1000人规模冗余设置

1000人规模冗余设置

步骤①：Vlan Trunk Eth-trunk 底层配置

#eth-trunk配置： 
sw1 ： 
int eth-trunk 2 
mode lacp-static 
trunkport gi 0/0/2 
trunkport gi 0/0/3 
sw2 ： 
int eth-trunk 2 
mode lacp-static 
 trunkport gi 0/0/1 
trunkport gi 0/0/2 
 
sw3 ： 
int eth-trunk 1 
mode lacp-static 
trunkport Ethernet 0/0/4 
trunkport Ethernet 0/0/5 
sw6 ： 
int eth-trunk 1 
mode lacp-static 
trunkport Ethernet 0/0/1 
trunkport Ethernet 0/0/3 
sw5： 
vlan batch 2 to 5 999 
 interface Ethernet0/0/1 
port link-type trunk 
port trunk allow-pass vlan 2 999 
# 
interface Ethernet0/0/2 
port link-type access 
port default vlan 2 
 
sw6： 
vlan batch 2 to 5 999 
interface Eth-Trunk1 
port link-type trunk 
port trunk allow-pass vlan 3 999 
 
# 
interface Ethernet0/0/2 
port link-type access 
port default vlan 3 
 
sw3： 
vlan batch 2 to 5 999 
interface Eth-Trunk1 
port link-type trunk 
port trunk allow-pass vlan 3 999 
mode lacp-static 
# 
interface Ethernet0/0/1 
port link-type trunk 
port trunk allow-pass vlan 2 to 3 999 
# 
interface Ethernet0/0/2 
port link-type trunk
port trunk allow-pass vlan 2 to 3 999 
# 
interface Ethernet0/0/3 
port link-type trunk 
port trunk allow-pass vlan 2 999 
 
sw7： 
vlan batch 2 to 5 999 
interface Ethernet0/0/1 
 port link-type trunk 
port trunk allow-pass vlan 4 to 5 999 
# 
interface Ethernet0/0/2 
port link-type access 
port default vlan 4 
# 
interface Ethernet0/0/3 
port link-type access 
port default vlan 5 
 
sw4： 
vlan batch 2 to 5 999 
interface Ethernet0/0/1 
port link-type trunk 
port trunk allow-pass vlan 4 to 5 999 
interface Ethernet0/0/2 
port link-type trunk 
port trunk allow-pass vlan 4 to 5 999 
# 
interface Ethernet0/0/3 
port link-type trunk 
port trunk allow-pass vlan 4 to 5 999 
 
sw8： 
interface Ethernet0/0/1 
port link-type trunk 
port trunk allow-pass vlan 200 999 
# 
interface Ethernet0/0/2 
port link-type trunk 
port trunk allow-pass vlan 200 999 
# 
interface Ethernet0/0/3 
port link-type access 
port default vlan 200 
# 
interface Ethernet0/0/4 
port link-type access 
port default vlan 200 
 
sw1： 
vlan batch 2 to 5 200 800 999 
interface Eth-Trunk2 
port link-type trunk 
port trunk allow-pass vlan 2 to 5 200 999 
mode lacp-static 
# 
interface GigabitEthernet0/0/1 
port link-type trunk 
port trunk allow-pass vlan 2 to 3 999 
# 
interface GigabitEthernet0/0/4 
port link-type trunk 
port trunk allow-pass vlan 4 to 5 999 
# 
interface GigabitEthernet0/0/5 
port link-type trunk 
port trunk allow-pass vlan 200 999 
# 
interface GigabitEthernet0/0/6 
port link-type access 
port default vlan 800 
 
sw2： 
vlan batch 2 to 5 200 801 999 
interface Eth-Trunk2 
port link-type trunk
port trunk allow-pass vlan 2 to 5 200 999 
mode lacp-static 
# 
interface GigabitEthernet0/0/3 
port link-type trunk 
port trunk allow-pass vlan 200 999 
# 
interface GigabitEthernet0/0/4 
port link-type trunk 
port trunk allow-pass vlan 4 to 5 999 
# 
interface GigabitEthernet0/0/5 
port link-type trunk 
port trunk allow-pass vlan 2 to 3 999 
# 
interface GigabitEthernet0/0/6 
port link-type access 
port default vlan 801

