eNSP-based IPv4 plus IPv6 enterprise/campus network planning and design (comprehensive experiment / course project)

Author: BSXY_19 Jike_Chen Yongyue
BSXY_Information College_Business card v is at the end
Note: Reposting any content without permission is prohibited

Foreword and technical/resource download instructions (reposting any content without permission is prohibited)

If you have any questions, describe your situation in the comment area and the blogger will reply as soon as he sees it. I hope readers will also answer each other's questions.
You can implement the design step by step by following the design and implementation steps provided below (each command is a key command). If necessary, you can also download the complete topo diagram and complete configuration from the following address for reference; once you have the topo file, you can run the display commands on each device to view its configuration and the corresponding commands. The supporting resources are linked as follows, and their content is shown in the following figure:

Network planning: eNSP-based IPv4 plus IPv6 enterprise/campus planning and design, for graduation or course design reference: all configuration commands step by step (eNSP) + step-by-step notepad commands that can be pasted directly to configure repetitive tasks quickly + copyable command notes + detailed address planning table + full configuration video
[Figure: contents of the supporting resources]
Because the price of the uploaded resources may be adjusted dynamically and may end up higher than the intended price, if you think it is too high you can contact V: CwJp0403 (73~89 is fine; if you are not sincere, please look elsewhere; verification message: v4 and v6). I am usually online when you need to communicate, and I will do my best to answer any questions for you. The corresponding test commands and screenshots, a description of what each step achieves, and the test results of the commands to run after the configuration is completed are all included in the resources shown in the figure below, and they are updated continuously. The topo diagram looks like this:
[Figure: topo diagram]
Most of the address planning and routing planning is clearly marked in the figure.

The technologies used in the topo network include VLAN division, Eth-Trunk binding, MSTP, VRRP, DHCP relay, OSPF, BFD fault detection, port security and isolation, wireless WLAN, PPPoE, IS-IS, BGP, MPLS VPN, DHCP snooping, NQA, NAT server address mapping, NAT (address pool, Easy IP), telnet, ACL, IPsec VPN, route import, default route, FW security policy planning, ISISv6, OSPFv3, DHCPv6, 6to4 tunnel, BGP4+, etc. This experiment is well suited to readers who have learned the individual technologies and want to integrate them, and readers working on a course design can use it as a reference for their own planning and design. The scenario is suitable for graduation design, campus network planning, enterprise network planning and similar occasions. If you have any questions, you can send the blogger a private message on the platform, and the blogger will reply as soon as he sees it. Finally, the authorship of the topo planning belongs to: BSXY_ School of Information_19 Computer Science_Chen Yongyue

1. Design topo diagrams and design requirements (a brief list of 35)

Topology 1:
[Figure: topology diagram]

Design requirements:

  • Configure the interface addresses of the servers, firewalls, and routers
  • Configure Eth-Trunk link bundling in Huiyuan Building to improve link redundancy
  • Divide the network into VLANs by area to reduce the size of the broadcast domain and improve the reliability and security of the network
  • Configure MSTP+VRRP in Mingcheng Building for redundancy; divide MSTP instances so that different VLANs prefer their corresponding switch, which reduces STP flapping
  • All users of Mingcheng Building, Huiyuan Building, and Derun Building obtain addresses automatically through the corresponding DHCP relay; the DHCP server is DHCPserver
  • Configure multi-area OSPF with MD5 authentication enabled in area 0; SW1/SW2 are configured per interface
  • Devices in area 0 enable BFD to quickly detect link failures
  • Sub-campus users also need to automatically obtain addresses. The corresponding server is AR4, and AR4 is configured with corresponding sub-interfaces to assign addresses to corresponding terminals.
  • Configure port security, and the interface can automatically learn the MAC address
  • Configure port isolation to prevent PC6 and PC7 from communicating with each other in the same VLAN
  • The wireless address and AP address of the branch campus/division are assigned by SW8
  • FW2 acts as a PPPoE client, and AR5 acts as a PPPoE server for corresponding dial-up Internet access
  • R1, R2, R3 deploy ISIS Level-2, area ID 49.0000
  • Deploy MPLS VPN, where R1 and R3 are used as PE devices and R2 is used as a route reflector
  • FW1 and FW2 serve as the CE side and establish eBGP neighbor relationships with the PE side
  • The operator is AS 100, the headquarters/main campus is AS 65430, and the branch is AS 65000
  • Deploy IPSec VPN between FW1 and FW2 to realize communication between headquarters/main campus and branches
  • Communication between the headquarters and the branch uses the MPLS VPN first; if the MPLS VPN fails, IPSec VPN is used instead
  • FW1 uses NQA to probe 10.1.5.5; if it is unreachable, FW1 stops delivering the default route to the intranet
  • NAT: headquarters/main campus users reach the external network through the address pool 10.1.22.100~10.1.22.110
  • Branch users access the extranet using Easy IP
  • Extranet users access the intranet WEB service: 100.100.100.100 is used for the corresponding address mapping
  • The server of the finance department can only be accessed by vlan 10 users of the intranet
  • Configure DHCP snooping to prevent DHCP spoofing and access to unauthorized DHCP servers
  • All internal switches can be remotely managed by telnet
  • Users in the main campus/headquarters can access the external network Baidu through the domain name (www.baidu.com), and wireless users can as well
  • For IPv6, the interconnection addresses inside AS100 use link-local addresses
  • The Lo0 addresses of R1, R2, R3 are 2001:10:1:X::X/128
  • Activate ISISv6 and ensure that the v4 and v6 topologies are separated
  • The new Lo0 interface addresses of SW1 and SW2 are 2001:192:168:X::X/128
  • FW1, SW1, and SW2 deploy OSPFv3 area 0, where the interconnection address uses the Link-local address
  • Branch FW2 and AR4 deploy OSPFv3, and the interconnection address uses link-local address
  • FW1 and FW2 use the MPLS VPN network to establish a 6to4 tunnel
  • Deploy BGP4+ on the basis of 6to4 tunnels to realize IPv6 intercommunication between headquarters and branches

2. Corresponding address planning table

[Figure: address planning table]
The address planning table became a little blurry when uploaded, and the picture has not been optimized here; the Excel version can be edited or changed and is clearer, as shown in the picture below.
[Figure: address planning table in Excel]

3. Planning and design of medium and large campus/enterprise network based on eNSP_ensp comprehensive homework (optional)

Interlude: the eNSP-based medium and large campus/enterprise network planning and design comprehensive homework (eNSP comprehensive experiment) is shown in the figure below (it is not introduced or explained in detail in this article; if you want to view it, you can follow the link and read it yourself):
[Figure: topology diagram]
Design requirements:

  • Complete the configuration of the corresponding interface address of the server, firewall, and router
  • Configure Eth-Trunk link bundling in Huiyuan Building to improve link redundancy
  • Divide the network into VLANs by area to reduce the size of the broadcast domain and improve the reliability and security of the network
  • Configure RSTP+VRRP in Huiyuan Building to avoid network loops and converge quickly
  • Configure MSTP+VRRP in Mingcheng Building for redundancy; divide MSTP instances so that different VLANs prefer their corresponding switch, which reduces STP flapping
  • All users in Mingcheng Building, Huiyuan Building, and service areas can automatically obtain addresses by configuring the corresponding DHCP relay, and the DHCP server is AR2
  • Sub-campus users also need to automatically obtain addresses. The corresponding server is AR13, and AR13 is configured with corresponding sub-interfaces to assign addresses to corresponding terminals.
  • Huiyuan Building mainly configures OSPF so that its corresponding routers can learn the corresponding routing table
  • Mingcheng Building applies RIP protocol and OSPF protocol, and imports RIP and OSPF routes bidirectionally, so that it can communicate with Huiyuan Building
  • The service area is configured with corresponding ftp, dns, and web servers. If there is a PC connected, the address can be obtained automatically. The PC here is used to test the corresponding DHCP
  • FW1 and LSW4 each configure a virtual link (vlink), so that area 3 and area 0 can communicate with each other and learn the corresponding routing information
  • Both FW1 and FW2 are configured with corresponding security policies, and the traffic from trust to dmz is allowed on FW1
  • Both FW1/FW2 are configured with corresponding default routes pointing to our carrier ISP
  • FW1/FW2 configure the corresponding NAT policy, so that the internal network and dmz can access the external network (Baidu)
  • Configure corresponding IPsec VPN on FW1/FW2 to allow intercommunication between the simulated main campus and the simulated sub-campus. The network segment allowed for intercommunication is 172.16.XX/16
  • The external network simulates an ISP that runs IS-IS routing so that its devices can communicate
  • Users in the main campus/sub-campus can access the extranet Baidu through the domain name (www.baidu.com), and the main campus can access the intranet web server through the domain name (www.xyw.com)
  • Users in the main campus use the internal dns server, and users in the sub-campus use the dns server of the ISP

4. The whole process of network planning (step by step)

1. eth-trunk configuration

	HX_SW1:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname HX_SW1
[HX_SW1]int eth-trunk 1
[HX_SW1-Eth-Trunk1]mode lacp-static
[HX_SW1-Eth-Trunk1]max active-linknumber 2
[HX_SW1-Eth-Trunk1]trunkport g0/0/24
[HX_SW1-Eth-Trunk1]trunkport g0/0/23
[HX_SW1-Eth-Trunk1]trunkport g0/0/22
[HX_SW1-Eth-Trunk1]lacp preempt enable
[HX_SW1-Eth-Trunk1]lacp preempt delay 10
[HX_SW1-Eth-Trunk1]qui
[HX_SW1]int g0/0/24
[HX_SW1-GigabitEthernet0/0/24]lacp priority 16384
[HX_SW1-GigabitEthernet0/0/24]qui
[HX_SW1]
----------------------------------
	HX_SW2:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname HX_SW2
[HX_SW2]int eth-trunk 1
[HX_SW2-Eth-Trunk1]mode lacp-static
[HX_SW2-Eth-Trunk1]max active-linknumber 2
[HX_SW2-Eth-Trunk1]trunkport g0/0/24
[HX_SW2-Eth-Trunk1]trunkport g0/0/23
[HX_SW2-Eth-Trunk1]trunkport g0/0/22
[HX_SW2-Eth-Trunk1]lacp preempt enable
[HX_SW2-Eth-Trunk1]lacp preempt delay 10
[HX_SW2-Eth-Trunk1]qui
[HX_SW2]int g0/0/24
[HX_SW2-GigabitEthernet0/0/24]lacp priority 16384
[HX_SW2-GigabitEthernet0/0/24]qui
[HX_SW2]

2. VLAN bottom division

	JR_SW3:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname JR_SW3
[JR_SW3]vlan batch 10 20 100 101 900
[JR_SW3]int g0/0/3
[JR_SW3-GigabitEthernet0/0/3]port link-type access
[JR_SW3-GigabitEthernet0/0/3]port default vlan 10
[JR_SW3-GigabitEthernet0/0/3]int g0/0/4
[JR_SW3-GigabitEthernet0/0/4]port link-type access
[JR_SW3-GigabitEthernet0/0/4]port default vlan 20
[JR_SW3-GigabitEthernet0/0/4]qui
[JR_SW3]int g0/0/5
[JR_SW3-GigabitEthernet0/0/5]port link-type trunk
[JR_SW3-GigabitEthernet0/0/5]port trunk allow-pass vlan 100 101
[JR_SW3-GigabitEthernet0/0/5]port trunk pvid vlan 100
[JR_SW3-GigabitEthernet0/0/5]qui
[JR_SW3]port-group g g0/0/1 g0/0/2
[JR_SW3-port-group]port link-type trunk
[JR_SW3-GigabitEthernet0/0/1]port link-type trunk
[JR_SW3-GigabitEthernet0/0/2]port link-type trunk
[JR_SW3-port-group]port trunk  allow-pass vlan 10 20 100 101 900
[JR_SW3-GigabitEthernet0/0/1]port trunk  allow-pass vlan 10 20 100 101 900
[JR_SW3-GigabitEthernet0/0/2]port trunk  allow-pass vlan 10 20 100 101 900
[JR_SW3-port-group]qui
[JR_SW3]
-------------------------------------
	JR_SW4:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname JR_SW4
[JR_SW4]vlan batch 30 40 100 102 900
[JR_SW4]int g0/0/3
[JR_SW4-GigabitEthernet0/0/3]port link-type access
[JR_SW4-GigabitEthernet0/0/3]port default vlan 30
[JR_SW4-GigabitEthernet0/0/3]int g0/0/4
[JR_SW4-GigabitEthernet0/0/4]port link-type access
[JR_SW4-GigabitEthernet0/0/4]port default vlan 40
[JR_SW4-GigabitEthernet0/0/4]qui
[JR_SW4]int g0/0/5
[JR_SW4-GigabitEthernet0/0/5]port link-type trunk
[JR_SW4-GigabitEthernet0/0/5]port trunk pvid vlan 100
[JR_SW4-GigabitEthernet0/0/5]port trunk allow-pass vlan 100 102
[JR_SW4-GigabitEthernet0/0/5]qui
[JR_SW4]port-group g g0/0/1 g0/0/2
[JR_SW4-port-group]port link-type trunk
[JR_SW4-GigabitEthernet0/0/1]port link-type trunk
[JR_SW4-GigabitEthernet0/0/2]port link-type trunk
[JR_SW4-port-group]port trunk  allow-pass vlan 30 40 100 102 900
[JR_SW4-GigabitEthernet0/0/1]port trunk  allow-pass vlan 30 40 100 102 900
[JR_SW4-GigabitEthernet0/0/2]port trunk  allow-pass vlan 30 40 100 102 900
[JR_SW4-port-group]qui
[JR_SW4]
------------------------------------
	JR_SW5:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname JR_SW5
[JR_SW5]vlan batch 50 100 103 900
[JR_SW5]port-group g g0/0/3 g0/0/4
[JR_SW5-port-group]port link-type access
[JR_SW5-GigabitEthernet0/0/3]port link-type access
[JR_SW5-GigabitEthernet0/0/4]port link-type access
[JR_SW5-port-group]port default vlan 50
[JR_SW5-GigabitEthernet0/0/3]port default vlan 50
[JR_SW5-GigabitEthernet0/0/4]port default vlan 50
[JR_SW5-port-group]qui
[JR_SW5]port-group g g0/0/1 g0/0/2
[JR_SW5-port-group]port link-type trunk
[JR_SW5-GigabitEthernet0/0/1]port link-type trunk
[JR_SW5-GigabitEthernet0/0/2]port link-type trunk
[JR_SW5-port-group]port trunk  allow-pass vlan 50 100 103 900
[JR_SW5-GigabitEthernet0/0/1]port trunk  allow-pass vlan 50 100 103 900
[JR_SW5-GigabitEthernet0/0/2]port trunk  allow-pass vlan 50 100 103 900
[JR_SW5-port-group]qui
[JR_SW5]int g0/0/5
[JR_SW5-GigabitEthernet0/0/5]port link-type trunk
[JR_SW5-GigabitEthernet0/0/5]port trunk pvid vlan 100
[JR_SW5-GigabitEthernet0/0/5]port trunk allow-pass vlan 100 103
[JR_SW5-GigabitEthernet0/0/5]qui
[JR_SW5]
--------------------------------
	JR_SW6:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname JR_SW6
[JR_SW6]vlan batch 200 900
[JR_SW6]port-group g g0/0/1 g0/0/2
[JR_SW6-port-group]port link-type trunk
[JR_SW6-GigabitEthernet0/0/1]port link-type trunk
[JR_SW6-GigabitEthernet0/0/2]port link-type trunk
[JR_SW6-port-group]port trunk allow-pass vlan 200 900
[JR_SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan 200 900
[JR_SW6-GigabitEthernet0/0/2]port trunk allow-pass vlan 200 900
[JR_SW6-port-group]qui
[JR_SW6]port-group g g0/0/3 g0/0/4
[JR_SW6-port-group]port link-type access
[JR_SW6-GigabitEthernet0/0/3]port link-type access
[JR_SW6-GigabitEthernet0/0/4]port link-type access
[JR_SW6-port-group]port default vlan 200
[JR_SW6-GigabitEthernet0/0/3]port default vlan 200
[JR_SW6-GigabitEthernet0/0/4]port default vlan 200
[JR_SW6-port-group]qui
[JR_SW6]
-----------------------------------------
	HX_SW1:
[HX_SW1]vlan batch 10 11 20 30 40 50 100 101 102 103 200 900
[HX_SW1]int g0/0/1
[HX_SW1-GigabitEthernet0/0/1]port link-type access
[HX_SW1-GigabitEthernet0/0/1]port default vlan 11
[HX_SW1-GigabitEthernet0/0/1]int g0/0/2
[HX_SW1-GigabitEthernet0/0/2]port link-type trunk
[HX_SW1-GigabitEthernet0/0/2]port trunk  allow-pass vlan 200 900
[HX_SW1-GigabitEthernet0/0/2]int g0/0/3
[HX_SW1-GigabitEthernet0/0/3]port link-type trunk
[HX_SW1-GigabitEthernet0/0/3]port trunk  allow-pass vlan 10 20 100 101 900
[HX_SW1-GigabitEthernet0/0/3]int g0/0/4
[HX_SW1-GigabitEthernet0/0/4]port link-type trunk
[HX_SW1-GigabitEthernet0/0/4]port trunk  allow-pass vlan 30 40 100 102 900
[HX_SW1-GigabitEthernet0/0/4]int g0/0/5
[HX_SW1-GigabitEthernet0/0/5]port link-type trunk
[HX_SW1-GigabitEthernet0/0/5]port trunk  allow-pass vlan 50 100 103 900
[HX_SW1-GigabitEthernet0/0/5]int eth-trunk 1
[HX_SW1-Eth-Trunk1]port link-type trunk
[HX_SW1-Eth-Trunk1]port trunk  allow-pass vlan all
[HX_SW1-Eth-Trunk1]qui
[HX_SW1]
--------------------------------------
	HX_SW2:
[HX_SW2]vlan batch 10 12 20 30 40 50 100 101 102 103 200 900
[HX_SW2]int g0/0/1
[HX_SW2-GigabitEthernet0/0/1]port link-type access
[HX_SW2-GigabitEthernet0/0/1]port default vlan 12
[HX_SW2-GigabitEthernet0/0/1]int g0/0/2
[HX_SW2-GigabitEthernet0/0/2]port link-type trunk
[HX_SW2-GigabitEthernet0/0/2]port trunk  allow-pass vlan 200 900
[HX_SW2-GigabitEthernet0/0/2]int g0/0/3
[HX_SW2-GigabitEthernet0/0/3]port link-type trunk
[HX_SW2-GigabitEthernet0/0/3]port trunk  allow-pass vlan 10 20 100 101 900
[HX_SW2-GigabitEthernet0/0/3]int g0/0/4
[HX_SW2-GigabitEthernet0/0/4]port link-type trunk
[HX_SW2-GigabitEthernet0/0/4]port trunk  allow-pass vlan 30 40 100 102 900
[HX_SW2-GigabitEthernet0/0/4]int g0/0/5
[HX_SW2-GigabitEthernet0/0/5]port link-type trunk
[HX_SW2-GigabitEthernet0/0/5]port trunk  allow-pass vlan 50 100 103 900
[HX_SW2-GigabitEthernet0/0/5]int g0/0/6
[HX_SW2-GigabitEthernet0/0/6]port link-type trunk
[HX_SW2-GigabitEthernet0/0/6]port trunk  allow-pass vlan all
[HX_SW2-GigabitEthernet0/0/6]int eth-trunk 1
[HX_SW2-Eth-Trunk1]port link-type trunk
[HX_SW2-Eth-Trunk1]port trunk  allow-pass vlan all
[HX_SW2-Eth-Trunk1]qui
[HX_SW2]

3. MSTP

	HX_SW1:
[HX_SW1]stp region-configuration
[HX_SW1-mst-region]region-name huawei
[HX_SW1-mst-region]revision-level 1
[HX_SW1-mst-region]instance 1 vlan 10 20 100 101 200
[HX_SW1-mst-region]instance 2 vlan 30 40 50 102 103
[HX_SW1-mst-region]active region-configuration
[HX_SW1-mst-region]qui
[HX_SW1]stp instance 1 root primary
[HX_SW1]stp instance 2 root secondary
---------------------------
	HX_SW2:
[HX_SW2]stp region-configuration
[HX_SW2-mst-region]region-name huawei
[HX_SW2-mst-region]revision-level 1
[HX_SW2-mst-region]instance 1 vlan 10 20 100 101 200
[HX_SW2-mst-region]instance 2 vlan 30 40 50 102 103
[HX_SW2-mst-region]active region-configuration
[HX_SW2-mst-region]qui
[HX_SW2]stp instance 2 root primary
[HX_SW2]stp instance 1 root secondary
----------------------------
	JR_SW3:
[JR_SW3]stp region-configuration
[JR_SW3-mst-region]region-name huawei
[JR_SW3-mst-region]revision-level 1
[JR_SW3-mst-region]instance 1 vlan 10 20 100 101 200
[JR_SW3-mst-region]instance 2 vlan 30 40 50 102 103
[JR_SW3-mst-region]active region-configuration
[JR_SW3-mst-region]qui
[JR_SW3]
----------------------------
	JR_SW4:
[JR_SW4]stp region-configuration
[JR_SW4-mst-region]region-name huawei
[JR_SW4-mst-region]revision-level 1
[JR_SW4-mst-region]instance 1 vlan 10 20 100 101 200
[JR_SW4-mst-region]instance 2 vlan 30 40 50 102 103
[JR_SW4-mst-region]active region-configuration
[JR_SW4-mst-region]qui
[JR_SW4]
---------------------------
	JR_SW5:
[JR_SW5]stp region-configuration
[JR_SW5-mst-region]region-name huawei
[JR_SW5-mst-region]revision-level 1
[JR_SW5-mst-region]instance 1 vlan 10 20 100 101 200
[JR_SW5-mst-region]instance 2 vlan 30 40 50 102 103
[JR_SW5-mst-region]active region-configuration
[JR_SW5-mst-region]qui
[JR_SW5]
--------------------------
	JR_SW6:
[JR_SW6]stp region-configuration
[JR_SW6-mst-region]region-name huawei
[JR_SW6-mst-region]revision-level 1
[JR_SW6-mst-region]instance 1 vlan 10 20 100 101 200
[JR_SW6-mst-region]instance 2 vlan 30 40 50 102 103
[JR_SW6-mst-region]active region-configuration
[JR_SW6-mst-region]qui
[JR_SW6]

4. VRRP

	HX_SW1:
[HX_SW1]int vlan 10
[HX_SW1-Vlanif10]ip add 192.168.10.254 24
[HX_SW1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.1
[HX_SW1-Vlanif10]vrrp vrid 10 priority 105
[HX_SW1-Vlanif10]vrrp vrid 10 track int g0/0/1
[HX_SW1-Vlanif10]int vlan 20
[HX_SW1-Vlanif20]ip add 192.168.20.254 24
[HX_SW1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.1
[HX_SW1-Vlanif20]vrrp vrid 20 priority 105
[HX_SW1-Vlanif20]vrrp vrid 20 track int g0/0/1
[HX_SW1-Vlanif20]int vlan 100
[HX_SW1-Vlanif100]ip add 192.168.100.254 24
[HX_SW1-Vlanif100]vrrp vrid 100 virtual-ip 192.168.100.1
[HX_SW1-Vlanif100]vrrp vrid 100 priority 105
[HX_SW1-Vlanif100]vrrp vrid 100 track int g0/0/1
[HX_SW1-Vlanif100]int vlan 101
[HX_SW1-Vlanif101]ip add 192.168.101.254 24
[HX_SW1-Vlanif101]vrrp vrid 101 virtual-ip 192.168.101.1
[HX_SW1-Vlanif101]vrrp vrid 101 priority 105
[HX_SW1-Vlanif101]vrrp vrid 101 track int g0/0/1
[HX_SW1-Vlanif101]int vlan 200
[HX_SW1-Vlanif200]ip add 192.168.200.254 24
[HX_SW1-Vlanif200]vrrp vrid 200 virtual-ip 192.168.200.1
[HX_SW1-Vlanif200]vrrp vrid 200 priority 105
[HX_SW1-Vlanif200]vrrp vrid 200 track int g0/0/1
[HX_SW1-Vlanif200]int vlan 30
[HX_SW1-Vlanif30]ip add 192.168.30.254 24
[HX_SW1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[HX_SW1-Vlanif30]int vlan 40
[HX_SW1-Vlanif40]ip add 192.168.40.254 24
[HX_SW1-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.1
[HX_SW1-Vlanif40]int vlan 50
[HX_SW1-Vlanif50]ip add 192.168.50.254 24
[HX_SW1-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.1
[HX_SW1-Vlanif50]int vlan 102
[HX_SW1-Vlanif102]ip add 192.168.102.254 24
[HX_SW1-Vlanif102]vrrp vrid 102 virtual-ip 192.168.102.1
[HX_SW1-Vlanif102]int vlan 103
[HX_SW1-Vlanif103]ip add 192.168.103.254 24
[HX_SW1-Vlanif103]vrrp vrid 103 virtual-ip 192.168.103.1
[HX_SW1-Vlanif103]int vlan 11
[HX_SW1-Vlanif11]ip add 192.168.11.1 24
[HX_SW1-Vlanif11]qui
[HX_SW1]
------------------------------
	HX_SW2:
[HX_SW2]int vlan 10
[HX_SW2-Vlanif10]ip add 192.168.10.253 24
[HX_SW2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.1
[HX_SW2-Vlanif10]int vlan 20
[HX_SW2-Vlanif20]ip add 192.168.20.253 24
[HX_SW2-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.1
[HX_SW2-Vlanif20]int vlan 100
[HX_SW2-Vlanif100]ip add 192.168.100.253 24
[HX_SW2-Vlanif100]vrrp vrid 100 virtual-ip 192.168.100.1
[HX_SW2-Vlanif100]int vlan 101
[HX_SW2-Vlanif101]ip add 192.168.101.253 24
[HX_SW2-Vlanif101]vrrp vrid 101 virtual-ip 192.168.101.1
[HX_SW2-Vlanif101]int vlan 200
[HX_SW2-Vlanif200]ip add 192.168.200.253 24
[HX_SW2-Vlanif200]vrrp vrid 200 virtual-ip 192.168.200.1
[HX_SW2-Vlanif200]int vlan 30
[HX_SW2-Vlanif30]ip add 192.168.30.253 24
[HX_SW2-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[HX_SW2-Vlanif30]vrrp vrid 30 priority 105
[HX_SW2-Vlanif30]vrrp vrid 30 track int g0/0/1
[HX_SW2-Vlanif30]int vlan 40
[HX_SW2-Vlanif40]ip add 192.168.40.253 24
[HX_SW2-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.1
[HX_SW2-Vlanif40]vrrp vrid 40 priority 105
[HX_SW2-Vlanif40]vrrp vrid 40 track int g0/0/1
[HX_SW2-Vlanif40]int vlan 50
[HX_SW2-Vlanif50]ip add 192.168.50.253 24
[HX_SW2-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.1
[HX_SW2-Vlanif50]vrrp vrid 50 priority 105
[HX_SW2-Vlanif50]vrrp vrid 50 track int g0/0/1
[HX_SW2-Vlanif50]int vlan 102
[HX_SW2-Vlanif102]ip add 192.168.102.253 24
[HX_SW2-Vlanif102]vrrp vrid 102 virtual-ip 192.168.102.1
[HX_SW2-Vlanif102]vrrp vrid 102 priority 105
[HX_SW2-Vlanif102]vrrp vrid 102 track int g0/0/1
[HX_SW2-Vlanif102]int vlan 103
[HX_SW2-Vlanif103]ip add 192.168.103.253 24
[HX_SW2-Vlanif103]vrrp vrid 103 virtual-ip 192.168.103.1
[HX_SW2-Vlanif103]vrrp vrid 103 priority 105
[HX_SW2-Vlanif103]vrrp vrid 103 track int g0/0/1
[HX_SW2-Vlanif103]int vlan 12
[HX_SW2-Vlanif12]ip add 192.168.12.2 24
[HX_SW2-Vlanif12]qui
[HX_SW2]
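
Steps 3 and 4 put the MSTP root and the VRRP master for the same VLANs on the same switch (instance 1 and its VLANs on HX_SW1, instance 2 and its VLANs on HX_SW2). The following Python check is an added example, not part of the original configuration: it reads prompt/command lines in the style shown above and reports every VLAN whose STP root and VRRP master differ. The sample transcript is a constructed excerpt of the commands above, and the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the HX_SW1/HX_SW2 MSTP and VRRP
# transcripts on this page, trimmed to one VLAN per MST instance.
SAMPLE = """\
[HX_SW1-mst-region]instance 1 vlan 10 20 100 101 200
[HX_SW1-mst-region]instance 2 vlan 30 40 50 102 103
[HX_SW1]stp instance 1 root primary
[HX_SW1]stp instance 2 root secondary
[HX_SW2]stp instance 2 root primary
[HX_SW2]stp instance 1 root secondary
[HX_SW1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.1
[HX_SW1-Vlanif10]vrrp vrid 10 priority 105
[HX_SW1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[HX_SW2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.1
[HX_SW2-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[HX_SW2-Vlanif30]vrrp vrid 30 priority 105
"""

# "[device-view]command": the view comes from the prompt, so abbreviated
# commands such as "int vlan 10" do not need to be expanded.
PROMPT = re.compile(r"^\[([^\]-]+)(?:-([^\]]+))?\]\s*(.*)$")


def expand_vlans(tokens):
    """Expand a VRP VLAN list such as ['10', '20', 'to', '22'] into a set of ints."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse(transcript):
    vlan_instance = {}   # VLAN id -> MST instance id
    root = {}            # MST instance id -> device configured "root primary"
    vrrp = {}            # VLAN id -> {device: VRRP priority}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        dev, view, words = m.group(1), m.group(2) or "", m.group(3).split()
        if view == "mst-region" and words[:1] == ["instance"] and "vlan" in words:
            for vlan in expand_vlans(words[words.index("vlan") + 1:]):
                vlan_instance[vlan] = int(words[1])
        elif words[:2] == ["stp", "instance"] and words[3:5] == ["root", "primary"]:
            root[int(words[2])] = dev
        elif view.startswith("Vlanif") and words[:2] == ["vrrp", "vrid"]:
            group = vrrp.setdefault(int(view[len("Vlanif"):]), {})
            group.setdefault(dev, 100)            # VRRP default priority
            if words[3:4] == ["priority"]:
                group[dev] = int(words[4])
    return vlan_instance, root, vrrp


def misaligned(transcript):
    """Return [(vlan, instance, stp_root, vrrp_master)] where root and master differ."""
    vlan_instance, root, vrrp = parse(transcript)
    findings = []
    for vlan in sorted(vrrp):
        inst = vlan_instance.get(vlan, 0)         # unmapped VLANs stay in instance 0
        best = max(vrrp[vlan].values())
        masters = sorted(d for d, p in vrrp[vlan].items() if p == best)
        master = masters[0] if len(masters) == 1 else "tie"
        if root.get(inst) != master:
            findings.append((vlan, inst, root.get(inst), master))
    return findings


if __name__ == "__main__":
    print(misaligned(SAMPLE) or "STP roots and VRRP masters are aligned")
```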

5. Test the PC through the gateway

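/* Manually configure an IP address on the PC to reach the gateway, e.g. for a PC in vlan 10 configure
    IP:192.168.10.3
    GW:192.168.10.1  Test access to the gateway; it is enough that ping 192.168.10.1 succeeds */

/* Manually configure an IP address on the PC to reach the gateway, e.g. for a PC in vlan 30 configure
    IP:192.168.30.7
    GW:192.168.30.1  Test access to the gateway; it is enough that ping 192.168.30.1 succeeds */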

6. DHCP relay

<Huawei>sys
[Huawei]un in en
[Huawei]sysname DHCP
[DHCP]int g0/0/0
[DHCP-GigabitEthernet0/0/0]ip add 192.168.200.3 24
[DHCP-GigabitEthernet0/0/0]qui
[DHCP]dhcp enable
[DHCP]ip pool vlan10
[DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
[DHCP-ip-pool-vlan10]gateway-list 192.168.10.1
[DHCP-ip-pool-vlan10]dns-list 192.168.200.2 8.8.8.8
[DHCP-ip-pool-vlan10]excluded-ip-address 192.168.10.250 192.168.10.254
[DHCP-ip-pool-vlan10]qui
[DHCP]ip pool vlan20
[DHCP-ip-pool-vlan20]network 192.168.20.0 mask 24
[DHCP-ip-pool-vlan20]gateway-list 192.168.20.1
[DHCP-ip-pool-vlan20]dns-list 192.168.200.2 8.8.8.8
[DHCP-ip-pool-vlan20]excluded-ip-address 192.168.20.250 192.168.20.254
[DHCP-ip-pool-vlan20]qui
[DHCP]ip pool vlan30
[DHCP-ip-pool-vlan30]network 192.168.30.0 mask 24
[DHCP-ip-pool-vlan30]gateway-list 192.168.30.1
[DHCP-ip-pool-vlan30]dns-list 192.168.200.2 8.8.8.8
[DHCP-ip-pool-vlan30]excluded-ip-address 192.168.30.250 192.168.30.254
[DHCP-ip-pool-vlan30]qui
[DHCP]ip pool vlan40
[DHCP-ip-pool-vlan40]network 192.168.40.0 mask 24
[DHCP-ip-pool-vlan40]gateway-list 192.168.40.1
[DHCP-ip-pool-vlan40]dns-list 192.168.200.2 8.8.8.8
[DHCP-ip-pool-vlan40]excluded-ip-address 192.168.40.250 192.168.40.254
[DHCP-ip-pool-vlan40]qui
[DHCP]ip pool vlan50
[DHCP-ip-pool-vlan50]network 192.168.50.0 mask 24
[DHCP-ip-pool-vlan50]gateway-list 192.168.50.1
[DHCP-ip-pool-vlan50]dns-list 192.168.200.2 8.8.8.8
[DHCP-ip-pool-vlan50]excluded-ip-address 192.168.50.250 192.168.50.254
[DHCP-ip-pool-vlan50]qui
[DHCP]ip pool ap_pool
[DHCP-ip-pool-ap_pool]network 192.168.100.0 mask 24
[DHCP-ip-pool-ap_pool]gateway-list 192.168.100.1
[DHCP-ip-pool-ap_pool]dns-list 192.168.200.2 8.8.8.8
[DHCP-ip-pool-ap_pool]excluded-ip-address 192.168.100.250 192.168.100.254
[DHCP-ip-pool-ap_pool]qui
[DHCP]ip pool hua1
[DHCP-ip-pool-hua1]network 192.168.101.0 mask 24
[DHCP-ip-pool-hua1]gateway-list 192.168.101.1
[DHCP-ip-pool-hua1]dns-list 192.168.200.2 8.8.8.8
[DHCP-ip-pool-hua1]excluded-ip-address 192.168.101.250 192.168.101.254
[DHCP-ip-pool-hua1]qui
[DHCP]ip pool hua2
[DHCP-ip-pool-hua2]network 192.168.102.0 mask 24
[DHCP-ip-pool-hua2]gateway-list 192.168.102.1
[DHCP-ip-pool-hua2]dns-list 192.168.200.2 8.8.8.8
[DHCP-ip-pool-hua2]excluded-ip-address 192.168.102.250 192.168.102.254
[DHCP-ip-pool-hua2]qui
[DHCP]ip pool hua3
[DHCP-ip-pool-hua3]network 192.168.103.0 mask 24
[DHCP-ip-pool-hua3]gateway-list 192.168.103.1
[DHCP-ip-pool-hua3]dns-list 192.168.200.2 8.8.8.8
[DHCP-ip-pool-hua3]excluded-ip-address 192.168.103.250 192.168.103.254
[DHCP-ip-pool-hua3]qui
[DHCP]int g0/0/0
[DHCP-GigabitEthernet0/0/0]dhcp select global
[DHCP-GigabitEthernet0/0/0]qui
[DHCP]ip route-static 0.0.0.0 0 192.168.200.1
[DHCP]
-----------------------------------
	HX_SW1:
[HX_SW1]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[HX_SW1]int vlan 10
[HX_SW1-Vlanif10]dhcp select relay
[HX_SW1-Vlanif10]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif10]int vlan 20
[HX_SW1-Vlanif20]dhcp select relay
[HX_SW1-Vlanif20]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif20]int vlan 30
[HX_SW1-Vlanif30]dhcp select relay
[HX_SW1-Vlanif30]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif30]int vlan 40
[HX_SW1-Vlanif40]dhcp select relay
[HX_SW1-Vlanif40]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif40]int vlan 50
[HX_SW1-Vlanif50]dhcp select relay
[HX_SW1-Vlanif50]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif50]int vlan 100
[HX_SW1-Vlanif100]dhcp select relay
[HX_SW1-Vlanif100]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif100]int vlan 101
[HX_SW1-Vlanif101]dhcp select relay
[HX_SW1-Vlanif101]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif101]int vlan 102
[HX_SW1-Vlanif102]dhcp select relay
[HX_SW1-Vlanif102]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif102]int vlan 103
[HX_SW1-Vlanif103]dhcp select relay
[HX_SW1-Vlanif103]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif103]qui
[HX_SW1]
----------------------------
	HX_SW2:
[HX_SW2]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[HX_SW2]int vlan 10
[HX_SW2-Vlanif10]dhcp select relay
[HX_SW2-Vlanif10]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif10]int vlan 20
[HX_SW2-Vlanif20]dhcp select relay
[HX_SW2-Vlanif20]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif20]int vlan 30
[HX_SW2-Vlanif30]dhcp select relay
[HX_SW2-Vlanif30]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif30]int vlan 40
[HX_SW2-Vlanif40]dhcp select relay
[HX_SW2-Vlanif40]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif40]int vlan 50
[HX_SW2-Vlanif50]dhcp select relay
[HX_SW2-Vlanif50]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif50]int vlan 100
[HX_SW2-Vlanif100]dhcp select relay
[HX_SW2-Vlanif100]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif100]int vlan 101
[HX_SW2-Vlanif101]dhcp select relay
[HX_SW2-Vlanif101]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif101]int vlan 102
[HX_SW2-Vlanif102]dhcp select relay
[HX_SW2-Vlanif102]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif102]int vlan 103
[HX_SW2-Vlanif103]dhcp select relay
[HX_SW2-Vlanif103]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif103]qui
[HX_SW2]
-------------------------------------
	PC: // Only simulates a PC used for management or for testing telnet
<Huawei>sys
[Huawei]un in en
[Huawei]sysname PC
[PC]dhcp en
[PC]int g0/0/0
[PC-GigabitEthernet0/0/0]ip add dhcp-alloc 
[PC-GigabitEthernet0/0/0]qui
[PC]qui
<PC>sa

7. Wireless WLAN

<AC6605>sys
[AC6605]un in en
[AC6605]sysname AC1
[AC1]vlan 100
[AC1-vlan100]int vlan 100
[AC1-Vlanif100]ip add 192.168.100.100 24
[AC1-Vlanif100]qui
[AC1]int g0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[AC1-GigabitEthernet0/0/1]qui
[AC1]ip route-static 0.0.0.0 0.0.0.0 192.168.100.253
[AC1]capwap source interface vlanif100
[AC1]wlan
[AC1-wlan-view]ssid-profile name SSID_PRO
[AC1-wlan-ssid-prof-SSID_PRO]ssid huawei
[AC1-wlan-ssid-prof-SSID_PRO]qui
[AC1-wlan-view]security-profile name SEC_PRO
[AC1-wlan-sec-prof-SEC_PRO]security wpa2 psk pass-phrase huawei@123 aes
[AC1-wlan-sec-prof-SEC_PRO]qui
[AC1-wlan-view]vap-profile name VAP1_PRO
[AC1-wlan-vap-prof-VAP1_PRO]ssid-profile SSID_PRO
[AC1-wlan-vap-prof-VAP1_PRO]security-profile SEC_PRO
[AC1-wlan-vap-prof-VAP1_PRO]service-vlan vlan-id 101
[AC1-wlan-vap-prof-VAP1_PRO]qui
[AC1-wlan-view]vap-profile name VAP2_PRO
[AC1-wlan-vap-prof-VAP2_PRO]ssid-profile SSID_PRO
[AC1-wlan-vap-prof-VAP2_PRO]security-profile SEC_PRO
[AC1-wlan-vap-prof-VAP2_PRO]service-vlan vlan-id 102
[AC1-wlan-vap-prof-VAP2_PRO]qui
[AC1-wlan-view]vap-profile name VAP3_PRO
[AC1-wlan-vap-prof-VAP3_PRO]ssid-profile SSID_PRO
[AC1-wlan-vap-prof-VAP3_PRO]security-profile SEC_PRO
[AC1-wlan-vap-prof-VAP3_PRO]service-vlan vlan-id 103
[AC1-wlan-vap-prof-VAP3_PRO]qui
[AC1-wlan-view]vap-profile name VAP4_PRO
[AC1-wlan-vap-prof-VAP4_PRO]ssid-profile SSID_PRO
[AC1-wlan-vap-prof-VAP4_PRO]security-profile SEC_PRO
[AC1-wlan-vap-prof-VAP4_PRO]service-vlan vlan-id 104
[AC1-wlan-vap-prof-VAP4_PRO]qui
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc41-4590
[AC1-wlan-ap-1]ap-id 2 ap-mac 00e0-fc63-1250
[AC1-wlan-ap-2]ap-id 3 ap-mac 00e0-fc1f-8060
[AC1-wlan-ap-3]ap-id 4 ap-mac 00e0-fc1f-76d0
[AC1-wlan-ap-4]qui
[AC1-wlan-view]ap-id 1
[AC1-wlan-ap-1]ap-name AREA_1
[AC1-wlan-ap-1]vap-profile VAP1_PRO wlan 1 radio 0
[AC1-wlan-ap-1]vap-profile VAP1_PRO wlan 1 radio 1
[AC1-wlan-ap-1]qui
[AC1-wlan-view]ap-id 2
[AC1-wlan-ap-2]ap-name AREA_2
[AC1-wlan-ap-2]vap-profile VAP2_PRO wlan 1 radio 0
[AC1-wlan-ap-2]vap-profile VAP2_PRO wlan 1 radio 1
[AC1-wlan-ap-2]qui
[AC1-wlan-view]ap-id 3
[AC1-wlan-ap-3]ap-name AREA_3
[AC1-wlan-ap-3]vap-profile VAP3_PRO wlan 1 radio 0
[AC1-wlan-ap-3]vap-profile VAP3_PRO wlan 1 radio 1
[AC1-wlan-ap-3]qui
[AC1-wlan-view]ap-id 4
[AC1-wlan-ap-4]ap-name AREA_4
[AC1-wlan-ap-4]vap-profile VAP4_PRO wlan 1 radio 0
[AC1-wlan-ap-4]vap-profile VAP4_PRO wlan 1 radio 1
[AC1-wlan-ap-4]qui
[AC1-wlan-view]qui
[AC1]qui
<AC1>sa

8. Firewall FW1 configuration

<USG6000V1>sys
[USG6000V1]un in en
[USG6000V1]sysname FW1
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 192.168.11.22 24
[FW1-GigabitEthernet1/0/1]service-manage all permit
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 192.168.12.22 24
[FW1-GigabitEthernet1/0/2]service-manage all permit
[FW1-GigabitEthernet1/0/2]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.111.22 24
[FW1-GigabitEthernet1/0/0]service-manage all permit
[FW1-GigabitEthernet1/0/0]int g1/0/3
[FW1-GigabitEthernet1/0/3]ip add 10.1.122.22 24
[FW1-GigabitEthernet1/0/3]service-manage all permit
[FW1-GigabitEthernet1/0/3]int g1/0/4
[FW1-GigabitEthernet1/0/4]ip add 10.1.22.22 24
[FW1-GigabitEthernet1/0/4]service-manage all permit
[FW1-GigabitEthernet1/0/4]qui
[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/1
[FW1-zone-trust]add int g1/0/2
[FW1-zone-trust]qui
[FW1]firewall zone dmz
[FW1-zone-dmz]add int g1/0/0
[FW1-zone-dmz]qui
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/3
[FW1-zone-untrust]add int g1/0/4
[FW1-zone-untrust]qui
[FW1]icmp ttl-exceeded send
[FW1]

9. OSPF & authentication

	FW1:
[FW1]ospf 1 router-id 10.1.4.4
[FW1-ospf-1]default-route-advertise
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]net 192.168.11.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]net 192.168.12.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]authentication-mode md5 1 plain huawei
[FW1-ospf-1-area-0.0.0.0]qui
[FW1-ospf-1]qui
[FW1]
--------------------------------
	HX_SW1:
[HX_SW1]ospf 1 router-id 10.1.5.5
[HX_SW1-ospf-1]area 1
[HX_SW1-ospf-1-area-0.0.0.1]network 192.168.10.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.1]network 192.168.20.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.1]network 192.168.30.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.1]network 192.168.40.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.1]network 192.168.50.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.1]network 192.168.100.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.1]network 192.168.101.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.1]network 192.168.102.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.1]network 192.168.103.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.1]qui
[HX_SW1-ospf-1]area 0
[HX_SW1-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]authentication-mode md5 1 plain huawei
[HX_SW1-ospf-1-area-0.0.0.0]qui
[HX_SW1-ospf-1]silent-interface vlan 10
[HX_SW1-ospf-1]silent-interface vlan 20
[HX_SW1-ospf-1]silent-interface vlan 30
[HX_SW1-ospf-1]silent-interface vlan 40
[HX_SW1-ospf-1]silent-interface vlan 50
[HX_SW1-ospf-1]silent-interface vlan 101
[HX_SW1-ospf-1]silent-interface vlan 102
[HX_SW1-ospf-1]silent-interface vlan 103
[HX_SW1-ospf-1]silent-interface vlan 200
[HX_SW1-ospf-1]qui
[HX_SW1]
------------------------------
	HX_SW2:
[HX_SW2]ospf 1 router-id 10.1.6.6
[HX_SW2-ospf-1]area 1
[HX_SW2-ospf-1-area-0.0.0.1]network 192.168.10.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.1]network 192.168.20.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.1]network 192.168.30.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.1]network 192.168.40.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.1]network 192.168.50.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.1]network 192.168.100.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.1]network 192.168.101.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.1]network 192.168.102.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.1]network 192.168.103.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.1]qui
[HX_SW2-ospf-1]area 0
[HX_SW2-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]authentication-mode md5 1 plain huawei
[HX_SW2-ospf-1-area-0.0.0.0]qui
[HX_SW2-ospf-1]silent-interface vlan 10
[HX_SW2-ospf-1]silent-interface vlan 20
[HX_SW2-ospf-1]silent-interface vlan 30
[HX_SW2-ospf-1]silent-interface vlan 40
[HX_SW2-ospf-1]silent-interface vlan 50
[HX_SW2-ospf-1]silent-interface vlan 101
[HX_SW2-ospf-1]silent-interface vlan 102
[HX_SW2-ospf-1]silent-interface vlan 103
[HX_SW2-ospf-1]silent-interface vlan 200
[HX_SW2-ospf-1]qui
[HX_SW2]

10. BFD fault detection

	FW1:
[FW1]bfd
[FW1-bfd]qui
[FW1]ospf
[FW1-ospf-1]bfd all-interfaces enable
[FW1-ospf-1]qui
[FW1]
------------------------------
	HX_SW1:
[HX_SW1]bfd
[HX_SW1-bfd]qui
[HX_SW1]int vlan 11
[HX_SW1-Vlanif11]ospf bfd enable
[HX_SW1-Vlanif11]qui
[HX_SW1]
-----------------------------
	HX_SW2:
[HX_SW2]bfd
[HX_SW2-bfd]qui
[HX_SW2]int vlan 12
[HX_SW2-Vlanif12]ospf bfd enable
[HX_SW2-Vlanif12]qui
[HX_SW2]

11. Branch/branch school DHCP configuration

	AR4:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname AR4
[AR4]dhcp enable
[AR4]int g0/0/1
[AR4-GigabitEthernet0/0/1]ip add 172.16.60.4 24
[AR4-GigabitEthernet0/0/1]dhcp select int
[AR4-GigabitEthernet0/0/1]qui
[AR4]int g0/0/2
[AR4-GigabitEthernet0/0/2]ip add 172.16.48.4 24
[AR4-GigabitEthernet0/0/2]int g0/0/0
[AR4-GigabitEthernet0/0/0]ip add 172.16.134.4 24
[AR4-GigabitEthernet0/0/0]qui
[AR4]

12. Port Security and Isolation

	SW7:
<Huawei>sys
[Huawei]un in en
[Huawei]sys SW7
[SW7]p g g0/0/2 g0/0/3
[SW7-port-group]port-security enable
[SW7-GigabitEthernet0/0/2]port-security enable
[SW7-GigabitEthernet0/0/3]port-security enable
[SW7-port-group]port-security mac-add sticky
[SW7-GigabitEthernet0/0/2]port-security mac-add sticky
[SW7-GigabitEthernet0/0/3]port-security mac-add sticky
[SW7-port-group]port-isolate enable
[SW7-GigabitEthernet0/0/2]port-isolate enable
[SW7-GigabitEthernet0/0/3]port-isolate enable
[SW7-port-group]qui
[SW7]dis port-isolate group all
  The ports in isolate group 1:
GigabitEthernet0/0/2     GigabitEthernet0/0/3     
[SW7]

13. WLAN part of branch/branch school

	LSW8:
<Huawei>sys
[Huawei]un in en
[Huawei]sys LSW8
[LSW8]vlan batch 100 104 48
[LSW8]int g0/0/1
[LSW8-GigabitEthernet0/0/1]port link acc
[LSW8-GigabitEthernet0/0/1]port default vlan 48
[LSW8-GigabitEthernet0/0/1]int g0/0/2
[LSW8-GigabitEthernet0/0/2]port link trunk
[LSW8-GigabitEthernet0/0/2]port trunk all vlan 100 104
[LSW8-GigabitEthernet0/0/2]port trunk pvid vlan 100
[LSW8-GigabitEthernet0/0/2]qui
[LSW8]dhcp enable
[LSW8]ip pool ap_pool
[LSW8-ip-pool-ap_pool]gateway-list 172.16.100.1
[LSW8-ip-pool-ap_pool]network 172.16.100.0 mask 24 
[LSW8-ip-pool-ap_pool]excluded-ip-address 172.16.100.129 172.16.100.254 
[LSW8-ip-pool-ap_pool]lease unlimited
[LSW8-ip-pool-ap_pool]option 43 sub-option 3 ascii 192.168.100.100
[LSW8-ip-pool-ap_pool]qui
[LSW8]ip pool hua4
[LSW8-ip-pool-hua4]network 172.16.104.0 mask 24
[LSW8-ip-pool-hua4]gateway-list 172.16.104.1
[LSW8-ip-pool-hua4]dns-list 192.168.200.2 8.8.8.8
[LSW8-ip-pool-hua4]excluded-ip-address 172.16.104.250 172.16.104.254
[LSW8-ip-pool-hua4]qui
[LSW8]int vlan 48
[LSW8-Vlanif48]ip add 172.16.48.8 24
[LSW8-Vlanif48]int vlan 100
[LSW8-Vlanif100]ip add 172.16.100.1 24
[LSW8-Vlanif100]dhcp select global
[LSW8-Vlanif100]int vlan 104
[LSW8-Vlanif104]ip add 172.16.104.1 24
[LSW8-Vlanif104]dhcp select global
[LSW8-Vlanif104]qui
[LSW8]
// Once this is configured, the AP starts broadcasting as soon as connectivity with the headquarters/main campus is up

14. Branch/branch school OSPF configuration

	FW2:
<USG6000V1>sys
[USG6000V1]un in en
[USG6000V1]sys FW2
[FW2]int g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 10.1.133.33 24
[FW2-GigabitEthernet1/0/1]service-manage all permit
[FW2-GigabitEthernet1/0/1]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 172.16.134.33 24
[FW2-GigabitEthernet1/0/0]service-manage all permit
[FW2-GigabitEthernet1/0/0]int g1/0/2
[FW2-GigabitEthernet1/0/2]service-manage all permit
[FW2-GigabitEthernet1/0/2]qui
[FW2]firewall zone trust
[FW2-zone-trust]add int g1/0/0
[FW2-zone-trust]qui
[FW2]firewall zone untrust
[FW2-zone-untrust]add int g1/0/1
[FW2-zone-untrust]add int g1/0/2
[FW2-zone-untrust]qui
[FW2]icmp ttl send
[FW2]ospf
[FW2-ospf-1]default-route-advertise
[FW2-ospf-1]area 0
[FW2-ospf-1-area-0.0.0.0]net 172.16.134.0 0.0.0.255
[FW2-ospf-1-area-0.0.0.0]qui
[FW2-ospf-1]qui
[FW2]
-----------------------------
	AR4:
[AR4]OSPF
[AR4-ospf-1]area 0
[AR4-ospf-1-area-0.0.0.0]net 172.16.0.0 0.0.255.255
[AR4-ospf-1-area-0.0.0.0]qui
[AR4-ospf-1]qui
[AR4]
----------------------------
	LSW8:
[LSW8]ospf
[LSW8-ospf-1]area 0
[LSW8-ospf-1-area-0.0.0.0]net 172.16.0.0 0.0.255.255
[LSW8-ospf-1-area-0.0.0.0]qui
[LSW8-ospf-1]qui
[LSW8]

15. PPPoE dial-up

	AR5:
<Huawei>sys
[Huawei]un in en
[Huawei]sys AR5
[AR5]int loo0
[AR5-LoopBack0]ip add 10.1.5.5 32
[AR5-LoopBack0]int g0/0/0
[AR5-GigabitEthernet0/0/0]ip add 10.1.22.5 24
[AR5-GigabitEthernet0/0/0]int g0/0/1
[AR5-GigabitEthernet0/0/1]ip add 10.1.33.5 24
[AR5-GigabitEthernet0/0/1]int g0/0/2
[AR5-GigabitEthernet0/0/2]ip add 10.10.10.9 24
[AR5-GigabitEthernet0/0/2]qui
[AR5]aaa
[AR5-aaa]local-user user password cipher huawei
[AR5-aaa]local-user user service-type ppp
[AR5-aaa]qui
[AR5]int virtual-template1
[AR5-Virtual-Template1]ip add unnumbered int g0/0/1
[AR5-Virtual-Template1]ppp authentication-mode chap
[AR5-Virtual-Template1]remote add 10.1.33.33
[AR5-Virtual-Template1]int g0/0/1
[AR5-GigabitEthernet0/0/1]pppoe-server bind virtual-template 1
[AR5-GigabitEthernet0/0/1]qui
[AR5]ip route-static 0.0.0.0 0 10.1.22.22
----------------------------
	FW2:
[FW2]int Dialer 1
[FW2-Dialer1]ip add ppp-negotiate
[FW2-Dialer1]ppp chap user user
[FW2-Dialer1]ppp chap password cipher huawei
[FW2-Dialer1]dialer user test1
[FW2-Dialer1]dialer bundle 1
[FW2-Dialer1]mtu 1492
[FW2-Dialer1]qui
[FW2]int g1/0/2
[FW2-GigabitEthernet1/0/2]pppoe-client dial-bundle-number 1
[FW2-GigabitEthernet1/0/2]qui
[FW2]firewall zone untrust
[FW2-zone-untrust]add int dialer 1
[FW2-zone-untrust]qui
[FW2]

16. Public network interworking

	AR1:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname AR1
[AR1]int loo0
[AR1-LoopBack0]ip add 10.1.1.1 32
[AR1-LoopBack0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 10.1.12.1 24
[AR1-GigabitEthernet0/0/1]qui
[AR1]isis 
[AR1-isis-1]net 49.0000.0000.0000.0001.00
[AR1-isis-1]is-level level-2
[AR1-isis-1]qui
[AR1]int loo0
[AR1-LoopBack0]isis en
[AR1-LoopBack0]int g0/0/1
[AR1-GigabitEthernet0/0/1]isis en
[AR1-GigabitEthernet0/0/1]qui
[AR1]
------------------------------
	AR2:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname AR2
[AR2]int loo0
[AR2-LoopBack0]ip add 10.1.2.2 32
[AR2-LoopBack0]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 10.1.12.2 24
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 10.1.23.2 24
[AR2-GigabitEthernet0/0/1]qui
[AR2]isis
[AR2-isis-1]net 49.0000.0000.0000.0002.00
[AR2-isis-1]is-level level-2
[AR2-isis-1]qui
[AR2]int loo0
[AR2-LoopBack0]isis en
[AR2-LoopBack0]int g0/0/0
[AR2-GigabitEthernet0/0/0]isis en
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]isis en
[AR2-GigabitEthernet0/0/1]qui
[AR2]
----------------------------
	AR3:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname AR3
[AR3]int loo0
[AR3-LoopBack0]ip add 10.1.3.3 32
[AR3-LoopBack0]int g0/0/0
[AR3-GigabitEthernet0/0/0]ip add 10.1.23.3 24
[AR3-GigabitEthernet0/0/0]qui
[AR3]isis
[AR3-isis-1]net 49.0000.0000.0000.0003.00
[AR3-isis-1]is-level level-2
[AR3-isis-1]int loo0
[AR3-LoopBack0]isis en
[AR3-LoopBack0]int g0/0/0
[AR3-GigabitEthernet0/0/0]isis en
[AR3-GigabitEthernet0/0/0]qui
[AR3]

17. BGP builds neighbors

	AR1:
[AR1]bgp 100
[AR1-bgp]peer 10.1.2.2 as-n 100
[AR1-bgp]peer 10.1.2.2 con loo0
[AR1-bgp]ipv4 unicast
[AR1-bgp-af-ipv4]undo peer 10.1.2.2 en
[AR1-bgp-af-ipv4]qui
[AR1-bgp]ipv4 vpnv4
[AR1-bgp-af-vpnv4]peer 10.1.2.2 en
[AR1-bgp-af-vpnv4]qui
[AR1-bgp]qui
[AR1]
-----------------------
	AR2:
[AR2]bgp 100
[AR2-bgp]peer 10.1.1.1 as-n 100
[AR2-bgp]peer 10.1.1.1 con loo0
[AR2-bgp]peer 10.1.3.3 as-n 100
[AR2-bgp]peer 10.1.3.3 con loo0
[AR2-bgp]ipv4 unicast
[AR2-bgp-af-ipv4]undo peer 10.1.1.1 en
[AR2-bgp-af-ipv4]undo peer 10.1.3.3 en
[AR2-bgp-af-ipv4]qui
[AR2-bgp]ipv4 vpnv4
[AR2-bgp-af-vpnv4]peer 10.1.1.1 en
[AR2-bgp-af-vpnv4]peer 10.1.1.1 reflect-client
[AR2-bgp-af-vpnv4]peer 10.1.3.3 en
[AR2-bgp-af-vpnv4]peer 10.1.3.3 reflect-client
[AR2-bgp-af-vpnv4]undo policy vpn-target
[AR2-bgp-af-vpnv4]qui
[AR2-bgp]qui
[AR2]
---------------------------
	AR3:
[AR3]bgp 100
[AR3-bgp]peer 10.1.2.2 as-n 100
[AR3-bgp]peer 10.1.2.2 con loo0
[AR3-bgp]ipv4 unicast
[AR3-bgp-af-ipv4]undo peer 10.1.2.2 en
[AR3-bgp-af-ipv4]qui
[AR3-bgp]ipv4 vpnv4
[AR3-bgp-af-vpnv4]peer 10.1.2.2 en
[AR3-bgp-af-vpnv4]
[AR3-bgp-af-vpnv4]qui
[AR3-bgp]qui
[AR3]
---------------------------
	FW1:
[FW1]bgp 65430
[FW1-bgp]peer 10.1.122.1 as-n 100
[FW1-bgp]import-route ospf 1
[FW1-bgp]qui
[FW1]ospf 1
[FW1-ospf-1]import-route bgp
[FW1-ospf-1]qui
[FW1]
-------------------------
	FW2:
[FW2]bgp 65000
[FW2-bgp]peer 10.1.133.3 as-n 100
[FW2-bgp]import-route ospf 1
[FW2-bgp]qui
[FW2]ospf 1
[FW2-ospf-1]import-route bgp
[FW2-ospf-1]qui
[FW2]

18. MPLS

	AR1:
[AR1]mpls lsr-id 10.1.1.1
[AR1]mpls
[AR1-mpls]mpls ldp
[AR1-mpls-ldp]qui
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]mpls
[AR1-GigabitEthernet0/0/1]mpls ldp
[AR1-GigabitEthernet0/0/1]qui
[AR1]
---------------
	AR2:
[AR2]mpls lsr-id 10.1.2.2
[AR2]mpls
[AR2-mpls]mpls ldp
[AR2-mpls-ldp]qui
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]mpls
[AR2-GigabitEthernet0/0/0]mpls ldp
[AR2-GigabitEthernet0/0/0]qui
[AR2]int g0/0/1
[AR2-GigabitEthernet0/0/1]mpls
[AR2-GigabitEthernet0/0/1]mpls ldp
[AR2-GigabitEthernet0/0/1]qui
[AR2]
------------------------
	AR3:
[AR3]mpls lsr-id 10.1.3.3
[AR3]mpls
[AR3-mpls]mpls ldp
[AR3-mpls-ldp]qui
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]mpls
[AR3-GigabitEthernet0/0/0]mpls ldp
[AR3-GigabitEthernet0/0/0]qui
[AR3]

19. VPN instance

	AR1:
[AR1]ip vpn-instance VPN_A
[AR1-vpn-instance-VPN_A]route-distinguisher 100:22
[AR1-vpn-instance-VPN_A-af-ipv4]vpn-target 100:22 export-extcommunity
[AR1-vpn-instance-VPN_A-af-ipv4]vpn-target 100:33 import-extcommunity
[AR1-vpn-instance-VPN_A-af-ipv4]qui
[AR1-vpn-instance-VPN_A]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip binding vpn-instance VPN_A
[AR1-GigabitEthernet0/0/0]ip add 10.1.122.1 24
[AR1-GigabitEthernet0/0/0]qui
[AR1]bgp 100
[AR1-bgp]ipv4 vpn-instance VPN_A
[AR1-bgp-VPN_A]peer 10.1.122.22 as-n 65430
[AR1-bgp-VPN_A]qui
[AR1-bgp]qui
[AR1]
----------------
	AR3:
[AR3]ip vpn-instance VPN_B
[AR3-vpn-instance-VPN_B]route-distinguisher 100:33
[AR3-vpn-instance-VPN_B-af-ipv4]vpn-target 100:33 export-extcommunity
[AR3-vpn-instance-VPN_B-af-ipv4]vpn-target 100:22 import-extcommunity
[AR3-vpn-instance-VPN_B-af-ipv4]qui
[AR3-vpn-instance-VPN_B]int g0/0/1
[AR3-GigabitEthernet0/0/1]ip binding vpn-instance VPN_B
[AR3-GigabitEthernet0/0/1]ip add 10.1.133.3 24
[AR3-GigabitEthernet0/0/1]qui
[AR3]bgp 100
[AR3-bgp]ipv4 vpn-instance VPN_B
[AR3-bgp-VPN_B]peer 10.1.133.33 as-n 65000
[AR3-bgp-VPN_B]qui
[AR3-bgp]qui
[AR3]

20. Security Policy

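I will leave this part out of the article for now. The only devices configured are FW1 and FW2.
The technique here is simply to permit the corresponding security policies; once they are
permitted, the headquarters/main campus and the branch can reach each other through our MPLS VPN.

This part is omitted from the article, but nothing is omitted from the copyable command notes
or from the corresponding notepad version of the commands: every command is there, one by one,
and they are complete.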

21. IPSec VPN

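I will likewise leave this part out of the article for now. The only devices configured are FW1 and FW2.
The technique here has to be combined with our requirements: FW2's peer is FW1, so FW2 specifies
the corresponding peer address; FW1's peer is indeed FW2, but no peer address is configured on FW1.
After the IPsec configuration is complete, permit the corresponding security policies.

This part is omitted from the article, but nothing is omitted from the copyable command notes
or from the corresponding notepad version of the commands: every command is there, one by one,
and they are complete.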

22. DHCP snooping

[SW7]vlan batch 60
[SW7]p g g0/0/1 g0/0/2 g0/0/3
[SW7-port-group]port link-type acc
[SW7-GigabitEthernet0/0/1]port link-type acc
[SW7-GigabitEthernet0/0/2]port link-type acc
[SW7-GigabitEthernet0/0/3]port link-type acc
[SW7-port-group]port default vlan 60
[SW7-GigabitEthernet0/0/1]port default vlan 60
[SW7-GigabitEthernet0/0/2]port default vlan 60
[SW7-GigabitEthernet0/0/3]port default vlan 60
[SW7-port-group]qui
[SW7]dhcp en
[SW7]dhcp snooping en
[SW7]vlan 60
[SW7-vlan60]dhcp snooping enable
[SW7-vlan60]dhcp snooping check dhcp-chaddr enable
[SW7-vlan60]qui
[SW7]dhcp snooping user-bind autosave flash:/back.tbl
[SW7]int g0/0/1
[SW7-GigabitEthernet0/0/1]dhcp snooping trusted
[SW7-GigabitEthernet0/0/1]qui
[SW7]

23. NQA configuration

[FW1]nqa test-instance ceshi icmp
[FW1-nqa-ceshi-icmp]test-type icmp
[FW1-nqa-ceshi-icmp]destination-add ipv4 10.1.5.5
[FW1-nqa-ceshi-icmp]frequency 15
[FW1-nqa-ceshi-icmp]timeout 2
[FW1-nqa-ceshi-icmp]records history 3
[FW1-nqa-ceshi-icmp]records result 1
[FW1-nqa-ceshi-icmp]start now
[FW1-nqa-ceshi-icmp]qui
[FW1]ip route-static 10.1.5.5 32 10.1.22.5
[FW1]ip route-static 0.0.0.0 0 10.1.22.5 track nqa ceshi icmp

24. NAT configuration

[FW1]nat address-group nat_pool
[FW1-address-group-nat_pool]section 0 10.1.22.100 10.1.22.110
[FW1-address-group-nat_pool]qui
[FW1]nat-policy
[FW1-policy-nat]rule name no_nat
[FW1-policy-nat-rule-no_nat]source-zone trust
[FW1-policy-nat-rule-no_nat]destination-zone untrust
[FW1-policy-nat-rule-no_nat]source-address 192.168.0.0 16
[FW1-policy-nat-rule-no_nat]destination-address 172.16.0.0 16
[FW1-policy-nat-rule-no_nat]action no-nat
[FW1-policy-nat-rule-no_nat]qui
[FW1-policy-nat]rule name napt
[FW1-policy-nat-rule-napt]source-zone trust
[FW1-policy-nat-rule-napt]destination-zone untrust
[FW1-policy-nat-rule-napt]source-address 192.168.0.0 16
[FW1-policy-nat-rule-napt]action source-nat address-group nat_pool
[FW1-policy-nat-rule-napt]qui
[FW1-policy-nat]qui
[FW1]
-----------------------------
	FW2:
<FW2>sys
[FW2]nat-policy
[FW2-policy-nat]rule name no_nat
[FW2-policy-nat-rule-no_nat]source-zone trust
[FW2-policy-nat-rule-no_nat]destination-zone untrust
[FW2-policy-nat-rule-no_nat]source-address 172.16.0.0 16
[FW2-policy-nat-rule-no_nat]destination-address 192.168.0.0 16
[FW2-policy-nat-rule-no_nat]action no-nat
[FW2-policy-nat-rule-no_nat]qui
[FW2-policy-nat]rule name easyip
[FW2-policy-nat-rule-easyip]source-zone trust
[FW2-policy-nat-rule-easyip]destination-zone untrust
[FW2-policy-nat-rule-easyip]source-address 172.16.0.0 16
[FW2-policy-nat-rule-easyip]action source-nat easy-ip
[FW2-policy-nat-rule-easyip]qui
[FW2-policy-nat]qui
[FW2]

25. NAT server

[FW2]nat server protocol tcp global 100.100.100.100 80 inside 192.168.111.10 80
[FW2]sec
[FW2-policy-security]rule name out_to_dmz
[FW2-policy-security-rule-out_to_dmz]source-zone untrust
[FW2-policy-security-rule-out_to_dmz]destination-zone dmz
[FW2-policy-security-rule-out_to_dmz]destination-address 192.168.111.10 32
[FW2-policy-security-rule-out_to_dmz]action permit
[FW2-policy-security-rule-out_to_dmz]qui
[FW2-policy-security]

26. telnet

<HX_SW1>sy
[HX_SW1]aaa
[HX_SW1-aaa]local-user huawei privilege level 3 password cipher 5555
[HX_SW1-aaa]local-user huawei service-type telnet
[HX_SW1-aaa]qui
[HX_SW1]user-interface vty 0 4
[HX_SW1-ui-vty0-4]authentication-mode aaa
[HX_SW1-ui-vty0-4]protocol inbound telnet
[HX_SW1-ui-vty0-4]qui
[HX_SW1]int vlanif 900
[HX_SW1-Vlanif900]ip add 192.168.255.254 24
[HX_SW1-Vlanif900]vrrp vrid 255 virtual-ip 192.168.255.1
[HX_SW1-Vlanif900]qui
[HX_SW1]qui
-------------------------------------------
	HX_SW2:
[HX_SW2]aaa
[HX_SW2-aaa]local-user huawei privilege level 3 password cipher 5555
[HX_SW2-aaa]local-user huawei service-type telnet
[HX_SW2-aaa]qui
[HX_SW2]user-interface vty 0 4
[HX_SW2-ui-vty0-4]authentication-mode aaa
[HX_SW2-ui-vty0-4]protocol inbound telnet
[HX_SW2-ui-vty0-4]qui
[HX_SW2]int vlanif 900
[HX_SW2-Vlanif900]ip add 192.168.255.253 24
[HX_SW2-Vlanif900]vrrp vrid 255 virtual-ip 192.168.255.1
[HX_SW2-Vlanif900]qui
[HX_SW2]qui
-------------------------------------------
	JR_SW3:
[JR_SW3]aaa
[JR_SW3-aaa]local-user huawei privilege level 3 password cipher 5555
[JR_SW3-aaa]local-user huawei service-type telnet
[JR_SW3-aaa]qui
[JR_SW3]user-interface vty 0 4
[JR_SW3-ui-vty0-4]authentication-mode aaa
[JR_SW3-ui-vty0-4]protocol inbound telnet
[JR_SW3-ui-vty0-4]qui
[JR_SW3]int vlanif 900
[JR_SW3-Vlanif900]ip add 192.168.255.3 24
[JR_SW3-Vlanif900]qui
[JR_SW3]ip route-static 0.0.0.0 0 192.168.255.1
[JR_SW3]qui
-------------------------------------------
	JR_SW4:
[JR_SW4]aaa
[JR_SW4-aaa]local-user huawei privilege level 3 password cipher 5555
[JR_SW4-aaa]local-user huawei service-type telnet
[JR_SW4-aaa]qui
[JR_SW4]user-interface vty 0 4
[JR_SW4-ui-vty0-4]authentication-mode aaa
[JR_SW4-ui-vty0-4]protocol inbound telnet
[JR_SW4-ui-vty0-4]qui
[JR_SW4]int vlanif 900
[JR_SW4-Vlanif900]ip add 192.168.255.4 24
[JR_SW4-Vlanif900]qui
[JR_SW4]ip route-static 0.0.0.0 0 192.168.255.1
[JR_SW4]qui
-------------------------------------------
	JR_SW5:
[JR_SW5]aaa
[JR_SW5-aaa]local-user huawei privilege level 3 password cipher 5555
[JR_SW5-aaa]local-user huawei service-type telnet
[JR_SW5-aaa]qui
[JR_SW5]user-interface vty 0 4
[JR_SW5-ui-vty0-4]authentication-mode aaa
[JR_SW5-ui-vty0-4]protocol inbound telnet
[JR_SW5-ui-vty0-4]qui
[JR_SW5]int vlanif 900
[JR_SW5-Vlanif900]ip add 192.168.255.5 24
[JR_SW5-Vlanif900]qui
[JR_SW5]ip route-static 0.0.0.0 0 192.168.255.1
[JR_SW5]qui
-------------------------------------------
	JR_SW6:
[JR_SW6]aaa
[JR_SW6-aaa]local-user huawei privilege level 3 password cipher 5555
[JR_SW6-aaa]local-user huawei service-type telnet
[JR_SW6-aaa]qui
[JR_SW6]user-interface vty 0 4
[JR_SW6-ui-vty0-4]authentication-mode aaa
[JR_SW6-ui-vty0-4]protocol inbound telnet
[JR_SW6-ui-vty0-4]qui
[JR_SW6]int vlanif 900
[JR_SW6-Vlanif900]ip add 192.168.255.6 24
[JR_SW6-Vlanif900]qui
[JR_SW6]ip route-static 0.0.0.0 0 192.168.255.1
[JR_SW6]qui
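
The following audit script is an added example, not part of the original article or its resource pack. It reads prompt-prefixed transcripts like the ones on this page and reports three settings from sections 8, 9 and 26 that deserve review before the design leaves the lab: `service-manage all permit` on an interface that is later placed in the untrust zone, a routing authentication key entered with `plain` (kept in cleartext in the configuration), and Telnet enabled on the VTY lines. The rule names, the `audit` and `if_key` helpers, and the assumption that device names contain no hyphen are choices made for this example.

```python
import re

# Constructed sample: lines excerpted from the FW1 and HX_SW1 transcripts on this page.
SAMPLE = """\
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]service-manage all permit
[FW1-GigabitEthernet1/0/1]int g1/0/3
[FW1-GigabitEthernet1/0/3]ip add 10.1.122.22 24
[FW1-GigabitEthernet1/0/3]service-manage all permit
[FW1-GigabitEthernet1/0/3]qui
[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/1
[FW1-zone-trust]qui
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/3
[FW1-zone-untrust]qui
[FW1-ospf-1-area-0.0.0.0]authentication-mode md5 1 plain huawei
[HX_SW1]user-interface vty 0 4
[HX_SW1-ui-vty0-4]authentication-mode aaa
[HX_SW1-ui-vty0-4]protocol inbound telnet
"""

# "[device-view]command"; assumes the device name itself has no hyphen (true on this page).
PROMPT = re.compile(r"^\[([^\]-]+)(?:-([^\]]+))?\](.*)$")


def if_key(name):
    """Reduce 'GigabitEthernet1/0/3', 'g1/0/3' or 'dialer 1' to a comparable key.

    Simplification: only the first letter of the interface type is kept.
    """
    m = re.match(r"([A-Za-z]+)\s*([\d/]+)$", name.strip())
    return m.group(1)[0].lower() + m.group(2) if m else name.strip().lower()


def audit(transcript):
    """Return sorted (device, rule, detail) findings for a CLI transcript."""
    mgmt_open = set()  # (device, interface) where every management service is permitted
    zone_of = {}       # (device, interface) -> security zone name
    findings = []
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # user-view lines such as "<FW2>sys" and command output
        device, view = m.group(1), m.group(2) or ""
        cmd = " ".join(m.group(3).split())
        if cmd == "service-manage all permit":
            mgmt_open.add((device, if_key(view)))
        elif view.startswith("zone-"):
            added = re.match(r"add int\S*\s+(.+)$", cmd)
            if added:
                zone_of[(device, if_key(added.group(1)))] = view[len("zone-"):]
        elif re.match(r"authentication-mode \S+ \d+ plain ", cmd):
            findings.append((device, "routing-key-plain", view))
        elif view.startswith("ui-vty") and cmd == "protocol inbound telnet":
            findings.append((device, "telnet-vty", view))
    # Zone membership is configured after the interfaces, so correlate at the end.
    for device, iface in mgmt_open:
        if zone_of.get((device, iface)) == "untrust":
            findings.append((device, "mgmt-on-untrust", iface))
    return sorted(findings)


if __name__ == "__main__":
    for device, rule, detail in audit(SAMPLE):
        print(f"{device:8} {rule:18} {detail}")
```

Interfaces in the trust zone are not reported, so `g1/0/1` in the sample passes while `g1/0/3` is flagged.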

27. ISISv6

	AR1:
[AR1]IPV6
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ipv en
[AR1-GigabitEthernet0/0/1]ipv add auto link-local
[AR1-GigabitEthernet0/0/1]qui
[AR1]int loo0
[AR1-LoopBack0]ipv en
[AR1-LoopBack0]ipv add 2001:10:1:1::1/128
[AR1-LoopBack0]qui
[AR1]isis
[AR1-isis-1]ipv6 en top ipv6
[AR1-isis-1]qui
[AR1]int loo0
[AR1-LoopBack0]isis ipv en
[AR1-LoopBack0]int g0/0/1
[AR1-GigabitEthernet0/0/1]isis ipv en
[AR1-GigabitEthernet0/0/1]qui
[AR1]
-------------------------
	AR2:
[AR2]ipv
[AR2]int loo0
[AR2-LoopBack0]ipv en
[AR2-LoopBack0]ipv add 2001:10:1:2::2/128
[AR2-LoopBack0]int g0/0/0
[AR2-GigabitEthernet0/0/0]ipv en
[AR2-GigabitEthernet0/0/0]ipv add auto link-local
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ipv en
[AR2-GigabitEthernet0/0/1]ipV add auto link-local
[AR2-GigabitEthernet0/0/1]qui
[AR2]isis
[AR2-isis-1]ipv en top ipv6
[AR2-isis-1]qui
[AR2]int loo0
[AR2-LoopBack0]isis ipv en
[AR2-LoopBack0]int g0/0/0
[AR2-GigabitEthernet0/0/0]isis ipv en
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]isis ipv en
[AR2-GigabitEthernet0/0/1]qui
[AR2]
----------------------------
	AR3:
[AR3]IPV6
[AR3]int g0/0/0
[AR3-GigabitEthernet0/0/0]ipv en
[AR3-GigabitEthernet0/0/0]ipv add auto link-local
[AR3-GigabitEthernet0/0/0]int loo0
[AR3-LoopBack0]ipv en
[AR3-LoopBack0]ipv add 2001:10:1:3::3/128
[AR3-LoopBack0]qui
[AR3]isis
[AR3-isis-1]ipv en top ipv6
[AR3-isis-1]qui
[AR3]int loo0
[AR3-LoopBack0]isis ipv en
[AR3-LoopBack0]int g0/0/0
[AR3-GigabitEthernet0/0/0]isis ipv en
[AR3-GigabitEthernet0/0/0]qui
[AR3]

28. OSPFv3

	FW1:
[FW1]ipv6
[FW1]ospfv3 1
[FW1-ospfv3-1]router-id 10.1.22.22
[FW1-ospfv3-1]qui
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]ipv en
[FW1-GigabitEthernet1/0/1]ipv add auto link-local
[FW1-GigabitEthernet1/0/1]ospfv 1 area 0
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ipv en
[FW1-GigabitEthernet1/0/2]ipv add auto link-local
[FW1-GigabitEthernet1/0/2]ospfv 1 area 0
[FW1-GigabitEthernet1/0/2]qui
[FW1]
--------------------------
	LSW1:
[HX_SW1]ipv6
[HX_SW1]int vlan 11
[HX_SW1-Vlanif11]ipv en
[HX_SW1-Vlanif11]ipv add auto link-local
[HX_SW1-Vlanif11]qui
[HX_SW1]int loo0
[HX_SW1-LoopBack0]ipv en
[HX_SW1-LoopBack0]ipv add 2001:192:168:11::11/128
[HX_SW1-LoopBack0]qui
[HX_SW1]ospfv 1
[HX_SW1-ospfv3-1]router-id 10.1.11.11
[HX_SW1-ospfv3-1]qui
[HX_SW1]int vlan 11
[HX_SW1-Vlanif11]ospfv 1 area 0
[HX_SW1-Vlanif11]int loo0
[HX_SW1-LoopBack0]ospfv 1 area 0
[HX_SW1-LoopBack0]qui
[HX_SW1]
-----------------------------
	LSW2:
[HX_SW2]ipv6
[HX_SW2]int vlan 12
[HX_SW2-Vlanif12]ipv en
[HX_SW2-Vlanif12]ipv add auto link-local
[HX_SW2-Vlanif12]int loo0
[HX_SW2-LoopBack0]ipv en
[HX_SW2-LoopBack0]ipv add 2001:192:168:12::12/128
[HX_SW2-LoopBack0]qui
[HX_SW2]ospfv3 1
[HX_SW2-ospfv3-1]router-id 10.1.12.12
[HX_SW2-ospfv3-1]qui
[HX_SW2]int vlan 12
[HX_SW2-Vlanif12]ospfv 1 area 0
[HX_SW2-Vlanif12]int loo0
[HX_SW2-LoopBack0]ospfv 1 area 0
[HX_SW2-LoopBack0]qui
[HX_SW2]
-------------------------
	FW2:
[FW2]ipv
[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ipv en
[FW2-GigabitEthernet1/0/0]ipv add auto link-local
[FW2-GigabitEthernet1/0/0]qui
[FW2]ospfv 1
[FW2-ospfv3-1]router-id 10.1.33.33
[FW2-ospfv3-1]qui
[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ospfv 1 area 0
[FW2-GigabitEthernet1/0/0]qui
[FW2]
-----------------------
	AR4:
[AR4]ospfv 1
[AR4-ospfv3-1]router-id 10.1.55.55
[AR4-ospfv3-1]qui
[AR4]int g0/0/0
[AR4-GigabitEthernet0/0/0]ipv en
[AR4-GigabitEthernet0/0/0]ipv add auto link-local
[AR4-GigabitEthernet0/0/0]ospfv 1 area 0
[AR4-GigabitEthernet0/0/0]qui
[AR4]int g0/0/1
[AR4-GigabitEthernet0/0/1]ipv en
[AR4-GigabitEthernet0/0/1]ipv add 2001:172:16:60::4/64
[AR4-GigabitEthernet0/0/1]ospfv 1 area 0
[AR4-GigabitEthernet0/0/1]qui
[AR4]

29. DHCPv6

[AR4]dhcpv6 pool pool_v6
[AR4-dhcpv6-pool-pool_v6]address prefix 2001:172:16:60::/64
[AR4-dhcpv6-pool-pool_v6]excluded-address 2001:172:16:60::4
[AR4-dhcpv6-pool-pool_v6]dns-server 2001:172:16:60::4
[AR4-dhcpv6-pool-pool_v6]qui
[AR4]int g0/0/1
[AR4-GigabitEthernet0/0/1]ipv nd autoconfig managed-address-flag
[AR4-GigabitEthernet0/0/1]ipv nd autoconfig other-flag
[AR4-GigabitEthernet0/0/1]undo ipv nd ra halt
[AR4-GigabitEthernet0/0/1]dhcpv6 server pool_v6
[AR4-GigabitEthernet0/0/1]qui
[AR4]

30. 6to4 tunnel

[FW1]int loo0
[FW1-LoopBack0]ip add 10.0.22.22 32
[FW1-LoopBack0]qui
[FW1]bgp 65430
[FW1-bgp]network 10.0.22.22 32
[FW1-bgp]qui
[FW1]int t0
[FW1-Tunnel0]tunnel-protocol ipv6-ipv4 6to4
[FW1-Tunnel0]ipv en
[FW1-Tunnel0]ipv add 2002:0a00:1616::22/64
[FW1-Tunnel0]source loo0
[FW1-Tunnel0]service-manage ping permit
[FW1-Tunnel0]qui
[FW1]firewall zone dmz
[FW1-zone-dmz]add int t0
[FW1-zone-dmz]qui
[FW1]sec
[FW1-policy-security]rule name out_to_local
[FW1-policy-security-rule-out_to_local]service protocol 41
[FW1-policy-security-rule-out_to_local]qui
[FW1-policy-security]qui
[FW1]ipv route-static 2002:: 16 t0
[FW1]
--------------------------------
	FW2:
[FW2]int loo0
[FW2-LoopBack0]ip add 10.0.33.33 32
[FW2-LoopBack0]qui
[FW2]bgp 65000
[FW2-bgp]network 10.0.33.33 32
[FW2-bgp]qui
[FW2]int t0
[FW2-Tunnel0]tunnel-protocol ipv6-ipv4 6to4
[FW2-Tunnel0]ipv en
[FW2-Tunnel0]ipv6 add 2002:0a00:2121::33/64
[FW2-Tunnel0]source loo0
[FW2-Tunnel0]service-manage ping permit
[FW2-Tunnel0]qui
[FW2]firewall zone dmz
[FW2-zone-dmz]add int t0
[FW2-zone-dmz]qui
[FW2]sec
[FW2-policy-security]rule name out_to_local
[FW2-policy-security-rule-out_to_local]service protocol 41
[FW2-policy-security-rule-out_to_local]qui
[FW2-policy-security]qui
[FW2]ipv route-static 2002:: 16 t0
[FW2]

31. BGP4+

[FW1]bgp 65430
[FW1-bgp]peer 2002:0a00:2121::33 as-n 65000
[FW1-bgp]ipv6 unicast
[FW1-bgp-af-ipv6]peer 2002:0a00:2121::33 enable
[FW1-bgp-af-ipv6]import-route ospfv3 1
[FW1-bgp-af-ipv6]qui
[FW1-bgp]qui
[FW1]ospfv3 1
[FW1-ospfv3-1]import-route bgp permit-ibgp
[FW1-ospfv3-1]qui
[FW1]sec
[FW1-policy-security]rule name for_ipv6
[FW1-policy-security-rule-for_ipv6]service protocol icmpv6
[FW1-policy-security-rule-for_ipv6]action permit 
--------------------------------
	FW2:
[FW2]bgp 65000
[FW2-bgp]peer 2002:0a00:1616::22 as-n 65430
[FW2-bgp]ipv6 unicast
[FW2-bgp-af-ipv6]peer 2002:0a00:1616::22 enable
[FW2-bgp-af-ipv6]import-route ospfv3 1
[FW2-bgp-af-ipv6]qui
[FW2-bgp]qui
[FW2]ospfv3 1
[FW2-ospfv3-1]import-route bgp permit-ibgp
[FW2-ospfv3-1]qui
[FW2]sec
[FW2-policy-security]rule name for_ipv6
[FW2-policy-security-rule-for_ipv6]service protocol icmpv6
[FW2-policy-security-rule-for_ipv6]action permit
[FW2-policy-security-rule-for_ipv6]qui
[FW2-policy-security]qui
[FW2]

5. The location of the business card

Origin blog.csdn.net/m0_46179473/article/details/130418050