HCIP-综合实验
- 实验需求及步骤
- 实验拓扑
- 配置命令及实现
- 01.Eth-Trunk
- 02.VLAN与端口类型
- 03.MSTP多实例与优化
- 04.VRRP
- 05.端口安全
- 06.DHCP冗余部署
- 07.WLAN双链路热备
- 08.防火墙双机热备 及内容安全
- 10.OSPF多区域
- 11.OSPF特性(Vlink,认证,特殊区域,LSA3过滤,优化路径)
- 12.NAPT
- 13.SSH
- 14.NAT SERVER与NAT-ALG
- 15.PPOE&easy-ip
- 16.WLAN二层组网与VLAN_Pool
- 17.VLAN聚合
- 18.DHCP中继及OSPF
- 19.DHCP Snooping与ARP安全
- 20..防火墙NAT
- 21.ISIS多区域
- 22.MPLS LDP
- 23.MP-BGP
- 24.PE-CE使用BGP接入
- 25.ISIS路由渗透,BGP AS替换
- 26.BGP过滤与MPLS调优
- 27.IPSec VPN冗余部署
- 28.组播-PIM-SM
- 29.DHCPv6
- 30.OSPFv3
- 31.NAT64
- 32.6to4自动隧道
- 33.配置QOS
- 34.BFD&NQA
实验需求及步骤
交换部分
-
主校区部分
-
1.Eth-Trunk
汇聚交换机之间部署Eth-Trunk提升带宽,提升冗余,仅放行VLAN78,VLAN254 -
2.VLAN与端口类型
配置PC1,PC2位于VLAN10,无线用户位于VLAN20,SERVER1位于VLAN30
接口交换机与汇聚交换机之间部署Trunk,放行必要VLAN,链接AP的接口设置为Hybrid接口 -
3.配置MSTP实现以下需求
VLAN10,VLAN20通过SW1转发,VLAN30通过SW2转发
连接PC1,PC2接口支持快速接入,禁止用户私自接入交换机 -
4.VRRP
实现用户业务(VLAN10,VLAN20)通过SW1转发,服务器(VLAN30)通过SW2转发
若检测到上行链路故障,切换VRRP主备 -
5.局域网加固
PC1,PC2属于相同VLAN,但是不能互通
PC1,PC2连接的端口配置端口安全,抵御MAC泛洪或MAC地址欺骗攻击 -
6.SW1,SW2配置DHCP服务器,对STA1,无线客户端,AP分配地址采用冗余配置
WLAN部署
AC1,AC2部署VRRP双机热备
AC1地址:10.1.78.10
AC2地址:10.1.78.20
VRRP双机地址:10.1.78.254
SSID:HQ
安全模板:WPA2-PSK Huawei@123
转发方式:隧道模式
业务VLAN:20
S1,S2接口配置DHCP对AP分配地址
无线用户用户VLAN20,地址10.1.20.0/24 网关地址:10.1.20.254
支持无线漫游,保障用户连接到其他AP时,业务不中断
防火墙内容安全
- 配置防火墙双机热备采用负载分担的方式
- 若接口故障切换转发角色
- 防火墙部署双机热备负载分担,若检测接口故障切换主备角色
- 使用web方式配置以下业务
- 1)禁止外网用户上传病毒文件到内部服务器
- 2)配置URL过滤,规范用户的上网行为
- 3)配置入侵防御对于访问公共服务器抵御注入跨站脚本类攻击
- 4)开启单包攻击防御机制
路由部分
- 主校区部分
- FW1,FW2,SW1,SW2,AR1位于OSPF区域0
- SW1,SW2互联位于区域2
- SW1,SW2下行链路位于区域1,上行链路位于区域0
- OSPF区域0开启MD5认证保障安全
- 更改ospf网络类型为P2P,缩短hello包的老化时间
- SW1,SW2添加Vlink防止区域0分裂
- VLAN10,VLAN20,VLAN30的网关以及FW1链接服务器的端口关闭OSPF邻居发现机制
- 修改VLAN10,VLAN20,VLAN30的开销配合VRRP的业务转发路径
WAN部分(公网部分)
-
主校区
- 配置AR1和AR2的对应IP地址
- AR1部署默认路由访问公网,使用NAPT的方式进行地址转换
- AR1配置地址转换,其中地址池:136.1.12.16-136.1.12.19
- FW1和FW2上放行相应策略,使得内部客户端可以访问到internet
- 使得AR1配置远程连接,使用ssh保证连接更加稳定
-
Internet访问
- Home作为互联网用户,采用PPPoE接入,其中Home作为PPPoE客户端,Internet作为PPPoE服务端
拨号账户:USER/HUAWEI - Home节点配置EASY_IP访问公网
- AR1映射DMZ服务器SERVER1到公网:136.1.12.10 映射FTP与HTTP服务(nat server)
- Home作为互联网用户,采用PPPoE接入,其中Home作为PPPoE客户端,Internet作为PPPoE服务端
分校区部分
- WLAN及OSPF
- 1)WLAN二层组网与vlan规划 AP管理vlan:254
- AP地址:172.16.254.0/24网关172.16.254.5
- AC地址:172.16.254.10
- 2)WLAN业务规划
- 用户位于VLAN11,VLAN12,以便减少广播内主机的数量 (做vlan聚合)
- 保障所有用户位于相同网段
- 用户流量转发采用直接转发
- SSID:SPOKE
- 安全模板:WPA2-PSK Huawei@123
- 3)配置FW-2作为DHCP服务器,SW5作为中继DHCP,对无线用户与AP分配地址
- 4)配置OSPF
- 配置FW3,SW5部署OSPF区域0
- SW5所有接口位于区域0
- 5)激活DHCP Snooping保护内网DHCP服务器的安全
- 配置防火墙NAT,让内网用户可以访问到internet
广域互联部分(MPLS专线)
-
部署ISP部分
-
R1部署ISIS区域49.0000,设置级别为Level-2
-
R2,R3位于区域49.0001.R3作为level-1节点
-
添加互联接口与Loopback接口到ISIS进程
-
部署MPLS VPN满足以下需求
- 1)R1,R3作为PE节点,R2作为VPNv4路由反射器
- AR1,FW3作为CE节点
- 2)PE,CE之间采用EBGP接入
- 3)MPLS LSR-ID为设备的Loopback0
- 4)部署MPLS VPN实现主校区与分校区通信
- 1)R1,R3作为PE节点,R2作为VPNv4路由反射器
-
R1,R2,R3之间部署BGP,位于AS100
-
AR1与R1之间部署BGP,主小区位于AS65000
-
FW-3与R3之间部署BGP,其中分校区AS65000
-
解决AR1与FW-3的环路问题,让分校区和主校区可以获得相应的路由
-
为了减少路由条目,使得分校区只获得去往主校区的服务器的网段
-
-
IPSec VPN部分
- FW1,FW2与FW3部署IPSec HA VPN实现以下需求
- IPSEC流量 配置IPSec VPN实现分校区无线用户可以访问主校区内部服务器(SERVER1)
- IKE提议
- 共享密钥认证(HUAWEI)
- DH组2
- 加密认证:3DES/SHA1
- IPSec提议
- 数据加密算法:ESP-3DES/ESP-SHA1
组播部分
部分组播网络满足以下需求
MCS作为组播服务器
PC5作为组播接收者
C-RP,C-BSR位于R2的Lo0
组地址:239.1.1.1
IGMP版本:v2
RP的组播服务范围:239.1.1.0/24
若PC5加入组224.1.1.1也能收到224.1.1.1的组播流量
实现组播接收者能够接收到组播源的流量
IPv6部分
1)PC4配置IPv6地址:2001:155:1:1::10/64
- 网关地址2001:155:1:1::1/64
2)PC5作为DHCPv6 Client通过R3有状态地址自动配置
- 获取前缀信息为2001:155:1:3::/64
- DNS:2001:150:1:2::2
3)PC5作为IPv6主机,地址2001:172:16:5::10/64
- S5-VLANIF作为网关接口,网关地址2001:172:16:5::5/64
- FW2,SW5互联部署Link-local地址并部署OSPFv3
4)配置NAT64实现PC5能够访问130.1.2.2/32
- 采用动态NAT64实现
- NAT64前缀:2001:172:13::/96
5)配置R1,R3之间部署6TO4自动隧道实现PC4,PC5通信
实验拓扑
配置命令及实现
01.Eth-Trunk
sysname SW1
#
interface Eth-Trunk1
mode lacp-static
#
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
sysname SW2
#
interface Eth-Trunk1
mode lacp-static
#
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
02.VLAN与端口类型
SW1
vlan batch 10 20 30 78 127 254
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 127
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk allow-pass vlan 20 78
#
interface GigabitEthernet0/0/11
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/12
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/13
