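Building and Configuring a Campus Network in ENSP: A Complete Walkthrough

This article uses Huawei's ENSP simulator to build a complete enterprise network consisting of core switches, access switches, an AC, routers, a firewall, and an ISP router. It follows the original configuration commands strictly and adds comments on the key steps explaining what each configuration is for, to help readers understand the logic of the network build and the main points of device configuration.

I. Lab topology (ENSP)

Topology overview

The lab topology consists of the following devices and connections and can be reproduced directly in ENSP:

  • Core layer: 2 core switches (Core-SW1, Core-SW2), interconnected through an Eth-Trunk link aggregation for redundancy
  • Access layer: 7 access switches (LSW3~LSW9), each connected to the core switches and mapped to a different service VLAN
  • Wireless control: 1 AC (AC1), connected to the core switch, managing the wireless APs and providing WLAN service
  • Routing layer: 2 core routers (Core-R1, Core-R2), connecting the core switches to the firewall and running OSPF
  • Security layer: 1 firewall (FW1), connecting the routers to the ISP and providing access control and NAT
  • External network: 1 ISP router (ISP-R), simulating the public network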

Topology diagram

II. Device configuration details (ENSP)

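Subnet | Purpose | Gateway / virtual IP | Associated devices
--- | --- | --- | ---
192.168.10.0/24 | Access-layer VLAN10 endpoints | 192.168.10.252 (VRRP) | LSW9
192.168.20.0/24 | Access-layer VLAN20 endpoints | 192.168.20.252 (VRRP) | LSW3
192.168.30.0/24 | Access-layer VLAN30 endpoints | 192.168.30.252 (VRRP) | LSW4
192.168.40.0/24 | Access-layer VLAN40 endpoints | 192.168.40.252 (VRRP) | LSW5
192.168.50.0/24 | Access-layer VLAN50 endpoints | 192.168.50.252 (VRRP) | LSW6
192.168.60.0/24 | Access-layer VLAN60 endpoints | 192.168.60.252 (VRRP) | LSW7
192.168.100.0/24 | Wireless user subnet | 192.168.100.254 | AC1, Core-SW1/2
192.168.101.0/24 | AC and AP management subnet | 192.168.101.1 | AC1
192.168.200.0/24 | DMZ (servers) | 192.168.200.1 | FW1
192.168.2-8.0/24 | Core routing interconnect subnets | - | Core-R1/2, FW1
200.10.10.0/30 | Firewall-ISP interconnect subnet | - | FW1, ISP-R
200.10.20.0/28 | ISP public subnet | 200.10.20.1 | ISP-R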

1. Core switch Core-SW1 configuration



<Huawei>sys  # enter system view
[Huawei]undo info-center enable  # disable the information center to reduce log noise
[Huawei]sys Core-SW1  # rename the device to Core-SW1
[Core-SW1]vlan batch 10 20 30 40 50 60 100 101  # batch-create the service VLANs and management VLANs

# Configure the VLAN10 interface and VRRP (Virtual Router Redundancy Protocol); priority 120 makes this the master
[Core-SW1]int Vlanif 10
[Core-SW1-Vlanif10]ip address 192.168.10.254 24  # interface IP
[Core-SW1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.252  # virtual gateway IP
[Core-SW1-Vlanif10]vrrp vrid 10 priority 120  # priority 120 (default 100; the higher value becomes master)
[Core-SW1-Vlanif10]vrrp vrid 10 track interface g0/0/1  # track the state of G0/0/1
[Core-SW1-Vlanif10]vrrp vrid 10 track interface g0/0/2  # track the state of G0/0/2
[Core-SW1-Vlanif10]quit

# Configure the VLAN20-VLAN60 interfaces and VRRP with the same logic as VLAN10; Core-SW1 is the master for VLAN10-30
[Core-SW1]int Vlanif 20
[Core-SW1-Vlanif20]ip add 192.168.20.254 24
[Core-SW1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.252
[Core-SW1-Vlanif20]vrrp vrid 20 priority 120
[Core-SW1-Vlanif20]vrrp vrid 20 track interface g0/0/1
[Core-SW1-Vlanif20]vrrp vrid 20 track interface g0/0/2

[Core-SW1-Vlanif20]int Vlanif 30
[Core-SW1-Vlanif30]ip address 192.168.30.254 24
[Core-SW1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.252
[Core-SW1-Vlanif30]vrrp vrid 30 priority 120 
[Core-SW1-Vlanif30]vrrp vrid 30 track interface g0/0/1
[Core-SW1-Vlanif30]vrrp vrid 30 track interface g0/0/2

# For VLAN40-VLAN60 Core-SW1 is the backup, so no priority is set (default 100)
[Core-SW1-Vlanif30]int Vlanif 40
[Core-SW1-Vlanif40]ip address 192.168.40.254 24
[Core-SW1-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.252
[Core-SW1-Vlanif40]vrrp vrid 40 track interface g0/0/1
[Core-SW1-Vlanif40]vrrp vrid 40 track interface g0/0/2

[Core-SW1-Vlanif40]int  vlan 50
[Core-SW1-Vlanif50]ip address 192.168.50.254 24
[Core-SW1-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.252
[Core-SW1-Vlanif50]vrrp vrid 50 track interface  g0/0/1
[Core-SW1-Vlanif50]vrrp vrid 50 track interface g0/0/2

[Core-SW1-Vlanif50]int vlan 60
[Core-SW1-Vlanif60]ip address 192.168.60.254 24
[Core-SW1-Vlanif60]vrrp vrid 60 virtual-ip 192.168.60.252
[Core-SW1-Vlanif60]vrrp vrid 60 track interface g0/0/1
[Core-SW1-Vlanif60]vrrp vrid 60 track interface g0/0/2

# Configure management VLAN100 (interconnect with the AC)
[Core-SW1-Vlanif60]int vlan 100
[Core-SW1-Vlanif100]ip address 192.168.100.254 24
[Core-SW1-Vlanif100]undo shutdown  # enable the interface
[Core-SW1-Vlanif100]qu

# Create VLAN5 and VLAN7 (links to routers Core-R1 and Core-R2)
[Core-SW1]vlan batch 5 7
[Core-SW1]int Vlanif 5
[Core-SW1-Vlanif5]ip address 192.168.5.2 24  # link to Core-R1 G2/0/0
[Core-SW1-Vlanif5]int Vlanif 7
[Core-SW1-Vlanif7]ip address 192.168.7.2 24  # link to Core-R2 G2/0/1
[Core-SW1-Vlanif7]qu

# Configure the router-facing interfaces as access ports in the corresponding VLANs
[Core-SW1]int g0/0/1
[Core-SW1-GigabitEthernet0/0/1]port link-type access  # access port
[Core-SW1-GigabitEthernet0/0/1]port default vlan 5  # default VLAN 5
[Core-SW1-GigabitEthernet0/0/1]int g0/0/2
[Core-SW1-GigabitEthernet0/0/2]port link-type access
[Core-SW1-GigabitEthernet0/0/2]port default vlan 7  # default VLAN 7
[Core-SW1-GigabitEthernet0/0/2]qu

# Configure link aggregation Eth-Trunk1 toward Core-SW2 for more bandwidth and redundancy
[Core-SW1]int Eth-Trunk 1
[Core-SW1-Eth-Trunk1]port link-type trunk  # trunk link type, carries traffic for multiple VLANs
[Core-SW1-Eth-Trunk1]port trunk allow-pass vlan all  # allow all VLANs
[Core-SW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/3  # add member interface G0/0/3
[Core-SW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/4  # add member interface G0/0/4

# Configure the interfaces facing the access switches as trunks allowing all VLANs
[Core-SW1]int GigabitEthernet 0/0/5
[Core-SW1-GigabitEthernet0/0/5]port link-type  trunk 
[Core-SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan all 

[Core-SW1-GigabitEthernet0/0/5]int GigabitEthernet 0/0/6
[Core-SW1-GigabitEthernet0/0/6]port link-type trunk
[Core-SW1-GigabitEthernet0/0/6]port trunk allow-pass vlan all

[Core-SW1-GigabitEthernet0/0/6]int GigabitEthernet 0/0/7
[Core-SW1-GigabitEthernet0/0/7]port link-type trunk
[Core-SW1-GigabitEthernet0/0/7]port trunk allow-pass vlan all

[Core-SW1-GigabitEthernet0/0/7]int GigabitEthernet 0/0/8
[Core-SW1-GigabitEthernet0/0/8]port link-type trunk
[Core-SW1-GigabitEthernet0/0/8]port trunk allow-pass vlan all

[Core-SW1-GigabitEthernet0/0/8]int GigabitEthernet 0/0/9
[Core-SW1-GigabitEthernet0/0/9]port link-type trunk
[Core-SW1-GigabitEthernet0/0/9]port trunk allow-pass vlan all

[Core-SW1-GigabitEthernet0/0/9]int GigabitEthernet 0/0/10
[Core-SW1-GigabitEthernet0/0/10]port link-type trunk
[Core-SW1-GigabitEthernet0/0/10]port trunk allow-pass vlan all

# Configure the AC-facing interfaces and set the PVID to VLAN101 (CAPWAP tunnel VLAN)
[Core-SW1-GigabitEthernet0/0/10]int GigabitEthernet 0/0/12
[Core-SW1-GigabitEthernet0/0/12]port link-type trunk
[Core-SW1-GigabitEthernet0/0/12]port trunk allow-pass vlan all

[Core-SW1-GigabitEthernet0/0/12]int GigabitEthernet 0/0/13
[Core-SW1-GigabitEthernet0/0/13]port link-type trunk
[Core-SW1-GigabitEthernet0/0/13]port trunk pvid vlan 101  # untagged frames are placed in VLAN101
[Core-SW1-GigabitEthernet0/0/13]port trunk allow-pass vlan all
[Core-SW1-GigabitEthernet0/0/13]qu

# Configure STP (Spanning Tree Protocol) to prevent loops
[Core-SW1]stp enable  # enable STP
[Core-SW1]stp region-configuration  # enter MST region configuration
[Core-SW1-mst-region]region-name huawei  # region name huawei
[Core-SW1-mst-region]revision-level 5  # revision level 5
[Core-SW1-mst-region]instance 1 vlan 10 20 30 100  # instance 1 contains VLAN10, 20, 30, 100
[Core-SW1-mst-region]instance 2 vlan 40 50 60  # instance 2 contains VLAN40, 50, 60
[Core-SW1-mst-region]active region-configuration  # activate the MST region configuration
[Core-SW1-mst-region]qu
[Core-SW1]stp instance 1 root primary  # root bridge (primary root) for instance 1
[Core-SW1]stp instance 2 root secondary  # backup root bridge for instance 2

# Configure OSPF and advertise all directly connected networks
[Core-SW1]ospf 10  # start OSPF process 10
[Core-SW1-ospf-10]area 0  # enter area 0 (backbone area)
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.10.0 0.0.0.255  # advertise the VLAN10 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.20.0 0.0.0.255  # advertise the VLAN20 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.30.0 0.0.0.255  # advertise the VLAN30 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.40.0 0.0.0.255  # advertise the VLAN40 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.50.0 0.0.0.255  # advertise the VLAN50 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.60.0 0.0.0.255  # advertise the VLAN60 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.100.0 0.0.0.255  # advertise the VLAN100 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.5.0 0.0.0.255  # advertise the VLAN5 subnet (link to R1)
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.7.0 0.0.0.255  # advertise the VLAN7 subnet (link to R2)

2. Core switch Core-SW2 configuration



<Huawei>sys
[Huawei]undo info enable  
[Huawei]sys Core-SW2  # rename the device to Core-SW2
[Core-SW2]vlan batch 10 20 30 40 50 60 100 101 6 8  # batch-create VLANs, including VLAN6 and VLAN8 for the router links

# Configure the VLAN10-VLAN30 interfaces and VRRP; Core-SW2 is the backup (default priority 100)
[Core-SW2]int Vlanif 10
[Core-SW2-Vlanif10]ip address 192.168.10.253 24  # forms a redundant IP pair with Core-SW1
[Core-SW2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.252  # shared virtual gateway
[Core-SW2-Vlanif10]vrrp vrid 10 track interface g0/0/1  # track interface state
[Core-SW2-Vlanif10]vrrp vrid 10 track interface g0/0/2

[Core-SW2-Vlanif10]int vlan 20
[Core-SW2-Vlanif20]ip address 192.168.20.253 24
[Core-SW2-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.252
[Core-SW2-Vlanif20]vrrp vrid 20 track interface g0/0/1
[Core-SW2-Vlanif20]vrrp vrid 20 track interface g0/0/2

[Core-SW2-Vlanif20]int vlan 30
[Core-SW2-Vlanif30]ip address 192.168.30.253 24
[Core-SW2-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.252
[Core-SW2-Vlanif30]vrrp vrid 30 track interface g0/0/1
[Core-SW2-Vlanif30]vrrp vrid 30 track interface g0/0/2

# Configure the VLAN40-VLAN60 interfaces and VRRP; Core-SW2 is the master (priority 120)
[Core-SW2-Vlanif30]int vlan 40
[Core-SW2-Vlanif40]ip address 192.168.40.253 24
[Core-SW2-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.252
[Core-SW2-Vlanif40]vrrp vrid 40 priority 120  # set to 120 to become the master
[Core-SW2-Vlanif40]vrrp vrid 40 track interface g0/0/1
[Core-SW2-Vlanif40]vrrp vrid 40 track interface g0/0/2

[Core-SW2-Vlanif40]int vlan 50
[Core-SW2-Vlanif50]ip address 192.168.50.253 24
[Core-SW2-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.252
[Core-SW2-Vlanif50]vrrp vrid 50 priority 120
[Core-SW2-Vlanif50]vrrp vrid 50 track interface g0/0/1
[Core-SW2-Vlanif50]vrrp vrid 50 track interface g0/0/2

[Core-SW2-Vlanif50]int vlan 60
[Core-SW2-Vlanif60]ip address 192.168.60.253 24
[Core-SW2-Vlanif60]vrrp vrid 60 virtual-ip 192.168.60.252
[Core-SW2-Vlanif60]vrrp vrid 60 priority 120
[Core-SW2-Vlanif60]vrrp vrid 60 track interface g0/0/1
[Core-SW2-Vlanif60]vrrp vrid 60 track interface g0/0/2

# Configure VLAN6 and VLAN8 (links to routers Core-R1 and Core-R2)
[Core-SW2-Vlanif60]int vlan 6
[Core-SW2-Vlanif6]ip address 192.168.6.2 24  # link to Core-R1 G2/0/1
[Core-SW2-Vlanif6]int vlan 8
[Core-SW2-Vlanif8]ip address 192.168.8.2 24  # link to Core-R2 G2/0/0
[Core-SW2-Vlanif8]qu

# Configure the router-facing interfaces as access ports in the corresponding VLANs
[Core-SW2]int g0/0/1
[Core-SW2-GigabitEthernet0/0/1]port link-type access
[Core-SW2-GigabitEthernet0/0/1]port default vlan 8  # place in VLAN8 (link to R2)
[Core-SW2-GigabitEthernet0/0/1]int g0/0/2
[Core-SW2-GigabitEthernet0/0/2]port link-type access
[Core-SW2-GigabitEthernet0/0/2]port default vlan 6  # place in VLAN6 (link to R1)
[Core-SW2-GigabitEthernet0/0/2]qu

# Configure link aggregation Eth-Trunk1, interconnecting with Core-SW1
[Core-SW2]int Eth-Trunk 1
[Core-SW2-Eth-Trunk1]port link-type trunk
[Core-SW2-Eth-Trunk1]port trunk allow-pass vlan all
[Core-SW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/3
[Core-SW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/4
[Core-SW2-Eth-Trunk1]QU  # abbreviated command, equivalent to quit

# Configure the interfaces facing the access switches as trunks allowing all VLANs
[Core-SW2]int g0/0/5
[Core-SW2-GigabitEthernet0/0/5]port link-type trunk 
[Core-SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan all 

[Core-SW2-GigabitEthernet0/0/5]int g0/0/6
[Core-SW2-GigabitEthernet0/0/6]port link-type trunk
[Core-SW2-GigabitEthernet0/0/6]port trunk allow-pass vlan all

[Core-SW2-GigabitEthernet0/0/6]int g0/0/7
[Core-SW2-GigabitEthernet0/0/7]port link-type trunk
[Core-SW2-GigabitEthernet0/0/7]port trunk allow-pass vlan all

[Core-SW2-GigabitEthernet0/0/7]int g0/0/8
[Core-SW2-GigabitEthernet0/0/8]port link-type trunk
[Core-SW2-GigabitEthernet0/0/8]port trunk allow-pass vlan all

[Core-SW2-GigabitEthernet0/0/8]int g0/0/9
[Core-SW2-GigabitEthernet0/0/9]port link-type trunk
[Core-SW2-GigabitEthernet0/0/9]port trunk allow-pass vlan all

[Core-SW2-GigabitEthernet0/0/9]int g0/0/10
[Core-SW2-GigabitEthernet0/0/10]port link-type trunk
[Core-SW2-GigabitEthernet0/0/10]port trunk allow-pass vlan all
[Core-SW2-GigabitEthernet0/0/10] qu

# Configure STP consistently with Core-SW1 to achieve load balancing
[Core-SW2]stp enable
[Core-SW2]stp region-configuration
[Core-SW2-mst-region]region-name huawei  # same region name, huawei
[Core-SW2-mst-region]revision-level 5  # same revision level
[Core-SW2-mst-region]instance 1 vlan 10 20 30 100  # same instance mapping as Core-SW1
[Core-SW2-mst-region]instance 2 vlan 40 50 60
[Core-SW2-mst-region]active region-configuration
[Core-SW2-mst-region]qu
[Core-SW2]stp instance 1 root primary     # primary root for instance 1 (same as Core-SW1; should be adjusted to the topology, kept here as in the original commands)
[Core-SW2]stp instance 2 root secondary  # backup root for instance 2

# Configure OSPF and advertise the directly connected networks
[Core-SW2]ospf 20  # start OSPF process 20
[Core-SW2-ospf-20]area 0  # enter backbone area 0
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.40.0 0.0.0.255
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.50.0 0.0.0.255
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.60.0 0.0.0.255
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.6.0 0.0.0.255  # advertise the VLAN6 subnet (link to R1)
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.8.0 0.0.0.255  # advertise the VLAN8 subnet (link to R2)

3. Access switch LSW9 configuration (LSW3~LSW7 follow the same logic; only the VLAN differs)



<Huawei>sys
[Huawei]undo info-center en  # abbreviated command; disables the information center
[Huawei]sysname LSW9  # rename to LSW9
[LSW9]vlan batch 10 20 30 40 50 60 100 101  # batch-create the required VLANs

# Configure STP and join the MST region, consistent with the core switches
[LSW9]stp enable
[LSW9]stp region-configuration
[LSW9-mst-region]region-name huawei  # same region name
[LSW9-mst-region]revision-level 5  # same revision level
[LSW9-mst-region]instance 1 vlan 10 20 30 100  # same instance mapping
[LSW9-mst-region]instance 2 vlan 40 50 60
[LSW9-mst-region]instance 2 vlan 40 50 60  # duplicated in the original commands; kept as-is
[LSW9-mst-region]active region-configuration  # activate the configuration
[LSW9-mst-region]qu

# Configure the core-switch-facing interfaces as trunks allowing all VLANs
[LSW9]int e0/0/1
[LSW9-Ethernet0/0/1]port link-type trunk
[LSW9-Ethernet0/0/1]port trunk allow-pass vlan all

[LSW9-Ethernet0/0/1]int e0/0/2
[LSW9-Ethernet0/0/2]port link-type trunk
[LSW9-Ethernet0/0/2]port trunk allow-pass vlan all

# Configure the endpoint-facing interfaces as access ports in VLAN10
[LSW9-Ethernet0/0/2]int e0/0/3
[LSW9-Ethernet0/0/3]port link-type access
[LSW9-Ethernet0/0/3]port default vlan 10  # endpoints join VLAN10
[LSW9-Ethernet0/0/3]int e0/0/4
[LSW9-Ethernet0/0/4]port link-type access
[LSW9-Ethernet0/0/4]port default vlan 10  # endpoints join VLAN10

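Additional notes on access switches LSW3~LSW7

  • LSW3: access interfaces are placed in VLAN20 for the corresponding service endpoints
  • LSW4: access interfaces are placed in VLAN30 for the corresponding service endpoints
  • LSW5: access interfaces are placed in VLAN40 for the corresponding service endpoints
  • LSW6: access interfaces are placed in VLAN50 for the corresponding service endpoints
  • LSW7: access interfaces are placed in VLAN60 for the corresponding service endpoints
  • On all access switches the STP and trunk interface configuration is identical to LSW9; only the VLAN of the access interfaces differs.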

4. AC (AC1) configuration (wireless control)



<AC6605>system-view  # enter system view
[AC6605]sysname AC1  # rename to AC1
[AC1]vlan batch 100 101  # create VLAN100 (service VLAN) and VLAN101 (CAPWAP tunnel VLAN)

# Configure the VLAN100 interface (link to the core switch, forwards service data)
[AC1]int Vlanif 100
[AC1-Vlanif100]ip address 192.168.100.1 24  # link to Core-SW1 VLAN100
[AC1-Vlanif100]qu

# Enable DHCP to assign IPs to wireless clients
[AC1]dhcp enable
[AC1]int Vlanif 100
[AC1-Vlanif100]dhcp select global  # assign IPs from the global address pool
[AC1-Vlanif100]qu

# Configure the VLAN101 interface (CAPWAP tunnel, AP management)
[AC1]int Vlanif 101
[AC1-Vlanif101]ip address 192.168.101.1 24
[AC1-Vlanif101]dhcp select interface  # the interface address pool assigns IPs to the APs
[AC1-Vlanif101]qu

# Configure the global DHCP address pool (VLAN100 clients)
[AC1]ip pool vlan100
[AC1-ip-pool-vlan100]gateway-list 192.168.100.254  # gateway points to the Core-SW1 VLAN100 interface
[AC1-ip-pool-vlan100]network 192.168.100.0  # address pool network
[AC1-ip-pool-vlan100]dns-list 192.168.200.4  # DNS server address
[AC1-ip-pool-vlan100]excluded-ip-address 192.168.100.1  # exclude the AC's own IP from allocation
[AC1-ip-pool-vlan100]qu

# Configure the WLAN parameters and manage the AP
[AC1]wlan
[AC1-wlan-view]ap-group name ap-huawei  # create AP group ap-huawei
[AC1-wlan-ap-group-ap-huawei]qu

# Configure the regulatory-domain-profile (regulatory domain and channel settings)
[AC1-wlan-view]regulatory-domain-profile name huawei-domain
[AC1-wlan-regulate-domain-huawei-domain]country-code CN  # country code: China
[AC1-wlan-regulate-domain-huawei-domain]QU  # abbreviated command, equivalent to quit

# Bind the regulatory domain profile to the AP group
[AC1-wlan-view]ap-group name ap-huawei
[AC1-wlan-ap-group-ap-huawei]regulatory-domain-profile huawei-domain
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y  # confirm the change; the AP is reset
[AC1-wlan-ap-group-ap-huawei]qu

# Configure the CAPWAP tunnel source interface (VLAN101)
[AC1-wlan-view]qu
[AC1]capwap source interface Vlanif 101  # source interface of the CAPWAP tunnel

# Set the AP authentication mode to MAC authentication and add the AP
[AC1]wlan
[AC1-wlan-view]ap auth-mode mac-auth  # APs are authenticated by MAC address
[AC1-wlan-view]ap-id 0 ap-mac 00E0-FC5E-3540  # add the AP with ID 0 and MAC 00E0-FC5E-3540
[AC1-wlan-ap-0]ap-name area-1  # name the AP area-1
[AC1-wlan-ap-0]ap-group ap-huawei  # add the AP to group ap-huawei
Warning: This operation may cause AP reset. If the country code changes, it will
 clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y  # confirm; the AP restarts for the change to take effect
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC1-wlan-ap-0]qu

# Configure the core-switch-facing interface as a trunk allowing all VLANs
[AC1-wlan-view]qu
[AC1]int g0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[AC1-GigabitEthernet0/0/1]q

# Configure the WLAN security, SSID and VAP parameters
[AC1]wlan
[AC1-wlan-view]security-profile name sec  # create security profile sec
[AC1-wlan-sec-prof-sec]security wpa2 psk pass-phrase huawei@123 aes  # WPA2 encryption, passphrase huawei@123
[AC1-wlan-sec-prof-sec]qu

[AC1-wlan-view]ssid-profile name ssid-1  # create SSID profile ssid-1
[AC1-wlan-ssid-prof-ssid-1]ssid huawei  # SSID name is huawei
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-ssid-prof-ssid-1]qu

[AC1-wlan-view]vap-profile name vap-1  # create VAP profile vap-1
[AC1-wlan-vap-prof-vap-1]forward-mode tunnel  # tunnel forwarding mode (centralized forwarding through the AC)
[AC1-wlan-vap-prof-vap-1]service-vlan vlan-id 100  # service VLAN is 100
[AC1-wlan-vap-prof-vap-1]security-profile sec  # bind the security profile
[AC1-wlan-vap-prof-vap-1]ssid-profile ssid-1  # bind the SSID profile

# Bind the VAP profile to the AP group and enable it on radio 0
[AC1-wlan-view]ap-group name ap-huawei
[AC1-wlan-ap-group-ap-huawei]vap-profile vap-1 wlan 1 radio 0  # enable this VAP on radio 0

5. Core router Core-R1 configuration



<Huawei>sys
[Huawei]undo info-center enable  # disable the information center
[Huawei]sysname Core-R1  # rename to Core-R1

# Configure the IPs of the interfaces facing the core switches and the firewall
[Core-R1]int g2/0/0
[Core-R1-GigabitEthernet2/0/0]ip address 192.168.5.1 24  # link to Core-SW1 VLAN5
[Core-R1-GigabitEthernet2/0/0]int g2/0/1
[Core-R1-GigabitEthernet2/0/1]ip address 192.168.6.1 24  # link to Core-SW2 VLAN6
[Core-R1-GigabitEthernet2/0/1]int g0/0/1
[Core-R1-GigabitEthernet0/0/1]ip address 192.168.4.1 24  # link to Core-R2
[Core-R1-GigabitEthernet0/0/1]int g0/0/0
[Core-R1-GigabitEthernet0/0/0]ip address 192.168.2.2 24  # link to FW1 G1/0/0

# Configure OSPF and advertise the directly connected networks
[Core-R1]ospf 30  # start OSPF process 30
[Core-R1-ospf-30]area 0  # enter backbone area 0
[Core-R1-ospf-30-area-0.0.0.0]network 192.168.5.0 0.0.0.255  # advertise the 192.168.5.0 subnet
[Core-R1-ospf-30-area-0.0.0.0]network 192.168.6.0 0.0.0.25  # the mask in the original command is incomplete (0.0.0.255 is the wildcard for this /24); kept as in the original
[Core-R1-ospf-30-area-0.0.0.0]network 192.168.4.0 0.0.0.255  # advertise the 192.168.4.0 subnet
[Core-R1-ospf-30-area-0.0.0.0]network 192.168.2.0 0.0.0.255  # advertise the 192.168.2.0 subnet

6. Core router Core-R2 configuration



<Huawei>sys
[Huawei]undo info-center enable  # disable the information center
[Huawei]sysname Core-R2  # rename to Core-R2

# Configure the IPs of the interfaces facing the core switches and the firewall
[Core-R2]int g2/0/0
[Core-R2-GigabitEthernet2/0/0]ip address 192.168.8.1 24  # link to Core-SW2 VLAN8
[Core-R2-GigabitEthernet2/0/0]int g2/0/1
[Core-R2-GigabitEthernet2/0/1]ip address 192.168.7.1 24  # link to Core-SW1 VLAN7
[Core-R2-GigabitEthernet2/0/1]int g0/0/0
[Core-R2-GigabitEthernet0/0/0]ip address 192.168.4.2 24  # link to Core-R1
[Core-R2-GigabitEthernet0/0/0]int g0/0/1
[Core-R2-GigabitEthernet0/0/1]ip address 192.168.3.2 24  # link to FW1 G1/0/1

# Configure OSPF and advertise the directly connected networks
[Core-R2]ospf 40  # start OSPF process 40
[Core-R2-ospf-40]area 0  # enter backbone area 0
[Core-R2-ospf-40-area-0.0.0.0]network 192.168.3.0 0.0.0.255  # advertise the 192.168.3.0 subnet
[Core-R2-ospf-40-area-0.0.0.0]network 192.168.4.0 0.0.0.255  # advertise the 192.168.4.0 subnet
[Core-R2-ospf-40-area-0.0.0.0]network 192.168.7.0 0.0.0.255  # advertise the 192.168.7.0 subnet
[Core-R2-ospf-40-area-0.0.0.0]network 192.168.8.0 0.0.0.255  # advertise the 192.168.8.0 subnet

7. Firewall FW1 configuration




# Change the password before logging in: username admin, original password Admin@123, new password Admin@1234
<USG6000V1>sys
[USG6000V1]undo info-center enable  # disable the information center
[USG6000V1]sysname FW1  # rename to FW1

# Configure the IP address of each interface
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip address 192.168.2.1 24  # link to Core-R1 G0/0/0
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip address 192.168.3.1 24  # link to Core-R2 G0/0/1
[FW1-GigabitEthernet1/0/1]int g1/0/3
[FW1-GigabitEthernet1/0/3]ip address 192.168.200.1 24  # DMZ interface
[FW1-GigabitEthernet1/0/3]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip address 200.10.10.1 30  # link to ISP-R (public interface)
[FW1-GigabitEthernet1/0/2]qu

# Configure the firewall zones and assign interfaces to them
[FW1]firewall zone trust  # enter the trust zone (internal network)
[FW1-zone-trust]add interface g1/0/0  # add G1/0/0 (link to R1)
[FW1-zone-trust]add interface g1/0/1  # add G1/0/1 (link to R2)
[FW1-zone-trust]qu

[FW1]firewall zone untrust  # enter the untrust zone (public network)
[FW1-zone-untrust]add interface g1/0/2  # add G1/0/2 (link to ISP)
[FW1-zone-untrust]qu

[FW1]firewall zone dmz  # enter the DMZ zone (server area)
[FW1-zone-dmz]add interface g1/0/3  # add G1/0/3 (DMZ)
[FW1-zone-dmz]qu

# Configure a security policy allowing the internal network to access the public network
[FW1]security-policy
[FW1-policy-security]rule name tr-untr  # rule name tr-untr
[FW1-policy-security-rule-tr-untr]source-zone trust  # source zone: trust (internal network)
[FW1-policy-security-rule-tr-untr]destination-zone untrust  # destination zone: untrust (public network)
[FW1-policy-security-rule-tr-untr]action permit  # permit access
[FW1-policy-security-rule-tr-untr]qu

# Configure a security policy allowing the internal network to access the DMZ
[FW1-policy-security]rule name tr-dmz
[FW1-policy-security-rule-tr-dmz]source-zone trust
[FW1-policy-security-rule-tr-dmz]destination-zone dmz
[FW1-policy-security-rule-tr-dmz]action permit
[FW1-policy-security-rule-tr-dmz]qu

# Configure NAT to translate internal addresses to public addresses
[FW1]nat-policy
[FW1-policy-nat]rule name trust-untrust  # NAT rule name
[FW1-policy-nat-rule-trust-untrust]source-zone trust  # source zone: trust
[FW1-policy-nat-rule-trust-untrust]destination-zone untrust  # destination zone: untrust
[FW1-policy-nat-rule-trust-untrust]action source-nat easy-ip  # translate using Easy IP
[FW1-policy-nat-rule-trust-untrust]qu
[FW1-policy-nat]qu

# Configure a static route toward the public network (ISP)
[FW1]ip route-static 0.0.0.0 0.0.0.0 200.10.10.2  # default route pointing to the ISP-R interface IP
[FW1]qu

8. ISP router (ISP-R) configuration



<Huawei>sys
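[Huawei]undo info-center enable  # disable the information center
[Huawei]sysname ISP-R  # rename to ISP-R

# Configure the IP of the interface facing the firewall
[ISP-R]int g0/0/0
[ISP-R-GigabitEthernet0/0/0]ip address 200.10.10.2 30  # link to FW1 G1/0/2
[ISP-R-GigabitEthernet0/0/0]undo shutdown  # enable the interface
[ISP-R-GigabitEthernet0/0/0]qu

# Configure a static route toward the internal network (the firewall) so the public and internal networks can reach each other
[ISP-R]ip route-static 192.168.0.0 255.255.0.0 200.10.10.1  # route for the internal subnets pointing to FW1's public interface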
[ISP-R]qu

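III. Verification points (ENSP)

After the configuration is complete, verify network connectivity and functionality with the following steps to make sure the lab works:

  • Device interconnect: on each device, use the ping command to test the interface IP of directly connected devices, for example Core-SW1 pinging Core-R1 (192.168.5.1) and FW1 pinging ISP-R (200.10.10.2), to confirm the direct links are up.
  • Route reachability: from an internal endpoint (for example one in VLAN10), ping a public address (for example 200.10.10.2) to test that OSPF routing and NAT are working and that the internal network can reach the public network.
  • Wireless: start the AP in ENSP, have a client find the SSID "huawei" and connect with the password "huawei@123", then ping the core switch's VLAN100 interface (192.168.100.254) to verify wireless access and data forwarding.
  • Redundancy: disconnect the link between Core-SW1 and Core-R1 (G0/0/1) and check the VRRP state change to confirm that the backup device takes over and the network is not interrupted.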

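IV. Lab summary

This lab used the ENSP simulator to build a complete enterprise network architecture covering core switching, access switching, wireless control, routing and security. It follows the original configuration commands strictly, and the added comments state the purpose of each configuration step.

The network core uses link aggregation between the two switches and VRRP redundancy, which improves reliability; the routing layer uses OSPF for network-wide reachability; the firewall combines security policies with NAT to protect the internal network and provide public network access; and the AC and APs together provide wireless coverage for the enterprise's varied access needs.

During the lab, pay attention to the consistency of interface types (access/trunk), VLAN assignment, route advertisement and firewall zone configuration, so that configuration conflicts do not break connectivity. For further optimization, features such as ACL access control and QoS rate limiting can be added to broaden the scenarios the network covers.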
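
A consistency check of the kind the paragraph above calls for, as an added example (not part of the original article): it audits command lines copied from the device sections for malformed OSPF wildcard masks, MST instances without exactly one primary root, and VRRP masters that are not the primary root of their VLAN's instance. The last check goes beyond the text and assumes, as on this page, that each VRRP vrid equals its VLAN ID; `parse` and `audit` are names made up for this example.

```python
import ipaddress
import re
from collections import defaultdict

DEVICES = ("Core-SW1", "Core-SW2", "Core-R1", "Core-R2")  # hostnames used on this page

# Command lines copied from the Core-SW1, Core-SW2 and Core-R1 sections (comments dropped).
CONFIG = """\
[Core-SW1-mst-region]instance 1 vlan 10 20 30 100
[Core-SW1-mst-region]instance 2 vlan 40 50 60
[Core-SW1]stp instance 1 root primary
[Core-SW1]stp instance 2 root secondary
[Core-SW2]stp instance 1 root primary
[Core-SW2]stp instance 2 root secondary
[Core-SW1-Vlanif10]vrrp vrid 10 priority 120
[Core-SW1-Vlanif20]vrrp vrid 20 priority 120
[Core-SW1-Vlanif30]vrrp vrid 30 priority 120
[Core-SW2-Vlanif40]vrrp vrid 40 priority 120
[Core-SW2-Vlanif50]vrrp vrid 50 priority 120
[Core-SW2-Vlanif60]vrrp vrid 60 priority 120
[Core-R1-ospf-30-area-0.0.0.0]network 192.168.5.0 0.0.0.255
[Core-R1-ospf-30-area-0.0.0.0]network 192.168.6.0 0.0.0.25
"""


def parse(text):
    """Yield (device, command) from '[prompt]command  # comment' lines."""
    for line in text.splitlines():
        m = re.match(r"\[([^\]]+)\]\s*(.+)", line)
        if not m:
            continue
        dev = next((d for d in DEVICES if m.group(1).startswith(d)), None)
        if dev:
            yield dev, " ".join(m.group(2).split("#")[0].split())


def audit(text):
    """Return a list of human-readable findings for the given command lines."""
    findings = []
    inst_vlans = {}                  # MST instance -> set of VLAN ids
    primary = defaultdict(set)       # MST instance -> devices configured as primary root
    vrrp_master = {}                 # vrid (assumed equal to the VLAN id) -> device
    for dev, cmd in parse(text):
        if m := re.fullmatch(r"instance (\d+) vlan ([\d ]+)", cmd):
            inst_vlans[int(m[1])] = {int(v) for v in m[2].split()}
        elif m := re.fullmatch(r"stp instance (\d+) root primary", cmd):
            primary[int(m[1])].add(dev)
        elif m := re.fullmatch(r"vrrp vrid (\d+) priority (\d+)", cmd):
            if int(m[2]) > 100:      # above the default priority of 100
                vrrp_master[int(m[1])] = dev
        elif m := re.fullmatch(r"network (\S+) (\S+)", cmd):
            w = int(ipaddress.IPv4Address(m[2]))
            if w & (w + 1):          # a wildcard must be one run of low-order 1 bits
                findings.append(f"{dev}: OSPF wildcard {m[2]} for {m[1]} is not contiguous")
    for inst, vlans in sorted(inst_vlans.items()):
        roots = primary[inst]
        if len(roots) != 1:
            findings.append(f"MST instance {inst}: {len(roots)} primary roots {sorted(roots)}")
        masters = {vrrp_master[v] for v in vlans if v in vrrp_master}
        if masters - roots:
            findings.append(f"MST instance {inst}: VRRP master {sorted(masters - roots)} "
                            "is not the primary root")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

The two conditions it reports on this page's configuration are the ones the inline comments already mark as kept from the original commands: the truncated mask on Core-R1 and the identical `stp instance ... root` lines on both core switches.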
