1. Lab environment

2. Create the VLANs
[huawei]sy AC1
[AC1]un in en
[AC1]vlan batch 100 101 102 800

interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 800
q

interface Vlanif800
 ip address 192.168.240.1 255.255.255.252

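3. Bring the APs online
Configure the links between the APs and the AC as trunks, and set management VLAN 100 as the native VLAN of each trunk.

What is a native VLAN?

I always forget the concept of the native VLAN, so I searched for it again to reinforce my memory and summarized a few points:
1. The native VLAN defaults to VLAN 1 and can be changed. After the change, all untagged frames are handed to the native VLAN for transmission on the trunk port;
2. Access ports on a switch have no concept of a native VLAN; the concept exists only on trunk ports;
3. In principle every frame crossing a trunk port should be tagged, and the trunk uses allow vlan *** to permit the relevant VLANs. Between switches, however, there are not only transit frames but also frames that carry negotiation information between the switches themselves. If those frames (the switch management information) were tagged, they would not need to be delivered into the corresponding VLAN at the destination, because they are meant to be received by the switch itself. This is where the native VLAN is needed: all untagged frames are carried in the native VLAN;
4. The native VLAN drops any tagged frame it receives.

By default, the default VLAN of a trunk port is VLAN 1. On a trunk port, after the undo vlan command deletes the port's default VLAN, the port's default-VLAN configuration does not change; the port keeps using the VLAN that no longer exists as its default VLAN.
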
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100 # set VLAN 100 as the native VLAN
 port trunk allow-pass vlan 100 to 101 # allow VLAN 100 and VLAN 101 through
q

interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100 # set VLAN 100 as the native VLAN
 port trunk allow-pass vlan 100 to 102 # allow VLANs 100 through 102

Note: VLAN 100 is configured as the native VLAN so that the untagged DHCP requests sent by the APs are classified as VLAN 100 traffic, which lets the APs obtain IP addresses. All management traffic exchanged between the APs and the AC is untagged.

Check the port VLAN information:

[AC1]dis port vlan
Port                    Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------------
GigabitEthernet0/0/1    trunk        100   1 100-101
GigabitEthernet0/0/2    trunk        100   1 100-102
GigabitEthernet0/0/3    access       800   -
GigabitEthernet0/0/4    hybrid       1     -
GigabitEthernet0/0/5    hybrid       1     -
...

Create the AP address pool
This is interface-based DHCP configuration, used to assign IP addresses to the APs.

dhcp enable
interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 114.114.114.114 8.8.8.8

Verify that the APs are online
Check on the AC:

[AC1]dis ip pool interface Vlanif100 used
  Pool-name      : Vlanif100
  Pool-No        : 0
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : 114.114.114.114
  DNS-server1    : 8.8.8.8
  NBNS-server0   : -
  Netbios-type   : -
  Position       : Interface       Status           : Unlocked
  Gateway-0      : -
  Network        : 192.168.100.0
  Mask           : 255.255.255.0
  Logging        : Disable
  Conflicted address recycle interval: -
  Address Statistic: Total       :254       Used        :2
                     Idle        :252       Expired     :0
                     Conflict    :0         Disabled    :0

 -------------------------------------------------------------------------------
  Network section
         Start           End       Total    Used Idle(Expired) Conflict Disabled
 -------------------------------------------------------------------------------
   192.168.100.1 192.168.100.254     254       2        252(0)       0     0
 -------------------------------------------------------------------------------
  Client-ID format as follows:
    DHCP  : mac-address                 PPPoE   : mac-address
    IPSec : user-id/portnumber/vrf      PPP     : interface index
    L2TP  : cpu-slot/session-id         SSL-VPN : user-id/session-id
 -------------------------------------------------------------------------------
  Index              IP               Client-ID    Type       Left   Status
 -------------------------------------------------------------------------------
     83  192.168.100.84          00e0-fc59-48f0    DHCP      85055   Used
    156 192.168.100.157          00e0-fcd9-2cc0    DHCP      85055   Used
 -------------------------------------------------------------------------------

At this point, however, we cannot tell which lease belongs to AP1 and which to AP2, so next we check on each AP in turn.

We see that AP1 obtained the address 192.168.100.84.

# Check on AP1
[Huawei]dis ip in b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
The number of interface that is UP in Physical is 2
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 2
The number of interface that is DOWN in Protocol is 0

Interface                         IP Address/Mask      Physical   Protocol
NULL0                             unassigned           up         up(s)
Vlanif1                           192.168.100.84/24    up         up

[Huawei]ping 192.168.100.1
  PING 192.168.100.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.100.1: bytes=56 Sequence=1 ttl=255 time=110 ms
    Reply from 192.168.100.1: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 192.168.100.1: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 192.168.100.1: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 192.168.100.1: bytes=56 Sequence=5 ttl=255 time=10 ms

  --- 192.168.100.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/24/110 ms

AP2 obtained 192.168.100.157.

# Check on AP2
<Huawei>dis ip in b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down
The number of interface that is UP in Physical is 2
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 2
The number of interface that is DOWN in Protocol is 0

Interface                         IP Address/Mask      Physical   Protocol
NULL0                             unassigned           up         up(s)
Vlanif1                           192.168.100.157/24   up         up

We saw that AP1 obtained the address 192.168.100.84; now we can ping it from the AC.

[AC1]ping 192.168.100.84
  PING 192.168.100.84: 56  data bytes, press CTRL_C to break
    Reply from 192.168.100.84: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 192.168.100.84: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 192.168.100.84: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 192.168.100.84: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 192.168.100.84: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 192.168.100.84 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/2/10 ms

[AC1]ping 192.168.100.157
  PING 192.168.100.157: 56  data bytes, press CTRL_C to break
    Reply from 192.168.100.157: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 192.168.100.157: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 192.168.100.157: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 192.168.100.157: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 192.168.100.157: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 192.168.100.157 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/2/10 ms

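The pool output lists leases by MAC address only, which is why the post visits each AP to tell them apart. As an added example (not from the original post), the Python below reconciles the lease table against an AP inventory keyed by MAC, naming each AP and flagging any other client that obtained a management-VLAN address through the untagged native VLAN. The inventory, the function names and the third lease row are assumptions constructed for the example.

```python
import re

# Constructed sample: the two lease rows from the output above, plus one
# invented row (index 201) standing in for a device that is not an AP.
LEASES = """\
    83  192.168.100.84   00e0-fc59-48f0  DHCP  85055  Used
   156  192.168.100.157  00e0-fcd9-2cc0  DHCP  85055  Used
   201  192.168.100.202  0011-2233-4455  DHCP  86311  Used
"""

# Assumed inventory keyed by MAC. The AP1/AP2 mapping follows from the
# address each AP reported in its own `dis ip in b` output.
KNOWN_APS = {"00e0-fc59-48f0": "AP1", "00e0-fcd9-2cc0": "AP2"}

LEASE_ROW = re.compile(
    r"^\s*\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+DHCP\s+\d+\s+Used\s*$",
    re.IGNORECASE,
)

def parse_leases(text):
    """Return [(ip, mac)] for every in-use DHCP lease row."""
    leases = []
    for line in text.splitlines():
        m = LEASE_ROW.match(line)
        if m:
            leases.append((m.group(1), m.group(2).lower()))
    return leases

def reconcile(leases, inventory):
    """Split leases into named APs, unknown clients and APs with no lease."""
    named, unknown = {}, []
    for ip, mac in leases:
        if mac in inventory:
            named[inventory[mac]] = ip
        else:
            unknown.append((ip, mac))
    missing = sorted(set(inventory.values()) - set(named))
    return named, unknown, missing

if __name__ == "__main__":
    named, unknown, missing = reconcile(parse_leases(LEASES), KNOWN_APS)
    print("APs:", named)
    print("unknown clients on VLAN 100:", unknown)
    print("APs without a lease:", missing)
```
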
4. Create the user-group address pools
DHCP for user group A
Used to assign IP addresses to user group A.

interface Vlanif101
 ip address 192.168.101.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 114.114.114.114 8.8.8.8

DHCP for user group B
Used to assign IP addresses to user group B.

interface Vlanif102
 ip address 192.168.102.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 114.114.114.114 8.8.8.8