Requirements:
1. Configure VLANs and trunks; configure link aggregation between the two core switches.
2. Configure MSTP + VRRP so that traffic is load-shared across both cores while each backs up the other; apply STP optimizations that speed up convergence and reduce topology flapping.
3. Configure OSPF and static routes for layer-3 routing; the branch must be able to reach headquarters.
4. All users obtain IP addresses dynamically; configure the related DHCP security features.
5. China Unicom is the primary egress; the China Telecom PPPoE link is the backup egress.
6. VLAN 5 users are not allowed to access the Internet.
7. Map TCP port 80 of the server at 192.168.200.2 to the Unicom public address.
8. All switches can be managed remotely over Telnet (the requirement gives the credentials as hcie / 123).
9. While the egress links are healthy, VLAN 3 reaches the Internet over the Telecom PPPoE link.
Main technologies used in this lab:
VLAN, Trunk, Eth-Trunk, MSTP, VRRP, BFD, OSPF, NAT, DHCP Relay, PPPoE, ACL, NAT Server, policy-based routing, Telnet.
Configuration procedure
I. Link aggregation (Eth-Trunk):
Access switch SW6 to aggregation switch SW3 (static LACP; both ends must use the same mode, otherwise the member ports stay unselected):
SW6:
<Huawei>sys
[Huawei]sysname SW6
[SW6]UN IN EN
[SW6]int Eth-Trunk 1
[SW6-Eth-Trunk1]mode lacp-static
[SW6-Eth-Trunk1]trunkport Ethernet 0/0/1
[SW6-Eth-Trunk1]trunkport Ethernet 0/0/3
SW3:
<Huawei>sys
[Huawei]sysname SW3
[SW3]un in en
[SW3]int Eth-Trunk 1
[SW3-Eth-Trunk1]mode lacp-static
[SW3-Eth-Trunk1]trunkport Ethernet 0/0/4
[SW3-Eth-Trunk1]trunkport Ethernet 0/0/5
Core switches SW1 and SW2:
SW1:
<Huawei>sys
[Huawei]sysname hexin-SW1
[hexin-SW1]un in en
[hexin-SW1]int Eth-Trunk 2
[hexin-SW1-Eth-Trunk2]mode lacp-static
[hexin-SW1-Eth-Trunk2]trunkport g0/0/2
[hexin-SW1-Eth-Trunk2]trunkport g0/0/3
SW2:
<Huawei>sys
[Huawei]sysname SW2
[SW2]un in en
[SW2]int Eth-Trunk 2
[SW2-Eth-Trunk2]mode lacp-static
[SW2-Eth-Trunk2]trunkport g0/0/1
[SW2-Eth-Trunk2]trunkport g0/0/2
Check the aggregated link with:
[hexin-SW1]display eth-trunk 2 //both member ports should show "Selected"; if one shows "Unselect", check that both ends use mode lacp-static and that the member ports have identical speed and duplex settings
II. VLAN and trunk configuration:
SW5
<Huawei>sys
[Huawei]sysname SW5
[SW5]un in en
[SW5]vlan batch 2 to 5 999
//Although VLANs 4 and 5 carry no traffic on this switch, all VLANs are created so that every switch has the same VLAN set for the MSTP configuration that follows; VLAN 999 is the management VLAN used later for Telnet
[SW5]int Ethernet0/0/2
[SW5-Ethernet0/0/2]port link-type access
[SW5-Ethernet0/0/2]port default vlan 2
[SW5-Ethernet0/0/2]q
[SW5]int e0/0/1
[SW5-Ethernet0/0/1]port link-type trunk
[SW5-Ethernet0/0/1]port trunk allow-pass vlan 2 999
[SW5-Ethernet0/0/1]q
SW6:
[SW6]vlan batch 2 to 5 999
[SW6]int e0/0/2
[SW6-Ethernet0/0/2]port link-type access
[SW6-Ethernet0/0/2]port default vlan 3
[SW6-Ethernet0/0/2]q
[SW6]int Eth-Trunk 1
[SW6-Eth-Trunk1]port link-type trunk
[SW6-Eth-Trunk1]port trunk allow-pass vlan 3 999
[SW6-Eth-Trunk1]q
SW3:
[SW3]vlan batch 2 to 5 999
[SW3]int e0/0/3
[SW3-Ethernet0/0/3]port link-type trunk
[SW3-Ethernet0/0/3]port trunk allow-pass vlan all
[SW3-Ethernet0/0/3]q
[SW3]int Eth-Trunk 1
[SW3-Eth-Trunk1]port link-type trunk
[SW3-Eth-Trunk1]port trunk allow-pass vlan all
[SW3-Eth-Trunk1]q
[SW3]port-group group-member Ethernet0/0/1 Ethernet0/0/2
[SW3-port-group]port link-type trunk
[SW3-Ethernet0/0/1]port link-type trunk
[SW3-Ethernet0/0/2]port link-type trunk
[SW3-port-group]port trunk allow-pass vlan all
[SW3-Ethernet0/0/1]port trunk allow-pass vlan all
[SW3-Ethernet0/0/2]port trunk allow-pass vlan all
[SW3-port-group]q
SW7:
<Huawei>sys
[Huawei]sysname SW7
[SW7]
[SW7]un in en
[SW7]vlan batch 2 to 5 999
[SW7]int e0/0/2
[SW7-Ethernet0/0/2]port link-type access
[SW7-Ethernet0/0/2]port default vlan 4
[SW7-Ethernet0/0/2]q
[SW7]int e0/0/3
[SW7-Ethernet0/0/3]port link-type access
[SW7-Ethernet0/0/3]port default vlan 5
[SW7-Ethernet0/0/3]q
[SW7]int e0/0/1
[SW7-Ethernet0/0/1]port link-type trunk
[SW7-Ethernet0/0/1]port trunk allow-pass vlan 4 5 999
[SW7-Ethernet0/0/1]q
SW4:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname SW4
[SW4]vlan batch 2 to 5 999
[SW4]port-group group-member Ethernet 0/0/1 Ethernet 0/0/2 Ethernet 0/0/3
[SW4-port-group]port link-type trunk
[SW4-Ethernet0/0/1]port link-type trunk
[SW4-Ethernet0/0/2]port link-type trunk
[SW4-Ethernet0/0/3]port link-type trunk
[SW4-port-group]port trunk allow-pass vlan all
[SW4-Ethernet0/0/1]port trunk allow-pass vlan all
[SW4-Ethernet0/0/2]port trunk allow-pass vlan all
[SW4-Ethernet0/0/3]port trunk allow-pass vlan all
[SW4-port-group]q
SW8:
<Huawei>sys
[Huawei]sysname SW8
[SW8]
[SW8]UN in en
[SW8]vlan batch 2 to 5 200 999
[SW8]port-group group-member Ethernet 0/0/3 Ethernet 0/0/4
[SW8-port-group]port link-type access
[SW8-Ethernet0/0/3]PORT link-type access
[SW8-Ethernet0/0/4]PORT link-type access
[SW8-port-group]PORT default vlan 200
[SW8-Ethernet0/0/3]PORT default vlan 200
[SW8-Ethernet0/0/4]PORT default vlan 200
[SW8-port-group]q
[SW8]port-group group-member Ethernet 0/0/1 Ethernet 0/0/2
[SW8-port-group]port link-type trunk
[SW8-Ethernet0/0/1]port link-type trunk
[SW8-Ethernet0/0/2]port link-type trunk
[SW8-port-group]port trunk allow-pass vlan 200 999
[SW8-Ethernet0/0/1]port trunk allow-pass vlan 200 999
[SW8-Ethernet0/0/2]port trunk allow-pass vlan 200 999
[SW8-port-group]q
SW1:
<hexin-SW1>sys
[hexin-SW1]vlan batch 2 to 5 200 800 999
[hexin-SW1]int g0/0/5
[hexin-SW1-GigabitEthernet0/0/5]port link-type trunk
[hexin-SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 200 999
[hexin-SW1-GigabitEthernet0/0/5]q
[hexin-SW1]int g0/0/1
[hexin-SW1-GigabitEthernet0/0/1]port link-type trunk
[hexin-SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 999
[hexin-SW1-GigabitEthernet0/0/1]qu
[hexin-SW1]int g0/0/4
[hexin-SW1-GigabitEthernet0/0/4]port link-type trunk
[hexin-SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 4 5 999
[hexin-SW1-GigabitEthernet0/0/4]q
[hexin-SW1]int Eth-Trunk 2
[hexin-SW1-Eth-Trunk2]port link-type trunk
[hexin-SW1-Eth-Trunk2]port trunk allow-pass vlan all
[hexin-SW1-Eth-Trunk2]q
[hexin-SW1]vlan 800
[hexin-SW1-vlan800]int g0/0/6
[hexin-SW1-GigabitEthernet0/0/6]port link-type access
[hexin-SW1-GigabitEthernet0/0/6]port default vlan 800
[hexin-SW1-GigabitEthernet0/0/6]q
SW2:
<SW2>sys
[SW2]sysname hexin-SW2
[hexin-SW2]vlan batch 2 to 5 200 801 999
[hexin-SW2]int g0/0/4
[hexin-SW2-GigabitEthernet0/0/4]port link-type trunk
[hexin-SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 4 5 999
[hexin-SW2-GigabitEthernet0/0/4]qu
[hexin-SW2]int g0/0/5
[hexin-SW2-GigabitEthernet0/0/5]port link-type trunk
[hexin-SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 2 3 999
[hexin-SW2-GigabitEthernet0/0/5]q
[hexin-SW2]int Eth-Trunk 2
[hexin-SW2-Eth-Trunk2]port link-type trunk
[hexin-SW2-Eth-Trunk2]port trunk allow-pass vlan all
[hexin-SW2-Eth-Trunk2]q
[hexin-SW2]int g0/0/3
[hexin-SW2-GigabitEthernet0/0/3]port link-type trunk
[hexin-SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 200 999
[hexin-SW2-GigabitEthernet0/0/3]q
[hexin-SW2]int g0/0/6
[hexin-SW2-GigabitEthernet0/0/6]port link-type access
[hexin-SW2-GigabitEthernet0/0/6]port default vlan 801
[hexin-SW2-GigabitEthernet0/0/6]q
III. MSTP configuration:
SW1:
<hexin-SW1>sys
[hexin-SW1]stp region-configuration
[hexin-SW1-mst-region]region-name A //MSTP region name; must be identical on every switch in the region
[hexin-SW1-mst-region]revision-level 1 //revision level 1; must also be identical
[hexin-SW1-mst-region]instance 1 vlan 2 3 200 //map VLANs 2, 3 and 200 to instance 1
[hexin-SW1-mst-region]instance 2 vlan 4 5 //map VLANs 4 and 5 to instance 2
[hexin-SW1-mst-region]active region-configuration //activate the region configuration
[hexin-SW1-mst-region]q
[hexin-SW1]stp instance 1 root primary //this switch becomes the root bridge of instance 1
[hexin-SW1]stp instance 2 root secondary //and the backup root of instance 2 (SW2 is configured the other way round, so each instance forwards through a different core)
SW2:
<hexin-SW2>SYS
[hexin-SW2]stp region-configuration
[hexin-SW2-mst-region]region-name A
[hexin-SW2-mst-region]revision-level 1
[hexin-SW2-mst-region]instance 1 vlan 2 3 200
[hexin-SW2-mst-region]instance 2 vlan 4 5
[hexin-SW2-mst-region]active region-configuration
[hexin-SW2-mst-region]q
[hexin-SW2]stp instance 2 root primary
[hexin-SW2]stp instance 1 root secondary
SW3:
<SW3>sys
[SW3]stp region-configuration
[SW3-mst-region]region-name A
[SW3-mst-region]revision-level 1
[SW3-mst-region]instance 1 vlan 2 3 200
[SW3-mst-region]instance 2 vlan 4 5
[SW3-mst-region]active region-configuration
SW4:
<SW4>sys
[SW4]stp region-configuration
[SW4-mst-region]region-name A
[SW4-mst-region]revision-level 1
[SW4-mst-region]instance 1 VLAN 2 3 200
[SW4-mst-region]instance 2 vlan 4 5
[SW4-mst-region]active region-configuration
SW8:
<SW8>sys
[SW8]stp region-configuration
[SW8-mst-region]region-name A
[SW8-mst-region]revision-level 1
[SW8-mst-region]instance 1 vlan 2 3 200
[SW8-mst-region]instance 2 vlan 4 5
[SW8-mst-region]active region-configuration
SW5, SW6 and SW7 are not given the region configuration; each has a single uplink, so they attach to region A as separate regions without creating a loop. Their user-facing ports are configured as edge ports so that they go to forwarding immediately and a PC connecting or disconnecting does not trigger a topology change:
SW5:
<SW5>sys
[SW5]int e0/0/2
[SW5-Ethernet0/0/2]stp edged-port enable
SW6:
<SW6>sys
[SW6]int e0/0/2
[SW6-Ethernet0/0/2]stp edged-port enable
SW7:
<SW7>sys
[SW7]int e0/0/2
[SW7-Ethernet0/0/2]stp edged-port enable
[SW7-Ethernet0/0/2]int e0/0/3
[SW7-Ethernet0/0/3]stp edged-port enable
[SW7-Ethernet0/0/3]q
SW8:
[SW8]int e0/0/3
[SW8-Ethernet0/0/3]stp edged-port enable
[SW8-Ethernet0/0/3]int e0/0/4
[SW8-Ethernet0/0/4]stp edged-port enable
[SW8-Ethernet0/0/4]q
Disable STP on the core switches' uplinks to the router:
These are access ports in VLAN 800 / 801 that connect only to R1, so they cannot form a loop; with STP disabled, their going down or coming up does not trigger a spanning-tree recalculation.
SW1:
[hexin-SW1]int g0/0/6
[hexin-SW1-GigabitEthernet0/0/6]stp disable
SW2:
<hexin-SW2>sys
[hexin-SW2]int g0/0/6
[hexin-SW2-GigabitEthernet0/0/6]stp disable
Set a static STP cost on the Eth-Trunk between the cores, so that in both instances the core-to-core link is always preferred over any path through an aggregation switch:
SW1:
[hexin-SW1]int Eth-Trunk 2
[hexin-SW1-Eth-Trunk2]stp instance 1 cost 10000
[hexin-SW1-Eth-Trunk2]stp instance 2 cost 10000
SW2:
[hexin-SW2]INT Eth-Trunk 2
[hexin-SW2-Eth-Trunk2]stp instance 1 cost 10000
[hexin-SW2-Eth-Trunk2]stp instance 2 cost 10000
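The requirement asks for STP optimizations that speed convergence and reduce flapping, and the edge-port setting above is only half of that: an edge port that receives a BPDU silently turns back into a normal port, so a PC running a bridging tool or a mis-cabled switch can still change the topology, and a device claiming a better bridge ID could take the root away from the cores. The following is an added hardening example, not part of the original lab: BPDU protection and TC protection on the access switches, root protection on the core downlinks. Port numbers follow the topology above; the 60 s recovery interval is an assumed value.

```text
// Access switches (repeat on SW6, SW7, SW8): an edge port that receives any BPDU goes error-down instead of re-joining the tree
[SW5]stp bpdu-protection
// assumed value: bring an error-down port back after 60 s instead of requiring a manual undo shutdown
[SW5]error-down auto-recovery cause bpdu-protection interval 60
// rate-limit the MAC-table flushes caused by topology-change BPDUs, which is what "flapping" costs at the data plane
[SW5]stp tc-protection
// Core switches: with the Eth-Trunk cost fixed at 10000 the core-to-core link is the root port of the non-root core in both instances,
// so every downlink is a designated port in both instances and may never accept a superior BPDU
[hexin-SW1]stp tc-protection
[hexin-SW1]int g0/0/1
[hexin-SW1-GigabitEthernet0/0/1]stp root-protection
[hexin-SW1-GigabitEthernet0/0/1]int g0/0/4
[hexin-SW1-GigabitEthernet0/0/4]stp root-protection
[hexin-SW1-GigabitEthernet0/0/4]int g0/0/5
[hexin-SW1-GigabitEthernet0/0/5]stp root-protection
[hexin-SW1-GigabitEthernet0/0/5]q
// same on SW2 for g0/0/3, g0/0/4 and g0/0/5
// Verify: every core downlink shows role DESI in both instances; a root-protected port that received a better BPDU shows DISCARDING until the BPDUs stop
[hexin-SW1]display stp brief
[SW5]display stp brief
```

Root protection must only go on ports that are designated in every instance, which `display stp brief` confirms before you apply it; on a port that is a root port in one instance it would block that instance. `stp bpdu-protection` is global and covers every port that has `stp edged-port enable`.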
IV. VRRP configuration:
SW1 is master (priority 105) for VLANs 2, 3 and 200, SW2 is master for VLANs 4 and 5; for each group the other core keeps the default priority of 100 and acts as backup, which gives load sharing and redundancy at the same time. Vlanif 800 is SW1's routed link to R1.
SW1:
[hexin-SW1]int vlanif 2
[hexin-SW1-Vlanif2]ip address 192.168.2.254 24
[hexin-SW1-Vlanif2]vrrp vrid 2 virtual-ip 192.168.2.1
[hexin-SW1-Vlanif2]vrrp vrid 2 priority 105
[hexin-SW1-Vlanif2]q
[hexin-SW1]int vlanif 3
[hexin-SW1-Vlanif3]ip address 192.168.3.254 24
[hexin-SW1-Vlanif3]vrrp vrid 3 virtual-ip 192.168.3.1
[hexin-SW1-Vlanif3]vrrp vrid 3 priority 105
[hexin-SW1-Vlanif3]q
[hexin-SW1]int vlanif 200
[hexin-SW1-Vlanif200]ip address 192.168.200.254 24
[hexin-SW1-Vlanif200]vrrp vrid 200 virtual-ip 192.168.200.1
[hexin-SW1-Vlanif200]vrrp vrid 200 priority 105
[hexin-SW1-Vlanif200]int vlanif 4
[hexin-SW1-Vlanif4]ip address 192.168.4.254 24
[hexin-SW1-Vlanif4]vrrp vrid 4 virtual-ip 192.168.4.1
[hexin-SW1-Vlanif4]int vlanif 5
[hexin-SW1-Vlanif5]ip address 192.168.5.254 24
[hexin-SW1-Vlanif5]vrrp vrid 5 virtual-ip 192.168.5.1
[hexin-SW1-Vlanif5]int vlanif 800
[hexin-SW1-Vlanif800]ip address 192.168.12.2 24
[hexin-SW1-Vlanif800]q
SW2:
[hexin-SW2]int vlanif 4
[hexin-SW2-Vlanif4]ip address 192.168.4.253 24
[hexin-SW2-Vlanif4]vrrp vrid 4 virtual-ip 192.168.4.1
[hexin-SW2-Vlanif4]vrrp vrid 4 priority 105
[hexin-SW2-Vlanif4]int vlanif5
[hexin-SW2-Vlanif5]ip address 192.168.5.253 24
[hexin-SW2-Vlanif5]vrrp vrid 5 virtual-ip 192.168.5.1
[hexin-SW2-Vlanif5]vrrp vrid 5 priority 105
[hexin-SW2-Vlanif5]int vlanif 200
[hexin-SW2-Vlanif200]ip add 192.168.200.253 24
[hexin-SW2-Vlanif200]vrrp vrid 200 virtual-ip 192.168.200.1
[hexin-SW2-Vlanif200]int vlanif 2
[hexin-SW2-Vlanif2]ip address 192.168.2.253 24
[hexin-SW2-Vlanif2]vrrp vrid 2 virtual-ip 192.168.2.1
[hexin-SW2-Vlanif2]int vlanif 3
[hexin-SW2-Vlanif3]ip address 192.168.3.253 24
[hexin-SW2-Vlanif3]vrrp vrid 3 virtual-ip 192.168.3.1
[hexin-SW2-Vlanif3]int vlanif 801
[hexin-SW2-Vlanif801]ip address 192.168.23.2 24
[hexin-SW2-Vlanif801]q
V. BFD configuration:
BFD between SW1 (core) and the router R1, so that a failure of the SW1-R1 path is detected within milliseconds and fed into VRRP (auto: the session discriminators are negotiated automatically; the session only starts after commit):
SW1:
[hexin-SW1]bfd
[hexin-SW1-bfd]q
[hexin-SW1]bfd B bind peer-ip 192.168.12.1 source-ip 192.168.12.2 auto
[hexin-SW1-bfd-session-b]commit
[hexin-SW1-bfd-session-b]q
R1 (basic addressing first):
<Huawei>sys
[Huawei]sys R1
[R1]un in en
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.12.1 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.23.1 24
[R1-GigabitEthernet0/0/1]int g1/0/0
[R1-GigabitEthernet1/0/0]ip address 13.1.1.1 24
[R1-GigabitEthernet1/0/0]int g2/0/0
[R1-GigabitEthernet2/0/0]ip address 14.1.1.1 24
[R1-GigabitEthernet2/0/0]q
[R1]bfd
[R1-bfd]q
[R1]bfd B bind peer-ip 192.168.12.2 source-ip 192.168.12.1 auto
[R1-bfd-session-b]commit
[R1-bfd-session-b]q
SW1: bind the VRRP groups to the BFD session and to the downlink interfaces. When either goes down the priority is reduced by 10 (the default), so 105 drops to 95 and SW2 at 100 takes over:
[hexin-SW1]int vlanif 2
[hexin-SW1-Vlanif2]vrrp vrid 2 track bfd-session session-name B
[hexin-SW1-Vlanif2]vrrp vrid 2 track interface GigabitEthernet 0/0/1
[hexin-SW1-Vlanif2]int vlanif 3
[hexin-SW1-Vlanif3]vrrp vrid 3 track bfd-session session-name B
[hexin-SW1-Vlanif3]vrrp vrid 3 track interface GigabitEthernet 0/0/1
[hexin-SW1-Vlanif3]int vlanif 200
[hexin-SW1-Vlanif200]vrrp vrid 200 track bfd-session session-name B
[hexin-SW1-Vlanif200]vrrp vrid 200 track interface GigabitEthernet 0/0/5
[hexin-SW1-Vlanif200]q
BFD between SW2 (core) and R1:
SW2:
[hexin-SW2]bfd
[hexin-SW2-bfd]q
[hexin-SW2]bfd C bind peer-ip 192.168.23.1 source-ip 192.168.23.2 auto
[hexin-SW2-bfd-session-c]commit
[hexin-SW2-bfd-session-c]q
R1:
[R1]bfd C bind peer-ip 192.168.23.2 source-ip 192.168.23.1 auto
[R1-bfd-session-c]commit
SW2: the same tracking for the groups SW2 is master of (VLANs 4 and 5 both enter SW2 on g0/0/4):
[hexin-SW2]int vlanif 4
[hexin-SW2-Vlanif4]vrrp vrid 4 track bfd-session session-name C
[hexin-SW2-Vlanif4]vrrp vrid 4 track interface GigabitEthernet 0/0/4
[hexin-SW2-Vlanif4]int vlanif5
[hexin-SW2-Vlanif5]vrrp vrid 5 track bfd-session session-name C
[hexin-SW2-Vlanif5]vrrp vrid 5 track interface GigabitEthernet 0/0/4 //the original tracked g0/0/3, which carries only VLAN 200; VLAN 5 arrives on g0/0/4
[hexin-SW2-Vlanif5]q
VI. OSPF configuration:
SW1:
[hexin-SW1]display ip interface brief //confirm every Vlanif is up with the expected address before enabling OSPF
[hexin-SW1]ospf 1
[hexin-SW1-ospf-1]area 0
[hexin-SW1-ospf-1-area-0.0.0.0]net 192.168.2.0 0.0.0.255
[hexin-SW1-ospf-1-area-0.0.0.0]net 192.168.3.0 0.0.0.255
[hexin-SW1-ospf-1-area-0.0.0.0]net 192.168.4.0 0.0.0.255
[hexin-SW1-ospf-1-area-0.0.0.0]net 192.168.5.0 0.0.0.255
[hexin-SW1-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
[hexin-SW1-ospf-1-area-0.0.0.0]net 192.168.12.0 0.0.0.255
SW2:
[hexin-SW2]ospf 1
[hexin-SW2-ospf-1]area 0
[hexin-SW2-ospf-1-area-0.0.0.0]net 192.168.2.0 0.0.0.255
[hexin-SW2-ospf-1-area-0.0.0.0]net 192.168.3.0 0.0.0.255
[hexin-SW2-ospf-1-area-0.0.0.0]net 192.168.4.0 0.0.0.255
[hexin-SW2-ospf-1-area-0.0.0.0]net 192.168.5.0 0.0.0.255
[hexin-SW2-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
[hexin-SW2-ospf-1-area-0.0.0.0]net 192.168.23.0 0.0.0.255
Branch pre-configuration:
R4:
<Huawei>sys
[Huawei]sysname Branch
[Branch]un in en
[Branch]int e0/0/0
[Branch-Ethernet0/0/0]ip address 14.1.1.2 24
[Branch-Ethernet0/0/0]int e0/0/1
[Branch-Ethernet0/0/1]ip address 192.168.100.1 24
OSPF on R1 (only the internal links and the branch link are advertised; the ISP-facing interfaces stay out of OSPF):
[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]net 192.168.12.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]net 192.168.23.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]net 14.1.1.0 0.0.0.255
OSPF on R4 (branch):
[Branch]ospf 1
[Branch-ospf-1]area 0
[Branch-ospf-1-area-0.0.0.0]net 14.1.1.0 0.0.0.255
[Branch-ospf-1-area-0.0.0.0]net 192.168.100.0 0.0.0.255
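Sections IV and VI leave both VRRP and OSPF unauthenticated: any host in VLAN 2-5 can send VRRP advertisements with a higher priority and become the gateway, and because the cores send OSPF hellos into the user VLANs, a host can form an adjacency and inject routes. The following is an added hardening example, not part of the original lab: it silences OSPF on the user Vlanifs, authenticates the remaining adjacencies with MD5 and authenticates the VRRP groups. The keys Ospf@Key1 and Vrrp@Key1 are placeholders; SW1 is shown, and the same commands with identical keys go on SW2 and, for OSPF, on R1 and the Branch router.

```text
// SW1: no OSPF neighbours live in VLAN 2-5, so stop sending and accepting hellos there.
// Vlanif 200 stays active because it also carries the SW1-SW2 adjacency (SW2 must silence the same interfaces)
[hexin-SW1]ospf 1
[hexin-SW1-ospf-1]silent-interface Vlanif 2
[hexin-SW1-ospf-1]silent-interface Vlanif 3
[hexin-SW1-ospf-1]silent-interface Vlanif 4
[hexin-SW1-ospf-1]silent-interface Vlanif 5
[hexin-SW1-ospf-1]q
// MD5 on the adjacencies that remain (key id 1; Ospf@Key1 is a placeholder)
[hexin-SW1]int vlanif 800
[hexin-SW1-Vlanif800]ospf authentication-mode md5 1 cipher Ospf@Key1
[hexin-SW1-Vlanif800]int vlanif 200
[hexin-SW1-Vlanif200]ospf authentication-mode md5 1 cipher Ospf@Key1
[hexin-SW1-Vlanif200]q
// VRRP: advertisements with a wrong key are discarded, so while the keys differ both cores claim Master; configure the backup first
[hexin-SW1]int vlanif 2
[hexin-SW1-Vlanif2]vrrp vrid 2 authentication-mode md5 Vrrp@Key1
[hexin-SW1-Vlanif2]int vlanif 3
[hexin-SW1-Vlanif3]vrrp vrid 3 authentication-mode md5 Vrrp@Key1
[hexin-SW1-Vlanif3]int vlanif 4
[hexin-SW1-Vlanif4]vrrp vrid 4 authentication-mode md5 Vrrp@Key1
[hexin-SW1-Vlanif4]int vlanif 5
[hexin-SW1-Vlanif5]vrrp vrid 5 authentication-mode md5 Vrrp@Key1
[hexin-SW1-Vlanif5]int vlanif 200
[hexin-SW1-Vlanif200]vrrp vrid 200 authentication-mode md5 Vrrp@Key1
[hexin-SW1-Vlanif200]q
// R1 side of the SW1 adjacency (same on g0/0/1 towards SW2, and on g2/0/0 and Branch e0/0/0)
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ospf authentication-mode md5 1 cipher Ospf@Key1
[R1-GigabitEthernet0/0/0]q
// Verify: every remaining neighbour is back in Full, and each VRRP group shows exactly one Master
[R1]display ospf peer brief
[hexin-SW1]display vrrp brief
```

Silencing Vlanif 2-5 removes the SW1-SW2 adjacencies that ran over the user VLANs; the cores still learn each other's routes through Vlanif 200 and through R1, and the cost tweaks in section VIII keep working because a silent interface is still advertised as a stub link with its cost.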
Pre-configuration of the remaining devices:
R6 (DHCP server):
<Huawei>sys
[Huawei]sysname DHCP-Server
[DHCP-Server]un in en
[DHCP-Server]int g0/0/0
[DHCP-Server-GigabitEthernet0/0/0]ip address 192.168.200.3 24
[DHCP-Server-GigabitEthernet0/0/0]q
[DHCP-Server]ip route-static 0.0.0.0 0 192.168.200.1
R2 (China Telecom):
<Huawei>sys
[Huawei]sys China-Telecom
[China-Telecom]un in en
[China-Telecom]int g0/0/1
[China-Telecom-GigabitEthernet0/0/1]ip address 25.1.1.2 24
[China-Telecom-GigabitEthernet0/0/1]q
[China-Telecom]ospf 2
[China-Telecom-ospf-2]area 0
[China-Telecom-ospf-2-area-0.0.0.0]net 25.1.1.0 0.0.0.255
R3 (China Unicom):
<Huawei>sys
[Huawei]sysname China-Union
[China-Union]un in en
[China-Union]int e0/0/0
[China-Union-Ethernet0/0/0]ip address 13.1.1.2 24
[China-Union-Ethernet0/0/0]int e0/0/1
[China-Union-Ethernet0/0/1]ip address 35.1.1.2 24
[China-Union-Ethernet0/0/1]ospf 2
[China-Union-ospf-2]area 0
[China-Union-ospf-2-area-0.0.0.0]net 13.1.1.0 0.0.0.255
[China-Union-ospf-2-area-0.0.0.0]net 35.1.1.0 0.0.0.255
[China-Union-ospf-2-area-0.0.0.0]q
R5:
<Huawei>sys
[Huawei]sysname R5
[R5]un in en
[R5]int e0/0/0
[R5-Ethernet0/0/0]ip address 25.1.1.3 24
[R5-Ethernet0/0/0]int e0/0/1
[R5-Ethernet0/0/1]ip address 35.1.1.3 24
[R5-Ethernet0/0/1]q
[R5]int LoopBack 0
[R5-LoopBack0]ip address 5.5.5.5 24
[R5-LoopBack0]q
[R5]ospf 2
[R5-ospf-2]area 0
[R5-ospf-2-area-0.0.0.0]net 25.1.1.0 0.0.0.255
[R5-ospf-2-area-0.0.0.0]net 35.1.1.0 0.0.0.255
[R5-ospf-2-area-0.0.0.0]net 5.5.5.5 0.0.0.0
After this, R2 (China Telecom) and R3 (China Unicom) can ping 5.5.5.5 (R5's loopback stands in for Baidu, i.e. the Internet).
VII. NAT configuration. First the default routes on the core switches. The primary route points at the directly connected R1 interface; the backup through the other core's link to R1 gets preference 65 (worse than the static default of 60) and is resolved recursively through the OSPF route for that link, so it is used only when the primary next hop disappears:
SW1:
<hexin-SW1>sys
[hexin-SW1]ip route-static 0.0.0.0 0 192.168.12.1
[hexin-SW1]ip route-static 0.0.0.0 0 192.168.23.1 preference 65
SW2:
<hexin-SW2>sys
[hexin-SW2]ip route-static 0.0.0.0 0 192.168.23.1
[hexin-SW2]ip route-static 0.0.0.0 0 192.168.12.1 preference 65
Default route on the egress router R1 (towards Unicom):
[R1]ip route-static 0.0.0.0 0 13.1.1.2
Now R1 can ping 5.5.5.5.
NAT on the egress router R1 (ACL 2000 covers the whole 192.168.0.0/16 campus, including the branch's 192.168.100.0/24, so branch users are translated as well):
[R1]acl 2000
[R1-acl-basic-2000]rule 5 permit source 192.168.0.0 0.0.255.255
[R1-acl-basic-2000]q
[R1]int g1/0/0
[R1-GigabitEthernet1/0/0]nat outbound 2000
[R1-GigabitEthernet1/0/0]q
Now internal hosts can ping 5.5.5.5.
VIII. Verifying path selection and redundancy:
Outbound traffic leaves through the VRRP master, but R1's return traffic follows OSPF, where both cores advertise every VLAN at the same cost. Raising the OSPF cost of a Vlanif on the core that is only backup for that VLAN makes R1 prefer the master for the return path, so forwarding stays symmetric; the backup path remains in OSPF, so failover still works.
SW1 (core), backup for VLANs 4 and 5:
[hexin-SW1]int vlanif 4
[hexin-SW1-Vlanif4]ospf cost 4
[hexin-SW1-Vlanif4]qu
[hexin-SW1]int vlanif 5
[hexin-SW1-Vlanif5]ospf cost 4
[hexin-SW1-Vlanif5]qu
SW2 (core), backup for VLANs 2, 3 and 200:
[hexin-SW2]int vlanif 2
[hexin-SW2-Vlanif2]ospf cost 4
[hexin-SW2-Vlanif2]qu
[hexin-SW2]int vlanif 3
[hexin-SW2-Vlanif3]ospf cost 4
[hexin-SW2-Vlanif3]qu
[hexin-SW2]int vlanif 200
[hexin-SW2-Vlanif200]ospf cost 4
[hexin-SW2-Vlanif200]q
Check with display ip routing-table on R1: 192.168.4.0/24 and 192.168.5.0/24 should point at 192.168.23.2 (SW2), the other three networks at 192.168.12.2 (SW1).
IX. DHCP address pools:
R6:
[DHCP-Server]dhcp enable
[DHCP-Server]ip pool vlan2
[DHCP-Server-ip-pool-vlan2]network 192.168.2.0 mask 24
[DHCP-Server-ip-pool-vlan2]gateway-list 192.168.2.1
[DHCP-Server-ip-pool-vlan2]dns-list 114.114.114.114 8.8.8.8
[DHCP-Server-ip-pool-vlan2]excluded-ip-address 192.168.2.249 192.168.2.254
[DHCP-Server-ip-pool-vlan2]q
[DHCP-Server]ip pool vlan3
[DHCP-Server-ip-pool-vlan3]network 192.168.3.0 mask 24
[DHCP-Server-ip-pool-vlan3]gateway-list 192.168.3.1
[DHCP-Server-ip-pool-vlan3]dns-list 114.114.114.114 8.8.8.8
[DHCP-Server-ip-pool-vlan3]excluded-ip-address 192.168.3.249 192.168.3.254
[DHCP-Server-ip-pool-vlan3]q
[DHCP-Server]ip pool vlan4
[DHCP-Server-ip-pool-vlan4]network 192.168.4.0 mask 24
[DHCP-Server-ip-pool-vlan4]gateway-list 192.168.4.1
[DHCP-Server-ip-pool-vlan4]dns-list 114.114.114.114 8.8.8.8
[DHCP-Server-ip-pool-vlan4]excluded-ip-address 192.168.4.249 192.168.4.254
[DHCP-Server-ip-pool-vlan4]q
[DHCP-Server]ip pool vlan5
[DHCP-Server-ip-pool-vlan5]network 192.168.5.0 mask 24
[DHCP-Server-ip-pool-vlan5]gateway-list 192.168.5.1
[DHCP-Server-ip-pool-vlan5]dns-list 114.114.114.114 8.8.8.8
[DHCP-Server-ip-pool-vlan5]excluded-ip-address 192.168.5.249 192.168.5.254
[DHCP-Server-ip-pool-vlan5]q
[DHCP-Server]int g0/0/0
[DHCP-Server-GigabitEthernet0/0/0]dhcp select global
DHCP DISCOVER messages are broadcasts and the core switches do not forward broadcasts between VLANs, so at this point only hosts in VLAN 200 can reach the server; PC1 in VLAN 2, for example, still gets no address. A DHCP relay on the gateway Vlanifs is needed to unicast the requests to 192.168.200.3 (the relay inserts the Vlanif address as giaddr, which is how the server picks the matching pool).
Appendix:
Reset a DHCP address pool:
<DHCP-Server>reset ip pool name xx [options]
Show the address assignments of a pool:
[DHCP-Server]display ip pool name xx used
Release and renew the address on a Windows host:
PC>ipconfig /release
PC>ipconfig /renew
DHCP relay configuration (dhcp enable is required on the relay as well, and both cores relay so that the service survives a core failure):
SW1:
[hexin-SW1]dhcp enable
[hexin-SW1]int vlanif 2
[hexin-SW1-Vlanif2]dhcp select relay
[hexin-SW1-Vlanif2]dhcp relay server-ip 192.168.200.3
[hexin-SW1-Vlanif2]int vlanif3
[hexin-SW1-Vlanif3]dhcp select relay
[hexin-SW1-Vlanif3]dhcp relay server-ip 192.168.200.3
[hexin-SW1-Vlanif3]int vlanif 4
[hexin-SW1-Vlanif4]dhcp select relay
[hexin-SW1-Vlanif4]dhcp relay server-ip 192.168.200.3
[hexin-SW1-Vlanif4]int vlanif 5
[hexin-SW1-Vlanif5]dhcp select relay
[hexin-SW1-Vlanif5]dhcp relay server-ip 192.168.200.3
[hexin-SW1-Vlanif5]q
SW2:
[hexin-SW2]dhcp enable
[hexin-SW2]int vlanif 2
[hexin-SW2-Vlanif2]dhcp select relay
[hexin-SW2-Vlanif2]dhcp relay server-ip 192.168.200.3
[hexin-SW2-Vlanif2]int vlanif 3
[hexin-SW2-Vlanif3]dhcp select relay
[hexin-SW2-Vlanif3]dhcp relay server-ip 192.168.200.3
[hexin-SW2-Vlanif3]int vlanif 4
[hexin-SW2-Vlanif4]dhcp select relay
[hexin-SW2-Vlanif4]dhcp relay server-ip 192.168.200.3
[hexin-SW2-Vlanif4]int vlanif 5
[hexin-SW2-Vlanif5]dhcp select relay
[hexin-SW2-Vlanif5]dhcp relay server-ip 192.168.200.3
[hexin-SW2-Vlanif5]q
Now PC1 to PC4 all obtain addresses.
DHCP snooping on the access switches. Snooping is enabled per VLAN, and only the uplink is marked trusted: a DHCP OFFER or ACK arriving on any other port, i.e. from a rogue server on a user port, is dropped.
SW5:
[SW5]dhcp enable
[SW5]dhcp snooping enable
[SW5]vlan 2
[SW5-vlan2]dhcp snooping enable
[SW5-vlan2]int e0/0/1
[SW5-Ethernet0/0/1]dhcp snooping trusted
[SW5-Ethernet0/0/1]q
SW6 (the uplink is the Eth-Trunk, so that is the trusted port):
[SW6]dhcp enable
[SW6]dhcp snooping enable
[SW6]vlan 3
[SW6-vlan3]dhcp snooping enable
[SW6-vlan3]q
[SW6]int Eth-Trunk 1
[SW6-Eth-Trunk1]dhcp snooping trusted
SW7:
[SW7]dhcp enable
[SW7]dhcp snooping enable
[SW7]vlan 4
[SW7-vlan4]dhcp snooping enable
[SW7-vlan4]q
[SW7]vlan 5
[SW7-vlan5]dhcp snooping enable
[SW7-vlan5]int e0/0/1
[SW7-Ethernet0/0/1]dhcp snooping trusted
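DHCP snooping as configured above only stops rogue DHCP servers on untrusted ports. The binding table it builds (IP, MAC, VLAN and port for every lease) can also be used to drop spoofed ARP (dynamic ARP inspection) and spoofed source addresses (IP source guard) on the same ports, and the ports can be rate-limited against DHCP starvation floods. The following is an added example, not from the original lab, shown for SW5; the rate of 20 packets per second, the limit of 4 bindings per port and the flash path are assumed values.

```text
// SW5 (repeat on SW6 e0/0/2, SW7 e0/0/2-3, SW8 e0/0/3-4); builds on the snooping already enabled above
// persist the binding table so that DAI/IPSG still have bindings after a reboot (path is an assumption)
[SW5]dhcp snooping user-bind autosave flash:/dhcp-snooping.tbl
// drop DHCP packets above 20 pps on untrusted ports, which stops a starvation flood (assumed value)
[SW5]dhcp snooping check dhcp-rate enable
[SW5]dhcp snooping check dhcp-rate 20
[SW5]int e0/0/2
// discard DHCP requests whose chaddr differs from the frame's source MAC (forged-client starvation)
[SW5-Ethernet0/0/2]dhcp snooping check dhcp-chaddr enable
// at most 4 bindings on a single access port (assumed value)
[SW5-Ethernet0/0/2]dhcp snooping max-user-number 4
// DAI: drop ARP whose sender IP/MAC is not in the snooping binding table (kills gateway spoofing of 192.168.2.1)
[SW5-Ethernet0/0/2]arp anti-attack check user-bind enable
// IPSG: drop IP packets whose source IP/MAC/VLAN is not in the binding table
[SW5-Ethernet0/0/2]ip source check user-bind enable
[SW5-Ethernet0/0/2]q
// Verify after the client renews: one entry per client; a host with a hand-typed address now has no entry and is dropped
[SW5]display dhcp snooping user-bind all
[SW5]display dhcp snooping configuration
```

DAI and IPSG only pass hosts that are in the binding table, so enable them after the clients have renewed (ipconfig /renew from the appendix above) and add a static binding with `user-bind static` for any host that does not use DHCP; the trusted uplink is not checked.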
R2 (China Telecom), PPPoE server:
[China-Telecom]IP pool POOL-PPPOE
[China-Telecom-ip-pool-POOL-PPPOE]network 12.1.1.0 mask 24
[China-Telecom-ip-pool-POOL-PPPOE]gateway-list 12.1.1.2
[China-Telecom-ip-pool-POOL-PPPOE]q
[China-Telecom]aaa
[China-Telecom-aaa]local-user lsy password cipher huawei
[China-Telecom-aaa]local-user lsy service-type ppp
[China-Telecom-aaa]q
[China-Telecom]int Virtual-Template 1
[China-Telecom-Virtual-Template1]ppp authentication-mode pap
[China-Telecom-Virtual-Template1]remote address pool POOL-PPPOE
[China-Telecom-Virtual-Template1]IP address 12.1.1.2 255.255.255.0
[China-Telecom-Virtual-Template1]q
[China-Telecom]int g0/0/0
[China-Telecom-GigabitEthernet0/0/0]pppoe bind virtual-template 1
R1, PPPoE client (a second NAT ACL is bound to the Dialer interface because nat outbound 2000 only applies to g1/0/0):
[R1]acl 2001
[R1-acl-basic-2001]rule permit source 192.168.0.0 0.0.255.255
[R1-acl-basic-2001]q
[R1]int Dialer 1
[R1-Dialer1]link-protocol ppp
[R1-Dialer1]ip address ppp-negotiate
[R1-Dialer1]ppp pap local-user lsy password simple huawei
[R1-Dialer1]dialer user lsy
[R1-Dialer1]dialer bundle 2
[R1-Dialer1]nat outbound 2001
[R1-Dialer1]mtu 1492
[R1-Dialer1]q
[R1]int g0/0/2
[R1-GigabitEthernet0/0/2]pppoe-client dial-bundle-number 2
[R1-GigabitEthernet0/0/2]q
[R1]ip route-static 0.0.0.0 0 Dialer 1 preference 80 //Telecom PPPoE is the backup for the Unicom egress: preference 80 is worse than the Unicom default route (60), so it is used only when that route disappears
If Dialer 1 does not come up, also configure dialer-rule (dialer-rule 1 ip permit) and dialer-group 1 on Dialer 1, which DCC on AR routers needs to trigger the call. Check with display interface Dialer 1 that the negotiated address is in 12.1.1.0/24.
NAT Server: map TCP port 80 of Server 1 (192.168.200.2) to the Unicom public address on g1/0/0; current-interface makes the mapping follow the interface address. This exposes the server's port 80 to the whole Internet, so the server itself must be hardened.
[R1]int g1/0/0
[R1-GigabitEthernet1/0/0]nat server protocol tcp global current-interface 80 inside 192.168.200.2 80
X. ACL configuration:
VLAN 5 users may not reach the Internet but may still reach the campus and the branch. The ACL is applied inbound on both R1 interfaces that face the cores, so it works whichever core forwards the traffic. Rule order matters: the permit for 192.168.0.0/16 (which includes the branch's 192.168.100.0/24) must come first. Packets that match no rule are permitted by traffic-filter, so other VLANs are unaffected.
[R1]acl 3005
[R1-acl-adv-3005]rule permit ip source 192.168.5.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
[R1-acl-adv-3005]rule deny ip source 192.168.5.0 0.0.0.255
[R1-acl-adv-3005]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3005
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]traffic-filter inbound acl 3005
[R1-GigabitEthernet0/0/1]q
XI. Policy-based routing:
While the egress links are healthy, VLAN 3 users go out over the PPPoE link; when the Unicom link fails, everybody goes out over PPPoE through the backup default route. ACL 3008 first excludes VLAN 3 traffic whose destination is inside the campus (that must stay on normal routing), then matches everything else from VLAN 3:
[R1]acl 3008
[R1-acl-adv-3008]rule deny ip source 192.168.3.0 0.0.0.255 destination 192.168.0.0 0.0.255.255 //the original used wildcard 0.0.255.255 on the source, which matched every 192.168.x.x source
[R1-acl-adv-3008]rule permit ip source 192.168.3.0 0.0.0.255
[R1-acl-adv-3008]q
[R1]traffic classifier VLAN3
[R1-classifier-VLAN3]if-match acl 3008
[R1-classifier-VLAN3]qu
//above: create the classifier
[R1]traffic behavior VLAN3
//create a behavior; it is named like the classifier here, but the names may differ
[R1-behavior-VLAN3]redirect interface Dialer 1
//redirect the matching traffic to the Dialer interface
[R1-behavior-VLAN3]qu
[R1]traffic policy AA
[R1-trafficpolicy-AA]classifier VLAN3 behavior VLAN3
//create a policy that binds the classifier to the behavior:
//packets permitted by ACL 3008 are classed as VLAN3 and forced out through Dialer 1
[R1-trafficpolicy-AA]qu
[R1]int gi0/0/0
[R1-GigabitEthernet0/0/0]traffic-policy AA inbound
[R1-GigabitEthernet0/0/0]qu
[R1]int GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]traffic-policy AA inbound
[R1-GigabitEthernet0/0/1]qu
XII. Telnet configuration:
Every switch must be reachable remotely. Username lsy, password huawei (the requirements list hcie / 123; use whichever the assignment demands). Management addresses live in VLAN 999 (192.168.255.0/24): the cores run VRRP group 255 on it, and every other switch uses the virtual address 192.168.255.1 as its default gateway. Telnet sends the credentials in cleartext and a level-3 user has full configuration rights, so this is acceptable in the lab only.
SW1:
[hexin-SW1]int vlanif 999
[hexin-SW1-Vlanif999]ip address 192.168.255.254 24
[hexin-SW1-Vlanif999]vrrp vrid 255 virtual-ip 192.168.255.1
[hexin-SW1-Vlanif999]q
[hexin-SW1]aaa
[hexin-SW1-aaa]local-user lsy privilege level 3 password cipher huawei
[hexin-SW1-aaa]local-user lsy service-type telnet
[hexin-SW1-aaa]q
[hexin-SW1]user-interface vty 0 4
[hexin-SW1-ui-vty0-4]authentication-mode aaa
[hexin-SW1-ui-vty0-4]protocol inbound telnet
SW2:
[hexin-SW2]int vlanif 999
[hexin-SW2-Vlanif999]ip address 192.168.255.253 24
[hexin-SW2-Vlanif999]vrrp vrid 255 virtual-ip 192.168.255.1
[hexin-SW2-Vlanif999]q
[hexin-SW2]aaa
[hexin-SW2-aaa]local-user lsy privilege level 3 password cipher huawei
[hexin-SW2-aaa]local-user lsy service-type telnet
[hexin-SW2-aaa]q
[hexin-SW2]user-interface vty 0 4
[hexin-SW2-ui-vty0-4]authentication-mode aaa
[hexin-SW2-ui-vty0-4]protocol inbound telnet
SW3:
[SW3]int vlanif 999
[SW3-Vlanif999]ip address 192.168.255.3 24
[SW3-Vlanif999]q
[SW3]ip route-static 0.0.0.0 0 192.168.255.1
[SW3]aaa
[SW3-aaa]local-user lsy privilege level 3 password cipher huawei
[SW3-aaa]local-user lsy service-type telnet
[SW3-aaa]q
[SW3]user-interface vty 0 4
[SW3-ui-vty0-4]authentication-mode aaa
[SW3-ui-vty0-4]protocol inbound telnet
SW4:
<SW4>sys
[SW4]int vlanif 999
[SW4-Vlanif999]ip address 192.168.255.4 24
[SW4-Vlanif999]q
[SW4]ip route-static 0.0.0.0 0 192.168.255.1
[SW4]aaa
[SW4-aaa]local-user lsy privilege level 3 password cipher huawei
[SW4-aaa]local-user lsy service-type telnet
[SW4-aaa]q
[SW4]user-interface vty 0 4
[SW4-ui-vty0-4]authentication-mode aaa
[SW4-ui-vty0-4]protocol inbound telnet
SW5:
[SW5]int vlanif 999
[SW5-Vlanif999]ip add 192.168.255.5 24
[SW5-Vlanif999]q
[SW5]ip route-static 0.0.0.0 0 192.168.255.1
[SW5]aaa
[SW5-aaa]local-user lsy privilege level 3 password cipher huawei
[SW5-aaa]local-user lsy service-type telnet
[SW5-aaa]q
[SW5]user-interface vty 0 4
[SW5-ui-vty0-4]authentication-mode aaa
[SW5-ui-vty0-4]protocol inbound telnet
SW6:
<SW6>sys
[SW6]int vlanif 999
[SW6-Vlanif999]ip address 192.168.255.6 24
[SW6-Vlanif999]q
[SW6]ip route-static 0.0.0.0 0 192.168.255.1
[SW6]aaa
[SW6-aaa]local-user lsy privilege level 3 password cipher huawei
[SW6-aaa]local-user lsy service-type telnet
[SW6-aaa]q
[SW6]user-interface vty 0 4
[SW6-ui-vty0-4]authentication-mode aaa
[SW6-ui-vty0-4]protocol inbound telnet
SW7:
[SW7]int vlanif 999
[SW7-Vlanif999]ip address 192.168.255.7 24
[SW7-Vlanif999]q
[SW7]ip route-static 0.0.0.0 0 192.168.255.1
[SW7]aaa
[SW7-aaa]local-user lsy privilege level 3 password cipher huawei
[SW7-aaa]local-user lsy service-type telnet
[SW7-aaa]q
[SW7]user-interface vty 0 4
[SW7-ui-vty0-4]authentication-mode aaa
[SW7-ui-vty0-4]protocol inbound telnet
SW8:
[SW8]int vlanif 999
[SW8-Vlanif999]ip address 192.168.255.8 24
[SW8-Vlanif999]q
[SW8]ip route-static 0.0.0.0 0 192.168.255.1
[SW8]aaa
[SW8-aaa]local-user lsy privilege level 3 password cipher huawei
[SW8-aaa]local-user lsy service-type telnet
[SW8-aaa]q
[SW8]user-interface vty 0 4
[SW8-ui-vty0-4]authentication-mode aaa
[SW8-ui-vty0-4]protocol inbound telnet
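The requirement asks for Telnet, but Telnet carries the username and password in cleartext over the same switches that carry user traffic, and the VTY lines above accept a connection from any address that can reach 192.168.255.0/24. The following is an added example, not part of the original lab, that replaces Telnet with SSH (STelnet) on SW1 and restricts the VTY lines to the management and server subnets. ACL number 2010, the permitted subnets and the 5-minute idle timeout are assumptions; the same block applies to every other switch.

```text
// only the management VLAN and the server VLAN may open a VTY session (ACL number and subnets are assumptions for this lab)
[hexin-SW1]acl 2010
[hexin-SW1-acl-basic-2010]rule 5 permit source 192.168.255.0 0.0.0.255
[hexin-SW1-acl-basic-2010]rule 10 permit source 192.168.200.0 0.0.0.255
[hexin-SW1-acl-basic-2010]rule 100 deny
[hexin-SW1-acl-basic-2010]q
// host key and SSH server; the existing AAA user lsy is switched from telnet to ssh
[hexin-SW1]rsa local-key-pair create
[hexin-SW1]stelnet server enable
[hexin-SW1]ssh user lsy authentication-type password
[hexin-SW1]ssh user lsy service-type stelnet
[hexin-SW1]aaa
[hexin-SW1-aaa]local-user lsy service-type ssh
[hexin-SW1-aaa]q
[hexin-SW1]user-interface vty 0 4
[hexin-SW1-ui-vty0-4]acl 2010 inbound
[hexin-SW1-ui-vty0-4]authentication-mode aaa
[hexin-SW1-ui-vty0-4]protocol inbound ssh
// assumed value: drop an idle session after 5 minutes
[hexin-SW1-ui-vty0-4]idle-timeout 5 0
[hexin-SW1-ui-vty0-4]q
// once an SSH login from the management station works, stop the Telnet listener
[hexin-SW1]undo telnet server enable
[hexin-SW1]display ssh server status
[hexin-SW1]display users
```

Apply `protocol inbound ssh` and `undo telnet server enable` only after the SSH login has been tested from the management station, otherwise the switch is reachable through the console only; a Telnet attempt from a PC in VLAN 2 should now be refused both by the listener and by ACL 2010.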