[Untitled]

1.

Device  Interface        IP address        Subnet mask       Default gateway
R1      GE 0/0/0         10.0.12.1/24      255.255.255.0     N/A
        GE 0/0/1         10.0.13.1/24      255.255.255.0     N/A
        GE 0/0/2         10.1.1.1/24       255.255.255.0     N/A
        GE 0/0/3         10.0.10.1/24      255.255.255.0     N/A
        LoopBack 0       1.1.1.1/32        255.255.255.255   N/A
R2      GE 0/0/0         10.0.12.2/24      255.255.255.0     N/A
        GE 0/0/1         10.0.24.2/24      255.255.255.0     N/A
        GE 0/0/2         10.2.2.2/24       255.255.255.0     N/A
        GE 0/0/3         10.0.20.2/24      255.255.255.0     N/A
        LoopBack 0       2.2.2.2/32        255.255.255.255   N/A
R3      GE 0/0/1         10.0.13.3/24      255.255.255.0     N/A
        GE 0/0/2         10.0.34.3/24      255.255.255.0     N/A
        GE 0/0/3         10.0.35.3/24      255.255.255.0     N/A
        LoopBack 0       3.3.3.3/32        255.255.255.255   N/A
R4      GE 0/0/1         10.0.24.4/24      255.255.255.0     N/A
        GE 0/0/2         10.0.34.4/24      255.255.255.0     N/A
        GE 0/0/3         10.0.45.4/24      255.255.255.0     N/A
        LoopBack 0       4.4.4.4/32        255.255.255.255   N/A
R5      GE 0/0/1         10.0.35.5/24      255.255.255.0     N/A
        GE 0/0/2         10.0.45.5/24      255.255.255.0     N/A
        LoopBack 0       5.5.5.5/32        255.255.255.255   N/A
        LoopBack 1       55.55.55.55/32    255.255.255.255   N/A
S2      Vlanif 71        10.0.10.254/24    255.255.255.0     N/A
        Vlanif 72        10.2.2.254/24     255.255.255.0     N/A
        LoopBack 0       8.8.8.8/32        255.255.255.255   N/A
S3      Vlanif 81        10.0.20.254/24    255.255.255.0     N/A
        Vlanif 82        10.1.1.254/24     255.255.255.0     N/A
        LoopBack 0       9.9.9.9/32        255.255.255.255   N/A
PC1     Ethernet 0/0/1   192.168.1.1/24    255.255.255.0     192.168.1.254/24
PC2     Ethernet 0/0/1   192.168.1.2/24    255.255.255.0     192.168.1.254/24

2. Create the VLANs

[S1]vlan batch 2 3 4 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.

[S2]vlan batch 2 3 4 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.

[S3]vlan batch 2 3 4 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.

3. Configure the interface mode and allow VLANs 2, 3, 10, 20 and 30

[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type trunk
[S1-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 10 20 30
[S1-GigabitEthernet0/0/1]quit
[S1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]port link-type trunk
[S1-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 3 10 20 30
[S1-GigabitEthernet0/0/2]quit

[S2]interface GigabitEthernet 0/0/1
[S2-GigabitEthernet0/0/1]port link-type trunk
[S2-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 10 20 30
[S2-GigabitEthernet0/0/1]quit
[S2]interface GigabitEthernet 0/0/4
[S2-GigabitEthernet0/0/4]port link-type trunk
[S2-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 3 10 20 30
[S2-GigabitEthernet0/0/4]quit

[S3]interface GigabitEthernet 0/0/1
[S3-GigabitEthernet0/0/1]port link-type trunk
[S3-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 10 20 30
[S3-GigabitEthernet0/0/1]quit
[S3]interface GigabitEthernet 0/0/4
[S3-GigabitEthernet0/0/4]port link-type trunk
[S3-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 3 10 20 30
[S3-GigabitEthernet0/0/4]quit

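4. On S1, configure the VLAN 4 IP address as the gateway for the terminals, then divide VLAN 4 into two sub-VLANs and add the interfaces to the VLANs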

[S1]vlan 4
[S1-vlan4]aggregate-vlan
[S1-vlan4]access-vlan 2 to 3
[S1-vlan4]quit
[S1]interface Vlanif 4
[S1-Vlanif4]ip address 192.168.1.254 24
[S1-Vlanif4]arp-proxy inter-sub-vlan-proxy enable 
[S1-Vlanif4]quit
[S1]interface Ethernet0/0/1
[S1-Ethernet0/0/1]port link-type access
[S1-Ethernet0/0/1]port default vlan 2
[S1-Ethernet0/0/1]quit
[S1]interface Ethernet0/0/2
[S1-Ethernet0/0/2]port link-type access
[S1-Ethernet0/0/2]port default vlan 3
[S1-Ethernet0/0/2]quit

5. Configure MSTP

[S1]stp region-configuration
[S1-mst-region]region-name RG
[S1-mst-region]instance 1 vlan 2 3
[S1-mst-region]instance 2 vlan 10 20 30
[S1-mst-region]revision-level 1
[S1-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1-mst-region]quit

[S2]stp mode mstp
[S2]stp region-configuration
[S2-mst-region]region-name RG
[S2-mst-region]instance 1 vlan 2 3
[S2-mst-region]instance 2 vlan 10 20 30
[S2-mst-region]revision-level 1
[S2-mst-region]active region-configuration 
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2-mst-region]quit
[S2]stp instance 1 priority 0
[S2]stp instance 0 priority 0

[S3]stp mode mstp
[S3]stp region-configuration
[S3-mst-region]region-name RG
[S3-mst-region]instance 1 vlan 2 3
[S3-mst-region]instance 2 vlan 10 20 30
[S3-mst-region]revision-level 1
[S3-mst-region]active region-configuration 
Info: This operation may take a few seconds. Please wait for a moment...done.
[S3-mst-region]quit
[S3]stp instance 2 priority 0
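
S1, S2 and S3 only form one MST region if the region name, the revision level and the VLAN-to-instance mapping are identical on all three; each BPDU carries an HMAC-MD5 digest of the mapping so neighbours can compare it. The following is an added example (not part of the original post) that computes that digest as defined in IEEE 802.1Q and shows how one missing VLAN splits the region. The `DRIFTED` configuration is constructed for illustration.

```python
import hashlib
import hmac

# Signature key fixed by IEEE 802.1Q for the MST configuration digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def config_digest(instances):
    """HMAC-MD5 over the 4096-entry VLAN-to-MSTID table (2 bytes per VLAN ID)."""
    table = [0] * 4096  # VID 0 and 4095 stay 0; unmapped VLANs belong to instance 0
    for mstid, vlans in instances.items():
        for vid in vlans:
            table[vid] = mstid
    raw = b"".join(mstid.to_bytes(2, "big") for mstid in table)
    return hmac.new(DIGEST_KEY, raw, hashlib.md5).hexdigest()


def region_id(name, revision, instances):
    """The triple that neighbours compare to decide region membership."""
    return (name, revision, config_digest(instances))


def same_region(*switches):
    """True only if every switch advertises the same name, revision and digest."""
    return len({region_id(**sw) for sw in switches}) == 1


# Region settings from step 5 of this page (identical on S1, S2 and S3).
PAGE = {"name": "RG", "revision": 1, "instances": {1: [2, 3], 2: [10, 20, 30]}}
# Constructed drift: a switch where VLAN 30 was left out of instance 2.
DRIFTED = {"name": "RG", "revision": 1, "instances": {1: [2, 3], 2: [10, 20]}}

if __name__ == "__main__":
    print("digest from step 5:", config_digest(PAGE["instances"]))
    print("S1/S2/S3 in one region:", same_region(PAGE, PAGE, PAGE))
    print("with one drifted switch:", same_region(PAGE, PAGE, DRIFTED))
```
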

6. Enable loop protection on S1 to keep the network stable

[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]stp loop-protection 
[S1-GigabitEthernet0/0/1]quit
[S1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]stp loop-protection 
[S1-GigabitEthernet0/0/2]quit

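7. To speed up spanning-tree convergence, configure Ethernet0/0/1 and Ethernet0/0/2 on S1 as edge ports, and configure the protection function so that illegitimate BPDUs received on these ports cannot affect the spanning-tree calculation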

[S1]stp bpdu-protection
[S1]interface Ethernet0/0/1
[S1-Ethernet0/0/1]stp edged-port enable 
[S1-Ethernet0/0/1]quit
[S1]interface Ethernet0/0/2
[S1-Ethernet0/0/2]stp edged-port enable
[S1-Ethernet0/0/2]quit

8. Configure the IS-IS routing protocol

[R1]isis 1
[R1-isis-1]network-entity 10.0000.0000.0000.3000.00
[R1-isis-1]quit
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]isis enable
[R1-GigabitEthernet0/0/0]quit
[R1]interface GigabitEthernet0/0/2
[R1-GigabitEthernet0/0/2]isis enable 
[R1-GigabitEthernet0/0/2]quit
[R1]interface GigabitEthernet0/0/3
[R1-GigabitEthernet0/0/3]isis enable 
[R1-GigabitEthernet0/0/3]quit
[R1]interface LoopBack 0
[R1-LoopBack0]isis enable 
[R1-LoopBack0]quit

[R2]isis 1
[R2-isis-1]network-entity 10.0000.0000.0000.4000.00
[R2-isis-1]quit
[R2]interface GigabitEthernet0/0/0
[R2-GigabitEthernet0/0/0]isis enable 
[R2-GigabitEthernet0/0/0]quit
[R2]interface GigabitEthernet0/0/2
[R2-GigabitEthernet0/0/2]isis enable 
[R2-GigabitEthernet0/0/2]quit
[R2]interface GigabitEthernet0/0/3
[R2-GigabitEthernet0/0/3]isis enable 
[R2-GigabitEthernet0/0/3]quit
[R2]interface LoopBack 0
[R2-LoopBack0]isis enable 
[R2-LoopBack0]quit

[S2]isis 1
[S2-isis-1]network-entity 10.0000.0000.0000.1000.00
[S2-isis-1]quit
[S2]interface Vlanif 71
[S2-Vlanif71]isis enable 
[S2-Vlanif71]quit
[S2]interface Vlanif 72
[S2-Vlanif72]isis enable 
[S2-Vlanif72]quit
[S2]interface LoopBack 0
[S2-LoopBack0]isis enable 
[S2-LoopBack0]quit

[S3]isis 1
[S3-isis-1]network-entity 10.0000.0000.0000.2000.00
[S3-isis-1]quit
[S3]interface Vlanif 81
[S3-Vlanif81]isis enable 
[S3-Vlanif81]quit
[S3]interface Vlanif 82
[S3-Vlanif82]isis enable 
[S3-Vlanif82]quit
[S3]interface LoopBack 0
[S3-LoopBack0]isis enable 
[S3-LoopBack0]quit

9. Import the user subnets of the VLAN 10, 20 and 30 interfaces on S2 and S3 into IS-IS, and summarize the routes to reduce the number of route entries

[S2]interface Vlanif 10
[S2-Vlanif10]ip address 192.168.1.10 24
[S2-Vlanif10]quit
[S2]interface Vlanif 20
[S2-Vlanif20]ip address 192.168.2.20 24
[S2-Vlanif20]quit
[S2]interface Vlanif 30
[S2-Vlanif30]ip address 192.168.3.30 24
[S2-Vlanif30]quit

[S3]interface Vlanif 10
[S3-Vlanif10]ip address 172.16.1.10 24
[S3-Vlanif10]quit
[S3]interface Vlanif 20
[S3-Vlanif20]ip address 172.16.2.20 24
[S3-Vlanif20]quit
[S3]interface Vlanif 30
[S3-Vlanif30]ip address 172.16.3.30 24
[S3-Vlanif30]quit

[S2]isis 1
[S2-isis-1]import-route direct
[S2-isis-1]summary 192.168.0.0 255.255.224.0
[S2-isis-1]quit

[S3]isis 1
[S3-isis-1]import-route direct
[S3-isis-1]summary 172.16.0.0 255.255.224.0
[S3-isis-1]quit
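
A summary route advertises every address inside its mask, whether or not a Vlanif actually owns it, so it is worth checking how much wider than the real user subnets the configured summary is. The following added example (not part of the original post) takes the Vlanif addresses and `summary` commands from step 9 and reports coverage, the tightest possible summary and the amount of advertised but unassigned address space.

```python
import ipaddress


def tightest_summary(nets):
    """Smallest single prefix that contains every network in nets."""
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    prefixlen = 32 - (lo ^ hi).bit_length()
    return ipaddress.ip_network((lo, prefixlen), strict=False)


def audit_summary(summary, mask, interface_addrs):
    """Compare a configured summary with the subnets it is meant to cover."""
    configured = ipaddress.ip_network(f"{summary}/{mask}")
    nets = {ipaddress.ip_interface(a).network for a in interface_addrs}
    covered = {n for n in nets if n.subnet_of(configured)}
    return {
        "configured": str(configured),
        "uncovered": sorted(str(n) for n in nets - covered),
        "tightest": str(tightest_summary(nets)),
        # Addresses the summary attracts traffic for although no Vlanif owns them.
        "unassigned_addresses": configured.num_addresses
        - sum(n.num_addresses for n in covered),
    }


# Vlanif 10/20/30 addresses and summary commands from step 9 of this page.
S2_VLANIFS = ["192.168.1.10/24", "192.168.2.20/24", "192.168.3.30/24"]
S3_VLANIFS = ["172.16.1.10/24", "172.16.2.20/24", "172.16.3.30/24"]

if __name__ == "__main__":
    print("S2:", audit_summary("192.168.0.0", "255.255.224.0", S2_VLANIFS))
    print("S3:", audit_summary("172.16.0.0", "255.255.224.0", S3_VLANIFS))
```
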

10. To optimize the network by reducing the number of LSPs, change the network type of all IS-IS interfaces to P2P

[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]isis circuit-type p2p 
[R1-GigabitEthernet0/0/0]quit
[R1]interface GigabitEthernet0/0/2
[R1-GigabitEthernet0/0/2]isis circuit-type p2p
[R1-GigabitEthernet0/0/2]quit
[R1]interface GigabitEthernet0/0/3
[R1-GigabitEthernet0/0/3]isis circuit-type p2p
[R1-GigabitEthernet0/0/3]quit

[R2]interface GigabitEthernet0/0/0
[R2-GigabitEthernet0/0/0]isis circuit-type p2p 
[R2-GigabitEthernet0/0/0]quit
[R2]interface GigabitEthernet0/0/2
[R2-GigabitEthernet0/0/2]isis circuit-type p2p
[R2-GigabitEthernet0/0/2]quit
[R2]interface GigabitEthernet0/0/3
[R2-GigabitEthernet0/0/3]isis circuit-type p2p
[R2-GigabitEthernet0/0/3]quit

[S2]interface Vlanif 71
[S2-Vlanif71]isis circuit-type p2p 
[S2-Vlanif71]quit
[S2]interface Vlanif 72
[S2-Vlanif72]isis circuit-type p2p
[S2-Vlanif72]quit

[S3]interface Vlanif 81
[S3-Vlanif81]isis circuit-type p2p 
[S3-Vlanif81]quit
[S3]interface Vlanif 82
[S3-Vlanif82]isis circuit-type p2p
[S3-Vlanif82]quit

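11. Because S2 and S3 do not run BGP, IS-IS on routers R1 and R2 must be configured to advertise a default route so that S2 and S3 can reach the external network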

[R1]isis 1
[R1-isis-1]default-route-advertise
[R1-isis-1]quit

[R2]isis 1
[R2-isis-1]default-route-advertise
[R2-isis-1]quit

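12. To improve network security, R1, R2, S2 and S3 must authenticate each other before they can exchange IS-IS routing information; configure MD5 authentication with the key "bdqn.123"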

[R1]isis 1
[R1-isis-1]area-authentication-mode md5 bdqn.123
[R1-isis-1]quit

[R2]isis 1
[R2-isis-1]area-authentication-mode md5 bdqn.123
[R2-isis-1]quit

[S2]isis 1
[S2-isis-1]area-authentication-mode md5 bdqn.123
[S2-isis-1]quit

[S3]isis 1
[S3-isis-1]area-authentication-mode md5 bdqn.123
[S3-isis-1]quit
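
On Huawei VRP, `area-authentication-mode` authenticates Level-1 LSPs and SNPs only; Level-2 LSPs and SNPs are covered by `domain-authentication-mode`, and Hello packets by `isis authentication-mode` in the interface view. The following added example (not part of the original post) reads a pasted CLI session and reports which of those three are covered per device. The sample session is R1's IS-IS commands from steps 8 and 12 collected into one string.

```python
import re

PROMPT = re.compile(r"\[(\w+)(?:-([^\]]+))?\](.*)")


def isis_auth_coverage(session):
    """Per device: which IS-IS PDU classes a pasted VRP session authenticates."""
    report = {}
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        device, view, cmd = m.group(1), m.group(2) or "", m.group(3).strip()
        dev = report.setdefault(device, {"level1_lsp": False, "level2_lsp": False,
                                         "isis_ifaces": set(), "hello_auth": set()})
        if cmd.startswith("area-authentication-mode"):
            dev["level1_lsp"] = True        # Level-1 LSPs and SNPs
        elif cmd.startswith("domain-authentication-mode"):
            dev["level2_lsp"] = True        # Level-2 LSPs and SNPs
        elif cmd.startswith("isis authentication-mode"):
            dev["hello_auth"].add(view)     # Hello PDUs on this interface
        elif cmd == "isis enable" and not view.startswith("LoopBack"):
            dev["isis_ifaces"].add(view)    # loopbacks form no adjacency
    return {name: {"level1_lsp": d["level1_lsp"], "level2_lsp": d["level2_lsp"],
                   "hello_unauthenticated": sorted(d["isis_ifaces"] - d["hello_auth"])}
            for name, d in report.items()}


# R1's IS-IS commands from steps 8 and 12 of this page, collected into one session.
R1_SESSION = """\
[R1]isis 1
[R1-isis-1]network-entity 10.0000.0000.0000.3000.00
[R1-isis-1]area-authentication-mode md5 bdqn.123
[R1-isis-1]quit
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]isis enable
[R1]interface GigabitEthernet0/0/2
[R1-GigabitEthernet0/0/2]isis enable
[R1]interface GigabitEthernet0/0/3
[R1-GigabitEthernet0/0/3]isis enable
[R1]interface LoopBack 0
[R1-LoopBack0]isis enable
"""

if __name__ == "__main__":
    print(isis_auth_coverage(R1_SESSION))
```
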

13. Configure OSPF at the company branch

[R3]ospf 1 router-id 3.3.3.3
[R3-ospf-1]area 0	
[R3-ospf-1-area-0.0.0.0]network 10.0.34.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]network 10.0.35.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]quit
[R3-ospf-1]

[R4]ospf 1 router-id 4.4.4.4
[R4-ospf-1]area 0
[R4-ospf-1-area-0.0.0.0]network 10.0.34.0 0.0.0.255
[R4-ospf-1-area-0.0.0.0]network 10.0.45.0 0.0.0.255
[R4-ospf-1-area-0.0.0.0]network 4.4.4.4 0.0.0.0
[R4-ospf-1-area-0.0.0.0]quit
[R4-ospf-1]

[R5]ospf 1 router-id 5.5.5.5
[R5-ospf-1]area 0
[R5-ospf-1-area-0.0.0.0]network 10.0.35.0 0.0.0.255
[R5-ospf-1-area-0.0.0.0]network 10.0.45.0 0.0.0.255
[R5-ospf-1-area-0.0.0.0]network 5.5.5.5 0.0.0.0
[R5-ospf-1-area-0.0.0.0]network 55.55.55.55 0.0.0.0
[R5-ospf-1-area-0.0.0.0]quit
[R5-ospf-1]

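14. Configure BGP on the routers: R1 and R3, and R2 and R4, establish EBGP peer relationships over physical interfaces; R1 and R2, and R3, R4 and R5, establish IBGP peer relationships over Loopback interfaces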

[R1]router id 1.1.1.1
[R1]bgp 100
[R1-bgp]peer 2.2.2.2 as-number 100
[R1-bgp]peer 2.2.2.2 connect-interface LoopBack 0
[R1-bgp]peer 10.0.13.3 as-number 200
[R1-bgp]quit

[R2]router id 2.2.2.2
[R2]bgp 100
[R2-bgp]peer 1.1.1.1 as-number 100
[R2-bgp]peer 1.1.1.1 connect-interface LoopBack 0
[R2-bgp]peer 10.0.24.4 as-number 200
[R2-bgp]quit

[R3]bgp 200
[R3-bgp]peer 4.4.4.4 as-number 200
[R3-bgp]peer 4.4.4.4 connect-interface LoopBack 0
[R3-bgp]peer 5.5.5.5 as-number 200
[R3-bgp]peer 5.5.5.5 connect-interface LoopBack 0	
[R3-bgp]peer 10.0.13.1 as-number 100
[R3-bgp]quit

[R4]bgp 200
[R4-bgp]peer 3.3.3.3 as-number 200
[R4-bgp]peer 3.3.3.3 connect-interface LoopBack 0
[R4-bgp]peer 5.5.5.5 as-number 200
[R4-bgp]peer 5.5.5.5 connect-interface LoopBack 0
[R4-bgp]peer 10.0.24.2 as-number 100
[R4-bgp]quit

[R5]bgp 200
[R5-bgp]peer 3.3.3.3 as-number 200
[R5-bgp]peer 3.3.3.3 connect-interface LoopBack 0
[R5-bgp]peer 4.4.4.4 as-number 200
[R5-bgp]peer 4.4.4.4 connect-interface LoopBack 0
[R5-bgp]quit

15. To advertise the headquarters routing information to the branch, import the IS-IS routes into the BGP process on both R1 and R2

[R1]bgp 100
[R1-bgp]import-route isis 1
[R1-bgp]quit

[R2]bgp 100
[R2-bgp]import-route isis 1
[R2-bgp]quit

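16. R5's routing table shows that the routes towards R1 and R2 are invalid, because from R5's point of view the next hops, R1 and R2, are unreachable. The fix is to import direct routes on R3 and R4 so that R5 knows how to reach R1 and R2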

[R3]bgp 200
[R3-bgp]import-route direct 
[R3-bgp]quit

[R4]bgp 200
[R4-bgp]import-route direct 
[R4-bgp]quit

17. So that headquarters learns the branch routes, import the OSPF routes into the BGP process on R3 and R4

[R3]bgp 200
[R3-bgp]import-route ospf 1
[R3-bgp]quit

[R4]bgp 200
[R4-bgp]import-route ospf 1
[R4-bgp]quit

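18. To avoid having to establish too many IBGP peer relationships when the branch expands later, R3 is configured as a BGP route reflector, so that newly added routers are simply configured as clients of route reflector R3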

[R3]bgp 200
[R3-bgp]peer 5.5.5.5 reflect-client
[R3-bgp]peer 4.4.4.4 reflect-client 
[R3-bgp]quit

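19. Policy configuration

To prevent suboptimal paths and loops, configure a Route-Policy on R1 and R2, so that R1 and R2 apply the Route-Policy as a condition when they advertise the default route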

[R1]acl 2001
[R1-acl-basic-2001]rule permit source 10.0.13.0 0
[R1-acl-basic-2001]quit
[R1]route-policy isis permit node 10
Info: New Sequence of this List.
[R1-route-policy]if-match acl 2001
[R1-route-policy]isis 1
[R1-isis-1]default-route-advertise route-policy isis 
[R1-isis-1]quit

[R2]acl 2001
[R2-acl-basic-2001]rule permit source 10.0.24.0 0
[R2-acl-basic-2001]quit
[R2]route-policy isis permit node 10
Info: New Sequence of this List.
[R2-route-policy]if-match acl 2001
[R2-route-policy]isis 1
[R2-isis-1]default-route-advertise route-policy isis 
[R2-isis-1]quit

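20. To load-share R5's traffic towards headquarters, modify the BGP Local-Preference attribute on R5 so that R5 reaches the headquarters user subnets attached to S2 through R3, and the headquarters user subnets attached to S3 through R4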

[R5]acl 2001
[R5-acl-basic-2001]rule permit source 172.16.0.0 0.0.31.255
[R5-acl-basic-2001]quit
[R5]route-policy fuzai permit node 10
Info: New Sequence of this List.
[R5-route-policy]if-match acl 2001
[R5-route-policy]apply local-preference 200
[R5-route-policy]quit
[R5]route-policy fuzai permit node 20
Info: New Sequence of this List.
[R5-route-policy]bgp 200
[R5-bgp]peer 4.4.4.4 route-policy fuzai import 
[R5-bgp]quit

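21. By modifying the community attribute of the BGP routes on R3 and R4, make the R&D department subnet 55.55.55.55 carry the No-Export community attribute when it is advertised to the headquarters routers R1 and R2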

[R3]acl 2002
[R3-acl-basic-2002]rule permit source 55.55.55.55 0
[R3-acl-basic-2002]quit
[R3]route-policy 1 permit node 10
Info: New Sequence of this List.
[R3-route-policy]if-match acl 2002
[R3-route-policy]apply community no-export
[R3-route-policy]quit
[R3]route-policy 1 permit node 20
Info: New Sequence of this List.
[R3-route-policy]bgp 200
[R3-bgp]peer 10.0.13.1 route-policy 1 export 
[R3-bgp]peer 10.0.13.1 advertise-community 
[R3-bgp]quit

[R4]acl 2002
[R4-acl-basic-2002]rule permit source 55.55.55.55 0
[R4-acl-basic-2002]quit
[R4]route-policy 1 permit node 10
Info: New Sequence of this List.
[R4-route-policy]if-match acl 2002
[R4-route-policy]apply community no-export
[R4-route-policy]quit
[R4]route-policy 1 permit node 20
Info: New Sequence of this List.
[R4-route-policy]bgp 200
[R4-bgp]peer 10.0.24.2 route-policy 1 export 
[R4-bgp]peer 10.0.24.2 advertise-community 
[R4-bgp]quit