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
SW2
vlan batch 10 20 30 78 138 254
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 138
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk allow-pass vlan 20 78
#
interface GigabitEthernet0/0/11
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/12
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/13
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
Acc1
sysname Acc1
#
vlan batch 10 20 30 254
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
#
interface Ethernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
Acc2
sysname Acc2
#
vlan batch 10 20 30 254
#
interface Ethernet0/0/1
port hybrid pvid vlan 254
port hybrid untagged vlan 254
#
interface Ethernet0/0/2
port hybrid pvid vlan 254
port hybrid untagged vlan 254
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
Acc3
sysname Acc3
#
vlan batch 10 20 30 254
#
interface Ethernet0/0/1
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
#
03.MSTP多实例与优化
SW1
stp instance 1 root primary
stp instance 2 root secondary
#
stp region-configuration
region-name MST
revision-level 1
instance 1 vlan 10 20
instance 2 vlan 30
active region-configuration
#
interface GigabitEthernet0/0/11
stp loop-protection
#
interface GigabitEthernet0/0/12
stp loop-protection
#
interface GigabitEthernet0/0/13
stp loop-protection
SW2
stp instance 1 root secondary
stp instance 2 root primary
#
stp region-configuration
region-name MST
revision-level 1
instance 1 vlan 10 20
instance 2 vlan 30
active region-configuration
#
interface GigabitEthernet0/0/11
stp loop-protection
#
interface GigabitEthernet0/0/12
stp loop-protection
#
interface GigabitEthernet0/0/13
stp loop-protection
Acc1
stp region-configuration
region-name MST
revision-level 1
instance 1 vlan 10 20
instance 2 vlan 30
active region-configuration
#
interface GigabitEthernet0/0/1
stp loop-protection //开启防止环路保护
stp edged-port disable //关闭边缘端口
#
interface GigabitEthernet0/0/2
stp loop-protection
stp edged-port disable
#
stp edged-port default //开启全局边缘端口
stp bpdu-protection //开启bpdu保护功能
#
//300秒后自动打开shutdown的端口
error-down auto-recovery cause bpdu-protection interval 300
#
Acc2
stp edged-port default
#
stp region-configuration
region-name MST
revision-level 1
instance 1 vlan 10 20
instance 2 vlan 30
active region-configuration
#
interface GigabitEthernet0/0/1
stp loop-protection
stp edged-port disable
#
interface GigabitEthernet0/0/2
stp loop-protection
stp edged-port disable
#
Acc3
stp edged-port default
#
stp region-configuration
region-name MST
revision-level 1
instance 1 vlan 10 20
instance 2 vlan 30
active region-configuration
#
interface Ethernet0/0/1
stp root-protection //服务器侧开启根端口保护
#
interface GigabitEthernet0/0/1
stp loop-protection
stp edged-port disable
#
interface GigabitEthernet0/0/2
stp loop-protection
stp edged-port disable
#
04.VRRP
SW1
#
interface Vlanif10
ip address 10.1.10.7 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.10.254
vrrp vrid 1 priority 101
vrrp vrid 1 track interface GigabitEthernet0/0/1 reduced 5
#
interface Vlanif20
ip address 10.1.20.7 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.20.254
vrrp vrid 2 priority 101
vrrp vrid 2 track interface GigabitEthernet0/0/1 reduced 5
#
interface Vlanif30
ip address 10.1.30.7 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.30.254
#
interface Vlanif78
ip address 10.1.78.7 255.255.255.0
#
interface Vlanif127
ip address 10.1.127.7 255.255.255.0
#
interface Vlanif254
ip address 10.1.254.7 255.255.255.0
#
SW2
interface Vlanif10
ip address 10.1.10.8 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.10.254
#
interface Vlanif20
ip address 10.1.20.8 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.20.254
#
interface Vlanif30
ip address 10.1.30.8 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.30.254
vrrp vrid 3 priority 101
vrrp vrid 3 track interface GigabitEthernet0/0/1 reduced 5
#
interface Vlanif78
ip address 10.1.78.8 255.255.255.0
#
interface Vlanif138
ip address 10.1.138.8 255.255.255.0
#
interface Vlanif254
ip address 10.1.254.8 255.255.255.0
#
05.端口安全
Acc1
interface Ethernet0/0/1
port-security enable
port-security protect-action shutdown
port-security max-mac-num 2
port-security mac-address sticky
