Lab: dual-firewall hot standby in an off-path (side-attached) deployment

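1. Layer 2 switching configuration

Traditional three-tier architecture using MSTP + VRRP
 VLAN 2 ---> SW3, with SW4 as backup
 VLAN 3 ---> SW4, with SW3 as backup
 MSTP design ---> runs on SW3, SW4 and SW5
 Instance 1: VLAN 2
 Instance 2: VLAN 3
 SW3 is the primary root for instance 1 and the secondary root for instance 2; SW4 is the primary root for instance 2 and the secondary root for instance 1
 IP address plan:
 SW3:
 VLAN 2: 192.168.2.10/24
 VLAN 3: 192.168.3.10/24
 SW4:
 VLAN 2: 192.168.2.20/24
 VLAN 3: 192.168.3.20/24
 Virtual IP:
 VLAN 2: 192.168.2.254/24
 VLAN 3: 192.168.3.254/24

Switch configuration, taking SW3 as the example: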

[SW3]vlan batch 2 3 
[SW3]int g 0/0/2
[SW3-GigabitEthernet0/0/2]port link-type trunk
[SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 3
[SW3-GigabitEthernet0/0/2]int g 0/0/4
[SW3-GigabitEthernet0/0/4]port link-type trunk 
[SW3-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 3
[SW3-GigabitEthernet0/0/4]q
 
[SW3]stp enable 
[SW3]stp mode mstp 
[SW3]stp region-configuration 
[SW3-mst-region]region-name aa
[SW3-mst-region]instance 1 vlan 2 
[SW3-mst-region]instance 2 vlan 3 
[SW3-mst-region]active region-configuration
[SW3-mst-region]q
[SW3]stp instance 1 root primary 
[SW3]stp instance 2 root secondary 
[SW3]int vlanif 2
[SW3-Vlanif2]ip address 192.168.2.10 24
[SW3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[SW3-Vlanif2]vrrp vrid 1 priority 120
[SW3-Vlanif2]vrrp vrid 1 preempt-mode timer delay 20 
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/3 reduced 15
[SW3-Vlanif2]q
[SW3]int vlanif 3
[SW3-Vlanif3]ip address 192.168.3.10 24
[SW3-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254

Switch 4

[SW4]vlan batch 2 3
[SW4]int g 0/0/2
[SW4-GigabitEthernet0/0/2]port link-type trunk 
[SW4-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 3
[SW4-GigabitEthernet0/0/2]int g 0/0/4
[SW4-GigabitEthernet0/0/4]port link-type trunk 
[SW4-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 3
[SW4]int g 0/0/4
[SW4-GigabitEthernet0/0/4]port link-type trunk 
[SW4-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 3
[SW4-GigabitEthernet0/0/4]q
[SW4]stp enable
[SW4]stp mode mstp
[SW4]stp region-configuration 
[SW4-mst-region]region-name aa
[SW4-mst-region]instance 1 vlan 2
[SW4-mst-region]instance 2 vlan 3
[SW4-mst-region]act region-configuration 
[SW4-mst-region]q    
[SW4]stp instance 1 root secondary 
[SW4]stp instance 2 root primary 
[SW4]int vlanif 2
[SW4-Vlanif2]ip address 192.168.2.20 24
[SW4-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[SW4-Vlanif2]q
[SW4]int vlanif 3
[SW4-Vlanif3]ip address 192.168.3.20 24
[SW4-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
[SW4-Vlanif3]vrrp vrid 1 priority 120
[SW4-Vlanif3]vrrp vrid 1 preempt-mode timer delay 20
[SW4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[SW4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet 0/0/3 reduced 15

Switch 5

[SW5]vlan batch 2 3
[SW5]int g 0/0/3
[SW5-GigabitEthernet0/0/3]port link-type access 
[SW5-GigabitEthernet0/0/3]port default vlan 2
[SW5-GigabitEthernet0/0/3]int g0/0/4
[SW5-GigabitEthernet0/0/4]port link-type access 
[SW5-GigabitEthernet0/0/4]port default vlan 3
[SW5-GigabitEthernet0/0/4]int g0/0/1
[SW5-GigabitEthernet0/0/1]port link-type trunk 
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
[SW5-GigabitEthernet0/0/1]int g0/0/2
[SW5-GigabitEthernet0/0/2]port link-type trunk 
[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 3
[SW5-GigabitEthernet0/0/2]q
[SW5]stp enable
[SW5]stp mode mstp
[SW5]stp region-configuration 
[SW5-mst-region]region-name aa
[SW5-mst-region]instance 1 vlan 2
[SW5-mst-region]instance 2 vlan 3
[SW5-mst-region]active region-configuration 

2. Aggregation-to-core routing configuration

VLAN assignment:

SW1-SW2:VLAN 102---10.10.2.0/24
SW1-SW3:VLAN 103---10.10.3.0/24
SW1-SW4:VLAN 104---10.10.4.0/24
 
SW2-SW3:VLAN 203---10.20.3.0/24
SW2-SW4:VLAN 204---10.20.4.0/24

Configure SW3:

[SW3]vlan batch 103 203    
[SW3]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type trunk 
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 1
[SW3-GigabitEthernet0/0/1]port link-type access 
[SW3-GigabitEthernet0/0/1]port default vlan 103
[SW3-GigabitEthernet0/0/1]undo stp enable --- disable STP on this port
[SW3-GigabitEthernet0/0/1]q
[SW3]int g0/0/3
[SW3-GigabitEthernet0/0/3]port link-type access 
[SW3-GigabitEthernet0/0/3]port default vlan 203
[SW3-GigabitEthernet0/0/3]undo stp enable
[SW3-GigabitEthernet0/0/3]q

[SW3]int vlanif 103
[SW3-Vlanif103]ip address 10.10.3.3 24
[SW3-Vlanif103]q
[SW3]int vlanif 203
[SW3-Vlanif203]ip address 10.20.3.3 24
[SW3-Vlanif203]q
[SW3]ospf 1 router-id 3.3.3.3
[SW3-ospf-1]area 0
[SW3-ospf-1-area-0.0.0.0]network 10.10.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 10.20.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 192.168.2.10 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 192.168.3.10 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]q
[SW3]ospf 1
[SW3-ospf-1]silent-interface vlanif 2
[SW3-ospf-1]silent-interface vlanif 3

Configure SW4:

[SW4]vlan batch 104 204
[SW4]int g 0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access 
[SW4-GigabitEthernet0/0/1]port default vlan 204
[SW4-GigabitEthernet0/0/1]int g0/0/3
[SW4-GigabitEthernet0/0/3]port link-type access 
[SW4-GigabitEthernet0/0/3]port default vlan 104
[SW4-GigabitEthernet0/0/3]undo stp enable
[SW4-GigabitEthernet0/0/3]int g0/0/1
[SW4-GigabitEthernet0/0/1]undo stp enable
[SW4-GigabitEthernet0/0/1]q
[SW4]int vlanif 104
[SW4-Vlanif104]ip address 10.10.4.4 24
[SW4-Vlanif104]q
[SW4]int vlanif 204
[SW4-Vlanif204]ip address 10.20.4.4 24
[SW4-Vlanif204]q
[SW4]ospf 1 router-id 4.4.4.4
[SW4-ospf-1]area 0
[SW4-ospf-1-area-0.0.0.0]network 10.10.4.4 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 10.20.4.4 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 192.168.2.20 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 192.168.3.20 0.0.0.0
[SW4]ospf 1
[SW4-ospf-1]silent-interface vlanif 2
[SW4-ospf-1]silent-interface vlanif 3
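
Because SW1 and SW2 each have to be split into two logical devices, one connected to the upstream devices and one to the downstream devices, a VRF instance has to be created first. GE0/0/3 to GE0/0/6 are the interfaces that belong to that instance.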

[SW1]ospf 1 router-id 1.1.1.1 vpn-instance VRF
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]network 10.10.2.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.10.3.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.10.4.1 0.0.0.0

SW2:
[SW2]ospf 1 router-id 2.2.2.2 vpn-instance vrf
[SW2-ospf-1]area 0
[SW2-ospf-1-area-0.0.0.0]net 10.10.2.2 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]net 10.10.3.2 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]net 10.10.4.2 0.0.0.0

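At this point the return traffic follows equal-cost routes and is load-balanced, which does not meet the requirement that the forward and return paths be the same. The routing therefore has to be steered with a route-policy.

SW3:
Primary traffic goes to SW1, backup to SW2
SW4:
Primary traffic goes to SW2, backup to SW1
SW1:
192.168.2.0/24 ---> primary to SW3, backup to SW4
192.168.3.0/24 ---> primary to SW4, backup to SW3
SW2:
192.168.2.0/24 ---> primary to SW3, backup to SW4
192.168.3.0/24 ---> primary to SW4, backup to SW3

SW3 and SW4 only need their interface cost values changed, so that SW3 prefers the routes learned from SW1 and SW4 prefers the routes learned from SW2.

SW3:

On SW3, raise the cost of the locally originated 192.168.3.0/24 route; the cost of the 192.168.2.0/24 route stays unchanged.

The route-policy is applied through route redistribution.

When redistributing, do not import any other routes.

(1) Match the prefixes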

[sw3]ip ip-prefix aa permit 192.168.3.0 24

[sw3]ip ip-prefix bb permit 192.168.2.0 24

(2) Build the policy

[sw3]route-policy aa permit node 10

[sw3-route-policy]if-match ip-prefix aa

[sw3-route-policy]apply cost 5

[sw3]route-policy aa permit node 20

[sw3-route-policy]if-match ip-prefix bb

(3) Apply it

[sw3-ospf-1]import-route direct route-policy aa

SW4:

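On SW4, raise the cost of the locally originated 192.168.2.0/24 route; the cost of the 192.168.3.0/24 route stays unchanged.

The route-policy is applied through route redistribution.

3. Route exchange between the VRF switches and the firewalls
The firewalls and the VRF switches each build their own VRRP groups; the two sets of groups are unrelated to each other but mirror each other.

Configuration approach:

FW1 active:
VRRP group 1 --- VRRP group 5
VRRP group 3 --- VRRP group 7

FW2 active:
VRRP group 2 --- VRRP group 6
VRRP group 4 --- VRRP group 8

VRRP group 1: used by the VRF; SW1 is Master, SW2 is Backup
VLAN 401 --- 10.40.1.0/24
SW1: 10.40.1.1/24
SW2: 10.40.1.2/24
Virtual IP: 10.40.1.100

VRRP group 2: used by the VRF; SW2 is Master, SW1 is Backup
VLAN 402 --- 10.40.2.0/24
SW1: 10.40.2.1/24
SW2: 10.40.2.2/24
Virtual IP: 10.40.2.100

VRRP group 3: used by Public; SW1 is Master, SW2 is Backup
VLAN 403 --- 10.40.3.0/24
SW1: 10.40.3.1/24
SW2: 10.40.3.2/24
Virtual IP: 10.40.3.100

VRRP group 4: used by Public; SW2 is Master, SW1 is Backup
VLAN 404 --- 10.40.4.0/24
SW1: 10.40.4.1/24
SW2: 10.40.4.2/24
Virtual IP: 10.40.4.100

VRRP group 5: used by the firewalls; FW1 is Master, FW2 is Backup
VLAN 401 --- 10.40.1.0/24
FW1: 10.40.1.10/24
FW2: 10.40.1.20/24
Virtual IP: 10.40.1.200

VRRP group 6: used by the firewalls; FW2 is Master, FW1 is Backup
VLAN 402 --- 10.40.2.0/24
FW1: 10.40.2.10/24
FW2: 10.40.2.20/24
Virtual IP: 10.40.2.200

VRRP group 7: used by the firewalls; FW1 is Master, FW2 is Backup
VLAN 403 --- 10.40.3.0/24
FW1: 10.40.3.10/24
FW2: 10.40.3.20/24
Virtual IP: 10.40.3.200

VRRP group 8: used by the firewalls; FW2 is Master, FW1 is Backup
VLAN 404 --- 10.40.4.0/24
FW1: 10.40.4.10/24
FW2: 10.40.4.20/24
Virtual IP: 10.40.4.200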

Firewall hot-standby configuration

[FW1]int g 1/0/2.401
[FW1-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 active
[FW1]interface GigabitEthernet 1/0/2.402
[FW1-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 standby
[FW1]interface GigabitEthernet 1/0/3.403
[FW1-GigabitEthernet1/0/3.403]vrrp vrid 7 virtual-ip 10.40.3.200 active
[FW1]int g 1/0/3.404
[FW1-GigabitEthernet1/0/3.404]vrrp vrid 8 virtual-ip 10.40.4.200 standby
[FW1]hrp mirror session enable --- quick session backup
[FW1]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.2 --- defines the heartbeat link and the peer IP
[FW1]hrp enable

Configure SW1:

[SW1]vlan batch 401 402
[SW1]int g 0/0/3
[SW1-GigabitEthernet0/0/3]q
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk 
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 401 402
[SW1-GigabitEthernet0/0/1]q
[SW1]int g0/0/4
[SW1-GigabitEthernet0/0/4]port link-type trunk 
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 401 402
[SW1-GigabitEthernet0/0/4]q
[SW1]int vlanif 401
[SW1-Vlanif401]ip binding vpn-instance VRF
[SW1-Vlanif401]ip address 10.40.1.1 24
[SW1-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[SW1-Vlanif401]vrrp vrid 1 priority 120
[SW1-Vlanif401]vrrp vrid 1 preempt-mode timer delay 60
[SW1-Vlanif401]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 30
[SW1-Vlanif401]q
[SW1]int vlanif 402
[SW1-Vlanif402]ip binding vpn-instance VRF
[SW1-Vlanif402]ip address 10.40.2.1 24
[SW1-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100

Configure SW2:

[SW2]vlan batch 401 402
[SW2]int g0/0/5
[SW2-GigabitEthernet0/0/5]port link-type trunk 
[SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 401 402
[SW2-GigabitEthernet0/0/5]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk 
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 401 402
[SW2-GigabitEthernet0/0/2]q
[SW2]int vlanif 401
[SW2-Vlanif401]ip binding vpn-instance vrf
[SW2-Vlanif401]ip address 10.40.1.2 24
[SW2-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[SW2-Vlanif401]q
[SW2]int vlanif 402
[SW2-Vlanif402]ip binding vpn-instance vrf    
[SW2-Vlanif402]ip address 10.40.2.2 24
[SW2-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100
[SW2-Vlanif402]vrrp vrid 2 priority 120
[SW2-Vlanif402]vrrp vrid 2 preempt-mode timer delay 60
[SW2-Vlanif402]vrrp vrid 2 track interface GigabitEthernet 0/0/4 reduced 30

Configure FW1:

[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip address 10.10.10.1 30
[FW1-GigabitEthernet1/0/0]q
[FW1]int g 0/0/0
[FW1-GigabitEthernet0/0/0]q
[FW1]int g 0/0/0.401
[FW1-GigabitEthernet0/0/0.401]ip address 10.40.1.10 24
[FW1-GigabitEthernet0/0/0.401]vlan-type dot1q 401
[FW1-GigabitEthernet0/0/0.401]q
[FW1]int g0/0/0.402
[FW1-GigabitEthernet0/0/0.402]ip address 10.40.2.10 24
[FW1-GigabitEthernet0/0/0.402]vlan-type dot1q 402
[FW1-GigabitEthernet0/0/0.402]q
[FW1]int g1/0/1.403
[FW1-GigabitEthernet1/0/1.403]ip address 10.40.3.10 24
[FW1-GigabitEthernet1/0/1.403]vlan-type dot1q 403
[FW1-GigabitEthernet1/0/1.403]q
[FW1]int g1/0/1.404
[FW1-GigabitEthernet1/0/1.404]ip address 10.40.4.10 24
[FW1-GigabitEthernet1/0/1.404]vlan-type dot1q 404
[FW1-GigabitEthernet1/0/1.404]q
[FW1]firewall zone trust 
[FW1-zone-trust]add interface GigabitEthernet 0/0/0.401
[FW1-zone-trust]add interface GigabitEthernet 0/0/0.402
[FW1-zone-trust]q
[FW1]firewall zone untrust
[FW1-zone-untrust]add int GigabitEthernet 1/0/1.403
[FW1-zone-untrust]add int GigabitEthernet 1/0/1.404
[FW1-zone-untrust]q
[FW1]firewall zone dmz
[FW1-zone-dmz]add int g 1/0/0
[FW1-zone-dmz]q
[FW1]int g 0/0/0.401
[FW1-GigabitEthernet0/0/0.401]vrrp vrid 5 virtual-ip 10.40.1.200 active
[FW1-GigabitEthernet0/0/0.401]q
[FW1]int g 0/0/0.402
[FW1-GigabitEthernet0/0/0.402]vrrp vrid 6 virtual-ip 10.40.2.200 standby 
[FW1-GigabitEthernet0/0/0.402]q
[FW1]int g 1/0/1.403    
[FW1-GigabitEthernet1/0/1.403]vrrp vrid 7 virtual-ip 10.40.3.200 active
[FW1-GigabitEthernet1/0/1.403]q
[FW1]int g 1/0/1.404
[FW1-GigabitEthernet1/0/1.404]vrrp vrid 8 virtual-ip 10.40.4.200 standby 
[FW1-GigabitEthernet1/0/1.404]q
[FW1]hrp mirror session enable
[FW1]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.2
[FW1]hrp enable
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.3.100
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.4.100 preference 70
HRP_S[FW1]ip route-static 192.168.0.0 16 10.40.1.100
HRP_M[FW1]ip route-static 192.168.0.0 16 10.40.2.100 preference 70

Configure FW2:

[FW2]vlan batch 401 402 403 404
[FW2]int g0/0/0
[FW2-GigabitEthernet0/0/0]ip address 10.10.10.2 30
[FW2-GigabitEthernet0/0/0]int g 1/0/1.401
[FW2-GigabitEthernet1/0/1.401]ip address 10.40.1.20 24
[FW2-GigabitEthernet1/0/1.401]vlan-type dot1q 401
[FW2-GigabitEthernet1/0/1.401]int g1/0/1.402
[FW2-GigabitEthernet1/0/1.402]ip address 10.40.2.20 24
[FW2-GigabitEthernet1/0/1.402]vlan-type dot1q 402
[FW2-GigabitEthernet1/0/1.402]int g1/0/0.403
[FW2-GigabitEthernet1/0/0.403]ip address 10.40.3.2 24
[FW2-GigabitEthernet1/0/0.403]vlan-type dot1q 403
[FW2-GigabitEthernet1/0/0.403]int g1/0/0.404
[FW2-GigabitEthernet1/0/0.404]ip address 10.40.4.20 24
[FW2-GigabitEthernet1/0/0.404]vlan-type dot1q 404
[FW2-GigabitEthernet1/0/0.404]int g1/0/0.403
[FW2-GigabitEthernet1/0/0.403]ip address 10.40.3.20 24
[FW2-GigabitEthernet1/0/0.403]q
[FW2]firewall zone trust
[FW2-zone-trust]add int g 1/0/1.401
[FW2-zone-trust]add int g 1/0/1.402
[FW2-zone-trust]q
[FW2]firewall zone untrust
[FW2-zone-untrust]add int g 1/0/0.403
[FW2-zone-untrust]add int g 1/0/0.404
[FW2-zone-untrust]q
[FW2]firewall zone dmz
[FW2-zone-dmz]add int g 0/0/0
[FW2-zone-dmz]q
[FW2]int g 1/0/1.401
[FW2-GigabitEthernet1/0/1.401]vrrp vrid 5 virtual-ip 10.40.1.200 standby 
[FW2-GigabitEthernet1/0/1.401]q
[FW2]int GigabitEthernet 1/0/1.402
[FW2-GigabitEthernet1/0/1.402]vrrp vrid 6 virtual-ip 10.40.2.200 active 
[FW2-GigabitEthernet1/0/1.402]q
[FW2]int g 1/0/0.403
[FW2-GigabitEthernet1/0/0.403]vrrp vrid 7 virtual-ip 10.40.3.200 standby 
[FW2-GigabitEthernet1/0/0.403]q
[FW2]int g 1/0/0.404    
[FW2-GigabitEthernet1/0/0.404]vrrp vrid 8 virtual-ip 10.40.4.200 active 
[FW2-GigabitEthernet1/0/0.404]q    
[FW2]hrp mirror session enable
[FW2]hrp interface GigabitEthernet 0/0/0 remote 10.10.10.1
[FW2]hrp enable
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.4.100
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.3.100 preference 70
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.2.100    
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.1.100 preference 70

4. Security policy configuration
Firewall FW1:

HRP_M[FW1]security-policy (+B)
HRP_M[FW1-policy-security]rule name t_to_u (+B)
HRP_M[FW1-policy-security-rule-t_to_u]source-zone trust  (+B)
HRP_M[FW1-policy-security-rule-t_to_u]destination-zone untrust  (+B)    
HRP_M[FW1-policy-security-rule-t_to_u]source-address 192.168.0.0 16 (+B)
HRP_M[FW1-policy-security-rule-t_to_u]action permit  (+B)
HRP_M[FW1-policy-security-rule-t_to_u]q

SW1:

[SW1]vlan batch 403 404
[SW1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk 
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 403 404
[SW1-GigabitEthernet0/0/2]q
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk 
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 403 404
[SW1-GigabitEthernet0/0/3]q
[SW1]int vlanif 403
[SW1-Vlanif403]ip address 10.40.3.1 24
[SW1-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100
[SW1-Vlanif403]vrrp vrid 3 priority 120    
[SW1-Vlanif403]vrrp vrid 3 preempt-mode timer delay 60
[SW1-Vlanif403]vrrp vrid 3 track int g 0/0/2 reduced 30
[SW1-Vlanif403]q
[SW1]int vlanif 404
[SW1-Vlanif404]ip address 10.40.4.1 24
[SW1-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100
 
[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200
[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200 preference 70    
[SW1]ip route-static 192.168.0.0 16 10.40.3.200
[SW1]ip route-static 192.168.0.0 16 10.40.4.200 preference 70

[SW2]vlan batch 403 404
[SW2]int g 0/0/4
[SW2-GigabitEthernet0/0/4]po t all v 403 404
[SW2-GigabitEthernet0/0/4]int g 0/0/1
[SW2-GigabitEthernet0/0/1]po li t
[SW2-GigabitEthernet0/0/1]po t all v 403 404
[SW2-GigabitEthernet0/0/1]q
[SW2]int vlanif 403
[SW2-Vlanif403]ip address 10.40.3.2 24
[SW2-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100
[SW2-Vlanif403]q
[SW2]int vlanif 404
[SW2-Vlanif404]ip address 10.40.4.2 24
[SW2-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100
[SW2-Vlanif404]vrrp vrid 4 priority 120
[SW2-Vlanif404]vrrp vrid 4 preempt-mode timer delay 60    
[SW2-Vlanif404]vrrp vrid 4 track interface g 0/0/4 reduced 30
[SW2]ip route-static vpn-instance vrf 0.0.0.0 0 10.40.2.200
[SW2]ip route-static vpn-instance vrf 0.0.0.0 0 10.40.1.200 preference 70
[SW2]ip route-static 192.168.0.0 16 10.40.4.200
[SW2]ip route-static 192.168.0.0 16 10.40.3.200 preference 70
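
The static routes above keep each flow's outbound and return legs on the same firewall, which a stateful firewall needs in order to match replies to sessions. As an added example (not part of the original post), the Python check below audits that property for the SW1/SW2 routes on this page in the normal state, with FW1 failed, and against a constructed misconfiguration. It assumes that all VRRP addresses of a failed firewall move to its peer and that a static route configured without the preference keyword has preference 60.

```python
# Added example (not from the original post): audit the static-route plan
# for path symmetry through the firewall pair.

DEFAULT = "0.0.0.0/0"        # outbound direction, looked up in the VRF
INSIDE = "192.168.0.0/16"    # return direction, looked up in the public table

# Firewall-side VRRP groups from the plan: VIP -> (normal master, backup)
FW_VIPS = {
    "10.40.1.200": ("FW1", "FW2"),  # vrid 5
    "10.40.2.200": ("FW2", "FW1"),  # vrid 6
    "10.40.3.200": ("FW1", "FW2"),  # vrid 7
    "10.40.4.200": ("FW2", "FW1"),  # vrid 8
}

# Static routes as configured on the page: (prefix, next hop, preference).
# Assumption: routes without a preference keyword use 60; lower wins.
ROUTES = {
    "SW1": [(DEFAULT, "10.40.1.200", 60), (DEFAULT, "10.40.2.200", 70),
            (INSIDE, "10.40.3.200", 60), (INSIDE, "10.40.4.200", 70)],
    "SW2": [(DEFAULT, "10.40.2.200", 60), (DEFAULT, "10.40.1.200", 70),
            (INSIDE, "10.40.4.200", 60), (INSIDE, "10.40.3.200", 70)],
}

def vip_owner(vip, failed):
    """Firewall answering for a VIP: the master, or the backup if it failed."""
    for fw in FW_VIPS[vip]:
        if fw not in failed:
            return fw
    return None

def chosen_firewall(routes, prefix, failed):
    """Follow the best-preference route whose next hop still has an owner."""
    candidates = sorted((r for r in routes if r[0] == prefix), key=lambda r: r[2])
    for _, vip, _ in candidates:
        owner = vip_owner(vip, failed)
        if owner:
            return owner
    return None

def audit(routes_by_switch, failed=frozenset()):
    """Per core switch: (outbound firewall, return firewall, symmetric?)."""
    result = {}
    for sw, routes in routes_by_switch.items():
        out = chosen_firewall(routes, DEFAULT, failed)
        back = chosen_firewall(routes, INSIDE, failed)
        result[sw] = (out, back, out is not None and out == back)
    return result

# Constructed misconfiguration: the two return routes on SW1 have their
# preferences swapped, so replies are handed to FW2 while requests use FW1.
BROKEN = dict(ROUTES, SW1=ROUTES["SW1"][:2] + [(INSIDE, "10.40.3.200", 70),
                                                (INSIDE, "10.40.4.200", 60)])

if __name__ == "__main__":
    for label, plan, failed in (("normal", ROUTES, frozenset()),
                                ("FW1 down", ROUTES, {"FW1"}),
                                ("swapped preference", BROKEN, frozenset())):
        print(label, audit(plan, failed))
```

A False in the third field marks a switch whose two routing tables hand the two directions of one flow to different firewalls.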

5. Core-to-border configuration
[SW1]vlan batch 201 105
[SW1]int g 0/0/6
[SW1-GigabitEthernet0/0/6]po li a
[SW1-GigabitEthernet0/0/6]po de v 105
[SW1-GigabitEthernet0/0/6]undo stp enable
[SW1-GigabitEthernet0/0/6]int g 0/0/3
[SW1-GigabitEthernet0/0/3]po t all v 201
[SW1-GigabitEthernet0/0/3]undo stp enable
[SW1-GigabitEthernet0/0/3]q
[SW1]int vlanif 105
[SW1-Vlanif105]ip address 10.10.5.1 24
[SW1-Vlanif105]q
[SW1]int vlanif 201
[SW1-Vlanif201]ip address 10.20.1.1 24
[SW1-Vlanif201]q
[SW1]ospf 1 router-id 1.1.1.1
[SW1-ospf-1]q
[SW1]ospf 2 router-id 1.1.1.1
[SW1-ospf-2]area 0
[SW1-ospf-2-area-0.0.0.0]network 10.20.1.1 0.0.0.0
[SW1-ospf-2-area-0.0.0.0]network 10.10.5.1 0.0.0.0

SW2:

[SW2]vlan batch 201 206
[SW2]int g 0/0/3
[SW2-GigabitEthernet0/0/3]po l a
[SW2-GigabitEthernet0/0/3]po de v 206
[SW2-GigabitEthernet0/0/3]q
[SW2]int g 0/0/1
[SW2-GigabitEthernet0/0/1]po t all v 201
[SW2-GigabitEthernet0/0/1]undo stp enable
[SW2-GigabitEthernet0/0/1]int g 0/0/3
[SW2-GigabitEthernet0/0/3]undo stp enable
[SW2-GigabitEthernet0/0/3]q
[SW2]int vlanif 201
[SW2-Vlanif201]ip address 10.20.1.2 24
[SW2-Vlanif201]q
[SW2]int vlanif 206
[SW2-Vlanif206]ip address 10.10.6.2 24
[SW2-Vlanif206]undo ip address 10.10.6.2 24
[SW2-Vlanif206]ip address 10.20.6.2 24
[SW2-Vlanif206]q
[SW2]ospf 2 router-id 2.2.2.2
[SW2-ospf-2]area 0
[SW2-ospf-2-area-0.0.0.0]network 10.20.6.2 0.0.0.0
[SW2-ospf-2-area-0.0.0.0]network 10.20.1.2 0.0.0.0

R5:

[R5]int g 0/0/0
[R5-GigabitEthernet0/0/0]ip address 10.10.5.5 24
[R5-GigabitEthernet0/0/0]q
[R5]undo info-center enable
Info: Information center is disabled.
[R5]int g 0/0/1
[R5-GigabitEthernet0/0/1]ip address 10.56.0.5 24
[R5-GigabitEthernet0/0/1]q
[R5]ospf 1 router-id 5.5.5.5
[R5-ospf-1]area 0
[R5-ospf-1-area-0.0.0.0]network 10.56.0.5 0.0.0.0
[R5-ospf-1-area-0.0.0.0]network 10.10.5.5 0.0.0.0
[R5]int g 0/0/2
[R5-GigabitEthernet0/0/2]ip address 12.0.0.5 24
[R5-GigabitEthernet0/0/2]q
[R5]ip route-static 0.0.0.0 0 12.0.0.100
[R5]ospf 1
[R5-ospf-1]default-route-advertise
[R5-ospf-1]q
[R5]acl 2000
[R5-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R5-acl-basic-2000]q
[R5]int g 0/0/2
[R5-GigabitEthernet0/0/2]nat outbound 2000
[R5-GigabitEthernet0/0/2]q

R6:

[R6]int g 0/0/2
[R6-GigabitEthernet0/0/2]ip address 10.20.6.6 24
[R6-GigabitEthernet0/0/2]q
[R6]undo info-center enable
[R6]int g0/0/0
[R6-GigabitEthernet0/0/0]ip address 10.56.0.6 24
[R6-GigabitEthernet0/0/0]q
[R6]ospf 1 router-id 6.6.6.6
[R6-ospf-1]area 0
[R6-ospf-1-area-0.0.0.0]network 10.56.0.6 0.0.0.0
[R6-ospf-1-area-0.0.0.0]network 10.20.6.6 0.0.0.0 
[R6]int g 0/0/1
[R6-GigabitEthernet0/0/1]ip address 13.0.0.6 24
[R6-GigabitEthernet0/0/1]q
[R6]ip route-static 0.0.0.0 0 13.0.0.10
[R6]ospf 1
[R6-ospf-1]default-route-advertise
[R6-ospf-1]q
[R6]acl 2000
[R6-acl-basic-2000]rule permit source 192.168.0.0  0.0.255.255
[R6-acl-basic-2000]q
[R6]int g 0/0/1
[R6-GigabitEthernet0/0/1]nat outbound 2000

ISP:

[ISP]int g 0/0/0
[ISP-GigabitEthernet0/0/0]ip address 12.0.0.100 24
[ISP-GigabitEthernet0/0/0]q
[ISP]int g 0/0/1
[ISP-GigabitEthernet0/0/1]ip address 13.0.0.100 24
[ISP-GigabitEthernet0/0/1]q
[ISP]int LoopBack 0
[ISP-LoopBack0]ip address 100.1.1.1 24

On the firewall-attached switches SW1 and SW2, advertise the routes downstream:

[SW1]ospf 1
[SW1-ospf-1]default-route-advertise
[SW1]ospf 2
[SW1-ospf-2]import-route static 
[SW2]ospf 1
[SW2-ospf-1]default-route-advertise
[SW2]ospf 2
[SW2-ospf-2]import-route static