步骤②：mstp配置

#所有汇聚、核心交换机以及服务器组交换机sw8：（sw1 sw2 sw3 sw4 sw8 ） 
stp region-configuration 
region-name aa revision-level 1 
instance 1 vlan 2 to 3 200 
instance 2 vlan 4 to 5 
active region-configuration 
sw1： 
stp instance 1 root primary 
stp instance 2 root secondary 
 
sw2： 
stp instance 1 root secondary 
stp instance 2 root primary 

3-3 步骤③ ：vrrp配置

sw1： 
interface Vlanif2 
ip address 192.168.2.254 255.255.255.0 
vrrp vrid 2 virtual-ip 192.168.2.1 
vrrp vrid 2 priority 105 
# 
interface Vlanif3 
ip address 192.168.3.254 255.255.255.0 
vrrp vrid 3 virtual-ip 192.168.3.1 
vrrp vrid 3 priority 105 
# 
interface Vlanif4 
ip address 192.168.4.254 255.255.255.0 
vrrp vrid 4 virtual-ip 192.168.4.1 
# 
interface Vlanif5 
ip address 192.168.5.254 255.255.255.0 
vrrp vrid 5 virtual-ip 192.168.5.1 
# 
interface Vlanif200 
ip address 192.168.200.254 255.255.255.0 
vrrp vrid 200 virtual-ip 192.168.200.1 
vrrp vrid 200 priority 105 
 # 
sw2： 
interface Vlanif2 
ip address 192.168.2.253 255.255.255.0 
vrrp vrid 2 virtual-ip 192.168.2.1 
# 
interface Vlanif3 
ip address 192.168.3.253 255.255.255.0 
vrrp vrid 3 virtual-ip 192.168.3.1 
# 
interface Vlanif4 
ip address 192.168.4.253 255.255.255.0 
vrrp vrid 4 virtual-ip 192.168.4.1 
vrrp vrid 4 priority 105 
# 
interface Vlanif5 
ip address 192.168.5.253 255.255.255.0 
vrrp vrid 5 virtual-ip 192.168.5.1 
vrrp vrid 5 priority 105 
# 
interface Vlanif200 
ip address 192.168.200.253 255.255.255.0 
vrrp vrid 200 virtual-ip 192.168.200.1

步骤④：BFD配置

sw1： 
bfd 
bfd bb bind peer-ip 192.168.12.1 source-ip 192.168.12.2 auto 
commit 
 
interface Vlanif2 
ip address 192.168.2.254 255.255.255.0 
vrrp vrid 2 virtual-ip 192.168.2.1 
vrrp vrid 2 priority 105 
vrrp vrid 2 track interface GigabitEthernet0/0/1 
vrrp vrid 2 track bfd-session session-name bb 
#
interface Vlanif3
ip address 192.168.3.254 255.255.255.0
vrrp vrid 3 virtual-ip 192.168.3.1
vrrp vrid 3 priority 105
vrrp vrid 3 track interface GigabitEthernet0/0/1 
vrrp vrid 3 track bfd-session session-name bb 
#
interface Vlanif200
ip address 192.168.200.254 255.255.255.0
vrrp vrid 200 virtual-ip 192.168.200.1
vrrp vrid 200 priority 105
vrrp vrid 200 track interface GigabitEthernet0/0/5 
vrrp vrid 200 track bfd-session session-name bb
sw2： bfd
bfd cc bind peer-ip 192.168.23.1 source-ip 192.168.23.2 auto commit
interface Vlanif4 
ip address 192.168.4.253 255.255.255.0
vrrp vrid 4 virtual-ip 192.168.4.1 
vrrp vrid 4 priority 105 
vrrp vrid 4 track interface GigabitEthernet0/0/4 
vrrp vrid 4 track bfd-session session-name cc 
# 
interface Vlanif5 
ip address 192.168.5.253 255.255.255.0 
vrrp vrid 5 virtual-ip 192.168.5.1 
vrrp vrid 5 priority 105 
vrrp vrid 5 track interface GigabitEthernet0/0/4 
vrrp vrid 5 track bfd-session session-name cc 
R1: 
bfd 
bfd bb bind peer-ip 192.168.12.2 source-ip 192.168.12.1 auto commit 
# 
bfd cc bind peer-ip 192.168.23.2 source-ip 192.168.23.1 auto commit 

