一. 办公室网络设计说明

1. 网络架构设计

1.1 三层网络架构

采用经典的三层网络架构：

• 核心层（Core Layer）：高速数据转发，连接汇聚层
• 汇聚层（Distribution Layer）：策略控制，连接核心层和接入层
• 接入层（Access Layer）：用户接入，连接终端设备

1.2 网络拓扑特点

• 核心层双机热备，保证高可用性
• 汇聚层每层部署2台，提供冗余
• 接入层星型连接到汇聚层
• 无线网络独立部署，统一管理

2. VLAN规划

2.1 VLAN分配表

2.2 VLAN设计原则

1. 安全隔离：不同部门/功能区域独立VLAN
2. 便于管理：VLAN ID与楼层/功能对应
3. 扩展性：预留VLAN ID空间
4. 性能优化：广播域控制在合理范围

3. IP地址规划

3.1 地址分配原则

• 私有地址：使用RFC1918私有地址段
• 层次化：按楼层和功能分配
• 预留空间：每个网段预留30%地址
• 管理地址：设备管理使用独立网段

3.2 设备IP地址分配

核心设备

汇聚交换机

3.3 DHCP地址池

每个VLAN配置DHCP地址池，自动分配IP地址：

• 地址范围：网段的50%-90%
• 租期：8小时（办公时间）
• DNS服务器：114.114.114.114, 8.8.8.8
• 域名：company.local

4. 路由设计

4.1 路由协议

• 内部路由：OSPF（Open Shortest Path First）
• 外部路由：BGP（Border Gateway Protocol）
• 默认路由：指向出口路由器

4.2 OSPF区域规划

• Area 0：骨干区域，包含核心设备
• Area 1：办公区域
• Area 2：服务器区域
• Area 3：DMZ区域

5. 安全设计

5.1 网络安全策略

1. 边界防护：部署防火墙，控制南北向流量
2. 内网隔离：VLAN隔离，ACL访问控制
3. 无线安全：WPA3加密，MAC地址认证
4. 设备安全：SSH管理，SNMP v3

5.2 访问控制列表（ACL）

• 禁止办公网访问服务器管理端口
• 允许特定管理员访问设备管理VLAN
• 限制访客网络访问内网资源
• 防止VLAN间非授权访问

6. QoS设计

6.1 流量分类

• 语音流量：最高优先级（EF）
• 视频流量：高优先级（AF41）
• 关键业务：中等优先级（AF31）
• 普通数据：默认优先级（BE）

6.2 带宽保证

• 语音流量：保证带宽，低延迟
• 视频会议：保证带宽，低抖动
• 关键业务：带宽保证50%
• 普通上网：剩余带宽

7. 网络管理

7.1 监控指标

• 设备状态：CPU、内存、温度
• 接口状态：带宽利用率、错误包
• 网络性能：延迟、丢包率、吞吐量
• 安全事件：入侵检测、异常流量

7.2 管理工具

• 华为eSight：统一网管平台
• SNMP监控：实时状态监控
• Syslog日志：集中日志管理
• NetStream分析：流量分析

8. 容灾备份

8.1 设备冗余

• 核心交换机：双机热备
• 出口路由器：双机热备
• 防火墙：双机热备
• 无线控制器：双机热备

8.2 链路冗余

• 核心到汇聚：双链路聚合
• 汇聚到接入：双上联（部分关键区域）
• 外网链路：双运营商接入

9. 扩展规划

9.1 端口扩展

• 接入层预留30%端口
• 汇聚层预留40%端口
• 核心层预留50%端口

9.2 带宽扩展

• 核心骨干：支持40G扩展到100G
• 汇聚上联：支持万兆扩展
• 接入下联：全千兆部署

9.3 功能扩展

• 预留服务器机柜空间
• 支持云网融合
• 预留IoT设备接入
• 支持SD-WAN部署

二. 采购设备说明

办公室基本信息

• 总面积：3000平米
• 预计工位：300个
• 楼层：3层，每层1000平米
• 会议室：15个
• 服务器机房：1个（50平米）

核心设备清单

1. 核心交换机

2. 汇聚交换机

3. 接入交换机

4. 路由器

5. 防火墙

6. 无线设备

7. 服务器设备

8. 网络管理

线缆及配件

光纤线缆

• 万兆多模光纤：200米
• 千兆多模光纤：500米
• 万兆单模光纤：100米

网线

• 六类网线：15000米
• 超六类网线：5000米

机柜及配件

• 42U标准机柜：8个
• 24U壁挂机柜：15个
• PDU电源：30个
• 理线器：100个

设备特点

1. 高可靠性：核心设备双机热备，99.99%可用性
2. 高性能：万兆骨干，千兆到桌面
3. PoE供电：支持IP电话、无线AP供电
4. 绿色节能：华为设备功耗优化
5. 易扩展：预留30%端口扩展空间

三. 主要网络设备配置部署

配置原则

1. 自下而上：从核心设备开始，逐步向接入设备配置
2. 先基础后高级：先配置基本连通性，再配置高级功能
3. 分阶段验证：每个阶段完成后进行连通性测试
4. 备份配置：每次重要配置后及时保存

第一阶段：核心设备基础配置

1.1 核心交换机1配置（Core-Switch-1）

设备信息

• 设备型号：华为 S12700E-6
• 管理IP：192.168.10.11/24
• 角色：主核心交换机

配置步骤

步骤1：初始化设备

# 通过Console口连接设备
# 首次启动，进入系统视图
<Huawei>system-view
[Huawei]sysname Core-Switch-1
[Core-Switch-1]clock timezone BJ add 08:00:00

步骤2：创建管理用户

# 创建本地用户
[Core-Switch-1]aaa
[Core-Switch-1-aaa]local-user admin password cipher Huawei@123
[Core-Switch-1-aaa]local-user admin privilege level 15
[Core-Switch-1-aaa]local-user admin service-type ssh telnet terminal
[Core-Switch-1-aaa]quit

# 配置用户界面
[Core-Switch-1]user-interface vty 0 4
[Core-Switch-1-ui-vty0-4]authentication-mode aaa
[Core-Switch-1-ui-vty0-4]protocol inbound ssh
[Core-Switch-1-ui-vty0-4]quit

步骤3：配置SSH服务

# 生成RSA密钥
[Core-Switch-1]rsa local-key-pair create
# 启用SSH服务
[Core-Switch-1]ssh server enable
[Core-Switch-1]stelnet server enable

步骤4：创建管理VLAN

# 创建管理VLAN
[Core-Switch-1]vlan 10
[Core-Switch-1-vlan10]description Management
[Core-Switch-1-vlan10]quit

# 配置管理接口
[Core-Switch-1]interface vlanif 10
[Core-Switch-1-Vlanif10]ip address 192.168.10.11 24
[Core-Switch-1-Vlanif10]quit

