华三中小企业组网

一、组网需求

在中小园区中，S5130系列或S5130S系列以太网交换机通常部署在网络的接入层，S5560X系列或

S6520X系列以太网交换机通常部署在网络的核心，出口路由器一般选用MSR系列路由器。

核心交换机配置VRRP保证网络可靠性。
园区网中不同的业务部门划分到不同的VLAN中，部门间的业务在核心交换机上通过VLAN接口三层互通。
核心交换机作为DHCP服务器，为园区网用户分配IP地址。
接入交换机上配置DHCP Snooping功能，防止内网用户私接小路由器分配IP地址；同时配置IP Source Guard功能，防止内网用户私自更改IP地址。
在出口路由器上对双向流量配置基于IP的限速。

二、配置思路与数据规划

(1) 登录设备

(2) 配置管理IP地址和Telnet功能

(3) 配置网络互连互通

(4) 配置核心交换机DHCP功能

(5) 配置核心交换机OSPF功能

(6) 配置核心交换可靠性功能

(7) 配置限速

配置数据表

配置步骤	配置项	配置数据	说明
登录设备	通过Console口登录	设置传输速率等通信参数	PC端通过终端仿真软件登录设备
配置管理IP和telnet功能	管理VLAN	VLAN 5	交换机缺省VLAN为VLAN 1。一般不将其配置为管理VLAN 本文将VLAN5配置为管理VLAN
配置管理IP和telnet功能	管理用以太网口或管理VLAN接口IP地址	10.10.1.1/24	此处以ACCSW1为例。有管理用以太网口的交换机，可为管理用以太网口M-GigabitEthernet0/0/0配置IP地址用于登录交换机。没有管理用以太网口的交换机，可为管理VLAN接口配置IP地址。
配置接口和VLAN	端口类型	连接交换机的端口建议设置为trunk，连接PC的端口设置为access。	trunk类型端口一般用于连接交换机。 access类型端口一般用于连接PC。 hybrid类型端口是通用端口，既可以用来连接交换机，也可用来连接PC。
配置接口和VLAN	VLAN ID	ACCSW1：VLAN 10、20 CORESW1：VLAN 10、20、30、40、50、100、300	为实现部门A和部门B二层隔离，将部门A划分到VLAN10中，部门B划分到VLAN20中。核心交换机1通过Vlan-int100连接出口路由器
核心交换机上配置DHCP服务器功能	DHCP Server	CORESW1、CORESW2	在核心交换机1、核心交换机2上部署DHCPServer
	地址池	VLAN 10：ip pool 10 VLAN 20：ip pool 20	部门A的终端从ip pool 10中获取IP地址部门B的终端从ip pool 20中获取IP地址
	地址分配方式	基于全局地址池	无
配置核心交换机路由	IP地址	以CORESW1为例： Vlan-int10：192.168.10.1/24 Vlan-int20：192.168.20.1/24 Vlan-int100：172.16.1.1/24 Vlan-int300：172.16.3.1/24	Vlan-int100用于核心交换机1与园区出口路由器对接。Vlan-int300用于核心交换机1与核心交换机2对接在核心交换机1上配置Vlan-int10、Vlan-int20的IP地址后，部门A与部门B之间可以通过核心交换机1互访
配置出口路由器	公网接口的IP地址	GE0/0：202.101.100.2/30	GE0/0为出口路由器连接Internet的接口，一般称为公网接口
	公网网关	202.101.100.1/30	该地址是与出口路由器对接的运营商设备的IP地址，出口路由器上需要配置一条缺省路由指向该地址，用于指导内网流量转发至Internet
	DNS地址	202.101.100.199	DNS服务器用于将域名解析成IP地址
	内网接口的IP地址	GE0/1：172.16.1.2/24 GE0/2：172.16.2.2/24	GE0/1、GE0/2为出口路由器连接内网的接口，GE0/1连接主设备，GE0/2连接备设备
在接入交换机上配置DHCP Snooping和IP Source Guard	信任接口	GE1/0/1 GE1/0/2	配置信任接口后，用户只会接收从信任接口进入的DHCP报文，防止内网私接小路由器为主机分配IP地址

