华为VPN实例配置OA和OT隔离(含无线)
组网需求:
通过VPN实例,实现OA和OT的逻辑分区隔离,逻辑分区通过OSPF通讯。
如下图所示,汇聚交换机划分两个VPN实例,OA和OT。OA实例分别应用到VLAN10、30、40、2000,其中VLAN30是作为所有AP设备的管理地址,VLAN40是无线用户地址,VLAN2000是作为和核心交换机的通讯主要接口。OT实例分别应用到VLAN20、50、2001,其中VLAN50是作为无线用户地址,VLAN2001是作为和核心交换机通讯的主要接口。核心交换机配置VLAN2000和2001对应汇聚的VPN实例。控制器配置2003,与核心通讯,实现无线AP管控。
实验目的
无论是有线还是无线,实现OA和OT逻辑分区,互访采用OSPF。默认所有的无线AP全放到OA的VLAN30统一管理,业务依然按照OA和OT区分
配置汇聚交换机
1、配置VLAN和VPN实例
vlan batch 10 20 30 40 50 2000 to 2001 ip vpn-instance OA ipv4-family ip vpn-instance OT ipv4-family
2、配置IP地址和地址池,以及VPN实例应用
interface Vlanif10 ip binding vpn-instance OA ip address 172.30.10.1 255.255.255.0 dhcp select global # interface Vlanif30 ip binding vpn-instance OA ip address 172.30.30.1 255.255.255.0 dhcp select global # interface Vlanif40 ip binding vpn-instance OA ip address 172.30.40.1 255.255.255.0 dhcp select global # interface Vlanif2000 ip binding vpn-instance OA ip address 172.30.1.1 255.255.255.0 # interface Vlanif20 ip binding vpn-instance OT ip address 172.30.20.1 255.255.255.0 dhcp select global # interface Vlanif50 ip binding vpn-instance OT ip address 172.30.50.1 255.255.255.0 dhcp select global # interface Vlanif2001 ip binding vpn-instance OT ip address 172.30.2.1 255.255.255.0 # ip pool 10 vpn-instance OA gateway-list 172.30.10.1 network 172.30.10.0 mask 255.255.255.0 option 43 ip-address 172.30.3.2 # ip pool 30 vpn-instance OA gateway-list 172.30.30.1 network 172.30.30.0 mask 255.255.255.0 option 43 sub-option 2 ip-address 172.30.3.2 # ip pool 40 vpn-instance OA gateway-list 172.30.40.1 network 172.30.40.0 mask 255.255.255.0 # ip pool 20 vpn-instance OT gateway-list 172.30.20.1 network 172.30.20.0 mask 255.255.255.0 # ip pool 50 vpn-instance OT gateway-list 172.30.50.1 network 172.30.50.0 mask 255.255.255.0
3、配置接口
interface GigabitEthernet0/0/1 port link-type access port default vlan 2000 # interface GigabitEthernet0/0/2 port link-type access port default vlan 2001 # interface GigabitEthernet0/0/3 port link-type access port default vlan 10 # interface GigabitEthernet0/0/4 port link-type access port default vlan 20 # interface GigabitEthernet0/0/5 port link-type trunk port trunk pvid vlan 30 port trunk allow-pass vlan 2 to 4094 # interface GigabitEthernet0/0/6 port link-type trunk port trunk pvid vlan 30 port trunk allow-pass vlan 2 to 4094
4、配置OSPF
ospf 1 vpn-instance OA area 0.0.0.0 network 172.30.1.0 0.0.0.255 network 172.30.10.0 0.0.0.255 network 172.30.30.0 0.0.0.255 network 172.30.40.0 0.0.0.255 # ospf 2 vpn-instance OT area 0.0.0.0 network 172.30.20.0 0.0.0.255 network 172.30.2.0 0.0.0.255 network 172.30.50.0 0.0.0.255
配置核心交换机
1、配置接口和地址
interface Vlanif2000 ip address 172.30.1.2 255.255.255.0 # interface Vlanif2001 ip address 172.30.2.2 255.255.255.0 # interface Vlanif2003 ip address 172.30.3.1 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type access port default vlan 2000 # interface GigabitEthernet0/0/2 port link-type access port default vlan 2001 stp disable # interface GigabitEthernet0/0/3 port link-type access port default vlan 2003
2、配置路由
ospf 1 area 0.0.0.0 network 172.30.1.0 0.0.0.255 network 172.30.2.0 0.0.0.255 network 172.30.3.0 0.0.0.255
配置无线AC控制器
1、配置接口和IP地址
interface Vlanif2003 ip address 172.30.3.2 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type access # interface GigabitEthernet0/0/2 port link-type access port default vlan 2003
2、配置静态路由
ip route-static 0.0.0.0 0.0.0.0 172.30.3.1
3、配置AC
3.1、配置AC基本信息
3.2、配置AP组,命名OA,用于管理所有的无线AP,纳入改组
3.3、在OA组中配置SSID,命名OA和OT,采用免密认证
3.4、配置AP,分配到OA组