#
interface Ethernet0/0/2
port-security enable
port-security protect-action shutdown
port-security max-mac-num 2
port-security mac-address sticky
//undo mac-address all 清空mac地址表,包括静态的
//dis mac-address 查看mac地址表
端口隔离
Acc1
interface Ethernet0/0/1
port-isolate enable group 1
#
interface Ethernet0/0/2
port-isolate enable group 1
#
//把两个接口加入同一个组里,就可以隔离开了
//dis port-isolate group all //查看当前隔离组
06.DHCP冗余部署
SW1
dhcp enable
#
ip pool dhcp_pool
gateway-list 10.1.20.254
network 10.1.20.0 mask 255.255.255.0
excluded-ip-address 10.1.20.128 10.1.20.253
#
interface Vlanif20
dhcp select global
#
interface Vlanif254
dhcp select interface
dhcp server excluded-ip-address 10.1.254.128 10.1.254.254
//使用option43 推送两个AC的地址,实现双机双备份
dhcp server option 43 sub-option 2 ip-address 10.1.78.10 10.1.78.20
#
//重置dhcp已分配的地址
<SW1>reset ip pool interface vlanif254 used
//查看地址池状态
[SW1]dis ip pool interface vlanif254
SW2
dhcp enable
#
ip pool dhcp_pool
gateway-list 10.1.20.254
network 10.1.20.0 mask 255.255.255.0
excluded-ip-address 10.1.20.1 10.1.20.7
excluded-ip-address 10.1.20.9 10.1.20.127
#
interface Vlanif20
dhcp select global
#
interface Vlanif254
dhcp select interface
dhcp server excluded-ip-address 10.1.254.1 10.1.254.7
dhcp server excluded-ip-address 10.1.254.9 10.1.254.127
dhcp server option 43 sub-option 2 ip-address 10.1.78.10 10.1.78.20
07.WLAN双链路热备
AC1
//AC1与AC2配置好IP地址后,测试AC1与AC2是否可以通信
sysname AC1
#
vlan batch 20 78
#
interface Vlanif78
ip address 10.1.78.10 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 78
#
ip route-static 0.0.0.0 0.0.0.0 10.1.78.7
#
//双机双链路热备份
hsb-service 0
//指定两端的对等体,本端的和对端的IP地址以及通讯端口
service-ip-port local-ip 10.1.78.10 peer-ip 10.1.78.20 local-data-port 10240 pe
er-data-port 10240
#
//配置hsb的同步内容,使用用户的上线信息做热备份
hsb-service-type access-user hsb-service 0
#
//配置hsb的同步内容,使用AP的上线信息热备份
hsb-service-type ap hsb-service 0
dis hsb-service 0 //查看hsb的状态
#
wlan
//配置双机双链路使能优先级,越小越优 这里AC1为主设备
ac protect enable protect-ac 10.1.78.20 priority 1
//dis ac protect 查看一下状态是否激活
//配置AP上线
ap-id 1 ap-mac 00e0-fc8a-1c70
ap-name AREA_1
ap-id 2 ap-mac 00e0-fc99-0f60
ap-name AREA_2
//业务配置
//安全模板,加密的方式
security-profile name SEC_PRO
security wpa2 psk pass-phrase Huawei@123 aes
//ssid,无线的名字为HQ
ssid-profile name SSID_PRO
ssid HQ
//业务模板
vap-profile name VAP_PRO
forward-mode tunnel //流量转发方式为通过AC集中转发
service-vlan vlan-id 20
ssid-profile SSID_PRO
security-profile SEC_PRO
//关联到AP
ap-id 1
vap-profile VAP_PRO wlan 1 radio 0
vap-profile VAP_PRO wlan 1 radio 1
ap-id 2
vap-profile VAP_PRO wlan 1 radio 0
vap-profile VAP_PRO wlan 1 radio 1
#
capwap source interface vlanif78 //指定capwap接口
#
//dis ap all 查看AP上线状态
//dis station all 查看客户端在线状态
AC2
sysname AC2
#
vlan batch 20 78
#
interface Vlanif78
ip address 10.1.78.20 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 78
#
ip route-static 0.0.0.0 0.0.0.0 10.1.78.8
#
hsb-service 0
service-ip-port local-ip 10.1.78.20 peer-ip 10.1.78.10 local-data-port 10240 peer-data-port 10240
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
//配置双机双链路使能优先级,越小越优
ac protect enable protect-ac 10.1.78.10 priority 5
//dis ac protect 查看一下状态是否激活
//配置AP上线
ap-id 1 ap-mac 00e0-fc8a-1c70
ap-name AREA_1
ap-id 2 ap-mac 00e0-fc99-0f60
ap-name AREA_2
//业务配置
//安全模板,加密的方式
security-profile name SEC_PRO
security wpa2 psk pass-phrase Huawei@123
//ssid,无线的名字为HQ
ssid-profile name SSID_PRO
ssid HQ
//业务模板
vap-profile name VAP_PRO
forward-mode tunnel //流量转发方式为通过AC集中转发
service-vlan vlan-id 20
ssid-profile SSID_PRO
security-profile SEC_PRO
//关联到AP
ap-id 1
vap-profile VAP_PRO wlan 1 radio 0
vap-profile VAP_PRO wlan 1 radio 1
ap-id 2
vap-profile VAP_PRO wlan 1 radio 0
vap-profile VAP_PRO wlan 1 radio 1
#
capwap source interface vlanif78 //指定capwap接口
#
//dis ap all 查看AP上线状态
//dis station all 查看客户端在线状态
08.防火墙双机热备 及内容安全
sysname FW-1
#
//控制台初始化
user-interface con 0
idle-timeout 0 0
//空闲超时配置为0,因此会话永远不会因为超时而断开连接。
#
firewall zone name Heart
add interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/3
ip address 10.0.0.12 255.255.255.0
#
firewall zone dmz
add interface GigabitEthernet1/0/2
#
//配置双机热备
hrp enable
hrp interface GigabitEthernet1/0/3 remote 10.0.0.13
hrp mirror session enable //双火机制,开启会话备份
#
//dis hrp state 查看双机热备激活状态
sysname FW-2
#
user-interface con 0
