三層旁掛直接轉發-->所有DHCP基於核心SW-->核心SW上行三層轉...

admin

三層旁掛直接轉發
三層旁掛直接轉發-->所有DHCP基於核心SW-->核心SW上行三層轉發至路由

基本通信配置
ISP
配置思路：模擬公網內的私網用戶及運營商接口
<Huawei>system-view
[Huawei]sysname ISP
[ISP]interface loopback 0
[ISP-LoopBack0]ip address 172.16.200.200 32
[ISP-LoopBack0]interface gigabitethernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip address 222.67.55.1 29
[ISP-GigabitEthernet0/0/0]quit

Gateway
配置思路：配置接口地址，出接口配置NAT轉換使用EASY-IP；配置與核心間的路由；配置默認路由下一跳指向運營商網關。
<Huawei>system-view
[Huawei]sysname Gateway
[Gateway]interface loopback 0
[Gateway-LoopBack0]ip address 100.100.100.100 32
[Gateway-LoopBack0]interface gigabitethernet 0/0/0
[Gateway-GigabitEthernet0/0/0]ip address 222.67.55.2 29
[Gateway-GigabitEthernet0/0/0]interface gigabitethernet 0/0/1
[Gateway-GigabitEthernet0/0/1]ip address 172.16.12.2 24
[Gateway-GigabitEthernet0/0/1]quit
[Gateway]ospf 1
[Gateway-ospf-1]area 0
[Gateway-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234
[Gateway-ospf-1-area-0.0.0.0]network 100.100.100.100 0.0.0.0
[Gateway-ospf-1-area-0.0.0.0]network 172.16.12.0 0.0.0.255
[Gateway-ospf-1-area-0.0.0.0]quit
[Gateway-ospf-1]quit
[Gateway]acl 2000
[Gateway-acl-basic-2000]step 20
[Gateway-acl-basic-2000]rule 20 permit source any
[Gateway-acl-basic-2000]quit
[Gateway]interface gigabitethernet 0/0/0
[Gateway-GigabitEthernet0/0/0]nat outbound 2000
[Gateway-GigabitEthernet0/0/0]quit
[Gateway]nat alg ftp enable
[Gateway]ip route-static 0.0.0.0 0.0.0.0 222.67.55.1

JRSW1
配置思路：下行接口為TRUNK PVID配置為管理VLAN；放行管理及STA業務VLAN；上行接口為TRUNK 放行管理及STA業務VLAN。
<Huawei>system-view
[Huawei]sysname JRSW
[JRSW]vlan batch 10 101 to 102
[JRSW]interface gigabitethernet 0/0/1
[JRSW-GigabitEthernet0/0/1]port link-type trunk
[JRSW-GigabitEthernet0/0/1]port trunk pvid vlan 10
[JRSW-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
[JRSW-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 101 to 102
[JRSW-GigabitEthernet0/0/1]port-isolate enable
[JRSW-GigabitEthernet0/0/1]quit
[JRSW]interface gigabitethernet 0/0/2
[JRSW-GigabitEthernet0/0/2]port link-type trunk
[JRSW-GigabitEthernet0/0/2]undo port trunk allow-pass vlan 1
[JRSW-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 101 to 102
[JRSW-GigabitEthernet0/0/2]quit

JRSW2
配置思路：上行接口配置為ACCESS訪問，放行VLAN 200；上行接口配置為TRUNK放行VLAN 200。
<Huawei>system-view
[Huawei]sysname JRSW2
[JRSW2]vlan batch 200
[JRSW2]interface gigabitethernet 0/0/1
[JRSW2-GigabitEthernet0/0/1]port link-type trunk
[JRSW2-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
[JRSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 200
[JRSW2-GigabitEthernet0/0/1]interface gigabitethernet 0/0/2
[JRSW2-GigabitEthernet0/0/2]port link-type access
[JRSW2-GigabitEthernet0/0/2]port default vlan 200
[JRSW2-GigabitEthernet0/0/2]quit