步骤5：配置默认路由（临时）

# 配置临时默认路由用于管理
[Core-Switch-1]ip route-static 0.0.0.0 0.0.0.0 192.168.10.1

步骤6：保存配置

[Core-Switch-1]save
# 确认保存
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y

1.2 核心交换机2配置（Core-Switch-2）

设备信息

• 设备型号：华为 S12700E-6
• 管理IP：192.168.10.12/24
• 角色：备核心交换机

配置步骤

重复核心交换机1的步骤1-6，注意以下差异：

# 设备名称
[Huawei]sysname Core-Switch-2

# 管理IP地址
[Core-Switch-2]interface vlanif 10
[Core-Switch-2-Vlanif10]ip address 192.168.10.12 24

1.3 验证核心交换机基础连通性

# 在Core-Switch-1上测试
[Core-Switch-1]ping 192.168.10.12
# 应该能够ping通Core-Switch-2

# 测试SSH连接
[Core-Switch-1]ssh client 192.168.10.12

第二阶段：核心设备完整配置

2.1 核心交换机1完整VLAN配置

# 创建所有业务VLAN
[Core-Switch-1]vlan batch 100 to 102 200 to 202 300 400 500 600

# 配置VLAN描述
[Core-Switch-1]vlan 100
[Core-Switch-1-vlan100]description Office-1F
[Core-Switch-1-vlan100]quit

[Core-Switch-1]vlan 101
[Core-Switch-1-vlan101]description Office-2F
[Core-Switch-1-vlan101]quit

[Core-Switch-1]vlan 102
[Core-Switch-1-vlan102]description Office-3F
[Core-Switch-1-vlan102]quit

[Core-Switch-1]vlan 200
[Core-Switch-1-vlan200]description Meeting-1F
[Core-Switch-1-vlan200]quit

[Core-Switch-1]vlan 201
[Core-Switch-1-vlan201]description Meeting-2F
[Core-Switch-1-vlan201]quit

[Core-Switch-1]vlan 202
[Core-Switch-1-vlan202]description Meeting-3F
[Core-Switch-1-vlan202]quit

[Core-Switch-1]vlan 300
[Core-Switch-1-vlan300]description Server
[Core-Switch-1-vlan300]quit

[Core-Switch-1]vlan 400
[Core-Switch-1-vlan400]description DMZ
[Core-Switch-1-vlan400]quit

[Core-Switch-1]vlan 500
[Core-Switch-1-vlan500]description Guest-Wireless
[Core-Switch-1-vlan500]quit

[Core-Switch-1]vlan 600
[Core-Switch-1-vlan600]description Office-Wireless
[Core-Switch-1-vlan600]quit

2.2 配置VLANIF接口和DHCP中继

# 配置办公区VLANIF接口
[Core-Switch-1]interface vlanif 100
[Core-Switch-1-Vlanif100]ip address 192.168.100.252 24
[Core-Switch-1-Vlanif100]dhcp select relay
[Core-Switch-1-Vlanif100]dhcp relay server-ip 192.168.10.100
[Core-Switch-1-Vlanif100]quit

[Core-Switch-1]interface vlanif 101
[Core-Switch-1-Vlanif101]ip address 192.168.101.252 24
[Core-Switch-1-Vlanif101]dhcp select relay
[Core-Switch-1-Vlanif101]dhcp relay server-ip 192.168.10.100
[Core-Switch-1-Vlanif101]quit

[Core-Switch-1]interface vlanif 102
[Core-Switch-1-Vlanif102]ip address 192.168.102.252 24
[Core-Switch-1-Vlanif102]dhcp select relay
[Core-Switch-1-Vlanif102]dhcp relay server-ip 192.168.10.100
[Core-Switch-1-Vlanif102]quit

# 配置会议室VLANIF接口
[Core-Switch-1]interface vlanif 200
[Core-Switch-1-Vlanif200]ip address 192.168.200.252 24
[Core-Switch-1-Vlanif200]dhcp select relay
[Core-Switch-1-Vlanif200]dhcp relay server-ip 192.168.10.100
[Core-Switch-1-Vlanif200]quit

[Core-Switch-1]interface vlanif 201
[Core-Switch-1-Vlanif201]ip address 192.168.201.252 24
[Core-Switch-1-Vlanif201]dhcp select relay
[Core-Switch-1-Vlanif201]dhcp relay server-ip 192.168.10.100
[Core-Switch-1-Vlanif201]quit

[Core-Switch-1]interface vlanif 202
[Core-Switch-1-Vlanif202]ip address 192.168.202.252 24
[Core-Switch-1-Vlanif202]dhcp select relay
[Core-Switch-1-Vlanif202]dhcp relay server-ip 192.168.10.100
[Core-Switch-1-Vlanif202]quit

# 配置服务器和DMZ VLANIF接口
[Core-Switch-1]interface vlanif 300
[Core-Switch-1-Vlanif300]ip address 192.168.30.252 24
[Core-Switch-1-Vlanif300]quit

[Core-Switch-1]interface vlanif 400
[Core-Switch-1-Vlanif400]ip address 192.168.40.252 24
[Core-Switch-1-Vlanif400]quit

# 配置无线VLANIF接口
[Core-Switch-1]interface vlanif 500
[Core-Switch-1-Vlanif500]ip address 192.168.50.252 24
[Core-Switch-1-Vlanif500]dhcp select relay
[Core-Switch-1-Vlanif500]dhcp relay server-ip 192.168.10.100
[Core-Switch-1-Vlanif500]quit

[Core-Switch-1]interface vlanif 600
[Core-Switch-1-Vlanif600]ip address 192.168.60.252 24
[Core-Switch-1-Vlanif600]dhcp select relay
[Core-Switch-1-Vlanif600]dhcp relay server-ip 192.168.10.100
[Core-Switch-1-Vlanif600]quit

2.3 配置物理接口

# 配置连接核心交换机2的接口（链路聚合）
[Core-Switch-1]interface eth-trunk 1
[Core-Switch-1-Eth-Trunk1]description Link-to-Core-Switch-2
[Core-Switch-1-Eth-Trunk1]port link-type trunk
[Core-Switch-1-Eth-Trunk1]port trunk allow-pass vlan all
[Core-Switch-1-Eth-Trunk1]quit

[Core-Switch-1]interface 10ge 1/0/1
[Core-Switch-1-10GE1/0/1]eth-trunk 1
[Core-Switch-1-10GE1/0/1]quit

[Core-Switch-1]interface 10ge 1/0/2
[Core-Switch-1-10GE1/0/2]eth-trunk 1
[Core-Switch-1-10GE1/0/2]quit

# 配置连接出口路由器的接口
[Core-Switch-1]interface 10ge 1/0/3
[Core-Switch-1-10GE1/0/3]description Link-to-Router-1
[Core-Switch-1-10GE1/0/3]port link-type trunk
[Core-Switch-1-10GE1/0/3]port trunk allow-pass vlan 10 300 400
[Core-Switch-1-10GE1/0/3]quit