idle-timeout 0 0
#
interface GigabitEthernet1/0/3
ip address 10.0.0.13 255.255.255.0
#
firewall zone name Heart
add interface GigabitEthernet1/0/3
#
firewall zone dmz
add interface GigabitEthernet1/0/2
#
hrp enable
hrp interface GigabitEthernet1/0/3 remote 10.0.0.12
hrp mirror session enable
#
FW1 //这个配置也可以到后面在进行配置
interface GigabitEthernet0/0/0
ip address 配置桥接地址 //桥接到本地
service-manage https permit //开启网页服务
#
https://本机桥接ip地址:8443 //就可以访问到模拟器中的防火墙
- 保证内网安全,把常用的攻击报文都丢弃
- 公共区域防止入侵
- 激活根据内网情况激活一部分签名
- 提交配置
- 应用到相应的策略里 选择上面做的入侵防御
- 设置反病毒
- 配置上网行为管理
- 新建需要控制的网站即可
- 配置好后应用到策略里就行了,和上面操作差不多
10.OSPF多区域
sysname AR1
#
interface GigabitEthernet0/0/1
ip address 10.1.121.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.1.131.1 255.255.255.0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.0.0 0.0.255.255
FW1
interface GigabitEthernet1/0/0
ip address 10.1.121.12 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 10.1.127.12 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 10.1.0.12 255.255.255.0
#
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
add interface GigabitEthernet1/0/0
#
ospf 1
area 0.0.0.0
network 10.1.0.0 0.0.255.255
#
FW2
interface GigabitEthernet1/0/0
ip address 10.1.131.13 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 10.1.138.13 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 10.1.0.13 255.255.255.0
#
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
add interface GigabitEthernet1/0/0
#
ospf 1
area 0.0.0.0
network 10.1.0.0 0.0.255.255
SW1
ospf 1 router-id 10.1.7.7
area 0
area 1
area 2
#
interface Vlanif10
ospf enable 1 area 0.0.0.1
#
interface Vlanif20
ospf enable 1 area 0.0.0.1
#
interface Vlanif30
ospf enable 1 area 0.0.0.1
#
interface Vlanif78
ospf enable 1 area 0.0.0.2
#
interface Vlanif127
ospf enable 1 area 0.0.0.0
#
SW2
ospf 1 router-id 10.1.8.8
area 0
area 1
area 2
#
interface Vlanif10
ospf enable 1 area 0.0.0.1
#
interface Vlanif20
ospf enable 1 area 0.0.0.1
#
interface Vlanif30
ospf enable 1 area 0.0.0.1
#
interface Vlanif78
ospf enable 1 area 0.0.0.2
#
interface Vlanif138
ospf enable 1 area 0.0.0.0
#
//dis ospf lsdb 查看ospf数据库
11.OSPF特性(Vlink,认证,特殊区域,LSA3过滤,优化路径)
AR1
interface GigabitEthernet0/0/1
ospf network-type p2p
#
interface GigabitEthernet0/0/2
ospf network-type p2p
#
ospf 1
area 0.0.0.0
authentication-mode md5 1 plain HUAWEI
FW1
interface GigabitEthernet1/0/0
ospf network-type p2p
#
interface GigabitEthernet1/0/1
ospf network-type p2p
#
ospf 1
silent-interface GigabitEthernet1/0/2
area 0.0.0.0
authentication-mode md5 1 plain HUAWEI
FW2
interface GigabitEthernet1/0/0
ospf network-type p2p
#
interface GigabitEthernet1/0/1
ospf network-type p2p
#
ospf 1
silent-interface GigabitEthernet1/0/2
area 0.0.0.0
authentication-mode md5 1 plain HUAWEI
#
SW1
interface Vlanif78
ospf network-type p2p
#
interface Vlanif127
ospf network-type p2p
#
ospf 1
silent-interface all
undo silent-interface Vlanif78
undo silent-interface Vlanif127
area 0.0.0.0
authentication-mode md5 1 plain HUAWEI
area 0.0.0.1
stub no-summary
area 0.0.0.2
filter ip-prefix DENY_ALL import
vlink-peer 10.1.8.8
#
ip ip-prefix DENY_ALL index 10 deny 0.0.0.0 0 less-equal 32
#
SW2
interface Vlanif78
ospf network-type p2p
#
interface Vlanif138
ospf network-type p2p
#
ospf 1 router-id 10.1.8.8
silent-interface all
undo silent-interface Vlanif78
undo silent-interface Vlanif138
area 0.0.0.0
authentication-mode md5 1 plain HUAWEI
area 0.0.0.1
stub no-summary
area 0.0.0.2
filter ip-prefix DENY_ALL import
vlink-peer 10.1.7.7
#
ip ip-prefix DENY_ALL index 10 deny 0.0.0.0 0 less-equal 32
#
- 总部站点路径优化
SW1
interface Vlanif30
ospf cost 10
#
SW2
interface Vlanif10
ospf cost 10
#
interface Vlanif20
ospf cost 10
#
//确保流量来回走的都是同一条路
//配置到这里,来回流量有问题需要检查一下
12.NAPT
Internet(AR2)
sysname Internet
#
interface Ethernet1/0/0
ip address 136.1.142.2 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 136.1.12.2 255.255.255.0
#
interface LoopBack0
ip address 130.1.2.2 255.255.255.255
AR1
acl number 2000
rule 5 permit source 10.1.10.0 0.0.0.255
rule 10 permit source 10.1.20.0 0.0.0.255
#
nat address-group 1 136.1.12.16 136.1.12.19
#
interface GigabitEthernet0/0/0
ip address 136.1.12.1 255.255.255.0
nat outbound 2000 address-group 1
#
ip route-static 0.0.0.0 0.0.0.0 136.1.12.2