步骤⑤ ：OSPF NAT配置

核心 sw1： 
ospf 1 
area 0.0.0.0 
network 192.168.2.0 0.0.0.255 
network 192.168.3.0 0.0.0.255 
network 192.168.4.0 0.0.0.255 
network 192.168.5.0 0.0.0.255 
network 192.168.200.0 0.0.0.255 
network 192.168.12.0 0.0.0.255 
# 
 
核心 sw2： 
ospf 1 
area 0.0.0.0 
network 192.168.2.0 0.0.0.255 
network 192.168.3.0 0.0.0.255 
network 192.168.4.0 0.0.0.255 
network 192.168.5.0 0.0.0.255 
network 192.168.200.0 0.0.0.255 
network 192.168.23.0 0.0.0.255 
 
出口 R1： 
ospf 1 
area 0.0.0.0 
network 14.1.1.0 0.0.0.255 
network 192.168.12.0 0.0.0.255 
network 192.168.23.0 0.0.0.255 
 
分支 R4: 
ospf 1 
area 0.0.0.0 
network 14.1.1.0 0.0.0.255
network 192.168.100.0 0.0.0.255 
配置rip协议模拟运营商公网路由： 
R2: 
rip 1 
version 2 
network 12.0.0.0 
network 25.0.0.0 
 
R3: 
rip 1 
version 2 
network 13.0.0.0 
network 35.0.0.0 
R5： 
rip 1 
version 2 
network 25.0.0.0 
network 35.0.0.0 
network 5.0.0.0 
 
sw1： 
ip route-static 0.0.0.0 0.0.0.0 192.168.12.1 
ip route-static 0.0.0.0 0.0.0.0 192.168.23.1 preference 65 
 
sw2： 
ip route-static 0.0.0.0 0.0.0.0 192.168.23.1 
ip route-static 0.0.0.0 0.0.0.0 192.168.12.1 preference 65 
 
R1: NAT配置 
ip route-static 0.0.0.0 0.0.0.0 13.1.1.2 
acl number 2000 
rule 5 permit source 192.168.0.0 0.0.255.255
interface GigabitEthernet1/0/0 
ip address 13.1.1.1 255.255.255.0 
nat outbound 2000 
 
ospf cost 值调整：尽可能保证来回路径一致 且最短
sw1：
interface Vlanif4 ospf cost 4 
# 
interface Vlanif5 ospf cost 4 
 
sw2： 
interface Vlanif2 ospf cost 4 
# 
interface Vlanif3 ospf cost 4 
interface Vlanif200 ospf cost 4 

步骤⑥：dhcp 中继 配置

DHCP server： 
dhcp enable 
# 
ip pool vlan2 
gateway-list 192.168.2.1 
network 192.168.2.0 mask 255.255.255.0 
excluded-ip-address 192.168.2.249 192.168.2.254 
dns-list 114.114.114.114 8.8.8.8 
# 
ip pool vlan3 
gateway-list 192.168.3.1 
network 192.168.3.0 mask 255.255.255.0 
excluded-ip-address 192.168.3.249 192.168.3.254 
dns-list 114.114.114.114 8.8.8.8 
ip pool vlan4 
gateway-list 192.168.4.1 
network 192.168.4.0 mask 255.255.255.0 
excluded-ip-address 192.168.4.249 192.168.4.254 
dns-list 114.114.114.114 8.8.8.8 
# 
ip pool vlan5 
gateway-list 192.168.5.1 
network 192.168.5.0 mask 255.255.255.0 
excluded-ip-address 192.168.5.249 192.168.5.254 
dns-list 114.114.114.114 8.8.8.8 
# 
 
sw1 sw2: 
dhcp enable 
int vlanif 2 
dhcp select relay 
dhcp relay server-ip 192.168.200.3 
int vlanif 3 
dhcp select relay 
dhcp relay server-ip 192.168.200.3 
int vlanif 4 
dhcp select relay 
dhcp relay server-ip 192.168.200.3 
int vlanif 5 
dhcp select relay 
dhcp relay server-ip 192.168.200.3 
dhcp调试命令： 
dis ip pool name vlan2 used 
< >reset ip pool name vlan2 used 
 
dhcp安全技术：dhcp snooping 
接入交换机 
sw5 sw6 sw7 
dhcp enable 
dhcp snooping enable 
sw5: 
vlan 2 
dhcp snooping enable 
int e0/0/1 
dhcp snooping trusted 
sw6: 
vlan 3 
dhcp snooping enable 
int eth-trunk 1 
dhcp snooping trusted 
sw7: 
vlan 4 
dhcp snooping enable 
vlan 5 
dhcp snooping enable 
int e0/0/1 
dhcp snooping trusted 
 