# 配置连接汇聚交换机的接口
[Core-Switch-1]interface 10ge 1/0/4
[Core-Switch-1-10GE1/0/4]description Link-to-Agg-Switch-1F-1
[Core-Switch-1-10GE1/0/4]port link-type trunk
[Core-Switch-1-10GE1/0/4]port trunk allow-pass vlan 10 100 200 500 600
[Core-Switch-1-10GE1/0/4]quit

[Core-Switch-1]interface 10ge 1/0/5
[Core-Switch-1-10GE1/0/5]description Link-to-Agg-Switch-1F-2
[Core-Switch-1-10GE1/0/5]port link-type trunk
[Core-Switch-1-10GE1/0/5]port trunk allow-pass vlan 10 100 200 500 600
[Core-Switch-1-10GE1/0/5]quit

# 继续配置其他汇聚交换机连接...

2.4 配置OSPF路由协议

# 启用OSPF
[Core-Switch-1]ospf 1 router-id 192.168.10.11
[Core-Switch-1-ospf-1]area 0
[Core-Switch-1-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[Core-Switch-1-ospf-1-area-0.0.0.0]network 192.168.100.0 0.0.0.255
[Core-Switch-1-ospf-1-area-0.0.0.0]network 192.168.101.0 0.0.0.255
[Core-Switch-1-ospf-1-area-0.0.0.0]network 192.168.102.0 0.0.0.255
[Core-Switch-1-ospf-1-area-0.0.0.0]network 192.168.200.0 0.0.0.255
[Core-Switch-1-ospf-1-area-0.0.0.0]network 192.168.201.0 0.0.0.255
[Core-Switch-1-ospf-1-area-0.0.0.0]network 192.168.202.0 0.0.0.255
[Core-Switch-1-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[Core-Switch-1-ospf-1-area-0.0.0.0]network 192.168.40.0 0.0.0.255
[Core-Switch-1-ospf-1-area-0.0.0.0]network 192.168.50.0 0.0.0.255
[Core-Switch-1-ospf-1-area-0.0.0.0]network 192.168.60.0 0.0.0.255
[Core-Switch-1-ospf-1-area-0.0.0.0]quit
[Core-Switch-1-ospf-1]quit

2.5 配置VRRP（网关冗余）

# 在各VLANIF接口配置VRRP
[Core-Switch-1]interface vlanif 100
[Core-Switch-1-Vlanif100]vrrp vrid 100 virtual-ip 192.168.100.254
[Core-Switch-1-Vlanif100]vrrp vrid 100 priority 120
[Core-Switch-1-Vlanif100]vrrp vrid 100 preempt-mode timer delay 20
[Core-Switch-1-Vlanif100]quit

[Core-Switch-1]interface vlanif 101
[Core-Switch-1-Vlanif101]vrrp vrid 101 virtual-ip 192.168.101.254
[Core-Switch-1-Vlanif101]vrrp vrid 101 priority 120
[Core-Switch-1-Vlanif101]vrrp vrid 101 preempt-mode timer delay 20
[Core-Switch-1-Vlanif101]quit

# 继续配置其他VLAN的VRRP...

2.6 保存核心交换机1配置

[Core-Switch-1]save

2.7 核心交换机2配置

重复2.1-2.6的配置，注意以下差异：

# OSPF Router ID
[Core-Switch-2]ospf 1 router-id 192.168.10.12

# VRRP优先级（备设备优先级较低）
[Core-Switch-2]interface vlanif 100
[Core-Switch-2-Vlanif100]vrrp vrid 100 virtual-ip 192.168.100.254
[Core-Switch-2-Vlanif100]vrrp vrid 100 priority 100
[Core-Switch-2-Vlanif100]quit

第三阶段：路由器配置

3.1 出口路由器配置（Router-1）

设备信息

• 设备型号：华为 AR6300-S
• 管理IP：192.168.10.1/24
• 角色：主出口路由器

配置步骤

步骤1：基础配置

<Huawei>system-view
[Huawei]sysname Router-1
[Router-1]clock timezone BJ add 08:00:00

# 创建管理用户
[Router-1]aaa
[Router-1-aaa]local-user admin password cipher Huawei@123
[Router-1-aaa]local-user admin privilege level 15
[Router-1-aaa]local-user admin service-type ssh telnet terminal
[Router-1-aaa]quit

# 配置SSH
[Router-1]user-interface vty 0 4
[Router-1-ui-vty0-4]authentication-mode aaa
[Router-1-ui-vty0-4]protocol inbound ssh
[Router-1-ui-vty0-4]quit

[Router-1]rsa local-key-pair create
[Router-1]ssh server enable
[Router-1]stelnet server enable

步骤2：配置接口

# 配置管理接口
[Router-1]interface gigabitethernet 0/0/0
[Router-1-GigabitEthernet0/0/0]description Management
[Router-1-GigabitEthernet0/0/0]ip address 192.168.10.1 24
[Router-1-GigabitEthernet0/0/0]quit

# 配置外网接口（连接ISP）
[Router-1]interface gigabitethernet 0/0/1
[Router-1-GigabitEthernet0/0/1]description WAN-to-ISP
[Router-1-GigabitEthernet0/0/1]ip address 202.96.128.100 30
[Router-1-GigabitEthernet0/0/1]quit

# 配置内网接口（连接核心交换机）
[Router-1]interface gigabitethernet 0/0/2
[Router-1-GigabitEthernet0/0/2]description LAN-to-Core
[Router-1-GigabitEthernet0/0/2]quit

# 创建子接口
[Router-1]interface gigabitethernet 0/0/2.10
[Router-1-GigabitEthernet0/0/2.10]description Management-VLAN
[Router-1-GigabitEthernet0/0/2.10]dot1q termination vid 10
[Router-1-GigabitEthernet0/0/2.10]ip address 192.168.10.2 24
[Router-1-GigabitEthernet0/0/2.10]arp broadcast enable
[Router-1-GigabitEthernet0/0/2.10]quit

[Router-1]interface gigabitethernet 0/0/2.300
[Router-1-GigabitEthernet0/0/2.300]description Server-VLAN
[Router-1-GigabitEthernet0/0/2.300]dot1q termination vid 300
[Router-1-GigabitEthernet0/0/2.300]ip address 192.168.30.1 24
[Router-1-GigabitEthernet0/0/2.300]arp broadcast enable
[Router-1-GigabitEthernet0/0/2.300]quit

[Router-1]interface gigabitethernet 0/0/2.400
[Router-1-GigabitEthernet0/0/2.400]description DMZ-VLAN
[Router-1-GigabitEthernet0/0/2.400]dot1q termination vid 400
[Router-1-GigabitEthernet0/0/2.400]ip address 192.168.40.1 24
[Router-1-GigabitEthernet0/0/2.400]arp broadcast enable
[Router-1-GigabitEthernet0/0/2.400]quit