#
ospf 1
default-route-advertise //引入缺省路由
#
FW1
security-policy
rule name LOCAL->ANY
source-zone local
action permit
rule name IN->OUT
source-zone trust
destination-zone untrust
source-address 10.1.10.0 mask 255.255.255.0
source-address 10.1.20.0 mask 255.255.255.0
action permit
FW2
//由于做了双机热备份,所以FW2会自动同步FW1的配置
security-policy
rule name LOCAL->ANY
source-zone local
action permit
rule name IN->OUT
source-zone trust
destination-zone untrust
source-address 10.1.10.0 mask 255.255.255.0
source-address 10.1.20.0 mask 255.255.255.0
action permit
//做完这些此时内部有线PC以及无线用户都可以正常访问Internet
13.SSH
AR1
stelnet server enable //开启服务
#
rsa local-key-pair create //创建rsa密钥对 全局配置查不到
Y
1024
#
acl number 2001
rule 5 permit source 10.1.0.0 0.0.255.255
#
aaa
local-user user password cipher HUAWEI
local-user user privilege level 15
local-user user service-type ssh
#
ssh user USER authentication-type password 全局配置查不到
//加一些规则,只允许内网用户远程访问
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
acl 2001 inbound
//dis users 查看ssh在线用户
SW1
ssh client first-time enable
stelnet 10.1.1.1
#
FW1
//如果用交换机测试连接,需要暂时放行一下
security-policy
default action permit
dis security-policy rule all //查看防火墙放行规则命中次数
14.NAT SERVER与NAT-ALG
AR1
nat alg ftp enable //开启ftp多信道
#
interface GigabitEthernet0/0/0
ip address 136.1.12.1 255.255.255.0
nat server protocol tcp global 136.1.12.10 www inside 10.1.0.10 www
nat server protocol tcp global 136.1.12.10 ftp inside 10.1.0.10 ftp
//公共服务器对应开启ftp以及web服务
#
security-policy
rule name OUT->DMZ
source-zone untrust
destination-zone dmz
destination-address 10.1.0.10 mask 255.255.255.255
action permit
FW2
security-policy
rule name OUT->DMZ
source-zone untrust
destination-zone dmz
destination-address 10.1.0.10 mask 255.255.255.255
action permit
15.PPOE&easy-ip
sysname Home
#
interface Dialer1
link-protocol ppp
ppp ipcp default-route //协商成功后自动生成一条默认路由
ppp chap user USER
ppp chap password simple HUAWEI
mtu 1492
ip address ppp-negotiate
dialer user TEST
dialer bundle 1
#
interface GigabitEthernet0/0/0
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
pppoe-client dial-bundle-number 1
#
//客户端配置完成后查看pppoe拨号状态
dis pppoe-client session summary
AR2
interface Virtual-Template1
ppp authentication-mode chap
remote address 136.1.2.1
//ip地址借用接口g0/0/1的ip地址
ip address unnumbered interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1
pppoe-server bind Virtual-Template 1
ip address 136.1.2.2 255.255.255.0
#
aaa
local-user user password cipher HUAWEI
local-user user service-type ppp
#
//easy-ip
Home
acl number 2000
rule 5 permit source 192.168.1.0 0.0.0.255
#
interface Dialer1
nat outbound 2000
16.WLAN二层组网与VLAN_Pool
sysname SW5
#
vlan batch 5 10 to 12 145 254
#
interface Vlanif5
ip address 172.16.5.5 255.255.255.0
#
interface Vlanif10
ip address 172.16.10.5 255.255.255.0
#
interface Vlanif145
ip address 172.16.145.5 255.255.255.0
#
interface Vlanif254
ip address 172.16.254.5 255.255.255.0
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 254
port hybrid untagged vlan 254
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk allow-pass vlan 254
//AC这里只需要放行一个管理vlan就行了,用户流量不经过AC
#
interface GigabitEthernet0/0/11
port link-type access
port default vlan 5
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 145
#
sysname AC3
#
vlan batch 254
#
interface Vlanif254
ip address 172.16.254.10 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 254
#
vlan pool VLAN_POOL //用于给AP用户使用不同的vlan
assignment even
vlan 11 to 12
#
Wlan
ap-id 1 ap-mac 00e0-fcab-0b30
ap-name AREA_3
security-profile name SEC_PRO
security wpa2 psk pass-phrase Huawei@123 aes
ssid-profile name SSID_PRO
ssid SPOKE
vap-profile name VAP_PRO
service-vlan vlan-pool VLAN_POOL
ssid-profile SSID_PRO
security-profile SEC_PRO
forward-mode direct-forward //默认转发方式
ap-id 1
vap-profile VAP_PRO wlan 1 radio 0
vap-profile VAP_PRO wlan 1 radio 1
#
capwap source interface vlanif254
17.VLAN聚合
SW5
vlan 10
aggregate-vlan
access-vlan 11 to 12
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 11 to 12
#
interface Vlanif10
arp-proxy inter-sub-vlan-proxy enable
dhcp select relay
dhcp relay server-ip 172.16.145.14
//dis super-vlan 查看聚合vlan是否成功建立
18.DHCP中继及OSPF
FW3
sysname FW-3
#
dhcp enable
#
ip pool AP_POOL
gateway-list 172.16.254.5
