I. The local server room
When I joined the company last year it had only twenty people; it has since grown to 100. The office at the time was quite small, holding at most 40 people, and in July the company planned to move to a new office. Given the environment back then (unmanaged switches and routers, with network and phone cables tangled together like a spider web), dropped connections were a regular occurrence. Once we passed 40 people, checking the router showed its load at 100%: we could still get online, but packet loss was severe. Under these circumstances, building a stable local office server room became a necessity.
II. Equipment selection

| No. | Model | Description | Qty |
|---|---|---|---|
| Router | | | |
| 1 | MSR2600-10-WiNet | H3C MSR 2600-10-WiNet router | 1 |
| Internet access control | | | |
| 1 | NS-ACG1010+LIS-1 | H3C SecPath ACG1010 application control gateway (12 GE copper ports), including one year of signature database updates | 1 |
| Core switch | | | |
| 1 | LS-5500-24P-WiNet | H3C S5500-24P-WiNet Ethernet switch (24 GE + 4 SFP combo) | 1 |
| Access PoE switch | | | |
| 1 | LS-5120-28P-POE-WiNet | H3C S5120-28P-POE-WiNet L2 Ethernet switch, 24 x 10/100/1000BASE-T, 4 x SFP, AC 110/220 V, PoE | 1 |
| Wireless AC (controller) | | | |
| 1 | EWP-WAC360 | Manages 16 APs by default, not expandable; max 512 users; 1 x WAN + 4 x LAN + 2 x USB | 1 |
| Wireless AP | | | |
| 1 | EWP-WAP722-FIT | Internal antennas only (no external antenna), 2.4/5 GHz dual-band 866 Mbps, own power supply, fat/fit convertible, ceiling-mount panel type | 9 |
| Network cabinet | | | |
| 1 | WD8632-A | W x D x H 800 x 600 x 1600, standard 4 fans, 2 shelves, 1 PDU, black | 1 |
| 48-port Fast Ethernet access switch | | | |
| 1 | LS-S3110-52TP-SI | H3C S3110-52TP-SI Ethernet switch (48 FE + 2 GE + 2 SFP, AC powered) | 4 |
| 48-port unshielded patch panel | | | |
| 1 | 935548 | 索爾 Cat5e unshielded 48-port patch panel (fully loaded) | 8 |
| PBX | | | |
| 1 | WS824-9H | 8 trunk lines, 64 extensions, not expandable | 1 |
| Server room cabling | | | |
| 1 | Server room cabling | Punch-down, cable dressing and related work, 150 information points | |
III. Topology
IV. Configuration steps
1. Router S2600-10
1.1 Configure Telnet login with AAA authentication
```
<H3C-S2600> system-view
```
Enable the Telnet server on the router:
```
telnet server enable
```
Configure Telnet users to log in with AAA (scheme) authentication:
```
user-interface vty 0 4
 authentication-mode scheme
```
Set the Telnet user and password:
```
local-user admin
 password cipher <password>
 authorization-attribute level 3
 service-type telnet terminal
 service-type web
```
1.2 Dialer 1 settings
```
interface Dialer1
 nat outbound 3001
 link-protocol ppp
 ppp chap user <dial-up account>
 ppp chap password cipher <password>
 ppp pap local-user <dial-up account> password cipher <password>
 ip address ppp-negotiate
 tcp mss 1024
 dialer user <account>
 dialer-group 1
 dialer bundle 1
```
1.3 Dialer 2 settings
```
interface Dialer2
 nat outbound 3002
 link-protocol ppp
 ppp chap user <account>
 ppp chap password cipher <password>
 ppp pap local-user <account> password cipher <password>
 ip address ppp-negotiate
 tcp mss 1024
 dialer user <account>
 dialer-group 2
 dialer bundle 2
```
1.4 Configure the ACLs
```
acl number 3001
 rule 0 permit ip
acl number 3002
 rule 0 permit ip source 10.1.9.0 0.0.0.255
```
1.5 Create policy node 5, which sends traffic matching ACL 3002 out of G0/2
```
policy-based-route server permit node 5
 if-match acl 3002
 apply output-interface GigabitEthernet0/2
policy-based-route server permit node 10
```
1.6 Set the working mode to Layer 3 (route), so the port is used as a Layer 3 Ethernet interface
Interface G0/0:
```
interface GigabitEthernet0/0
 port link-mode route
 pppoe-client dial-bundle-number 1
```
Interface G0/2:
```
interface GigabitEthernet0/2
 port link-mode route
 pppoe-client dial-bundle-number 2
```
1.7 Configure the management IP address
```
interface GigabitEthernet0/1
 port link-mode route
 ip address 10.1.7.1 255.255.255.0
 tcp mss 1024
 ip policy-based-route server
```
1.8 Set static routes
```
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static 10.1.0.0 255.255.0.0 10.1.7.3
```
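As an added example (not part of the original post and not H3C code), the following Python models the decision the router makes for a packet arriving on G0/1 using the ACL, policy-based-route and static-route lines from steps 1.4, 1.5, 1.7 and 1.8. It assumes the implicit deny at the end of an ACL and that a policy node without an apply clause falls through to the routing table.

```python
import ipaddress
# Added example, not the page's own code: a small model of the MSR2600 forwarding decision
# for a packet entering GigabitEthernet0/1, where "ip policy-based-route server" is applied.

def acl_source_match(src: str, network: str, wildcard: str) -> bool:
    """H3C ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    s, n, w = (int(ipaddress.IPv4Address(x)) for x in (src, network, wildcard))
    return (s ^ n) & ~w == 0

# acl 3001: rule 0 permit ip (any source); acl 3002: rule 0 permit ip source 10.1.9.0 0.0.0.255
ACLS = {
    3001: [("permit", None)],
    3002: [("permit", ("10.1.9.0", "0.0.0.255"))],
}

# policy-based-route server: node 5 matches acl 3002 and applies output-interface G0/2;
# node 10 is a bare permit with no apply clause, so its traffic uses the routing table.
PBR_SERVER = [
    (5, 3002, "GigabitEthernet0/2"),
    (10, None, None),
]

# ip route-static 0.0.0.0 0.0.0.0 Dialer1 / ip route-static 10.1.0.0 255.255.0.0 10.1.7.3
STATIC_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "Dialer1"),
    (ipaddress.ip_network("10.1.0.0/16"), "10.1.7.3"),
]

def acl_permits(acl_number: int, src: str) -> bool:
    for action, source in ACLS[acl_number]:
        if source is None or acl_source_match(src, *source):
            return action == "permit"
    return False  # no rule matched: implicit deny

def route_lookup(dst: str) -> str:
    """Longest-prefix match over the static routes; the default route always matches."""
    d = ipaddress.ip_address(dst)
    candidates = [r for r in STATIC_ROUTES if d in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]

def egress_for(src: str, dst: str) -> str:
    """Egress interface or next hop for a packet entering G0/1: PBR first, then static routes."""
    for _node, acl_number, out_iface in PBR_SERVER:
        if acl_number is None or acl_permits(acl_number, src):
            if out_iface is not None:
                return out_iface
            break  # matched a node without an apply clause: normal routing
    return route_lookup(dst)
```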
1.9 Enable DHCP
```
dhcp enable
```
1.10 Set the dial-trigger conditions
```
dialer-rule 1 ip permit
dialer-rule 2 ip permit
```
These commands define the conditions that trigger dialing; here they state that any IP packet may trigger a dial-up. The dialer-group command used earlier in interface configuration mode refers back to these rules and specifies which trigger condition each dialer interface uses.
1.11 View interface details
2. Internet access control NS-ACG1010
No strict restrictions were configured on it; it is only used to view current bandwidth usage. The configuration file is shown here for reference:
```
!config
authorized-table admin
 authorized read all
 authorized write all
!
user administrator admin local secret Hg6MAD7MGTUEcoT9gHG+LhDc6E07QwG71SmiEodL/fQT/YirzsAURqDjk69469y authorized-table admin
user administrator admin authorized-address first 0.0.0.0/0
!
timezone 57
!
pki ca crl update-period 30
!
interface bvi2
 ip address 10.1.7.2/24
 allow access https
 allow access http
 allow access ping
 allow access telnet
!
interface ge0
 ip address 192.168.1.1/24
 allow access https
 allow access http
 allow access ping
!
interface ge1
!
interface ge2
 bridge-group 2
!
interface ge3
 bridge-group 2
!
interface ge4
!
interface ge5
!
interface ge6
!
interface ge7
!
interface ge8
!
interface ge9
!
interface ge10
!
interface ge11
!
!address
!
!address6
!
!address-group
!
!service
!
!service-group
!
!schedule-day
!
!schedule-week
!
!schedule-month
!
!schedule-once
!
!user
!
!user-group
!
!user-policy
!
policy default-action permit
policy white-list enable
!
snmp community secret 6NSjZ2FJfHqUtCqRXdechDETsW7nP4FFcq1ujxx1HotuCZoZGsn14R7gwFVplw1 write-community secret QuVJ8MPv5S7noa5Lp+C7xY4UnIZD5gm5LCCvi9RLtC2fYqVZdaKQ0rdwLAIf36P
!
dhcp
!
ip route 0.0.0.0/0 10.1.7.1
!
!user-param
!
user-param recognition threshold 60000
!user-webauth
!
!ip session limit
!
qos-profile line 01
 limit ingress maxbandwidth ingress 1000
 match interface ge0
!
qos-profile channel def_01
 parent 01
!
policy6 default-action permit
!
ha-config
!end
```
3. Core switch LS-5500-24
3.1 All configuration was done in the web UI: create vlan1, vlan2, vlan5, vlan6, vlan7, vlan9 and vlan100
3.2 Configure routing and enable DHCP
3.3 Set the interfaces to trunk mode
3.4 Settings for interface 20
Related definitions
1. Trunk port: a trunk port can carry packets of multiple VLANs at the same time; it is generally used for links between switches.
2. Hybrid port: a hybrid port can also carry packets of multiple VLANs at the same time; it is generally used for links between switches or between a switch and a server.
3. Access port: an access port belongs to exactly one VLAN; it is generally used for ports that connect to computers.
4. Tag and untag: a tag is the VLAN label, i.e. the VLAN ID, which indicates which VLAN a packet belongs to; untagged means the packet carries no VLAN tag and belongs to no VLAN.
5. PVID, the port VLAN ID: the VLAN ID assigned to untagged frames on a port. When an untagged packet enters the switch, the switch checks the VLAN settings and decides whether to forward it. If an IP packet arrives on a switch port without a tag header and the port has a PVID configured, the packet is given the corresponding tag. If the arriving packet already carries a tag (VLAN data), the switch generally does not add another tag, even if a PVID is configured on the port.
4. Access layer switches
4.1 S3110-01
4.1.2 Initial configuration
```
sysname H3C-S3110-01
#
domain default enable system
#
ipv6
#
telnet server enable
#
password-recovery enable
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
 group-attribute allow-guest
#
local-user admin
 password cipher <password>
 authorization-attribute level 3
 service-type telnet terminal
 service-type web
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
user-interface vty 5 15
```
4.1.3 Create VLANs
```
vlan 1
#
vlan 2
#
vlan 5 to 7
#
vlan 100
#
```
4.1.4 Configure the management address
```
interface Vlan-interface1
 ip address 10.1.1.4 255.255.255.0
```
4.1.5 Add the access ports to VLAN 2 (the same stanza is repeated for every port from Ethernet1/0/1 through Ethernet1/0/48)
```
interface Ethernet1/0/1
 port access vlan 2
#
interface Ethernet1/0/2
 port access vlan 2
#
# ... identical stanzas for Ethernet1/0/3 through Ethernet1/0/47 ...
#
interface Ethernet1/0/48
 port access vlan 2
```
4.1.6 Each switch has 4 cascade (uplink) ports, and on every switch interface 52 is configured in trunk mode
```
interface GigabitEthernet1/0/52
 port link-type trunk
 port trunk permit vlan all
```
4.1.7 Configure the static route
```
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
```
4.2 The other three switches are configured in the same way, except that S3110-04 additionally uses VLAN 9:
```
#
interface Ethernet1/0/6
 port access vlan 9
#
interface Ethernet1/0/8
 port access vlan 9
#
interface Ethernet1/0/10
 port access vlan 9
#
interface Ethernet1/0/12
 port access vlan 9
#
interface Ethernet1/0/14
 port access vlan 9
#
interface Ethernet1/0/16
 port access vlan 9
#
interface Ethernet1/0/18
 port access vlan 9
#
interface Ethernet1/0/20
 port access vlan 9
#
interface Ethernet1/0/22
 port access vlan 9
#
interface Ethernet1/0/24
 port access vlan 9
#
interface Ethernet1/0/26
 port access vlan 9
#
interface Ethernet1/0/28
 port access vlan 9
#
interface Ethernet1/0/30
 port access vlan 9
#
interface Ethernet1/0/32
 port access vlan 9
```
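The following Python is an added example (not from the post) that models the tag handling described in the definitions under 3.4 for the S3110-04 port layout above: access ports in VLAN 2, the even ports 6 to 32 in VLAN 9, and GigabitEthernet1/0/52 as a trunk permitting all VLANs. The trunk PVID of 1 and the access-port behaviour of dropping tagged frames whose VID differs from the PVID are assumptions based on Comware defaults.

```python
# Added example, not the page's own code: simplified 802.1Q ingress/egress handling for the
# S3110-04 port roles. Port table built from the config: every Ethernet1/0/x is an access port
# in VLAN 2 except the even ports 6..32 (VLAN 9); GigabitEthernet1/0/52 is a trunk permitting
# all VLANs. Trunk PVID 1 is an assumed default, not stated on the page.

ACCESS_PVID = {f"Ethernet1/0/{p}": 2 for p in range(1, 49)}
ACCESS_PVID.update({f"Ethernet1/0/{p}": 9 for p in range(6, 33, 2)})
TRUNK = {"GigabitEthernet1/0/52": {"pvid": 1, "permit": "all"}}

def trunk_permits(port: str, vid: int) -> bool:
    permit = TRUNK[port]["permit"]
    return permit == "all" or vid in permit

def ingress(port: str, vid):
    """Classify an incoming frame (vid=None means untagged). Returns (vlan, accepted)."""
    if port in ACCESS_PVID:
        pvid = ACCESS_PVID[port]
        if vid is None:
            return pvid, True            # untagged frame is assigned the port PVID
        return vid, vid == pvid          # tagged frame keeps its tag; access port drops other VIDs
    if vid is None:
        return TRUNK[port]["pvid"], True # untagged frame on a trunk also gets the PVID
    return vid, trunk_permits(port, vid)

def egress(port: str, vlan: int):
    """Returns (vid_on_wire, sent): access ports send untagged and only their own VLAN;
    trunks send the PVID untagged and every other permitted VLAN tagged."""
    if port in ACCESS_PVID:
        return None, ACCESS_PVID[port] == vlan
    if not trunk_permits(port, vlan):
        return None, False
    return (None if vlan == TRUNK[port]["pvid"] else vlan), True

def forward(in_port: str, vid, out_port: str):
    """Frame as seen on out_port, or None if dropped at ingress or not sent on egress."""
    vlan, accepted = ingress(in_port, vid)
    if not accepted:
        return None
    wire_vid, sent = egress(out_port, vlan)
    return {"vid": wire_vid} if sent else None
```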
5. Access PoE switch LS-5120
5.1 Configure G1/0/24 in trunk mode, together with the IP address of virtual sub-interface 1 and the routing table
5.2 PoE settings
6. Wireless controller EWP-WAC360
6.1 Create VLANs
```
#
vlan 2
#
vlan 4 to 7
#
vlan 100
#
```
6.2 Set the login user and password
```
local-user admin
 password cipher <password>
 authorization-attribute level 3
 service-type telnet terminal
 service-type web
```
6.3 Radio rate settings
```
wlan rrm
 dot11a mandatory-rate 6 12 24
 dot11a supported-rate 9 18 36 48 54
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
```
6.4 Wireless access services
6.4.1 One for the company's own staff
```
wlan service-template 2 crypto
 ssid Company
 bind WLAN-ESS 2
 cipher-suite ccmp
 security-ie rsn
 service-template enable
```
6.4.2 The other for visitor access
```
#
wlan service-template 3 crypto
 ssid CompanyVistor
 bind WLAN-ESS 3
 cipher-suite ccmp
 security-ie rsn
 service-template enable
```
6.5 Interface management
6.5.1 Configure its management IP address
```
interface Vlan-interface100
 ip address 10.1.100.254 255.255.255.0
```
6.5.2 Switch interface G1/0/1 to Layer 2 mode so it is used as a Layer 2 Ethernet port, and at the same time:
```
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
```
6.6 Create the pre-shared keys
6.6.1 Place clients of this SSID in VLAN 6
```
interface WLAN-ESS2
 port access vlan 6
 port-security port-mode psk
 port-security tx-key-type 11key
 port-security preshared-key pass-phrase cipher
```
6.6.2 Place clients of this SSID in VLAN 5
```
interface WLAN-ESS3
 port access vlan 5
 port-security port-mode psk
 port-security tx-key-type 11key
 port-security preshared-key pass-phrase cipher
```
6.7 AP settings (the AP serial numbers are used here)
6.7.1 Create the AP names
```
wlan ap-group default_group
 ap ap1
 ap ap2
 ap ap3
 ap ap4
 ap ap5
 ap ap6
 ap ap7
 ap ap8
 ap ap9
 dot11a service-template 1
 dot11bg service-template 1
 dot11a radio enable
 dot11bg radio enable
```
6.7.2 Add the APs
6.7.2.1
```
wlan ap ap2 model WAP722 id 2
 serial-id 219801A0Q19154G00032
 radio 1
  service-template 2
  service-template 3
  radio enable
 radio 2
  service-template 2
  service-template 3
  radio enable
```
6.7.2.2
```
wlan ap ap3 model WAP722 id 3
 serial-id 219801A0Q19154G00025
 radio 1
  service-template 2
  service-template 3
  radio enable
 radio 2
  service-template 2
  service-template 3
  radio enable
```
6.7.2.3
```
wlan ap ap4 model WAP722 id 4
 serial-id 219801A0Q19154G00052
 radio 1
  service-template 2
  service-template 3
  radio enable
 radio 2
  service-template 2
  service-template 3
  radio enable
```
6.7.2.4
```
wlan ap ap5 model WAP722 id 5
 serial-id 219801A0Q19154G00338
 radio 1
  service-template 2
  service-template 3
  radio enable
 radio 2
  service-template 2
  service-template 3
  radio enable
```
6.7.2.5
```
wlan ap ap6 model WAP722 id 6
 serial-id 219801A0Q19154G00110
 radio 1
  service-template 2
  service-template 3
  radio enable
 radio 2
  service-template 2
  service-template 3
  radio enable
```
6.7.2.6
```
wlan ap ap7 model WAP722 id 7
 serial-id 219801A0Q19154G00195
 radio 1
  service-template 2
  service-template 3
  radio enable
 radio 2
  service-template 2
  service-template 3
  radio enable
```
6.7.2.7
```
wlan ap ap8 model WAP722 id 8
 serial-id 219801A0Q19154G00080
 radio 1
  service-template 2
  service-template 3
  radio enable
 radio 2
  service-template 2
  service-template 3
  radio enable
```
6.7.2.8
```
wlan ap ap9 model WAP722 id 9
 serial-id 219801A0Q19154G00038
 radio 1
  service-template 2
  service-template 3
  radio enable
 radio 2
  service-template 2
  service-template 3
  radio enable
```
6.8 Configure the static route
```
ip route-static 0.0.0.0 0.0.0.0 10.1.100.253
```
6.9 Finally, enable Telnet
```
user-interface con 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
```
V. Result photos
The cabinet we bought was too small: the cable channels are packed full, there are several local servers and no spare space left, so we bought tower servers (the local servers are all used for cluster testing). This build did not properly account for expandability. Lesson learned; something to prepare for when we improve the server room next time.