Huawei Switch Network Planning: Case Study

Network Plan for an Enterprise

Contents
1. Network VLAN address plan
2. Network device IP address plan
3. Network topology
4. Core switch interface configuration
5. Network management platform configuration
6. Network device parameter settings
   (1) Internet core switch configuration
   (2) Firewall configuration
   (3) AC6605 wireless controller configuration
   (4) Access switch configuration

1. Network VLAN address plan

| VLAN ID | Description | IP address range | Gateway |
|---|---|---|---|
| 10 | Internet wired user segment | /24 | 54 |
| 20 | Monitoring network segment | /23 | 54 |
| 30 | Wireless user segment | /24 | 54 |
| 40 | Wireless AP address segment | /24 | 54 |
| 50 | Reserved | /24 | 54 |
| 60 | Firewall interconnect segment | /24 | 54 |
| 1000 | Device management segment | /24 | 54 |

2. Network device IP address plan

| Device name | Device model | Device address | Login password |
|---|---|---|---|
| Firewall | USG2250 | 192.168.60. | PASS:admin123 |
| Core switch -WW | S7706 | 54 | admin123 |
| Core switch -JK | S7706 | 53 | admin123 |
| Wireless controller | AC6605 | 00 | Admin123 |
| Access switch 01 | S5700-28P-PWR-LI-AC | 1 | admin123 |
| Access switch 02 | S5700-28P-PWR-LI-AC | 2 | admin123 |
| Access switch 03 | S5700-28P-PWR-LI-AC | 3 | admin123 |
| Access switch 04 | S5700-28P-PWR-LI-AC | 4 | admin123 |
| Access switch 05 | S5700-28P-LI-AC | 5 | admin123 |
| Access switch 06 | S5700-28P-LI-AC | 6 | admin123 |
| Access switch 07 | S5700-28P-LI-AC | 7 | admin123 |
| Access switch 08 | S5700-28P-LI-AC | 8 | admin123 |
| Access switch 09 | S5700-28P-LI-AC | 9 | admin123 |
| Access switch 10 | S5700-28P-LI-AC | 0 | admin123 |
| | | | admin123 |

3. Network topology

Figure 1: Internet network topology

Figure 2: Monitoring network topology

4. Core switch interface configuration

Internet core switch

| Port | 0 | 2 | 4 | 6 | 0 | 2 | 4 | 6 | 8 | 10 | 12 | 14 | 16 | 18 | 20 | 22 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Use | To firewall | VLAN 10 | VLAN 10 | TRUNK | X | X | X | X | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK |

| Port | 1 | 3 | 5 | 7 | 1 | 3 | 5 | 7 | 9 | 11 | 13 | 15 | 17 | 19 | 21 | 23 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Use | To AC | VLAN 10 | VLAN 10 | TRUNK | X | X | X | X | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK |

Notes: VLAN10: connects PCs for Internet access. TRUNK: connects access switches. X: optical/electrical combo port.

Monitoring switch

| Port | 0 | 2 | 4 | 6 | 0 | 2 | 4 | 6 | 8 | 10 | 12 | 14 | 16 | 18 | 20 | 22 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Use | VLAN 20 | VLAN 20 | VLAN 10 | TRUNK | X | X | X | X | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK |

| Port | 1 | 3 | 5 | 7 | 1 | 3 | 5 | 7 | 9 | 11 | 13 | 15 | 17 | 19 | 21 | 23 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Use | VLAN 20 | VLAN 20 | VLAN 20 | TRUNK | X | X | X | X | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK | TRUNK |

Notes: VLAN20: connects monitoring PCs or terminals. TRUNK: connects access switches.

5. Network management platform configuration

| IP address | Model | Password | NMS platform password |
|---|---|---|---|
| 53 | HP DL360eGen8 | Administrator | admin/1234 |

Topology management:

6. Network device parameter settings

(1) Internet core switch configuration

display current-configuration
!Software Version V200R003C00SPC500
#
sysname TYG-WW-Core
#
dns server
#
vlan batch 10 20 30 40 50 60 1000
#
observe-port 1 interface GigabitEthernet3/0/4
#
lldp enable
#
undo nap slave enable
#
dba-profile default0 type3 assure 40000 max 80000
#
dhcp enable
#
dhcp snooping enable
#
diffserv domain default
#
line-profile default0
#
service-profile default0
#
vlan 10
 description NW-net
vlan 20
 description jiankong-net
vlan 30
 description NW-AP-client
vlan 40
 description NW-AP
vlan 50
 description to_tplink
vlan 60
 description to_FW
vlan 1000
 description management
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %5d9:MipCfLiB)EQd3Uwe%
 local-user admin service-type http
#
interface Vlanif10
 description NW-net
 ip address 54
 dhcp select interface
 dhcp server excluded-ip-address 53
 dhcp server dns-list
#
interface Vlanif20
 description jiankong-net
 ip address 54
#
interface Vlanif30
 description NW-AP-client
 ip address 54
 dhcp select interface
 dhcp server lease day 0 hour 6 minute 0
 dhcp server dns-list
#
interface Vlanif40
 description NW-AP
 ip address 54
#
interface Vlanif50
 description to_tplink
#
interface Vlanif60
 description to_FW
 ip address 54
#
interface Vlanif1000
 description management
 ip address 54
#
interface Ethernet0/0/0
#
interface GigabitEthernet3/0/0
 description to_FW
 port link-type access
 port default vlan 60
#
interface GigabitEthernet3/0/1
 description to_AC6605
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet3/0/3
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface GigabitEthernet3/0/4
 port link-type access
 port default vlan 10
 dhcp snooping enable
#
interface GigabitEthernet3/0/5
 port link-type access
 port default vlan 10
#
interface GigabitEthernet3/0/6
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/7
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/8
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/9
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/10
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/11
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/12
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/13
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/14
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/15
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/16
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/17
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/18
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/19
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/20
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/21
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/22
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/23
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface NULL0
#
ip route-static
#
snmp-agent
snmp-agent local-engineid 800007DB03D46AA880E600
snmp-agent community read cipher %$%$T&Legw4c8h-Y.|!8;Xrp(TP(+e#2C$/)e4,8B:+&Xrs;5+o-feDqC$8Z4A6t$TNr|;X%$%$ mib-view iso-view
snmp-agent community write yroQo9;K%$%$ mib-view iso-view
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 53 params securityname cipher %mmV:Q:v8ciq0YC/U0;Kp8% v2c
snmp-agent mib-view included iso-view iso
snmp-agent trap source Vlanif1000
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %WJp(2C;L;B_lSU41o+,#DE,vU6%)EXj&XIOM%GJ#DH,%
user-interface vty 0 4
 authentication-mode password
 user privilege level 15
 set authentication password cipher %dze*2MdUX+WX9.,M=Xa7Iy6U/-PTJ7XhTO7Xa:=%
user-interface vty 16 20
#
port-group 1
 group-member GigabitEthernet3/0/0
 group-member GigabitEthernet3/0/1
 group-member GigabitEthernet3/0/2

 group-member GigabitEthernet3/0/3
 group-member GigabitEthernet3/0/4
 group-member GigabitEthernet3/0/5
 group-member GigabitEthernet3/0/6
 group-member GigabitEthernet3/0/7
 group-member GigabitEthernet3/0/8
 group-member GigabitEthernet3/0/9
 group-member GigabitEthernet3/0/10
 group-member GigabitEthernet3/0/11
 group-member GigabitEthernet3/0/12
 group-member GigabitEthernet3/0/13
 group-member GigabitEthernet3/0/14
 group-member GigabitEthernet3/0/15
 group-member GigabitEthernet3/0/16
 group-member GigabitEthernet3/0/17
 group-member GigabitEthernet3/0/18
 group-member GigabitEthernet3/0/19
 group-member GigabitEthernet3/0/20
 group-member GigabitEthernet3/0/21
 group-member GigabitEthernet3/0/22
 group-member GigabitEthernet3/0/23
#
return

dis int bri
PHY: Physical
*down: administratively down
down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol InUti  OutUti  inErrors  outErrors
GigabitEthernet3/0/0        up    up       1.42%  0.50%   0         0
GigabitEthernet3/0/1        up    up       0.04%  0.44%   0         0
GigabitEthernet3/0/2        up    up       2.31%  1.82%   0         0
GigabitEthernet3/0/3        up    up       0%     0%      0         0
GigabitEthernet3/0/4        down  down     0%     0%      0         0
GigabitEthernet3/0/5        down  down     0%     0%      0         0
GigabitEthernet3/0/6        down  down     0%     0%      0         0
GigabitEthernet3/0/7        down  down     0%     0%      0         0
GigabitEthernet3/0/8        down  down     0%     0%      0         0
GigabitEthernet3/0/9        down  down     0%     0%      0         0
GigabitEthernet3/0/10       down  down     0%     0%      0         0
GigabitEthernet3/0/11       down  down     0%     0%      0         0
GigabitEthernet3/0/12       down  down     0%     0%      0         0
GigabitEthernet3/0/13       down  down     0%     0%      0         0
GigabitEthernet3/0/14       up    up       0.01%  0.12%   0         0
GigabitEthernet3/0/15       down  down     0%     0%      0         0
GigabitEthernet3/0/16       up    up       0%     0%      0         0
GigabitEthernet3/0/17       down  down     0%     0%      0         0
GigabitEthernet3/0/18       up    up       0%     0%      0         0
GigabitEthernet3/0/19       down  down     0%     0%      0         0
GigabitEthernet3/0/20       up    up       0.23%  0.68%   0         0
GigabitEthernet3/0/21       down  down     0%     0%      0         0
GigabitEthernet3/0/22       up    up       0%     0%      0         0
GigabitEthernet3/0/23       down  down     0%     0%      0         0
NULL0                       up    up(s)    0%     0%      0         0
Vlanif10                    up    up       -              0         0
Vlanif20                    up    up       -              0         0
Vlanif30                    up    up       -              0         0
Vlanif40                    up    up       -              0         0
Vlanif50                    up    down     -              0         0
Vlanif60                    up    up       -              0         0
Vlanif1000                  up    up       -              0         0

dis ip int b
*down: administratively down
!down: FIB overload down
down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 8
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 7
The number of interface that is DOWN in Protocol is 2
Interface         IP Address/Mask   Physical  Protocol
Ethernet0/0/0     unassigned        down      down
NULL0             unassigned        up        up(s)
Vlanif10          54/24             up        up
Vlanif20          54/24             up        up
Vlanif30          54/23             up        up
Vlanif40          54/24             up        up
Vlanif50          unassigned        up        down
Vlanif60          54/24             up        up
Vlanif1000        54/24             up        up

dis ip rou
Route Flags: R - relay, D - download to fib
Routing Tables: Public
Destinations : 15    Routes : 15
Destination/Mask  Proto   Pre  Cost  Flags  NextHop  Interface
/0                Static  60   0     RD              Vlanif60
/24               Direct  0    0     D      54       Vlanif1000
54/32             Direct  0    0     D               Vlanif1000
/8                Direct  0    0     D               InLoopBack0
/32               Direct  0    0     D               InLoopBack0
/24               Direct  0    0     D      54       Vlanif10
54/32             Direct  0    0     D               Vlanif10
/24               Direct  0    0     D      54       Vlanif20
54/32             Direct  0    0     D               Vlanif20
/23               Direct  0    0     D      54       Vlanif30
54/32             Direct  0    0     D               Vlanif30
/24               Direct  0    0     D      54       Vlanif40
54/32             Direct  0    0     D               Vlanif40
/24               Direct  0    0     D      54       Vlanif60
54/32             Direct  0    0     D               Vlanif60

dis vers
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.130 (S7700 V200R003C00SPC500)
Copyright (C) 2000-2013 HUAWEI TECH CO., LTD
Quidway S7706 Terabit Routing Switch uptime is 0 week, 2 days, 4 hours, 5 minutes
BKP 0 version information:
1. PCB Version : LE02BAKI VER.A
Support PoE : No
Board Type : ES0B00770600
MPU Slot Quantity : 2
LPU Slot Quantity : 6
MPU 7(Master) : uptime is 0 week, 2 days, 4 hours, 4 minutes
SDRAM Memory Size : 1024M bytes
Flash Memory Size : 64M bytes
NVRAM Memory Size : 512K bytes
CF Card1 Memory Size : 488M bytes
MPU version information :
1. PCB Version : LE02SRUA VER.D
MAB Version : 8
Board Type : ES0D00SRUA00
CPLD0 Version : 101
BootROM Version : 171
BootLoad Version : 0203.007a
LPU 3 : uptime is 0 week, 2 days, 4 hours, 4 minutes
SDRAM Memory Size : 256M bytes
Flash Memory Size : 16M bytes
LPU version information :
1. PCB Version : LE02G24C VER.D
MAB Version : 0
Board Type : ES0D0G24CA00
CPLD0 Version : 103
BootROM Version : 171
BootLoad Version : 0203.00a1
CMU 9(Master) : uptime is 0 week, 2 days, 4 hours, 4 minutes
CMU version information :
1. PCB Version : LE02CMUA VER.B
MAB Version : 0
Board Type : LE0DCMUA0000

(2) Firewall configuration

display current-configuration
15:08:49 2014/08/14
#
sysname USG2250
#
l2tp enable
l2tp domain suffix-separator
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
dns server unnumbered interface Dialer0
#
firewall defend udp-short-header enable
firewall defend http-flood enable
firewall defend port-scan enable
firewall defend ip-sweep enable
firewall defend teardrop enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend icmp-flood enable
firewall defend udp-flood enable
firewall defend syn-flood enable
firewall defend smurf enable
firewall defend land enable
firewall defend ip-spoofing enable
firewall defend arp-flood enable
firewall defend arp-spoofing enable
firewall defend udp-flood base-session max-rate 1000
firewall defend icmp-flood base-session max-rate 255
#
firewall statistic system enable
#
pki certificate access-control-policy default permit
#
dns proxy enable
#
ddns client enable
#
license-server domain
#
lldp enable
#
web-manager enable
web-manager security enable port 8443
undo web-manager config-guide enable
#
user-manage web-authentication security port 8888
#
interface Dialer0
 link-protocol ppp
 ppp chap user 0251
 ppp chap password cipher %$%$om.kH.-J&:zO-ibUR14+%$%$
 ppp pap local-user 0251 password cipher %$%$C*:B)5xG.mBH.+r&e%86-$%$%$

 ppp ipcp dns admit-any
 ip address ppp-negotiate
 dialer user 0251
 dialer bundle 1
 nat enable
 detect ftp
#
interface Cellular0/1/0
 link-protocol ppp
#
interface Cellular0/1/1
 link-protocol ppp
#
interface GigabitEthernet0/0/0
 ip address
 lldp enable
 lldp tlv-enable basic-tlv all
#
interface GigabitEthernet0/0/1
 pppoe-client dial-bundle-number 1
 lldp enable
 lldp tlv-enable basic-tlv all
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 detect ftp
 detect rtsp
 detect pptp
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 detect ftp
 detect rtsp
 detect pptp
 add interface Dialer0
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 detect ftp
 detect rtsp
 detect pptp
#
firewall interzone local trust
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone local untrust
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone local dmz
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone trust untrust
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone trust dmz
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone dmz untrust
 detect ftp
 detect pptp
 detect rtsp
#
aaa
 local-user sun password cipher %$%$%D%Q57=3FRKi)8MrP59:5ro0b0eCR;of%$%$ mib-view iso-view
snmp-agent community read %$%$:99A)S:z7GhSiPId0&K;F=4%$%$ mib-view iso-view
snmp-agent sys-info contact R&D Huawei Technologies Co.,Ltd.
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 53 params securityname %$%$a6IY(uUaV0|P1l.T&$O;/&z%$%$ v2c
snmp-agent mib-view included iso-view iso
snmp-agent packet max-size 12000
#
banner enable
#
user-interface con 0
 authentication-mode aaa
user-interface tty 2 3
 authentication-mode password
 modem both
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
ip address-set 内网 192.168.10 type object
 description 内网有线
 address 0 mask 24
#
ip address-set 内网 type object
 description 内网无线用户
 address 0 4 mask 32
#
slb
#
cwmp
#
right-manager server-group
#
policy interzone local untrust inbound
 policy 0
  action permit
  policy service service-set telnet
  policy service service-set http
  policy service service-set https
  policy service service-set ssh
  policy service service-set l2tp
  policy service service-set icmp
#
nat-policy interzone trust untrust outbound
 policy 0
  action source-nat
  policy source address-set 内网 192.168.10
  easy-ip Dialer0
 policy 1
  action source-nat
  policy source address-set 内网
  easy-ip Dialer0
#
return

DIS IP IN TB
Error: Wrong parameter found at position.
ids ip in
Error: Wrong parameter found at position.

dis ip int b
15:09:03 2014/08/14
*down: administratively down
(s): spoofing
Interface             IP Address   Physical  Protocol  Description
Cellular0/1/0         unassigned   down      up(s)     Huawei,USG2200
Cellular0/1/1         unassigned   down      up(s)     Huawei,USG2200
Dialer0               30           up        up(s)     Huawei,USG2200
GigabitEthernet0/0/0               up        up        Huawei,USG2200
GigabitEthernet0/0/1  unassigned   up        down      Huawei,USG2200

dis int bri
15:09:05 2014/08/14
PHY: Physical
*down: administratively down
down: standby down
(s): spoofing
InUti/OutUti: input utility/output utility
Interface             PHY   Protocol  InUti  OutUti  inErrors  outErrors
Cellular0/1/0         down  up(s)     0%     0%      0         0
Cellular0/1/1         down  up(s)     0%     0%      0         0
Dialer0               up    up(s)     -              0         0
GigabitEthernet0/0/0  up    up        0.55%  1%      0         0
GigabitEthernet0/0/1  up    down      1%     0.55%   0         0
NULL0                 up    up(s)     0%     0%      0         0

dis ip rou
15:09:09 2014/08/14
Route Flags: R - relay, D - download to fib
Routing Tables: Public
Destinations : 12    Routes : 12
Destination/Mask  Proto   Pre  Cost  Flags  NextHop  Interface
/0                Static  60   0     D      30       Dialer0
/24               Static  60   0     D      54       GigabitEthernet0/0/0
/8                Direct  0    0     D               InLoopBack0
/32               Direct  0    0     D               InLoopBack0
/24               Static  60   0     RD     54       GigabitEthernet0/0/0
/24               Static  60   0     RD     54       GigabitEthernet0/0/0
/23               Static  60   0     RD     54       GigabitEthernet0/0/0
/24               Static  60   0     RD     54       GigabitEthernet0/0/0
/24               Direct  0    0     D               GigabitEthernet0/0/0
/32               Direct  0    0     D               InLoopBack0
1/32              Direct  0    0     D      1        Dialer0
30/32             Direct  0    0     D               InLoopBack0

dis vers
15:09:15 2014/08/14
Huawei Versatile Routing Platform Software
Software Version: USG2200 V300R001C10SPC100 (VRP (R) Software, Version 5.30)
Copyright (C) 2008-2014 Huawei Technologies Co., Ltd.
Secoway USG2250 uptime is 0 week, 2 days, 4 hours, 17 minutes
RPUs Version Information:
2048Mbytes SDRAM
64Mbytes FLASH
128Kbytes NVRAM
Pcb Version : VER.A
CPLD Logic Version : 009B
FPGA Logic Version : 017
Small BootROM Version : 536
Big BootROM Version : 714

(3) AC6605 wireless controller configuration

AC6605 display current-configuration
#
snmp-agent local-engineid 800007DB0330D17E7303EC
snmp-agent community read %Igs5svSywxh1*S_QP;xGJFl=FA0(%2mP:-;xJb$N;3.NQ%ZQ!EWi 6XxS;% mib-view iso-view
snmp-agent community complexity-check disable
snmp-agent mib-view iso-view include iso
snmp-agent
#
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
#
info-center timestamp log format-date
#
vlan batch 30 40 100 1000
#
lldp enable
#
dhcp enable
#
diffserv domain default
#
vlan 30
 description description NW-AP-client
vlan 40
 description NW-AP
vlan 100
 description to_NW-Core
vlan 1000
 description managemet
#
pki realm default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %IyLi(s!nl/euuILT%(q66;i%
 local-user admin privilege level 15
 local-user admin service-type telnet web http
#
interface Vlanif30
 description NW-AP-client
#
interface Vlanif40
 description NW-AP
 ip address 00
 dhcp select interface
 dhcp server excluded-ip-address 54
#
interface Vlanif1000
 description managemet
 ip address 00
#
interface MEth0/0/1
 ip address
#
interface GigabitEthernet0/0/1
 description to_7706
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 40
 port trunk allow-pass vlan 30 40
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 40
 port trunk allow-pass vlan 30 40
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 40
 port trunk allow-pass vlan 30 40
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk pvid vlan 40
 port trunk allow-pass vlan 30 40
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk pvid vlan 40
 port trunk allow-pass vlan 30 40
#
interface GigabitEthernet0/0/7
 port link-type trunk
 port trunk pvid vlan 40
 port trunk allow-pass vlan 30 40
#
interface GigabitEthernet0/0/8
 port link-type trunk
 port trunk pvid vlan 40
 port trunk allow-pass vlan 30 40
#
interface GigabitEthernet0/0/9
 port link-type trunk
 port trunk pvid vlan 40
 port trunk allow-pass vlan 30 40
#
inter
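
The check below compares switch port configuration in the style of section 6(1) with the port plan of sections 1 and 4, and reports trunks that pass VLANs outside the `vlan batch` list. It is an added example, not part of the original document; `SAMPLE_CONFIG` is a constructed excerpt, and `PLAN`, `expand_vlans` and `audit` are hypothetical names.

```python
import re

# Constructed excerpt in the style of the core-switch configuration on this page.
SAMPLE_CONFIG = """\
vlan batch 10 20 30 40 50 60 1000
#
interface GigabitEthernet3/0/0
 port link-type access
 port default vlan 60
#
interface GigabitEthernet3/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet3/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet3/0/6
 port link-type trunk
 port trunk allow-pass vlan 30 40
"""

# Hypothetical plan mapping (access port -> planned VLAN), following sections 1 and 4.
PLAN = {"GigabitEthernet3/0/0": 60, "GigabitEthernet3/0/2": 10}

def expand_vlans(spec):
    """Expand a VRP VLAN list such as '10 20 30 to 32' into a set of ints."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        first = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(first, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(first)
            i += 1
    return vlans

def audit(config, plan):
    """Return (interface, finding) pairs for plan mismatches and over-wide trunks."""
    defined = expand_vlans(re.search(r"^vlan batch (.+)$", config, re.M).group(1))
    findings = []
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        port, body = m.groups()
        access = re.search(r"^ port default vlan (\d+)", body, re.M)
        trunk = re.search(r"^ port trunk allow-pass vlan (.+)$", body, re.M)
        if access and plan.get(port) != int(access.group(1)):
            findings.append((port, f"access VLAN {access.group(1)}, plan says {plan.get(port)}"))
        extra = expand_vlans(trunk.group(1)) - defined if trunk else set()
        if extra:
            findings.append((port, f"trunk passes {len(extra)} VLANs not in vlan batch"))
    return findings
```

On the sample, only the `2 to 4094` trunk is reported; the trunk limited to VLANs 30 and 40 passes because both are in the `vlan batch` list.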