network 172.16.254.0 mask 255.255.255.0
#
ip pool DHCP_POOL
gateway-list 172.16.10.5
network 172.16.10.0 mask 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 136.1.142.14 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 172.16.145.14 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/2
ip address 100.1.143.14 255.255.255.0
#
firewall zone trust
add interface GigabitEthernet1/0/1
#
firewall zone untrust
add interface GigabitEthernet1/0/0
#
firewall zone name MPLS id 4
add interface GigabitEthernet1/0/2
#
ospf 1
area 0.0.0.0
network 172.16.0.0 0.0.255.255
SW5
dhcp enable
#
interface Vlanif254
dhcp select relay
dhcp relay server-ip 172.16.145.14
#
interface Vlanif10
dhcp select relay
dhcp relay server-ip 172.16.145.14
#
ospf 1
area 0.0.0.0
network 172.16.0.0 0.0.255.255
19.DHCP Snooping与ARP安全
SW5
dhcp snooping enable
dhcp snooping user-bind autosave flash:/dhcp.tbl //根据绑定表项导出,便于以后查询
arp dhcp-snooping-detect enable //开启ARP映射条目检查
#
vlan 11
dhcp snooping enable
dhcp snooping check dhcp-chaddr enable //检查客户端硬件地址,防止恶意消耗地址
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 10 //限速,每秒分配十个地址
vlan 12
dhcp snooping enable
dhcp snooping check dhcp-chaddr enable
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 10
#
interface GigabitEthernet0/0/24
dhcp snooping trusted //加入信任接口
#
//dis dhcp snooping user-bind all 查询dhcp snooping绑定表项
20…防火墙NAT
security-policy
rule name LOCAL->ANY
source-zone local
action permit
rule name IN->OUT
source-zone trust
destination-zone untrust
source-address 172.16.10.0 mask 255.255.255.0
action permit
#
nat-policy
rule name EASY_IP
source-zone trust
destination-zone untrust
source-address 172.16.10.0 mask 255.255.255.0
action source-nat easy-ip
#
ospf 1
default-route-advertise
#
ip route-static 0.0.0.0 0 136.1.142.2
//至此分校区客户端可以访问公网
21.ISIS多区域
sysname R1
#
isis 1
is-level level-2
network-entity 49.0000.0000.0000.0001.00
#
interface Ethernet0/0/1
ip address 155.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 155.1.12.1 255.255.255.0
isis enable 1
#
interface LoopBack0
ip address 150.1.1.1 255.255.255.255
isis enable 1
#
sysname R2
#
isis 1
network-entity 49.0001.0000.0000.0002.00
#
interface GigabitEthernet0/0/0
ip address 155.1.12.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet0/0/1
ip address 155.1.23.2 255.255.255.0
isis enable 1
#
interface LoopBack0
ip address 150.1.2.2 255.255.255.255
isis enable 1
#
sysname R3
#
isis 1
is-level level-1
network-entity 49.0001.0000.0000.0003.00
#
interface Ethernet0/0/0
ip address 155.1.3.3 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 155.1.23.3 255.255.255.0
isis enable 1
#
interface LoopBack0
ip address 150.1.3.3 255.255.255.255
isis enable 1
22.MPLS LDP
R1
mpls lsr-id 150.1.1.1
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
mpls
mpls ldp
#
R2
mpls lsr-id 150.1.2.2
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
mpls
mpls ldp
#
R3
mpls lsr-id 150.1.3.3
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
mpls
mpls ldp
#
//dis mpls ldp session 查看mpls建立状态
23.MP-BGP
R1
bgp 100
peer 150.1.2.2 as-number 100
peer 150.1.2.2 connect-interface LoopBack0
#
ipv4-family vpnv4
policy vpn-target
peer 150.1.2.2 enable
#
R2
bgp 100
peer 150.1.1.1 as-number 100
peer 150.1.1.1 connect-interface LoopBack0
peer 150.1.3.3 as-number 100
peer 150.1.3.3 connect-interface LoopBack0
#
ipv4-family vpnv4
undo policy vpn-target //关闭RT过滤
peer 150.1.1.1 enable
peer 150.1.1.1 reflect-client
peer 150.1.3.3 enable
peer 150.1.3.3 reflect-client
#
R3
bgp 100
peer 150.1.2.2 as-number 100
peer 150.1.2.2 connect-interface LoopBack0
#
ipv4-family vpnv4
peer 150.1.2.2 enable
//dis bgp vpnv4 all peer 查看vpnv4邻居关系
24.PE-CE使用BGP接入
AR1
interface Ethernet1/0/0
ip address 100.1.1.1 255.255.255.0
#
bgp 65000
peer 100.1.1.100 as-number 100
import-route ospf 1
#
FW3
bgp 65000
peer 100.1.143.100 as-number 100
import-route ospf 1
#
R1
ip vpn-instance VRF_A
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:14 import-extcommunity
#
bgp 100
ipv4-family vpn-instance VRF_A
peer 100.1.1.1 as-number 65000
#
interface Ethernet0/0/0
ip binding vpn-instance VRF_A
ip address 100.1.1.100 255.255.255.0
#
R3
ip vpn-instance VRF_A
ipv4-family
route-distinguisher 100:14
vpn-target 100:14 export-extcommunity
