Dual-Device Hot Standby in an Off-Path (Side-Attached) Deployment

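Lab topology and requirements

Requirements analysis

1. Dual-device hot standby and load sharing are required, so SW1 and SW2 each need to be split into two parts, VRF and PUBLIC; eight VRRP groups are needed between FW1, FW2 and SW1, SW2.

2. Intelligent path selection is required, with master and backup devices and priorities configured.

3. Full network connectivity is required, using OSPF and static routes.

Configuration

IP address and gateway configuration for each device is omitted.

SW3 (master gateway):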

[SW3]vlan batch 2 3
[SW3]int g0/0/3
[SW3-GigabitEthernet0/0/3]po li t
[SW3-GigabitEthernet0/0/3]po t all v 2 3
[SW3-GigabitEthernet0/0/3]dis this   ---view the interface configuration
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
return
 
[SW3-GigabitEthernet0/0/3]int g0/0/4
[SW3-GigabitEthernet0/0/4]po li t
[SW3-GigabitEthernet0/0/4]po t all v 2 3
[SW3-GigabitEthernet0/0/4]dis this   ---view the interface configuration
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
return
 
[SW3]stp enable   ---spanning tree configuration
[SW3]stp mode mstp
[SW3]stp region-configuration
[SW3-mst-region]region-name aa   ---region name
[SW3-mst-region]instance 1 vlan 2   ---instance 1 maps VLAN 2
[SW3-mst-region]instance 2 vlan 3   ---instance 2 maps VLAN 3
[SW3-mst-region]active region-configuration   ---activate the configuration
[SW3]stp instance 1 root primary   ---primary root for instance 1
[SW3]stp instance 2 root secondary    ---secondary (backup) root for instance 2
 
 
[SW3]interface Vlanif 2   ---IP address plan
turned into UP state.
[SW3-Vlanif2]ip add 192.168.2.1 24
[SW3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[SW3-Vlanif2]vrrp vrid 1 priority 120
[SW3-Vlanif2]vrrp vrid 1 preempt-mode timer delay 20   ---preemption delay
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
[SW3]interface Vlanif 3
[SW3-Vlanif3]ip add 192.168.3.1 24
[SW3-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
 
 
 

SW4:

[SW4]vlan batch 2 3
[SW4]int g0/0/3
[SW4-GigabitEthernet0/0/3]po li t
[SW4-GigabitEthernet0/0/3]po t all v 2 3
[SW4-GigabitEthernet0/0/3]int g0/0/4
[SW4-GigabitEthernet0/0/4]po li t
[SW4-GigabitEthernet0/0/4]po t all v 2 3
 
[SW4]stp enable 
[SW4]stp mode mstp 
[SW4]stp region-configuration 
[SW4-mst-region]region-name aa
[SW4-mst-region]instance 1 vlan 2
[SW4-mst-region]instance 2 vlan 3
[SW4-mst-region]active region-configuration 
[SW4]stp instance 1 root secondary 
[SW4]stp instance 2 root primary 
 
[SW4]interface Vlanif 2
[SW4-Vlanif2]ip add 192.168.2.2 24
[SW4-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[SW4]interface Vlanif 3
[SW4-Vlanif3]ip add 192.168.3.2 24
[SW4-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3
[SW4-Vlanif3]vrrp vrid 1 priority 120
[SW4-Vlanif3]vrrp vrid 1 preempt-mode timer delay 20
[SW4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[SW4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
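
An added example (not part of the original post) that parses the VRRP priority and track commands from the SW3/SW4 sessions above and works out which switch is master for each VLAN as tracked uplinks fail. It assumes the VRRP default priority of 100 for a group with no priority command and that preemption is active on both peers; the function names are illustrative.

```python
import re
from itertools import combinations
DEFAULT_PRIORITY = 100  # VRRP priority when no "priority" command is configured
# Constructed sample condensed from the SW3/SW4 sessions above (virtual-ip lines omitted).
CONFIG = {
    "SW3": """interface Vlanif 2
 vrrp vrid 1 priority 120
 vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
 vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
interface Vlanif 3
""",
    "SW4": """interface Vlanif 2
interface Vlanif 3
 vrrp vrid 1 priority 120
 vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
 vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
""",
}
TRACK = re.compile(r"vrrp vrid \d+ track interface (\S+) ?(\S+) reduced (\d+)$")

def parse(text):  # -> {vlanif: {"priority": int, "tracks": {interface: reduction}}}
    groups, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"interface Vlanif ?(\d+)$", line):
            cur = groups.setdefault(
                "Vlanif" + m.group(1), {"priority": DEFAULT_PRIORITY, "tracks": {}})
        elif cur is not None and (m := re.match(r"vrrp vrid \d+ priority (\d+)$", line)):
            cur["priority"] = int(m.group(1))
        elif cur is not None and (m := TRACK.match(line)):
            cur["tracks"][m.group(1) + m.group(2)] = int(m.group(3))
    return groups

def elect(vlanif, down):
    """down: switch -> failed tracked interfaces. Equal priorities are reported as "tie"."""
    prios = {}
    for sw, text in CONFIG.items():
        g = parse(text)[vlanif]
        prios[sw] = g["priority"] - sum(c for i, c in g["tracks"].items() if i in down.get(sw, ()))
    winners = [sw for sw, p in prios.items() if p == max(prios.values())]
    return (winners[0] if len(winners) == 1 else "tie"), prios

def failover_table(vlanif, owner):
    """Fail every combination of tracked uplinks on the configured master."""
    tracked = sorted(parse(CONFIG[owner])[vlanif]["tracks"])
    return [(d, *elect(vlanif, {owner: set(d)}))
            for n in range(len(tracked) + 1) for d in combinations(tracked, n)]

if __name__ == "__main__":
    print(*failover_table("Vlanif2", "SW3"), *failover_table("Vlanif3", "SW4"), sep="\n")
```

With a base priority of 120 and a reduction of 15 per tracked uplink, losing one uplink leaves the master at 105 and the gateway does not move; only the loss of both uplinks (90) hands the virtual IP to the peer.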
 
 
 

SW5:

[SW5]vlan batch 2 3
[SW5]int g0/0/3
[SW5-GigabitEthernet0/0/3]po li a
[SW5-GigabitEthernet0/0/3]po de v 2
[SW5-GigabitEthernet0/0/3]int g 0/0/4
[SW5-GigabitEthernet0/0/4]po li a
[SW5-GigabitEthernet0/0/4]po de v 3
[SW5-GigabitEthernet0/0/4]int g0/0/1
[SW5-GigabitEthernet0/0/1]po li t
[SW5-GigabitEthernet0/0/1]po t all v 2 3
[SW5-GigabitEthernet0/0/1]int g0/0/2
[SW5-GigabitEthernet0/0/2]po li t
[SW5-GigabitEthernet0/0/2]po t all v 2 3
[SW5]stp mode mstp
[SW5]stp enable 
[SW5]stp region-configuration 
[SW5-mst-region]region-name aa
[SW5-mst-region]instance 1 vlan 2
[SW5-mst-region]instance 2 vlan 3
[SW5-mst-region]active region-configuration 
Aggregation-to-core layer routing configuration
SW1-SW2 : VLAN 102---10.10.2.0/24
SW1-SW3 : VLAN 103---10.10.3.0/24
SW1-SW4 : VLAN 104---10.10.4.0/24
SW2-SW3 : VLAN 203---10.20.3.0/24
SW2-SW4 : VLAN 204---10.20.4.0/24

SW3:

[SW3]vlan batch 103 203   ---create the VLANs
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]po li a
[SW3-GigabitEthernet0/0/1]po de v 103
[SW3-GigabitEthernet0/0/1]undo stp enable
[SW3-GigabitEthernet0/0/1]int g0/0/2
[SW3-GigabitEthernet0/0/2]po li a
[SW3-GigabitEthernet0/0/2]po de v 203
[SW3-GigabitEthernet0/0/2]undo stp enable 
[SW3]interface Vlanif 103
[SW3-Vlanif103]ip add 10.10.3.3 24
[SW3]interface Vlanif 203
[SW3-Vlanif203]ip add 10.20.3.3 24
 
[SW3]ospf 1 router-id 3.3.3.3   ---ospf
[SW3-ospf-1]a 0
[SW3-ospf-1-area-0.0.0.0]network 10.20.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 10.10.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 192.168.2.1 0.0.0.0	
[SW3-ospf-1-area-0.0.0.0]network 192.168.3.1 0.0.0.0
[SW3-ospf-1]silent-interface Vlanif 2 
[SW3-ospf-1]silent-interface Vlanif 3
 

SW4:

[SW4]vlan batch 104 204
[SW4]int g0/0/1
[SW4-GigabitEthernet0/0/1]po li a
[SW4-GigabitEthernet0/0/1]po de v 204
[SW4-GigabitEthernet0/0/1]int g0/0/2
[SW4-GigabitEthernet0/0/2]po li a
[SW4-GigabitEthernet0/0/2]po de v 104
[SW4]int g0/0/1
[SW4-GigabitEthernet0/0/1]undo stp enable 
[SW4-GigabitEthernet0/0/1]int g0/0/2
[SW4-GigabitEthernet0/0/2]undo stp enable
 
[SW4]int v 104
[SW4-Vlanif104]ip add 10.10.4.4 24
[SW4-Vlanif104]int v 204
[SW4-Vlanif204]ip add 10.20.4.4 24
 
[SW4]ospf 1 router-id 4.4.4.4
[SW4-ospf-1]a 0
[SW4-ospf-1-area-0.0.0.0]network 10.10.4.4 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 10.20.4.4 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 192.168.2.2 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 192.168.3.2 0.0.0.0
[SW4-ospf-1]silent-interface Vlanif 2
[SW4-ospf-1]silent-interface Vlanif 3

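Because SW1 and SW2 each need to be split into two logical devices that connect to the upstream and downstream devices respectively, a VRF space must be created first; GE0/0/3-GE0/0/6 are the interfaces that belong to this space.

VRF space configuration:

          Name: VRF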

          RD : 100:1

          RT : 100:1

SW1:

[SW1]ip vpn-instance VRF   ---create the VRF space
[SW1-vpn-instance-VRF]route-distinguisher 100:1   ---set the RD value
[SW1-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both    ---set the RT value
 
[SW1]vlan batch 102 103 104
[SW1]int g 0/0/5
[SW1-GigabitEthernet0/0/5]po li a
[SW1-GigabitEthernet0/0/5]po de v 103
[SW1-GigabitEthernet0/0/5]undo stp enable 
[SW1-GigabitEthernet0/0/5]int g0/0/6
[SW1-GigabitEthernet0/0/6]po li a
[SW1-GigabitEthernet0/0/6]po de v 104
[SW1-GigabitEthernet0/0/6]undo stp enable 
[SW1]int g0/0/4
[SW1-GigabitEthernet0/0/4]po li t   ---access cannot be used here
[SW1-GigabitEthernet0/0/4]undo po t all v 1
[SW1-GigabitEthernet0/0/4]po t all v 102
[SW1-GigabitEthernet0/0/4]undo stp enable 
 
[SW1]interface Vlanif 102
[SW1-Vlanif102]ip binding vpn-instance VRF   ---place the interface into the VRF virtual switch; run this before any other configuration on the interface
[SW1-Vlanif102]ip add 10.10.2.1 24
[SW1]interface Vlanif 103
[SW1-Vlanif103]ip binding vpn-instance VRF
[SW1-Vlanif103]ip add 10.10.3.1 24
[SW1]interface Vlanif 104
[SW1-Vlanif104]ip binding vpn-instance VRF
[SW1-Vlanif104]ip add 10.10.4.1 24
 
[SW1]ospf 1 router-id 1.1.1.1 vpn-instance VRF
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]network 10.10.2.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.10.3.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.10.4.1 0.0.0.0

SW2:

[SW2]ip vpn-instance VRF
[SW2-vpn-instance-VRF]route-distinguisher 100:1
[SW2-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both 
 
[SW2]vlan batch 102 203 204
[SW2]int g0/0/5
[SW2-GigabitEthernet0/0/5]po li a
[SW2-GigabitEthernet0/0/5]po de v 204
[SW2-GigabitEthernet0/0/5]undo stp enable 
[SW2-GigabitEthernet0/0/5]int g0/0/6
[SW2-GigabitEthernet0/0/6]po li a
[SW2-GigabitEthernet0/0/6]po de v 203
[SW2-GigabitEthernet0/0/6]undo stp enable 
[SW2-GigabitEthernet0/0/6]int g 0/0/4
[SW2-GigabitEthernet0/0/4]po li t
[SW2-GigabitEthernet0/0/4]po t all v 102
[SW2-GigabitEthernet0/0/4]undo po t all v 1
[SW2-GigabitEthernet0/0/4]undo stp enable
 
 
[SW2]int v 102
[SW2-Vlanif102]ip binding vpn-instance VRF
[SW2-Vlanif102]ip add 10.10.2.2 24
[SW2]int v 203
[SW2-Vlanif203]ip binding vpn-instance VRF
[SW2-Vlanif203]ip add 10.20.3.2 24
[SW2-Vlanif203]int v 204
[SW2-Vlanif204]ip binding vpn-instance VRF
[SW2-Vlanif204]ip add 10.20.4.2 24
 
[SW2]ospf 1 router-id 2.2.2.2 vpn-instance VRF	
[SW2-ospf-1]area 0
[SW2-ospf-1-area-0.0.0.0]network 10.10.2.2 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]network 10.20.3.2 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]network 10.20.4.2 0.0.0.0

Routing policy configuration

[SW3]ospf 1
[SW3-ospf-1]a 0
[SW3-ospf-1-area-0.0.0.0]undo network 192.168.2.1 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]undo network 192.168.3.1 0.0.0.0
[SW3-ospf-1]dis th
#
ospf 1 router-id 3.3.3.3
 silent-interface Vlanif2
 silent-interface Vlanif3
 area 0.0.0.0
  network 10.20.3.3 0.0.0.0
  network 10.10.3.3 0.0.0.0
 
 
1. Match the traffic
[SW3]ip ip-prefix aa permit 192.168.3.0 24
[SW3]ip ip-prefix bb permit 192.168.2.0 24
 
2. Define the policy
[SW3]route-policy aa permit node 10
[SW3-route-policy]if-match ip-prefix aa
[SW3-route-policy]apply cost 5
[SW3]route-policy aa permit node 20
[SW3-route-policy]if-match ip-prefix bb
 
3. Apply it
[SW3]ospf 1
[SW3-ospf-1]import-route direct route-policy aa
 

sw4

[SW4]ospf 1
[SW4-ospf-1-area-0.0.0.0]undo network 192.168.2.2 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]undo network 192.168.3.2 0.0.0.0
[SW4-ospf-1]dis th
#
ospf 1 router-id 4.4.4.4
 silent-interface Vlanif2
 silent-interface Vlanif3
 area 0.0.0.0
  network 10.10.4.4 0.0.0.0
  network 10.20.4.4 0.0.0.0
#
return
1. Match the traffic
[SW4]ip ip-prefix aa permit 192.168.2.0 24
[SW4]ip ip-prefix bb permit 192.168.3.0 24
 
2. Define the policy
[SW4]route-policy aa permit node 10
[SW4-route-policy]if-match ip-prefix aa
[SW4-route-policy]apply cost 5
[SW4]route-policy aa permit node 20
[SW4-route-policy]if-match ip-prefix bb
 
3. Apply it
[SW4]ospf 1
[SW4-ospf-1]import-route direct route-policy aa

sw1 sw2

SW1:
[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200   ---upstream route
[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200 preference 70
[SW1]ip route-static 192.168.0.0 16 10.40.3.200   ---downstream route
[SW1]ip route-static 192.168.0.0 16 10.40.4.200 preference 70
 
 
SW2:
[SW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200
[SW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200 preference 70
[SW2]ip route-static 192.168.0.0 16 10.40.4.200
[SW2]ip route-static 192.168.0.0 16 10.40.3.200 preference 70

Activating the firewall physical interfaces:

HRP_M[FW1]int g 1/0/2 (+B)
HRP_M[FW1-GigabitEthernet1/0/2]ip add 1.1.1.1 24
HRP_M[FW1-GigabitEthernet1/0/2]undo ip add
HRP_M[FW1]int g 1/0/3 (+B)
HRP_M[FW1-GigabitEthernet1/0/3]ip add 1.1.1.1 24
HRP_M[FW1-GigabitEthernet1/0/3]undo ip add

Outermost network

R5:

[R5]int g 0/0/2
[R5-GigabitEthernet0/0/2]ip add 12.0.0.5 24
[R5]ip route-static 0.0.0.0 0 12.0.0.100
[R5]ospf 1
[R5-ospf-1]default-route-advertise
[R5]acl 2000
[R5-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R5]int g0/0/2
[R5-GigabitEthernet0/0/2]nat outbound 2000

r6

[R6]int g 0/0/2
[R6-GigabitEthernet0/0/2]ip add 13.0.0.6 24
[R6]ip route-static 0.0.0.0 0 13.0.0.100
[R6]ospf 1
[R6-ospf-1]default-route-advertise
[R6-ospf-1]q
[R6]acl 2000
[R6-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R6-acl-basic-2000]q
[R6]int g0/0/2
[R6-GigabitEthernet0/0/2]nat outbound 2000

ISP

[ISP]int g 0/0/0
[ISP-GigabitEthernet0/0/0]ip add 12.0.0.100 24
[ISP-GigabitEthernet0/0/0]int g 0/0/1
[ISP-GigabitEthernet0/0/1]ip add 13.0.0.100 24
[ISP]interface LoopBack 0
[ISP-LoopBack0]ip add 100.1.1.1 24