步骤3：配置路由

# 配置默认路由
[Router-1]ip route-static 0.0.0.0 0.0.0.0 202.96.128.101

# 配置OSPF
[Router-1]ospf 1 router-id 192.168.10.1
[Router-1-ospf-1]default-route-advertise always
[Router-1-ospf-1]area 0
[Router-1-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[Router-1-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[Router-1-ospf-1-area-0.0.0.0]network 192.168.40.0 0.0.0.255
[Router-1-ospf-1-area-0.0.0.0]quit
[Router-1-ospf-1]quit

步骤4：配置NAT

# 创建ACL用于NAT
[Router-1]acl number 2000
[Router-1-acl-basic-2000]rule 5 permit source 192.168.0.0 0.0.255.255
[Router-1-acl-basic-2000]quit

# 配置NAT
[Router-1]nat address-group 1 202.96.128.100 202.96.128.100
[Router-1]interface gigabitethernet 0/0/1
[Router-1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1
[Router-1-GigabitEthernet0/0/1]quit

# 配置服务器端口映射（示例）
[Router-1]nat server protocol tcp global 202.96.128.100 80 inside 192.168.30.10 80
[Router-1]nat server protocol tcp global 202.96.128.100 443 inside 192.168.30.10 443

步骤5：保存配置

[Router-1]save

第四阶段：防火墙配置

4.1 防火墙配置（Firewall-1）

设备信息

• 设备型号：华为 USG6650
• 管理IP：192.168.10.20/24
• 部署模式：透明模式

配置步骤

步骤1：基础配置

<USG6650>system-view
[USG6650]sysname Firewall-1
[Firewall-1]clock timezone BJ add 08:00:00

# 创建管理用户
[Firewall-1]aaa
[Firewall-1-aaa]local-user admin password cipher Huawei@123
[Firewall-1-aaa]local-user admin privilege level 15
[Firewall-1-aaa]local-user admin service-type ssh web terminal
[Firewall-1-aaa]quit

# 配置SSH和Web管理
[Firewall-1]user-interface vty 0 4
[Firewall-1-ui-vty0-4]authentication-mode aaa
[Firewall-1-ui-vty0-4]protocol inbound ssh
[Firewall-1-ui-vty0-4]quit

[Firewall-1]rsa local-key-pair create
[Firewall-1]ssh server enable
[Firewall-1]stelnet server enable

[Firewall-1]web-manager enable
[Firewall-1]web-manager port 8443

步骤2：配置接口

# 配置管理接口
[Firewall-1]interface gigabitethernet 0/0/0
[Firewall-1-GigabitEthernet0/0/0]description Management
[Firewall-1-GigabitEthernet0/0/0]ip address 192.168.10.20 24
[Firewall-1-GigabitEthernet0/0/0]service-manage ping permit
[Firewall-1-GigabitEthernet0/0/0]service-manage ssh permit
[Firewall-1-GigabitEthernet0/0/0]service-manage https permit
[Firewall-1-GigabitEthernet0/0/0]quit

# 配置外网接口
[Firewall-1]interface gigabitethernet 1/0/0
[Firewall-1-GigabitEthernet1/0/0]description WAN-Interface
[Firewall-1-GigabitEthernet1/0/0]ip address 202.96.128.102 30
[Firewall-1-GigabitEthernet1/0/0]quit

# 配置内网接口
[Firewall-1]interface gigabitethernet 1/0/1
[Firewall-1-GigabitEthernet1/0/1]description LAN-Interface
[Firewall-1-GigabitEthernet1/0/1]ip address 192.168.1.1 24
[Firewall-1-GigabitEthernet1/0/1]quit

# 配置DMZ接口
[Firewall-1]interface gigabitethernet 1/0/2
[Firewall-1-GigabitEthernet1/0/2]description DMZ-Interface
[Firewall-1-GigabitEthernet1/0/2]ip address 192.168.40.1 24
[Firewall-1-GigabitEthernet1/0/2]quit

步骤3：配置安全区域

# 创建安全区域
[Firewall-1]firewall zone trust
[Firewall-1-zone-trust]add interface gigabitethernet 1/0/1
[Firewall-1-zone-trust]quit

[Firewall-1]firewall zone untrust
[Firewall-1-zone-untrust]add interface gigabitethernet 1/0/0
[Firewall-1-zone-untrust]quit

[Firewall-1]firewall zone dmz
[Firewall-1-zone-dmz]add interface gigabitethernet 1/0/2
[Firewall-1-zone-dmz]quit

[Firewall-1]firewall zone local
[Firewall-1-zone-local]add interface gigabitethernet 0/0/0
[Firewall-1-zone-local]quit

步骤4：配置安全策略

# 内网访问外网策略
[Firewall-1]security-policy
[Firewall-1-policy-security]rule name trust_to_untrust
[Firewall-1-policy-security-rule-trust_to_untrust]source-zone trust
[Firewall-1-policy-security-rule-trust_to_untrust]destination-zone untrust
[Firewall-1-policy-security-rule-trust_to_untrust]action permit
[Firewall-1-policy-security-rule-trust_to_untrust]quit

# 外网访问DMZ策略
[Firewall-1-policy-security]rule name untrust_to_dmz
[Firewall-1-policy-security-rule-untrust_to_dmz]source-zone untrust
[Firewall-1-policy-security-rule-untrust_to_dmz]destination-zone dmz
[Firewall-1-policy-security-rule-untrust_to_dmz]destination-address 192.168.40.10 mask 255.255.255.255
[Firewall-1-policy-security-rule-untrust_to_dmz]service http https
[Firewall-1-policy-security-rule-untrust_to_dmz]action permit
[Firewall-1-policy-security-rule-untrust_to_dmz]quit

# 内网访问DMZ策略
[Firewall-1-policy-security]rule name trust_to_dmz
[Firewall-1-policy-security-rule-trust_to_dmz]source-zone trust
[Firewall-1-policy-security-rule-trust_to_dmz]destination-zone dmz
[Firewall-1-policy-security-rule-trust_to_dmz]action permit
[Firewall-1-policy-security-rule-trust_to_dmz]quit

[Firewall-1-policy-security]quit

步骤5：保存配置

[Firewall-1]save

第五阶段：汇聚交换机配置

5.1 一楼汇聚交换机配置（Agg-Switch-1F-1）

设备信息

• 设备型号：华为 S5735-L48T4S-A1
• 管理IP：192.168.10.21/24
• 角色：一楼汇聚交换机1

配置步骤

步骤1：基础配置

<Huawei>system-view
[Huawei]sysname Agg-Switch-1F-1
[Agg-Switch-1F-1]clock timezone BJ add 08:00:00