三、配置步骤

3.1 配置接入交换机

PS：接入交换机ACCSW1、ACCSW2、ACCSW3和ACCSW4的配置基本相同。本文以配置接入

交换机ACCSW1为例说明配置方法。

3.1.1 通过Console口首次登录设备

# 将PC断电。

因为PC的串口不支持热插拔，请不要在PC带电的情况下，将串口线插入或者拔出PC。

# 使用产品随机附带的配置口电缆连接PC机和设备。请先将配置口电缆的DB-9（孔）插头插入PC

机的9芯（针）串口中，再将RJ-45插头端插入设备的Console口中。

将设备与PC通过配置口电缆进行连接。

# 给PC上电。

# 在PC上打开终端仿真程序，按照要求设置终端参数。

终端参数设置：

参数	值
波特率	9600
数据位	8
停止位	1
奇偶校验	无
流量控制	无

# 给设备上电。

在设备自检结束后，用户可键入回车进入命令交互界面。

PS：缺省情况下，通过Console登录设备的认证方式为None，即不需要用户名、密码即可登录设

备。首次登录后，建议修改通过Console口登录设备的认证方式以增强设备的安全性。

3.1.2 配置IP地址和Telnet

# 创建VLAN 5，并将接口Ten-GigabitEthernet1/0/10加入到VLAN 5中。假设连接网管的接口是

Ten-GigabitEthernet1/0/10。

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] sysname ACCSW1
[ACCSW1] vlan 5
[ACCSW1-vlan5] port ten-gigabitethernet 1/0/10
[ACCSW1-vlan5] quit

# 创建VLAN接口5，并将接口IP地址配置为10.10.1.1/24。

[ACCSW1] interface vlan-interface 5
[ACCSW1-Vlan-interface5] ip address 10.10.1.1 24
[ACCSW1-Vlan-interface5] quit

# 开启Telnet服务。

[ACCSW1] telnet server enable

# 配置Telnet登录使用scheme认证方式。

[ACCSW1] line vty 0 63
[ACCSW1-line-vty0-63] authentication-mode scheme
[ACCSW1-line-vty0-63] quit

# 创建本地用户，并配置本地用户的密码、用户角色和服务类型。本例中用户名和密码均为

admin，服务类型为telnet，用户角色为network-admin。

[ACCSW1] local-user admin
New local user added.
[ACCSW1-luser-manage-admin] password simple hello12345
[ACCSW1-luser-manage-admin] authorization-attribute user-role network-admin
[ACCSW1-luser-manage-admin] service-type telnet
[ACCSW1-luser-manage-admin] quit

# 在终端上通过Telnet登录到设备，输入正确的用户名和密码后，出现用户视图的命令行提示符表

示登录成功。

C:\Users\Administrator> telnet 10.10.1.1
****************************************************************************** 
* Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.* 
* Without the owner's prior written consent,                                 * 
* no decompiling or reverse-engineering shall be allowed.                    * 
****************************************************************************** 
                                                                                
login: admin                                                                   
Password:                                                                      
...

PS：上述终端输出信息是以S5560X-30C-PWR-EI设备（Release 1118P07版本）为例。

3.1.3 配置接口与VLAN

# 在接入交换机上创建VLAN 10和VLAN 20。

[ACCSW1] vlan 10 20

# 将连接PC1的接口GigabitEthernet1/0/1加入VLAN 10，并配置为边缘端口。

[ACCSW1] interface gigabitethernet 1/0/1
[ACCSW1-GigabitEthernet1/0/1] port link-type access
[ACCSW1-GigabitEthernet1/0/1] port acess vlan 10
[ACCSW1-GigabitEthernet1/0/1] stp edged-port
[ACCSW1-GigabitEthernet1/0/1] quit

# 将连接PC1的接口GigabitEthernet1/0/2加入VLAN 20，并配置为边缘端口。

[ACCSW1] interface gigabitethernet 1/0/2
[ACCSW1-GigabitEthernet1/0/2] port link-type access
[ACCSW1-GigabitEthernet1/0/2] port acess vlan 20
[ACCSW1-GigabitEthernet1/0/2] stp edged-port
[ACCSW1-GigabitEthernet1/0/2] quit

# 将接口GigabitEthernet1/0/3和GigabitEthernet1/0/4的链路类型配置为Trunk并允许VLAN 10和

VLAN 20的报文通过。

[ACCSW1] interface gigabitethernet 1/0/3
[ACCSW1-GigabitEthernet1/0/3] port link-type trunk
[ACCSW1-GigabitEthernet1/0/3] port trunk permit vlan 10 20
[ACCSW1-GigabitEthernet1/0/3] quit
[ACCSW1] interface gigabitethernet 1/0/4
[ACCSW1-GigabitEthernet1/0/4] port link-type trunk
[ACCSW1-GigabitEthernet1/0/4] port trunk permit vlan 10 20
[ACCSW1-GigabitEthernet1/0/4] quit

# 查看ACCSW1上VLAN 10和VLAN 20的配置信息。

[ACCSW1] display vlan 10
 VLAN ID: 10
 VLAN type: Static
 Route interface: Not configured
 Description: VLAN 0010
 Name: VLAN 0010
 Tagged ports:
    GigabitEthernet1/0/3
    GigabitEthernet1/0/4
 Untagged ports:
    GigabitEthernet1/0/1

[ACCSW1] display vlan 20
 VLAN ID: 20
 VLAN type: Static
 Route interface: Not configured
 Description: VLAN 0020
 Name: VLAN 0020
 Tagged ports:
    GigabitEthernet1/0/3
    GigabitEthernet1/0/4
 Untagged ports:
    GigabitEthernet1/0/2