CoreSW
配置思路：核心交換！AP管理vlan 10；STA業務vlan 101 to 102；PC業務vlan 200；上行轉發vlan 12；下行至AC vlan 100；批量創建完各vlan；把vlan加入相應接口內。
<Huawei>system-view
[Huawei]sysname Coresw
[Coresw]vlan batch 10 12 100 to 102 200
[Coresw]interface gigabitethernet 0/0/1
[Coresw-GigabitEthernet0/0/1]port link-type trunk
[Coresw-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
[Coresw-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 101 to 102
[Coresw-GigabitEthernet0/0/1]interface gigabitethernet 0/0/2
[Coresw-GigabitEthernet0/0/2]port link-type trunk
[Coresw-GigabitEthernet0/0/2]port trunk pvid vlan 12
[Coresw-GigabitEthernet0/0/2]undo port trunk allow-pass vlan 1
[Coresw-GigabitEthernet0/0/2]port trunk allow-pass vlan 12
[Coresw-GigabitEthernet0/0/2]interface gigabitethernet 0/0/3
[Coresw-GigabitEthernet0/0/3]port link-type trunk
[Coresw-GigabitEthernet0/0/3]undo port trunk allow-pass vlan 1
[Coresw-GigabitEthernet0/0/3]port trunk allow-pass vlan 100
[Coresw-GigabitEthernet0/0/3]interface gigabitethernet 0/0/4
[Coresw-GigabitEthernet0/0/4]port link-type trunk
[Coresw-GigabitEthernet0/0/4]undo port trunk allow-pass vlan 1
[Coresw-GigabitEthernet0/0/4]port trunk allow-pass vlan 200
[Coresw-GigabitEthernet0/0/4]quit
配置邏輯接口及DHCP服務；注意VLANIF10的DHCP服務為AP管理為AP分配地址，AC的源接口為VLANIF100；在VLANIF10的DHCP配置中切記配置option43，向AP通告AC所在位置！（在二層轉發中無需進行此步）
[Coresw]dhcp enable
[Coresw]ip pool vlan10
[Coresw-ip-pool-vlan10]gateway-list 172.16.10.1
[Coresw-ip-pool-vlan10]network 172.16.10.0 mask 24
[Coresw-ip-pool-vlan10]excluded-ip-address 172.16.10.200 172.16.10.254
[Coresw-ip-pool-vlan10]lease day 2 hour 0 minute 0
[Coresw-ip-pool-vlan10]dns-list 202.96.199.133 202.96.0.133
[Coresw-ip-pool-vlan10]option 43 sub-option 3 ascii 172.16.100.1
[Coresw-ip-pool-vlan10]quit
[Coresw]ip pool vlan101
[Coresw-ip-pool-vlan101]gateway-list 192.168.101.1
[Coresw-ip-pool-vlan101]network 192.168.101.0 mask 24
[Coresw-ip-pool-vlan101]excluded-ip-address 192.168.101.200 192.168.101.254
[Coresw-ip-pool-vlan101]lease day 2 hour 0 minute 0
[Coresw-ip-pool-vlan101]dns-list 202.96.199.133 202.96.0.133
[Coresw-ip-pool-vlan101]quit
[Coresw]ip pool vlan102
[Coresw-ip-pool-vlan102]gateway-list 192.168.102.1
[Coresw-ip-pool-vlan102]network 192.168.102.0 mask 24
[Coresw-ip-pool-vlan102]excluded-ip-address 192.168.102.200 192.168.102.254
[Coresw-ip-pool-vlan102]lease day 2 hour 0 minute 0
[Coresw-ip-pool-vlan102]dns-list 202.96.199.133 202.96.0.133
[Coresw-ip-pool-vlan102]quit
[Coresw]ip pool vlan200
[Coresw-ip-pool-vlan200]gateway-list 192.168.200.1
[Coresw-ip-pool-vlan200]network 192.168.200.0 mask 24
[Coresw-ip-pool-vlan200]excluded-ip-address 192.168.200.200 192.168.200.254
[Coresw-ip-pool-vlan200]lease day 2 hour 0 minute 0
[Coresw-ip-pool-vlan200]dns-list 202.96.199.133 202.96.0.133
[Coresw-ip-pool-vlan200]quit
[Coresw]interface vlanif 10
[Coresw-Vlanif10]ip address 172.16.10.1 24
[Coresw-Vlanif10]dhcp select global
[Coresw-Vlanif10]interface vlanif 101
[Coresw-Vlanif101]ip address 192.168.101.1 24
[Coresw-Vlanif101]dhcp select global
[Coresw-Vlanif101]interface vlanif 102
[Coresw-Vlanif102]ip address 192.168.102.1 24
[Coresw-Vlanif102]dhcp select global
[Coresw-Vlanif102]interface vlanif 12
[Coresw-Vlanif12]ip address 172.16.12.1 24
[Coresw-Vlanif12]interface vlanif 100
[Coresw-Vlanif100]ip address 172.16.100.2 24
[Coresw-Vlanif100]interface vlanif 200
[Coresw-Vlanif200]ip address 192.168.200.1 24
[Coresw-Vlanif200]dhcp select global
[Coresw-Vlanif200]interface loopback 0
[Coresw-LoopBack0]ip address 101.101.101.101 32
[Coresw-LoopBack0]quit
[Coresw]ip route-static 0.0.0.0 0.0.0.0 172.16.12.2
配置與AC和路由間的動態路由
[Coresw]ospf 1
[Coresw-ospf-1]area 0
[Coresw-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234
[Coresw-ospf-1-area-0.0.0.0]network 172.16.10.0 0.0.0.255
[Coresw-ospf-1-area-0.0.0.0]network 192.168.101.0 0.0.0.255
[Coresw-ospf-1-area-0.0.0.0]network 192.168.102.0 0.0.0.255
[Coresw-ospf-1-area-0.0.0.0]network 172.16.100.0 0.0.0.255
[Coresw-ospf-1-area-0.0.0.0]network 192.168.200.0 0.0.0.255
[Coresw-ospf-1-area-0.0.0.0]network 172.16.12.0 0.0.0.255

