路由策略版:mstp +vrrp +双线nat
拓扑
使用技术
使用到的技术:
单区域ospf
dhcp
nat
mstp
vrrp+track
端口聚合
nqa+路由策略
接入层
jieruA
# jieruA: access-layer switch. Creates VLANs 10/20/30/40, assigns two access ports,
# trunks e0/0/3 and e0/0/4, and joins MSTP region "wlgc".
sys
sysname jieruA
# Create the VLANs
vlan batch 10 20 30 40
# Port assignment: e0/0/1 -> VLAN 10 and e0/0/2 -> VLAN 20 as access ports.
# NOTE(review): these look like host-facing ports (the page tests with PCs). Nothing here
# enables "stp edged-port enable" with "stp bpdu-protection", or DHCP snooping, so BPDUs and
# DHCP server replies arriving on a host port are not filtered. Worth adding outside a lab.
int e0/0/1
port link-type access
port default vlan 10
int e0/0/2
port link-type access
port default vlan 20
# e0/0/3 and e0/0/4 are trunks (presumably the uplinks to coreA and coreB; the topology
# image is not on the page).
# NOTE(review): "allow-pass vlan all" carries every VLAN, not just the four defined above;
# listing 10 20 30 40 explicitly, as Eth-Trunk 1 on the core switches does, keeps unused
# VLANs off the uplinks.
int e0/0/3
port link-type trunk
port trunk allow-pass vlan all
int e0/0/4
port link-type trunk
port trunk allow-pass vlan all
# MSTP: region name and VLAN-to-instance mapping (instance 1 = VLAN 10/30,
# instance 2 = VLAN 20/40) are the same on all four switches on this page, which is
# required for them to form one MST region.
stp region-configuration
region-name wlgc
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
jieruB
# jieruB: access-layer switch. Same layout as jieruA, but its access ports serve
# VLAN 30 and VLAN 40.
sys
sysname jieruB
# Create the VLANs
vlan batch 10 20 30 40
# Port assignment: e0/0/1 -> VLAN 30 and e0/0/2 -> VLAN 40 as access ports.
# NOTE(review): no "stp edged-port enable" / "stp bpdu-protection" and no DHCP snooping on
# these host-facing ports, so BPDUs and DHCP server replies from a host are not filtered.
int e0/0/1
port link-type access
port default vlan 30
int e0/0/2
port link-type access
port default vlan 40
# e0/0/3 and e0/0/4 are trunks (presumably the uplinks to the two core switches).
# NOTE(review): "allow-pass vlan all" carries every VLAN; restricting the list to
# 10 20 30 40 would match what the design actually uses.
int e0/0/3
port link-type trunk
port trunk allow-pass vlan all
int e0/0/4
port link-type trunk
port trunk allow-pass vlan all
# MSTP: same region name and VLAN-to-instance mapping as the other switches on this page
stp region-configuration
region-name wlgc
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
核心层
coreA
# coreA: core switch. MSTP primary root for instance 1 (VLAN 10/30) and the higher-priority
# VRRP router for VLAN 10/30; uplink in VLAN 50; OSPF area 0; DHCP server for VLAN 10/20.
sys
sysname coreA
# Create the VLANs (50 is the uplink VLAN used by VLANIF 50 below)
vlan batch 10 20 30 40 50
# Port assignment: g0/0/2 is the uplink access port in VLAN 50
# (VLANIF 50 shares a /24 with ARA g0/0/2, 192.168.252.2)
int g0/0/2
port link-type access
port default vlan 50
# g0/0/3 and g0/0/4 are trunks (presumably towards the access switches).
# NOTE(review): "allow-pass vlan all" also carries uplink VLAN 50 down these trunks;
# limiting them to 10 20 30 40 keeps the routed uplink VLAN off the access layer.
int g0/0/3
port link-type trunk
port trunk allow-pass vlan all
int g0/0/4
port link-type trunk
port trunk allow-pass vlan all
# Link aggregation: Eth-Trunk 1 carries only the four user VLANs
# (presumably the inter-core link; coreB has the matching configuration)
int Eth-Trunk 1
port link-type trunk
port trunk allow-pass vlan 10 20 30 40
# Add the member ports to Eth-Trunk 1
int g0/0/23
eth-trunk 1
int g0/0/24
eth-trunk 1
# MSTP region: must match the access switches and coreB
stp region-configuration
region-name wlgc
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
quit
# MSTP root bridge selection: primary for instance 1, secondary for instance 2.
# This lines up with the VRRP priorities below (VLAN 10/30 preferred on coreA).
stp instance 1 root primary
stp instance 2 root secondary
# VRRP configuration. The virtual IP x.x.x.254 is the gateway handed out by DHCP below.
# NOTE(review): no "vrrp vrid ... authentication-mode" is set on any group, so VRRP
# advertisements on the user VLANs are accepted unauthenticated. Confirm that is acceptable.
int vlan 10
ip address 192.168.10.252 24
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 110
# Track the uplink: when the directly connected interface (a port on this device) goes
# down, lower this group's priority by 50
vrrp vrid 10 track interface g0/0/2 reduced 50
# VLAN 20: no priority line, so the VRRP default applies (coreB sets 110 for this group)
int vlan 20
ip address 192.168.20.252 24
vrrp vrid 20 virtual-ip 192.168.20.254
# Track the uplink: when the directly connected interface goes down, lower the priority by 50
vrrp vrid 20 track interface g0/0/2 reduced 50
int vlan 30
ip address 192.168.30.252 24
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 110
# Track the uplink: when the directly connected interface goes down, lower the priority by 50
vrrp vrid 30 track interface g0/0/2 reduced 50
# VLAN 40: no priority line, so the VRRP default applies (coreB sets 110 for this group)
int vlan 40
ip address 192.168.40.252 24
vrrp vrid 40 virtual-ip 192.168.40.254
# Track the uplink: when the directly connected interface goes down, lower the priority by 50
vrrp vrid 40 track interface g0/0/2 reduced 50
## After this step, run "display ip int brief" to check the VLANIF addresses,
## and also verify that PCs in different VLANs can reach each other
# Uplink VLANIF
int vlan 50
ip address 192.168.252.1 24
# OSPF configuration
# NOTE(review): "network 0.0.0.0 255.255.255.255" enables OSPF on every interface,
# including the user VLANIFs 10-40, and no OSPF authentication is configured. Hosts on
# those VLANs will see OSPF hellos. Consider "silent-interface" for the user VLANIFs and
# authentication on the uplink.
ospf 100 router-id 1.1.1.1
area 0
network 0.0.0.0 255.255.255.255
# DHCP: must be configured on both core switches
# NOTE(review): only VLAN 10 and VLAN 20 get pools here; VLAN 30/40 have none on this page.
# NOTE(review): coreA and coreB define identical pools for the same subnets, and the pool
# range includes the peer's VLANIF address (.253). Verify how duplicate leases are avoided,
# e.g. by splitting the range per switch with "excluded-ip-address".
dhcp enable
ip pool dhcp10
dns-list 8.8.8.8
gateway-list 192.168.10.254
# Subnet served by this pool
network 192.168.10.0 mask 24
# Apply the global pool on the VLANIF
int vlan 10
dhcp select global
ip pool dhcp20
dns-list 8.8.8.8
gateway-list 192.168.20.254
# Subnet served by this pool
network 192.168.20.0 mask 24
# Apply the global pool on the VLANIF
int vlan 20
dhcp select global
coreB
# coreB: core switch. Mirror of coreA: MSTP primary root for instance 2 (VLAN 20/40) and
# the higher-priority VRRP router for VLAN 20/40; uplink in VLAN 60.
sys
sysname coreB
# Create the VLANs (60 is the uplink VLAN used by VLANIF 60 below)
vlan batch 10 20 30 40 60
# Port assignment: g0/0/1 is the uplink access port in VLAN 60
# (VLANIF 60 shares a /24 with ARB g0/0/1, 192.168.253.2)
int g0/0/1
port link-type access
port default vlan 60
# g0/0/3 and g0/0/4 are trunks (presumably towards the access switches).
# NOTE(review): "allow-pass vlan all" also carries uplink VLAN 60 down these trunks;
# limiting them to 10 20 30 40 keeps the routed uplink VLAN off the access layer.
int g0/0/3
port link-type trunk
port trunk allow-pass vlan all
int g0/0/4
port link-type trunk
port trunk allow-pass vlan all
# Link aggregation: Eth-Trunk 1 carries only the four user VLANs
int Eth-Trunk 1
port link-type trunk
port trunk allow-pass vlan 10 20 30 40
# Add the member ports to Eth-Trunk 1
int g0/0/23
eth-trunk 1
int g0/0/24
eth-trunk 1
# MSTP region: must match the access switches and coreA
stp region-configuration
region-name wlgc
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
quit
# MSTP root bridge selection: primary for instance 2, secondary for instance 1
# (the reverse of coreA, so each core is root for the VLANs it fronts in VRRP)
stp instance 2 root primary
stp instance 1 root secondary
# VRRP configuration
# NOTE(review): no "vrrp vrid ... authentication-mode" is set on any group, so VRRP
# advertisements on the user VLANs are accepted unauthenticated. Confirm that is acceptable.
# VLAN 10: no priority line, so the VRRP default applies (coreA sets 110 for this group)
int vlan 10
ip address 192.168.10.253 24
vrrp vrid 10 virtual-ip 192.168.10.254
# Track the uplink: when the directly connected interface (a port on this device) goes
# down, lower this group's priority by 50
vrrp vrid 10 track interface g0/0/1 reduced 50
int vlan 20
ip address 192.168.20.253 24
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 110
# Track the uplink: when the directly connected interface goes down, lower the priority by 50
vrrp vrid 20 track interface g0/0/1 reduced 50
# VLAN 30: no priority line, so the VRRP default applies (coreA sets 110 for this group)
int vlan 30
ip address 192.168.30.253 24
vrrp vrid 30 virtual-ip 192.168.30.254
# Track the uplink: when the directly connected interface goes down, lower the priority by 50
vrrp vrid 30 track interface g0/0/1 reduced 50
int vlan 40
ip address 192.168.40.253 24
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 110
# Track the uplink: when the directly connected interface goes down, lower the priority by 50
vrrp vrid 40 track interface g0/0/1 reduced 50
## After this step, run "display ip int brief" to verify the VLANIF addresses,
## and also verify that PCs in different VLANs can reach each other
# Uplink VLANIF
int vlan 60
ip address 192.168.253.1 24
# OSPF configuration
# NOTE(review): "network 0.0.0.0 255.255.255.255" enables OSPF on every interface,
# including the user VLANIFs 10-40, and no OSPF authentication is configured. Consider
# "silent-interface" for the user VLANIFs and authentication on the uplink.
ospf 100 router-id 2.2.2.2
area 0
network 0.0.0.0 255.255.255.255
# DHCP: must be configured on both core switches
# NOTE(review): only VLAN 10 and VLAN 20 get pools here; VLAN 30/40 have none on this page.
# NOTE(review): these pools are identical to coreA's and the range includes the peer's
# VLANIF address (.252). Verify how duplicate leases are avoided, e.g. by splitting the
# range per switch with "excluded-ip-address".
dhcp enable
ip pool dhcp10
dns-list 8.8.8.8
gateway-list 192.168.10.254
# Subnet served by this pool
network 192.168.10.0 mask 24
# Apply the global pool on the VLANIF
int vlan 10
dhcp select global
ip pool dhcp20
dns-list 8.8.8.8
gateway-list 192.168.20.254
# Subnet served by this pool
network 192.168.20.0 mask 24
# Apply the global pool on the VLANIF
int vlan 20
dhcp select global
出口
ARA
# ARA: egress router A. Inside link to coreA (g0/0/2), inter-router link to ARB (g0/0/1),
# ISP link (g0/0/0). Runs OSPF, source NAT on the ISP link, and NQA-tracked policy routing
# that steers VLAN 20 traffic to ARB.
sys
sysname ARA
int g0/0/2
ip address 192.168.252.2 24
int g0/0/1
ip address 23.1.1.1 24
int g0/0/0
ip address 120.36.2.1 24
# Default route towards the ISP (120.36.2.2 is the ISP's g1/0/0 on this page)
ip route-static 0.0.0.0 0.0.0.0 120.36.2.2
# OSPF
# The network statements cover the inside /16 and the ARA-ARB link only, so OSPF is not
# enabled on the ISP-facing 120.36.2.0/24 interface.
# NOTE(review): no OSPF authentication is configured on any router on this page.
ospf 100 router-id 3.3.3.3
# Advertise the default route into OSPF
default-route-advertise
area 0
network 192.168.0.0 0.0.255.255
network 23.1.1.0 0.0.0.255
# NAT: once configured, test reachability from a PC to a remote device.
# ACL 3000 matches every 192.168.0.0/16 source; "nat outbound" on g0/0/0 translates that
# traffic as it leaves towards the ISP.
acl 3000
rule 5 permit ip source 192.168.0.0 0.0.255.255
int g0/0/0
nat outbound 3000
# PBR configuration: needed on both routers; the next-hop and the NQA destination address
# differ slightly between them
## ACL selecting the interesting traffic for PBR (VLAN 20 sources)
acl 3200
rule 5 permit ip source 192.168.20.0 0.0.0.255
quit
## Traffic classifier
traffic classifier 20
if-match acl 3200
## Traffic behavior
quit
traffic behavior 20
## Before NQA was added the redirect applied in all cases; with NQA tracking it applies
## only while the NQA test succeeds (the link is healthy)
## NOTE(review): the NQA instance "admin vlan20" is only created further down; if the
## device rejects a track reference to a missing instance, create the instance first.
redirect ip-nexthop 23.1.1.2 track nqa admin vlan20
## Traffic policy: binds the classifier to the behavior
quit
traffic policy 20
classifier 20 behavior 20
## Apply on the inside-facing interface
int g0/0/2
traffic-policy 20 inbound
# NQA configuration
nqa test-instance admin vlan20
test-type icmp
## This IP is the destination (the address being probed); 59.56.101.1 is the address
## configured on ARB g0/0/2 on this page
## NOTE(review): the redirect depends on this ICMP probe being answered, so an ICMP filter
## anywhere on the probe path will silently disable the policy route.
destination-address ipv4 59.56.101.1
frequency 10
probe-count 5
start now
ARB
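# ARB: egress router B. ISP link (g0/0/2), inter-router link to ARA (g1/0/0), inside link
# to coreB (g0/0/1). Runs OSPF, source NAT on the ISP link, and NQA-tracked policy routing
# that steers VLAN 10 traffic to ARA.
sys
# Hostname for this router (the section is ARB; "ARA" here was a copy-paste slip and would
# make the two routers indistinguishable at the prompt and in logs)
sysname ARB
int g0/0/2
ip address 59.56.101.1 24
int g1/0/0
ip address 23.1.1.2 24
int g0/0/1
ip address 192.168.253.2 24
# Default route towards the ISP (59.56.101.2 is the ISP's g0/0/0 on this page)
ip route-static 0.0.0.0 0.0.0.0 59.56.101.2
# OSPF
# The router ID must be unique within the OSPF domain. ARA already uses 3.3.3.3 and is a
# neighbour on 23.1.1.0/24, so ARB gets its own ID, following the 1.1.1.1 / 2.2.2.2 /
# 3.3.3.3 pattern of the other devices.
# NOTE(review): no OSPF authentication is configured on any router on this page.
ospf 100 router-id 4.4.4.4
# Advertise the default route into OSPF
default-route-advertise
area 0
network 192.168.0.0 0.0.255.255
network 23.1.1.0 0.0.0.255
# NAT: once configured, test reachability from a PC to a remote device.
# ACL 3000 matches every 192.168.0.0/16 source; "nat outbound" on g0/0/2 translates that
# traffic as it leaves towards the ISP.
acl 3000
rule 5 permit ip source 192.168.0.0 0.0.255.255
int g0/0/2
nat outbound 3000
# PBR configuration: needed on both routers; the next-hop and the NQA destination address
# differ slightly between them
## ACL selecting the interesting traffic for PBR (VLAN 10 sources)
acl 3100
rule 5 permit ip source 192.168.10.0 0.0.0.255
quit
## Traffic classifier
traffic classifier 10
if-match acl 3100
## Traffic behavior
quit
traffic behavior 10
## Before NQA was added the redirect applied in all cases; with NQA tracking it applies
## only while the NQA test succeeds (the link is healthy)
## NOTE(review): the NQA instance "admin vlan10" is only created further down; if the
## device rejects a track reference to a missing instance, create the instance first.
redirect ip-nexthop 23.1.1.1 track nqa admin vlan10
## Traffic policy: binds the classifier to the behavior
quit
traffic policy 10
classifier 10 behavior 10
## Apply on the inside-facing interface
int g0/0/1
traffic-policy 10 inbound
# NQA configuration
nqa test-instance admin vlan10
test-type icmp
## This IP is the destination (the address being probed); 120.36.2.1 is the address
## configured on ARA g0/0/0 on this page
## NOTE(review): the redirect depends on this ICMP probe being answered, so an ICMP filter
## anywhere on the probe path will silently disable the policy route.
destination-address ipv4 120.36.2.1
frequency 10
probe-count 5
start now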
外网ISP
# ISP: stand-in for the external provider. One interface per egress router plus an
# 8.8.8.0/24 segment.
# No routes back to 192.168.0.0/16 are configured here, so inside hosts are reachable from
# this router only through the NAT on ARA/ARB.
sys
sysname ISP
# Link to ARA g0/0/0 (120.36.2.1)
int g1/0/0
ip address 120.36.2.2 24
# Link to ARB g0/0/2 (59.56.101.1)
int g0/0/0
ip address 59.56.101.2 24
# 8.8.8.0/24 segment; presumably hosts the 8.8.8.8 DNS address handed out by the DHCP
# pools (lab simulation; confirm against the topology)
int g0/0/1
ip address 8.8.8.254 24