vpn-target 100:1 import-extcommunity
#
bgp 100
ipv4-family vpn-instance VRF_A
peer 100.1.143.14 as-number 65000
#
interface Ethernet0/0/1
ip binding vpn-instance VRF_A
ip address 100.1.143.100 255.255.255.0
#
25.ISIS路由渗透,BGP AS替换
R2
// 测试R1与R3之间的 LSP隧道是否互通
// ping lsp ip 150.1.3.3 32
// 测试R3与R1之间的 LSP隧道是否互通
// ping lsp ip 150.1.1.1 32
// dis mpls lsp 查看lsp标签情况
isis 1
//由于l2的路由无法进入l1
import-route isis level-2 into level-1 //isis路由渗透
//解决EBGP 防环
R1
bgp 100
ipv4-family vpn-instance VRF_A
peer 100.1.1.1 substitute-as
#
R3
bgp 100
ipv4-family vpn-instance VRF_A
peer 100.1.143.14 substitute-as
#
26.BGP过滤与MPLS调优
AR1
ip ip-prefix FROM_HQ index 10 permit 10.1.30.0 24
#
bgp 65000
peer 100.1.1.100 ip-prefix FROM_HQ export
//此时查看分校区过来的路由,只能看到主校区服务器的网络
FW3
security-policy
rule name IN->MPLS
source-zone trust
destination-zone MPLS
source-address 172.16.10.0 mask 255.255.255.0
destination-address 10.1.30.0 mask 255.255.255.0
action permit
FW1
security-policy
rule name OUT->IN
source-zone untrust
destination-zone trust
source-address 172.16.10.0 mask 255.255.255.0
destination-address 10.1.30.0 mask 255.255.255.0
action permit
//由于网络过于庞大,MPLS从路由分发标签改为实例分发标签,节约资源
R1
ip vpn-instance VRF_A
ipv4-family
apply-label per-instance
#
R3
ip vpn-instance VRF_A
ipv4-family
apply-label per-instance
#
//至此分校区已经可以正常访问到主校区的服务器
27.IPSec VPN冗余部署
FW1
ike proposal 10 //ipSec策略提议
encryption-algorithm 3des //加密
dh group2
authentication-algorithm sha1 //完整性检查
authentication-method pre-share //对等体验证使用共享密钥,更加方便
integrity-algorithm hmac-sha2-256 //创建密钥的算法
prf hmac-sha2-256
#
ike peer FW-3 //设置对等体
pre-shared-key HUAWEI //指定共享密钥
ike-proposal 10 //关联提议
remote-address 136.1.142.14 //指定远端地址
#
acl number 3000 //设置需要保护的流量
rule 5 permit ip source 10.1.30.0 0.0.0.255 destination 172.16.10.0 0.0.0.255
#
ipsec proposal LAN_SET //IPSEC提议对数据的保护
esp authentication-algorithm sha1 //认证
esp encryption-algorithm 3des //加密
#
ipsec policy LAN_MAP 10 isakmp //设置IPSec的策略
security acl 3000
ike-peer FW-3
proposal LAN_SET
#
interface Tunnel0 //不能直接使用本地接口,直接使用会导致上网有问题
//这里通过隧道借用本地端口
ip address unnumbered interface GigabitEthernet1/0/0
tunnel-protocol ipsec
ipsec policy LAN_MAP
#
firewall zone dmz //把隧道接口加入到dmz
add interface Tunnel0
#
FW2
//由于FW1和FW2做的是双火,FW2会自动同步一部分FW1的配置
//这个没有同步过来,手动创建一下
interface Tunnel0
ip address unnumbered interface GigabitEthernet1/0/0
tunnel-protocol ipsec
ipsec policy LAN_MAP
#
AR1
interface GigabitEthernet0/0/0
nat server protocol udp global 136.1.12.12 500 inside 10.1.121.12 500
nat server protocol udp global 136.1.12.13 500 inside 10.1.131.13 500
nat server protocol udp global 136.1.12.12 4500 inside 10.1.121.12 4500
nat server protocol udp global 136.1.12.13 4500 inside 10.1.131.13 4500
FW3
acl number 3000
rule 5 permit ip source 172.16.10.0 0.0.0.255 destination 10.1.30.0 0.0.0.255
#
ipsec proposal LAN_SET
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer ALL
pre-shared-key HUAWEI
ike-proposal 10
#
ipsec policy-template DY_MAP 10
security acl 3000
ike-peer ALL
proposal LAN_SET
#
ipsec policy LAN_MAP 10 isakmp template DY_MAP
#
interface GigabitEthernet1/0/0 //作用再接口上
ipsec policy LAN_MAP
#
security-policy
rule name OUT->LOCAL
source-zone untrust
destination-zone local
service protocol udp destination-port 4500
service protocol udp destination-port 500
action permit
FW1
security-policy
rule name DMZ->IN
source-zone dmz
destination-zone trust
source-address 172.16.10.0 mask 255.255.255.0
destination-address 10.1.30.0 mask 255.255.255.0
action permit
#
ipsec policy LAN_MAP 10 isakmp
sa trigger-mode auto //自动建立IPSec
//dis ike sa 查看建立状态
//dis security-policy rule all 查看防火墙策略状态
FW3
nat-policy
rule name NO_NAT //IPSec直接作用再接口上会优先走easyip,这里增加一条nat策略让他访问服务器的数据优匹配这个
source-zone trust
destination-zone untrust
source-address 172.16.10.0 mask 255.255.255.0
destination-address 10.1.30.0 mask 255.255.255.0
action no-nat
rule move NO_NAT top //把这条策略移动到最前面
#
FW1
ipsec policy LAN_MAP 10 isakmp
route inject dynamic //添加一条反向路由
#
ospf 1 //引入到ospf,镇压默认路由
import-route unr
#
IPSEC与MPLS备份 优化
FW1
ipsec policy LAN_MAP 10 isakmp
route inject dynamic preference 151 //修改ipsec的优先级,使得MPLS专线线路更优
AR1
ospf 1
import-route bgp
#
bgp 65000
preference 149 255 255 //修改EBGP的优先级
//icmp ttl-exceeded send 可以使防火墙显示在追踪路径上
