2023 National Vocational College Skills Competition
GZ073 Network System Administration Event
Question Set 3
Module A: Network Construction
Contents
Task List
(I) Basic Configuration
(II) Wired Network Configuration
(III) Wireless Network Configuration
(IV) Egress Network Configuration
(V) Network Operations and Maintenance Configuration
(VI) SDN Network Configuration
Appendix 1: Topology Diagram
Appendix 2: Address Plan Table
Task List
(I) Basic Configuration
1. Configure the device interface information according to Appendix 1 and Appendix 2.
2. Enable the SSH service on all switches and wireless controllers, with username admin and password admin1234; the password is stored as plaintext type, and the privilege (super) password is admin.
ssh server enable
public-key local create rsa
public-key local create dsa
super password simple admin
local-user admin
password simple admin1234
authorization-attribute user-role network-admin
service-type ssh
user-interface vty 0 4
authentication-mode scheme
protocol inbound ssh
3. Configure SNMP on the switches: send Trap messages to host 172.16.0.254 using version v2c, with read-write community "Test" and read-only community "public"; enable Trap messages.
snmp-agent
snmp-agent community write Test
snmp-agent community read public
snmp-agent trap enable
snmp-agent target-host trap address udp-domain 172.16.0.254 params securityname public v2c
snmp-agent sys-info version v2c
(II) Wired Network Configuration
1. Perform VLAN pruning on all Trunk links across the network.
vlan 10 20 30 40 50
interface GigabitEthernet1/0/x
port link-type trunk
port trunk permit vlan 10 20 30 40 50
undo port trunk permit vlan 1
2. To prevent loops on edge access devices from affecting the whole network, configure loop protection on the branch-campus access switches S6 and S7 as follows: enable BPDU protection on the interfaces; enable loopback detection on the interfaces, shutting the port down when a loop is detected; configure all ports connected to terminals as edge ports; if a port is disabled by BPDU protection, it recovers automatically after 300 seconds and re-checks for loops.
shutdown-interval 300
interface GigabitEthernet1/0/1
loopback-detection enable vlan 10
loopback-detection action shutdown
stp edged-port enable
stp port bpdu-protection enable
3. To secure the DHCP service in the access area and guard against spoofed IP source address attacks, the requirements are as follows: the DHCP server is deployed on S3 and assigns addresses to users within VLAN 10;
s3:
dhcp enable
dhcp server ip-pool 10
gateway-list 192.1.10.254
network 192.1.10.0 mask 255.255.255.0
forbidden-ip 192.1.10.252
forbidden-ip 192.1.10.253
4. Configure MSTP on headquarters switches S3 and S4 to prevent Layer-2 loops: VLAN 10, VLAN 20 and VLAN 30 traffic is forwarded through S3, VLAN 40, VLAN 50 and VLAN 100 traffic through S4, and if either S3 or S4 fails, forwarding switches seamlessly to the other. Required parameters: region-name test; revision 1; instance 1 contains VLAN 10, 20 and 30; instance 2 contains VLAN 40, 50 and 100; S3 is the primary root for instances 0 and 1 and S4 the secondary root; S4 is the primary root for instance 2 and S3 the secondary root; primary root priority 4096, secondary root priority 8192. Configure VRRP on S3 and S4 for host gateway redundancy with the parameters in Table 1; in each VRRP group on S3 and S4 the high priority is 150 and the low priority is 120.
Table 1 VRRP parameters for S3 and S4
s3:
stp region-configuration
region-name test
revision-level 1
instance 1 vlan 10 20 30
instance 2 vlan 40 50 100
active region-configuration
#
stp instance 0 to 1 priority 4096
stp instance 2 priority 8192
stp global enable
#
interface Vlan-interface10
description Office10
ip address 192.1.10.252 255.255.255.0
vrrp vrid 10 virtual-ip 192.1.10.254
vrrp vrid 10 priority 150
#
interface Vlan-interface20
description Office20
ip address 192.1.20.252 255.255.255.0
vrrp vrid 20 virtual-ip 192.1.20.254
vrrp vrid 20 priority 150
#
interface Vlan-interface30
description Office30
ip address 192.1.30.252 255.255.255.0
vrrp vrid 30 virtual-ip 192.1.30.254
vrrp vrid 30 priority 150
#
interface Vlan-interface40
description Office40
ip address 192.1.40.252 255.255.255.0
vrrp vrid 40 virtual-ip 192.1.40.254
vrrp vrid 40 priority 120
#
interface Vlan-interface50
description AP
ip address 192.1.50.252 255.255.255.0
vrrp vrid 50 virtual-ip 192.1.50.254
vrrp vrid 50 priority 120
#
interface Vlan-interface60
#
interface Vlan-interface100
description Manage
ip address 192.1.100.252 255.255.255.0
vrrp vrid 100 virtual-ip 192.1.100.254
vrrp vrid 100 priority 120
s4:
stp region-configuration
region-name test
revision-level 1
instance 1 vlan 10 20 30
instance 2 vlan 40 50 100
active region-configuration
#
stp instance 0 to 1 priority 8192
stp instance 2 priority 4096
stp global enable
#
interface Vlan-interface10
description Office10
ip address 192.1.10.253 255.255.255.0
vrrp vrid 10 virtual-ip 192.1.10.254
vrrp vrid 10 priority 120
#
interface Vlan-interface20
description Office20
ip address 192.1.20.253 255.255.255.0
vrrp vrid 20 virtual-ip 192.1.20.254
vrrp vrid 20 priority 120
#
interface Vlan-interface30
description Office30
ip address 192.1.30.253 255.255.255.0
vrrp vrid 30 virtual-ip 192.1.30.254
vrrp vrid 30 priority 120
#
interface Vlan-interface40
description Office40
ip address 192.1.40.253 255.255.255.0
vrrp vrid 40 virtual-ip 192.1.40.254
vrrp vrid 40 priority 150
#
interface Vlan-interface50
description AP
ip address 192.1.50.253 255.255.255.0
vrrp vrid 50 virtual-ip 192.1.50.254
vrrp vrid 50 priority 150
#
interface Vlan-interface60
#
interface Vlan-interface100
description Manage
ip address 192.1.100.253 255.255.255.0
vrrp vrid 100 virtual-ip 192.1.100.254
vrrp vrid 100 priority 150
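Added check (not part of the original solution): the Python script below parses the S3 and S4 snippets above and verifies, VLAN by VLAN, that the switch holding the lowest MSTP priority for the VLAN's instance is also the one with the higher VRRP priority. That alignment is the point of the priority plan in task 4: if the STP root and the VRRP master differ for a VLAN, every frame from that VLAN's hosts to the gateway crosses the S3-S4 link before it is routed. The configuration strings are constructed from the snippets above, trimmed to the lines the parser reads, and a deliberately broken variant shows what a finding looks like.

```python
import re

# Constructed inputs: the S3 and S4 snippets from task 4, trimmed to the
# statements this checker reads (MSTP instance mapping and priorities, VRRP).
S3_CFG = """\
instance 1 vlan 10 20 30
instance 2 vlan 40 50 100
stp instance 0 to 1 priority 4096
stp instance 2 priority 8192
interface Vlan-interface10
 vrrp vrid 10 priority 150
interface Vlan-interface20
 vrrp vrid 20 priority 150
interface Vlan-interface30
 vrrp vrid 30 priority 150
interface Vlan-interface40
 vrrp vrid 40 priority 120
interface Vlan-interface50
 vrrp vrid 50 priority 120
interface Vlan-interface100
 vrrp vrid 100 priority 120
"""

S4_CFG = """\
instance 1 vlan 10 20 30
instance 2 vlan 40 50 100
stp instance 0 to 1 priority 8192
stp instance 2 priority 4096
interface Vlan-interface10
 vrrp vrid 10 priority 120
interface Vlan-interface20
 vrrp vrid 20 priority 120
interface Vlan-interface30
 vrrp vrid 30 priority 120
interface Vlan-interface40
 vrrp vrid 40 priority 150
interface Vlan-interface50
 vrrp vrid 50 priority 150
interface Vlan-interface100
 vrrp vrid 100 priority 150
"""


def parse_device(cfg):
    """Extract VLAN->MSTP instance, instance->STP priority and VLAN->VRRP priority."""
    vlan_to_inst, inst_prio, vrrp_prio = {}, {}, {}
    current_vlan = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"instance (\d+) vlan ([\d ]+)$", line):
            for v in m.group(2).split():
                vlan_to_inst[int(v)] = int(m.group(1))
        elif m := re.match(r"stp instance (\d+)(?: to (\d+))? priority (\d+)$", line):
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            for inst in range(lo, hi + 1):
                inst_prio[inst] = int(m.group(3))
        elif m := re.match(r"interface Vlan-interface(\d+)$", line):
            current_vlan = int(m.group(1))
        elif (m := re.match(r"vrrp vrid \d+ priority (\d+)$", line)) and current_vlan is not None:
            vrrp_prio[current_vlan] = int(m.group(1))
    return vlan_to_inst, inst_prio, vrrp_prio


def check_alignment(cfg_a, cfg_b, name_a="S3", name_b="S4"):
    """Return one finding per VLAN whose MSTP root bridge is not its VRRP master.

    Defaults used when a value is absent: an unmapped VLAN belongs to the CIST
    (instance 0), the STP bridge priority is 32768 and the VRRP priority is 100.
    """
    map_a, stp_a, vrrp_a = parse_device(cfg_a)
    map_b, stp_b, vrrp_b = parse_device(cfg_b)
    findings = []
    for vlan in sorted(set(vrrp_a) | set(vrrp_b)):
        inst = map_a.get(vlan, map_b.get(vlan, 0))
        root = name_a if stp_a.get(inst, 32768) < stp_b.get(inst, 32768) else name_b
        master = name_a if vrrp_a.get(vlan, 100) > vrrp_b.get(vlan, 100) else name_b
        if root != master:
            findings.append(f"VLAN {vlan}: MSTP root for instance {inst} is {root}, "
                            f"but VRRP master is {master}")
    return findings


if __name__ == "__main__":
    print("page config:", check_alignment(S3_CFG, S4_CFG) or "aligned")
    # Constructed fault: raise S3's VRRP priority on VLAN 40, whose instance 2 is rooted on S4.
    broken = S3_CFG.replace("vrrp vrid 40 priority 120", "vrrp vrid 40 priority 200")
    print("broken config:", check_alignment(broken, S4_CFG))
```

The checker deliberately reads only the region mapping and the priorities; it does not verify that both switches carry an identical region configuration (name, revision, mapping), which MSTP also requires for the two to share instances.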
5. The headquarters intranet uses static routing and OSPF together. S3, S4, S5, EG1, EG2 and R1 run OSPF; the remaining Layer-3 devices at headquarters use static routes between them. The WAN between headquarters and the branch campuses uses static routing (except on R1), and each branch-campus LAN uses static routing. The network must be secure and stable. Requirements: the headquarters OSPF process ID is 10, planned as multiple areas: Area 0 (S3, S4), Area 1 (S3, S4, S5), Area 2 (S3, S4, EG1, EG2), Area 3 (S4, R1); Area 1 is a totally NSSA area; the APs use static routing; headquarters and the branch campuses learn each other's routes through redistribution; no protocol packets may appear on the headquarters business subnets; redistributing directly connected routes is not allowed, and local subnets are advertised individually with the network command; for ease of management, the Loopback addresses are advertised; optimise the OSPF configuration to speed up convergence as much as possible; routes redistributed into OSPF use type 1.
6. IPv4 static routes are not allowed on R1.
s3:
ospf 10 router-id 11.1.0.33
import-route static type 1
silent-interface Vlan-interface10
silent-interface Vlan-interface20
silent-interface Vlan-interface30
silent-interface Vlan-interface40
silent-interface Vlan-interface50
area 0.0.0.0
network 11.1.0.33 0.0.0.0
network 192.1.10.0 0.0.0.255
network 192.1.20.0 0.0.0.255
network 192.1.30.0 0.0.0.255
network 192.1.40.0 0.0.0.255
network 192.1.50.0 0.0.0.255
network 192.1.100.0 0.0.0.255
area 0.0.0.1
network 10.1.0.0 0.0.0.3
nssa no-summary
area 0.0.0.2
network 10.1.0.4 0.0.0.3
network 10.1.0.40 0.0.0.3
ip route-static 11.1.0.204 32 192.1.100.2
ip route-static 11.1.0.205 32 192.1.100.3
ip route-static 192.1.60.0 24 192.1.100.2
ip route-static 192.1.60.0 24 192.1.100.3
ip route-static 194.1.0.0 16 10.1.0.14
ip route-static 195.1.0.0 16 10.1.0.14
s4:
ospf 10 router-id 11.1.0.34
import-route static type 1
silent-interface Vlan-interface10
silent-interface Vlan-interface20
silent-interface Vlan-interface30
silent-interface Vlan-interface40
silent-interface Vlan-interface50
area 0.0.0.0
network 11.1.0.34 0.0.0.0
network 192.1.10.0 0.0.0.255
network 192.1.20.0 0.0.0.255
network 192.1.30.0 0.0.0.255
network 192.1.40.0 0.0.0.255
network 192.1.50.0 0.0.0.255
network 192.1.100.0 0.0.0.255
area 0.0.0.1
network 10.1.0.32 0.0.0.3
nssa no-summary
area 0.0.0.2
network 10.1.0.8 0.0.0.3
network 10.1.0.36 0.0.0.3
area 0.0.0.3
network 10.1.0.12 0.0.0.3
ip route-static 11.1.0.204 32 192.1.100.2
ip route-static 11.1.0.205 32 192.1.100.3
ip route-static 192.1.60.0 24 192.1.100.2
ip route-static 192.1.60.0 24 192.1.100.3
ip route-static 194.1.0.0 16 10.1.0.14
ip route-static 195.1.0.0 16 10.1.0.14
s5:
ospf 10 router-id 11.1.0.5
area 0.0.0.1
network 10.1.0.0 0.0.0.3
network 10.1.0.32 0.0.0.3
network 11.1.0.5 0.0.0.0
nssa no-summary
EG1:
ospf 10 router-id 11.1.0.11
default-route-advertise always type 1
area 0.0.0.2
network 10.1.0.4 0.0.0.3
network 10.1.0.36 0.0.0.3
network 11.1.0.11 0.0.0.0
ip route-static 0.0.0.0 0 196.1.0.3
ip route-static 0.0.0.0 0 197.1.0.3
EG2:
ospf 10 router-id 11.1.0.12
default-route-advertise always type 1
area 0.0.0.2
network 10.1.0.8 0.0.0.3
network 10.1.0.40 0.0.0.3
network 11.1.0.12 0.0.0.0
ip route-static 0.0.0.0 0 196.1.0.3
ip route-static 0.0.0.0 0 197.1.0.3
R1:
ospf 10 router-id 11.1.0.1
area 0.0.0.3
network 10.1.0.12 0.0.0.3
network 11.1.0.1 0.0.0.0
Set the OSPF network type on each interface to point-to-point (speeds up convergence):
ospf network-type p2p
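Added check (not part of the original solution): the script below reads the area and network statements from the task 5 snippets (constructed input, trimmed to the loopbacks and the /30 transit links) and reports what a reviewer would want before the adjacencies are brought up: transit subnets whose two ends are placed in different areas (the adjacency never forms), transit subnets that only one device advertises, and ABRs with no backbone attachment. Comware network statements take a wildcard mask, so a helper inverts it before handing the prefix to Python's ipaddress module.

```python
import ipaddress
from collections import defaultdict

# Constructed input: the "area"/"network" statements from the task 5 OSPF
# snippets, per device, trimmed to the loopbacks and the /30 transit links.
OSPF_CFG = """\
s3:
area 0.0.0.0
network 11.1.0.33 0.0.0.0
area 0.0.0.1
network 10.1.0.0 0.0.0.3
area 0.0.0.2
network 10.1.0.4 0.0.0.3
network 10.1.0.40 0.0.0.3
s4:
area 0.0.0.0
network 11.1.0.34 0.0.0.0
area 0.0.0.1
network 10.1.0.32 0.0.0.3
area 0.0.0.2
network 10.1.0.8 0.0.0.3
network 10.1.0.36 0.0.0.3
area 0.0.0.3
network 10.1.0.12 0.0.0.3
s5:
area 0.0.0.1
network 10.1.0.0 0.0.0.3
network 10.1.0.32 0.0.0.3
network 11.1.0.5 0.0.0.0
EG1:
area 0.0.0.2
network 10.1.0.4 0.0.0.3
network 10.1.0.36 0.0.0.3
network 11.1.0.11 0.0.0.0
EG2:
area 0.0.0.2
network 10.1.0.8 0.0.0.3
network 10.1.0.40 0.0.0.3
network 11.1.0.12 0.0.0.0
R1:
area 0.0.0.3
network 10.1.0.12 0.0.0.3
network 11.1.0.1 0.0.0.0
"""


def wildcard_to_network(addr, wildcard):
    """Comware 'network' takes a wildcard (host) mask; invert it to a netmask.

    ipaddress would read the all-zero wildcard 0.0.0.0 as a /0 netmask, so the
    inversion is done explicitly instead of relying on hostmask detection.
    """
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ospf(cfg):
    """Map each device to a list of (area, IPv4Network) from its network statements."""
    devices, device, area = defaultdict(list), None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            device, area = line[:-1], None
        elif line.startswith("area "):
            area = line.split()[1]
        elif line.startswith("network ") and device and area:
            addr, wildcard = line.split()[1:3]
            devices[device].append((area, wildcard_to_network(addr, wildcard)))
    return dict(devices)


def link_area_findings(devices):
    """Flag shared subnets whose ends disagree on the area, and transit links with no peer."""
    ends = defaultdict(set)  # subnet -> {(device, area)}
    for device, entries in devices.items():
        for area, net in entries:
            ends[net].add((device, area))
    findings = []
    for net, members in sorted(ends.items(), key=lambda kv: str(kv[0])):
        if net.prefixlen == 32:
            continue  # loopbacks are single-ended by design
        areas = {area for _, area in members}
        if len(areas) > 1:
            findings.append(f"{net}: area mismatch {sorted(members)}")
        elif len(members) == 1:
            findings.append(f"{net}: only {next(iter(members))[0]} advertises this transit link")
    return findings


def abrs_without_backbone(devices):
    """ABRs (devices in more than one area) that have no area 0 attachment."""
    return sorted(d for d, entries in devices.items()
                  if len({a for a, _ in entries}) > 1
                  and "0.0.0.0" not in {a for a, _ in entries})


if __name__ == "__main__":
    devs = parse_ospf(OSPF_CFG)
    print("link findings:", link_area_findings(devs) or "none")
    print("ABRs without area 0:", abrs_without_backbone(devs) or "none")
```

On the page's configuration both lists come back empty; moving R1's link into area 2, or dropping the 10.1.0.40/30 statement from EG2, produces one finding each.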
7. The headquarters router R1 and the Guangzhou campus router R3 are connected by two links for reliability; bundle the ports with Layer-3 link aggregation. VLAN 100 serves as the Layer-3 interconnection VLAN.
R1:
interface Route-Aggregation1
ip address 10.1.0.22 255.255.255.252
interface GigabitEthernet0/0/7
port link-aggregation group 1
interface GigabitEthernet0/0/8
port link-aggregation group 1
R3:
interface Route-Aggregation1
ip address 10.1.0.21 255.255.255.252
interface GigabitEthernet0/0/7
port link-aggregation group 1
interface GigabitEthernet0/0/8
port link-aggregation group 1
8. Because the WAN lines offer poor security, use IPsec to encrypt business data between each branch campus and headquarters. Use dynamic tunnels in main mode, with ESP as the security protocol, 3DES encryption, MD5 authentication, and IPsec SAs established through IKE.
9. Parameters required on R1: IPsec transform set named myset; dynamic IPsec crypto map named dymymap; plaintext pre-shared key 123456; static IPsec crypto map mymap.
10. Parameters required on R2 and R3: ACL number 101; static IPsec crypto map mymap; plaintext pre-shared key 123456.
R1:
ipsec transform-set myset
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec transform-set myset2
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy-template dymymap 1
transform-set myset
local-address 20.0.0.1
ike-profile myset
reverse-route dynamic
reverse-route preference 100
#
ipsec policy-template dymymap2 1
transform-set myset2
local-address 10.1.0.22
ike-profile myset2
reverse-route dynamic
reverse-route preference 100
#
ipsec policy dymymap 1 isakmp template dymymap
#
ipsec policy dymymap2 1 isakmp template dymymap2
#
ike profile myset
keychain 1
local-identity address 20.0.0.1
match remote identity address 0.0.0.0 0.0.0.0
match local address GigabitEthernet0/0/1
proposal 1
#
ike profile myset2
keychain 2
local-identity address 10.1.0.22
match remote identity address 0.0.0.0 0.0.0.0
match local address Route-Aggregation1
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain 1
match local address GigabitEthernet0/0/1
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
ike keychain 2
match local address Route-Aggregation1
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
interface GigabitEthernet0/0/1
ipsec apply policy dymymap
#
interface Route-Aggregation1
ipsec apply policy dymymap2
R2:
acl advanced 3000
rule 5 permit ip source 194.1.0.0 0.0.255.255 destination 192.1.0.0 0.0.255.255
rule 10 permit ip source 192.1.0.0 0.0.255.255 destination 194.1.0.0 0.0.255.255
rule 11 permit ip source 11.1.0.204 0 destination 194.1.0.0 0.0.255.255
rule 15 permit ip source 194.1.0.0 0.0.255.255 destination 11.1.0.204 0
rule 16 permit ip source 11.1.0.205 0 destination 194.1.0.0 0.0.255.255
rule 20 permit ip source 194.1.0.0 0.0.255.255 destination 11.1.0.205 0
rule 25 permit ip source 194.1.0.0 0.0.255.255 destination 196.1.0.0 0.0.0.255
rule 30 permit ip source 194.1.0.0 0.0.255.255 destination 197.1.0.0 0.0.0.255
rule 35 permit ip source 196.1.0.0 0.0.0.255 destination 194.1.0.0 0.0.255.255
rule 40 permit ip source 197.1.0.0 0.0.0.255 destination 194.1.0.0 0.0.255.255
ipsec transform-set myset
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy mymap 1 isakmp
transform-set myset
security acl 3000
local-address 20.0.0.2
remote-address 20.0.0.1
ike-profile 1
reverse-route dynamic
reverse-route preference 100
#
ike profile 1
keychain 1
match remote identity address 20.0.0.1 255.255.255.255
match local address GigabitEthernet0/0/1
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain 1
match local address GigabitEthernet0/0/1
pre-shared-key address 20.0.0.1 255.255.255.255 key simple 123456
#
interface GigabitEthernet0/0/1
ipsec apply policy mymap
R3:
acl advanced 3000
rule 5 permit ip source 195.1.0.0 0.0.255.255 destination 192.1.0.0 0.0.255.255
rule 10 permit ip source 192.1.0.0 0.0.255.255 destination 195.1.0.0 0.0.255.255
rule 15 permit ip source 195.1.0.0 0.0.255.255 destination 11.1.0.204 0
rule 20 permit ip source 195.1.0.0 0.0.255.255 destination 11.1.0.205 0
rule 25 permit ip source 11.1.0.204 0 destination 195.1.0.0 0.0.255.255
rule 30 permit ip source 11.1.0.205 0 destination 195.1.0.0 0.0.255.255
rule 35 permit ip source 195.1.0.0 0.0.255.255 destination 196.1.0.0 0.0.0.255
rule 40 permit ip source 195.1.0.0 0.0.255.255 destination 197.1.0.0 0.0.0.255
rule 45 permit ip source 196.1.0.0 0.0.0.255 destination 195.1.0.0 0.0.255.255
rule 50 permit ip source 197.1.0.0 0.0.0.255 destination 195.1.0.0 0.0.255.255
#
ipsec transform-set myset
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy mymap 1 isakmp
transform-set myset
security acl 3000
local-address 10.1.0.21
remote-address 10.1.0.22
ike-profile 1
reverse-route dynamic
reverse-route preference 100
#
ike profile 1
keychain 1
match remote identity address 10.1.0.22 255.255.255.255
match local address Route-Aggregation1
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain 1
match local address Route-Aggregation1
pre-shared-key address 10.1.0.22 255.255.255.255 key simple 123456
#
interface Route-Aggregation1
ipsec apply policy mymap
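Added audit (not part of the original solution): the competition text fixes the algorithms (3DES, MD5, main mode) and the key (123456), so the solution above is correct for the task, but in a real deployment the same lines would be flagged. The script below walks the R1 IKE/IPsec statements (constructed input, trimmed to the lines it reads) and reports weak encryption, integrity and DH choices, the wildcard remote identity and wildcard PSK on the hub, and a short or all-numeric plaintext key. The hardened counterpart beside it uses assumed values (AES-256, SHA-256, DH group 14, one named peer, a placeholder PSK) that are not from the competition text; the audit returns nothing for it. A hub that must accept several branches would keep one keychain entry per branch peer rather than a 0.0.0.0 wildcard.

```python
import re
from collections import Counter

# Constructed input: the R1 IKE/IPsec statements from tasks 8-10 above, trimmed
# to the lines this audit reads.
R1_CFG = """\
ipsec transform-set myset
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
ike profile myset
 keychain 1
 match remote identity address 0.0.0.0 0.0.0.0
 proposal 1
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
ike keychain 1
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
"""

# Constructed hardened counterpart (assumed values, not from the competition
# text): AES-256, SHA-256, DH group 14, one named peer and a placeholder PSK.
HARDENED_CFG = """\
ipsec transform-set myset
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
ike profile myset
 keychain 1
 match remote identity address 20.0.0.2 255.255.255.255
 proposal 1
ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group14
 authentication-algorithm sha256
ike keychain 1
 pre-shared-key address 20.0.0.2 255.255.255.255 key simple Rb7q-PLACEHOLDER-2kX9vT
"""

WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}
WEAK_INTEGRITY = {"md5", "sha1"}                 # sha1 flagged as legacy as well
WEAK_DH_GROUPS = {"group1", "group2", "group5"}  # 768/1024/1536-bit MODP
ANY_PEER = "0.0.0.0 0.0.0.0"


def audit_ipsec(cfg):
    """Return (category, line) findings for weak crypto and overly broad peer matching."""
    findings = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if (m := re.match(r"(?:esp )?encryption-algorithm (\S+)$", line)) and m.group(1) in WEAK_ENCRYPTION:
            findings.append(("weak-encryption", line))
        elif (m := re.match(r"(?:esp )?authentication-algorithm (\S+)$", line)) and m.group(1) in WEAK_INTEGRITY:
            findings.append(("weak-integrity", line))
        elif (m := re.match(r"dh (\S+)$", line)) and m.group(1) in WEAK_DH_GROUPS:
            findings.append(("weak-dh-group", line))
        elif line == f"match remote identity address {ANY_PEER}":
            findings.append(("any-peer-identity", line))
        elif m := re.match(r"pre-shared-key address (\S+ \S+) key (simple|cipher) (\S+)$", line):
            if m.group(1) == ANY_PEER:
                findings.append(("any-peer-psk", line))
            # 'cipher' carries device-encrypted text, so only plaintext keys are judged
            if m.group(2) == "simple" and (len(m.group(3)) < 16 or m.group(3).isdigit()):
                findings.append(("weak-psk", line))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'weak-encryption': 2, ...}."""
    return dict(Counter(category for category, _ in findings))


if __name__ == "__main__":
    for name, cfg in (("R1 as configured", R1_CFG), ("hardened", HARDENED_CFG)):
        print(name, summarize(audit_ipsec(cfg)) or "no findings")
```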
11. For traffic distribution and load balancing, the traffic paths between headquarters and the branch campuses must be as follows: achieve the split by modifying the OSPF interface cost, which must be 5 or 10; when OSPF imports routes, change the cost of the imported routes, which must be 5 or 10; the primary path between headquarters VLAN 10, VLAN 20 and VLAN 30 users and the Internet is S3-EG1; the primary path between headquarters VLAN 40 users and the Internet is S4-EG2; the primary path between branch-campus users and the Internet is S4-EG2; the primary path between the cloud platform servers and the Internet is S3-EG1; when the primary link fails, traffic switches seamlessly to the backup link.
S3:
acl advanced 3000
rule 0 permit ip source 192.1.100.0 0.0.0.255 destination 196.1.0.0 0.0.0.255
rule 5 permit ip source 192.1.100.0 0.0.0.255 destination 197.1.0.0 0.0.0.255
#
acl advanced 3001
rule 0 permit ip source 192.1.10.0 0.0.0.255 destination 196.1.0.0 0.0.0.255
rule 5 permit ip source 192.1.20.0 0.0.0.255 destination 196.1.0.0 0.0.0.255
rule 10 permit ip source 192.1.30.0 0.0.0.255 destination 196.1.0.0 0.0.0.255
rule 15 permit ip source 192.1.10.0 0.0.0.255 destination 197.1.0.0 0.0.0.255
rule 20 permit ip source 192.1.30.0 0.0.0.255 destination 197.1.0.0 0.0.0.255
rule 25 permit ip source 192.1.20.0 0.0.0.255 destination 197.1.0.0 0.0.0.255
#
policy-based-route fenliu permit node 1
if-match acl 3000
apply next-hop 10.1.0.6
#
policy-based-route fenliu permit node 5
#
policy-based-route fenliu2 permit node 10
if-match acl 3001
apply next-hop 10.1.0.6
#
policy-based-route fenliu2 permit node 11
#
interface Vlan-interface10
ip policy-based-route fenliu2
ospf cost 5
interface Vlan-interface20
ip policy-based-route fenliu2
ospf cost 5
interface Vlan-interface30
ip policy-based-route fenliu2
ospf cost 5
interface Vlan-interface40
ospf cost 10
#
interface GigabitEthernet1/0/5
ip policy-based-route fenliu
ospf cost 5
S4:
acl advanced 3000
rule 0 permit ip source 194.1.0.0 0.0.255.255 destination 196.1.0.0 0.0.0.255
rule 5 permit ip source 194.1.0.0 0.0.255.255 destination 197.1.0.0 0.0.0.255
rule 10 permit ip source 195.1.0.0 0.0.255.255 destination 197.1.0.0 0.0.0.255
rule 15 permit ip source 195.1.0.0 0.0.255.255 destination 196.1.0.0 0.0.0.255
#
acl advanced 3001
rule 0 permit ip source 192.1.40.0 0.0.0.255 destination 196.1.0.0 0.0.0.255
rule 5 permit ip source 192.1.40.0 0.0.0.255 destination 197.1.0.0 0.0.0.255
#
policy-based-route fenliu permit node 1
if-match acl 3000
apply next-hop 10.1.0.10
#
policy-based-route fenliu permit node 2
#
policy-based-route fenliu2 permit node 10
if-match acl 3001
apply next-hop 10.1.0.10
#
policy-based-route fenliu2 permit node 11
#
interface Vlan-interface10
ospf cost 10
interface Vlan-interface20
ospf cost 10
interface Vlan-interface30
ospf cost 10
interface Vlan-interface40
ospf cost 5
ip policy-based-route fenliu2
interface GigabitEthernet1/0/5
ospf cost 5
interface GigabitEthernet1/0/7
ip policy-based-route fenliu
S5:
interface GigabitEthernet1/0/23
ospf cost 5
interface GigabitEthernet1/0/24
ospf cost 10
(III) Wireless Network Configuration
The CII Group plans to invest 135,000 yuan (network equipment procurement portion); the project requires priority coverage of floors, corridors and offices. The floor plan is shown in Figure 1.
1. Draw the AP placement diagram (including AP model, number, channel and other information; plan the channels using the three 2.4 GHz channels 1, 6 and 11).
2. Using wireless site-survey software, output a 2.4 GHz signal simulation heat map for the AP placement diagram (simulated signal strength must be greater than -65 dB).
3. Based on the wireless product price list in Table 2, prepare the equipment budget for this wireless network project.
Table 2 Wireless product price list
4. Use the AC as the DHCP server for headquarters wireless users, and S3 and S4 as the DHCP servers for headquarters APs; S3 assigns AP addresses 1 to 100 of its subnet and S4 assigns 101 to 200.
AC1:
dhcp enable
dhcp server ip-pool 60
gateway-list 192.1.60.252
network 192.1.60.0 mask 255.255.255.0
AC2:
dhcp enable
dhcp server ip-pool 60
gateway-list 192.1.60.253
network 192.1.60.0 mask 255.255.255.0
S3:
dhcp enable
dhcp server ip-pool 50
gateway-list 192.1.50.254
network 192.1.50.0 mask 255.255.255.0
address range 192.1.50.1 192.1.50.100
option 138 ip-address 11.1.0.204 11.1.0.205
S4:
dhcp enable
dhcp server ip-pool 50
gateway-list 192.1.50.254
network 192.1.50.0 mask 255.255.255.0
address range 192.1.50.101 192.1.50.200
option 138 ip-address 11.1.0.204 11.1.0.205
5. Create the headquarters SSID (WLAN-ID 1) test-ZX_XX (XX provided on site) with AP group ZX; headquarters wireless users obtain addresses automatically after associating with the SSID; enable 802.1X authentication.
6. AC1 is the primary and AC2 the backup. APs establish tunnels to both AC1 and AC2, and when an AP loses its connection to AC1 it switches seamlessly to AC2, which continues to provide service.
7. Headquarters wireless users must use centralised forwarding.
8. Limit the maximum number of users associated with AP1 to 16.
9. Disable low-rate (1 Mbps, 6 Mbps) access at headquarters.
10. For security, users on the same AP sometimes need to be isolated from one another so that they cannot access each other; configure AP1 to isolate users on the same AP.
AC1:
wlan global-configuration
firmware-upgrade disable
#
wlan auto-ap enable
wlan auto-persistent enable
#
wlan ap-group fx
priority 7
wlan tunnel-preempt enable
backup-ac ip 11.1.0.205
vlan 1
ap test-FX_01
ap test-FX_02
ap-model WA6320-HCL
radio 1
radio enable
service-template 2
radio 2
radio enable
service-template 2
gigabitethernet 1
#
wlan ap-group zx
priority 7
wlan tunnel-preempt enable
backup-ac ip 11.1.0.205
vlan 1
ap test-ZX_01
ap-model WA6320-HCL
radio 1
rate mandatory 12 24
rate disabled 6
radio enable
client max-count 16
service-template 1
radio 2
rate mandatory 2 5.5 11
rate supported 9 12 18 24 36 48 54
rate disabled 1 6
radio enable
client max-count 16
service-template 1
gigabitethernet 1
#
wlan ap test-FX_01 model WA6320-HCL
serial-id H3C_8A-8C-C3-61-0F-00
vlan 1
radio 1
radio 2
gigabitethernet 1
#
wlan ap test-FX_02 model WA6320-HCL
serial-id H3C_8A-8D-2E-9E-11-00
vlan 1
radio 1
radio 2
gigabitethernet 1
#
wlan ap test-ZX_01 model WA6320-HCL
serial-id H3C_8A-8B-AF-BE-07-00
vlan 1
radio 1
radio 2
gigabitethernet 1
#
wlan service-template 1
ssid test-ZX_01
vlan 60
user-isolation enable
service-template enable
#
wlan service-template 2
ssid test-FX_01
vlan 20
client forwarding-location ap
service-template enable
#
ip route-static 0.0.0.0 0 192.1.100.252
#
AC2:
wlan global-configuration
firmware-upgrade disable
#
wlan auto-ap enable
wlan auto-persistent enable
#
wlan ap-group fx
wlan tunnel-preempt enable
backup-ac ip 11.1.0.204
vlan 1
ap test-FX_01
ap test-FX_02
ap-model WA6320-HCL
radio 1
radio enable
service-template 2
radio 2
radio enable
service-template 2
gigabitethernet 1
#
wlan ap-group zx
wlan tunnel-preempt enable
backup-ac ip 11.1.0.204
vlan 1
ap test-ZX_01
ap-model WA6320-HCL
radio 1
rate mandatory 12 24
rate disabled 6
radio enable
client max-count 16
service-template 1
radio 2
rate mandatory 2 5.5 11
rate supported 9 12 18 24 36 48 54
rate disabled 1 6
radio enable
client max-count 16
service-template 1
gigabitethernet 1
#
wlan ap test-FX_01 model WA6320-HCL
serial-id H3C_8A-8C-C3-61-0F-00
vlan 1
radio 1
radio 2
gigabitethernet 1
#
wlan ap test-FX_02 model WA6320-HCL
serial-id H3C_8A-8D-2E-9E-11-00
vlan 1
radio 1
radio 2
gigabitethernet 1
#
wlan ap test-ZX_01 model WA6320-HCL
serial-id H3C_8A-8B-AF-BE-07-00
vlan 1
radio 1
radio 2
gigabitethernet 1
#
wlan service-template 1
ssid test-ZX_01
vlan 60
user-isolation enable
service-template enable
#
wlan service-template 2
ssid test-FX_01
vlan 20
client forwarding-location ap
service-template enable
#
ip route-static 0.0.0.0 0 192.1.100.253
Because of simulator limitations, fat-AP deployment and authentication cannot be implemented, so for the branch campuses I changed it to local forwarding.
11. AP3 creates SSID (WLAN-ID 1) test-GZ_XX (XX provided on site), with whitelist checking enabled, permitting PC3's wireless NIC.
12. AP3 is deployed in routed mode, with a locally deployed DHCP server assigning addresses to wireless terminals.
13. AP2 creates SSID (WLAN-ID 1) test-BJ_XX (XX provided on site), using web authentication with username user1 and password XX (provided on site).
14. AP2 is deployed in transparent (bridge) mode, with DHCP deployed on S6 to assign addresses to wireless terminals and the AP.
15. The Beijing and Guangzhou campuses deploy wireless APs in fat mode.
16. To ensure that only legitimate users connect to the headquarters intranet, headquarters wireless users are verified by MAC address. On the headquarters AC devices, configure a whitelist that allows only PC1 (determine the MAC address of its wireless NIC with ipconfig) onto the wireless network, and set the AC whitelist size to a maximum of 10.
17. The authentication server (IP: 194.1.100.100) creates headquarters authentication users user1 and user2 and branch-campus authentication users user3 and user4, corresponding to WEB and DOT1X authentication respectively;
S6:
dhcp enable
dhcp server ip-pool 10
gateway-list 194.1.10.254
network 194.1.10.0 mask 255.255.255.0
#
dhcp server ip-pool 20
gateway-list 194.1.20.254
network 194.1.20.0 mask 255.255.255.0
#
dhcp server ip-pool 30
gateway-list 194.1.30.254
network 194.1.30.0 mask 255.255.255.0
option 138 ip-address 11.1.0.204 11.1.0.205
#
interface Vlan-interface10
description Wire_user
ip address 194.1.10.254 255.255.255.0
#
interface Vlan-interface20
description Wireless_user
ip address 194.1.20.254 255.255.255.0
#
interface Vlan-interface30
description AP
ip address 194.1.30.254 255.255.255.0
S7:
dhcp enable
#
dhcp server ip-pool 10
gateway-list 195.1.10.254
network 195.1.10.0 mask 255.255.255.0
#
dhcp server ip-pool 20
gateway-list 195.1.20.254
network 195.1.20.0 mask 255.255.255.0
#
dhcp server ip-pool 30
gateway-list 195.1.30.254
network 195.1.30.0 mask 255.255.255.0
option 138 ip-address 11.1.0.204 11.1.0.205
#
interface Vlan-interface10
description Wire_user
ip address 195.1.10.254 255.255.255.0
#
interface Vlan-interface20
ip address 195.1.20.254 255.255.255.0
#
interface Vlan-interface30
ip address 195.1.30.254 255.255.255.0
Details to watch for with local forwarding on H3C:
The service VLAN must be created manually inside the AP, and the AP interface facing the upstream switch must be set to trunk and permit the VLAN's traffic; otherwise clients cannot obtain an IP address.
vlan 20
interface GigabitEthernet0/0/0
port link-mode bridge
port link-type trunk
port trunk permit vlan all
(IV) Egress Network Configuration
1. Configure an access control list on the headquarters egress gateway that allows the headquarters and branch wired and wireless business subnets (ACL number 110) to reach China Unicom and education-network (CERNET) resources through NAPT.
EG1:
acl advanced 3000
rule 0 permit ip source 192.1.0.0 0.0.255.255 destination 196.1.0.0 0.0.0.255
rule 5 permit ip source 192.1.0.0 0.0.255.255 destination 197.1.0.0 0.0.0.255
rule 10 permit ip source 194.1.0.0 0.0.255.255 destination 196.1.0.0 0.0.0.255
rule 15 permit ip source 194.1.0.0 0.0.255.255 destination 197.1.0.0 0.0.0.255
rule 20 permit ip source 195.1.0.0 0.0.255.255 destination 196.1.0.0 0.0.0.255
rule 25 permit ip source 195.1.0.0 0.0.255.255 destination 197.1.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0 196.1.0.3
ip route-static 0.0.0.0 0 197.1.0.3
#
interface GigabitEthernet1/0/1
nat outbound 3000
interface GigabitEthernet1/0/2
nat outbound 3000
#
EG2:
acl advanced 3000
rule 0 permit ip source 192.1.0.0 0.0.255.255 destination 196.1.0.0 0.0.0.255
rule 5 permit ip source 192.1.0.0 0.0.255.255 destination 197.1.0.0 0.0.0.255
rule 10 permit ip source 194.1.0.0 0.0.255.255 destination 196.1.0.0 0.0.0.255
rule 15 permit ip source 194.1.0.0 0.0.255.255 destination 197.1.0.0 0.0.0.255
rule 20 permit ip source 195.1.0.0 0.0.255.255 destination 196.1.0.0 0.0.0.255
rule 25 permit ip source 195.1.0.0 0.0.255.255 destination 197.1.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0 196.1.0.3
ip route-static 0.0.0.0 0 197.1.0.3
#
interface GigabitEthernet1/0/1
nat outbound 3000
interface GigabitEthernet1/0/2
nat outbound 3000
Firewall pre-configuration (the firewall interfaces must be assigned to security zones and traffic between the zones must be permitted; otherwise there is no communication):
security-zone name Trust
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/3
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2
#
security-policy ip
rule 0 name 0
action pass
source-zone Local
source-zone Trust
source-zone Untrust
destination-zone Local
destination-zone Trust
destination-zone Untrust
2. Configure EG1 at headquarters so that the Telnet service of the headquarters core switch S4 (11.1.0.34) can be reached from the Internet, mapping its address onto the Unicom line as 196.1.0.10.
EG1:
interface GigabitEthernet1/0/1
nat server protocol tcp global 196.1.0.10 22 inside 11.1.0.34 22 rule ServerRule_1
3. Ensure that NAT-mapped traffic takes the same path in both directions: enable the EG "source-in, source-out" (last-hop hold) feature so that any external user (Unicom, Telecom, Mobile, education network, ...) can reach the mapped address 196.1.0.10.
Configure on all external-facing interfaces:
ip last-hop hold
4. Enable the Web Portal authentication service on the headquarters gateway and create user1 and user2, both with password 123456;
wired users must pass web authentication to access the Internet.
5. Wireless users can access the Internet without web authentication on the EG.
Configure on both EG1 and EG2:
local-user user1 class network
password simple 123456
authorization-attribute user-role network-operator
local-user user2 class network
password simple 123456
authorization-attribute user-role network-operator
portal free-rule 2000 source ip 192.1.60.0 255.255.255.0
portal free-rule 2001 source ip 194.1.20.0 255.255.255.0
portal free-rule 2002 source ip 195.1.20.0 255.255.255.0
6. At headquarters, rate-limit web traffic to the Internet to 1000 Kbps per IP, and limit total intranet web traffic to 100 Mbps (policy and channel name: WEB).
traffic-policy
rule 1 name WEB
action qos profile web
source-zone Local
source-zone Trust
destination-zone Untrust
service http
service https
profile name web
bandwidth total maximum 100000
bandwidth total maximum per-ip 1000
7. On working days (Monday to Friday, 09:00 to 17:00), block and audit the use of P2P applications (policy name: P2P).
8. Do not monitor or audit the Internet activity of the created user user1.
The time range is given the name worktime here (the task does not name it):
time-range worktime 9:00 to 17:00 working-day
object-group service p2p
0 service udp
uapp-control
policy name P2P audit
time-range worktime
default-action deny
service p2p
rule 1 any behavior any bhcontent any keyword include any action deny
policy name oaudit
user user1
9. Match headquarters and branch-campus user traffic against the EG's built-in Unicom and education-network address libraries so that Unicom resources are reached over the Unicom line and education resources over the education line; all other traffic is load-balanced between the Unicom and education lines by default.
(V) Network Operations and Maintenance Configuration
1. After the whole network is connected, move to the network monitoring and O&M phase. The O&M software is installed in the OPMSrv virtual machine on PC1 (the O&M platform URL is http://192.1.100.100); use the platform to monitor all devices at the headquarters campus (specifically S1-S5, EG1 and EG2).
2. Bring the monitored devices of the headquarters campus under monitoring through the O&M platform; use the topology configuration function to configure the headquarters campus network topology in the platform;
3. Treat the two links between S3 and EG1/EG2 at the headquarters campus as key monitored links and add them to link monitoring;
4. Create a custom monitoring dashboard (name: Chinaskills_network) that displays the network topology, device running status (CPU utilisation) and link status in real time.
(VI) SDN Network Configuration
1. SDN controller login address: 192.168.1.2/24; default username/password admin/test@123.
2. Build the SDN network with S1/S2/S4; S1/S2 connect to port 6653 of the SDN controller. All business traffic forwarding on S1/S2 must be centrally controlled by the SDN controller.
3. Through the SDN controller, manually deliver a flow entry named drop to S2 with the action drop, view the flow table on the switch, and test that the ordinary PC is prevented from pinging the high-performance PC.
4. Use the SDN controller's flow-table management to make PC1/PC2 and the headquarters business subnets reachable from each other.