interfaces provide inter-department communication. The 10GE1/0/1 interface connecting CORE1 to ACC1 is shown as an example; the other interfaces are configured the same way.
[CORE1] interface 10GE 1/0/1
[CORE1-10GE1/0/1] port link-type trunk //set trunk mode so the port carries tagged VLANs
[CORE1-10GE1/0/1] port trunk allow-pass vlan 10 20 //let 10GE1/0/1 carry ACC1's service VLANs
[CORE1-10GE1/0/1] quit
[CORE1] interface Vlanif 10 //configure VLANIF10 for Layer 3 connectivity between departments
[CORE1-Vlanif10] ip address 192.168.10.1 24
[CORE1-Vlanif10] quit
[CORE1] interface Vlanif 20 //configure VLANIF20 for Layer 3 connectivity between departments
[CORE1-Vlanif20] ip address 192.168.20.1 24
[CORE1-Vlanif20] quit
3. Configure the interface VLAN and VLANIF for the link to the egress router.
[CORE1] interface 10GE 1/0/7
[CORE1-10GE1/0/7] port link-type access //set access mode
[CORE1-10GE1/0/7] port default vlan 100
[CORE1-10GE1/0/7] quit
[CORE1] interface Vlanif 100 //configure the VLANIF for Layer 3 connectivity between CORE1 and the router
[CORE1-Vlanif100] ip address 172.16.1.1 24
[CORE1-Vlanif100] quit
4. Configure the interface VLAN and VLANIF for the direct link between the two core switches.
[CORE1] interface 10GE 1/0/5
[CORE1-10GE1/0/5] port link-type access //set access mode
[CORE1-10GE1/0/5] port default vlan 300
[CORE1-10GE1/0/5] quit
[CORE1] interface Vlanif 300
[CORE1-Vlanif300] ip address 172.16.3.1 24
[CORE1-Vlanif300] quit
Checking the configuration
1. After the interface and VLAN configuration is complete, verify it with the following commands.
Run the display vlan command to check the VLAN configuration on ACC1.
[ACC1] display vlan
The total number of VLANs is : 2
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
10 common UT: GE0/0/1(U) TG:GE0/0/3(U) GE0/0/4(U)
20 common UT: GE0/0/2(U) TG:GE0/0/3(U) GE0/0/4(U) //On ACC1 the downlink interfaces are mapped to their service VLANs and the uplink interfaces carry all service VLANs.
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
10 enable default enable disable VLAN 0010
20 enable default enable disable VLAN 0020
Run the display vlan command to check the VLAN configuration on CORE1.
[CORE1] display vlan
The total number of VLANs is : 7
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
10 common TG:10GE1/0/1(U)
20 common TG:10GE1/0/1(U)
30 common TG:10GE1/0/2(U)
40 common TG:10GE1/0/3(U)
50 common TG:10GE1/0/4(U)
100 common TG:10GE1/0/7(U)
300 common UT:10GE1/0/5(U) //On CORE1 the interfaces connecting to each access switch have joined that switch's service VLANs.
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
10 enable default enable disable VLAN 0010
20 enable default enable disable VLAN 0020
30 enable default enable disable VLAN 0030
40 enable default enable disable VLAN 0040
50 enable default enable disable VLAN 0050
100 enable default enable disable VLAN 0100
300 enable default enable disable VLAN 0300
Configuring the egress router interface addresses
1. Configure the addresses of the interfaces facing the internal network.
<HUAWEI> system-view
[HUAWEI] sysname Router //change the device name to Router
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 172.16.1.2 24 //address of the interface facing the master device
[Router-GigabitEthernet0/0/1] quit
[Router] interface GigabitEthernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 172.16.2.2 24 //address of the interface facing the backup device
[Router-GigabitEthernet0/0/2] quit
2. Configure the address of the interface facing the public network.
[Router] interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0] ip address 1.1.1.2 30 //address of the router's public-facing interface
[Router-GigabitEthernet0/0/0] quit
If dynamic routing is used, this step is not required.
1. On CORE1 and CORE2, configure a default static route pointing to the egress router together with a backup route.
[CORE1] ip route-static 0.0.0.0 0.0.0.0 172.16.1.2 //CORE1's default static route toward the egress router
[CORE1] ip route-static 0.0.0.0 0.0.0.0 172.16.3.2 preference 70 //CORE1's backup static route via CORE2
[CORE2] ip route-static 0.0.0.0 0.0.0.0 172.16.2.2
[CORE2] ip route-static 0.0.0.0 0.0.0.0 172.16.3.1 preference 70
2. On the egress router, configure a default static route pointing to the ISP.
[Router] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
3. On the egress router, configure primary and backup routes to the internal network: the primary route's next hop is CORE1 and the backup route's next hop is CORE2.
[Router] ip route-static 192.168.10.0 255.255.255.0 172.16.1.1
[Router] ip route-static 192.168.10.0 255.255.255.0 172.16.2.1 preference 70 //backup route to the VLAN 10 subnet via the backup device
[Router] ip route-static 192.168.20.0 255.255.255.0 172.16.1.1
[Router] ip route-static 192.168.20.0 255.255.255.0 172.16.2.1 preference 70 //backup route to the VLAN 20 subnet via the backup device
Configuring VRRP master/backup for virtual gateway redundancy
Under normal conditions all internal user traffic is forwarded to CORE1; only when CORE1 fails does the VRRP backup group switch CORE2 to master, after which internal user traffic is forwarded to CORE2.
1. Configuration example: create VRRP backup groups 1 and 2 on CORE1 and CORE2; set CORE1's priority to 120 and its preemption delay to 20 seconds so that it is the Master for VLAN 10 and VLAN 20.
[CORE1] interface Vlanif 10
[CORE1-Vlanif10] vrrp vrid 1 virtual-ip 192.168.10.3 //virtual address of VRRP group 1
[CORE1-Vlanif10] vrrp vrid 1 priority 120 //set CORE1's priority to 120
[CORE1-Vlanif10] vrrp vrid 1 preempt-mode timer delay 20
[CORE1-Vlanif10] quit
[CORE1] interface Vlanif 20
[CORE1-Vlanif20] vrrp vrid 2 virtual-ip 192.168.20.3 //virtual address of VRRP group 2
[CORE1-Vlanif20] vrrp vrid 2 priority 120
[CORE1-Vlanif20] vrrp vrid 2 preempt-mode timer delay 20
[CORE1-Vlanif20] quit
2. CORE2 keeps the default priority and acts as the Backup for VLAN 10 and VLAN 20.
[CORE2] interface Vlanif 10
[CORE2-Vlanif10] vrrp vrid 1 virtual-ip 192.168.10.3
[CORE2-Vlanif10] quit
[CORE2] interface Vlanif 20
[CORE2-Vlanif20] vrrp vrid 2 virtual-ip 192.168.20.3
[CORE2-Vlanif20] quit
CORE1, CORE2 and ACC1 form a physical ring, but the actual links do not form a loop, and STP is enabled on the switches by default. To avoid disturbing the VRRP master/backup state between CORE1 and CORE2, STP is disabled on the access switch's uplink interfaces with the following commands:
[ACC1] interface GE 1/0/3
[ACC1-GE1/0/3] stp disable //disable STP on ACC1's uplink interface
[ACC1-GE1/0/3] quit
[ACC1] interface GE 1/0/4
[ACC1-GE1/0/4] stp disable
[ACC1-GE1/0/4] quit
If it is certain that the network contains no loop, STP can also be disabled for the whole switch with the following command:
[ACC1] stp disable
Warning:The global STP state will be changed. Continue? [Y/N] y
Configuring the egress router for shared Internet access
1. Configure the ACL that permits Internet access. Users in VLAN 10 and VLAN 20 are used as the example:
[Router] acl 2000
[Router-acl-basic-2000] rule permit source 192.168.10.0 0.0.0.255 //permit VLAN 10 users to access the Internet
[Router-acl-basic-2000] rule permit source 192.168.20.0 0.0.0.255 //permit VLAN 20 users to access the Internet
[Router-acl-basic-2000] rule permit source 172.16.1.0 0.0.0.255
[Router-acl-basic-2000] rule permit source 172.16.2.0 0.0.0.255
[Router-acl-basic-2000] quit
2. Configure NAT on the public-facing interface so that internal hosts can reach the Internet.
[Router] interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0] nat outbound 2000
[Router-GigabitEthernet0/0/0] quit
3. Configure DNS resolution; the DNS server address is assigned by the ISP.
[Router] dns resolve
[Router] dns server 8.8.8.8
4. After the above configuration, assign static addresses to the users in internal VLAN 10 with the gateway set to 192.168.10.3, and they can access the Internet.
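As an added illustration (not Huawei code and not part of the original article): a Python sanity check over the addressing plan above, covering the static routes, the VRRP virtual IPs and ACL 2000 referenced by nat outbound. The tables are copied from the page's configuration, and the matcher assumes Huawei's wildcard-mask semantics for basic ACLs and the default static-route preference of 60 where the page sets none.

```python
import ipaddress

# Layer 3 addresses taken from this page's configuration (constructed tables, not device output).
INTERFACES = {
    "CORE1": {"Vlanif10": "192.168.10.1/24", "Vlanif20": "192.168.20.1/24",
              "Vlanif100": "172.16.1.1/24", "Vlanif300": "172.16.3.1/24"},
    "Router": {"GE0/0/1": "172.16.1.2/24", "GE0/0/2": "172.16.2.2/24",
               "GE0/0/0": "1.1.1.2/30"},
}
# Static routes from the page as (device, destination, next hop, preference);
# 60 is assumed as Huawei's default where the page sets no preference.
STATIC_ROUTES = [
    ("CORE1", "0.0.0.0/0", "172.16.1.2", 60), ("CORE1", "0.0.0.0/0", "172.16.3.2", 70),
    ("Router", "0.0.0.0/0", "1.1.1.1", 60),
    ("Router", "192.168.10.0/24", "172.16.1.1", 60), ("Router", "192.168.10.0/24", "172.16.2.1", 70),
]
# VRRP groups on CORE1 as (interface, vrid, virtual IP).
VRRP = [("Vlanif10", 1, "192.168.10.3"), ("Vlanif20", 2, "192.168.20.3")]
# ACL 2000 as (source network, wildcard) pairs, exactly as entered on the router.
ACL_2000 = [("192.168.10.0", "0.0.0.255"), ("192.168.20.0", "0.0.0.255"),
            ("172.16.1.0", "0.0.0.255"), ("172.16.2.0", "0.0.0.255")]

def connected_nets(device):
    return [ipaddress.ip_interface(a).network for a in INTERFACES[device].values()]

def next_hop_is_connected(device, next_hop):
    """A static route is only usable if its next hop lies in a directly connected subnet."""
    return any(ipaddress.ip_address(next_hop) in n for n in connected_nets(device))

def unreachable_routes(routes=STATIC_ROUTES):
    """Return the routes whose next hop no connected interface of that device can reach."""
    return [r for r in routes if not next_hop_is_connected(r[0], r[2])]

def vip_in_interface_subnet(device, iface, vip):
    """The VRRP virtual IP must sit in the subnet of the VLANIF it is configured on."""
    net = ipaddress.ip_interface(INTERFACES[device][iface]).network
    return ipaddress.ip_address(vip) in net

def acl_wildcard_match(addr, network, wildcard):
    """Huawei ACL wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a, n = int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(network))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def nat_permits(addr):
    """True if acl 2000 (the match list used by 'nat outbound 2000') permits this source."""
    return any(acl_wildcard_match(addr, n, w) for n, w in ACL_2000)
```

Feeding it a route whose next hop is on a subnet the device does not have (for example 172.16.3.2 from the router) shows the kind of typo such a check catches before the backup path is tested in a failover.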