
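Building a Three-Tier Network Architecture with eNSP

1. Project Overview
1.1 Project Background

To support the company's business growth, build a high-performance, highly reliable, easily managed and secure modern office network that meets the needs of 200 employees for daily office work, collaborative communication and access to business systems.

1.2 Objectives

Build a stable and reliable base network environment that integrates wired and wireless access.

Implement logical network isolation and access control to protect core data.

Provide seamless wireless coverage.

Ensure high availability of key network services (such as DHCP and the gateway) with fast failover (because the S5700 cannot link DHCP with VRRP, SW2 is not configured for DHCP).

Optimize network paths, eliminate loops, and plan IP addresses sensibly.

2. Network Design Principles
Layered architecture: use the classic core-aggregation-access three-tier model to separate functions and simplify expansion and management.

Redundancy and reliability: deploy device and link redundancy at the aggregation layer and on core links, and use VRRP for key services so that there is no single point of failure.

Security and compliance: use VLAN isolation, ACL policies and NAT to provide network boundary protection and internal access control.

Ease of management: simplify day-to-day operations through sensible IP address planning, VLAN assignment and centralized policy deployment.

There are still many shortcomings; I will keep learning and improving it.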

LSW3

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname LSW3
[LSW3]vlan 10
[LSW3-vlan10]q
[LSW3]int eth0/0/1
[LSW3-Ethernet0/0/1]port link-type access
[LSW3-Ethernet0/0/1]port default vlan 10
[LSW3-Ethernet0/0/1]int eth0/0/2
[LSW3-Ethernet0/0/2]port link-type access
[LSW3-Ethernet0/0/2]port default vlan 10
[LSW3-Ethernet0/0/2]quit
[LSW3]int g0/0/1
[LSW3-GigabitEthernet0/0/1]port link-type trunk
[LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[LSW3-GigabitEthernet0/0/1]int g0/0/2
[LSW3-GigabitEthernet0/0/2]port link-type trunk
[LSW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 10
[LSW3-GigabitEthernet0/0/2]q

[LSW3]stp mode mstp
[LSW3]stp region-configuration
[LSW3-mst-region]region-name myRegion
[LSW3-mst-region]revision-level 1
[LSW3-mst-region]instance 10 vlan 10
[LSW3-mst-region]instance 20 vlan 20
[LSW3-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW3-mst-region]q
[LSW3]stp enable

LSW5


[LSW5]vlan 20
[LSW5-vlan20]q
[LSW5]int eth0/0/1
[LSW5-Ethernet0/0/1]port link-type access
[LSW5-Ethernet0/0/1]port default vlan 20
[LSW5-Ethernet0/0/1]int g0/0/1
[LSW5-GigabitEthernet0/0/1]port link-type trunk
[LSW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 20
[LSW5-GigabitEthernet0/0/1]int g0/0/2
[LSW5-GigabitEthernet0/0/2]port link-type trunk
[LSW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 20
[LSW5-GigabitEthernet0/0/2]

[LSW5]stp mode mstp
[LSW5]stp region-configuration
[LSW5-mst-region]region-name myRegion
[LSW5-mst-region]revision-level 1
[LSW5-mst-region]instance 10 vlan 10
[LSW5-mst-region]instance 20 vlan 20
[LSW5-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW5-mst-region]q
[LSW5]stp enable

LSW6

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center ena
Info: Information center is disabled.
[Huawei]sysname LSW6
[LSW6]vlan 100
[LSW6-vlan100]q
[LSW6]int eth0/0/1
[LSW6-Ethernet0/0/1]port link-type access
[LSW6-Ethernet0/0/1]port default vlan 100
[LSW6-Ethernet0/0/1]int g0/0/1
[LSW6-GigabitEthernet0/0/1]port link-type trunk
[LSW6-GigabitEthernet0/0/1]port trunk allow-pass vlan 100

LSW1

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname LSW1
[LSW1]vlan batch 10 20 100
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW1]int g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type trunk
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[LSW1-GigabitEthernet0/0/1]int g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type trunk
[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 20
[LSW1-GigabitEthernet0/0/2]int g0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type trunk
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 100
[LSW1-GigabitEthernet0/0/3]quit
[LSW1]int vlanif10
[LSW1-Vlanif10]ip address 192.168.10.254 24
[LSW1-Vlanif10]int vlanif20
[LSW1-Vlanif20]ip address 192.168.20.253 24
[LSW1-Vlanif20]int vlanif100
[LSW1-Vlanif100]ip address 192.168.100.254 24
[LSW1-Vlanif100]

[LSW1]int g0/0/4
[LSW1-GigabitEthernet0/0/4]port link-type trunk
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan all

[LSW1]vlan 80
[LSW1]int vlanif80
[LSW1-Vlanif80]ip address 192.168.80.252 24

[LSW1]stp mode mstp
[LSW1]stp region-configuration
[LSW1-mst-region]region-name myRegion
[LSW1-mst-region]revision-level 1
[LSW1-mst-region]instance 10 vlan 10
[LSW1-mst-region]instance 20 vlan 20
[LSW1-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW1-mst-region]quit
[LSW1]stp instance 10 root primary
[LSW1]stp instance 20 root secondary
[LSW1]stp enable

[LSW1]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[LSW1]ip pool tang
Info:It's successful to create an IP address pool.
[LSW1-ip-pool-tang]q
[LSW1]int vlanif10
[LSW1-Vlanif10]dhcp select global
[LSW1-Vlanif10]q
[LSW1]ip pool tang
[LSW1-ip-pool-tang]gateway-list 192.168.10.254
[LSW1-ip-pool-tang]network 192.168.10.0 mask 255.255.255.0
[LSW1-ip-pool-tang]dns-list 8.8.8.8
[LSW1-ip-pool-tang]excluded-ip-address 192.168.10.253
[LSW1-ip-pool-tang]excluded-ip-address 192.168.10.254
Error:Only idle or expired IP address can be disabled.
[LSW1-ip-pool-tang]excluded-ip-address 192.168.10.252
[LSW1-ip-pool-tang]excluded-ip-address 192.168.10.251
[LSW1-ip-pool-tang]excluded-ip-address 192.168.10.250
[LSW1-ip-pool-tang]lease day 1
[LSW1-ip-pool-tang]quit

interface Vlanif10
ip address 192.168.10.251 255.255.255.0

[LSW1] User interface con0 is available

Please Press ENTER.
<LSW1>sys
Enter system view, return user view with Ctrl+Z.
[LSW1]int vlanif10
[LSW1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[LSW1-Vlanif10]vrrp vrid 10 priority 120
[LSW1-Vlanif10]vrrp vrid 10 preempt-mode timer delay 5
[LSW1-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/5 reduced 30
[LSW1-Vlanif10]q
[LSW1]int vlanif20
[LSW1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[LSW1-Vlanif20]vrrp vrid 20 priority 100
[LSW1-Vlanif20]vrrp vrid 20 preempt-mode timer delay 5
[LSW1-Vlanif20]vrrp vrid 20 track interface g0/0/5 reduced 30
[LSW1-Vlanif20]int g0/0/5
[LSW1-GigabitEthernet0/0/5]port link-type trunk
[LSW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 10

LSW2

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]vlan batch 10 20 100
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 20
[Huawei-GigabitEthernet0/0/1]q
[Huawei]int vlanif10
[Huawei-Vlanif10]ip address 192.168.10.253 24
[Huawei-Vlanif10]int vlanif20
[Huawei-Vlanif20]ip address 192.168.20.254 24

[LSW2]int vlanif100
[LSW2-Vlanif100]ip address 192.168.100.253 24
[Huawei]int g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type trunk
[Huawei-GigabitEthernet0/0/4]port trunk allow-pass vlan all

[LSW2]vlan batch 70 80
Info: This operation may take a few seconds. Please wait for a moment...done.

[LSW2]int g0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type trunk
[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 70 80
[LSW2-GigabitEthernet0/0/3]int g0/0/5
[LSW2-GigabitEthernet0/0/5]port link-type trunk
[LSW2-GigabitEthernet0/0/5]port trunk pvid vlan 70
[LSW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 70 80

[LSW2]int g0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type trunk
[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[LSW2-GigabitEthernet0/0/3]quit
[LSW2]

[LSW2]stp mode mstp
[LSW2]stp region-configuration
[LSW2-mst-region]region-name myRegion
[LSW2-mst-region]revision-level 1
[LSW2-mst-region]instance 10 vlan 10
[LSW2-mst-region]instance 20 vlan 20
[LSW2-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW2-mst-region]quit
[LSW2]stp instance 20 root primary
[LSW2]stp instance 10 root secondary
[LSW2]stp enable

<LSW2>sys
Enter system view, return user view with Ctrl+Z.
[LSW2]int vlanif20
[LSW2-Vlanif20]q
[LSW2]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[LSW2]int vlanif20
[LSW2-Vlanif20]dhcp select global
[LSW2-Vlanif20]q
[LSW2]ip pool tang1
Info:It's successful to create an IP address pool.
[LSW2-ip-pool-tang1]gateway-list 192.168.20.254
[LSW2-ip-pool-tang1]network 192.168.20.0 mask 255.255.255.0
[LSW2-ip-pool-tang1]dns-list 8.8.8.8
[LSW2-ip-pool-tang1]excluded-ip-address 192.168.20.254
Error:Only idle or expired IP address can be disabled.
[LSW2-ip-pool-tang1]excluded-ip-address 192.168.20.253
[LSW2-ip-pool-tang1]excluded-ip-address 192.168.20.252
[LSW2-ip-pool-tang1]excluded-ip-address 192.168.20.251
[LSW2-ip-pool-tang1]excluded-ip-address 192.168.20.250

[LSW2]int vlan10
[LSW2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[LSW2-Vlanif10]vrrp vrid 10 priority 100
[LSW2-Vlanif10]vrrp vrid 10 preempt-mode timer delay 5
[LSW2-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/6 reduced 30
[LSW2-Vlanif10]q

[LSW2]int vlanif20
[LSW2-Vlanif20]ip address 192.168.20.251 24
[LSW2-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[LSW2-Vlanif20]vrrp vrid 20 priority 120
[LSW2-Vlanif20]vrrp vrid 20 preempt-mode timer delay 5
[LSW2-Vlanif20]vrrp vrid 20 track interface g0/0/6 reduced 30
[LSW2]int g0/0/6
[LSW2-GigabitEthernet0/0/6]port link-type access
[LSW2-GigabitEthernet0/0/6]port default vlan 20

AC1

<AC6005>
<AC6005>sys
Enter system view, return user view with Ctrl+Z.
[AC6005]undo info-center enable
Info: Information center is disabled.
[AC6005]sysname AC1
[AC1]vlan batch 70 80
Info: This operation may take a few seconds. Please wait for a moment...done.
[AC1]int g0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 70 80
[AC1-GigabitEthernet0/0/1]quit
[AC1]int vlanif70
[AC1-Vlanif70]ip address 192.168.70.254 24
[AC1-Vlanif70]int vlanif80
[AC1-Vlanif80]ip address 192.168.80.254 24
[AC1-Vlanif80]q
[AC1]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[AC1]ip pool 123
Info: It is successful to create an IP address pool.
[AC1-ip-pool-123]gateway-list 192.168.70.254
[AC1-ip-pool-123]network 192.168.70.0 mask 255.255.255.0
[AC1-ip-pool-123]quit
[AC1]ip pool huawei
Info: It is successful to create an IP address pool.
[AC1-ip-pool-huawei]gateway-list 192.168.80.254
[AC1-ip-pool-huawei]network 192.168.80.0 mask 255.255.255.0
[AC1-ip-pool-huawei]excluded-ip-address 192.168.80.254
Error: The gateway cannot be excluded.
[AC1-ip-pool-huawei]excluded-ip-address 192.168.80.253
[AC1-ip-pool-huawei]excluded-ip-address 192.168.80.252
[AC1-ip-pool-huawei]excluded-ip-address 192.168.80.251
[AC1-ip-pool-huawei]excluded-ip-address 192.168.80.250
[AC1-ip-pool-huawei]dns-list 8.8.8.8
[AC1-ip-pool-huawei]lease day 1
[AC1-ip-pool-huawei]q
[AC1]int vlan70
[AC1-Vlanif70]dhcp select global
[AC1-Vlanif70]int vlanif80
[AC1-Vlanif80]dhcp select global

[AC1]capwap source interface vlanif80
[AC1]wlan
[AC1-wlan-view]regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default]country-code CN
Info: The current country code is same with the input country code.
[AC1-wlan-regulate-domain-default]q
[AC1-wlan-view]security-profile name office-sec
[AC1-wlan-sec-prof-office-sec]security wpa2 psk pass-phrase huawei123 aes
[AC1-wlan-sec-prof-office-sec]quit
[AC1-wlan-view]ssid-profile name office-ssid
[AC1-wlan-ssid-prof-office-ssid]ssid office-wifi
Info: This operation may take a few seconds, please wait.done.
<AC1>sys
Enter system view, return user view with Ctrl+Z.
[AC1]wlan
[AC1-wlan-view]vap-profile name office-vap
[AC1-wlan-vap-prof-office-vap]forward-mode tunnel
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-office-vap]service-vlan vlan-id 80
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-office-vap]ssid-profile office-ssid
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-office-vap]security-profile office-sec
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-office-vap]quit

[AC1-wlan-view]quit

[AC1]wlan
[AC1-wlan-view]ap-group name office-group
Info: This operation may take a few seconds. Please wait for a moment.done.
[AC1-wlan-ap-group-office-group]regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-office-group]vap-profile office-vap wlan 1 radio all
Info: This operation may take a few seconds, please wait...done.
[AC1-wlan-ap-group-office-group]quit
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc1c-4cb0
[AC1-wlan-ap-1]ap-name AP-office
[AC1-wlan-ap-1]ap-group office-group
[AC1-wlan-ap-1]quit
[AC1-wlan-view]quit

[AC6605]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[AC6605]int vlan10
[AC6605-Vlanif10]ip address 192.168.10.252 24
[AC6605-Vlanif10]int vlanif20
[AC6605-Vlanif20]ip address 192.168.20.252 24
[AC6605-Vlanif20]

[AC6605]int g0/0/1
[AC6605-GigabitEthernet0/0/1]port link-type trunk
[AC6605-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[AC6605-GigabitEthernet0/0/1]quit

[AC6605]ip route-static 192.168.137.0 24 192.168.20.251

[AC6605]stp mode mstp
[AC6605]stp region-configuration
Info: Please activate the stp region-configuration after it is modified.
[AC6605-mst-region]region-name myRegion
[AC6605-mst-region]revision-level 1
[AC6605-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[AC6605-mst-region]q
[AC6605]stp enable

At this point the whole network can communicate; next, the VRRP and MSTP protocols are used.

AR1

[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]ip address 192.168.137.2 24

[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.10.250 24

[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.20.250 24

[Huawei]ip route-static 0.0.0.0 0.0.0.0 192.168.137.1

[Huawei]ip route-static 192.168.80.0 24 192.168.20.251

[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 permit
[Huawei-acl-basic-2000]q
[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]nat outbound 2000

Verify by querying.
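An added example, not part of the original post: a small Python audit that reads VRP session transcripts like the ones above and flags settings that work against the isolation and access-control goals in section 2 (logging disabled, a trunk carrying all VLANs, a NAT ACL that permits any source, a short WPA2 pass-phrase). The sample lines are copied from this page; the check names and the 12-character threshold are assumptions of this example.

```python
import re

# Constructed sample: command lines copied from the transcripts on this page.
SAMPLE = """\
[Huawei]undo info-center enable
Info: Information center is disabled.
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 100
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[AC1-wlan-sec-prof-office-sec]security wpa2 psk pass-phrase huawei123 aes
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 permit
[Huawei-acl-basic-2000]q
[Huawei-GigabitEthernet0/0/2]nat outbound 2000
"""

# "[device-view]command" or "<device>command"; device output lines do not match.
PROMPT = re.compile(r"^[\[<]([^\]>-]+)(?:-([^\]>]+))?[\]>]\s*(\S.*)$")

def audit(transcript):
    """Return sorted (device, check, detail) findings; check names are this example's own."""
    findings, open_acls = set(), set()  # open_acls: (device, ACL number) with a match-all permit
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # device output or a bare prompt, not a command
        dev, view, cmd = m.group(1), m.group(2) or "", m.group(3).strip()
        if cmd.startswith("undo info-center ena"):
            findings.add((dev, "logging-disabled", cmd))
        elif cmd == "port trunk allow-pass vlan all":
            findings.add((dev, "trunk-all-vlans", view))
        elif view.startswith("acl-") and re.fullmatch(r"rule \d+ permit", cmd):
            open_acls.add((dev, view.rsplit("-", 1)[1]))  # no source clause: matches any
        elif cmd.startswith("nat outbound "):
            acl = cmd.split()[2]
            if (dev, acl) in open_acls:
                findings.add((dev, "nat-acl-permits-any", "acl %s on %s" % (acl, view)))
        elif cmd.startswith("security wpa2 psk pass-phrase "):
            key = cmd.split()[4]
            # Assumed threshold: under 12 characters or a single character class.
            if len(key) < 12 or key.isalpha() or key.isdigit():
                findings.add((dev, "weak-psk", "%d chars, value withheld" % len(key)))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%-8s %-20s %s" % finding)
```

Each finding points at a line to tighten in the lab: list only the VLANs a trunk needs, give ACL 2000 explicit `source` rules for the internal subnets, and keep the information center enabled.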