# 创建管理用户
[Agg-Switch-1F-1]aaa
[Agg-Switch-1F-1-aaa]local-user admin password cipher Huawei@123
[Agg-Switch-1F-1-aaa]local-user admin privilege level 15
[Agg-Switch-1F-1-aaa]local-user admin service-type ssh telnet terminal
[Agg-Switch-1F-1-aaa]quit

# 配置SSH
[Agg-Switch-1F-1]user-interface vty 0 4
[Agg-Switch-1F-1-ui-vty0-4]authentication-mode aaa
[Agg-Switch-1F-1-ui-vty0-4]protocol inbound ssh
[Agg-Switch-1F-1-ui-vty0-4]quit

[Agg-Switch-1F-1]rsa local-key-pair create
[Agg-Switch-1F-1]ssh server enable
[Agg-Switch-1F-1]stelnet server enable

步骤2：创建VLAN

# 创建相关VLAN
[Agg-Switch-1F-1]vlan batch 10 100 200 500 600

# 配置VLAN描述
[Agg-Switch-1F-1]vlan 10
[Agg-Switch-1F-1-vlan10]description Management
[Agg-Switch-1F-1-vlan10]quit

[Agg-Switch-1F-1]vlan 100
[Agg-Switch-1F-1-vlan100]description Office-1F
[Agg-Switch-1F-1-vlan100]quit

[Agg-Switch-1F-1]vlan 200
[Agg-Switch-1F-1-vlan200]description Meeting-1F
[Agg-Switch-1F-1-vlan200]quit

[Agg-Switch-1F-1]vlan 500
[Agg-Switch-1F-1-vlan500]description Guest-Wireless
[Agg-Switch-1F-1-vlan500]quit

[Agg-Switch-1F-1]vlan 600
[Agg-Switch-1F-1-vlan600]description Office-Wireless
[Agg-Switch-1F-1-vlan600]quit

步骤3：配置管理接口

[Agg-Switch-1F-1]interface vlanif 10
[Agg-Switch-1F-1-Vlanif10]ip address 192.168.10.21 24
[Agg-Switch-1F-1-Vlanif10]quit

步骤4：配置上联接口（连接核心交换机）

# 配置上联接口1（连接Core-Switch-1）
[Agg-Switch-1F-1]interface gigabitethernet 0/0/49
[Agg-Switch-1F-1-GigabitEthernet0/0/49]description Uplink-to-Core-Switch-1
[Agg-Switch-1F-1-GigabitEthernet0/0/49]port link-type trunk
[Agg-Switch-1F-1-GigabitEthernet0/0/49]port trunk allow-pass vlan 10 100 200 500 600
[Agg-Switch-1F-1-GigabitEthernet0/0/49]quit

# 配置上联接口2（连接Core-Switch-2）
[Agg-Switch-1F-1]interface gigabitethernet 0/0/50
[Agg-Switch-1F-1-GigabitEthernet0/0/50]description Uplink-to-Core-Switch-2
[Agg-Switch-1F-1-GigabitEthernet0/0/50]port link-type trunk
[Agg-Switch-1F-1-GigabitEthernet0/0/50]port trunk allow-pass vlan 10 100 200 500 600
[Agg-Switch-1F-1-GigabitEthernet0/0/50]quit

步骤5：配置下联接口（连接接入交换机）

# 配置连接接入交换机的接口
[Agg-Switch-1F-1]interface gigabitethernet 0/0/1
[Agg-Switch-1F-1-GigabitEthernet0/0/1]description Link-to-Access-Switch-1F-Office-1
[Agg-Switch-1F-1-GigabitEthernet0/0/1]port link-type trunk
[Agg-Switch-1F-1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 100
[Agg-Switch-1F-1-GigabitEthernet0/0/1]quit

[Agg-Switch-1F-1]interface gigabitethernet 0/0/2
[Agg-Switch-1F-1-GigabitEthernet0/0/2]description Link-to-Access-Switch-1F-Office-2
[Agg-Switch-1F-1-GigabitEthernet0/0/2]port link-type trunk
[Agg-Switch-1F-1-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 100
[Agg-Switch-1F-1-GigabitEthernet0/0/2]quit

[Agg-Switch-1F-1]interface gigabitethernet 0/0/3
[Agg-Switch-1F-1-GigabitEthernet0/0/3]description Link-to-Access-Switch-1F-Meeting
[Agg-Switch-1F-1-GigabitEthernet0/0/3]port link-type trunk
[Agg-Switch-1F-1-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 200
[Agg-Switch-1F-1-GigabitEthernet0/0/3]quit

步骤6：配置STP

# 启用STP
[Agg-Switch-1F-1]stp enable
[Agg-Switch-1F-1]stp mode rstp
[Agg-Switch-1F-1]stp priority 4096

步骤7：配置OSPF

[Agg-Switch-1F-1]ospf 1 router-id 192.168.10.21
[Agg-Switch-1F-1-ospf-1]area 0
[Agg-Switch-1F-1-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[Agg-Switch-1F-1-ospf-1-area-0.0.0.0]quit
[Agg-Switch-1F-1-ospf-1]quit

步骤8：保存配置

[Agg-Switch-1F-1]save

第六阶段：接入交换机配置

6.1 一楼办公区接入交换机配置（Access-Switch-1F-Office-1）

设备信息

• 设备型号：华为 S2750-28TP-PWR-EI
• 管理IP：192.168.10.31/24
• 角色：一楼办公区接入交换机1

配置步骤

步骤1：基础配置

<Huawei>system-view
[Huawei]sysname Access-Switch-1F-Office-1
[Access-Switch-1F-Office-1]clock timezone BJ add 08:00:00

# 创建管理用户
[Access-Switch-1F-Office-1]aaa
[Access-Switch-1F-Office-1-aaa]local-user admin password cipher Huawei@123
[Access-Switch-1F-Office-1-aaa]local-user admin privilege level 15
[Access-Switch-1F-Office-1-aaa]local-user admin service-type ssh telnet terminal
[Access-Switch-1F-Office-1-aaa]quit

# 配置SSH
[Access-Switch-1F-Office-1]user-interface vty 0 4
[Access-Switch-1F-Office-1-ui-vty0-4]authentication-mode aaa
[Access-Switch-1F-Office-1-ui-vty0-4]protocol inbound ssh
[Access-Switch-1F-Office-1-ui-vty0-4]quit

[Access-Switch-1F-Office-1]rsa local-key-pair create
[Access-Switch-1F-Office-1]ssh server enable
[Access-Switch-1F-Office-1]stelnet server enable

步骤2：创建VLAN

[Access-Switch-1F-Office-1]vlan batch 10 100

[Access-Switch-1F-Office-1]vlan 10
[Access-Switch-1F-Office-1-vlan10]description Management
[Access-Switch-1F-Office-1-vlan10]quit

[Access-Switch-1F-Office-1]vlan 100
[Access-Switch-1F-Office-1-vlan100]description Office-1F
[Access-Switch-1F-Office-1-vlan100]quit

