A Complete Guide to Building and Configuring a Campus Network in ENSP
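This article uses Huawei's ENSP simulator to build a complete enterprise network consisting of core switches, access switches, an AC, routers, a firewall and an ISP router. It follows the original configuration commands exactly and adds comments explaining what each key step is for, to help readers understand the logic of the build and the main points of each device's configuration.
📌 Original post on my blog: Breeze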
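I. Lab Topology (ENSP)
Topology overview
The lab topology contains the following devices and connections and can be reproduced directly in ENSP:
- Core layer: two core switches (Core-SW1, Core-SW2), interconnected by an Eth-Trunk link aggregation for redundancy
- Access layer: seven access switches (LSW3~LSW9), each connected to the core switches and serving a different service VLAN
- Wireless control: one AC (AC1), connected to the core switches, managing the wireless APs and providing WLAN service
- Routing layer: two core routers (Core-R1, Core-R2), connecting the core switches and the firewall and running OSPF
- Security layer: one firewall (FW1), connecting the routers and the ISP and providing access control and NAT
- External network: one ISP router (ISP-R), simulating the public network
[Figure: topology diagram]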

II. Device Configuration Details (ENSP)
| Subnet | Purpose | Gateway / virtual IP | Related devices |
|---|---|---|---|
| 192.168.10.0/24 | Access-layer VLAN10 endpoints | 192.168.10.252 (VRRP) | LSW9 |
| 192.168.20.0/24 | Access-layer VLAN20 endpoints | 192.168.20.252 (VRRP) | LSW3 |
| 192.168.30.0/24 | Access-layer VLAN30 endpoints | 192.168.30.252 (VRRP) | LSW4 |
| 192.168.40.0/24 | Access-layer VLAN40 endpoints | 192.168.40.252 (VRRP) | LSW5 |
| 192.168.50.0/24 | Access-layer VLAN50 endpoints | 192.168.50.252 (VRRP) | LSW6 |
| 192.168.60.0/24 | Access-layer VLAN60 endpoints | 192.168.60.252 (VRRP) | LSW7 |
| 192.168.100.0/24 | Wireless user subnet | 192.168.100.254 | AC1, Core-SW1/2 |
| 192.168.101.0/24 | AC and AP management subnet | 192.168.101.1 | AC1 |
| 192.168.200.0/24 | DMZ (servers) | 192.168.200.1 | FW1 |
| 192.168.2-8.0/24 | Core routing interconnect subnets | - | Core-R1/2, FW1 |
| 200.10.10.0/30 | Firewall-to-ISP interconnect subnet | - | FW1, ISP-R |
| 200.10.20.0/28 | ISP public subnet | 200.10.20.1 | ISP-R |
1. Core switch Core-SW1 configuration
<Huawei>sys # enter system view
[Huawei]undo info-center enable # disable the information center to reduce log noise
[Huawei]sys Core-SW1 # rename the device to Core-SW1
[Core-SW1]vlan batch 10 20 30 40 50 60 100 101 # batch-create the service and management VLANs
# Configure the VLAN10 interface and VRRP (Virtual Router Redundancy Protocol); priority 120 makes this the master
[Core-SW1]int Vlanif 10
[Core-SW1-Vlanif10]ip address 192.168.10.254 24 # interface IP
[Core-SW1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.252 # virtual gateway IP
[Core-SW1-Vlanif10]vrrp vrid 10 priority 120 # priority 120 (default 100; the higher value becomes master)
[Core-SW1-Vlanif10]vrrp vrid 10 track interface g0/0/1 # track the state of G0/0/1
[Core-SW1-Vlanif10]vrrp vrid 10 track interface g0/0/2 # track the state of G0/0/2
[Core-SW1-Vlanif10]quit
# Configure the VLAN20-VLAN60 interfaces and VRRP with the same logic as VLAN10; Core-SW1 is the master for VLAN10-30
[Core-SW1]int Vlanif 20
[Core-SW1-Vlanif20]ip add 192.168.20.254 24
[Core-SW1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.252
[Core-SW1-Vlanif20]vrrp vrid 20 priority 120
[Core-SW1-Vlanif20]vrrp vrid 20 track interface g0/0/1
[Core-SW1-Vlanif20]vrrp vrid 20 track interface g0/0/2
[Core-SW1-Vlanif20]int Vlanif 30
[Core-SW1-Vlanif30]ip address 192.168.30.254 24
[Core-SW1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.252
[Core-SW1-Vlanif30]vrrp vrid 30 priority 120
[Core-SW1-Vlanif30]vrrp vrid 30 track interface g0/0/1
[Core-SW1-Vlanif30]vrrp vrid 30 track interface g0/0/2
# For VLAN40-VLAN60 Core-SW1 is the backup, so no priority is set (default 100)
[Core-SW1-Vlanif30]int Vlanif 40
[Core-SW1-Vlanif40]ip address 192.168.40.254 24
[Core-SW1-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.252
[Core-SW1-Vlanif40]vrrp vrid 40 track interface g0/0/1
[Core-SW1-Vlanif40]vrrp vrid 40 track interface g0/0/2
[Core-SW1-Vlanif40]int vlan 50
[Core-SW1-Vlanif50]ip address 192.168.50.254 24
[Core-SW1-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.252
[Core-SW1-Vlanif50]vrrp vrid 50 track interface g0/0/1
[Core-SW1-Vlanif50]vrrp vrid 50 track interface g0/0/2
[Core-SW1-Vlanif50]int vlan 60
[Core-SW1-Vlanif60]ip address 192.168.60.254 24
[Core-SW1-Vlanif60]vrrp vrid 60 virtual-ip 192.168.60.252
[Core-SW1-Vlanif60]vrrp vrid 60 track interface g0/0/1
[Core-SW1-Vlanif60]vrrp vrid 60 track interface g0/0/2
# Configure management VLAN100 (link to the AC)
[Core-SW1-Vlanif60]int vlan 100
[Core-SW1-Vlanif100]ip address 192.168.100.254 24
[Core-SW1-Vlanif100]undo shutdown # enable the interface
[Core-SW1-Vlanif100]qu
# Create VLAN5 and VLAN7 (links to routers Core-R1 and Core-R2)
[Core-SW1]vlan batch 5 7
[Core-SW1]int Vlanif 5
[Core-SW1-Vlanif5]ip address 192.168.5.2 24 # link to Core-R1 G2/0/0
[Core-SW1-Vlanif5]int Vlanif 7
[Core-SW1-Vlanif7]ip address 192.168.7.2 24 # link to Core-R2 G2/0/1
[Core-SW1-Vlanif7]qu
# Configure the router-facing interfaces as access ports in the corresponding VLANs
[Core-SW1]int g0/0/1
[Core-SW1-GigabitEthernet0/0/1]port link-type access # access link type
[Core-SW1-GigabitEthernet0/0/1]port default vlan 5 # default VLAN is VLAN5
[Core-SW1-GigabitEthernet0/0/1]int g0/0/2
[Core-SW1-GigabitEthernet0/0/2]port link-type access
[Core-SW1-GigabitEthernet0/0/2]port default vlan 7 # default VLAN is VLAN7
[Core-SW1-GigabitEthernet0/0/2]qu
# Configure link aggregation Eth-Trunk1 to Core-SW2 for more bandwidth and redundancy
[Core-SW1]int Eth-Trunk 1
[Core-SW1-Eth-Trunk1]port link-type trunk # trunk link type, carries multiple VLANs
[Core-SW1-Eth-Trunk1]port trunk allow-pass vlan all # allow all VLANs
[Core-SW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/3 # add member interface G0/0/3
[Core-SW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 # add member interface G0/0/4
# Configure the interfaces facing the access switches as trunks allowing all VLANs
[Core-SW1]int GigabitEthernet 0/0/5
[Core-SW1-GigabitEthernet0/0/5]port link-type trunk
[Core-SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[Core-SW1-GigabitEthernet0/0/5]int GigabitEthernet 0/0/6
[Core-SW1-GigabitEthernet0/0/6]port link-type trunk
[Core-SW1-GigabitEthernet0/0/6]port trunk allow-pass vlan all
[Core-SW1-GigabitEthernet0/0/6]int GigabitEthernet 0/0/7
[Core-SW1-GigabitEthernet0/0/7]port link-type trunk
[Core-SW1-GigabitEthernet0/0/7]port trunk allow-pass vlan all
[Core-SW1-GigabitEthernet0/0/7]int GigabitEthernet 0/0/8
[Core-SW1-GigabitEthernet0/0/8]port link-type trunk
[Core-SW1-GigabitEthernet0/0/8]port trunk allow-pass vlan all
[Core-SW1-GigabitEthernet0/0/8]int GigabitEthernet 0/0/9
[Core-SW1-GigabitEthernet0/0/9]port link-type trunk
[Core-SW1-GigabitEthernet0/0/9]port trunk allow-pass vlan all
[Core-SW1-GigabitEthernet0/0/9]int GigabitEthernet 0/0/10
[Core-SW1-GigabitEthernet0/0/10]port link-type trunk
[Core-SW1-GigabitEthernet0/0/10]port trunk allow-pass vlan all
# Configure the interfaces facing the AC and set the PVID to VLAN101 (CAPWAP tunnel VLAN)
[Core-SW1-GigabitEthernet0/0/10]int GigabitEthernet 0/0/12
[Core-SW1-GigabitEthernet0/0/12]port link-type trunk
[Core-SW1-GigabitEthernet0/0/12]port trunk allow-pass vlan all
[Core-SW1-GigabitEthernet0/0/12]int GigabitEthernet 0/0/13
[Core-SW1-GigabitEthernet0/0/13]port link-type trunk
[Core-SW1-GigabitEthernet0/0/13]port trunk pvid vlan 101 # untagged frames are placed in VLAN101
[Core-SW1-GigabitEthernet0/0/13]port trunk allow-pass vlan all
[Core-SW1-GigabitEthernet0/0/13]qu
# Configure STP (Spanning Tree Protocol) to prevent loops
[Core-SW1]stp enable # enable STP
[Core-SW1]stp region-configuration # enter MST region configuration
[Core-SW1-mst-region]region-name huawei # region name is huawei
[Core-SW1-mst-region]revision-level 5 # revision level 5
[Core-SW1-mst-region]instance 1 vlan 10 20 30 100 # instance 1 contains VLAN10, 20, 30 and 100
[Core-SW1-mst-region]instance 2 vlan 40 50 60 # instance 2 contains VLAN40, 50 and 60
[Core-SW1-mst-region]active region-configuration # activate the MST region configuration
[Core-SW1-mst-region]qu
[Core-SW1]stp instance 1 root primary # root bridge (primary root) for instance 1
[Core-SW1]stp instance 2 root secondary # backup root bridge for instance 2
# Configure OSPF and advertise all directly connected networks
[Core-SW1]ospf 10 # start OSPF process 10
[Core-SW1-ospf-10]area 0 # enter area 0 (backbone area)
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.10.0 0.0.0.255 # advertise the VLAN10 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.20.0 0.0.0.255 # advertise the VLAN20 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.30.0 0.0.0.255 # advertise the VLAN30 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.40.0 0.0.0.255 # advertise the VLAN40 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.50.0 0.0.0.255 # advertise the VLAN50 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.60.0 0.0.0.255 # advertise the VLAN60 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.100.0 0.0.0.255 # advertise the VLAN100 subnet
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.5.0 0.0.0.255 # advertise the VLAN5 subnet (to R1)
[Core-SW1-ospf-10-area-0.0.0.0]network 192.168.7.0 0.0.0.255 # advertise the VLAN7 subnet (to R2)
2. Core switch Core-SW2 configuration
<Huawei>sys
[Huawei]undo info enable
[Huawei]sys Core-SW2 # rename the device to Core-SW2
[Core-SW2]vlan batch 10 20 30 40 50 60 100 101 6 8 # batch-create the VLANs, including VLAN6 and VLAN8 for the router links
# Configure the VLAN10-VLAN30 interfaces and VRRP; Core-SW2 is the backup (default priority 100)
[Core-SW2]int Vlanif 10
[Core-SW2-Vlanif10]ip address 192.168.10.253 24 # redundant IP paired with Core-SW1
[Core-SW2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.252 # same virtual gateway
[Core-SW2-Vlanif10]vrrp vrid 10 track interface g0/0/1 # track interface state
[Core-SW2-Vlanif10]vrrp vrid 10 track interface g0/0/2
[Core-SW2-Vlanif10]int vlan 20
[Core-SW2-Vlanif20]ip address 192.168.20.253 24
[Core-SW2-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.252
[Core-SW2-Vlanif20]vrrp vrid 20 track interface g0/0/1
[Core-SW2-Vlanif20]vrrp vrid 20 track interface g0/0/2
[Core-SW2-Vlanif20]int vlan 30
[Core-SW2-Vlanif30]ip address 192.168.30.253 24
[Core-SW2-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.252
[Core-SW2-Vlanif30]vrrp vrid 30 track interface g0/0/1
[Core-SW2-Vlanif30]vrrp vrid 30 track interface g0/0/2
# Configure the VLAN40-VLAN60 interfaces and VRRP; Core-SW2 is the master (priority 120)
[Core-SW2-Vlanif30]int vlan 40
[Core-SW2-Vlanif40]ip address 192.168.40.253 24
[Core-SW2-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.252
[Core-SW2-Vlanif40]vrrp vrid 40 priority 120 # set to 120 to become the master
[Core-SW2-Vlanif40]vrrp vrid 40 track interface g0/0/1
[Core-SW2-Vlanif40]vrrp vrid 40 track interface g0/0/2
[Core-SW2-Vlanif40]int vlan 50
[Core-SW2-Vlanif50]ip address 192.168.50.253 24
[Core-SW2-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.252
[Core-SW2-Vlanif50]vrrp vrid 50 priority 120
[Core-SW2-Vlanif50]vrrp vrid 50 track interface g0/0/1
[Core-SW2-Vlanif50]vrrp vrid 50 track interface g0/0/2
[Core-SW2-Vlanif50]int vlan 60
[Core-SW2-Vlanif60]ip address 192.168.60.253 24
[Core-SW2-Vlanif60]vrrp vrid 60 virtual-ip 192.168.60.252
[Core-SW2-Vlanif60]vrrp vrid 60 priority 120
[Core-SW2-Vlanif60]vrrp vrid 60 track interface g0/0/1
[Core-SW2-Vlanif60]vrrp vrid 60 track interface g0/0/2
# Configure VLAN6 and VLAN8 (links to routers Core-R1 and Core-R2)
[Core-SW2-Vlanif60]int vlan 6
[Core-SW2-Vlanif6]ip address 192.168.6.2 24 # link to Core-R1 G2/0/1
[Core-SW2-Vlanif6]int vlan 8
[Core-SW2-Vlanif8]ip address 192.168.8.2 24 # link to Core-R2 G2/0/0
[Core-SW2-Vlanif8]qu
# Configure the router-facing interfaces as access ports in the corresponding VLANs
[Core-SW2]int g0/0/1
[Core-SW2-GigabitEthernet0/0/1]port link-type access
[Core-SW2-GigabitEthernet0/0/1]port default vlan 8 # placed in VLAN8 (to R2)
[Core-SW2-GigabitEthernet0/0/1]int g0/0/2
[Core-SW2-GigabitEthernet0/0/2]port link-type access
[Core-SW2-GigabitEthernet0/0/2]port default vlan 6 # placed in VLAN6 (to R1)
[Core-SW2-GigabitEthernet0/0/2]qu
# Configure link aggregation Eth-Trunk1 to Core-SW1
[Core-SW2]int Eth-Trunk 1
[Core-SW2-Eth-Trunk1]port link-type trunk
[Core-SW2-Eth-Trunk1]port trunk allow-pass vlan all
[Core-SW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/3
[Core-SW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/4
[Core-SW2-Eth-Trunk1]QU # abbreviated command, equivalent to quit
# Configure the interfaces facing the access switches as trunks allowing all VLANs
[Core-SW2]int g0/0/5
[Core-SW2-GigabitEthernet0/0/5]port link-type trunk
[Core-SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan all
[Core-SW2-GigabitEthernet0/0/5]int g0/0/6
[Core-SW2-GigabitEthernet0/0/6]port link-type trunk
[Core-SW2-GigabitEthernet0/0/6]port trunk allow-pass vlan all
[Core-SW2-GigabitEthernet0/0/6]int g0/0/7
[Core-SW2-GigabitEthernet0/0/7]port link-type trunk
[Core-SW2-GigabitEthernet0/0/7]port trunk allow-pass vlan all
[Core-SW2-GigabitEthernet0/0/7]int g0/0/8
[Core-SW2-GigabitEthernet0/0/8]port link-type trunk
[Core-SW2-GigabitEthernet0/0/8]port trunk allow-pass vlan all
[Core-SW2-GigabitEthernet0/0/8]int g0/0/9
[Core-SW2-GigabitEthernet0/0/9]port link-type trunk
[Core-SW2-GigabitEthernet0/0/9]port trunk allow-pass vlan all
[Core-SW2-GigabitEthernet0/0/9]int g0/0/10
[Core-SW2-GigabitEthernet0/0/10]port link-type trunk
[Core-SW2-GigabitEthernet0/0/10]port trunk allow-pass vlan all
[Core-SW2-GigabitEthernet0/0/10] qu
# Configure STP consistently with Core-SW1 for load balancing
[Core-SW2]stp enable
[Core-SW2]stp region-configuration
[Core-SW2-mst-region]region-name huawei # same region name, huawei
[Core-SW2-mst-region]revision-level 5 # same revision level
[Core-SW2-mst-region]instance 1 vlan 10 20 30 100 # same instance mapping as Core-SW1
[Core-SW2-mst-region]instance 2 vlan 40 50 60
[Core-SW2-mst-region]active region-configuration
[Core-SW2-mst-region]qu
[Core-SW2]stp instance 1 root primary # primary root for instance 1 (same as Core-SW1; should be adjusted to fit the topology, kept here as in the original commands)
[Core-SW2]stp instance 2 root secondary # backup root for instance 2
# Configure OSPF and advertise the directly connected networks
[Core-SW2]ospf 20 # start OSPF process 20
[Core-SW2-ospf-20]area 0 # enter backbone area 0
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.40.0 0.0.0.255
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.50.0 0.0.0.255
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.60.0 0.0.0.255
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.6.0 0.0.0.255 # advertise the VLAN6 subnet (to R1)
[Core-SW2-ospf-20-area-0.0.0.0]network 192.168.8.0 0.0.0.255 # advertise the VLAN8 subnet (to R2)
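The Core-SW2 comment above notes that its `stp instance 1 root primary` line repeats Core-SW1 and needs adjusting. The following Python check is an added example, not part of the original post: it parses session lines in the format shown above and reports every MST instance whose `root primary` switches differ from the VRRP masters of its VLANs. It assumes the intended design is that the two coincide; `parse`, `check`, `SW2_FIXED` and the trimmed sample sessions are constructed for illustration.

```python
import re

# Constructed excerpt of the two sessions above (VLAN 10 and VLAN 40 only).
SW1 = """
[Core-SW1]int Vlanif 10
[Core-SW1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.252
[Core-SW1-Vlanif10]vrrp vrid 10 priority 120
[Core-SW1-Vlanif10]int Vlanif 40
[Core-SW1-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.252
[Core-SW1-mst-region]instance 1 vlan 10 20 30 100
[Core-SW1-mst-region]instance 2 vlan 40 50 60
[Core-SW1]stp instance 1 root primary
[Core-SW1]stp instance 2 root secondary
"""
SW2 = """
[Core-SW2]int Vlanif 10
[Core-SW2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.252
[Core-SW2-Vlanif10]int vlan 40
[Core-SW2-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.252
[Core-SW2-Vlanif40]vrrp vrid 40 priority 120 # master for VLAN 40
[Core-SW2-mst-region]instance 1 vlan 10 20 30 100
[Core-SW2-mst-region]instance 2 vlan 40 50 60
[Core-SW2]stp instance 1 root primary
[Core-SW2]stp instance 2 root secondary
"""
# Hypothetical corrected Core-SW2: roles swapped so it is root of instance 2.
SW2_FIXED = (SW2.replace("instance 1 root primary", "instance 1 root secondary")
                .replace("instance 2 root secondary", "instance 2 root primary"))

def parse(session):
    """Extract VRRP priorities and MSTP settings from one VRP CLI session."""
    cfg, vlan = {"vrrp": {}, "inst": {}, "root": {}}, None
    for raw in session.strip().splitlines():
        # Drop the "[prompt]" prefix and any trailing "# comment".
        cmd = re.sub(r"^\s*\[[^\]]*\]\s*", "", raw).split("#")[0].strip().lower()
        if m := re.match(r"int(?:erface)?\s+vlan(?:if)?\s*(\d+)", cmd):
            vlan = int(m[1])
        elif re.match(r"vrrp vrid \d+ virtual-ip", cmd):
            cfg["vrrp"].setdefault(vlan, 100)  # 100 is the VRRP default priority
        elif m := re.match(r"vrrp vrid \d+ priority (\d+)", cmd):
            cfg["vrrp"][vlan] = int(m[1])
        elif m := re.match(r"instance (\d+) vlan ([\d ]+)", cmd):
            cfg["inst"][int(m[1])] = {int(v) for v in m[2].split()}
        elif m := re.match(r"stp instance (\d+) root (primary|secondary)", cmd):
            cfg["root"][int(m[1])] = m[2]
    return cfg

def check(devices):
    """Instances where VRRP masters and 'root primary' switches differ (ties not modelled)."""
    findings = []
    instances = next(iter(devices.values()))["inst"]  # same region config assumed
    for inst, vlans in sorted(instances.items()):
        masters = set()
        for v in vlans:
            prio = {n: c["vrrp"][v] for n, c in devices.items() if v in c["vrrp"]}
            if prio:
                masters.add(max(prio, key=prio.get))
        primaries = {n for n, c in devices.items() if c["root"].get(inst) == "primary"}
        if primaries != masters:
            findings.append((inst, sorted(masters), sorted(primaries)))
    return findings

if __name__ == "__main__":
    print(check({"Core-SW1": parse(SW1), "Core-SW2": parse(SW2)}))
```

On the sessions as posted, instance 1 is claimed as primary by both core switches and instance 2 by neither; with `SW2_FIXED` the check returns no findings.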
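3. Access switch LSW9 configuration (LSW3~LSW7 follow the same logic; only the VLAN differs)
<Huawei>sys
[Huawei]undo info-center en # abbreviated command, disables the information center
[Huawei]sysname LSW9 # rename to LSW9
[LSW9]vlan batch 10 20 30 40 50 60 100 101 # batch-create the required VLANs
# Configure STP and join the MST region, consistent with the core switches
[LSW9]stp enable
[LSW9]stp region-configuration
[LSW9-mst-region]region-name huawei # same region name
[LSW9-mst-region]revision-level 5 # same revision level
[LSW9-mst-region]instance 1 vlan 10 20 30 100 # same instance mapping
[LSW9-mst-region]instance 2 vlan 40 50 60
[LSW9-mst-region]instance 2 vlan 40 50 60 # repeated in the original commands, kept as is
[LSW9-mst-region]active region-configuration # activate the configuration
[LSW9-mst-region]qu
# Configure the interfaces facing the core switches as trunks allowing all VLANs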
[LSW9]int e0/0/1
[LSW9-Ethernet0/0/1]port link-type trunk
[LSW9-Ethernet0/0/1]port trunk allow-pass vlan all
[LSW9-Ethernet0/0/1]int e0/0/2
[LSW9-Ethernet0/0/2]port link-type trunk
[LSW9-Ethernet0/0/2]port trunk allow-pass vlan all
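# Configure the endpoint-facing interfaces as access ports in VLAN10
[LSW9-Ethernet0/0/2]int e0/0/3
[LSW9-Ethernet0/0/3]port link-type access
[LSW9-Ethernet0/0/3]port default vlan 10 # endpoint joins VLAN10
[LSW9-Ethernet0/0/3]int e0/0/4
[LSW9-Ethernet0/0/4]port link-type access
[LSW9-Ethernet0/0/4]port default vlan 10 # endpoint joins VLAN10
Additional notes for access switches LSW3~LSW7
- LSW3: access interfaces are placed in VLAN20 for the corresponding service endpoints
- LSW4: access interfaces are placed in VLAN30 for the corresponding service endpoints
- LSW5: access interfaces are placed in VLAN40 for the corresponding service endpoints
- LSW6: access interfaces are placed in VLAN50 for the corresponding service endpoints
- LSW7: access interfaces are placed in VLAN60 for the corresponding service endpoints
- The STP and trunk interface configuration of all access switches is identical to LSW9; only the access interface VLAN differs.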
4. AC (AC1) configuration (wireless control)
<AC6605>system-view # enter system view
[AC6605]sysname AC1 # rename to AC1
[AC1]vlan batch 100 101 # create VLAN100 (service VLAN) and VLAN101 (CAPWAP tunnel VLAN)
# Configure the VLAN100 interface (link to the core switch, forwards service data)
[AC1]int Vlanif 100
[AC1-Vlanif100]ip address 192.168.100.1 24 # link to Core-SW1 VLAN100
[AC1-Vlanif100]qu
# Enable DHCP to assign IP addresses to wireless clients
[AC1]dhcp enable
[AC1]int Vlanif 100
[AC1-Vlanif100]dhcp select global # assign addresses from the global address pool
[AC1-Vlanif100]qu
# Configure the VLAN101 interface (CAPWAP tunnel, AP management)
[AC1]int Vlanif 101
[AC1-Vlanif101]ip address 192.168.101.1 24
[AC1-Vlanif101]dhcp select interface # the interface address pool assigns IPs to the APs
[AC1-Vlanif101]qu
# Configure the global DHCP address pool (VLAN100 clients)
[AC1]ip pool vlan100
[AC1-ip-pool-vlan100]gateway-list 192.168.100.254 # gateway points to the Core-SW1 VLAN100 interface
[AC1-ip-pool-vlan100]network 192.168.100.0 # address pool network
[AC1-ip-pool-vlan100]dns-list 192.168.200.4 # DNS server address
[AC1-ip-pool-vlan100]excluded-ip-address 192.168.100.1 # exclude the AC's own IP from allocation
[AC1-ip-pool-vlan100]qu
# Configure WLAN parameters and manage the APs
[AC1]wlan
[AC1-wlan-view]ap-group name ap-huawei # create AP group ap-huawei
[AC1-wlan-ap-group-ap-huawei]qu
# Configure the regulatory-domain-profile (regional channel settings)
[AC1-wlan-view]regulatory-domain-profile name huawei-domain
[AC1-wlan-regulate-domain-huawei-domain]country-code CN # country code: China
[AC1-wlan-regulate-domain-huawei-domain]QU # abbreviated command, equivalent to quit
# Bind the regulatory domain profile to the AP group
[AC1-wlan-view]ap-group name ap-huawei
[AC1-wlan-ap-group-ap-huawei]regulatory-domain-profile huawei-domain
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y # confirm the change; the AP is reset
[AC1-wlan-ap-group-ap-huawei]qu
# Configure the CAPWAP tunnel source interface (VLAN101)
[AC1-wlan-view]qu
[AC1]capwap source interface Vlanif 101 # specify the source interface of the CAPWAP tunnel
# Set the AP authentication mode to MAC authentication and add the AP
[AC1]wlan
[AC1-wlan-view]ap auth-mode mac-auth # APs are authenticated by MAC address
[AC1-wlan-view]ap-id 0 ap-mac 00E0-FC5E-3540 # add the AP with ID 0 and MAC 00E0-FC5E-3540
[AC1-wlan-ap-0]ap-name area-1 # name the AP area-1
[AC1-wlan-ap-0]ap-group ap-huawei # add the AP to group ap-huawei
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue? [Y/N]:y # confirm; takes effect after the AP restarts
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC1-wlan-ap-0]qu
# Configure the interface facing the core switch as a trunk allowing all VLANs
[AC1-wlan-view]qu
[AC1]int g0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[AC1-GigabitEthernet0/0/1]q
# Configure WLAN security, SSID and VAP parameters
[AC1]wlan
[AC1-wlan-view]security-profile name sec # create security profile sec
[AC1-wlan-sec-prof-sec]security wpa2 psk pass-phrase huawei@123 aes # WPA2 encryption, passphrase huawei@123
[AC1-wlan-sec-prof-sec]qu
[AC1-wlan-view]ssid-profile name ssid-1 # create SSID profile ssid-1
[AC1-wlan-ssid-prof-ssid-1]ssid huawei # SSID name is huawei
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-ssid-prof-ssid-1]qu
[AC1-wlan-view]vap-profile name vap-1 # create VAP profile vap-1
[AC1-wlan-vap-prof-vap-1]forward-mode tunnel # tunnel forwarding mode (centralized forwarding through the AC)
[AC1-wlan-vap-prof-vap-1]service-vlan vlan-id 100 # service VLAN is 100
[AC1-wlan-vap-prof-vap-1]security-profile sec # bind the security profile
[AC1-wlan-vap-prof-vap-1]ssid-profile ssid-1 # bind the SSID profile
# Bind the VAP profile to the AP group and enable it on radio 0
[AC1-wlan-view]ap-group name ap-huawei
[AC1-wlan-ap-group-ap-huawei]vap-profile vap-1 wlan 1 radio 0 # enable this VAP on radio 0
5. Core router Core-R1 configuration
<Huawei>sys
[Huawei]undo info-center enable # disable the information center
[Huawei]sysname Core-R1 # rename to Core-R1
# Configure the interface IPs facing the core switches and the firewall
[Core-R1]int g2/0/0
[Core-R1-GigabitEthernet2/0/0]ip address 192.168.5.1 24 # link to Core-SW1 VLAN5
[Core-R1-GigabitEthernet2/0/0]int g2/0/1
[Core-R1-GigabitEthernet2/0/1]ip address 192.168.6.1 24 # link to Core-SW2 VLAN6
[Core-R1-GigabitEthernet2/0/1]int g0/0/1
[Core-R1-GigabitEthernet0/0/1]ip address 192.168.4.1 24 # link to Core-R2
[Core-R1-GigabitEthernet0/0/1]int g0/0/0
[Core-R1-GigabitEthernet0/0/0]ip address 192.168.2.2 24 # link to FW1 G1/0/0
# Configure OSPF and advertise the directly connected networks
[Core-R1]ospf 30 # start OSPF process 30
[Core-R1-ospf-30]area 0 # enter backbone area 0
[Core-R1-ospf-30-area-0.0.0.0]network 192.168.5.0 0.0.0.255 # advertise the 192.168.5.0 subnet
[Core-R1-ospf-30-area-0.0.0.0]network 192.168.6.0 0.0.0.25 # the wildcard mask in the original command is incomplete (0.0.0.255 intended); kept as is
[Core-R1-ospf-30-area-0.0.0.0]network 192.168.4.0 0.0.0.255 # advertise the 192.168.4.0 subnet
[Core-R1-ospf-30-area-0.0.0.0]network 192.168.2.0 0.0.0.255 # advertise the 192.168.2.0 subnet
6. Core router Core-R2 configuration
<Huawei>sys
[Huawei]undo info-center enable # disable the information center
[Huawei]sysname Core-R2 # rename to Core-R2
# Configure the interface IPs facing the core switches and the firewall
[Core-R2]int g2/0/0
[Core-R2-GigabitEthernet2/0/0]ip address 192.168.8.1 24 # link to Core-SW2 VLAN8
[Core-R2-GigabitEthernet2/0/0]int g2/0/1
[Core-R2-GigabitEthernet2/0/1]ip address 192.168.7.1 24 # link to Core-SW1 VLAN7
[Core-R2-GigabitEthernet2/0/1]int g0/0/0
[Core-R2-GigabitEthernet0/0/0]ip address 192.168.4.2 24 # link to Core-R1
[Core-R2-GigabitEthernet0/0/0]int g0/0/1
[Core-R2-GigabitEthernet0/0/1]ip address 192.168.3.2 24 # link to FW1 G1/0/1
# Configure OSPF and advertise the directly connected networks
[Core-R2]ospf 40 # start OSPF process 40
[Core-R2-ospf-40]area 0 # enter backbone area 0
[Core-R2-ospf-40-area-0.0.0.0]network 192.168.3.0 0.0.0.255 # advertise the 192.168.3.0 subnet
[Core-R2-ospf-40-area-0.0.0.0]network 192.168.4.0 0.0.0.255 # advertise the 192.168.4.0 subnet
[Core-R2-ospf-40-area-0.0.0.0]network 192.168.7.0 0.0.0.255 # advertise the 192.168.7.0 subnet
[Core-R2-ospf-40-area-0.0.0.0]network 192.168.8.0 0.0.0.255 # advertise the 192.168.8.0 subnet
7. Firewall FW1 configuration
# Change the password before first login: username admin, original password Admin@123, new password Admin@1234
<USG6000V1>sys
[USG6000V1]undo info-center enable # disable the information center
[USG6000V1]sysname FW1 # rename to FW1
# Configure the IP address of each interface
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip address 192.168.2.1 24 # link to Core-R1 G0/0/0
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip address 192.168.3.1 24 # link to Core-R2 G0/0/1
[FW1-GigabitEthernet1/0/1]int g1/0/3
[FW1-GigabitEthernet1/0/3]ip address 192.168.200.1 24 # DMZ interface
[FW1-GigabitEthernet1/0/3]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip address 200.10.10.1 30 # link to ISP-R (public-facing port)
[FW1-GigabitEthernet1/0/2]qu
# Configure the firewall zones and assign interfaces
[FW1]firewall zone trust # enter the trust zone (internal network)
[FW1-zone-trust]add interface g1/0/0 # add G1/0/0 (to R1)
[FW1-zone-trust]add interface g1/0/1 # add G1/0/1 (to R2)
[FW1-zone-trust]qu
[FW1]firewall zone untrust # enter the untrust zone (public network)
[FW1-zone-untrust]add interface g1/0/2 # add G1/0/2 (to the ISP)
[FW1-zone-untrust]qu
[FW1]firewall zone dmz # enter the DMZ zone (server area)
[FW1-zone-dmz]add interface g1/0/3 # add G1/0/3 (DMZ)
[FW1-zone-dmz]qu
# Configure a security policy allowing the internal network to reach the public network
[FW1]security-policy
[FW1-policy-security]rule name tr-untr # rule name tr-untr
[FW1-policy-security-rule-tr-untr]source-zone trust # source zone is trust (internal network)
[FW1-policy-security-rule-tr-untr]destination-zone untrust # destination zone is untrust (public network)
[FW1-policy-security-rule-tr-untr]action permit # permit access
[FW1-policy-security-rule-tr-untr]qu
# Configure a security policy allowing the internal network to reach the DMZ
[FW1-policy-security]rule name tr-dmz
[FW1-policy-security-rule-tr-dmz]source-zone trust
[FW1-policy-security-rule-tr-dmz]destination-zone dmz
[FW1-policy-security-rule-tr-dmz]action permit
[FW1-policy-security-rule-tr-dmz]qu
# Configure NAT to translate internal addresses to the public address
[FW1]nat-policy
[FW1-policy-nat]rule name trust-untrust # NAT rule name
[FW1-policy-nat-rule-trust-untrust]source-zone trust # source zone is trust
[FW1-policy-nat-rule-trust-untrust]destination-zone untrust # destination zone is untrust
[FW1-policy-nat-rule-trust-untrust]action source-nat easy-ip # translate using Easy IP
[FW1-policy-nat-rule-trust-untrust]qu
[FW1-policy-nat]qu
# Configure a static route toward the public network (ISP)
[FW1]ip route-static 0.0.0.0 0.0.0.0 200.10.10.2 # default route points to the ISP-R interface IP
[FW1]qu
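Which flows the zone and security-policy configuration above actually allows, as an added example that is not part of the original post: the Python code below parses the FW1 session format and evaluates inter-zone flows against the rules, falling back to the USG default action of deny. `parse_fw`, `verdict` and `zone_only_permits` are hypothetical helper names, and the sample is a constructed excerpt of the session above with comments removed.

```python
import re

# Constructed excerpt of the FW1 session above (zones and security policy only).
FW1 = """
[FW1]firewall zone trust
[FW1-zone-trust]add interface g1/0/0
[FW1-zone-trust]add interface g1/0/1
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/2
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface g1/0/3
[FW1-policy-security]rule name tr-untr
[FW1-policy-security-rule-tr-untr]source-zone trust
[FW1-policy-security-rule-tr-untr]destination-zone untrust
[FW1-policy-security-rule-tr-untr]action permit
[FW1-policy-security]rule name tr-dmz
[FW1-policy-security-rule-tr-dmz]source-zone trust
[FW1-policy-security-rule-tr-dmz]destination-zone dmz
[FW1-policy-security-rule-tr-dmz]action permit
"""

def parse_fw(session):
    """Return ({interface: zone}, [rule dicts in configured order])."""
    zones, rules, zone = {}, [], None
    for raw in session.strip().splitlines():
        cmd = re.sub(r"^\s*\[[^\]]*\]\s*", "", raw).split("#")[0].split()
        if cmd[:2] == ["firewall", "zone"]:
            zone = cmd[2]
        elif cmd[:2] == ["add", "interface"]:
            zones[cmd[2].lower()] = zone
        elif cmd[:2] == ["rule", "name"]:
            rules.append({"name": cmd[2], "extra": []})
        elif rules and cmd and cmd[0] in ("source-zone", "destination-zone", "action"):
            rules[-1][cmd[0]] = cmd[1]
        elif rules and cmd and cmd[0] not in ("q", "qu", "quit"):
            rules[-1]["extra"].append(cmd[0])  # any further match condition
    return zones, rules

def verdict(zones, rules, in_if, out_if):
    """First rule whose zones match wins; unmatched inter-zone traffic gets the
    default deny. Conditions recorded in 'extra' are not evaluated here."""
    src, dst = zones[in_if], zones[out_if]
    if src == dst:
        raise ValueError("intra-zone flow: not covered by this check")
    for r in rules:
        if r.get("source-zone", src) == src and r.get("destination-zone", dst) == dst:
            return r.get("action", "deny"), r["name"]
    return "deny", "default"

def zone_only_permits(rules):
    """Permit rules that match on zones alone (no address or service condition)."""
    return [r["name"] for r in rules if r.get("action") == "permit" and not r["extra"]]

if __name__ == "__main__":
    zones, rules = parse_fw(FW1)
    print(verdict(zones, rules, "g1/0/2", "g1/0/3"))  # ISP side toward the DMZ
    print(zone_only_permits(rules))
```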
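8. ISP router (ISP-R) configuration
<Huawei>sys
[Huawei]undo info-center enable # disable the information center
[Huawei]sysname ISP-R # rename to ISP-R
# Configure the interface IP facing the firewall
[ISP-R]int g0/0/0
[ISP-R-GigabitEthernet0/0/0]ip address 200.10.10.2 30 # link to FW1 G1/0/2
[ISP-R-GigabitEthernet0/0/0]undo shutdown # enable the interface
[ISP-R-GigabitEthernet0/0/0]qu
# Configure a static route toward the internal network (via the firewall) so the public and internal networks can reach each other
[ISP-R]ip route-static 192.168.0.0 255.255.0.0 200.10.10.1 # route for the internal subnets points to FW1's public-facing port
[ISP-R]qu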
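III. Verification Checklist (ENSP)
After the configuration is complete, verify connectivity and functionality with the following steps to make sure the lab works:
- Device interconnection: on each device, use the ping command to test the interface IPs of directly connected devices, for example Core-SW1 ping Core-R1 (192.168.5.1) and FW1 ping ISP-R (200.10.10.2), to confirm the direct links are up.
- Route reachability: from an internal endpoint (for example a VLAN10 endpoint), ping a public address (for example 200.10.10.2) to test that OSPF routing and NAT are working and that the internal network can reach the public network.
- Wireless: start the AP in ENSP, have a client search for the SSID "huawei" and connect with the password "huawei@123", then ping the core switch VLAN100 interface (192.168.100.254) to verify wireless access and data forwarding.
- Redundancy: disconnect the link between Core-SW1 and Core-R1 (G0/0/1) and check the VRRP state switchover to confirm that the backup device takes over and the network is not interrupted.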
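IV. Lab Summary
This lab uses the ENSP simulator to build a complete enterprise network architecture covering core switching, access switching, wireless control, routing and security. It follows the original configuration commands exactly, and the added comments state the purpose of each configuration step.
The network core uses link aggregation between the two switches and VRRP redundancy to improve reliability. The routing layer uses OSPF for network-wide reachability, and the firewall combines security policies with NAT to protect the internal network and provide public network access. The AC and AP together provide wireless coverage for the varied access needs of an enterprise.
During the lab, pay attention to the consistency of interface types (access/trunk), VLAN assignment, route advertisement and firewall zone configuration, so that configuration conflicts do not break connectivity. For further refinement, features such as ACL access control and QoS rate limiting can be added to extend the scenarios the network covers.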