3.1.4 配置BPDU保护功能

[ACCSW1] stp bpdu-protection

3.1.5 配置DHCP snooping

# 开启DHCP Snooping功能。

[ACCSW1] dhcp snooping enable

# 指定GigabitEthernet1/0/3为DHCP Snooping功能的信任端口。

[ACCSW1] interface gigabitethernet 1/0/3

[ACCSW1-GigabitEthernet1/0/3] dhcp snooping trust

[ACCSW1-GigabitEthernet1/0/3] quit

3.1.6 配置IP Source Guard

# 开启接口GigabitEthernet1/0/1、GigabitEthernet1/0/2的IPv4接口绑定功能，绑定源IP地址和

MAC地址，并启用接口的DHCP Snooping 表项记录功能。

[ACCSW1] interface gigabitethernet 1/0/1
[ACCSW1-GigabitEthernet1/0/1] ip verify source ip-address mac-address
[ACCSW1-GigabitEthernet1/0/1] dhcp snooping binding record
[ACCSW1-GigabitEthernet1/0/1] quit
[ACCSW1] interface gigabitethernet 1/0/2
[ACCSW1-GigabitEthernet1/0/2] ip verify source ip-address mac-address
[ACCSW1-GigabitEthernet1/0/2] dhcp snooping binding record
[ACCSW1-GigabitEthernet1/0/2] quit

3.1.7 保存配置

# 保存接入交换机上的配置（以ACCSW1为例）。

[ACCSW1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.

3.2 配置核心交换机

PS：核心交换机CORESW1和CORESW2的配置基本相同。本文如无特殊说明，以配置核心交

换机CORESW1为例说明配置方法。

3.2.1 配置接口与VLAN

# 创建VLAN 10、VLAN 20、VLAN 30、VLAN 40、VLAN 50、VLAN 100和VLAN 300。

<Sysname> system-view
[Sysname] sysname CORESW1
[CORESW1] vlan 10 20 30 40 50 100 300

# 配置接口GigabitEthernet1/0/1的链路类型为Trunk，并允许VLAN 10和20的报文通过。

[CORESW1] interface gigabitethernet 1/0/1
[CORESW1-GigabitEthernet1/0/1] port link-type trunk
[CORESW1-GigabitEthernet1/0/1] port trunk permit vlan 10 20
[CORESW1-GigabitEthernet1/0/1] quit

# 配置接口GigabitEthernet1/0/5的链路类型为Trunk，并允许VLAN 300的报文通过。

[CORESW1] interface gigabitethernet 1/0/5
[CORESW1-GigabitEthernet1/0/5] port link-type trunk
[CORESW1-GigabitEthernet1/0/5] port trunk permit vlan 300
[CORESW1-GigabitEthernet1/0/5] quit

# 配置其他接口的链路类型并允许对应的VLAN通过，具体配置过程略。

3.2.2 配置VLAN接口

# 创建VLAN接口10，并将接口的IP地址配置为192.168.10.1/24。

[CORESW1] interface vlan-interface 10
[CORESW1-Vlan-interface10] ip address 192.168.10.1 24
[CORESW1-Vlan-interface10] quit

# 创建VLAN接口20，并将接口的IP地址配置为192.168.20.1/24。

[CORESW1] interface vlan-interface 20
[CORESW1-Vlan-interface20] ip address 192.168.20.1 24
[CORESW1-Vlan-interface20] quit

# 创建VLAN接口100，并将接口的IP地址配置为172.16.1.1/24。

[CORESW1] interface vlan-interface 100
[CORESW1-Vlan-interface100] ip address 172.16.1.1 24
[CORESW1-Vlan-interface100] quit

# 创建VLAN接口300，并将接口的IP地址配置为172.16.3.1/24。

[CORESW1] interface vlan-interface 300
[CORESW1-Vlan-interface300] ip address 172.16.3.1 24
[CORESW1-Vlan-interface300] quit

# 创建其他VLAN接口，并配置IP地址，具体配置过程略。

# 查看CORESW1上VLAN 10、VLAN 20、VLAN 100、VLAN 300的配置信息。

[CORESW1] display vlan 10
 VLAN ID: 10
 VLAN type: Static
 Route interface: Configured
 IPv4 address: 192.168.10.1
 IPv4 subnet mask: 255.255.255.0
 Description: VLAN 0010
 Name: VLAN 0010
 Tagged ports:
    GigabitEthernet1/0/1
 Untagged ports:   None

[CORESW1] display vlan 20
 VLAN ID: 20
 VLAN type: Static
 Route interface: Configured
 IPv4 address: 192.168.20.1
 IPv4 subnet mask: 255.255.255.0
 Description: VLAN 0020
 Name: VLAN 0020
 Tagged ports:
    GigabitEthernet1/0/2
 Untagged ports:   None