步骤3：配置管理接口

[Access-Switch-1F-Office-1]interface vlanif 10
[Access-Switch-1F-Office-1-Vlanif10]ip address 192.168.10.31 24
[Access-Switch-1F-Office-1-Vlanif10]quit

步骤4：配置上联接口

[Access-Switch-1F-Office-1]interface gigabitethernet 0/0/25
[Access-Switch-1F-Office-1-GigabitEthernet0/0/25]description Uplink-to-Agg-Switch-1F-1
[Access-Switch-1F-Office-1-GigabitEthernet0/0/25]port link-type trunk
[Access-Switch-1F-Office-1-GigabitEthernet0/0/25]port trunk allow-pass vlan 10 100
[Access-Switch-1F-Office-1-GigabitEthernet0/0/25]quit

[Access-Switch-1F-Office-1]interface gigabitethernet 0/0/26
[Access-Switch-1F-Office-1-GigabitEthernet0/0/26]description Uplink-to-Agg-Switch-1F-2
[Access-Switch-1F-Office-1-GigabitEthernet0/0/26]port link-type trunk
[Access-Switch-1F-Office-1-GigabitEthernet0/0/26]port trunk allow-pass vlan 10 100
[Access-Switch-1F-Office-1-GigabitEthernet0/0/26]quit

步骤5：配置用户接入端口

# 批量配置用户端口
[Access-Switch-1F-Office-1]port-group group-member ethernet 0/0/1 to ethernet 0/0/24
[Access-Switch-1F-Office-1-port-group]port link-type access
[Access-Switch-1F-Office-1-port-group]port default vlan 100
[Access-Switch-1F-Office-1-port-group]poe enable
[Access-Switch-1F-Office-1-port-group]port-security enable
[Access-Switch-1F-Office-1-port-group]port-security max-mac-num 3
[Access-Switch-1F-Office-1-port-group]quit

# 单独配置特殊端口（如打印机端口）
[Access-Switch-1F-Office-1]interface ethernet 0/0/24
[Access-Switch-1F-Office-1-Ethernet0/0/24]description Printer-1F-Office-1
[Access-Switch-1F-Office-1-Ethernet0/0/24]port-security max-mac-num 1
[Access-Switch-1F-Office-1-Ethernet0/0/24]quit

步骤6：配置STP和其他功能

# 启用STP
[Access-Switch-1F-Office-1]stp enable
[Access-Switch-1F-Office-1]stp mode rstp

# 配置环路检测
[Access-Switch-1F-Office-1]loopback-detection enable
[Access-Switch-1F-Office-1]interface range ethernet 0/0/1 to ethernet 0/0/24
[Access-Switch-1F-Office-1-if-range]loopback-detection enable
[Access-Switch-1F-Office-1-if-range]loopback-detection action block
[Access-Switch-1F-Office-1-if-range]quit

# 配置DHCP Snooping
[Access-Switch-1F-Office-1]dhcp snooping enable
[Access-Switch-1F-Office-1]dhcp snooping binding enable
[Access-Switch-1F-Office-1]interface vlan 100
[Access-Switch-1F-Office-1-Vlanif100]dhcp snooping enable
[Access-Switch-1F-Office-1-Vlanif100]quit

# 配置上联口为信任端口
[Access-Switch-1F-Office-1]interface gigabitethernet 0/0/25
[Access-Switch-1F-Office-1-GigabitEthernet0/0/25]dhcp snooping trusted
[Access-Switch-1F-Office-1-GigabitEthernet0/0/25]quit

[Access-Switch-1F-Office-1]interface gigabitethernet 0/0/26
[Access-Switch-1F-Office-1-GigabitEthernet0/0/26]dhcp snooping trusted
[Access-Switch-1F-Office-1-GigabitEthernet0/0/26]quit

步骤7：保存配置

[Access-Switch-1F-Office-1]save

第七阶段：无线控制器配置

7.1 无线控制器配置（Wireless-Controller-1）

设备信息

• 设备型号：华为 AC6605
• 管理IP：192.168.10.50/24
• 角色：主无线控制器

配置步骤

步骤1：基础配置

<AC6605>system-view
[AC6605]sysname Wireless-Controller-1
[Wireless-Controller-1]clock timezone BJ add 08:00:00

# 创建管理用户
[Wireless-Controller-1]aaa
[Wireless-Controller-1-aaa]local-user admin password cipher Huawei@123
[Wireless-Controller-1-aaa]local-user admin privilege level 15
[Wireless-Controller-1-aaa]local-user admin service-type ssh web terminal
[Wireless-Controller-1-aaa]quit

# 配置SSH和Web管理
[Wireless-Controller-1]user-interface vty 0 4
[Wireless-Controller-1-ui-vty0-4]authentication-mode aaa
[Wireless-Controller-1-ui-vty0-4]protocol inbound ssh
[Wireless-Controller-1-ui-vty0-4]quit

[Wireless-Controller-1]rsa local-key-pair create
[Wireless-Controller-1]ssh server enable
[Wireless-Controller-1]stelnet server enable

[Wireless-Controller-1]web-manager enable
[Wireless-Controller-1]web-manager port 8443

步骤2：创建VLAN

[Wireless-Controller-1]vlan batch 10 500 600

[Wireless-Controller-1]vlan 10
[Wireless-Controller-1-vlan10]description Management
[Wireless-Controller-1-vlan10]quit

[Wireless-Controller-1]vlan 500
[Wireless-Controller-1-vlan500]description Guest-Wireless
[Wireless-Controller-1-vlan500]quit

[Wireless-Controller-1]vlan 600
[Wireless-Controller-1-vlan600]description Office-Wireless
[Wireless-Controller-1-vlan600]quit

步骤3：配置接口

# 配置管理接口
[Wireless-Controller-1]interface vlanif 10
[Wireless-Controller-1-Vlanif10]ip address 192.168.10.50 24
[Wireless-Controller-1-Vlanif10]quit

# 配置访客无线网络接口
[Wireless-Controller-1]interface vlanif 500
[Wireless-Controller-1-Vlanif500]ip address 192.168.50.1 24
[Wireless-Controller-1-Vlanif500]dhcp select relay
[Wireless-Controller-1-Vlanif500]dhcp relay server-ip 192.168.10.100
[Wireless-Controller-1-Vlanif500]quit

# 配置办公无线网络接口
[Wireless-Controller-1]interface vlanif 600
[Wireless-Controller-1-Vlanif600]ip address 192.168.60.1 24
[Wireless-Controller-1-Vlanif600]dhcp select relay
[Wireless-Controller-1-Vlanif600]dhcp relay server-ip 192.168.10.100
[Wireless-Controller-1-Vlanif600]quit

