Data Communications - Build Series
Chapter 4: Quickly Building a Three-Tier Topology on Huawei/H3C Switches via CLI
- Data Communications - Build Series
- Series recap
- Quickly building a three-tier topology on Huawei/H3C switches via CLI
- Background
- Bill of materials
- Topology techniques
- Lab parameters
- Quick build: access-layer switches
- Quick build: access-layer switches for PoE devices
- Switch configuration acceptance checks
- Quick build: aggregation-layer switches
- Quick build: core-layer switches
- Switch configuration acceptance checks
- Quick build: wireless controller
- Wireless controller configuration acceptance checks
Series recap
Chapter 1: Automatic backup of Huawei/H3C switch configurations to FTP/SFTP
Chapter 2: Configuring passwordless SSH login on Huawei/H3C switches
Chapter 3: Configuring NTP time synchronization on Huawei/H3C switches
Quickly building a three-tier topology on Huawei/H3C switches via CLI
Background
This post builds a three-tier network topology for an internal network from scratch, using Huawei and H3C switches for a quick build. Only the CLI commands are recorded: hands-on practice, no theory.
Bill of materials
- Access-layer switch models (tested):
  Client: FutureMatrix S1730S-S48T4S-A1, HUAWEI S1730S-S48T4S-A
  PoE: FutureMatrix S1730S-S24P4S-A1, FutureMatrix S1730S-S24P4S-A2, H3C S5024PV3-EI-PWR
- Aggregation-layer switch models (tested):
  FutureMatrix S5735S-L24T4S-A1, HUAWEI S5735S-L48T4S-A1, HUAWEI S5720-52P-LI-AC
- Core-layer switch model (the lab uses an S5-series switch as the core; for a production deployment an S7-series or higher is recommended):
  HUAWEI S5720-32P-EI-AC
- Wireless controller model:
  H3C WX2540H
Topology techniques
- RSTP (Rapid Spanning Tree)
- Link aggregation on the aggregation-to-core uplinks
- Stacking: the two core switches are interconnected with stack cables
Lab parameters
- Switch DNS servers: 1.1.1.1, 1.1.1.2
- Switch management segment sw-manage: vlan 200, ip address 1.1.200.0/24
- Core switch management address: vlanif200 1.1.200.254/24
- Floor 1 VLAN: vlan 11, vlanif11 1.1.11.0/24
- Surveillance segment: vlan 60
- Wireless guest segment: vlan 88
- Wireless no-authentication segment: vlan 80
- Wireless real-name (portal) authentication segment: vlan 84
- Wireless dumb-terminal segment: vlan 90
Quick build: access-layer switches
Note: for copper uplinks use the last two electrical ports of the copper card; for fiber uplinks use the first two ports of the SFP card.
This walkthrough involves both fiber and copper uplinks, so keep the two apart.
Setting the console password and the local-user password triggers a Y/N confirmation prompt. Those confirmations are not written out here, so the commands need adjusting before they can be pushed as a script.
# Access switch connecting end-user clients
# FutureMatrix S1730S-S48T4S-A1
# HUAWEI S1730S-S48T4S-A
sys
sysname L2sw-1F-Client-01
dns resolve
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]
vlan 11
 desc 1f
 quit
vlan 200
 desc sw-manage
 quit
# client ports: access VLAN 11, edge ports so they skip STP convergence
int range gi 0/0/1 to gi 0/0/47
 desc Client
 port link-type access
 port default vlan 11
 stp edged-port enable
 quit
# uplink: trunk carrying only VLAN 11 and management VLAN 200, VLAN 1 pruned
int gi 0/0/48
 desc up-sw-link-GE0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11 200
 quit
undo int vlan 1
int vlan 200
 desc sw-manage-ip
 ip addr 1.1.200.111 24
 quit
ip route-static 0.0.0.0 0.0.0.0 1.1.200.254
stp enable
stp mode rstp
lldp enable
# management services are bound to the management VLAN interface only
http server enable
http secure-server enable
http server-source -i vlan 200
stelnet server enable
ssh user admin
ssh user admin authen all
ssh user admin service-type all
ssh server-source -i vlan 200
aaa
 local-aaa-user password policy administrator
  pass expire 0
  quit
 local-user admin pass irr [password] privilege level 15
 local-user admin idle-timeout 30 access-limit 5
 local-user admin ftp-directory flash:/
 local-user admin service-type terminal ssh ftp http
 local-user admin state active
 quit
user-int console 0
 authen pass
 set authen pass cipher [password]
 quit
user-int vty 0 4
 authen aaa
 user privilege level 15
 protocol inbound all
 quit
undo ntp server disable
clock timezone Beijing,Chongqing,Hongkon,Urumqi add 08:00:00
ntp-service unicast-server 1.1.200.254
quit
save force
Quick build: access-layer switches for PoE devices
# Access switch connecting PoE devices - HUAWEI
# FutureMatrix S1730S-S24P4S-A1
# FutureMatrix S1730S-S24P4S-A2
sys
sysname L2sw-1F-POE-01
dns resolve
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]
vlan 60
 desc monitor
 quit
vlan 80
 desc office
 quit
vlan 84
 desc portal-office
 quit
vlan 88
 desc guest
 quit
vlan 90
 desc terminal
 quit
vlan 200
 desc sw-manage
 quit
# AP ports: PoE on, trunk with untagged (pvid) management VLAN 200 plus the wireless VLANs, VLAN 1 pruned
int range gi 0/0/1 to gi 0/0/10
 desc AP
 poe enable
 port link-type trunk
 port trunk pvid vlan 200
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 80 84 88 90 200
 stp edged-port enable
 quit
# camera ports: PoE on, access VLAN 60
int range gi 0/0/11 to gi 0/0/23
 desc monitor
 poe enable
 port link-type access
 port default vlan 60
 stp edged-port enable
 quit
# uplink: PoE off, trunk for all VLANs except VLAN 1
int gi 0/0/24
 desc up-sw-link-GE0/0/2
 undo poe enable
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 quit
undo int vlan 1
int vlan 200
 desc sw-manage-ip
 ip addr 1.1.200.112 24
 quit
ip route-static 0.0.0.0 0.0.0.0 1.1.200.254
stp enable
stp mode rstp
lldp enable
http server enable
http secure-server enable
http server-source -i vlan 200
stelnet server enable
ssh user admin
ssh user admin authen all
ssh user admin service-type all
ssh server-source -i vlan 200
aaa
 local-aaa-user password policy administrator
  pass expire 0
  quit
 local-user admin pass irr [password] privilege level 15
 local-user admin idle-timeout 30 access-limit 5
 local-user admin ftp-directory flash:/
 local-user admin service-type terminal ssh ftp http
 local-user admin state active
 quit
user-int console 0
 authen pass
 set authen pass cipher [password]
 quit
user-int vty 0 4
 authen aaa
 user privilege level 15
 protocol inbound all
 quit
undo ntp server disable
clock timezone Beijing,Chongqing,Hongkon,Urumqi add 08:00:00
ntp-service unicast-server 1.1.200.254
quit
save force
# Access switch connecting PoE devices - H3C
# H3C S5024PV3-EI-PWR
sys
sysname L2sw-1F-POE-02
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]
vlan 60
 name monitor
 quit
vlan 80
 name office
 quit
vlan 84
 name portal-office
 quit
vlan 88
 name guest
 quit
vlan 90
 name terminal
 quit
vlan 200
 name sw-manage
 quit
# AP ports: PoE on, trunk carrying the wireless VLANs plus management, VLAN 1 pruned
int range gi 1/0/1 to gi 1/0/10
 desc AP
 poe enable
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 60 80 84 88 90 200
 stp edged-port
 quit
# camera ports: PoE on, access VLAN 60
int range gi 1/0/11 to gi 1/0/23
 desc monitor
 poe enable
 port link-type access
 port access vlan 60
 stp edged-port
 quit
# uplink: PoE off, trunk for all VLANs except VLAN 1
int gi 1/0/24
 desc up-sw-link-GE0/0/3
 undo poe enable
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 4094
 stp point-to-point force-true
 quit
undo int vlan 1
int vlan 200
 desc sw-manage-ip
 ip addr 1.1.200.113 24
 ntp-service broadcast-client
 quit
ip route-static 0.0.0.0 0 1.1.200.254
stp mode rstp
stp global enable
lldp global enable
ip http enable
ip https enable
ssh server enable
sftp server enable
ssh user admin service-type all authentication-type any
local-user admin class manage
 pass simple [password]
 service-type https ssh terminal ftp
 authorization-attr user-role level-15
 authorization-attr work-directory flash:/
 quit
user-int aux 0
 authen scheme
 user-role network-admin
 quit
user-int vty 0 4
 authen scheme
 protocol inbound all
 quit
clock timezone Beijing add 08:00:00
clock protocol ntp
quit
save force
Switch configuration acceptance checks
# Acceptance checks -- run these as the final step
# ping check: reach the core's management address
<switch>ping 1.1.200.254
  PING 1.1.200.254: 56  data bytes, press CTRL_C to break
    Reply from 1.1.200.254: bytes=56 Sequence=1 ttl=254 time=1 ms
    Reply from 1.1.200.254: bytes=56 Sequence=2 ttl=254 time=1 ms
    Reply from 1.1.200.254: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 1.1.200.254: bytes=56 Sequence=4 ttl=254 time=1 ms
    Reply from 1.1.200.254: bytes=56 Sequence=5 ttl=254 time=1 ms

  --- 1.1.200.254 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
# LLDP neighbor discovery check: the uplink must see the aggregation switch
<switch>dis lldp neighbor brief
Local Intf    Neighbor Dev    Neighbor Intf    Exptime(s)
GE0/0/48      L3sw-1F         GE0/0/3          107
Quick build: aggregation-layer switches
Note: for copper uplinks use the last two electrical ports of the copper card; for fiber uplinks use the first two ports of the SFP card.
This walkthrough involves both fiber and copper uplinks, so keep the two apart.
Setting the console password and the local-user password triggers a Y/N confirmation prompt. Those confirmations are not written out here, so the commands need adjusting before they can be pushed as a script.
# Aggregation switch: downlinks to the access switches, uplink to the core
# FutureMatrix S5735S-L24T4S-A1
# HUAWEI S5735S-L48T4S-A1
# HUAWEI S5720-52P-LI-AC
sys
sysname L3sw-1F
dns resolve
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]
vlan 11
 desc 1f
 quit
vlan 60
 desc monitor
 quit
vlan 80
 desc office
 quit
vlan 84
 desc portal-office
 quit
vlan 88
 desc guest
 quit
vlan 90
 desc terminal
 quit
vlan 200
 desc sw-manage
 quit
# downlinks to the access switches: trunk for all VLANs except VLAN 1
int range gi 0/0/1 to gi 0/0/48
 desc L2sw
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 stp point-to-point force-true
 quit
# LACP Eth-Trunk uplink to the core stack (GE0/0/51-52 to core GE0/0/1 and GE1/0/1)
int eth1
 desc up-sw-link-GE0-1/0/1
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 stp point-to-point force-true
 mode lacp
 trunkport gi 0/0/51 to gi 0/0/52 mode active
 quit
undo int vlan 1
int vlan 200
 desc sw-manage-ip
 ip addr 1.1.200.119 24
 ntp-service broadcast-client
 quit
ip route-static 0.0.0.0 0.0.0.0 1.1.200.254
stp enable
stp mode rstp
lldp enable
http server enable
http secure-server enable
http server-source -i vlan 200
stelnet server enable
ssh user admin
ssh user admin authen all
ssh user admin service-type all
ssh server-source -i vlan 200
aaa
 local-aaa-user password policy administrator
  pass expire 0
  quit
 local-user admin pass irr [password] privilege level 15
 local-user admin idle-timeout 30 access-limit 5
 local-user admin ftp-directory flash:/
 local-user admin service-type terminal ssh ftp http
 local-user admin state active
 quit
user-int console 0
 authen pass
 set authen pass cipher [password]
 quit
user-int vty 0 4
 authen aaa
 user privilege level 15
 protocol inbound all
 quit
undo ntp server disable
ntp-service ipv6 disable
ntp-service ipv6 server disable
ntp-service sync-interval 360
ntp-service source-interface Vlanif200
clock timezone Beijing,Chongqing,Hongkon,Urumqi add 08:00:00
quit
save force
Quick build: core-layer switches
# The two core switches each connect down to the aggregation switch and form a stack
# HUAWEI S5720-32P-EI-AC
# Stack member 1
sys
sysname Core-L3sw-Stack01
dis stack config
stack slot 0 priority 200
stack slot 0 renumber 0
quit
save
y
# Stack member 2
sys
sysname Core-L3sw-Stack02
dis stack config
stack slot 0 priority 100
stack slot 0 renumber 1
quit
save
y
### Reboot the two stack members one after the other: the master first, then the standby
### After they come up, check the stack state
dis stack config
dis stack port brief
dis stack peers
dis stack channel all
### A console session on either member lands in the stack system; now configure the core switch
sys
sysname Core-L3sw
dns resolve
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]
vlan 11
 desc 1f
 quit
vlan 60
 desc monitor
 quit
vlan 80
 desc office
 quit
vlan 84
 desc portal-office
 quit
vlan 88
 desc guest
 quit
vlan 90
 desc terminal
 quit
vlan 200
 desc sw-manage
 quit
undo int vlan 1
# gateway interfaces; "dhcp select global" serves clients from the matching global address pool below
int vlan 11
 desc 1F DHCP
 ip addr 1.1.11.254 24
 dhcp select global
 quit
int vlan 60
 desc monitor
 ip addr 1.1.60.254 22
 quit
int vlan 80
 desc office
 ip addr 1.1.80.254 22
 dhcp select global
 quit
int vlan 84
 desc portal-office
 ip addr 1.1.84.254 22
 dhcp select global
 quit
int vlan 88
 desc guest
 ip addr 1.1.88.254 24
 dhcp select global
 quit
int vlan 90
 desc terminal
 ip addr 1.1.90.254 24
 dhcp select global
 quit
# core management address per the lab parameters (vlanif200 1.1.200.254/24); it is also the default gateway and NTP server for the other switches
int vlan 200
 desc sw-manage-ip
 ip addr 1.1.200.254 24
 ntp-service broadcast-server
 quit
# LACP Eth-Trunk down to the aggregation switch, one member port on each stack member
int eth 1
 desc L3sw-1F-GE0/0/51-52
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 stp point-to-point force-true
 mode lacp
 trunkport gi 0/0/1 mode active
 trunkport gi 1/0/1 mode active
 quit
# Eth-Trunk to the wireless controller, one member port on each stack member
int eth 2
 description ac_200.201_GE1/0/4-5
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 stp point-to-point force-true
 trunkport gi 0/0/2 mode active
 trunkport gi 1/0/2 mode active
 quit
dhcp enable
ip pool vlan11
 gateway-list 1.1.11.254
 network 1.1.11.0 mask 255.255.255.0
 lease day 3 hour 0 minute 0
 dns-list 1.1.1.1 1.1.1.2
 domain-name [mydomainname_1F]
 quit
ip pool vlan80
 gateway-list 1.1.80.254
 network 1.1.80.0 mask 255.255.252.0
 lease day 1 hour 12 minute 0
 dns-list 1.1.1.1 1.1.1.2
 quit
ip pool vlan84
 gateway-list 1.1.84.254
 network 1.1.84.0 mask 255.255.252.0
 lease day 1 hour 12 minute 0
 dns-list 1.1.1.1 1.1.1.2
 quit
ip pool vlan88
 gateway-list 1.1.88.254
 network 1.1.88.0 mask 255.255.255.0
 lease day 1 hour 12 minute 0
 dns-list 1.1.1.1 1.1.1.2
 quit
ip pool vlan90
 gateway-list 1.1.90.254
 network 1.1.90.0 mask 255.255.255.0
 lease day 1 hour 12 minute 0
 dns-list 1.1.1.1 1.1.1.2
 quit
# management VLAN pool: the AC address is excluded from the range and advertised to APs via DHCP option 43
ip pool vlan200
 gateway-list 1.1.200.254
 network 1.1.200.0 mask 255.255.255.0
 excluded-ip-addr 1.1.200.201
 lease unlimited
 dns-list 1.1.1.1 1.1.1.2
 option 43 ip-addr 1.1.200.201
 quit
stp enable
stp mode rstp
stp instance 0 root primary
lldp enable
http server enable
http secure-server enable
http server-source -i vlan 200
stelnet server enable
ssh user admin
ssh user admin authen all
ssh user admin service-type all
ssh server-source -i vlan 200
aaa
 local-aaa-user password policy administrator
  undo password alert original
  pass expire 0
  quit
 local-user admin pass irr [password] privilege level 15
 local-user admin idle-timeout 30 access-limit 5
 local-user admin ftp-directory flash:/
 local-user admin service-type terminal ssh ftp http
 local-user admin state active
 quit
user-int console 0
 authen aaa
 quit
user-int vty 0 4
 authen aaa
 user privilege level 15
 protocol inbound all
 quit
undo ntp server disable
ntp-service ipv6 disable
ntp-service ipv6 server disable
ntp-service sync-interval 180
ntp-service source-interface Vlanif200
clock timezone Beijing,Chongqing,Hongkon,Urumqi add 08:00:00
# CPU protection: rate-limit ARP-miss packets punted to the CPU and enable attack-source tracing for ARP
cpu-defend policy arpmiss01
 car packet-type arp-miss cir 128 cbs 20000
 auto-defend threshold 200
 auto-defend protocol arp
 quit
cpu-defend-policy arpmiss01 global
quit
save force
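Every switch block on this page repeats the same management-plane settings (HTTP and HTTPS, SSH, `protocol inbound all`, a non-expiring administrator password, FTP for the local user). The checker below is an added example, not code from this page, that parses VRP-style indented configuration and flags those settings so a saved config can be reviewed before or after it is pushed; the sample config and the rule set are this example's own constructions, and `[password]` is the page's placeholder.

```python
import re

# Constructed excerpt in the shape of this page's Huawei access-switch config
# (indented the way VRP displays it; [password] is the page's own placeholder).
SAMPLE_CONFIG = """\
http server enable
http secure-server enable
http server-source -i vlan 200
stelnet server enable
ssh server-source -i vlan 200
aaa
 local-aaa-user password policy administrator
  password expire 0
 local-user admin password irreversible-cipher [password] privilege level 15
 local-user admin service-type terminal ssh ftp http
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
"""

# (required parent block or None, regex on the command, finding). The rules are
# this example's own choices, not a vendor checklist.
RULES = [
    (None, r"^http server enable$", "plaintext HTTP management is on; keep only http secure-server"),
    ("local-aaa-user password policy", r"^password expire 0$", "administrator passwords never expire"),
    ("aaa", r"^local-user \S+ service-type .*\bftp\b", "cleartext FTP enabled for a local user; prefer SFTP"),
    ("user-interface vty", r"^protocol inbound all$", "VTY allows every inbound protocol, not just SSH"),
    (None, r"^undo password alert original$", "alert for an unchanged default password is disabled"),
]

def parse_blocks(text):
    """Yield (parent_commands, command) using VRP's one-space-per-level indentation."""
    stack = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        stack = stack[:depth]          # leaving a block pops its parents
        yield list(stack), raw.strip()
        stack.append(raw.strip())

def audit(text):
    """Return [(command, finding)] for every rule that matches inside its required block."""
    findings = []
    for parents, cmd in parse_blocks(text):
        for parent, pattern, finding in RULES:
            in_scope = parent is None or any(p.startswith(parent) for p in parents)
            if in_scope and re.search(pattern, cmd):
                findings.append((cmd, finding))
    return findings
```

Feed it the output of `display current-configuration` saved from chapter 1's backups; an empty result means none of the listed settings are present.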
Switch configuration acceptance checks
# Acceptance checks -- run these as the final step
# ping check: the management addresses of the access and aggregation switches
<switch>ping 1.1.200.111
<switch>ping 1.1.200.112
<switch>ping 1.1.200.113
<switch>ping 1.1.200.119
# LLDP neighbor discovery check: both Eth-Trunk 1 members must see the aggregation switch
<switch>dis lldp nei brief
Local Intf    Neighbor Dev    Neighbor Intf    Exptime(s)
GE0/0/1       L3sw-1F         GE0/0/51         102
GE1/0/1       L3sw-1F         GE0/0/52         119
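The two acceptance steps above (and the access-switch check earlier on this page) compare eyeballed LLDP and ping output against the intended cabling. As an added example that is not part of the original post, the script below parses the `display lldp neighbor brief` table and the ping statistics block and checks them against an expected neighbor map taken from this page's topology; the sample outputs are constructed to match the page's format.

```python
import re

# Constructed sample output in the shape of this page's acceptance step:
# Huawei 'display lldp neighbor brief' on the core stack, plus a ping summary.
LLDP_BRIEF = """\
Local Intf    Neighbor Dev    Neighbor Intf    Exptime(s)
GE0/0/1       L3sw-1F         GE0/0/51         102
GE1/0/1       L3sw-1F         GE0/0/52         119
"""
PING_STATS = """\
--- 1.1.200.119 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
"""

# Expected cabling of the core's Eth-Trunk 1 from this page's topology:
# core GE0/0/1 and GE1/0/1 go to the aggregation switch L3sw-1F GE0/0/51-52.
EXPECTED_UPLINKS = {
    "GE0/0/1": ("L3sw-1F", "GE0/0/51"),
    "GE1/0/1": ("L3sw-1F", "GE0/0/52"),
}

def parse_lldp_brief(text):
    """Map local interface -> (neighbor sysname, neighbor interface)."""
    neighbors = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) >= 3:
            neighbors[cols[0]] = (cols[1], cols[2])
    return neighbors

def check_uplinks(lldp_text, expected):
    """Return cabling problems; an empty list means the topology matches the plan."""
    seen = parse_lldp_brief(lldp_text)
    problems = []
    for local_if, want in expected.items():
        got = seen.get(local_if)
        if got is None:
            problems.append(f"{local_if}: no LLDP neighbor (link down or LLDP disabled?)")
        elif got != want:
            problems.append(f"{local_if}: expected {want}, saw {got}")
    for local_if in seen.keys() - expected.keys():      # links nobody planned
        problems.append(f"{local_if}: unexpected neighbor {seen[local_if]}")
    return problems

def ping_loss_percent(text):
    """Packet-loss percentage from a VRP ping statistics block, or None if absent."""
    m = re.search(r"([\d.]+)% packet loss", text)
    return float(m.group(1)) if m else None
```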
Quick build: wireless controller
# Wireless controller: attached off the side of the core switch
# H3C WX2540H
sys
sysname ac_200.201
dns server 1.1.1.1
dns server 1.1.1.2
dns domain [mydomainname_1F]
vlan 80
 name office
 quit
vlan 84
 name portal-office
 quit
vlan 88
 name guest
 quit
vlan 90
 name terminal
 quit
vlan 200
 name sw-manage
 quit
undo int vlan 1
int vlan 200
 desc sw-manage-ip
 ip addr 1.1.200.201 24
 ntp-service broadcast-client
 quit
# link aggregation toward the core stack (core Eth-Trunk 2: GE0/0/2 and GE1/0/2)
int bri 1
 desc Core-L3sw_GE0-1/0/2
 port link-type trunk
 port trunk permit vlan all
 undo port trunk permit vlan 1
 stp point-to-point force-true
 quit
int range gi 1/0/4 to gi 1/0/5
 port link-mode bridge
 port link-agg group 1
 quit
ip route-static 0.0.0.0 0 1.1.200.254
stp mode rstp
stp global enable
lldp global enable
ip http enable
ip https enable
ssh server enable
sftp server enable
ssh user admin service-type all authentication-type any
local-user admin class manage
 pass simple [password]
 service-type https ssh terminal ftp
 authorization-attr user-role level-15
 authorization-attr work-directory flash:/
 quit
user-int console 0
 authen scheme
 user-role network-admin
 quit
user-int vty 0 4
 authen scheme
 protocol inbound all
 quit
ntp-service enable
clock timezone Beijing add 08:00:00
clock protocol ntp
quit
save force
Wireless controller configuration acceptance checks
# Acceptance checks -- run these as the final step
# ping check
<switch>ping 1.1.200.254
# LLDP neighbor discovery check: both aggregation members must see the core stack
<switch>dis lldp nei list
Chassis ID : * -- -- Nearest nontpmr bridge neighbor
             # -- -- Nearest customer bridge neighbor
             Default -- -- Nearest bridge neighbor
System Name    Local Interface    Chassis ID        Port ID
Core-L3sw      GE1/0/4            2065-xxxx-efe0    GigabitEthernet0/0/2 4
Core-L3sw      GE1/0/5            2065-xxxx-efe0    GigabitEthernet1/0/2 4