[CORESW1] display vlan 100
 VLAN ID: 100
 VLAN type: Static
 Route interface: Configured
 IPv4 address: 172.16.1.1
 IPv4 subnet mask: 255.255.255.0
 Description: VLAN 0100
 Name: VLAN 0100
 Tagged ports:   None
 Untagged ports:   None

[CORESW1] display vlan 300
 VLAN ID: 300
 VLAN type: Static
 Route interface: Configured
 IPv4 address: 172.16.3.1
 IPv4 subnet mask: 255.255.255.0
 Description: VLAN 0300
 Name: VLAN 0300
 Tagged ports:
    GigabitEthernet1/0/5
 Untagged ports:   None

3.2.3 配置VRRP备份

正常情况下内网用户流量都上送到CORESW1进行处理，只有当CORESW1或CORESW1的上行

链路出故障之后，VRRP备份组切换CORESW2为主设备，内网用户流量上送到CORESW2。

# 在CORESW1上配置VRRP备份组功能。

# 创建VRRP备份组1，并配置VRRP备份组1的虚拟IP地址为172.16.3.10。

[CORESW1] interface vlan-interface 300
[CORESW1-Vlan-interface300] vrrp vrid 1 virtual-ip 172.16.3.10

# 设置CORESW1在VRRP备份组1中的优先级为120，高于CORESW2的优先级100，以保证

CORESW1成为Master负责转发流量。

[CORESW1-Vlan-interface300] vrrp vrid 1 priority 120

# 设置CORESW1工作在抢占方式，以保证CORESW1故障恢复后，能再次抢占成为Master，即只

要CORESW1正常工作，就由CORESW1负责转发流量。为了避免频繁地进行状态切换，配置抢占

延迟时间为5000厘秒。

[CORESW1-Vlan-interface300] vrrp vrid 1 preempt-mode delay 5000
[CORESW1-Vlan-interface300] quit

# 创建和上行接口GigabitEthernet1/0/7物理状态关联的Track项1。如果Track项的状态为

Negative，则说明CORESW1的上行接口出现故障。

[CORESW1] track 1 interface gigabitethernet 1/0/7
[CORESW1-track-1] quit

# 设置监视Track项。

[CORESW1] interface vlan-interface 300
[CORESW1-Vlan-interface300] vrrp vrid 1 track 1 priority reduced 30

# 在CORESW2上配置VRRP备份组功能。创建VRRP备份组1，并配置VRRP备份组1的虚拟IP地

址为172.16.3.10。

<Sysname> system-view
[Sysname] sysname CORESW2
[CORESW2] interface vlan-interface 300
[CORESW2-Vlan-interface300] vrrp vrid 1 virtual-ip 172.16.3.10

# 配置CORESW2在VRRP备份组1中的优先级为100。

[CORESW2-Vlan-interface300] vrrp vrid 1 priority 100

# 配置CORESW2工作在抢占方式，抢占延迟时间为5000厘秒。

[CORESW2-Vlan-interface300] vrrp vrid 1 preempt-mode delay 5000
[CORESW2-Vlan-interface300] quit

# 在CORESW1上使用display vrrp verbose命令查询VRRP备份组信息。

[CORESW1] display vrrp verbose
IPv4 Virtual Router Information:
 Running mode : Standard
 Total number of virtual routers : 1
   Interface Vlan-interface300
     VRID             : 1                   Adver Timer  : 100
     Admin Status     : Up                  State        : Master
     Config Pri       : 120                 Running Pri  : 120
     Preempt Mode     : Yes                 Delay Time   : 5000
     Auth Type        : None
     Virtual IP       : 172.16.3.10
     Virtual MAC      : 0000-5e00-0101
     Master IP        : 172.16.3.1
   VRRP Track Information:
     Track Object   : 1                   State : Positive   Pri Reduced : 30

# 在CORESW2上使用display vrrp verbose命令查询VRRP备份组信息。

[CORESW2] display vrrp verbose
IPv4 Virtual Router Information:
 Running mode : Standard
 Total number of virtual routers : 1
   Interface Vlan-interface300
     VRID             : 1                   Adver Timer  : 100
     Admin Status     : Up                  State        : Backup
     Config Pri       : 100                 Running Pri  : 100
     Preempt Mode     : Yes                 Delay Time   : 5000
     Become Master    : 27810ms left
     Auth Type        : None
     Virtual IP       : 172.16.3.10
     Virtual MAC      : 0000-5e00-0101
     Master IP        : 172.16.3.1