# 配置物理接口
[Wireless-Controller-1]interface gigabitethernet 0/0/1
[Wireless-Controller-1-GigabitEthernet0/0/1]description Link-to-Core-Switch
[Wireless-Controller-1-GigabitEthernet0/0/1]port link-type trunk
[Wireless-Controller-1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 500 600
[Wireless-Controller-1-GigabitEthernet0/0/1]quit

步骤4：配置无线射频模板

# 创建2.4GHz射频模板
[Wireless-Controller-1]wlan
[Wireless-Controller-1-wlan-view]radio-2g-profile name default_radio_2g
[Wireless-Controller-1-wlan-radio-2g-prof-default_radio_2g]channel-width 40
[Wireless-Controller-1-wlan-radio-2g-prof-default_radio_2g]channel auto
[Wireless-Controller-1-wlan-radio-2g-prof-default_radio_2g]power auto
[Wireless-Controller-1-wlan-radio-2g-prof-default_radio_2g]quit

# 创建5GHz射频模板
[Wireless-Controller-1-wlan-view]radio-5g-profile name default_radio_5g
[Wireless-Controller-1-wlan-radio-5g-prof-default_radio_5g]channel-width 80
[Wireless-Controller-1-wlan-radio-5g-prof-default_radio_5g]channel auto
[Wireless-Controller-1-wlan-radio-5g-prof-default_radio_5g]power auto
[Wireless-Controller-1-wlan-radio-5g-prof-default_radio_5g]quit

步骤5：配置SSID和安全模板

# 创建办公SSID安全模板
[Wireless-Controller-1-wlan-view]security-profile name office_security
[Wireless-Controller-1-wlan-sec-prof-office_security]security wpa-wpa2 psk pass-phrase Huawei@2024 aes
[Wireless-Controller-1-wlan-sec-prof-office_security]quit

# 创建访客SSID安全模板
[Wireless-Controller-1-wlan-view]security-profile name guest_security
[Wireless-Controller-1-wlan-sec-prof-guest_security]security wpa2 psk pass-phrase Guest@123 aes
[Wireless-Controller-1-wlan-sec-prof-guest_security]quit

# 创建办公SSID模板
[Wireless-Controller-1-wlan-view]ssid-profile name office_ssid
[Wireless-Controller-1-wlan-ssid-prof-office_ssid]ssid Office-WiFi
[Wireless-Controller-1-wlan-ssid-prof-office_ssid]quit

# 创建访客SSID模板
[Wireless-Controller-1-wlan-view]ssid-profile name guest_ssid
[Wireless-Controller-1-wlan-ssid-prof-guest_ssid]ssid Guest-WiFi
[Wireless-Controller-1-wlan-ssid-prof-guest_ssid]quit

步骤6：创建VAP模板

# 创建办公VAP模板
[Wireless-Controller-1-wlan-view]vap-profile name office_vap
[Wireless-Controller-1-wlan-vap-prof-office_vap]forward-mode tunnel
[Wireless-Controller-1-wlan-vap-prof-office_vap]service-vlan vlan-id 600
[Wireless-Controller-1-wlan-vap-prof-office_vap]ssid-profile office_ssid
[Wireless-Controller-1-wlan-vap-prof-office_vap]security-profile office_security
[Wireless-Controller-1-wlan-vap-prof-office_vap]quit

# 创建访客VAP模板
[Wireless-Controller-1-wlan-view]vap-profile name guest_vap
[Wireless-Controller-1-wlan-vap-prof-guest_vap]forward-mode tunnel
[Wireless-Controller-1-wlan-vap-prof-guest_vap]service-vlan vlan-id 500
[Wireless-Controller-1-wlan-vap-prof-guest_vap]ssid-profile guest_ssid
[Wireless-Controller-1-wlan-vap-prof-guest_vap]security-profile guest_security
[Wireless-Controller-1-wlan-vap-prof-guest_vap]quit

步骤7：创建AP组和AP模板

# 创建AP组
[Wireless-Controller-1-wlan-view]ap-group name default_ap_group
[Wireless-Controller-1-wlan-ap-group-default_ap_group]quit

# 创建AP模板
[Wireless-Controller-1-wlan-view]ap-profile name default_ap_profile
[Wireless-Controller-1-wlan-ap-prof-default_ap_profile]radio 0 radio-profile default_radio_2g
[Wireless-Controller-1-wlan-ap-prof-default_ap_profile]radio 0 vap-profile office_vap wlan 1
[Wireless-Controller-1-wlan-ap-prof-default_ap_profile]radio 0 vap-profile guest_vap wlan 2
[Wireless-Controller-1-wlan-ap-prof-default_ap_profile]radio 1 radio-profile default_radio_5g
[Wireless-Controller-1-wlan-ap-prof-default_ap_profile]radio 1 vap-profile office_vap wlan 1
[Wireless-Controller-1-wlan-ap-prof-default_ap_profile]radio 1 vap-profile guest_vap wlan 2
[Wireless-Controller-1-wlan-ap-prof-default_ap_profile]quit

# 将AP模板应用到AP组
[Wireless-Controller-1-wlan-view]ap-group name default_ap_group
[Wireless-Controller-1-wlan-ap-group-default_ap_group]ap-profile default_ap_profile
[Wireless-Controller-1-wlan-ap-group-default_ap_group]quit

步骤8：配置AP

# 配置一楼AP
[Wireless-Controller-1-wlan-view]ap auth-mode mac-auth
[Wireless-Controller-1-wlan-view]ap-id 1 ap-mac 00e0-fc12-3456
[Wireless-Controller-1-wlan-ap-1]ap-name AP-1F-Office-1
[Wireless-Controller-1-wlan-ap-1]ap-group default_ap_group
[Wireless-Controller-1-wlan-ap-1]quit

[Wireless-Controller-1-wlan-view]ap-id 2 ap-mac 00e0-fc12-3457
[Wireless-Controller-1-wlan-ap-2]ap-name AP-1F-Office-2
[Wireless-Controller-1-wlan-ap-2]ap-group default_ap_group
[Wireless-Controller-1-wlan-ap-2]quit

# 继续配置其他楼层AP（示例）
[Wireless-Controller-1-wlan-view]ap-id 3 ap-mac 00e0-fc12-3458
[Wireless-Controller-1-wlan-ap-3]ap-name AP-2F-Office-1
[Wireless-Controller-1-wlan-ap-3]ap-group default_ap_group
[Wireless-Controller-1-wlan-ap-3]quit