AC配置
配置思路：先配置互通及路由；再配置WLAN業務；STA業務數據為直接轉發，所以不存在AC到出口路由的路由互通，僅需要有AC到核心的動態路由便可。
[AC]vlan batch 100
[AC]interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1]port link-type trunk
[AC-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
[AC-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1]quit
[AC]interface loopback 0
[AC-LoopBack0]ip address 102.102.102.102 32
[AC-LoopBack0]interface vlanif 100
[AC-Vlanif100]ip address 172.16.100.1 24
[AC-Vlanif100]quit
[AC]ospf 1
[AC-ospf-1]area 0
[AC-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234
[AC-ospf-1-area-0.0.0.0]network 172.16.100.0 0.0.0.255
[AC-ospf-1-area-0.0.0.0]network 102.102.102.102 0.0.0.0
[AC-ospf-1-area-0.0.0.0]quit
[AC-ospf-1]quit
配置WLAN業務
[AC]wlan
[AC-wlan-view]ap-group name zurkj
[AC-wlan-ap-group-zurkj]quit
[AC-wlan-view]regulatory-domain-profile name zurkj
[AC-wlan-regulate-domain-zurkj]country-code cn
[AC-wlan-regulate-domain-zurkj]quit
[AC-wlan-view]ap-group name zurkj
[AC-wlan-ap-group-zurkj]regulatory-domain-profile zurkj
[AC-wlan-ap-group-zurkj]quit
[AC-wlan-view]quit
[AC]capwap source ip-address 172.16.100.1
[AC]wlan
[AC-wlan-view]ap auth-mode mac-auth
[AC-wlan-view]ap-id 0 ap-mac 00E0-FCEF-67E0
[AC-wlan-ap-0]ap-name ap0
[AC-wlan-ap-0]ap-group zurkj
[AC-wlan-ap-0]quit
[AC-wlan-view]quit
[AC]vlan pool vlanpool
[AC-vlan-pool-vlanpool]vlan 101 to 102
[AC-vlan-pool-vlanpool]assignment hash
[AC-vlan-pool-vlanpool]quit
[AC]wlan
[AC-wlan-view]security-profile name zurkj
[AC-wlan-sec-prof-zurkj]security wpa-wpa2 psk pass-phrase qwe123123 aes
[AC-wlan-sec-prof-zurkj]quit
[AC-wlan-view]security-profile name ipgzj
[AC-wlan-sec-prof-ipgzj]security wpa-wpa2 psk pass-phrase qwe321321 aes
[AC-wlan-sec-prof-ipgzj]quit
[AC-wlan-view]ssid-profile name zurkj
[AC-wlan-ssid-prof-zurkj]ssid zurkj
[AC-wlan-ssid-prof-zurkj]quit
[AC-wlan-view]ssid-profile name ipgzj
[AC-wlan-ssid-prof-ipgzj]ssid ipgzj
[AC-wlan-ssid-prof-ipgzj]quit
[AC-wlan-view]traffic-profile name zurkj
[AC-wlan-traffic-prof-zurkj]rate-limit client up 1024
[AC-wlan-traffic-prof-zurkj]rate-limit client down 1024
[AC-wlan-traffic-prof-zurkj]quit
[AC-wlan-view]traffic-profile name ipgzj
[AC-wlan-traffic-prof-ipgzj]rate-limit client up 2048
[AC-wlan-traffic-prof-ipgzj]rate-limit client down 2048
[AC-wlan-traffic-prof-ipgzj]quit
[AC-wlan-view]vap-profile name zurkj
[AC-wlan-vap-prof-zurkj]forward-mode direct-forward
[AC-wlan-vap-prof-zurkj]service-vlan vlan-pool vlanpool
[AC-wlan-vap-prof-zurkj]security-profile zurkj
[AC-wlan-vap-prof-zurkj]ssid-profile zurkj
[AC-wlan-vap-prof-zurkj]traffic-profile zurkj
[AC-wlan-vap-prof-zurkj]quit
[AC-wlan-view]vap-profile name ipgzj
[AC-wlan-vap-prof-ipgzj]forward-mode direct-forward
[AC-wlan-vap-prof-ipgzj]service-vlan vlan-pool vlanpool
[AC-wlan-vap-prof-ipgzj]security-profile ipgzj
[AC-wlan-vap-prof-ipgzj]ssid-profile ipgzj
[AC-wlan-vap-prof-ipgzj]traffic-profile ipgzj
[AC-wlan-vap-prof-ipgzj]quit
[AC-wlan-view]ap-group name zurkj
[AC-wlan-ap-group-zurkj]vap-profile zurkj wlan 1 radio all
[AC-wlan-ap-group-zurkj]vap-profile ipgzj wlan 2 radio all
[AC-wlan-ap-group-zurkj]quit
[AC-wlan-view]quit


注意：由於核心交換機配置的有三層網關，STA及PC用戶業務在訪問公網設置時必須配置默認路由！同樣路由器也需要配置默認路由！NAT轉換配置在路由器的邊界接口上。
完成！