# 由此可见，VRRP备份组创建成功，CORESW1为Master设备，CORESW2为Backup设备。

3.2.4 配置DHCP服务器，并查看配置

# 开启DHCP服务。

[CORESW1] dhcp enable

# 创建DHCP地址池1，用来为192.168.10.0/24网段内的客户端分配动态IP地址，并配置DNS服务

器地址、出口网关、租期，为打印机配置固定的IP地址192.168.10.254。

[CORESW1] dhcp server ip-pool 1
[CORESW1-dhcp-pool-1] network 192.168.10.0 mask 255.255.255.0
[CORESW1-dhcp-pool-1] gateway-list 192.168.10.1
[CORESW1-dhcp-pool-1] dns-list 202.101.100.199
[CORESW1-dhcp-pool-1] expired day 30
[CORESW1-dhcp-pool-1] static-bind ip-address 192.168.10.254 24 client-identifier aabb-cccc-dd
[CORESW1-dhcp-pool-1] quit

# 创建DHCP地址池2，用来为192.168.20.0/24网段内的客户端分配动态IP地址，并配置DNS服务

器地址、出口网关、租期。

[CORESW1] dhcp server ip-pool 2
[CORESW1-dhcp-pool-2] network 192.168.20.0 mask 255.255.255.0
[CORESW1-dhcp-pool-2] gateway-list 192.168.20.1
[CORESW1-dhcp-pool-2] dns-list 202.101.100.199
[CORESW1-dhcp-pool-2] expired day 30
[CORESW1-dhcp-pool-2] quit

# 配置VLAN接口10和VLAN接口20工作在DHCP服务器模式。

[CORESW1] interface vlan-interface 10
[CORESW1-Vlan-interface10] dhcp select server
[CORESW1-Vlan-interface10] quit
[CORESW1 interface vlan-interface 20
[CORESW1-Vlan-interface20] dhcp select server
[CORESW1-Vlan-interface20] quit

# 使用display dhcp server pool命令查看DHCP地址池的信息。

[CORESW1] display dhcp server pool
Pool name: 1
  Network: 192.168.10.0 mask 255.255.255.0
  expired 30 0 0 0
  gateway-list 192.168.10.1
  static bindings:
    ip-address 192.168.10.254 mask 255.255.255.0
      client-identifier aabb-cccc-dd
Pool name: 2
  Network: 192.168.20.0 mask 255.255.255.0
  expired 30 0 0 0
  gateway-list 192.168.20.1

3.2.5 配置OSPF

CORESW1的OSPF配置。

[CORESW1] ospf 100 router-id 2.2.2.2
[CORESW1-ospf-100] area 0
[CORESW1-ospf-100-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[CORESW1-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORESW1-ospf-100-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[CORESW1-ospf-100-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[CORESW1-ospf-100-area-0.0.0.0] quit
[CORESW1-ospf-100] quit

CORESW2的OSPF配置。

[CORESW2] ospf 100 router-id 3.3.3.3
[CORESW2-ospf-100] area 0
[CORESW2-ospf-100-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[CORESW2-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORESW2-ospf-100-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[CORESW2-ospf-100-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[CORESW2-ospf-100-area-0.0.0.0] quit
[CORESW2-ospf-100] quit

# 使用display ospf peer命令查看CORESW1上的OSPF邻居信息。

[CORESW1] display ospf peer

         OSPF Process 100 with Router ID 2.2.2.2
               Neighbor Brief Information

 Area: 0.0.0.0
 Router ID       Address         Pri Dead-Time  State             Interface
 3.3.3.3         172.16.3.2      1   33         Full/DR           Vlan300

# 使用display ospf peer命令查看CORESW2上的OSPF邻居信息。

[CORESW2] display ospf peer

         OSPF Process 100 with Router ID 3.3.3.3
               Neighbor Brief Information

 Area: 0.0.0.0
 Router ID       Address         Pri Dead-Time  State             Interface
 2.2.2.2         172.16.3.1      1   36         Full/BDR          Vlan300

3.2.6 保存配置

# 保存核心交换机上的配置（以CORESW1为例）。

[CORESW1] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.

3.3 配置出口路由器

3.3.1 配置内网接口和公网接口IP

# 配置内网接口IP地址。

[Router] interface GigabitEthernet 0/1
[Router-GigabitEthernet0/1] ip address 172.16.1.2 24
[Router-GigabitEthernet0/1] quit
[Router] interface GigabitEthernet 0/2
[Router-GigabitEthernet0/2] ip address 172.16.2.2 24
[Router-GigabitEthernet0/2] quit

# 配置公网接口IP地址。

[Router] interface GigabitEthernet 0/0
[Router-GigabitEthernet0/0] ip address 202.101.100.2 30
[Router-GigabitEthernet0/0] quit

3.3.2 配置允许上网的ACL

# 配置ACL。

[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.10.0 0.0.0.255
[Router-acl-ipv4-basic-2000] rule permit source 192.168.20.0 0.0.0.255
[Router-acl-ipv4-basic-2000] rule permit source 172.16.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] rule permit source 172.16.2.0 0.0.0.255
[Router-acl-ipv4-basic-2000] rule permit source 172.16.3.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit

# 配置报文过滤。

[Router] interface gigabitethernet 0/1
[Router-GigabitEthernet0/1] packet-filter 2000 inbound
[Router-GigabitEthernet0/1] quit
[Router] interface gigabitethernet 0/2
[Router-GigabitEthernet0/2] packet-filter 2000 inbound
[Router-GigabitEthernet0/2] quit
[Router] packet-filter default deny

# 使用display acl命令查看ACL的配置信息。

[Router] display acl 200
Basic IPv4 ACL 2000, 5 rules,
ACL's step is 5, start ID is 0
 rule 0 permit source 192.168.10.0 0.0.0.255
 rule 5 permit source 192.168.20.0 0.0.0.255
 rule 10 permit source 172.16.1.0 0.0.0.255
 rule 15 permit source 172.16.2.0 0.0.0.255
 rule 20 permit source 172.16.3.0 0.0.0.255

# 使用display packet-filter命令查看ACL在报文过滤中的应用情况。

[Router] display packet-filter interface gigabitethernet 0/1 inbound
Interface: GigabitEthernet0/1
 Inbound policy:
  IPv4 ACL 2000

[Router] display packet-filter interface gigabitethernet 0/2 inbound
Interface: GigabitEthernet0/2
 Inbound policy:
  IPv4 ACL 2000

3.3.3 配置OSPF

配置一条缺省路由指向运营商。

[Router] ip route-static 0.0.0.0 0.0.0.0 202.101.100.1

出口路由器的OSPF配置。在OSPF中引入缺省路由，从而连接内网和公网。

[Router] ospf 10 router-id 1.1.1.1
[Router-ospf-10] default-route-advertise always
[Router-ospf-10] area 0
[Router-ospf-10-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Router-ospf-10-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[Router-ospf-10-area-0.0.0.0] quit
[Router-ospf-10] quit

# 使用display ospf peer命令查看Router上的OSPF邻居信息。

[Router] display ospf peer

         OSPF Process 100 with Router ID 1.1.1.1
               Neighbor Brief Information

 Area: 0.0.0.0
 Router ID       Address         Pri Dead-Time  State             Interface
 2.2.2.2         172.16.1.1      1   31         Full/DR           GE0/1
 3.3.3.3         172.16.2.1      1   39         Full/BDR          GE0/2

# 使用display ospf routing命令查看CORESW1上的OSPF路由表信息。

[CORESW1] display ospf routing

         OSPF Process 100 with Router ID 2.2.2.2
                  Routing Table

                Topology base (MTID 0)

 Routing for network
 Destination        Cost     Type    NextHop         AdvRouter       Area
 172.16.1.0/24      1        Transit 0.0.0.0         2.2.2.2         0.0.0.0
 172.16.2.0/24      2        Transit 172.16.3.2      1.1.1.1         0.0.0.0
 172.16.2.0/24      2        Transit 172.16.1.2      1.1.1.1         0.0.0.0
 172.16.3.0/24      1        Transit 0.0.0.0         3.3.3.3         0.0.0.0


 Routing for ASEs
 Destination        Cost     Type    Tag         NextHop         AdvRouter
 0.0.0.0/0          1        Type2   1           172.16.1.2      1.1.1.1


 Total nets: 5
 Intra area: 4  Inter area: 0  ASE: 1  NSSA: 0

# 使用display ospf routing命令查看CORESW2上的OSPF路由表信息。

[CORESW2] display ospf routing

         OSPF Process 100 with Router ID 3.3.3.3
                  Routing Table

                Topology base (MTID 0)


 Routing for network
 Destination        Cost     Type    NextHop         AdvRouter       Area
 172.16.1.0/24      2        Transit 172.16.3.1      2.2.2.2         0.0.0.0
 172.16.1.0/24      2        Transit 172.16.2.2      2.2.2.2         0.0.0.0
 172.16.2.0/24      1        Transit 0.0.0.0         1.1.1.1         0.0.0.0
 172.16.3.0/24      1        Transit 0.0.0.0         3.3.3.3         0.0.0.0


 Routing for ASEs
 Destination        Cost     Type    Tag         NextHop         AdvRouter
 0.0.0.0/0          1        Type2   1           172.16.2.2      1.1.1.1


 Total nets: 5
 Intra area: 4  Inter area: 0  ASE: 1  NSSA: 0

3.3.4 配置DNS解析

[Router] dns server 202.101.100.199
[Router] dns proxy enable

3.3.5 配置基于IP或IP网段的限速

# 配置CAR列表。

[Router] qos carl 1 source-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth
[Router] qos carl 2 source-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth
[Router] qos carl 3 destination-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth
[Router] qos carl 4 destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth

# 配置限速。

[Router] interface gigabitethernet 0/1
[Router-GigabitEthernet0/1] qos car inbound carl 1 cir 512
[Router-GigabitEthernet0/1] qos car inbound carl 2 cir 512
[Router-GigabitEthernet0/1] qos car outbound carl 3 cir 512
[Router-GigabitEthernet0/1] qos car outbound carl 4 cir 512
[Router-GigabitEthernet0/1] quit
[Router] interface gigabitethernet 0/2
[Router-GigabitEthernet0/2] qos car inbound carl 1 cir 512
[Router-GigabitEthernet0/2] qos car inbound carl 2 cir 512
[Router-GigabitEthernet0/2] qos car outbound carl 3 cir 512
[Router-GigabitEthernet0/2] qos car outbound carl 4 cir 512
[Router-GigabitEthernet0/2] quit

# 使用display qos carl命令查看CAR列表。

[Router] display qos carl
List  Rules
1     source-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth
2     source-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth
3     destination-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth
4     destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth

# 使用display qos car interface命令查看接口的流量监管配置情况和统计信息。

[Router] display qos car interface gigabitethernet 0/1
Interface: GigabitEthernet0/1
 Direction: inbound
  Rule: If-match carl 1
   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
   Green action  : pass
   Yellow action : pass
   Red action    : discard
   Green packets : 0 (Packets), 0 (Bytes)
   Yellow packets: 0 (Packets), 0 (Bytes)
   Red packets   : 0 (Packets), 0 (Bytes)
  Rule: If-match carl 2
   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
   Green action  : pass
   Yellow action : pass
   Red action    : discard
   Green packets : 0 (Packets), 0 (Bytes)
   Yellow packets: 0 (Packets), 0 (Bytes)
   Red packets   : 0 (Packets), 0 (Bytes)
 Direction: outbound
  Rule: If-match carl 3
   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
   Green action  : pass
   Yellow action : pass
   Red action    : discard
   Green packets : 0 (Packets), 0 (Bytes)
   Yellow packets: 0 (Packets), 0 (Bytes)
   Red packets   : 0 (Packets), 0 (Bytes)
  Rule: If-match carl 4
   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
   Green action  : pass
   Yellow action : pass
   Red action    : discard
   Green packets : 0 (Packets), 0 (Bytes)
   Yellow packets: 0 (Packets), 0 (Bytes)
   Red packets   : 0 (Packets), 0 (Bytes)

[Router] display qos car interface gigabitethernet 0/2
Interface: GigabitEthernet0/2
 Direction: inbound
  Rule: If-match carl 1
   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
   Green action  : pass
   Yellow action : pass
   Red action    : discard
   Green packets : 0 (Packets), 0 (Bytes)
   Yellow packets: 0 (Packets), 0 (Bytes)
   Red packets   : 0 (Packets), 0 (Bytes)
  Rule: If-match carl 2
   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
   Green action  : pass
   Yellow action : pass
   Red action    : discard
   Green packets : 0 (Packets), 0 (Bytes)
   Yellow packets: 0 (Packets), 0 (Bytes)
   Red packets   : 0 (Packets), 0 (Bytes)
 Direction: outbound
  Rule: If-match carl 3
   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
   Green action  : pass
   Yellow action : pass
   Red action    : discard
   Green packets : 0 (Packets), 0 (Bytes)
   Yellow packets: 0 (Packets), 0 (Bytes)
   Red packets   : 0 (Packets), 0 (Bytes)
  Rule: If-match carl 4
   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)
   Green action  : pass
   Yellow action : pass
   Red action    : discard
   Green packets : 0 (Packets), 0 (Bytes)
   Yellow packets: 0 (Packets), 0 (Bytes)
   Red packets   : 0 (Packets), 0 (Bytes)

3.3.6 保存配置

# 保存出口路由器Router上的配置。

[Router] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.

3.4 验证配置

3.4.1 同一个部门内部两台PC间可以ping通。

# 以VLAN 10所在的业务部门为例，PC间是通过ACCSW1实现二层互通的。如果用户间互ping测

试正常，则说明二层互通正常。

<PC1> ping 192.168.10.83
Ping 192.168.10.83 (192.168.10.83): 56 data bytes, press CTRL+C to break
56 bytes from 192.168.10.83: icmp_seq=0 ttl=255 time=1.328 ms
56 bytes from 192.168.10.83: icmp_seq=1 ttl=255 time=0.808 ms
56 bytes from 192.168.10.83: icmp_seq=2 ttl=255 time=0.832 ms
56 bytes from 192.168.10.83: icmp_seq=3 ttl=255 time=0.904 ms
56 bytes from 192.168.10.83: icmp_seq=4 ttl=255 time=0.787 ms


--- Ping statistics for 192.168.10.83 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.787/0.932/1.328/0.202 ms

3.4.2 两个不同部门内的PC可以ping通。

# 部门间的通信是通过CORESW1或CORESW2实现的。如果用户之间互ping测试正常，则说明两

个部门之间通过VLAN接口实现三层互通正常。

<PC1> ping 192.168.20.5
Ping 192.168.20.5 (192.168.20.5): 56 data bytes, press CTRL+C to break
56 bytes from 192.168.20.5: icmp_seq=0 ttl=255 time=69.146 ms
56 bytes from 192.168.20.5: icmp_seq=1 ttl=255 time=1.735 ms
56 bytes from 192.168.20.5: icmp_seq=2 ttl=255 time=1.356 ms
56 bytes from 192.168.20.5: icmp_seq=3 ttl=255 time=1.302 ms
56 bytes from 192.168.20.5: icmp_seq=4 ttl=255 time=1.379 ms