[Wireless-Controller-1-wlan-view]quit

步骤9：配置CAPWAP

# 配置CAPWAP源接口
[Wireless-Controller-1]capwap source interface vlanif 10

步骤10：保存配置

[Wireless-Controller-1]save

第八阶段：DHCP服务器配置

8.1 DHCP服务器配置

设备信息

• 服务器IP：192.168.10.100/24
• 操作系统：Linux
• 角色：DHCP服务器

配置步骤

步骤1：安装DHCP服务

# CentOS/RHEL系统
sudo yum install dhcp -y

# Ubuntu/Debian系统
sudo apt-get install isc-dhcp-server -y

步骤2：配置DHCP服务

# 编辑DHCP配置文件
sudo vi /etc/dhcp/dhcpd.conf

# 添加以下配置内容：
# 全局配置
default-lease-time 86400;
max-lease-time 172800;
authoritative;

# DNS服务器
option domain-name-servers 114.114.114.114, 8.8.8.8;
option ntp-servers 192.168.10.1;

# 一楼办公区DHCP池
subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.10 192.168.100.200;
    option routers 192.168.100.254;
    option broadcast-address 192.168.100.255;
    default-lease-time 86400;
    max-lease-time 172800;
}

# 二楼办公区DHCP池
subnet 192.168.101.0 netmask 255.255.255.0 {
    range 192.168.101.10 192.168.101.200;
    option routers 192.168.101.254;
    option broadcast-address 192.168.101.255;
    default-lease-time 86400;
    max-lease-time 172800;
}

# 访客无线网络DHCP池
subnet 192.168.50.0 netmask 255.255.255.0 {
    range 192.168.50.10 192.168.50.200;
    option routers 192.168.50.254;
    option broadcast-address 192.168.50.255;
    default-lease-time 3600;
    max-lease-time 7200;
}

# 办公无线网络DHCP池
subnet 192.168.60.0 netmask 255.255.255.0 {
    range 192.168.60.10 192.168.60.200;
    option routers 192.168.60.254;
    option broadcast-address 192.168.60.255;
    default-lease-time 86400;
    max-lease-time 172800;
}

步骤3：启动DHCP服务

# 启动并设置开机自启
sudo systemctl start dhcpd
sudo systemctl enable dhcpd

# 检查服务状态
sudo systemctl status dhcpd

第九阶段：网络管理平台配置

9.1 eSight网管平台配置

配置步骤

步骤1：安装eSight

# 在管理服务器上安装eSight
# 按照华为eSight安装指南进行安装

步骤2：添加设备

# 通过Web界面添加设备
# 访问 https://192.168.10.101:8443
# 使用admin/Huawei@123登录

# 添加核心交换机
设备IP：192.168.10.11
SNMP团体名：public
设备类型：交换机

# 添加路由器
设备IP：192.168.10.1
SNMP团体名：public
设备类型：路由器

# 添加防火墙
设备IP：192.168.10.20
SNMP团体名：public
设备类型：防火墙

第十阶段：配置验证和测试

10.1 网络连通性测试

步骤1：基础连通性测试

# 在核心交换机上测试
[Core-Switch-1]ping 192.168.10.12  # 测试到Core-Switch-2
[Core-Switch-1]ping 192.168.10.1   # 测试到Router-1
[Core-Switch-1]ping 192.168.10.21  # 测试到Agg-Switch-1F-1

# 在路由器上测试
[Router-1]ping 8.8.8.8  # 测试外网连通性
[Router-1]ping 192.168.10.11  # 测试到核心交换机

步骤2：VLAN间路由测试

# 从办公区测试到其他VLAN
ping 192.168.101.1  # 测试VLAN间路由
ping 192.168.200.1  # 测试到会议室VLAN
ping 8.8.8.8        # 测试外网访问

步骤3：DHCP功能测试

# 在客户端测试DHCP
ipconfig /release
ipconfig /renew
ipconfig /all  # 查看获取的IP地址

步骤4：无线网络测试

# 测试无线连接
# 连接Office-WiFi SSID
# 密码：Huawei@2024
# 测试网络连通性

10.2 故障切换测试

步骤1：VRRP切换测试

# 在Core-Switch-1上关闭VLANIF接口
[Core-Switch-1]interface vlanif 100
[Core-Switch-1-Vlanif100]shutdown
[Core-Switch-1-Vlanif100]quit

# 在客户端测试网关是否切换到Core-Switch-2
ping 192.168.100.254

# 恢复接口
[Core-Switch-1]interface vlanif 100
[Core-Switch-1-Vlanif100]undo shutdown
[Core-Switch-1-Vlanif100]quit

步骤2：链路冗余测试

# 断开主链路，测试备用链路是否生效
# 观察STP收敛时间
# 测试网络连通性恢复情况

四. 运维与检查

配置部署注意事项

安全注意事项

1. 密码安全：所有设备使用强密码，定期更换
2. 访问控制：限制管理访问来源IP
3. SNMP安全：使用SNMPv3或更改默认团体名
4. 固件更新：及时更新设备固件和安全补丁

配置备份

1. 定期备份：每周备份所有设备配置
2. 版本管理：记录配置变更历史
3. 恢复测试：定期测试配置恢复流程

监控告警

1. 性能监控：监控设备CPU、内存、接口利用率
2. 故障告警：配置设备故障、链路中断告警
3. 安全监控：监控异常访问和安全事件

文档维护

1. 配置文档：及时更新配置文档
2. 网络拓扑：保持拓扑图与实际一致
3. 操作记录：记录所有配置变更操作

故障排除指南

常见问题处理

问题1：设备无法SSH登录

# 检查SSH服务状态
display ssh server status

# 重新生成密钥
rsa local-key-pair create

# 检查用户配置
display aaa local-user

问题2：VLAN间无法通信

# 检查VLANIF接口状态
display interface vlanif brief

# 检查路由表
display ip routing-table

# 检查OSPF邻居
display ospf peer

问题3：DHCP客户端无法获取IP

# 检查DHCP中继配置
display dhcp relay server-group

# 检查DHCP服务器状态
sudo systemctl status dhcpd

# 查看DHCP日志
sudo tail -f /var/log/dhcpd.log

问题4：无线客户端无法连接

# 检查AP状态
[Wireless-Controller-1-wlan-view]display ap all

# 检查VAP状态
[Wireless-Controller-1-wlan-view]display vap all

# 检查SSID配置
[Wireless-Controller-1-wlan-view]display ssid-profile all

配置完成检查清单

设备配置检查

• 所有设备基础配置完成
• 管理IP地址配置正确
• SSH访问正常
• SNMP配置完成
• 时间同步配置

网络功能检查

• VLAN创建和配置
• VLANIF接口配置
• 路由协议配置
• VRRP冗余配置
• STP配置

安全功能检查

• 防火墙策略配置
• ACL访问控制
• 端口安全配置
• DHCP Snooping配置

无线网络检查

• 无线控制器配置
• AP注册和上线
• SSID广播正常
• 无线客户端连接测试

服务功能检查

• DHCP服务正常
• DNS解析正常
• NTP时间同步
• 网管平台监控

连通性测试

• 内网连通性测试
• VLAN间路由测试
• 外网访问测试
• 无线网络测试

冗余测试

• VRRP切换测试
• 链路故障切换测试
• 设备故障切换测试

配置部署完成后，请确保所有检查项目都已通过验证，并及时保存所有设备配置。