Firewall dual-machine hot backup, DHCP server, core switch load sharing and redundancy design

Article Directory

  • 1. Overview of firewall dual-machine hot backup
  • 2. Protocols used together with it
  • 3. Design requirements and topology
  • 4. Configuration process and corresponding commands
  • Summary


1. Overview of firewall dual-machine hot backup:

        A firewall is generally deployed at the egress of the company network to control all traffic entering and leaving it. But a single firewall at the egress is also a single point of failure: once it fails, the whole network's business is affected. To improve the reliability of the firewall, it can be configured for dual-machine hot backup, a technique similar to VRRP on routers and switches.
In a dual-machine hot backup architecture, when one firewall fails, business traffic is switched smoothly to the other firewall, so traffic and services are not interrupted. The switchover is transparent to internal and external users, who do not notice the firewall failure.


2. The topology in this design involves a number of protocol configurations, including:

1. Eth-Trunk link aggregation
2. VLAN Layer 2 configuration
3. MSTP (multiple spanning tree)
4. VRRP gateway configuration
5. DHCP relay
6. DHCP snooping configuration
7. ACL access control (restricting access to the FTP server)
8. Firewall basic configuration and dual-machine hot standby
9. Interface configuration of ISP1, ISP2 and the core switches connected to FW1 and FW2
10. OSPF configuration
11. WLAN configuration
12. Some functional tests



3. Design requirements:

1. Intranet terminals obtain IP addresses automatically from the DHCP server.

2. Intranet departments cannot communicate with each other, but all of them can access the external network. The reception room cannot access the intranet FTP server.

3. When the internal network accesses the external network, ISP1 is preferred; when the ISP1 link fails, traffic switches to ISP2.

4. Dual-machine hot standby: FW1 is the active firewall and FW2 the standby. When FW1 fails, the traffic path switches to FW2.

5. The core switches use VRRP for load sharing and redundancy; if one of them fails, the other takes over normally.

6. The AC is attached to SW2 (LW2) in bypass (side-mounted) mode, and the WLAN is configured so that the reception room SSID needs no password while the other departments' SSID requires a password.

The topology diagram is as follows:


4. Configuration process and corresponding commands:

1. Eth-Trunk link configuration between the core switches:

<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sys LW1
[LW1]
[LW1]int eth-trunk 1  # enter the aggregation (Eth-Trunk) interface
[LW1-Eth-Trunk1]mode lacp-static  # static LACP mode
[LW1-Eth-Trunk1]po link-type tr
[LW1-Eth-Trunk1]po trunk allow-pass vlan all  # allow all VLANs across the trunk
[LW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/3 to 0/0/5  # add the member ports

<sw>sy
Enter system view, return user view with Ctrl+Z.
[sw]sys LW2
[LW2]int eth-trunk 1
[LW2-Eth-Trunk1]mode lacp-static 
[LW2-Eth-Trunk1]po link-type tr
[LW2-Eth-Trunk1]po tr allow-pass vlan all
[LW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/3 to 0/0/5

2. VLAN Layer 2 configuration:

LW1:
[LW1]vlan batch 10 20 30 40 50 200 201 111 
Info: This operation may take a few seconds. Please wait for a moment...done.
[LW1]int g0/0/6
[LW1-GigabitEthernet0/0/6]po link-type tr
[LW1-GigabitEthernet0/0/6]po tr allow-pass vlan 10 111
[LW1-GigabitEthernet0/0/6]int g0/0/7
[LW1-GigabitEthernet0/0/7]po link-type tr
[LW1-GigabitEthernet0/0/7]po tr allow-pass vlan 20 111
[LW1-GigabitEthernet0/0/7]int g0/0/8
[LW1-GigabitEthernet0/0/8]po link-type tr
[LW1-GigabitEthernet0/0/8]po tr allow-pass vlan 30 111
[LW1-GigabitEthernet0/0/8]int g0/0/9
[LW1-GigabitEthernet0/0/9]po link-type tr
[LW1-GigabitEthernet0/0/9]po tr allow-pass vlan 40 111
[LW1-GigabitEthernet0/0/9]int g0/0/10
[LW1-GigabitEthernet0/0/10]po link-type tr
[LW1-GigabitEthernet0/0/10]po tr allow-pass vlan 50 111
[LW1-GigabitEthernet0/0/10]int g0/0/1
[LW1-GigabitEthernet0/0/1]po link-ty ac
[LW1-GigabitEthernet0/0/1]po default vlan 200
[LW1-GigabitEthernet0/0/1]int g0/0/2
[LW1-GigabitEthernet0/0/2]po link-type ac
[LW1-GigabitEthernet0/0/2]po default vlan 201

LW2:
[LW2]vlan batch 10 20 30 40 50 100 101 
Info: This operation may take a few seconds. Please wait for a moment...done.
[LW2]vlan batch 111 102 200 201
Info: This operation may take a few seconds. Please wait for a moment...done.
[LW2]int g0/0/6
[LW2-GigabitEthernet0/0/6]po link-type tr
[LW2-GigabitEthernet0/0/6]po tr allow-pass vlan 10 111 100 101 102
[LW2-GigabitEthernet0/0/6]int g0/0/7
[LW2-GigabitEthernet0/0/7]po link-type tr
[LW2-GigabitEthernet0/0/7]po tr allow-pass vlan 20 100 101 102 111
[LW2-GigabitEthernet0/0/7]int g0/0/8
[LW2-GigabitEthernet0/0/8]po link-type tr
[LW2-GigabitEthernet0/0/8]po tr allow-pass vlan 30 100 101 102 111
[LW2-GigabitEthernet0/0/8]int g0/0/9
[LW2-GigabitEthernet0/0/9]po link-type tr
[LW2-GigabitEthernet0/0/9]po tr allow-pass vlan 40 100 101 102 111
[LW2-GigabitEthernet0/0/9]int g0/0/10 
[LW2-GigabitEthernet0/0/10]po link-type tr
[LW2-GigabitEthernet0/0/10]po tr allow-pass vlan 50 111
[LW2-GigabitEthernet0/0/10]int g0/0/1
[LW2-GigabitEthernet0/0/1]po link-type ac
[LW2-GigabitEthernet0/0/1]po de vlan 201 
[LW2-GigabitEthernet0/0/1]int g0/0/2
[LW2-GigabitEthernet0/0/2]po link-ty ac
[LW2-GigabitEthernet0/0/2]po de vlan 200

JR1:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sys JR1
[JR1]vlan batch 10 20 30 40 50 111 100 101 102
Info: This operation may take a few seconds. Please wait for a moment...done.
[JR1]int g0/0/1 
[JR1-GigabitEthernet0/0/1]po link-ty tr
[JR1-GigabitEthernet0/0/1]po tr allow-pass vlan 10 111
[JR1-GigabitEthernet0/0/1]int g0/0/2
[JR1-GigabitEthernet0/0/2]po link-type tr
[JR1-GigabitEthernet0/0/2]po tr allow-pass vlan 10 111 100 101 102
[JR1-GigabitEthernet0/0/2]int g0/0/3 
[JR1-GigabitEthernet0/0/3]po link-ty ac
[JR1-GigabitEthernet0/0/3]po de vlan 10 
[JR1-GigabitEthernet0/0/3]int g0/0/4
[JR1-GigabitEthernet0/0/4]po link-ty tr
[JR1-GigabitEthernet0/0/4]po tr allow-pass vlan 100 101 102
[JR1-GigabitEthernet0/0/4]po tr pvid vlan 100

JR2:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sys JR2
[JR2]vlan batch 10 20 30 40 50 111 100 101 102
Info: This operation may take a few seconds. Please wait for a moment...done.
[JR2]int g0/0/1 
[JR2-GigabitEthernet0/0/1]po link-ty tr
[JR2-GigabitEthernet0/0/1]po tr allow-pass vlan 20 111
[JR2-GigabitEthernet0/0/1]int g0/0/2
[JR2-GigabitEthernet0/0/2]po link-ty tr
[JR2-GigabitEthernet0/0/2]po tr allow-pass vlan 20 111 100 101 102
[JR2-GigabitEthernet0/0/2]int g0/0/3 
[JR2-GigabitEthernet0/0/3]po link-ty ac
[JR2-GigabitEthernet0/0/3]po de vlan 20 
[JR2-GigabitEthernet0/0/3]int g0/0/4
[JR2-GigabitEthernet0/0/4]po link-ty tr
[JR2-GigabitEthernet0/0/4]po tr allow-pass vlan 100 101 102
[JR2-GigabitEthernet0/0/4]po tr pvid vlan 100

JR3:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sys JR3
[JR3]vlan batch 10 20 30 40 50 111 100 101 102
Info: This operation may take a few seconds. Please wait for a moment...done.
[JR3]int g0/0/1 
[JR3-GigabitEthernet0/0/1]po link-ty tr
[JR3-GigabitEthernet0/0/1]po tr allow-pass vlan 30 111
[JR3-GigabitEthernet0/0/1]int g0/0/2
[JR3-GigabitEthernet0/0/2]po link-ty tr
[JR3-GigabitEthernet0/0/2]po tr allow-pass vlan 30 111 100 101 102
[JR3-GigabitEthernet0/0/2]
[JR3-GigabitEthernet0/0/2]int g0/0/3 
[JR3-GigabitEthernet0/0/3]po link-ty ac
[JR3-GigabitEthernet0/0/3]po de vlan 30 
[JR3-GigabitEthernet0/0/3]int g0/0/4
[JR3-GigabitEthernet0/0/4]po link-ty tr
[JR3-GigabitEthernet0/0/4]po tr allow-pass vlan 100 101 102
[JR3-GigabitEthernet0/0/4]po tr pvid vlan 100

JR4:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sys JR4
[JR4]vlan batch 10 20 30 40 50 111 100 101 102
Info: This operation may take a few seconds. Please wait for a moment...done.
[JR4]int g0/0/1 
[JR4-GigabitEthernet0/0/1]po link-ty tr
[JR4-GigabitEthernet0/0/1]po tr allow-pass vlan 40 111
[JR4-GigabitEthernet0/0/1]int g0/0/2
[JR4-GigabitEthernet0/0/2]po link-ty tr
[JR4-GigabitEthernet0/0/2]po tr allow-pass vlan 40 111 100 101 102
[JR4-GigabitEthernet0/0/2]int g0/0/3 
[JR4-GigabitEthernet0/0/3]po link-ty ac
[JR4-GigabitEthernet0/0/3]po de vlan 40 
[JR4-GigabitEthernet0/0/3]int g0/0/4
[JR4-GigabitEthernet0/0/4]po link-ty tr
[JR4-GigabitEthernet0/0/4]po tr allow-pass vlan 100 101 102
[JR4-GigabitEthernet0/0/4]po tr pvid vlan 100

JR5:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sys JR5
[JR5]vlan batch 10 20 30 40 50 111 
Info: This operation may take a few seconds. Please wait for a moment...done.
[JR5]int g0/0/1 
[JR5-GigabitEthernet0/0/1]po link-ty tr
[JR5-GigabitEthernet0/0/1]po tr allow-pass vlan 50 111
[JR5-GigabitEthernet0/0/1]int g0/0/2
[JR5-GigabitEthernet0/0/2]po link-ty tr
[JR5-GigabitEthernet0/0/2]po tr allow-pass vlan 50 111 
[JR5-GigabitEthernet0/0/2]int g0/0/3 
[JR5-GigabitEthernet0/0/3]po link-ty ac
[JR5-GigabitEthernet0/0/3]po de vlan 50 
[JR5-GigabitEthernet0/0/3]int g0/0/4
[JR5-GigabitEthernet0/0/4]po link-ty ac
[JR5-GigabitEthernet0/0/4]po de vlan 50 

3. MSTP configuration:

LW1:
[LW1]stp en 
[LW1]stp mode mstp  # set the spanning-tree mode to MSTP
[LW1]stp region-configuration  # enter the MST region view
[LW1-mst-region]region-name stp  # name the region
[LW1-mst-region]revision-level 1
[LW1-mst-region]instance 1 vlan 10 20 50  # map VLANs to spanning-tree instances
[LW1-mst-region]instance 2 vlan 30 40
[LW1-mst-region]active region-configuration  # activate the MST region configuration (this command is required)
Info: This operation may take a few seconds. Please wait for a moment...done.
[LW1-mst-region]
[LW1-mst-region]stp instance 1 root primary  # make this switch the root bridge of instance 1
[LW1]stp instance 2 root secondary  # make this switch the backup root bridge of instance 2


LW2:
[LW2]stp en 
[LW2]stp mode mstp
[LW2]stp region-configuration
[LW2-mst-region]region-name stp
[LW2-mst-region]revision-level 1
[LW2-mst-region]instance 1 vlan 10 20 50 
[LW2-mst-region]instance 2 vlan 30 40
[LW2-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[LW2-mst-region]
[LW2-mst-region]stp instance 1 root secondary
[LW2]stp instance 2 root primary

JR1:
[JR1]stp en 
[JR1]stp mode mstp
[JR1]stp region-configuration
[JR1-mst-region]region-name stp
[JR1-mst-region]revision-level 1
[JR1-mst-region]instance 1 vlan 10 20 50 
[JR1-mst-region]instance 2 vlan 30 40
[JR1-mst-region]active region-configuration

JR2:
[JR2]stp en 
[JR2]stp mode mstp
[JR2]stp region-configuration
[JR2-mst-region]region-name stp
[JR2-mst-region]revision-level 1
[JR2-mst-region]instance 1 vlan 10 20 50 
[JR2-mst-region]instance 2 vlan 30 40
[JR2-mst-region]active region-configuration

JR3:
[JR3]stp en 
[JR3]stp mode mstp
[JR3]stp region-configuration
[JR3-mst-region]region-name stp
[JR3-mst-region]revision-level 1
[JR3-mst-region]instance 1 vlan 10 20 50 
[JR3-mst-region]instance 2 vlan 30 40
[JR3-mst-region]active region-configuration

JR4:
[JR4]stp en 
[JR4]stp mode mstp
[JR4]stp region-configuration
[JR4-mst-region]region-name stp
[JR4-mst-region]revision-level 1
[JR4-mst-region]instance 1 vlan 10 20 50 
[JR4-mst-region]instance 2 vlan 30 40
[JR4-mst-region]active region-configuration

JR5:
[JR5]stp en 
[JR5]stp mode mstp
[JR5]stp region-configuration
[JR5-mst-region]region-name stp
[JR5-mst-region]revision-level 1
[JR5-mst-region]instance 1 vlan 10 20 50 
[JR5-mst-region]instance 2 vlan 30 40
[JR5-mst-region]active region-configuration





4. VRRP gateway redundancy configuration:

LW1:
[LW1]int vlan 10  # enter the Vlanif10 view
[LW1-Vlanif10]ip add 192.168.10.254 24  # interface address of Vlanif10
[LW1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.1  # virtual gateway address of VRRP group 10
[LW1-Vlanif10]vrrp vrid 10 priority  120  # priority of this switch in group 10; default is 100, higher wins
[LW1-Vlanif10]int vlan 20
[LW1-Vlanif20]ip add 192.168.20.254 24
[LW1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.1
[LW1-Vlanif20]vrrp vrid 20 priority  120
[LW1-Vlanif20]int vlan 30
[LW1-Vlanif30]ip add 192.168.30.254 24
[LW1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[LW1-Vlanif30]int vlan 40
[LW1-Vlanif40]ip add 192.168.40.254 24
[LW1-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.1
[LW1-Vlanif40]int vlan 50
[LW1-Vlanif50]ip add 192.168.50.254 24
[LW1-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.1
[LW1-Vlanif50]vrrp vrid 50 priority  120

LW2:
[LW2]int vlan 10
[LW2-Vlanif10]ip add 192.168.10.253 24
[LW2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.1
[LW2-Vlanif10]int vlan 20
[LW2-Vlanif20]ip add 192.168.20.253 24
[LW2-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.1
[LW2-Vlanif20]int vlan 30
[LW2-Vlanif30]ip add 192.168.30.253 24
[LW2-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[LW2-Vlanif30]vrrp vrid 30 priority  120
[LW2-Vlanif30]int vlan 40
[LW2-Vlanif40]ip add 192.168.40.253 24
[LW2-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.1
[LW2-Vlanif40]vrrp vrid 40 priority  120
[LW2-Vlanif40]int vlan 50
[LW2-Vlanif50]ip add 192.168.50.253 24
[LW2-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.1
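
As an added check that is not part of the original post, the script below parses the MSTP and VRRP commands of sections 3 and 4 (transcribed here as constructed text, LW1_CONF and LW2_CONF) and verifies that for every VLAN the switch that is MSTP root is also the VRRP master, which is what lets the load sharing of requirement 5 work without traffic hairpinning over the Eth-Trunk:

```python
"""Check that for every VLAN the MSTP root bridge and the VRRP master are the
same core switch: LW1 owns VLANs 10, 20, 50 (instance 1, priority 120) and LW2
owns 30, 40 (instance 2). Otherwise that VLAN's traffic hairpins over the
Eth-Trunk to reach its gateway. Added example; configs transcribed from the page."""
import re
from collections import defaultdict

LW1_CONF = """
stp region-configuration
 instance 1 vlan 10 20 50
 instance 2 vlan 30 40
stp instance 1 root primary
stp instance 2 root secondary
interface Vlanif10
 vrrp vrid 10 virtual-ip 192.168.10.1
 vrrp vrid 10 priority 120
interface Vlanif20
 vrrp vrid 20 virtual-ip 192.168.20.1
 vrrp vrid 20 priority 120
interface Vlanif30
 vrrp vrid 30 virtual-ip 192.168.30.1
interface Vlanif40
 vrrp vrid 40 virtual-ip 192.168.40.1
interface Vlanif50
 vrrp vrid 50 virtual-ip 192.168.50.1
 vrrp vrid 50 priority 120
"""

LW2_CONF = """
stp region-configuration
 instance 1 vlan 10 20 50
 instance 2 vlan 30 40
stp instance 1 root secondary
stp instance 2 root primary
interface Vlanif10
 vrrp vrid 10 virtual-ip 192.168.10.1
interface Vlanif20
 vrrp vrid 20 virtual-ip 192.168.20.1
interface Vlanif30
 vrrp vrid 30 virtual-ip 192.168.30.1
 vrrp vrid 30 priority 120
interface Vlanif40
 vrrp vrid 40 virtual-ip 192.168.40.1
 vrrp vrid 40 priority 120
interface Vlanif50
 vrrp vrid 50 virtual-ip 192.168.50.1
"""

VRRP_DEFAULT_PRIORITY = 100

def parse_switch(conf):
    """Return ({vlan: mstp root role}, {vlan: vrrp priority}) for one switch."""
    inst_vlans, inst_role, priority, cur_vlan = defaultdict(list), {}, {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        m = re.match(r"instance (\d+) vlan ([\d ]+)$", line)
        if m:
            inst_vlans[int(m.group(1))] += [int(v) for v in m.group(2).split()]
            continue
        m = re.match(r"stp instance (\d+) root (primary|secondary)$", line)
        if m:
            inst_role[int(m.group(1))] = m.group(2)
            continue
        m = re.match(r"interface Vlanif(\d+)$", line)
        if m:
            cur_vlan = int(m.group(1))
        elif cur_vlan is not None and line.startswith("vrrp vrid"):
            m = re.match(r"vrrp vrid \d+ priority (\d+)$", line)
            # a virtual-ip line creates the group at the default priority
            priority[cur_vlan] = int(m.group(1)) if m else priority.get(cur_vlan, VRRP_DEFAULT_PRIORITY)
    mstp_role = {v: inst_role.get(i, "none") for i, vl in inst_vlans.items() for v in vl}
    return mstp_role, priority

def check_alignment(configs):
    """configs: {switch name: config text}. Returns {vlan: (mstp_root, vrrp_master, aligned)}.
    VRRP priority ties are not modelled; the page sets an explicit 120 on one side."""
    parsed = {name: parse_switch(text) for name, text in configs.items()}
    vlans = set()
    for roles, prios in parsed.values():
        vlans |= roles.keys() | prios.keys()
    result = {}
    for vlan in sorted(vlans):
        roots = [n for n, (roles, _) in parsed.items() if roles.get(vlan) == "primary"]
        prios = {n: p[vlan] for n, (_, p) in parsed.items() if vlan in p}
        root = roots[0] if len(roots) == 1 else None
        master = max(prios, key=prios.get) if prios else None
        result[vlan] = (root, master, root is not None and root == master)
    return result

if __name__ == "__main__":
    for vlan, (root, master, ok) in check_alignment({"LW1": LW1_CONF, "LW2": LW2_CONF}).items():
        print(f"VLAN {vlan}: MSTP root {root}, VRRP master {master}, {'ok' if ok else 'MISALIGNED'}")
```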

5. DHCP server configuration and relay configuration:

DHCP:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]sys DHCP
[DHCP]
[DHCP]dhcp en  # enable DHCP
Info: The operation may take a few seconds. Please wait for a moment.done.
[DHCP]
[DHCP]ip pool vlan10  # create an address pool
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24  # network segment and mask
[DHCP-ip-pool-vlan10]gateway-list 192.168.10.1  # default gateway handed to clients (the VRRP virtual IP)
[DHCP-ip-pool-vlan10]dns-list 8.8.8.8  # DNS server
[DHCP-ip-pool-vlan10]excluded-ip-address 192.168.10.250 192.168.10.254  # never allocate this range (reserved for the gateways)
[DHCP-ip-pool-vlan10]ip pool vlan20
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan20]network 192.168.20.0 mask 24
[DHCP-ip-pool-vlan20]gateway-list 192.168.20.1  # required: without a gateway-list, VLAN 20 clients get no default route
[DHCP-ip-pool-vlan20]dns-list  8.8.8.8
[DHCP-ip-pool-vlan20]excluded-ip-address 192.168.20.250 192.168.20.254
[DHCP-ip-pool-vlan20]ip pool vlan30
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan30]network 192.168.30.0 mask 24
[DHCP-ip-pool-vlan30]gateway-list 192.168.30.1
[DHCP-ip-pool-vlan30]dns-list  8.8.8.8
[DHCP-ip-pool-vlan30]excluded-ip-address 192.168.30.250 192.168.30.254
[DHCP-ip-pool-vlan30]ip pool vlan40
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan40]network 192.168.40.0 mask 24
[DHCP-ip-pool-vlan40]gateway-list 192.168.40.1
[DHCP-ip-pool-vlan40]dns-list  8.8.8.8
[DHCP-ip-pool-vlan40]excluded-ip-address 192.168.40.250 192.168.40.254
[DHCP-ip-pool-vlan40]int g0/0/0
[DHCP-GigabitEthernet0/0/0]ip add 192.168.50.3 24
[DHCP-GigabitEthernet0/0/0]dhcp select global  # allocate addresses from the global pools on this interface
[DHCP-GigabitEthernet0/0/0]ip route-s 0.0.0.0 0 192.168.50.1  # default route toward the core VRRP gateway
  
LW1:
[LW1]dhcp en
Info: The operation may take a few seconds. Please wait for a moment.done.
[LW1]int vlan 10
[LW1-Vlanif10]dhcp select relay  # this Vlanif acts as a DHCP relay
[LW1-Vlanif10]dhcp relay server-ip 192.168.50.3  # forward client requests to the DHCP server at this address
[LW1-Vlanif10]int vlan 20
[LW1-Vlanif20]dhcp select relay
[LW1-Vlanif20]dhcp relay server-ip 192.168.50.3
[LW1-Vlanif20]int vlan 30
[LW1-Vlanif30]dhcp select relay
[LW1-Vlanif30]dhcp relay server-ip 192.168.50.3
[LW1-Vlanif30]int v 40
[LW1-Vlanif40]dhcp select relay
[LW1-Vlanif40]dhcp relay server-ip 192.168.50.3

LW2:
[LW2]dhcp en
Info: The operation may take a few seconds. Please wait for a moment.done.
[LW2]int vlan 10
[LW2-Vlanif10]dhcp select relay
[LW2-Vlanif10]dhcp relay server-ip 192.168.50.3
[LW2-Vlanif10]int vlan 20
[LW2-Vlanif20]dhcp select relay
[LW2-Vlanif20]dhcp relay server-ip 192.168.50.3
[LW2-Vlanif20]int vlan 30
[LW2-Vlanif30]dhcp select relay
[LW2-Vlanif30]dhcp relay server-ip 192.168.50.3
[LW2-Vlanif30]int v 40
[LW2-Vlanif40]dhcp select relay
[LW2-Vlanif40]dhcp relay server-ip 192.168.50.3



6. DHCP snooping configuration:

JR1:
[JR1]dhcp en  # enable DHCP
Info: The operation may take a few seconds. Please wait for a moment.done.
[JR1]dhcp snooping en  # enable DHCP snooping globally
[JR1]vlan 10 
[JR1-vlan10]dhcp snooping en  # enable DHCP snooping in VLAN 10
[JR1-vlan10]int g0/0/1
[JR1-GigabitEthernet0/0/1]dhcp snooping trusted  # uplinks toward the core (and the DHCP server) are trusted; access ports stay untrusted, so DHCP offers from rogue servers on them are dropped
[JR1-GigabitEthernet0/0/1]int g0/0/2
[JR1-GigabitEthernet0/0/2]dhcp snooping trusted

JR2:
[JR2]dhcp en
Info: The operation may take a few seconds. Please wait for a moment.done.
[JR2]dhcp snooping en
[JR2]vlan 20 
[JR2-vlan20]dhcp snooping en
[JR2-vlan20]int g0/0/1
[JR2-GigabitEthernet0/0/1]dhcp snooping trusted
[JR2-GigabitEthernet0/0/1]int g0/0/2
[JR2-GigabitEthernet0/0/2]dhcp snooping trusted

JR3:
[JR3]dhcp en
Info: The operation may take a few seconds. Please wait for a moment.done.
[JR3]dhcp snooping en
[JR3]vlan 30 
[JR3-vlan30]dhcp snooping en
[JR3-vlan30]int g0/0/1
[JR3-GigabitEthernet0/0/1]dhcp snooping trusted
[JR3-GigabitEthernet0/0/1]int g0/0/2
[JR3-GigabitEthernet0/0/2]dhcp snooping trusted

JR4:
[JR4]dhcp en
Info: The operation may take a few seconds. Please wait for a moment.done.
[JR4]dhcp snooping en
[JR4]vlan 40 
[JR4-vlan40]dhcp snooping en
[JR4-vlan40]int g0/0/1
[JR4-GigabitEthernet0/0/1]dhcp snooping trusted
[JR4-GigabitEthernet0/0/1]int g0/0/2
[JR4-GigabitEthernet0/0/2]dhcp snooping trusted

7. ACL access control list configuration:

LW1: the reception room and the WLAN must not reach the FTP server
[LW1]acl 3000  # create ACL 3000 and enter its view
acl number 3000
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.2 0  # deny 192.168.10.0/24 to 192.168.50.2 (the FTP server)
 rule 10 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.50.2 0
 rule 15 deny ip source 192.168.101.0 0.0.0.255 destination 192.168.50.2 0
 rule 100 permit ip  # permit everything else
[LW1]int g0/0/10
[LW1-GigabitEthernet0/0/10]traffic-filter outbound acl 3000  # apply ACL 3000 in the outbound direction of the port toward VLAN 50

LW1: departments must not access each other
acl number 3001
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255  # deny 192.168.10.0/24 to 192.168.20.0/24
 rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 15 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 25 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 30 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 35 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 40 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 45 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 50 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 55 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 60 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 200 permit ip
[LW1]int g0/0/6
[LW1-GigabitEthernet0/0/6]traffic-filter inbound acl 3001  # apply ACL 3001 in the inbound direction of each department port
[LW1-GigabitEthernet0/0/6]int g0/0/7
[LW1-GigabitEthernet0/0/7]traffic-filter inbound acl 3001
[LW1-GigabitEthernet0/0/7]int g0/0/8
[LW1-GigabitEthernet0/0/8]traffic-filter inbound acl 3001
[LW1-GigabitEthernet0/0/8]int g0/0/9
[LW1-GigabitEthernet0/0/9]traffic-filter inbound acl 3001

LW2:
[LW2]ACL 3000
acl number 3000
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.2 0
 rule 10 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.50.2 0
 rule 15 deny ip source 192.168.101.0 0.0.0.255 destination 192.168.50.2 0
 rule 100 permit ip
[LW2]int g0/0/10
[LW2-GigabitEthernet0/0/10]traffic-filter outbound acl 3000


acl number 3001
 rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 15 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 25 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 30 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 35 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 40 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 45 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 50 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 55 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 60 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 200 permit ip
[LW2]int g0/0/6
[LW2-GigabitEthernet0/0/6]traffic-filter inbound acl 3001
[LW2-GigabitEthernet0/0/6]int g0/0/7
[LW2-GigabitEthernet0/0/7]traffic-filter inbound acl 3001
[LW2-GigabitEthernet0/0/7]int g0/0/8
[LW2-GigabitEthernet0/0/8]traffic-filter inbound acl 3001
[LW2-GigabitEthernet0/0/8]int g0/0/9
[LW2-GigabitEthernet0/0/9]traffic-filter inbound acl 3001
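
Added here as an aid, not from the original post: a small simulator that parses the two ACLs above (transcribed as constructed text), applies Huawei's wildcard-mask and first-match semantics, and walks a packet through the filters it meets on the core switch, so the design requirements can be checked before testing in eNSP. It assumes this page's addressing plan, where the third octet of an address equals the VLAN number:

```python
"""Simulate the page's two ACLs against the design requirements: departments
isolated from each other, and the reception room plus WLAN VLANs 100/101 kept
away from the FTP server 192.168.50.2. Added example: the ACL text is
transcribed from the LW1 section; the wildcard matcher, first-match evaluation
and the path model are written here and assume this page's addressing plan,
where the third octet of an address is its VLAN number."""
import ipaddress
import re

ACL_3000 = """
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.50.2 0
rule 10 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.50.2 0
rule 15 deny ip source 192.168.101.0 0.0.0.255 destination 192.168.50.2 0
rule 100 permit ip
"""

ACL_3001 = """
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 15 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 20 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 25 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 30 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 35 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 40 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 45 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 50 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 55 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 60 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 200 permit ip
"""

RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ip"
    r"(?: source (\S+) (\S+))?"
    r"(?: destination (\S+) (\S+))?$"
)

def parse_acl(text):
    """Parse the rule lines, ordered by rule id (Huawei's config-order matching)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACL line: {line!r}")
        rid, action, sa, sw, da, dw = m.groups()
        rules.append((int(rid), action, (sa, sw), (da, dw)))
    return sorted(rules)

def _addr_int(text):
    """Dotted quad, or a bare number as Huawei accepts for a wildcard ('0')."""
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text)

def wildcard_match(ip, addr, wildcard):
    """Huawei wildcard: a 0 bit must match, a 1 bit is don't-care."""
    care = 0xFFFFFFFF ^ _addr_int(wildcard)
    return (_addr_int(ip) & care) == (_addr_int(addr) & care)

def acl_action(rules, src, dst):
    """First match wins; traffic-filter forwards packets that match no rule."""
    for rid, action, (sa, sw), (da, dw) in rules:
        if sa and not wildcard_match(src, sa, sw):
            continue
        if da and not wildcard_match(dst, da, dw):
            continue
        return action, rid
    return "permit", None

RULES_3000 = parse_acl(ACL_3000)   # outbound on g0/0/10, toward the server VLAN
RULES_3001 = parse_acl(ACL_3001)   # inbound on g0/0/6-9, the department ports
DEPT_VLANS = {10, 20, 30, 40}
SERVER_VLAN = 50

def path_allowed(src, dst):
    """Walk a packet through the filters it meets on the core switch.
    Returns (allowed, reason)."""
    src_vlan = int(src.split(".")[2])
    dst_vlan = int(dst.split(".")[2])
    if src_vlan in DEPT_VLANS:
        action, rid = acl_action(RULES_3001, src, dst)
        if action == "deny":
            return False, f"acl 3001 rule {rid}"
    if dst_vlan == SERVER_VLAN:
        action, rid = acl_action(RULES_3000, src, dst)
        if action == "deny":
            return False, f"acl 3000 rule {rid}"
    return True, "permit"

if __name__ == "__main__":
    for pair in [("192.168.10.10", "192.168.50.2"), ("192.168.20.10", "192.168.30.10"),
                 ("192.168.101.7", "192.168.20.10"), ("192.168.102.7", "192.168.50.2")]:
        print(pair, path_allowed(*pair))
```

Running it also shows that the reception room WLAN segment 192.168.101.0/24 is not covered by ACL 3001, so it can reach the department VLANs even though it cannot reach the FTP server.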

8. Firewall configuration and dual-machine hot standby (source NAT using the outbound interface address):

FW1:
<USG6000V1>sy
Enter system view, return user view with Ctrl+Z.
[USG6000V1]sys FW1
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.200.1 24
[FW1-GigabitEthernet1/0/0]service-manage all permit  # permit all management services (ping, etc.) on this interface
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 192.168.1.1 24
[FW1-GigabitEthernet1/0/1]service-manage all permit
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/2]int g1/0/3
[FW1-GigabitEthernet1/0/3]ip add 20.1.1.1 24
[FW1-GigabitEthernet1/0/3]int g1/0/4
[FW1-GigabitEthernet1/0/4]ip add 192.168.201.1 24
[FW1-GigabitEthernet1/0/4]service-manage all permit
[FW1-GigabitEthernet1/0/4]firewall zone trust  # security zone trust (trusted side)
[FW1-zone-trust]add int g1/0/0  # add the interface to the zone
[FW1-zone-trust]add int g1/0/4
[FW1-zone-trust]firewall zone untrust  # security zone untrust (untrusted side)
[FW1-zone-untrust]add int g1/0/2
[FW1-zone-untrust]add int g1/0/3
[FW1-zone-untrust]firewall zone dmz  # security zone dmz (server zone); the HRP heartbeat interface g1/0/1 is placed here
[FW1-zone-dmz]add int g1/0/1
[FW1-zone-dmz]ip route-s 0.0.0.0 0 10.1.1.5  # default route toward ISP1
[FW1]ip route-s 0.0.0.0 0 20.1.1.5 preference 70  # backup default route toward ISP2 (preference 70 is less preferred than the default 60)

[FW1]security-policy  # security policy view
[FW1-policy-security]rule name local_dmz  # rule name
[FW1-policy-security-rule-local_dmz]source-zone local  # source zone
[FW1-policy-security-rule-local_dmz]destination-zone dmz  # destination zone
[FW1-policy-security-rule-local_dmz]action permit  # permit
[FW1-policy-security-rule-local_dmz]
[FW1-policy-security-rule-local_dmz]rule name trust_untrust
[FW1-policy-security-rule-trust_untrust]source-zone trust
[FW1-policy-security-rule-trust_untrust]destination-zone untrust
[FW1-policy-security-rule-trust_untrust]action permit

[FW1]nat-policy  # NAT policy view
[FW1-policy-nat]rule name ISP
[FW1-policy-nat-rule-ISP]source-zone trust  # source zone
[FW1-policy-nat-rule-ISP]destination-zone untrust  # destination zone
[FW1-policy-nat-rule-ISP]source-address 192.168.10.0 24  # source addresses to be translated
[FW1-policy-nat-rule-ISP]source-address 192.168.20.0 24 
[FW1-policy-nat-rule-ISP]source-address 192.168.30.0 24
[FW1-policy-nat-rule-ISP]source-address 192.168.40.0 24
[FW1-policy-nat-rule-ISP]source-address 192.168.100.0 24
[FW1-policy-nat-rule-ISP]source-address 192.168.101.0 24
[FW1-policy-nat-rule-ISP]source-address 192.168.102.0 24
[FW1-policy-nat-rule-ISP]action source-nat easy-ip  # translate to the address of the outbound interface (easy IP)

[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]vrrp vrid 200 virtual-ip 192.168.200.254 active  # virtual gateway on this interface; this firewall is the active (master) member
[FW1-GigabitEthernet1/0/0]int g1/0/2
[FW1-GigabitEthernet1/0/2]vrrp vrid 10 virtual-ip 10.1.1.254 active
[FW1-GigabitEthernet1/0/2]int g1/0/3
[FW1-GigabitEthernet1/0/3]vrrp vrid 20 virtual-ip 20.1.1.254 active
[FW1-GigabitEthernet1/0/3]int g1/0/4
[FW1-GigabitEthernet1/0/4]vrrp vrid 201 virtual-ip 192.168.201.254 active
[FW1-GigabitEthernet1/0/4]
[FW1-GigabitEthernet1/0/4]hrp interface g1/0/1 remote 192.168.1.2  # heartbeat interface: hrp interface <heartbeat port> remote <peer heartbeat IP>
[FW1]
[FW1]hrp en  # enable HRP; afterwards the prompt is prefixed with HRP_S (standby) or HRP_M (master)
Info: NAT IP detect function is disabled.
HRP_S[FW1]hrp mirror session enable  # enable fast session backup to the peer
HRP_S[FW1]hrp auto-sync  # automatic configuration synchronisation (enabled by default)

FW2:
<USG6000V1>sy
Enter system view, return user view with Ctrl+Z.
[USG6000V1]un in en
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]sys FW2
[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 192.168.200.3 24
[FW2-GigabitEthernet1/0/0]service-manage all permit
[FW2-GigabitEthernet1/0/0]int g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 192.168.1.2 24
[FW2-GigabitEthernet1/0/1]service-manage all permit
[FW2-GigabitEthernet1/0/1]int g1/0/2
[FW2-GigabitEthernet1/0/2]ip add 20.1.1.2 24
[FW2-GigabitEthernet1/0/2]int g1/0/3
[FW2-GigabitEthernet1/0/3]ip add 10.1.1.2 24
[FW2-GigabitEthernet1/0/3]int g1/0/4
[FW2-GigabitEthernet1/0/4]ip add 192.168.201.3 24
[FW2-GigabitEthernet1/0/4]service-manage all permit
[FW2-GigabitEthernet1/0/4]firewall zone trust
[FW2-zone-trust]add int g1/0/0
[FW2-zone-trust]add int g1/0/4
[FW2-zone-trust]firewall zone untrust
[FW2-zone-untrust]add int g1/0/2
[FW2-zone-untrust]add int g1/0/3
[FW2-zone-untrust]firewall zone dmz
[FW2-zone-dmz]add int g1/0/1
[FW2-zone-dmz]ip route-s 0.0.0.0 0 10.1.1.5
[FW2]ip route-s 0.0.0.0 0 20.1.1.5 preference 70

[FW2]security-policy 
[FW2-policy-security]rule name local_dmz
[FW2-policy-security-rule-local_dmz]source-zone local
[FW2-policy-security-rule-local_dmz]destination-zone dmz
[FW2-policy-security-rule-local_dmz]action permit
[FW2-policy-security-rule-local_dmz]
[FW2-policy-security-rule-local_dmz]rule name trust_untrust
[FW2-policy-security-rule-trust_untrust]source-zone trust
[FW2-policy-security-rule-trust_untrust]destination-zone untrust
[FW2-policy-security-rule-trust_untrust]action permit

[FW2]nat-policy
[FW2-policy-nat]rule name ISP
[FW2-policy-nat-rule-ISP]source-zone trust
[FW2-policy-nat-rule-ISP]destination-zone untrust
[FW2-policy-nat-rule-ISP]source-address 192.168.10.0 24
[FW2-policy-nat-rule-ISP]source-address 192.168.20.0 24
[FW2-policy-nat-rule-ISP]source-address 192.168.30.0 24
[FW2-policy-nat-rule-ISP]source-address 192.168.40.0 24
[FW2-policy-nat-rule-ISP]source-address 192.168.100.0 24
[FW2-policy-nat-rule-ISP]source-address 192.168.101.0 24
[FW2-policy-nat-rule-ISP]source-address 192.168.102.0 24
[FW2-policy-nat-rule-ISP]action source-nat easy-ip

[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]vrrp vrid 200 virtual-ip 192.168.200.254 standby  # this firewall is the standby member of the virtual gateway
[FW2-GigabitEthernet1/0/0]int g1/0/2
[FW2-GigabitEthernet1/0/2]vrrp vrid 20 virtual-ip 20.1.1.254 standby  # VRID and virtual IP must match FW1's group on the 20.1.1.0/24 segment
[FW2-GigabitEthernet1/0/2]int g1/0/3
[FW2-GigabitEthernet1/0/3]vrrp vrid 10 virtual-ip 10.1.1.254 standby  # group 10 pairs with FW1 g1/0/2 on 10.1.1.0/24
[FW2-GigabitEthernet1/0/3]int g1/0/4
[FW2-GigabitEthernet1/0/4]vrrp vrid 201 virtual-ip 192.168.201.254 standby
[FW2-GigabitEthernet1/0/4]
[FW2-GigabitEthernet1/0/4]hrp interface g1/0/1 remote 192.168.1.1
[FW2]
[FW2]hrp en
Info: NAT IP detect function is disabled.
HRP_S[FW2]hrp mirror session enable
HRP_S[FW2]hrp auto-sync
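
An added consistency check, not from the original post, for the VRRP groups that HRP binds on the two firewalls: it parses the interface and vrrp lines transcribed from FW1 and FW2 above (FW1_CONF, FW2_CONF) and flags VRIDs that do not exist on both peers, mismatched virtual IPs, members outside the virtual IP's subnet, a virtual IP claimed under two VRIDs, and missing active/standby pairing. FW2_SWAPPED is a constructed variant with the two ISP-side VRIDs exchanged, to show what the check catches:

```python
"""Consistency check for the VRRP groups HRP binds on FW1 and FW2: each VRID
must exist once per firewall, carry the same virtual IP, sit on an interface in
that virtual IP's subnet, and pair one active with one standby member. A
virtual IP claimed under two VRIDs is flagged too, since that leaves two masters
on one segment. Added example: FW1/FW2 are transcribed from the page, the
swapped variant is constructed."""
import ipaddress
import re
from collections import defaultdict

FW1_CONF = """
interface GigabitEthernet1/0/0
 ip address 192.168.200.1 24
 vrrp vrid 200 virtual-ip 192.168.200.254 active
interface GigabitEthernet1/0/2
 ip address 10.1.1.1 24
 vrrp vrid 10 virtual-ip 10.1.1.254 active
interface GigabitEthernet1/0/3
 ip address 20.1.1.1 24
 vrrp vrid 20 virtual-ip 20.1.1.254 active
interface GigabitEthernet1/0/4
 ip address 192.168.201.1 24
 vrrp vrid 201 virtual-ip 192.168.201.254 active
"""

FW2_CONF = """
interface GigabitEthernet1/0/0
 ip address 192.168.200.3 24
 vrrp vrid 200 virtual-ip 192.168.200.254 standby
interface GigabitEthernet1/0/2
 ip address 20.1.1.2 24
 vrrp vrid 20 virtual-ip 20.1.1.254 standby
interface GigabitEthernet1/0/3
 ip address 10.1.1.2 24
 vrrp vrid 10 virtual-ip 10.1.1.254 standby
interface GigabitEthernet1/0/4
 ip address 192.168.201.3 24
 vrrp vrid 201 virtual-ip 192.168.201.254 standby
"""

# Constructed variant: VRIDs 10 and 20 swapped on the ISP-facing interfaces.
FW2_SWAPPED = (FW2_CONF
               .replace("vrid 20 virtual-ip 20.1.1.254", "vrid 10 virtual-ip 20.1.1.254")
               .replace("vrid 10 virtual-ip 10.1.1.254", "vrid 20 virtual-ip 10.1.1.254"))

IF_RE = re.compile(r"interface (\S+)$")
IP_RE = re.compile(r"ip address (\S+) (\d+)$")
VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$")

def parse_vrrp(fw, conf):
    """Return one dict per 'vrrp vrid ... active|standby' line of a firewall."""
    members, iface, addr = [], None, None
    for raw in conf.splitlines():
        line = raw.strip()
        m = IF_RE.match(line)
        if m:
            iface, addr = m.group(1), None
            continue
        m = IP_RE.match(line)
        if m:
            addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = VRRP_RE.match(line)
        if m:
            members.append({"fw": fw, "iface": iface, "addr": addr,
                            "vrid": int(m.group(1)),
                            "vip": ipaddress.ip_address(m.group(2)),
                            "role": m.group(3)})
    return members

def check_pair(conf_a, conf_b):
    """Return a list of problem strings; an empty list means the pair is consistent."""
    members = parse_vrrp("FW1", conf_a) + parse_vrrp("FW2", conf_b)
    by_vrid, by_vip = defaultdict(list), defaultdict(set)
    for m in members:
        by_vrid[m["vrid"]].append(m)
        by_vip[m["vip"]].add(m["vrid"])
    problems = []
    for vrid, ms in sorted(by_vrid.items()):
        if len(ms) != 2 or ms[0]["fw"] == ms[1]["fw"]:
            problems.append(f"vrid {vrid}: expected one member on each firewall")
            continue
        a, b = ms
        if a["vip"] != b["vip"]:
            problems.append(f"vrid {vrid}: virtual-ip differs ({a['vip']} vs {b['vip']})")
        for m in ms:
            if m["addr"] is None or m["vip"] not in m["addr"].network:
                problems.append(f"vrid {vrid}: {m['fw']} {m['iface']} is not in the subnet of {m['vip']}")
        if {a["role"], b["role"]} != {"active", "standby"}:
            problems.append(f"vrid {vrid}: need exactly one active and one standby member")
    for vip, vrids in sorted(by_vip.items()):
        if len(vrids) > 1:
            problems.append(f"virtual-ip {vip} is claimed by vrids {sorted(vrids)}")
    return problems
```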



9. Configuration of ISP1, ISP2 and core switch interfaces connected to FW1 and FW2:

LW1: uplink interfaces toward the firewalls
[LW1]int vlan 200
[LW1-Vlanif200]ip add 192.168.200.2 24
[LW1-Vlanif200]int v 201
[LW1-Vlanif201]ip add 192.168.201.2 24
[LW1-Vlanif201]int g0/0/1
[LW1-GigabitEthernet0/0/1]po link-ty ac
[LW1-GigabitEthernet0/0/1]po de vlan 200
[LW1-GigabitEthernet0/0/1]int g0/0/2
[LW1-GigabitEthernet0/0/2]po link-ty ac
[LW1-GigabitEthernet0/0/2]po de vlan 201
[LW1-GigabitEthernet0/0/2]ip route-s 0.0.0.0 0 192.168.200.254  # default route on the uplink toward FW1's virtual gateway
[LW1]ip route-s 0.0.0.0 0 192.168.201.254 pre 70  # backup default route on the uplink toward FW2's virtual gateway

LW2: uplink interfaces toward the firewalls
[LW2]int vlan 200
[LW2-Vlanif200]ip add 192.168.200.4 24
[LW2-Vlanif200]int v 201
[LW2-Vlanif201]ip add 192.168.201.4 24
[LW2-Vlanif201]int g0/0/1
[LW2-GigabitEthernet0/0/1]po link-ty ac
[LW2-GigabitEthernet0/0/1]po de vlan 200
[LW2-GigabitEthernet0/0/1]int g0/0/2
[LW2-GigabitEthernet0/0/2]po link-ty ac
[LW2-GigabitEthernet0/0/2]po de vlan 201
[LW2-GigabitEthernet0/0/2]ip route-s 0.0.0.0 0 192.168.201.254 
[LW2]ip route-s 0.0.0.0 0 192.168.200.254 pre 70

LSP1:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]sys LSP1
[LSP1]
[LSP1]int g0/0/0
[LSP1-GigabitEthernet0/0/0]
[LSP1-GigabitEthernet0/0/0]ip add 10.1.1.5 24
[LSP1-GigabitEthernet0/0/0]
[LSP1-GigabitEthernet0/0/0]int loopback 0  # loopback interface (used as a test target)
[LSP1-LoopBack0]
[LSP1-LoopBack0]ip add 5.5.5.5 32
[LSP1-LoopBack0]ip route-s 0.0.0.0 0 10.1.1.254  # default route on the downlink toward the firewalls' virtual gateway

LSP2:
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]sys LSP2
[LSP2]
[LSP2]int g0/0/0
[LSP2-GigabitEthernet0/0/0]
[LSP2-GigabitEthernet0/0/0]ip add 20.1.1.5 24
[LSP2-GigabitEthernet0/0/0]
[LSP2-GigabitEthernet0/0/0]int loopback 0
[LSP2-LoopBack0]
[LSP2-LoopBack0]ip add 6.6.6.6 32
[LSP2-LoopBack0]ip route-s 0.0.0.0 0 20.1.1.254

10. OSPF configuration:

LW1:
[LW1]ospf router-id 1.1.1.1  # router ID; must be unique, chosen for easy identification
[LW1-ospf-1]area 0
[LW1-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255  # advertise this network
[LW1-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[LW1-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[LW1-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[LW1-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[LW1-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
[LW1-ospf-1-area-0.0.0.0]net 192.168.201.0 0.0.0.255
[LW1-ospf-1-area-0.0.0.0]

LW2:
[LW2]ospf router-id 2.2.2.2
[LW2-ospf-1]area 0
[LW2-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[LW2-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[LW2-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[LW2-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[LW2-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[LW2-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
[LW2-ospf-1-area-0.0.0.0]net 192.168.201.0 0.0.0.255

FW1:
HRP_M[FW1]ospf router-id 3.3.3.3
HRP_M[FW1-ospf-1]area 0 
HRP_M[FW1-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
HRP_M[FW1-ospf-1-area-0.0.0.0]net 192.168.201.0 0.0.0.255

FW2:
HRP_M[FW2]ospf router-id 4.4.4.4
HRP_M[FW2-ospf-1]area 0 
HRP_M[FW2-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
HRP_M[FW2-ospf-1-area-0.0.0.0]net 192.168.201.0 0.0.0.255

11. WLAN configuration:

LW2:
[LW2]int v 100
[LW2-Vlanif100]ip add 192.168.100.1 24
[LW2-Vlanif100]dhcp sel global
[LW2-Vlanif100]
[LW2-Vlanif100]int v 101
[LW2-Vlanif101]ip add 192.168.101.1 24
[LW2-Vlanif101]dhcp sel global
[LW2-Vlanif101] 
[LW2-Vlanif101]int v 102
[LW2-Vlanif102]ip add 192.168.102.1 24
[LW2-Vlanif102]dhcp sel global
[LW2-Vlanif102]
[LW2-Vlanif102]ip pool AP_GL
Info:It's successful to create an IP address pool.
[LW2-ip-pool-ap_gl]gateway-list 192.168.100.1
[LW2-ip-pool-ap_gl]network 192.168.100.0 mask 24
[LW2-ip-pool-ap_gl]excluded-ip-address 192.168.100.254
[LW2-ip-pool-ap_gl]
[LW2-ip-pool-ap_gl]ip pool AP_YW1
Info:It's successful to create an IP address pool.
[LW2-ip-pool-ap_yw1]gateway-list 192.168.101.1
[LW2-ip-pool-ap_yw1]network 192.168.101.0 mask 24
[LW2-ip-pool-ap_yw1]
[LW2-ip-pool-ap_yw1]ip pool AP_YW2
Info:It's successful to create an IP address pool.
[LW2-ip-pool-ap_yw2]gateway-list 192.168.102.1
[LW2-ip-pool-ap_yw2]network 192.168.102.0 mask 24
[LW2]INT G0/0/11
[LW2-GigabitEthernet0/0/11]po link-ty tr
[LW2-GigabitEthernet0/0/11]po tr allow-pass vlan all

AC configuration:
<AC6005>sy
Enter system view, return user view with Ctrl+Z.
[AC6005]vlan b 100 101 102
Info: This operation may take a few seconds. Please wait for a moment...done.
[AC6005]int g0/0/1
[AC6005-GigabitEthernet0/0/1]port link-ty tr
[AC6005-GigabitEthernet0/0/1]po tr allow-pass vlan all
[AC6005]int v 100
[AC6005-Vlanif100]ip add 192.168.100.254 24
[AC6005]capwap source interface Vlanif 100  # source interface for the CAPWAP tunnel

[AC6005]wlan  # enter the WLAN view
[AC6005-wlan-view]regulatory-domain-profile name d1  # create regulatory-domain profile d1
[AC6005-wlan-regulate-domain-d1]country-code cn  # country code CN
[AC6005-wlan-view]regulatory-domain-profile name d2
[AC6005-wlan-regulate-domain-d2]country-code cn
[AC6005-wlan-view]ap-group name ap1  # create AP group ap1
[AC6005-wlan-ap-group-ap1]regulatory-domain-profile d1  # bind the regulatory-domain profile to the group
[AC6005-wlan-view]ap-group name ap2
[AC6005-wlan-ap-group-ap2]regulatory-domain-profile d2

[AC6005-wlan-view]ap auth-mode mac-auth  # authenticate APs by MAC address
[AC6005-wlan-view]ap-id 0 ap-mac 00E0-FC22-11A0  # bind the AP's MAC address
[AC6005-wlan-ap-0]ap-name area0  # name this AP area0
[AC6005-wlan-ap-0]ap-group ap1  # put the AP in group ap1

[AC6005-wlan-view]ap-id 1 ap-mac 00E0-FC22-11A1
[AC6005-wlan-ap-1]ap-name area1
[AC6005-wlan-ap-1]ap-group ap2

[AC6005-wlan-view]ap-id 2 ap-mac 00E0-FC22-11A2
[AC6005-wlan-ap-2]ap-name area2
[AC6005-wlan-ap-2]ap-group ap2

[AC6005-wlan-view]ap-id 3 ap-mac 00E0-FC22-11A3
[AC6005-wlan-ap-3]ap-name area3
[AC6005-wlan-ap-3]ap-group ap2

[AC6005-wlan-view]security-profile name s1  # security profile s1
[AC6005-wlan-sec-prof-s1]security open  # open system, no password (reception room SSID)
[AC6005-wlan-view]security-profile name s2
[AC6005-wlan-sec-prof-s2]security wpa-wpa2 psk pass-phrase 12345678 aes  # WPA/WPA2-PSK with AES for the department SSID

[AC6005-wlan-view]ssid-profile name ssid1  # SSID profile
[AC6005-wlan-ssid-prof-ssid1]ssid huike
[AC6005-wlan-view]ssid-profile name ssid2
[AC6005-wlan-ssid-prof-ssid2]ssid bumen

[AC6005-wlan-view]vap-profile name vap1  # VAP profile
[AC6005-wlan-vap-prof-vap1]forward-mode tunnel  # tunnel forwarding mode (user traffic goes through the CAPWAP tunnel)
[AC6005-wlan-vap-prof-vap1]service-vlan vlan-id 101  # clients of this VAP are placed in VLAN 101
[AC6005-wlan-vap-prof-vap1]security-profile s1  # bind the security profile
[AC6005-wlan-vap-prof-vap1]ssid-profile ssid1  # bind the SSID profile
[AC6005-wlan-view]vap-profile name vap2
[AC6005-wlan-vap-prof-vap2]forward-mode tunnel
[AC6005-wlan-vap-prof-vap2]service-vlan vlan-id 102
[AC6005-wlan-vap-prof-vap2]security-profile s2
[AC6005-wlan-vap-prof-vap2]ssid-profile ssid2

[AC6005-wlan-view]ap-group name ap1
[AC6005-wlan-ap-group-ap1]vap-profile vap1 wlan 1 radio all  # bind vap1 to group ap1 on all radios
[AC6005-wlan-view]ap-group name ap2
[AC6005-wlan-ap-group-ap2]vap-profile vap2 wlan 1 radio all 




12. Some functional tests:

(Screenshots of the functional tests are not preserved in this copy of the post.)

Summary

This experiment covers a lot of content; in fact it is not limited to dual-machine hot backup technology. It took about a week to finish, and a lot of that time went into troubleshooting. I also borrowed ideas from several experts on CSDN. But there are a few parts I still cannot figure out:

1. After the WLAN is up, the tunnel between the AC and the AP is established and the AP can obtain a management address from the AC, but STAs cannot obtain an address from the STA pool automatically. When I configure only the WLAN on separate devices, without any other configuration, all devices work normally. I searched for information for a long time, and it is said to be caused by a bug in the eNSP software, with tunnel forwarding being unstable. If someone knows, I hope they can give pointers.

2. The DHCP server goes up and down, and sometimes clients cannot obtain an address. I did not find an STP loop when capturing packets, but sometimes I cannot ping the address of the DHCP server's outbound interface.

Origin blog.csdn.net/m0_63775189/article/details/126847451