28.组播-PIM-SM
R1
multicast routing-enable //开启组播
#
interface Ethernet0/0/1
pim sm //稀疏模式
#
interface GigabitEthernet0/0/0
pim sm
R2
multicast routing-enable
#
interface GigabitEthernet0/0/0
pim sm
#
interface GigabitEthernet0/0/1
pim sm
#
interface LoopBack0
pim sm
#
pim
c-bsr LoopBack0
c-rp LoopBack0
R3
multicast routing-enable
#
interface Ethernet0/0/0
pim sm
igmp enable
#
interface GigabitEthernet0/0/1
pim sm
#
29.DHCPv6
R3
ipv6
#
dhcp enable
#
dhcpv6 pool DHCPv6_POOL //创建ipv6地址池
address prefix 2001:155:1:3::/64 //有状态地址自动配置
#
interface Ethernet0/0/0
ipv6 enable
ipv6 address 2001:155:1:3::3/64
undo ipv6 nd ra halt //打开ipv6的ra通告
ipv6 nd autoconfig managed-address-flag //设置ipv6 地址配置的M比特置位强制有状态
dhcpv6 server DHCPv6_POOL //关联ipv6服务器
#
30.OSPFv3
FW3
ipv6
#
ospfv3 1
router-id 172.16.14.14
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address auto link-local
ospfv3 1 area 0.0.0.0
#
//dis ospfv3 peer 查看ospfv3邻居关系
//dis ospfv3 routing 查看ospfv3路由表
SW5
ipv6
#
ospfv3 1
router-id 172.16.5.5
#
interface Vlanif5
ipv6 enable
ipv6 address 2001:172:16:5::5/64
ospfv3 1 area 0.0.0.0
#
interface Vlanif145
ipv6 enable
ipv6 address auto link-local
ospfv3 1 area 0.0.0.0
#
31.NAT64
FW3
ospfv3 1
default-route-advertise always
#
nat64 prefix 2001:172:14:: 96
#
nat-policy
rule name NAT64
source-zone trust
destination-zone untrust
source-address 2001:172:16:5:: 64
nat-type nat64
action source-nat easy-ip //使用源地址转换
#
interface GigabitEthernet1/0/1
nat64 enable
#
security-policy
rule name IN->OUT(IPv6)
source-zone trust
destination-zone untrust
service protocol icmpv6
action permit
#
//dis firewall ipv6 session table //查看ipv6转换列表
//使用PC5ping公网是否可以通讯 ping 2001:172:14::8201:202 -6 (130.1.2.2)
ipv4地址:130.1.2.2
转换二进制:1000 0100 0000 0001 0000 0010 0000 0010
转换十六进制 8 2 0 1 0 2 0 2
32.6to4自动隧道
R1
ipv6
#
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 2001:155:1:1::1 64
#
interface Tunnel0/0/0
ipv6 enable
ipv6 address 2002:9601:101:13::1 64
tunnel-protocol ipv6-ipv4 6to4
source LoopBack0
#
ipv6 route-static 2001:155:1:3:: 64 2002:9601:303:13::3
ipv6 route-static 2002:: 16 Tunnel0/0/0
#
R3
interface Tunnel0/0/0
ipv6 enable
ipv6 address 2002:9601:303:13::3 64
tunnel-protocol ipv6-ipv4 6to4
source LoopBack0
#
ipv6 route-static 2001:155:1:1:: 64 2002:9601:101:13::1
ipv6 route-static 2002:: 16 Tunnel0/0/0
#
33.配置QOS
AR1
//把有线侧和无线侧网络抓取出来
acl number 2005
rule 5 permit source 172.16.5.0 0.0.0.255
acl number 2010
rule 5 permit source 172.16.10.0 0.0.0.255
#
//配置复杂流分类
traffic classifier NET5_CMAP operator or
if-match acl 2005
traffic classifier NET10_CMAP operator or
if-match acl 2010
#
//做标记
traffic behavior NET10_BMAP
remark dscp af21
traffic behavior NET5_BMAP
remark dscp af11
#
traffic policy REMARK //做策略
classifier NET5_CMAP behavior NET5_BMAP
classifier NET10_CMAP behavior NET10_BMAP
#
//应用到接口
interface Ethernet1/0/0
ip address 100.1.1.1 255.255.255.0
traffic-policy REMARK inbound
#
//做拥塞避免
drop-profile NET10_WRED
wred dscp
dscp af21 low-limit 50 high-limit 80 discard-percentage 50
#
//qos队列配置
qos queue-profile QUEUE_PRO
queue 1 gts cir 512 cbs 12800
queue 1 weight 50
queue 2 weight 30
schedule wfq 0 to 4
queue 2 drop-profile NET10_WRED
#//应用到接口
interface GigabitEthernet0/0/1
qos queue-profile QUEUE_PRO
#
interface GigabitEthernet0/0/2
qos queue-profile QUEUE_PRO
# //为了保障上网体验,对网络做一下限制
acl number 3000
rule 5 permit udp destination-port range 6881 6999 time-range WORKTIME
#
time-range WORKTIME 09:00 to 18:00 working-day
#
interface GigabitEthernet0/0/0
qos car inbound acl 3000 cir 256 cbs 48128 pbs 80128 green pass yellow pass red discard
#
34.BFD&NQA
BFD
AR1
bfd
#
interface GigabitEthernet0/0/1
ospf bfd enable
#
interface GigabitEthernet0/0/2
ospf bfd enable
#
FW1
bfd
#
interface GigabitEthernet1/0/0
ospf bfd enable
#
FW2
bfd
#
interface GigabitEthernet1/0/0
ospf bfd enable
//dis ospf bfd session all 查看bfd会话
NQA配置
FW3
//nqa的作用就是一直检测一个指定的地址是否还可以ping的通,这个功能再模拟器上做会有些bug可能看不到效果
ip route-static 0.0.0.0 0.0.0.0 136.1.142.2 track nqa ADMIN ICMP
#
nqa test-instance ADMIN ICMP
test-type icmp //测试类型
destination-address ipv4 130.1.2.2 //测试地址
records result 1 //把最近的记过记录下来
records history 3 //记录最近的记录
frequency 5 //五秒测试一次
timeout 2 //两秒超时
start now //开始测试
#
//dis nqa history 查看nqa状态