步骤⑦:PPPOE配置客户端：R1

acl 2001 
rule permit source 192.168.0.0 0.0.255.255 
interface Dialer 1 
link-protocol ppp 
ip address ppp-negotiate 
ppp pap local-user 0531 password simple 123456 
dialer user 0531 
dialer bundle 2 
nat outbound 2001 
 
interface gi0/0/2 
pppoe-client dial-bundle-number 2 
 
ip route-static 0.0.0.0 0 dialer1 preference 85 
优化配置：由于原始以太网报文在传输过程中增加了PPPOE（6字节）和
PPP（2字节）的包头，为了使得传输数据在传输过程中不分片（提高传输
效率），建议在dialer 1 口更改数据封装的MTU值。(因为以太网接口mtu
默认是1500 字节）即： 
R1： 
int dialer 1 
mtu 1492 
 
服务端R2: 
PPPOE服务端： R2： 
① ip pool 
ip pool pool1 
network 12.1.1.0 mask 24 
gateway-list 12.1.1.2 
 
② 用户名 密码 aaa 
local-user 0531 password cipher 123456 
local-user 0531 service-type ppp 
 
③ virtual-template 虚拟拨入接口 
interface Virtual-Template 1 
ppp authentication-mode pap 
remote address pool pool1 
ip address 12.1.1.2 255.255.255.0 
 
interface Gi0/0/0 
pppoe-server bind Virtual-Template 1 将虚拟接口virtual-Template1 和
物理接口关联 

步骤⑧：出口路由配置

让电信的PPPOE 作为联通的备份出口 
R1： 
ip route-static 0.0.0.0 0.0.0.0 13.1.1.2 
ip route-static 0.0.0.0 0.0.0.0 Dialer1 preference 85 
这两条配置上面的步骤已经完成

步骤⑨：NAT server

R1: 
interface GigabitEthernet1/0/0 
ip address 13.1.1.1 255.255.255.0 
nat server protocol tcp global current-interface www inside  192.168.200.2 www 

步骤⑩：ACL配置

R1: 
acl number 3005 
rule 5 permit ip source 192.168.5.0 0.0.0.255 destination 192.168.0.0 
0.0.255.255 
rule 10 deny ip source 192.168.5.0 0.0.0.255 
 
interface GigabitEthernet0/0/0 
ip address 192.168.12.1 255.255.255.0 
traffic-filter inbound acl 3005 
# 
interface GigabitEthernet0/0/1 
ip address 192.168.23.1 255.255.255.0 
traffic-filter inbound acl 3005

步骤11：策略路由配置 （模拟器bug 不生效）

acl number 3008 
rule 5 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.0.0 0.0.255.255 
rule 10 permit ip source 192.168.3.0 0.0.0.255 
# 
traffic classifier VLAN_3 
if-match acl 3008 
# 
traffic behavior VLAN_3 
redirect interface Dialer1 
traffic policy aa 
classifier VLAN_3 behavior VLAN_3 
 
interface GigabitEthernet0/0/0 
ip address 192.168.12.1 255.255.255.0 
traffic-filter inbound acl 3005 
traffic-policy aa inbound 
# 
interface GigabitEthernet0/0/1 
ip address 192.168.23.1 255.255.255.0 
traffic-filter inbound acl 3005 
traffic-policy aa inbound

步骤12：telnet 配置

aaa 
local-user hcie privilege level 3 password cipher 123 
local-user hcie service-type telnet
user-interface vty 0 4 
authentication-mode aaa 
protocol inbound telnet 
 
sw1: 
interface Vlanif999 
ip address 192.168.255.254 255.255.255.0 
vrrp vrid 255 virtual-ip 192.168.255.1 
 
sw2: 
interface Vlanif999 
ip address 192.168.255.253 255.255.255.0 
vrrp vrid 255 virtual-ip 192.168.255.1 
 
其他汇聚 和接入层交换机： 
int vlanif 999 
ip add 192.168.255.x 24 
ip route-s 0.0.0.0 0 192.168.255.1 
例如： 
sw6： 
int vlanif 999 
ip add 192.168.255.6 24 
ip route-s 0.0.0.0 0 192.168.255.1