Firewall dual-machine hot backup, DHCP server, and core switch load balancing and redundancy design

Article contents

  • Table of contents:
  • 1. Concept of firewall dual-machine hot standby technology
  • 2. Related technologies used together in this design
  • 3. Design requirements and topology
  • 4. Configuration process and corresponding commands
  • Summary


1. Overview of firewall hot standby:

Generally speaking, a firewall is deployed at the egress of the enterprise network and restricts all access traffic entering and leaving the enterprise. However, when the firewall sits at that single egress, a firewall failure affects the whole network business. Therefore, to improve firewall reliability, a firewall dual-machine hot standby technology, similar to VRRP on routing and switching devices, can be configured.
In a firewall dual-machine hot standby architecture, if one firewall fails, business traffic is switched smoothly to the other firewall so that traffic and services are not interrupted. This is transparent to internal and external network users, who do not notice the firewall failure.


2. This topology design includes the following protocol configurations:

1. Eth-Trunk link aggregation
2. VLAN basic configuration
3. MSTP (multiple spanning tree)
4. VRRP gateway configuration
5. DHCP relay
6. DHCP snooping configuration
7. ACL (access control list) configuration
8. Firewall basic settings and dual-machine hot standby
9. Interface configuration for ISP1, ISP2 and the core switches facing FW1 and FW2
10. OSPF configuration
11. WLAN configuration
12. Some function tests



3. Design requirements:

1. Intranet terminals obtain IP addresses automatically from the DHCP server.

2. Intranet departments cannot communicate with each other, but all of them can access the external network. The reception room cannot access the intranet FTP server.

3. When the internal network accesses the external network, ISP1 is preferred; if the ISP1 link fails, traffic switches to ISP2.

4. Dual-machine hot standby: FW1 is the main link and FW2 is the backup link; if FW1 fails, traffic switches to FW2.

5. The core switches use VRRP for load balancing and redundancy; if one device fails, the other takes over normally.

6. The AC is attached on the SW2 side. The WLAN is configured so that the reception room joins without a password, while the other departments need a password to join the network.

The topology diagram is as follows:


4. Configuration process and corresponding commands:

1. Eth-Trunk link configuration between the core switches:

<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sys LW1
[LW1]
[LW1]int eth-trunk 1  enter the aggregation port
[LW1-Eth-Trunk1]mode lacp-static  set the mode to static LACP
[LW1-Eth-Trunk1]po link-type tr
[LW1-Eth-Trunk1]po trunk allow-pass vlan all  allow all VLANs to pass
[LW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/3 to 0/0/5  add the member ports

<sw>sy
Enter system view, return user view with Ctrl+Z.
[sw]sys LW2
[LW2]int eth-trunk 1
[LW2-Eth-Trunk1]mode lacp-static 
[LW2-Eth-Trunk1]po link-type tr
[LW2-Eth-Trunk1]po tr allow-pass vlan all
[LW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/3 to 0/0/5

2. VLAN layer-2 configuration:

LW1:
[LW1]vlan batch 10 20 30 40 50 200 201 111 
Info: This operation may take a few seconds. Please wait for a moment...done.
[LW1]int g0/0/6
[LW1-GigabitEthernet0/0/6]po link-type tr
[LW1-GigabitEthernet0/0/6]po tr allow-pass vlan 10 111
[LW1-GigabitEthernet0/0/6]int g0/0/7
[LW1-GigabitEthernet0/0/7]po link-type tr
[LW1-GigabitEthernet0/0/7]po tr allow-pass vlan 20 111
[LW1-GigabitEthernet0/0/7]int g0/0/8
[LW1-GigabitEthernet0/0/8]po link-type tr
[LW1-GigabitEthernet0/0/8]po tr allow-pass vlan 30 111
[LW1-GigabitEthernet0/0/8]int g0/0/9
[LW1-GigabitEthernet0/0/9]po link-type tr
[LW1-GigabitEthernet0/0/9]po tr allow-pass vlan 40 111
[LW1-GigabitEthernet0/0/9]int g0/0/10
[LW1-GigabitEthernet0/0/10]po link-type tr
[LW1-GigabitEthernet0/0/10]po tr allow-pass vlan 50 111
[LW1-GigabitEthernet0/0/10]int g0/0/1
[LW1-GigabitEthernet0/0/1]po link-ty ac
[LW1-GigabitEthernet0/0/1]po default vlan 200
[LW1-GigabitEthernet0/0/1]int g0/0/2
[LW1-GigabitEthernet0/0/2]po link-type ac
[LW1-GigabitEthernet0/0/2]po default vlan 201

LW2:
[LW2]vlan batch 10 20 30 40 50 100 101 
Info: This operation may take a few seconds. Please wait for a moment...done.
[LW2]vlan batch 111 102 200 201
Info: This operation may take a few seconds. Please wait for a moment...done.
[LW2]int g0/0/6
[LW2-GigabitEthernet0/0/6]po link-type tr
[LW2-GigabitEthernet0/0/6]po tr allow-pass vlan 10 111 100 101 102
[LW2-GigabitEthernet0/0/6]int g0/0/7
[LW2-GigabitEthernet0/0/7]po link-type tr
[LW2-GigabitEthernet0/0/7]po tr allow-pass vlan 20 100 101 102 111
[LW2-GigabitEthernet0/0/7]int g0/0/8
[LW2-GigabitEthernet0/0/8]po link-type tr
[LW2-GigabitEthernet0/0/8]po tr allow-pass vlan 30 100 101 102 111
[LW2-GigabitEthernet0/0/8]int g0/0/9
[LW2-GigabitEthernet0/0/9]po link-type tr
[LW2-GigabitEthernet0/0/9]po tr allow-pass vlan 40 100 101 102 111
[LW2-GigabitEthernet0/0/9]int g0/0/10 
[LW2-GigabitEthernet0/0/10]po link-type tr
[LW2-GigabitEthernet0/0/10]po tr allow-pass vlan 50 111
[LW2-GigabitEthernet0/0/10]int g0/0/1
[LW2-GigabitEthernet0/0/1]po link-type ac
[LW2-GigabitEthernet0/0/1]po de vlan 201 
[LW2-GigabitEthernet0/0/1]int g0/0/2
[LW2-GigabitEthernet0/0/2]po link-ty ac
[LW2-GigabitEthernet0/0/2]po de vlan 200

JR1:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sys JR1
[JR1]vlan batch 10 20 30 40 50 111 100 101 102
Info: This operation may take a few seconds. Please wait for a moment...done.
[JR1]int g0/0/1 
[JR1-GigabitEthernet0/0/1]po link-ty tr
[JR1-GigabitEthernet0/0/1]po tr allow-pass vlan 10 111
[JR1-GigabitEthernet0/0/1]int g0/0/2
[JR1-GigabitEthernet0/0/2]po link-type tr
[JR1-GigabitEthernet0/0/2]po tr allow-pass vlan 10 111 100 101 102
[JR1-GigabitEthernet0/0/2]int g0/0/3 
[JR1-GigabitEthernet0/0/3]po link-ty ac
[JR1-GigabitEthernet0/0/3]po de vlan 10 
[JR1-GigabitEthernet0/0/3]int g0/0/4
[JR1-GigabitEthernet0/0/4]po link-ty tr
[JR1-GigabitEthernet0/0/4]po tr allow-pass vlan 100 101 102
[JR1-GigabitEthernet0/0/4]po tr pvid vlan 100

JR2:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sys JR2
[JR2]vlan batch 10 20 30 40 50 111 100 101 102
Info: This operation may take a few seconds. Please wait for a moment...done.
[JR2]int g0/0/1 
[JR2-GigabitEthernet0/0/1]po link-ty tr
[JR2-GigabitEthernet0/0/1]po tr allow-pass vlan 20 111
[JR2-GigabitEthernet0/0/1]int g0/0/2
[JR2-GigabitEthernet0/0/2]po link-ty tr
[JR2-GigabitEthernet0/0/2]po tr allow-pass vlan 20 111 100 101 102
[JR2-GigabitEthernet0/0/2]int g0/0/3 
[JR2-GigabitEthernet0/0/3]po link-ty ac
[JR2-GigabitEthernet0/0/3]po de vlan 20 
[JR2-GigabitEthernet0/0/3]int g0/0/4
[JR2-GigabitEthernet0/0/4]po link-ty tr
[JR2-GigabitEthernet0/0/4]po tr allow-pass vlan 100 101 102
[JR2-GigabitEthernet0/0/4]po tr pvid vlan 100

JR3:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sys JR3
[JR3]vlan batch 10 20 30 40 50 111 100 101 102
Info: This operation may take a few seconds. Please wait for a moment...done.
[JR3]int g0/0/1 
[JR3-GigabitEthernet0/0/1]po link-ty tr
[JR3-GigabitEthernet0/0/1]po tr allow-pass vlan 30 111
[JR3-GigabitEthernet0/0/1]int g0/0/2
[JR3-GigabitEthernet0/0/2]po link-ty tr
[JR3-GigabitEthernet0/0/2]po tr allow-pass vlan 30 111 100 101 102
[JR3-GigabitEthernet0/0/2]
[JR3-GigabitEthernet0/0/2]int g0/0/3 
[JR3-GigabitEthernet0/0/3]po link-ty ac
[JR3-GigabitEthernet0/0/3]po de vlan 30 
[JR3-GigabitEthernet0/0/3]int g0/0/4
[JR3-GigabitEthernet0/0/4]po link-ty tr
[JR3-GigabitEthernet0/0/4]po tr allow-pass vlan 100 101 102
[JR3-GigabitEthernet0/0/4]po tr pvid vlan 100

JR4:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sys JR4
[JR4]vlan batch 10 20 30 40 50 111 100 101 102
Info: This operation may take a few seconds. Please wait for a moment...done.
[JR4]int g0/0/1 
[JR4-GigabitEthernet0/0/1]po link-ty tr
[JR4-GigabitEthernet0/0/1]po tr allow-pass vlan 40 111
[JR4-GigabitEthernet0/0/1]int g0/0/2
[JR4-GigabitEthernet0/0/2]po link-ty tr
[JR4-GigabitEthernet0/0/2]po tr allow-pass vlan 40 111 100 101 102
[JR4-GigabitEthernet0/0/2]int g0/0/3 
[JR4-GigabitEthernet0/0/3]po link-ty ac
[JR4-GigabitEthernet0/0/3]po de vlan 40 
[JR4-GigabitEthernet0/0/3]int g0/0/4
[JR4-GigabitEthernet0/0/4]po link-ty tr
[JR4-GigabitEthernet0/0/4]po tr allow-pass vlan 100 101 102
[JR4-GigabitEthernet0/0/4]po tr pvid vlan 100

JR5:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sys JR5
[JR5]vlan batch 10 20 30 40 50 111 
Info: This operation may take a few seconds. Please wait for a moment...done.
[JR5]int g0/0/1 
[JR5-GigabitEthernet0/0/1]po link-ty tr
[JR5-GigabitEthernet0/0/1]po tr allow-pass vlan 50 111
[JR5-GigabitEthernet0/0/1]int g0/0/2
[JR5-GigabitEthernet0/0/2]po link-ty tr
[JR5-GigabitEthernet0/0/2]po tr allow-pass vlan 50 111 
[JR5-GigabitEthernet0/0/2]int g0/0/3 
[JR5-GigabitEthernet0/0/3]po link-ty ac
[JR5-GigabitEthernet0/0/3]po de vlan 50 
[JR5-GigabitEthernet0/0/3]int g0/0/4
[JR5-GigabitEthernet0/0/4]po link-ty ac
[JR5-GigabitEthernet0/0/4]po de vlan 50 

3. MSTP configuration:

LW1:
[LW1]stp en 
[LW1]stp mode mstp  set the mode to MSTP
[LW1]stp region-configuration  enter the MST region view
[LW1-mst-region]region-name stp  name the region
[LW1-mst-region]revision-level 1
[LW1-mst-region]instance 1 vlan 10 20 50  map spanning-tree instances to VLANs
[LW1-mst-region]instance 2 vlan 30 40
[LW1-mst-region]active region-configuration  activate the MST region configuration (this command is required)
Info: This operation may take a few seconds. Please wait for a moment...done.
[LW1-mst-region]quit
[LW1]stp instance 1 root primary  make this device the root bridge for instance 1
[LW1]stp instance 2 root secondary  make this device the backup root bridge for instance 2


LW2:
[LW2]stp en 
[LW2]stp mode mstp
[LW2]stp region-configuration
[LW2-mst-region]region-name stp
[LW2-mst-region]revision-level 1
[LW2-mst-region]instance 1 vlan 10 20 50 
[LW2-mst-region]instance 2 vlan 30 40
[LW2-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[LW2-mst-region]
[LW2-mst-region]quit
[LW2]stp instance 1 root secondary
[LW2]stp instance 2 root primary

JR1:
[JR1]stp en 
[JR1]stp mode mstp
[JR1]stp region-configuration
[JR1-mst-region]region-name stp
[JR1-mst-region]revision-level 1
[JR1-mst-region]instance 1 vlan 10 20 50 
[JR1-mst-region]instance 2 vlan 30 40
[JR1-mst-region]active region-configuration

JR2:
[JR2]stp en 
[JR2]stp mode mstp
[JR2]stp region-configuration
[JR2-mst-region]region-name stp
[JR2-mst-region]revision-level 1
[JR2-mst-region]instance 1 vlan 10 20 50 
[JR2-mst-region]instance 2 vlan 30 40
[JR2-mst-region]active region-configuration

JR3:
[JR3]stp en 
[JR3]stp mode mstp
[JR3]stp region-configuration
[JR3-mst-region]region-name stp
[JR3-mst-region]revision-level 1
[JR3-mst-region]instance 1 vlan 10 20 50 
[JR3-mst-region]instance 2 vlan 30 40
[JR3-mst-region]active region-configuration

JR4:
[JR4]stp en 
[JR4]stp mode mstp
[JR4]stp region-configuration
[JR4-mst-region]region-name stp
[JR4-mst-region]revision-level 1
[JR4-mst-region]instance 1 vlan 10 20 50 
[JR4-mst-region]instance 2 vlan 30 40
[JR4-mst-region]active region-configuration

JR5:
[JR5]stp en 
[JR5]stp mode mstp
[JR5]stp region-configuration
[JR5-mst-region]region-name stp
[JR5-mst-region]revision-level 1
[JR5-mst-region]instance 1 vlan 10 20 50 
[JR5-mst-region]instance 2 vlan 30 40
[JR5-mst-region]active region-configuration





4. VRRP gateway redundancy configuration:

LW1:
[LW1]int vlan 10  enter the VLANIF view
[LW1-Vlanif10]ip add 192.168.10.254 24  real address of VLANIF 10
[LW1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.1  virtual gateway address of VRID 10
[LW1-Vlanif10]vrrp vrid 10 priority  120  this interface's priority in VRID 10; default 100, higher wins (LW1 is master for VLANs 10, 20 and 50, LW2 for 30 and 40)
[LW1-Vlanif10]int vlan 20
[LW1-Vlanif20]ip add 192.168.20.254 24
[LW1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.1
[LW1-Vlanif20]vrrp vrid 20 priority  120
[LW1-Vlanif20]int vlan 30
[LW1-Vlanif30]ip add 192.168.30.254 24
[LW1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[LW1-Vlanif30]int vlan 40
[LW1-Vlanif40]ip add 192.168.40.254 24
[LW1-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.1
[LW1-Vlanif40]int vlan 50
[LW1-Vlanif50]ip add 192.168.50.254 24
[LW1-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.1
[LW1-Vlanif50]vrrp vrid 50 priority  120

LW2:
[LW2]int vlan 10
[LW2-Vlanif10]ip add 192.168.10.253 24
[LW2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.1
[LW2-Vlanif10]int vlan 20
[LW2-Vlanif20]ip add 192.168.20.253 24
[LW2-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.1
[LW2-Vlanif20]int vlan 30
[LW2-Vlanif30]ip add 192.168.30.253 24
[LW2-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[LW2-Vlanif30]vrrp vrid 30 priority  120
[LW2-Vlanif30]int vlan 40
[LW2-Vlanif40]ip add 192.168.40.253 24
[LW2-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.1
[LW2-Vlanif40]vrrp vrid 40 priority  120
[LW2-Vlanif40]int vlan 50
[LW2-Vlanif50]ip add 192.168.50.253 24
[LW2-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.1

5. DHCP server and relay configuration:

DHCP:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]sys DHCP
[DHCP]
[DHCP]dhcp en  enable DHCP
Info: The operation may take a few seconds. Please wait for a moment.done.
[DHCP]
[DHCP]ip pool vlan10  create the address pool
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24  network segment and mask
[DHCP-ip-pool-vlan10]gateway-list 192.168.10.1  gateway handed to clients (the VRRP virtual IP)
[DHCP-ip-pool-vlan10]dns-list 8.8.8.8  DNS server
[DHCP-ip-pool-vlan10]excluded-ip-address 192.168.10.250 192.168.10.254  never lease these addresses (the switches' real VLANIF addresses live here)
[DHCP-ip-pool-vlan10]ip pool vlan20
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan20]network 192.168.20.0 mask 24
[DHCP-ip-pool-vlan20]gateway-list 192.168.20.1  required; without it VLAN 20 clients receive no default gateway
[DHCP-ip-pool-vlan20]dns-list  8.8.8.8
[DHCP-ip-pool-vlan20]excluded-ip-address 192.168.20.250 192.168.20.254
[DHCP-ip-pool-vlan20]ip pool vlan30
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan30]network 192.168.30.0 mask 24
[DHCP-ip-pool-vlan30]gateway-list 192.168.30.1
[DHCP-ip-pool-vlan30]dns-list  8.8.8.8
[DHCP-ip-pool-vlan30]excluded-ip-address 192.168.30.250 192.168.30.254
[DHCP-ip-pool-vlan30]ip pool vlan40
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan40]network 192.168.40.0 mask 24
[DHCP-ip-pool-vlan40]gateway-list 192.168.40.1
[DHCP-ip-pool-vlan40]dns-list  8.8.8.8
[DHCP-ip-pool-vlan40]excluded-ip-address 192.168.40.250 192.168.40.254
[DHCP-ip-pool-vlan40]int g0/0/0
[DHCP-GigabitEthernet0/0/0]ip add 192.168.50.3 24
[DHCP-GigabitEthernet0/0/0]dhcp select global  serve addresses from the global pools
[DHCP-GigabitEthernet0/0/0]ip route-s 0.0.0.0 0 192.168.50.1  static default route
  
LW1:
[LW1]dhcp en
Info: The operation may take a few seconds. Please wait for a moment.done.
[LW1]int vlan 10
[LW1-Vlanif10]dhcp select relay  make this VLANIF a DHCP relay
[LW1-Vlanif10]dhcp relay server-ip 192.168.50.3  forward client requests to the DHCP server at this address
[LW1-Vlanif10]int vlan 20
[LW1-Vlanif20]dhcp select relay
[LW1-Vlanif20]dhcp relay server-ip 192.168.50.3
[LW1-Vlanif20]int vlan 30
[LW1-Vlanif30]dhcp select relay
[LW1-Vlanif30]dhcp relay server-ip 192.168.50.3
[LW1-Vlanif30]int v 40
[LW1-Vlanif40]dhcp select relay
[LW1-Vlanif40]dhcp relay server-ip 192.168.50.3

LW2:
[LW2]dhcp en
Info: The operation may take a few seconds. Please wait for a moment.done.
[LW2]int vlan 10
[LW2-Vlanif10]dhcp select relay
[LW2-Vlanif10]dhcp relay server-ip 192.168.50.3
[LW2-Vlanif10]int vlan 20
[LW2-Vlanif20]dhcp select relay
[LW2-Vlanif20]dhcp relay server-ip 192.168.50.3
[LW2-Vlanif20]int vlan 30
[LW2-Vlanif30]dhcp select relay
[LW2-Vlanif30]dhcp relay server-ip 192.168.50.3
[LW2-Vlanif30]int v 40
[LW2-Vlanif40]dhcp select relay
[LW2-Vlanif40]dhcp relay server-ip 192.168.50.3
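As an added cross-check (not part of the original lab), the script below parses DHCP pools written in the transcript style above and compares them with the VRRP gateway plan from section 4: each pool's gateway-list must be that VLAN's VRRP virtual IP, and the switches' real VLANIF addresses must sit inside the excluded range. The pool text is constructed input that reproduces a pool with no gateway-list line.

```python
"""Cross-check of DHCP pools against the VRRP gateway plan (added example)."""
import ipaddress
import re

# Constructed input in the page's transcript style (pool vlan40 omitted).
# It deliberately reproduces a pool that has no gateway-list line.
POOLS = """
[DHCP]ip pool vlan10
[DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
[DHCP-ip-pool-vlan10]gateway-list 192.168.10.1
[DHCP-ip-pool-vlan10]dns-list 8.8.8.8
[DHCP-ip-pool-vlan10]excluded-ip-address 192.168.10.250 192.168.10.254
[DHCP-ip-pool-vlan10]ip pool vlan20
[DHCP-ip-pool-vlan20]network 192.168.20.0 mask 24
[DHCP-ip-pool-vlan20]dns-list 8.8.8.8
[DHCP-ip-pool-vlan20]excluded-ip-address 192.168.20.250 192.168.20.254
[DHCP-ip-pool-vlan20]ip pool vlan30
[DHCP-ip-pool-vlan30]network 192.168.30.0 mask 24
[DHCP-ip-pool-vlan30]gateway-list 192.168.30.1
[DHCP-ip-pool-vlan30]dns-list 8.8.8.8
[DHCP-ip-pool-vlan30]excluded-ip-address 192.168.30.250 192.168.30.254
"""

# Gateway plan taken from the VRRP section: VLAN -> (virtual IP, real VLANIF
# addresses of LW1 and LW2).
GATEWAYS = {
    10: ("192.168.10.1", ("192.168.10.254", "192.168.10.253")),
    20: ("192.168.20.1", ("192.168.20.254", "192.168.20.253")),
    30: ("192.168.30.1", ("192.168.30.254", "192.168.30.253")),
}

PROMPT = re.compile(r"^\[[^\]]*\](.*)$")          # strips the "[DHCP-...]" prompt
POOL_RE = re.compile(r"^ip pool (\S+)$")
NET_RE = re.compile(r"^network (\S+) mask (\d+)$")
GW_RE = re.compile(r"^gateway-list (\S+)$")
EXCL_RE = re.compile(r"^excluded-ip-address (\S+)(?: (\S+))?$")


def parse_pools(transcript):
    """Return {pool name: {network, gateway, excluded: [(lo, hi), ...]}}."""
    pools, cur = {}, None
    for raw in transcript.strip().splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue                                  # echoed "Info:" output
        cmd = m.group(1).strip()
        if (m := POOL_RE.match(cmd)):
            cur = pools.setdefault(m.group(1), {"network": None, "gateway": None, "excluded": []})
        elif (m := NET_RE.match(cmd)):
            cur["network"] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
        elif (m := GW_RE.match(cmd)):
            cur["gateway"] = ipaddress.IPv4Address(m.group(1))
        elif (m := EXCL_RE.match(cmd)):
            lo = ipaddress.IPv4Address(m.group(1))
            hi = ipaddress.IPv4Address(m.group(2) or m.group(1))
            cur["excluded"].append((lo, hi))
    return pools


def check_pools(pools, gateways):
    """Findings as strings; an empty list means the pools match the gateway plan."""
    findings = []
    for name, p in pools.items():
        vlan = int(name.replace("vlan", ""))          # pool names follow the page's vlanNN form
        vip, real_addrs = gateways[vlan]
        if p["gateway"] is None:
            findings.append(f"{name}: no gateway-list, clients would get no default gateway")
        elif str(p["gateway"]) != vip:
            findings.append(f"{name}: gateway {p['gateway']} is not the VRRP virtual IP {vip}")
        if p["network"] is None or ipaddress.IPv4Address(vip) not in p["network"]:
            findings.append(f"{name}: virtual IP {vip} is outside the pool network")
        for addr in real_addrs:
            a = ipaddress.IPv4Address(addr)
            if not any(lo <= a <= hi for lo, hi in p["excluded"]):
                findings.append(f"{name}: switch address {addr} could be leased to a client")
    return findings


if __name__ == "__main__":
    for finding in check_pools(parse_pools(POOLS), GATEWAYS):
        print(finding)
```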



6. DHCP snooping configuration:

JR1:
[JR1]dhcp en  enable DHCP
Info: The operation may take a few seconds. Please wait for a moment.done.
[JR1]dhcp snooping en  enable DHCP snooping globally
[JR1]vlan 10 
[JR1-vlan10]dhcp snooping en  enable snooping in VLAN 10
[JR1-vlan10]int g0/0/1
[JR1-GigabitEthernet0/0/1]dhcp snooping trusted  trusted port: DHCP replies are accepted only on the uplinks, so a rogue server on an access port is dropped
[JR1-GigabitEthernet0/0/1]int g0/0/2
[JR1-GigabitEthernet0/0/2]dhcp snooping trusted

JR2:
[JR2]dhcp en
Info: The operation may take a few seconds. Please wait for a moment.done.
[JR2]dhcp snooping en
[JR2]vlan 20 
[JR2-vlan20]dhcp snooping en
[JR2-vlan20]int g0/0/1
[JR2-GigabitEthernet0/0/1]dhcp snooping trusted
[JR2-GigabitEthernet0/0/1]int g0/0/2
[JR2-GigabitEthernet0/0/2]dhcp snooping trusted

JR3:
[JR3]dhcp en
Info: The operation may take a few seconds. Please wait for a moment.done.
[JR3]dhcp snooping en
[JR3]vlan 30 
[JR3-vlan30]dhcp snooping en
[JR3-vlan30]int g0/0/1
[JR3-GigabitEthernet0/0/1]dhcp snooping trusted
[JR3-GigabitEthernet0/0/1]int g0/0/2
[JR3-GigabitEthernet0/0/2]dhcp snooping trusted

JR4:
[JR4]dhcp en
Info: The operation may take a few seconds. Please wait for a moment.done.
[JR4]dhcp snooping en
[JR4]vlan 40 
[JR4-vlan40]dhcp snooping en
[JR4-vlan40]int g0/0/1
[JR4-GigabitEthernet0/0/1]dhcp snooping trusted
[JR4-GigabitEthernet0/0/1]int g0/0/2
[JR4-GigabitEthernet0/0/2]dhcp snooping trusted

7. ACL (access control list) configuration:

LW1: keep reception-room and WLAN traffic away from the FTP server
[LW1]acl 3000  create ACL 3000 and enter its view
acl number 3000
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.2 0  # deny the 192.168.10.0/24 segment access to 192.168.50.2
 rule 10 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.50.2 0
 rule 15 deny ip source 192.168.101.0 0.0.0.255 destination 192.168.50.2 0
 rule 100 permit ip  allow everything else
[LW1]int g0/0/10
[LW1-GigabitEthernet0/0/10] traffic-filter outbound acl 3000  # apply ACL 3000 in the outbound direction on this interface

[LW1]: prevent the departments from reaching each other.
acl number 3001
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255  # deny the 192.168.10.0/24 segment access to devices in 192.168.20.0/24
 rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 15 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 25 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 30 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 35 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 40 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 45 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 50 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 55 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 60 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 200 permit ip
[LW1]int g0/0/6
[LW1-GigabitEthernet0/0/6]traffic-filter inbound acl 3001  apply ACL 3001 in the inbound direction on this interface
[LW1-GigabitEthernet0/0/6]int g0/0/7
[LW1-GigabitEthernet0/0/7]traffic-filter inbound acl 3001
[LW1-GigabitEthernet0/0/7]int g0/0/8
[LW1-GigabitEthernet0/0/8]traffic-filter inbound acl 3001
[LW1-GigabitEthernet0/0/8]int g0/0/9
[LW1-GigabitEthernet0/0/9]traffic-filter inbound acl 3001

LW2:
[LW2]ACL 3000
acl number 3000
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.2 0
 rule 10 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.50.2 0
 rule 15 deny ip source 192.168.101.0 0.0.0.255 destination 192.168.50.2 0
 rule 100 permit ip
[LW2]int g0/0/10
[LW2-GigabitEthernet0/0/10]traffic-filter outbound acl 3000


acl number 3001
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 15 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 25 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 30 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 35 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 40 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 45 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 50 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 55 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 60 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 200 permit ip
[LW2]int g0/0/6
[LW2-GigabitEthernet0/0/6]traffic-filter inbound acl 3001
[LW2-GigabitEthernet0/0/6]int g0/0/7
[LW2-GigabitEthernet0/0/7]traffic-filter inbound acl 3001
[LW2-GigabitEthernet0/0/7]int g0/0/8
[LW2-GigabitEthernet0/0/8]traffic-filter inbound acl 3001
[LW2-GigabitEthernet0/0/8]int g0/0/9
[LW2-GigabitEthernet0/0/9]traffic-filter inbound acl 3001
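To confirm that the two ACLs actually implement design requirement 2, here is an added Python checker (not part of the original lab) that evaluates the rules above with the switch's first-match and wildcard-mask semantics. The sample hosts (.10 in each segment) and the ISP1 loopback 5.5.5.5 standing in for "outside" are assumptions made for the test.

```python
"""First-match evaluator for the page's ACL 3000 / ACL 3001 (added example)."""
import ipaddress
import re

# ACL 3000 as on the page: outbound on g0/0/10, the port towards server VLAN 50.
ACL_3000_TEXT = """
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.2 0
rule 10 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.50.2 0
rule 15 deny ip source 192.168.101.0 0.0.0.255 destination 192.168.50.2 0
rule 100 permit ip
"""
# ACL 3001 as on the page: inbound on the department-facing ports g0/0/6-9.
ACL_3001_TEXT = """
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 15 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 25 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 30 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 35 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 40 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 45 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 50 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 55 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 60 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 200 permit ip
"""
RULE_RE = re.compile(
    r"^rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<srcw>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dstw>\S+))?\s*$"
)
SEGMENTS = ("192.168.10.0", "192.168.20.0", "192.168.30.0", "192.168.40.0")
SERVER_VLAN = ipaddress.IPv4Network("192.168.50.0/24")


def _to_int(text):
    """Dotted quad, or the bare '0' the CLI prints for a 0.0.0.0 wildcard."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_acl(text):
    """Return the rules as dicts in match order (ascending rule number)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        rules.append(m.groupdict())
    return sorted(rules, key=lambda r: int(r["num"]))


def evaluate(rules, src, dst):
    """First matching rule wins; traffic-filter permits when nothing matches."""
    for r in rules:
        if r["src"] and not wildcard_match(src, r["src"], r["srcw"]):
            continue
        if r["dst"] and not wildcard_match(dst, r["dst"], r["dstw"]):
            continue
        return r["action"]
    return "permit"


ACL_3000 = parse_acl(ACL_3000_TEXT)
ACL_3001 = parse_acl(ACL_3001_TEXT)


def decision(src, dst, ingress_acl=ACL_3001):
    """Filters met while crossing the core: the ingress port's ACL (3001 on the
    department ports, none on the AC uplink g0/0/11, so pass []), then ACL 3000
    outbound on g0/0/10 if the packet heads for VLAN 50."""
    if evaluate(ingress_acl, src, dst) == "deny":
        return "deny"
    if ipaddress.IPv4Address(dst) in SERVER_VLAN:
        return evaluate(ACL_3000, src, dst)
    return "permit"


def check_requirement_2():
    """Return (src, dst, expected, actual) for every case that breaks requirement 2."""
    hosts = {seg: seg.rsplit(".", 1)[0] + ".10" for seg in SEGMENTS}   # one sample host each
    ftp, outside = "192.168.50.2", "5.5.5.5"     # FTP server and ISP1 loopback from the page
    cases = []
    for a in hosts.values():
        cases.append((a, outside, "permit", ACL_3001))     # every segment reaches the outside
        cases.extend((a, b, "deny", ACL_3001) for b in hosts.values() if b != a)  # isolation
    cases.append((hosts["192.168.10.0"], ftp, "deny", ACL_3001))    # reception room, VLAN 10
    cases.append(("192.168.101.10", ftp, "deny", []))               # guest WLAN, VLAN 101
    cases.append((hosts["192.168.20.0"], ftp, "permit", ACL_3001))  # departments may use FTP
    bad = []
    for s, d, want, acl in cases:
        got = decision(s, d, acl)
        if got != want:
            bad.append((s, d, want, got))
    return bad
```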

8. Firewall configuration and dual-machine hot standby (NAT on the outbound interface):

FW1:
<USG6000V1>sy
Enter system view, return user view with Ctrl+Z.
[USG6000V1]sys FW1
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.200.1 24
[FW1-GigabitEthernet1/0/0]service-manage all permit  allow all management services on this interface
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 192.168.1.1 24
[FW1-GigabitEthernet1/0/1]service-manage all permit
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/2]int g1/0/3
[FW1-GigabitEthernet1/0/3]ip add 20.1.1.1 24
[FW1-GigabitEthernet1/0/3]int g1/0/4
[FW1-GigabitEthernet1/0/4]ip add 192.168.201.1 24
[FW1-GigabitEthernet1/0/4]service-manage all permit
[FW1-GigabitEthernet1/0/4]firewall zone trust  security zone (trusted)
[FW1-zone-trust]add int g1/0/0  add the interface
[FW1-zone-trust]add int g1/0/4
[FW1-zone-trust]firewall zone untrust  security zone (untrusted)
[FW1-zone-untrust]add int g1/0/2
[FW1-zone-untrust]add int g1/0/3
[FW1-zone-untrust]firewall zone dmz  security zone (DMZ, for servers)
[FW1-zone-dmz]add int g1/0/1
[FW1-zone-dmz]ip route-s 0.0.0.0 0 10.1.1.5  static default route towards ISP1
[FW1]ip route-s 0.0.0.0 0 20.1.1.5 preference 70  static default route towards ISP2 as the backup (preference 70 is less preferred than the default 60)

[FW1]security-policy  security policy
[FW1-policy-security]rule name local_dmz  rule name
[FW1-policy-security-rule-local_dmz]source-zone local  source zone
[FW1-policy-security-rule-local_dmz]destination-zone dmz  destination zone
[FW1-policy-security-rule-local_dmz]action permit  permit
[FW1-policy-security-rule-local_dmz]
[FW1-policy-security-rule-local_dmz]rule name trust_untrust
[FW1-policy-security-rule-trust_untrust]source-zone trust
[FW1-policy-security-rule-trust_untrust]destination-zone untrust
[FW1-policy-security-rule-trust_untrust]action permit

[FW1]nat-policy  NAT policy view
[FW1-policy-nat]rule name ISP
[FW1-policy-nat-rule-ISP]source-zone trust  source zone
[FW1-policy-nat-rule-ISP]destination-zone untrust  destination zone
[FW1-policy-nat-rule-ISP]source-address 192.168.10.0 24  source addresses
[FW1-policy-nat-rule-ISP]source-address 192.168.20.0 24 
[FW1-policy-nat-rule-ISP]source-address 192.168.30.0 24
[FW1-policy-nat-rule-ISP]source-address 192.168.40.0 24
[FW1-policy-nat-rule-ISP]source-address 192.168.100.0 24
[FW1-policy-nat-rule-ISP]source-address 192.168.101.0 24
[FW1-policy-nat-rule-ISP]source-address 192.168.102.0 24
[FW1-policy-nat-rule-ISP]action source-nat easy-ip   easy-IP: translate to the outbound interface address

[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]vrrp vrid 200 virtual-ip 192.168.200.254 active   this interface's VRRP group is bound to the VGMP active group (master)
[FW1-GigabitEthernet1/0/0]int g1/0/2
[FW1-GigabitEthernet1/0/2]vrrp vrid 10 virtual-ip 10.1.1.254 active
[FW1-GigabitEthernet1/0/2]int g1/0/3
[FW1-GigabitEthernet1/0/3]vrrp vrid 20 virtual-ip 20.1.1.254 active
[FW1-GigabitEthernet1/0/3]int g1/0/4
[FW1-GigabitEthernet1/0/4]vrrp vrid 201 virtual-ip 192.168.201.254 active
[FW1-GigabitEthernet1/0/4]
[FW1-GigabitEthernet1/0/4]hrp interface g1/0/1 remote 192.168.1.2   heartbeat interface: hrp interface <heartbeat port> remote <peer heartbeat address>
[FW1]
[FW1]hrp en  enable HRP; the prompt then shows HRP_S
Info: NAT IP detect function is disabled.
HRP_S[FW1]hrp mirror session enable  enable fast session backup
HRP_S[FW1]hrp auto-sync  enable automatic configuration backup (on by default)

FW2:
<USG6000V1>sy
Enter system view, return user view with Ctrl+Z.
[USG6000V1]un in en
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]sys FW2
[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 192.168.200.3 24
[FW2-GigabitEthernet1/0/0]service-manage all permit
[FW2-GigabitEthernet1/0/0]int g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 192.168.1.2 24
[FW2-GigabitEthernet1/0/1]service-manage all permit
[FW2-GigabitEthernet1/0/1]int g1/0/2
[FW2-GigabitEthernet1/0/2]ip add 20.1.1.2 24
[FW2-GigabitEthernet1/0/2]int g1/0/3
[FW2-GigabitEthernet1/0/3]ip add 10.1.1.2 24
[FW2-GigabitEthernet1/0/3]int g1/0/4
[FW2-GigabitEthernet1/0/4]ip add 192.168.201.3 24
[FW2-GigabitEthernet1/0/4]service-manage all permit
[FW2-GigabitEthernet1/0/4]firewall zone trust
[FW2-zone-trust]add int g1/0/0
[FW2-zone-trust]add int g1/0/4
[FW2-zone-trust]firewall zone untrust
[FW2-zone-untrust]add int g1/0/2
[FW2-zone-untrust]add int g1/0/3
[FW2-zone-untrust]firewall zone dmz
[FW2-zone-dmz]add int g1/0/1
[FW2-zone-dmz]ip route-s 0.0.0.0 0 10.1.1.5
[FW2]ip route-s 0.0.0.0 0 20.1.1.5 preference 70

[FW2]security-policy 
[FW2-policy-security]rule name local_dmz
[FW2-policy-security-rule-local_dmz]source-zone local
[FW2-policy-security-rule-local_dmz]destination-zone dmz
[FW2-policy-security-rule-local_dmz]action permit
[FW2-policy-security-rule-local_dmz]
[FW2-policy-security-rule-local_dmz]rule name trust_untrust
[FW2-policy-security-rule-trust_untrust]source-zone trust
[FW2-policy-security-rule-trust_untrust]destination-zone untrust
[FW2-policy-security-rule-trust_untrust]action permit

[FW2]nat-policy
[FW2-policy-nat]rule name ISP
[FW2-policy-nat-rule-ISP]source-zone trust
[FW2-policy-nat-rule-ISP]destination-zone untrust
[FW2-policy-nat-rule-ISP]source-address 192.168.10.0 24
[FW2-policy-nat-rule-ISP]source-address 192.168.20.0 24
[FW2-policy-nat-rule-ISP]source-address 192.168.30.0 24
[FW2-policy-nat-rule-ISP]source-address 192.168.40.0 24
[FW2-policy-nat-rule-ISP]source-address 192.168.100.0 24
[FW2-policy-nat-rule-ISP]source-address 192.168.101.0 24
[FW2-policy-nat-rule-ISP]source-address 192.168.102.0 24
[FW2-policy-nat-rule-ISP]action source-nat easy-ip

[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]vrrp vrid 200 virtual-ip 192.168.200.254 standby  this interface's VRRP group is bound to the VGMP standby group
[FW2-GigabitEthernet1/0/0]int g1/0/2
[FW2-GigabitEthernet1/0/2]vrrp vrid 20 virtual-ip 20.1.1.254 standby  VRID and virtual IP must match FW1's group on the same subnet (g1/0/2 is 20.1.1.2 here)
[FW2-GigabitEthernet1/0/2]int g1/0/3
[FW2-GigabitEthernet1/0/3]vrrp vrid 10 virtual-ip 10.1.1.254 standby
[FW2-GigabitEthernet1/0/3]int g1/0/4
[FW2-GigabitEthernet1/0/4]vrrp vrid 201 virtual-ip 192.168.201.254 standby
[FW2-GigabitEthernet1/0/4]
[FW2-GigabitEthernet1/0/4]hrp interface g1/0/1 remote 192.168.1.1
[FW2]
[FW2]hrp en
Info: NAT IP detect function is disabled.
HRP_S[FW2]hrp mirror session enable
HRP_S[FW2]hrp auto-sync
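The HRP pair only fails over cleanly when each VRRP group carries the same VRID and virtual IP on both units, FW1 holds every group as active, and the heartbeat addresses point at each other. The added script below (not the lab's own code) reads FW1/FW2 lines in the transcript style above and reports mismatches; the transcripts are constructed from the page's addresses, plus a constructed FW2 variant with the two ISP-facing VRIDs swapped.

```python
"""Consistency check for the FW1/FW2 HRP pair (added example, not the lab's own code)."""
import ipaddress
import re

# Constructed transcripts in the page's style, trimmed to the lines that matter
# (addresses, VRRP groups bound to VGMP, heartbeat interface).
FW1 = """
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.200.1 24
[FW1-GigabitEthernet1/0/0]vrrp vrid 200 virtual-ip 192.168.200.254 active
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 192.168.1.1 24
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/2]vrrp vrid 10 virtual-ip 10.1.1.254 active
[FW1-GigabitEthernet1/0/2]int g1/0/3
[FW1-GigabitEthernet1/0/3]ip add 20.1.1.1 24
[FW1-GigabitEthernet1/0/3]vrrp vrid 20 virtual-ip 20.1.1.254 active
[FW1-GigabitEthernet1/0/3]hrp interface g1/0/1 remote 192.168.1.2
"""
FW2 = """
[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 192.168.200.3 24
[FW2-GigabitEthernet1/0/0]vrrp vrid 200 virtual-ip 192.168.200.254 standby
[FW2-GigabitEthernet1/0/0]int g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 192.168.1.2 24
[FW2-GigabitEthernet1/0/1]int g1/0/2
[FW2-GigabitEthernet1/0/2]ip add 20.1.1.2 24
[FW2-GigabitEthernet1/0/2]vrrp vrid 20 virtual-ip 20.1.1.254 standby
[FW2-GigabitEthernet1/0/2]int g1/0/3
[FW2-GigabitEthernet1/0/3]ip add 10.1.1.2 24
[FW2-GigabitEthernet1/0/3]vrrp vrid 10 virtual-ip 10.1.1.254 standby
[FW2-GigabitEthernet1/0/3]hrp interface g1/0/1 remote 192.168.1.1
"""
# Constructed fault: FW2 with the VRIDs of its two ISP-facing groups swapped,
# so each VRID carries a different virtual IP on the two units.
FW2_SWAPPED = (FW2.replace("vrid 20 virtual-ip 20.1.1.254", "vrid 10 virtual-ip 20.1.1.254")
               .replace("vrid 10 virtual-ip 10.1.1.254", "vrid 20 virtual-ip 10.1.1.254"))

PROMPT = re.compile(r"^(?:HRP_[MS])?\[[^\]]*\](.*)$")
INT_RE = re.compile(r"^int(?:erface)?\s+(\S+)$")
IP_RE = re.compile(r"^ip add(?:ress)?\s+(\S+)\s+(\d+)$")
VRRP_RE = re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$")
HRP_RE = re.compile(r"^hrp interface (\S+) remote (\S+)$")


def parse_fw(transcript):
    """Interface addresses, VRRP groups (vrid -> (iface, vip, role)) and the HRP
    setting. Interface names are kept as typed (g1/0/x), as the page does."""
    cur, ifaces, vrrp, hrp = None, {}, {}, None
    for raw in transcript.strip().splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue                                   # echoed output, not a command
        cmd = m.group(1).strip()
        if (m := INT_RE.match(cmd)):
            cur = m.group(1)
        elif (m := IP_RE.match(cmd)):
            ifaces[cur] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif (m := VRRP_RE.match(cmd)):
            vrrp[int(m.group(1))] = (cur, m.group(2), m.group(3))
        elif (m := HRP_RE.match(cmd)):
            hrp = (m.group(1), m.group(2))
    return {"ifaces": ifaces, "vrrp": vrrp, "hrp": hrp}


def check_pair(primary, backup):
    """Findings for a pair meant to run primary=active / backup=standby; [] if consistent."""
    findings = []
    for vrid, (_, vip, role) in primary["vrrp"].items():
        if role != "active":
            findings.append(f"vrid {vrid}: primary bound as {role}, expected active")
        peer = backup["vrrp"].get(vrid)
        if peer is None:
            findings.append(f"vrid {vrid}: no group with this VRID on the backup")
        elif peer[1] != vip:
            findings.append(f"vrid {vrid}: virtual IP {vip} on primary but {peer[1]} on backup")
        elif peer[2] != "standby":
            findings.append(f"vrid {vrid}: backup bound as {peer[2]}, expected standby")
    for name, fw in (("primary", primary), ("backup", backup)):
        for vrid, (ifn, vip, _) in fw["vrrp"].items():
            net = fw["ifaces"].get(ifn)
            if net is None or ipaddress.IPv4Address(vip) not in net.network:
                findings.append(f"vrid {vrid}: {vip} is outside the subnet of {ifn} on {name}")
    # The heartbeat remote must be the peer's own HRP interface address.
    for me, peer in ((primary, backup), (backup, primary)):
        if me["hrp"] is None or peer["hrp"] is None:
            findings.append("hrp interface is not configured on both units")
            break
        peer_addr = peer["ifaces"].get(peer["hrp"][0])
        if peer_addr is None or str(peer_addr.ip) != me["hrp"][1]:
            findings.append(f"hrp remote {me['hrp'][1]} is not the peer heartbeat address")
    return findings
```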



9. Interface configuration for ISP1, ISP2 and the core switch uplinks to FW1 and FW2:

LW1: uplink interfaces towards the firewalls
[LW1]int vlan 200
[LW1-Vlanif200]ip add 192.168.200.2 24
[LW1-Vlanif200]int v 201
[LW1-Vlanif201]ip add 192.168.201.2 24
[LW1-Vlanif201]int g0/0/1
[LW1-GigabitEthernet0/0/1]po link-ty ac
[LW1-GigabitEthernet0/0/1]po de vlan 200
[LW1-GigabitEthernet0/0/1]int g0/0/2
[LW1-GigabitEthernet0/0/2]po link-ty ac
[LW1-GigabitEthernet0/0/2]po de vlan 201
[LW1-GigabitEthernet0/0/2]ip route-s 0.0.0.0 0 192.168.200.254  static default route via the uplink to FW1
[LW1]ip route-s 0.0.0.0 0 192.168.201.254 pre 70  static default route via the uplink to FW2 (backup)

LW2: uplink interfaces towards the firewalls
[LW2]int vlan 200
[LW2-Vlanif200]ip add 192.168.200.4 24
[LW2-Vlanif200]int v 201
[LW2-Vlanif201]ip add 192.168.201.4 24
[LW2-Vlanif201]int g0/0/1
[LW2-GigabitEthernet0/0/1]po link-ty ac
[LW2-GigabitEthernet0/0/1]po de vlan 200
[LW2-GigabitEthernet0/0/1]int g0/0/2
[LW2-GigabitEthernet0/0/2]po link-ty ac
[LW2-GigabitEthernet0/0/2]po de vlan 201
[LW2-GigabitEthernet0/0/2]ip route-s 0.0.0.0 0 192.168.201.254 
[LW2]ip route-s 0.0.0.0 0 192.168.200.254 pre 70

LSP1:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]sys LSP1
[LSP1]
[LSP1]int g0/0/0
[LSP1-GigabitEthernet0/0/0]
[LSP1-GigabitEthernet0/0/0]ip add 10.1.1.5 24
[LSP1-GigabitEthernet0/0/0]
[LSP1-GigabitEthernet0/0/0]int loopback 0  loopback interface (used for testing)
[LSP1-LoopBack0]
[LSP1-LoopBack0]ip add 5.5.5.5 32
[LSP1-LoopBack0]ip route-s 0.0.0.0 0 10.1.1.254  static default route via the downlink to the firewall

LSP2:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]sys LSP2
[LSP2]
[LSP2]int g0/0/0
[LSP2-GigabitEthernet0/0/0]
[LSP2-GigabitEthernet0/0/0]ip add 20.1.1.5 24
[LSP2-GigabitEthernet0/0/0]
[LSP2-GigabitEthernet0/0/0]int loopback 0
[LSP2-LoopBack0]
[LSP2-LoopBack0]ip add 6.6.6.6 32
[LSP2-LoopBack0]ip route-s 0.0.0.0 0 20.1.1.254

10. OSPF configuration:

LW1:
[LW1]ospf router-id 1.1.1.1  router ID, unique, for easy identification
[LW1-ospf-1]area 0
[LW1-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255  advertise this network
[LW1-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[LW1-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[LW1-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[LW1-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[LW1-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
[LW1-ospf-1-area-0.0.0.0]net 192.168.201.0 0.0.0.255
[LW1-ospf-1-area-0.0.0.0]

LW2:
[LW2]ospf router-id 2.2.2.2
[LW2-ospf-1]area 0
[LW2-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[LW2-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[LW2-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[LW2-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[LW2-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[LW2-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
[LW2-ospf-1-area-0.0.0.0]net 192.168.201.0 0.0.0.255

FW1:
HRP_M[FW1]ospf router-id 3.3.3.3
HRP_M[FW1-ospf-1]area 0 
HRP_M[FW1-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
HRP_M[FW1-ospf-1-area-0.0.0.0]net 192.168.201.0 0.0.0.255

FW2:
HRP_M[FW2]ospf router-id 4.4.4.4
HRP_M[FW2-ospf-1]area 0 
HRP_M[FW2-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
HRP_M[FW2-ospf-1-area-0.0.0.0]net 192.168.201.0 0.0.0.255

11. WLAN configuration:

LW2:
[LW2]int v 100
[LW2-Vlanif100]ip add 192.168.100.1 24
[LW2-Vlanif100]dhcp sel global
[LW2-Vlanif100]
[LW2-Vlanif100]int v 101
[LW2-Vlanif101]ip add 192.168.101.1 24
[LW2-Vlanif101]dhcp sel global
[LW2-Vlanif101] 
[LW2-Vlanif101]int v 102
[LW2-Vlanif102]ip add 192.168.102.1 24
[LW2-Vlanif102]dhcp sel global
[LW2-Vlanif102]
[LW2-Vlanif102]ip pool AP_GL
Info:It's successful to create an IP address pool.
[LW2-ip-pool-ap_gl]gateway-list 192.168.100.1
[LW2-ip-pool-ap_gl]network 192.168.100.0 mask 24
[LW2-ip-pool-ap_gl]excluded-ip-address 192.168.100.254
[LW2-ip-pool-ap_gl]
[LW2-ip-pool-ap_gl]ip pool AP_YW1
Info:It's successful to create an IP address pool.
[LW2-ip-pool-ap_yw1]gateway-list 192.168.101.1
[LW2-ip-pool-ap_yw1]network 192.168.101.0 mask 24
[LW2-ip-pool-ap_yw1]
[LW2-ip-pool-ap_yw1]ip pool AP_YW2
Info:It's successful to create an IP address pool.
[LW2-ip-pool-ap_yw2]gateway-list 192.168.102.1
[LW2-ip-pool-ap_yw2]network 192.168.102.0 mask 24
[LW2]INT G0/0/11
[LW2-GigabitEthernet0/0/11]po link-ty tr
[LW2-GigabitEthernet0/0/11]po tr allow-pass vlan all

AC configuration:
<AC6005>sy
Enter system view, return user view with Ctrl+Z.
[AC6005]vlan b 100 101 102
Info: This operation may take a few seconds. Please wait for a moment...done.
[AC6005]int g0/0/1
[AC6005-GigabitEthernet0/0/1]port link-ty tr
[AC6005-GigabitEthernet0/0/1]po tr allow-pass vlan all
[AC6005]int v 100
[AC6005-Vlanif100]ip add 192.168.100.254 24
[AC6005]capwap source interface Vlanif 100   source interface of the CAPWAP tunnel

[AC6005]wlan  enter the WLAN view
[AC6005-wlan-view]regulatory-domain-profile name d1  create regulatory domain profile d1
[AC6005-wlan-regulate-domain-d1]country-code cn  country code CN
[AC6005-wlan-view]regulatory-domain-profile name d2
[AC6005-wlan-regulate-domain-d2]country-code cn
[AC6005-wlan-view]ap-group name ap1  create AP group ap1
[AC6005-wlan-ap-group-ap1]regulatory-domain-profile d1  bind the regulatory domain profile to this group
[AC6005-wlan-view]ap-group name ap2
[AC6005-wlan-ap-group-ap2]regulatory-domain-profile d2

[AC6005-wlan-view]ap auth-mode mac-auth   AP authentication mode: MAC authentication
[AC6005-wlan-view]ap-id 0 ap-mac 00E0-FC22-11A0  bind the AP by its MAC address
[AC6005-wlan-ap-0]ap-name area0  name this AP area0
[AC6005-wlan-ap-0]ap-group ap1  put this AP in group ap1

[AC6005-wlan-view]ap-id 1 ap-mac 00E0-FC22-11A1
[AC6005-wlan-ap-1]ap-name area1
[AC6005-wlan-ap-1]ap-group ap2

[AC6005-wlan-view]ap-id 2 ap-mac 00E0-FC22-11A2
[AC6005-wlan-ap-2]ap-name area2
[AC6005-wlan-ap-2]ap-group ap2

[AC6005-wlan-view]ap-id 3 ap-mac 00E0-FC22-11A3
[AC6005-wlan-ap-3]ap-name area3
[AC6005-wlan-ap-3]ap-group ap2

[AC6005-wlan-view]security-profile name s1  security profile s1
[AC6005-wlan-sec-prof-s1]security open  open authentication (no password)
[AC6005-wlan-view]security-profile name s2
[AC6005-wlan-sec-prof-s2]security wpa-wpa2 psk pass-phrase 12345678 aes    WPA/WPA2-PSK with AES; 12345678 is the lab's pre-shared key

[AC6005-wlan-view]ssid-profile name ssid1  SSID profile
[AC6005-wlan-ssid-prof-ssid1]ssid huike
[AC6005-wlan-view]ssid-profile name ssid2
[AC6005-wlan-ssid-prof-ssid2]ssid bumen

[AC6005-wlan-view]vap-profile name vap1  VAP profile
[AC6005-wlan-vap-prof-vap1]forward-mode tunnel   tunnel forwarding mode
[AC6005-wlan-vap-prof-vap1]service-vlan vlan-id 101  users get their addresses in VLAN 101
[AC6005-wlan-vap-prof-vap1]security-profile s1  attach the security profile
[AC6005-wlan-vap-prof-vap1]ssid-profile ssid1   attach the SSID profile
[AC6005-wlan-view]vap-profile name vap2
[AC6005-wlan-vap-prof-vap2]forward-mode tunnel
[AC6005-wlan-vap-prof-vap2]service-vlan vlan-id 102
[AC6005-wlan-vap-prof-vap2]security-profile s2
[AC6005-wlan-vap-prof-vap2]ssid-profile ssid2

[AC6005-wlan-view]ap-group name ap1
[AC6005-wlan-ap-group-ap1]vap-profile vap1 wlan 1 radio all   bind vap1 to AP group ap1
[AC6005-wlan-view]ap-group name ap2
[AC6005-wlan-ap-group-ap2]vap-profile vap2 wlan 1 radio all 




12. Some function tests:


Summary

This lab covers a lot of ground; in practice it is not limited to dual-machine hot backup technology. It took me about a week to complete, with much of that time spent on troubleshooting and on looking things up on CSDN. However, there are still some parts I do not understand.

1. After the WLAN is brought up, the tunnel between the AC and the APs is established and the APs obtain the AC's management address, but STAs do not obtain addresses from the STA pool automatically. If I do no other configuration on the individual devices and only configure the WLAN, everything works normally. After checking a lot of material, this seems to be caused by a bug in the eNSP software that makes tunnel forwarding unstable; if you have seen this, please point it out.

2. The DHCP server sometimes goes up and down and addresses cannot be obtained. No STP loop was found when capturing packets, but sometimes the DHCP server's outbound interface address cannot be pinged.


Reposted from: blog.csdn.net/m0_63775189/article/details/126847451