Sample exercise
Build the device types, interface numbers and topology exactly as the exercise specifies; do not design them your own way.
For the PCs to work normally, interface management has to be enabled; this is unrelated to the exercise itself.
1. Virtual LANs (VLAN)
PC1 and PC2 are placed in two different VLANs, so reaching each other requires Layer 3 routing; S1, S2 and S3 therefore all need VLAN configuration, and every port between switches is a trunk port.
To reduce broadcast traffic, VLANs must be planned and configured. The requirements are as follows:
Configure the VLANs on S1. A switch port's default type is access, and binding a VLAN under the port has exactly the same effect as the VLAN configuration commands below.
[S1]vlan 10  create the VLAN
[S1-vlan10]name RD  name the VLAN
[S1-vlan10]port GigabitEthernet 1/0/3  assign the VLAN to this port
[S1]vlan 20
[S1-vlan20]name Sales
[S1-vlan20]port GigabitEthernet 1/0/4
[S1]interface range g1/0/1 to g1/0/2  put the ports into an interface range
[S1-if-range]port link-type trunk  ports between switches are trunk ports
[S1-if-range]port trunk permit vlan 10 20  allow VLANs 10 and 20 through
A sound configuration forbids unnecessary traffic on the links, which here means blocking VLAN 1 on the trunks.
[S1]int g 1/0/1
[S1-GigabitEthernet1/0/1]dis th
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20  VLAN 1 exists on the switch by default
combo enable fiber
#
return
[S1-GigabitEthernet1/0/1]undo port tru
[S1-GigabitEthernet1/0/1]undo port trunk permit vlan 1  stop unnecessary VLANs from propagating over the link by removing VLAN 1; do the same on port 2
[S1-GigabitEthernet1/0/1]dis th
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10 20
combo enable fiber
#
return
[S2]vlan 10
[S2-vlan10]name RD
[S2-vlan10]vlan 20
[S2-vlan20]name Sales
[S2-vlan20]quit
[S2]interface range g1/0/1 to g1/0/3
[S2-if-range]port link-type trunk
[S2-if-range]port trunk permit vlan 10 20
[S2-if-range]
[S2-if-range]undo port trunk permit vlan 1
[s3]vlan 10
[s3-vlan10]name RD
[s3-vlan10]vlan 20
[s3-vlan20]name Sales
[s3-vlan20]quit
[s3]interface range g1/0/1 to g1/0/3
[s3-if-range]port link-type trunk
[s3-if-range]port trunk permit vlan 10 20
[s3-if-range]undo port tru
[s3-if-range]undo port trunk permit vlan 1
The physical ports interconnecting a switch and a router are used directly in Layer 3 mode; only port 4 on S2 and S3 connects to a router.
[S2]int g 1/0/4
[S2-GigabitEthernet1/0/4]port link-mode route  change the port mode to route (bridge is the Layer 2 mode)
[s3]int g 1/0/4
[s3-GigabitEthernet1/0/4]port link-mode route
[S2]port link-mode route GigabitEthernet1/0/4  same effect as above
So that ports can move to forwarding quickly, the switch ports connected to the PCs are configured as edge ports, and BPDU protection is enabled at the same time to protect the network.
[S1-GigabitEthernet1/0/3]stp edged-port  set the edge port; do the same on port 4. Ports are non-edge by default. An edge port does not accept or process configuration BPDUs and takes no part in the spanning-tree calculation. If an edge port receives a configuration BPDU, it reverts to an ordinary STP port and the tree is recalculated, which causes the network to flap.
[S1]stp bpdu-protection  enable BPDU protection: when an edge port receives a BPDU, the port is shut down.
2. IPv4 address deployment
A VLAN 100 suddenly appears in the IP address plan. Per the network requirements, headquarters runs OSPF, and S2 and S3 need IP addresses to peer with each other, but the ports between the two switches are Layer 2 ports, so VLAN 100 is used for the link between them. Permit VLAN 100 on the inter-switch ports and the two switches can communicate.
[S2-Vlan-interface10]ip address 192.168.10.253 255.255.255.0
[S2-Vlan-interface20]ip address 192.168.20.253 24  either way of writing the mask works
[S2]interface range g1/0/1 to g1/0/2
[S2-if-range]port trunk permit vlan 100  permit VLAN 100 on the ports between the two switches
[s3]interface range g1/0/1 to g1/0/2
[s3-if-range]port trunk permit vlan 100
[s3]ping 192.168.100.1  ping S2's VLAN 100 address; communication works
Ping 192.168.100.1 (192.168.100.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.100.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 192.168.100.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 192.168.100.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.100.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 192.168.100.1: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 192.168.100.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.800/1.000/0.400 ms
[s3]%Oct 7 20:07:21:290 2023 s3 PING/6/PING_STATISTICS: Ping statistics for 192.168.100.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.800/1.000/0.400 ms.
3. OSPF and routing deployment
Headquarters uses OSPF for its network. The network must be secure and stable.
OSPF process 10, area 0; S2, S3 and R1 establish OSPF neighbor relationships.
All processes must have a Router-ID configured.
[S2]ospf 10 router-id 9.9.9.2  the router-id normally uses the loopback interface address
[S2-ospf-10]area 0
[S2-ospf-10-area-0.0.0.0]net 9.9.9.2 0.0.0.0
[S2-ospf-10-area-0.0.0.0]net 10.0.0.0 0.0.0.3
[S2-ospf-10-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[S2-ospf-10-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[S2-ospf-10-area-0.0.0.0]net 192.168.100.0 0.0.0.255
[s3]ospf 10 router-id 9.9.9.3
[s3-ospf-10]area 0
[S3-ospf-10-area-0.0.0.0]net 9.9.9.3 0.0.0.0
[S3-ospf-10-area-0.0.0.0]net 10.0.0.4 0.0.0.3
[S3-ospf-10-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[S3-ospf-10-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[S3-ospf-10-area-0.0.0.0]net 192.168.100.0 0.0.0.255
[R1]ospf 10 router-id 10.10.10.1
[R1-ospf-10]area 0
[R1-ospf-10-area-0.0.0.0]net 10.0.0.0 0.0.0.3
[R1-ospf-10-area-0.0.0.0]net 10.0.0.4 0.0.0.3
[R1-ospf-10-area-0.0.0.0]net 10.10.10.1 0.0.0.0
[S2]dis ospf peer  on broadcast and NBMA OSPF network types a DR and BDR are elected; when the link-layer protocol is Ethernet or FDDI, the default network type is broadcast
OSPF Process 10 with Router ID 9.9.9.2
Neighbor Brief Information
Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
10.10.10.1 10.0.0.2 1 31 Full/BDR GE1/0/4
9.9.9.3 192.168.10.254 1 35 Full/DR Vlan10
9.9.9.3 192.168.20.254 1 34 Full/BDR Vlan20
9.9.9.3 192.168.100.2 1 36 Full/DR Vlan100
[S3]dis ospf peer
OSPF Process 10 with Router ID 9.9.9.3
Neighbor Brief Information
Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
10.10.10.1 10.0.0.6 1 33 Full/BDR GE1/0/4
9.9.9.2 192.168.10.253 1 36 Full/BDR Vlan10
9.9.9.2 192.168.20.253 1 30 Full/DR Vlan20
9.9.9.2 192.168.100.1 1 37 Full/BDR Vlan100
[R1]dis ospf peer
OSPF Process 10 with Router ID 10.10.10.1
Neighbor Brief Information
Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
9.9.9.2 10.0.0.1 1 40 Full/DR GE0/0
9.9.9.3 10.0.0.5 1 32 Full/DR GE0/1
Protocol packets must not appear on the business segments.
[S2]ospf 10 router-id 9.9.9.2
[S2-ospf-10]silent-interface Vlan-interface 10  configure the switch interfaces facing the business segments as silent interfaces; the interface stops sending and receiving OSPF packets while routing keeps working
[S2-ospf-10]silent-interface Vlan-interface 20
[s3-ospf-10]silent-interface Vlan-interface 10
[s3-ospf-10]silent-interface vlan-interface 20
[S2]dis ospf peer
OSPF Process 10 with Router ID 9.9.9.2
Neighbor Brief Information
Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
10.10.10.1 10.0.0.2 1 40 Full/BDR GE1/0/4
9.9.9.3 192.168.100.2 1 39 Full/DR Vlan100
[S3]dis ospf peer
OSPF Process 10 with Router ID 9.9.9.3
Neighbor Brief Information
Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
10.10.10.1 10.0.0.6 1 40 Full/BDR GE1/0/4
9.9.9.2 192.168.100.1 1 34 Full/BDR Vlan100
All routing protocols must advertise specific network segments.
For ease of management, the Loopback addresses must be advertised.
Advertise a default route on the appropriate device. Switches S2 and S3 have no route towards router R2's business segment.
[S2]dis ip routing-table
Destinations : 28 Routes : 29
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
9.9.9.2/32 Direct 0 0 127.0.0.1 InLoop0
9.9.9.3/32 O_INTRA 10 1 192.168.100.2 Vlan100
10.0.0.0/30 Direct 0 0 10.0.0.1 GE1/0/4
10.0.0.0/32 Direct 0 0 10.0.0.1 GE1/0/4
10.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.0.3/32 Direct 0 0 10.0.0.1 GE1/0/4
10.0.0.4/30 O_INTRA 10 2 10.0.0.2 GE1/0/4
192.168.100.2 Vlan100
10.10.10.1/32 O_INTRA 10 1 10.0.0.2 GE1/0/4
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
192.168.10.0/24 Direct 0 0 192.168.10.253 Vlan10
192.168.10.0/32 Direct 0 0 192.168.10.253 Vlan10
192.168.10.253/32 Direct 0 0 127.0.0.1 InLoop0
192.168.10.255/32 Direct 0 0 192.168.10.253 Vlan10
192.168.20.0/24 Direct 0 0 192.168.20.253 Vlan20
192.168.20.0/32 Direct 0 0 192.168.20.253 Vlan20
192.168.20.253/32 Direct 0 0 127.0.0.1 InLoop0
192.168.20.255/32 Direct 0 0 192.168.20.253 Vlan20
192.168.100.0/24 Direct 0 0 192.168.100.1 Vlan100
192.168.100.0/32 Direct 0 0 192.168.100.1 Vlan100
192.168.100.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.100.255/32 Direct 0 0 192.168.100.1 Vlan100
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
[S3]dis ip routing-table
Destinations : 28 Routes : 29
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
9.9.9.2/32 O_INTRA 10 1 192.168.100.1 Vlan100
9.9.9.3/32 Direct 0 0 127.0.0.1 InLoop0
10.0.0.0/30 O_INTRA 10 2 10.0.0.6 GE1/0/4
192.168.100.1 Vlan100
10.0.0.4/30 Direct 0 0 10.0.0.5 GE1/0/4
10.0.0.4/32 Direct 0 0 10.0.0.5 GE1/0/4
10.0.0.5/32 Direct 0 0 127.0.0.1 InLoop0
10.0.0.7/32 Direct 0 0 10.0.0.5 GE1/0/4
10.10.10.1/32 O_INTRA 10 1 10.0.0.6 GE1/0/4
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
192.168.10.0/24 Direct 0 0 192.168.10.254 Vlan10
192.168.10.0/32 Direct 0 0 192.168.10.254 Vlan10
192.168.10.254/32 Direct 0 0 127.0.0.1 InLoop0
192.168.10.255/32 Direct 0 0 192.168.10.254 Vlan10
192.168.20.0/24 Direct 0 0 192.168.20.254 Vlan20
192.168.20.0/32 Direct 0 0 192.168.20.254 Vlan20
192.168.20.254/32 Direct 0 0 127.0.0.1 InLoop0
192.168.20.255/32 Direct 0 0 192.168.20.254 Vlan20
192.168.100.0/24 Direct 0 0 192.168.100.2 Vlan100
192.168.100.0/32 Direct 0 0 192.168.100.2 Vlan100
192.168.100.2/32 Direct 0 0 127.0.0.1 InLoop0
192.168.100.255/32 Direct 0 0 192.168.100.2 Vlan100
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
[R1]dis ip routing-table
Destinations : 23 Routes : 26
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
9.9.9.2/32 O_INTRA 10 1 10.0.0.1 GE0/0
9.9.9.3/32 O_INTRA 10 1 10.0.0.5 GE0/1
10.0.0.0/30 Direct 0 0 10.0.0.2 GE0/0
10.0.0.2/32 Direct 0 0 127.0.0.1 InLoop0
10.0.0.3/32 Direct 0 0 10.0.0.2 GE0/0
10.0.0.4/30 Direct 0 0 10.0.0.6 GE0/1
10.0.0.6/32 Direct 0 0 127.0.0.1 InLoop0
10.0.0.7/32 Direct 0 0 10.0.0.6 GE0/1
10.10.10.1/32 Direct 0 0 127.0.0.1 InLoop0
20.1.1.0/30 Direct 0 0 20.1.1.1 Ser1/0
20.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
20.1.1.2/32 Direct 0 0 20.1.1.2 Ser1/0
20.1.1.3/32 Direct 0 0 20.1.1.1 Ser1/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
192.168.10.0/24 O_INTRA 10 2 10.0.0.1 GE0/0
O_INTRA 10 2 10.0.0.5 GE0/1
192.168.20.0/24 O_INTRA 10 2 10.0.0.1 GE0/0
O_INTRA 10 2 10.0.0.5 GE0/1
192.168.100.0/24 O_INTRA 10 2 10.0.0.1 GE0/0
O_INTRA 10 2 10.0.0.5 GE0/1
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
[S2]ip route-static 0.0.0.0 0 10.0.0.2
[S3]ip route-static 0.0.0.0 0 10.0.0.6
Configure OSPF area authentication with the plaintext password 123456; switches S2 and S3 and router R1 all configure area authentication. OSPF authentication comes as area authentication or interface authentication; authentication configured under an interface inside the OSPF area is interface authentication.
[R1-ospf-10-area-0.0.0.0]authentication-mode simple plain 123456  plain means plaintext, cipher means ciphertext; do the same on the switches
Optimize the OSPF configuration to speed up convergence as much as possible. Convergence is sped up by shortening the hello interval (the default is one hello every 10 seconds) and changing the network type to P2P so that no DR/BDR election takes place, which saves time. Note: every OSPF change must match on both ends, otherwise the neighbor relationship will not come up.
[S2-GigabitEthernet1/0/4]ospf timer hello 5  change the hello interval under the interface to one hello every 5 seconds
[S2-Vlan-interface100]ospf timer hello 5  on the switches this is configured under the VLAN interface
[s3-Vlan-interface100]ospf timer hello 5
[s3-GigabitEthernet1/0/4]ospf timer hello 5
[R1-GigabitEthernet0/0]ospf timer hello 5
[R1-GigabitEthernet0/1]ospf timer hello 5
[S2-GigabitEthernet1/0/4]ospf network-type p2p  change the OSPF network type to p2p under the interface
[S2-Vlan-interface100]ospf network-type p2p
[s3-GigabitEthernet1/0/4]ospf network-type p2p
[s3-Vlan-interface100]ospf network-type p2p
[R1-GigabitEthernet0/0]ospf network-type p2p
[R1-GigabitEthernet0/1]ospf network-type p2p
Between headquarters and the branch, configure suitable static routes; at a minimum the business segments must be able to communicate normally.
[R2]dis ip routing-table
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.0/30 Direct 0 0 10.10.10.2 Loop0
10.10.10.2/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.3/32 Direct 0 0 10.10.10.2 Loop0
20.1.1.0/30 Direct 0 0 20.1.1.2 Ser1/0
20.1.1.1/32 Direct 0 0 20.1.1.1 Ser1/0
20.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0
20.1.1.3/32 Direct 0 0 20.1.1.2 Ser1/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
[R1]ip route-static 10.10.10.0 30 20.1.1.2
[R2]ip route-static 192.168.10.0 24 20.1.1.1
[R2]ip route-static 192.168.20.0 24 20.1.1.1
[R2]ip route-static 10.0.0.0 30 20.1.1.1
[R2]ip route-static 10.0.0.4 30 20.1.1.1
[R2]dis ip routing-table
Destinations : 18 Routes : 18
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.0.0.0/30 Static 60 0 20.1.1.1 Ser1/0
10.0.0.4/30 Static 60 0 20.1.1.1 Ser1/0
10.10.10.0/30 Direct 0 0 10.10.10.2 Loop0
10.10.10.2/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.3/32 Direct 0 0 10.10.10.2 Loop0
20.1.1.0/30 Direct 0 0 20.1.1.2 Ser1/0
20.1.1.1/32 Direct 0 0 20.1.1.1 Ser1/0
20.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0
20.1.1.3/32 Direct 0 0 20.1.1.2 Ser1/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
192.168.10.0/24 Static 60 0 20.1.1.1 Ser1/0
192.168.20.0/24 Static 60 0 20.1.1.1 Ser1/0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
The whole network is now reachable.
4. MSTP, VRRP and link aggregation deployment
Configure MSTP on the headquarters switches S1, S2 and S3 to prevent Layer 2 loops. VLAN 10 traffic must be forwarded through S2, and through S3 when S2 fails; VLAN 20 traffic must be forwarded through S3, and through S2 when S3 fails. The required parameters are as follows:
Loop elimination: loops that may exist in the network are removed by blocking redundant links. Link backup: when the active path fails, the backup link is activated and connectivity is restored promptly.
region-name is H3C;
instance values are 1 and 2;
S2 is the primary root of instance 1 and S3 the secondary root;
S3 is the primary root of instance 2 and S2 the secondary root.
[S1]stp mode mstp  set the STP mode to MSTP
[S1]stp region-configuration  enter the MST region configuration view
[S1-mst-region]region-name H3C  name the region
[S1-mst-region]instance 1 vlan 10  map VLAN 10 to instance 1
[S1-mst-region]instance 2 vlan 20  map VLAN 20 to instance 2
[S1-mst-region]active region-configuration  activate the configuration; without this none of the above takes effect
[S2]stp mode mstp
[S2]stp region-configuration
[S2-mst-region]region-name H3C
[S2-mst-region]instance 1 vlan 10
[S2-mst-region]instance 2 vlan 20
[S2-mst-region]active region-configuration
[S2]stp instance 1 root primary  make S2 the primary root of instance 1
[S2]stp instance 2 root secondary  make S2 the secondary root of instance 2
[s3]stp mode mstp
[s3]stp region-configuration
[s3-mst-region]region-name H3C
[s3-mst-region]instance 1 vlan 10
[s3-mst-region]instance 2 vlan 20
[s3-mst-region]active region-configuration
[s3]stp instance 1 root secondary
[s3]stp instance 2 root primary
Check the brief STP status: all instances come up normally. MSTP port roles: root port, designated port, alternate port, backup port.
Port states: forwarding, learning, discarding
[S1]dis stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE
1 GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 GigabitEthernet1/0/2 ALTE DISCARDING NONE
2 GigabitEthernet1/0/1 ALTE DISCARDING NONE
2 GigabitEthernet1/0/2 ROOT FORWARDING NONE
[S2]dis stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
0 GigabitEthernet1/0/3 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING NONE
1 GigabitEthernet1/0/2 DESI FORWARDING NONE
1 GigabitEthernet1/0/3 DESI FORWARDING NONE
2 GigabitEthernet1/0/1 ROOT FORWARDING NONE
2 GigabitEthernet1/0/2 ALTE DISCARDING NONE
2 GigabitEthernet1/0/3 DESI FORWARDING NONE
[s3]dis stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE
0 GigabitEthernet1/0/3 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 GigabitEthernet1/0/2 ALTE DISCARDING NONE
1 GigabitEthernet1/0/3 DESI FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING NONE
2 GigabitEthernet1/0/2 DESI FORWARDING NONE
2 GigabitEthernet1/0/3 DESI FORWARDING NONE
Check the STP root on each switch: S2 is the root switch of the whole spanning tree, S2 is the root of instance 1 and S3 is the root of instance 2, which matches the exercise requirements, so the configuration is correct.
[S1]dis stp root
MST ID Root Bridge ID ExtPathCost IntPathCost Root Port
0 32768.2aaf-49dc-0300 0 20 GE1/0/1
1 0.2aaf-49dc-0300 0 20 GE1/0/1
2 0.2aaf-4b7b-0400 0 20 GE1/0/2
[S2]dis stp root
MST ID Root Bridge ID ExtPathCost IntPathCost Root Port
0 32768.2aaf-49dc-0300 0 0
1 0.2aaf-49dc-0300 0 0
2 0.2aaf-4b7b-0400 0 20 GE1/0/1
[s3]dis stp root
MST ID Root Bridge ID ExtPathCost IntPathCost Root Port
0 32768.2aaf-49dc-0300 0 20 GE1/0/1
1 0.2aaf-49dc-0300 0 20 GE1/0/1
2 0.2aaf-4b7b-0400 0 0
S2 is the actual gateway for all hosts in VLAN 10 and S3 the backup gateway; S3 is the actual gateway for all hosts in VLAN 20 and S2 the backup gateway.
The high priority in each VRRP group is set to 120; the default priority is 100.
[S2]int vlan 10
[S2-Vlan-interface10]vrrp vrid 10 virtual-ip 192.168.10.252
[S2-Vlan-interface10]vrrp vrid 10 priority 120
[s3]int vlan 20
[s3-Vlan-interface20]vrrp vrid 20 virtual-ip 192.168.20.252
[s3-Vlan-interface20]vrrp vrid 20 priority 120
[S2]dis vrrp
IPv4 virtual router information:
Running mode : Standard
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
pri timer(cs) type IP
---------------------------------------------------------------------
Vlan10 10 Master 100 100 None 192.168.10.252
Vlan20 20 Backup 100 100 None 192.168.20.252
[s3]dis vrrp
IPv4 virtual router information:
Running mode : Standard
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
pri timer(cs) type IP
---------------------------------------------------------------------
Vlan10 10 Backup 100 100 None 192.168.10.252
Vlan20 20 Master 100 100 None 192.168.20.252
On the Master device of each VRRP group, configure monitoring of the specified Track item (ID 1), working together with BFD to monitor the uplink state. When the uplink fails, the Slave device must take over forwarding from the Master; when the link recovers, master and backup switch back. The delay is 5 seconds.
BFD (Bidirectional Forwarding Detection) is a general, standardized, media-independent and protocol-independent fast fault detection mechanism. It detects link connectivity in IP networks so that devices can quickly detect communication failures and take action in time to keep services running.
BFD can quickly detect failures of the bidirectional forwarding path between two devices on behalf of various upper-layer protocols (such as routing protocols). Upper-layer protocols usually detect failures with a Hello packet mechanism, which takes seconds, whereas BFD provides millisecond-level detection.
A BFD session is implemented with two kinds of packets: echo packets (only one end needs BFD configured; the local end sends echo packets to establish the BFD session and check the link, while the peer does not establish a BFD session and simply forwards the received echo packets back to the local end) and control packets (both ends establish the BFD session by periodically sending control packets to check the link).
Note: a Track item can only be associated with an echo-mode BFD session, not with a control-packet-mode BFD session. Once a Track item and a BFD session are associated, when BFD determines that the peer is unreachable it notifies the Track module to set the state of the associated Track item to Negative.
[S2]bfd echo-source-ip 2.2.2.2  configure the BFD echo source; this is mandatory and I was stuck here for a long time. Any address will do, as long as it is not a real address on the device.
[S2]track 1 bfd echo interface GigabitEthernet 1/0/4 remote ip 10.0.0.2 local ip 10.0.0.1  configure the Track item; the interface after echo interface is the local interface connected to the uplink, used to check whether the local end can reach the peer
[S2-Vlan-interface10]dis th
#
interface Vlan-interface10
ip address 192.168.10.253 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.252
vrrp vrid 10 priority 120  set the priority; the default is 100
vrrp vrid 10 preempt-mode delay 500  configure preemption; the unit is centiseconds, so 5 seconds is 500
vrrp vrid 10 track 1 priority reduced 25  link to BFD: when the uplink fails, the priority is reduced by 25 (it must be more than 20)
#
return
[S2-Vlan-interface20]dis th
#
interface Vlan-interface20
ip address 192.168.20.253 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.252
vrrp vrid 20 preempt-mode delay 500
#
return
[s3]bfd echo-source-ip 3.3.3.3
[s3]track 1 bfd echo interface GigabitEthernet 1/0/4 remote ip 10.0.0.6 local ip 10.0.0.5
[s3-Vlan-interface10]dis th
#
interface Vlan-interface10
ip address 192.168.10.254 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.252
vrrp vrid 10 preempt-mode delay 500
#
return
[s3-Vlan-interface20]dis th
#
interface Vlan-interface20
ip address 192.168.20.254 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.252
vrrp vrid 20 priority 120
vrrp vrid 20 preempt-mode delay 500
vrrp vrid 20 track 1 priority reduced 25
#
return
After the configuration is done, check that it is correct and effective, and verify it: shut down port 4 on S2, observe the VRRP master/backup change on both switches, then bring the port back up and check whether the roles switch back.
[S2]dis vrrp
IPv4 virtual router information:
Running mode : Standard
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
pri timer(cs) type IP
---------------------------------------------------------------------
Vlan10 10 Master 120 100 None 192.168.10.252
Vlan20 20 Backup 100 100 None 192.168.20.252
[S2]dis bfd session
Total Session Num: 1 Up Session Num: 1 Init Mode: Active
IPv4 session working in echo mode:
LD SourceAddr DestAddr State Holdtime Interface
129 10.0.0.1 10.0.0.2 Up 1993ms GE1/0/4
[s3]dis vrrp
IPv4 virtual router information:
Running mode : Standard
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
pri timer(cs) type IP
---------------------------------------------------------------------
Vlan10 10 Backup 100 100 None 192.168.10.252
Vlan20 20 Master 120 100 None 192.168.20.252
[s3]dis bfd session
Total Session Num: 1 Up Session Num: 1 Init Mode: Active
IPv4 session working in echo mode:
LD SourceAddr DestAddr State Holdtime Interface
129 10.0.0.5 10.0.0.6 Up 1945ms GE1/0/4
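As an added example that is not part of the original write-up, the following Python script audits Comware-style configuration text for three points made in sections 1 and 4: a trunk that still permits VLAN 1, an edge port configured without the global stp bpdu-protection, and a VRRP master whose track reduction is too small to drop it below its backup (the "must be more than 20" remark above). The sample configurations are constructed to mirror S2 and S3, with S3 deliberately misconfigured; the device names, check logic and messages are my own assumptions, not an H3C tool.

```python
"""Audit H3C Comware configuration text for hardening points from this walkthrough:
trunks drop VLAN 1, edge ports have global BPDU protection, and a VRRP master's
track reduction really drops it below its backup (otherwise failover never happens)."""
from typing import Dict, List, Tuple
# Constructed sample configs (display-current-configuration style, not real captures).
# S2 mirrors the walkthrough; S3 deliberately carries three mistakes to be reported.
S2_CFG = """\
 stp bpdu-protection
interface GigabitEthernet1/0/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 20 100
interface GigabitEthernet1/0/3
 stp edged-port
interface Vlan-interface10
 vrrp vrid 10 virtual-ip 192.168.10.252
 vrrp vrid 10 priority 120
 vrrp vrid 10 track 1 priority reduced 25
interface Vlan-interface20
 vrrp vrid 20 virtual-ip 192.168.20.252
"""
S3_CFG = """\
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 10 20 100
interface GigabitEthernet1/0/3
 stp edged-port
interface Vlan-interface10
 vrrp vrid 10 virtual-ip 192.168.10.252
interface Vlan-interface20
 vrrp vrid 20 virtual-ip 192.168.20.252
 vrrp vrid 20 priority 120
 vrrp vrid 20 track 1 priority reduced 15
"""

def parse(cfg: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split config text into global lines and {interface name: its lines}."""
    glob, ifaces, cur = [], {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "#":          # a bare '#' ends the current view
            cur = None
        elif line.startswith("interface "):
            cur = line.split(" ", 1)[1]
            ifaces[cur] = []
        elif cur is not None:
            ifaces[cur].append(line)
        else:
            glob.append(line)
    return glob, ifaces

def audit_device(name: str, cfg: str) -> List[str]:
    """Per-device checks: VLAN 1 left on a trunk, edge port without BPDU guard."""
    glob, ifaces = parse(cfg)
    findings = []
    for ifname, lines in ifaces.items():
        # Comware permits VLAN 1 on a trunk by default; only the explicit undo removes it.
        if "port link-type trunk" in lines and "undo port trunk permit vlan 1" not in lines:
            findings.append(f"{name} {ifname}: trunk still permits VLAN 1")
        if "stp edged-port" in lines and "stp bpdu-protection" not in glob:
            findings.append(f"{name} {ifname}: edge port without global stp bpdu-protection")
    return findings

def vrrp_groups(cfg: str) -> Dict[int, Tuple[int, int]]:
    """Return {vrid: (priority, track reduction)}; defaults are 100 and 0."""
    groups: Dict[int, Tuple[int, int]] = {}
    for lines in parse(cfg)[1].values():
        for tok in (l.split() for l in lines if l.startswith("vrrp vrid ")):
            vrid = int(tok[2])
            pri, red = groups.get(vrid, (100, 0))
            if tok[3] == "priority":
                pri = int(tok[4])
            elif tok[3] == "track":          # "track 1 priority reduced 25"
                red = int(tok[-1])
            groups[vrid] = (pri, red)
    return groups

def audit_vrrp_failover(configs: Dict[str, str]) -> List[str]:
    """Cross-device check: the highest-priority member must track its uplink and sit below the backup once reduced."""
    per_dev = {dev: vrrp_groups(cfg) for dev, cfg in configs.items()}
    findings = []
    for vrid in sorted({v for g in per_dev.values() for v in g}):
        members = sorted(((*g[vrid], dev) for dev, g in per_dev.items() if vrid in g), reverse=True)
        if len(members) < 2:
            continue                          # single member: nothing to fail over to
        (mpri, mred, mdev), (bpri, _, _) = members[0], members[1]
        if mred == 0:
            findings.append(f"VRID {vrid}: master {mdev} has no track item")
        elif mpri - mred >= bpri:
            findings.append(f"VRID {vrid}: master {mdev} {mpri}-{mred}={mpri - mred} >= backup {bpri}, no failover")
    return findings
```

Running `audit_device("S3", S3_CFG)` reports the VLAN 1 trunk and the unprotected edge port, and `audit_vrrp_failover` flags VRID 20 because 120 - 15 = 105 still beats the backup's 100, so S2 would never take over.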
Create link aggregation group 1 on S2 and S3; the aggregated link between S2 and S3 increases link reliability, and the mode is static aggregation. There are two aggregation modes, dynamic and static. The port type of the aggregation group and of the ports joining it must be the same, with identical configuration.
[S2]int Bridge-Aggregation 1  create the aggregation group
[S2]interface range g1/0/1 to g1/0/2
[S2-if-range]port link-aggregation group 1  put the ports into the aggregation group
[S2-Bridge-Aggregation1]port link-type trunk  the aggregation group's configuration matches the member ports'
[S2-Bridge-Aggregation1]port trunk permit vlan 10 20 100
[S2-Bridge-Aggregation1]undo port trunk permit vlan 1
[S2]dis int Bridge-Aggregation
Bridge-Aggregation1
Current state: UP  the state is up
IP packet frame type: Ethernet II, hardware address: 2aaf-49dc-0300
Description: Bridge-Aggregation1 Interface
Bandwidth: 2000000 kbps
2Gbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
PVID: 1
Port link-type: Trunk
VLAN Passing: 10, 20, 100
VLAN permitted: 10, 20, 100
Trunk port encapsulation: IEEE 802.1q
Last clearing of counters: Never
Last 300 second input: 0 packets/sec 0 bytes/sec 0%
Last 300 second output: 0 packets/sec 0 bytes/sec 0%
Input (total): 0 packets, 0 bytes
0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Input (normal): 0 packets, 0 bytes
0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Input: 0 input errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 frame, 0 overruns, 0 aborts
0 ignored, 0 parity errors
Output (total): 0 packets, 0 bytes
0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Output (normal): 0 packets, 0 bytes
0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Output: 0 output errors, 0 underruns, 0 buffer failures
0 aborts, 0 deferred, 0 collisions, 0 late collisions
0 lost carrier, 0 no carrier
Repeat the above on switch S3.
5. IPsec deployment
The link between headquarters R1 and branch R2 is a WAN link. It must be protected with PPP (an encapsulation protocol) and IPsec.
The PPP requirements are as follows:
Use CHAP two-way authentication; both ends must add the username and password to their user list.
Username plus authentication password;
Username and password are both 123456.
[R1]local-user 123456 class network  add the username to the user list; network means a network access user
[R1-luser-network-123456]password simple 123456  enter the password of the listed user
[R1-luser-network-123456]service-type ppp  the service type is ppp
[R1]int s 1/0
[R1-Serial1/0]link-protocol ppp  set the interface encapsulation protocol; ppp is the default, but set it to be safe, since defaults do not show in display output
[R1-Serial1/0]ppp authentication-mode chap  the PPP authentication mode is CHAP (Challenge Handshake Authentication Protocol)
[R1-Serial1/0]ppp chap user 123456  the username sent to the authenticator
Do the same on R2.
The IPsec requirements are as follows:
IPsec with IKE, step by step: full reachability → ACL matching the data flow → IPsec proposal → IKE keychain → IKE profile → IPsec policy → apply the policy. The theory has to be built up on your own; it is not covered in depth here.
Encrypt the business data flow (business segments) from headquarters to the branch.
Encapsulation in tunnel mode, security protocol ESP, encryption algorithm DES, authentication algorithm SHA1, with the IPsec SA established by IKE negotiation.
[R1]ipsec transform-set h3c  configure the IPsec transform set, i.e. the IPsec proposal
[R1-ipsec-transform-set-h3c]encapsulation-mode tunnel  tunnel encapsulation
[R1-ipsec-transform-set-h3c]protocol esp  use the ESP security protocol
[R1-ipsec-transform-set-h3c]esp encryption-algorithm des-cbc  encryption algorithm
[R1-ipsec-transform-set-h3c]esp authentication-algorithm sha1  authentication algorithm
The ACL number is 3001.
[R1]dis acl 3001
Advanced IPv4 ACL 3001, 2 rules,
ACL's step is 5
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.10.10.0 0.0.0.3 (6 times matched)
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.3
[R2]dis acl 3001  an advanced ACL filters on source and destination IP addresses, matching the business segments
Advanced IPv4 ACL 3001, 2 rules,
ACL's step is 5
rule 5 permit ip source 10.10.10.0 0.0.0.3 destination 192.168.10.0 0.0.0.255 (5 times matched)
rule 10 permit ip source 10.10.10.0 0.0.0.3 destination 192.168.20.0 0.0.0.255
IKE proposal sequence 1; the IKE keychain, IKE profile and IPsec transform set are all named h3c;
The pre-shared key is the plaintext 654321.
[R1]ike keychain h3c  similar to the IKE peer in Huawei eNSP
[R1-ike-keychain-h3c]pre-shared-key address 20.1.1.2 30 key simple 654321  set the pre-shared key and the peer IP address
[R1]ike profile h3c
[R1-ike-profile-h3c]keychain h3c  reference the IKE keychain
[R1-ike-profile-h3c]local-identity address 20.1.1.1  the address of the local interface
[R1-ike-profile-h3c]match remote identity address 20.1.1.2 255.255.255.252  match the peer IP address
The IPsec policy is named h3c with sequence number 1.
[R1]ipsec policy h3c 1 isakmp  isakmp means the IPsec SA is established through IKE
[R1-ipsec-policy-isakmp-h3c-1]transform-set h3c  reference the IPsec proposal
[R1-ipsec-policy-isakmp-h3c-1]security acl 3001  reference the ACL
[R1-ipsec-policy-isakmp-h3c-1]remote-address 20.1.1.2  set the peer IP address
[R1-ipsec-policy-isakmp-h3c-1]ike-profile h3c  reference the IKE profile
Apply it on the interface, then test from switch S2 with ping -a 192.168.10.253 10.10.10.2.
[R1]int s 1/0
[R1-Serial1/0]ipsec apply policy h3c  apply the security policy on the interface
[S2]ping -a 192.168.10.253 10.10.10.2
Ping 10.10.10.2 (10.10.10.2) from 192.168.10.253: 56 data bytes, press CTRL_C to break
56 bytes from 10.10.10.2: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 10.10.10.2: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 10.10.10.2: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 10.10.10.2: icmp_seq=3 ttl=254 time=1.000 ms
56 bytes from 10.10.10.2: icmp_seq=4 ttl=254 time=0.000 ms
--- Ping statistics for 10.10.10.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.800/1.000/0.400 ms
[S2]%Oct 8 15:10:55:533 2023 S2 PING/6/PING_STATISTICS: Ping statistics for 10.10.10.2: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.800/1.000/0.400 ms.
[R1]dis ike sa
Connection-ID Local Remote Flag DOI
-------------------------------------------------------------------------
1 20.1.1.1 20.1.1.2 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
[R2]dis ipsec sa  use this command to check the IPsec state. The output below is not from this exercise's IPsec configuration, but it looks roughly like this with different parameter values; you may need to wait a moment for it to appear.
-------------------------------
Interface: Serial1/0
-------------------------------
-----------------------------
IPsec policy: h3c
Sequence number: 1
Mode: ISAKMP
----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1444
Tunnel:
local address: 192.168.30.2
remote address: 192.168.30.1
Flow:
sour addr: 192.168.20.0/255.255.255.0 port: 0 protocol: ip
dest addr: 192.168.10.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1463321289 (0x573882c9)
Connection ID: 4294967296
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3579
Max received sequence-number: 9
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3785821096 (0xe1a70ba8)
Connection ID: 4294967297
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3579
Max sent sequence-number: 9
UDP encapsulation used for NAT traversal: N
Status: Active
6. Route selection deployment
There are two links from the headquarters business segments to the branch. Plan R1-S2 as the primary path for VLAN 10 and R1-S3 as the primary path for VLAN 20.
Change the interface cost values; each value must be 5 or 10.
The primary path for VLAN 10 between headquarters and the branch is S1-S2-R1-R2.
The primary path for VLAN 20 between headquarters and the branch is S1-S3-R1-R2.
The forward and return paths must be the same.
When the primary link fails, traffic must switch seamlessly to the backup link.
[S2]dis ip routing-table protocol ospf
Summary count : 9
OSPF Routing table status : <Active>
Summary count : 4
Destination/Mask Proto Pre Cost NextHop Interface
9.9.9.3/32 O_INTRA 10 1 192.168.100.2 Vlan100
10.0.0.4/30 O_INTRA 10 2 10.0.0.2 GE1/0/4
192.168.100.2 Vlan100
10.10.10.1/32 O_INTRA 10 1 10.0.0.2 GE1/0/4
OSPF Routing table status : <Inactive>
Summary count : 5
Destination/Mask Proto Pre Cost NextHop Interface
9.9.9.2/32 O_INTRA 10 0 0.0.0.0 Loop0
10.0.0.0/30 O_INTRA 10 1 0.0.0.0 GE1/0/4
192.168.10.0/24 O_INTRA 10 1 0.0.0.0 Vlan10
192.168.20.0/24 O_INTRA 10 1 0.0.0.0 Vlan20
192.168.100.0/24 O_INTRA 10 1 0.0.0.0 Vlan100
[S2]int vlan 10
[S2-Vlan-interface10]ospf cost 5
[S2]int vlan 20
[S2-Vlan-interface20]ospf cost 10
[S2]dis ip routing-table protocol ospf
Summary count : 9
OSPF Routing table status : <Active>
Summary count : 4
Destination/Mask Proto Pre Cost NextHop Interface
9.9.9.3/32 O_INTRA 10 1 192.168.100.2 Vlan100
10.0.0.4/30 O_INTRA 10 2 10.0.0.2 GE1/0/4
192.168.100.2 Vlan100
10.10.10.1/32 O_INTRA 10 1 10.0.0.2 GE1/0/4
OSPF Routing table status : <Inactive>
Summary count : 5
Destination/Mask Proto Pre Cost NextHop Interface
9.9.9.2/32 O_INTRA 10 0 0.0.0.0 Loop0
10.0.0.0/30 O_INTRA 10 1 0.0.0.0 GE1/0/4
192.168.10.0/24 O_INTRA 10 5 0.0.0.0 Vlan10
192.168.20.0/24 O_INTRA 10 10 0.0.0.0 Vlan20
192.168.100.0/24 O_INTRA 10 1 0.0.0.0 Vlan100
[S3-Vlan-interface10]ospf cost 10
[S3-Vlan-interface20]ospf cost 5
After configuring, tracert kept showing asterisks; according to the manual two commands are needed.
[S2]ip ttl-expires enable  enables sending of ICMP time-exceeded messages on intermediate devices
[S2]ip unreachables enable  enables sending of ICMP destination-unreachable messages on the destination device
[S2]tracert -a 192.168.10.253 20.1.1.2
traceroute to 20.1.1.2 (20.1.1.2) from 192.168.10.253, 30 hops at most, 40 bytes each packet, press CTRL_C to break
1 10.0.0.2 (10.0.0.2) 1.000 ms 0.000 ms 0.000 ms
2 20.1.1.2 (20.1.1.2) 1.000 ms 0.000 ms 0.000 ms
7. Device and network management deployment
Enable Telnet on headquarters router R1, using local authentication for all Telnet users. Create a local user whose username and password are admin, with the highest privilege and a plaintext password; only allow Telnet logins to the device through its loopback interface. The ACL number is 3000.
[R1]telnet server enable  enable the Telnet server
[R1]user-interface vty 0 4  configure the VTY lines for 5 simultaneous users
[R1-line-vty0-4]authentication-mode scheme  the VTY lines use AAA local authentication
[R1-line-vty0-4]user-role level-15  user level 15 is the highest, with full privileges
[R1-line-vty0-4]user-role network-admin  equivalent to level-15; configuring one of the two is enough
[R1-line-vty0-4]protocol inbound telnet  the supported protocol is telnet
[R1]local-user admin class manage  create a user; manage is a management account, while network is an access account and cannot be given this service type
[R1-luser-manage-admin]password simple passwrod123  set the plaintext password; it must be longer than 10 characters and must not contain the username, so the exercise's requirement seems to have a problem
[R1-luser-manage-admin]service-type telnet  service type telnet
[R1]acl number 3000
[R1-acl-ipv4-adv-3000]rule 5 permit ip source any destination 10.10.10.1 0  only allow Telnet to the loopback address
[R1]telnet server acl 3000  reference ACL 3000
Telnet logins must then be verified.
8. Reflections
I am a university student who advanced to the national finals (student group) through the 2023 provincial competition. I am sharing the practice exercises from before the competition; I consulted a lot of material along the way and there may still be errors, which I hope readers will point out.