--- Ping statistics for 192.168.20.5 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.302/14.984/69.146/27.082 ms

3.4.3 每个部门各选一台PC可以ping通外网。

# 以VLAN 10所在的业务部门为例，通过在PC1上ping公网网关地址（即与出口路由器对接的运营

商设备的IP地址）来验证是否可以访问外网，如果ping测试正常，则说明内网用户访问外网正常。

测试方法与步骤1类似。

3.5 配置文件

3.5.1 接入交换机ACCSW1

#
 sysname ACCSW1
#
 telnet server enable
#
 dhcp snooping enable
#
vlan 5
#
vlan 10
#
vlan 20
#
 stp bpdu-protection
#
interface Vlan-interface5
 ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port access vlan 10
 stp edged-port
 ip verify source ip-address mac-address
 dhcp snooping binding record
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 20
 stp edged-port
 ip verify source ip-address mac-address
 dhcp snooping binding record
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 10 20
 dhcp snooping trust
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 10 20
#
interface Ten-GigabitEthernet1/0/10
 port link-mode bridge
 port access vlan 5
#
line vty 0 63
 authentication-mode scheme
#
local-user admin class manage
 password hash $h$6$ZJSf20ub4uEzjy2F$cXW3O3Jt5Ci21ECze7w2MdRpLebMaE4vXBo59frUrIZs+Knxw76oNBu+HiB0zqkTfrnw1Phe0rSRa5d+OSIIbg==
 service-type telnet
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator

# 接入交换机ACCSW2、ACCSW3、ACCSW4：

接入交换机ACCSW2、ACCSW3、ACCSW4除了VLAN ID、管理VLAN接口IP地址、接口编号与

ACCSW1不同外，其他配置与ACCSW1相同，配置文件略。

3.5.2 核心交换机CORESW1

#
 sysname CORESW1
#
track 1 interface GigabitEthernet1/0/7
#
ospf 100 router-id 3.3.3.3
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 172.16.3.0 0.0.0.255
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
#
 dhcp enable
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 100
#
vlan 300
#
ftth
#
dhcp server ip-pool 1
 gateway-list 192.168.10.1
 network 192.168.10.0 mask 255.255.255.0
 dns-list 202.101.100.199
 expired day 30
 static-bind ip-address 192.168.10.254 mask 255.255.255.0 client-identifier aabb-cccc-dd
#
dhcp server ip-pool 2
 gateway-list 192.168.20.1
 network 192.168.20.0 mask 255.255.255.0
 dns-list 202.101.100.199
 expired day 30
#
interface Vlan-interface10
 ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface20
 ip address 192.168.20.1 255.255.255.0
#
interface Vlan-interface100
 ip address 172.16.1.1 255.255.255.0
#
interface Vlan-interface30
 ip address 172.16.3.1 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.3.10
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode delay 5000
 vrrp vrid 1 track 1 priority reduced 30
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 10
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 20
#
interface GigabitEthernet1/0/5
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 300
#

# 核心交换机CORESW2：

核心交换机CORESW2除了VLAN ID、接口编号、OSPF的router-id、VRRP备份组1的优先级与

CORESW1不同外，其他配置与CORESW1相同，配置文件略。

3.5.3 出口路由器Router

#
 sysname Router
#
 packet-filter default deny
#
 qos carl 1 source-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth
 qos carl 2 source-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth
 qos carl 3 destination-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth
 qos carl 4 destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth
#
ospf 10 router-id 1.1.1.1
 default-route-advertise always
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 172.16.2.0 0.0.0.255
#
 dns proxy enable
 dns server 202.101.100.199
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 172.16.1.2 255.255.255.0
 packet-filter 2000 inbound
 qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
 qos car inbound carl 2 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
 qos car outbound carl 3 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
 qos car outbound carl 4 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
#
interface GigabitEthernet0/2
 port link-mode route
 ip address 172.16.2.2 255.255.255.0
 packet-filter 2000 inbound
 qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
 qos car inbound carl 2 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
 qos car outbound carl 3 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
 qos car outbound carl 4 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 202.101.100.2 255.255.255.252
#
 ip route-static 0.0.0.0 0 202.101.100.1
#
acl basic 2000
 rule 0 permit source 192.168.10.0 0.0.0.255
 rule 5 permit source 192.168.20.0 0.0.0.255
 rule 10 permit source 172.16.1.0 0.0.0.255
 rule 15 permit source 172.16.2.0 0.0.0.255
 rule 20 permit source 172.16.3.0 0.0.0.255
#