1.
Device | Interface | IP address | Subnet mask | Default gateway |
R1 | GE 0/0/0 | 10.0.12.1/24 | 255.255.255.0 | N/A |
R1 | GE 0/0/1 | 10.0.13.1/24 | 255.255.255.0 | N/A |
R1 | GE 0/0/2 | 10.1.1.1/24 | 255.255.255.0 | N/A |
R1 | GE 0/0/3 | 10.0.10.1/24 | 255.255.255.0 | N/A |
R1 | LoopBack 0 | 1.1.1.1/32 | 255.255.255.255 | N/A |
R2 | GE 0/0/0 | 10.0.12.2/24 | 255.255.255.0 | N/A |
R2 | GE 0/0/1 | 10.0.24.2/24 | 255.255.255.0 | N/A |
R2 | GE 0/0/2 | 10.2.2.2/24 | 255.255.255.0 | N/A |
R2 | GE 0/0/3 | 10.0.20.2/24 | 255.255.255.0 | N/A |
R2 | LoopBack 0 | 2.2.2.2/32 | 255.255.255.255 | N/A |
R3 | GE 0/0/1 | 10.0.13.3/24 | 255.255.255.0 | N/A |
R3 | GE 0/0/2 | 10.0.34.3/24 | 255.255.255.0 | N/A |
R3 | GE 0/0/3 | 10.0.35.3/24 | 255.255.255.0 | N/A |
R3 | LoopBack 0 | 3.3.3.3/32 | 255.255.255.255 | N/A |
R4 | GE 0/0/1 | 10.0.24.4/24 | 255.255.255.0 | N/A |
R4 | GE 0/0/2 | 10.0.34.4/24 | 255.255.255.0 | N/A |
R4 | GE 0/0/3 | 10.0.45.4/24 | 255.255.255.0 | N/A |
R4 | LoopBack 0 | 4.4.4.4/32 | 255.255.255.255 | N/A |
R5 | GE 0/0/1 | 10.0.35.5/24 | 255.255.255.0 | N/A |
R5 | GE 0/0/2 | 10.0.45.5/24 | 255.255.255.0 | N/A |
R5 | LoopBack 0 | 5.5.5.5/32 | 255.255.255.255 | N/A |
R5 | LoopBack 1 | 55.55.55.55/32 | 255.255.255.255 | N/A |
S2 | Vlanif 71 | 10.0.10.254/24 | 255.255.255.0 | N/A |
S2 | Vlanif 72 | 10.2.2.254/24 | 255.255.255.0 | N/A |
S2 | LoopBack 0 | 8.8.8.8/32 | 255.255.255.255 | N/A |
S3 | Vlanif 81 | 10.0.20.254/24 | 255.255.255.0 | N/A |
S3 | Vlanif 82 | 10.1.1.254/24 | 255.255.255.0 | N/A |
S3 | LoopBack 0 | 9.9.9.9/32 | 255.255.255.255 | N/A |
PC1 | Ethernet 0/0/1 | 192.168.1.1/24 | 255.255.255.0 | 192.168.1.254/24 |
PC2 | Ethernet 0/0/1 | 192.168.1.2/24 | 255.255.255.0 | 192.168.1.254/24 |
2. Create the VLANs
[S1]vlan batch 2 3 4 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2]vlan batch 2 3 4 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
[S3]vlan batch 2 3 4 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
3. Configure the interface link type and allow VLANs 2, 3, 10, 20 and 30
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type trunk
[S1-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 10 20 30
[S1-GigabitEthernet0/0/1]quit
[S1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]port link-type trunk
[S1-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 3 10 20 30
[S1-GigabitEthernet0/0/2]quit
[S2]interface GigabitEthernet 0/0/1
[S2-GigabitEthernet0/0/1]port link-type trunk
[S2-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 10 20 30
[S2-GigabitEthernet0/0/1]quit
[S2]interface GigabitEthernet 0/0/4
[S2-GigabitEthernet0/0/4]port link-type trunk
[S2-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 3 10 20 30
[S2-GigabitEthernet0/0/4]quit
[S3]interface GigabitEthernet 0/0/1
[S3-GigabitEthernet0/0/1]port link-type trunk
[S3-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 10 20 30
[S3-GigabitEthernet0/0/1]quit
[S3]interface GigabitEthernet 0/0/4
[S3-GigabitEthernet0/0/4]port link-type trunk
[S3-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 3 10 20 30
[S3-GigabitEthernet0/0/4]quit
4. On S1, configure an IP address on VLAN 4 as the gateway for the terminals, split VLAN 4 into two sub-VLANs, and add the interfaces to the VLANs
[S1]vlan 4
[S1-vlan4]aggregate-vlan
[S1-vlan4]access-vlan 2 to 3
[S1-vlan4]quit
[S1]interface Vlanif 4
[S1-Vlanif4]ip address 192.168.1.254 24
[S1-Vlanif4]arp-proxy inter-sub-vlan-proxy enable
[S1-Vlanif4]quit
[S1]interface Ethernet0/0/1
[S1-Ethernet0/0/1]port link-type access
[S1-Ethernet0/0/1]port default vlan 2
[S1-Ethernet0/0/1]quit
[S1]interface Ethernet0/0/2
[S1-Ethernet0/0/2]port link-type access
[S1-Ethernet0/0/2]port default vlan 3
[S1-Ethernet0/0/2]quit
5. Configure MSTP
[S1]stp region-configuration
[S1-mst-region]region-name RG
[S1-mst-region]instance 1 vlan 2 3
[S1-mst-region]instance 2 vlan 10 20 30
[S1-mst-region]revision-level 1
[S1-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1-mst-region]quit
[S2]stp mode mstp
[S2]stp region-configuration
[S2-mst-region]region-name RG
[S2-mst-region]instance 1 vlan 2 3
[S2-mst-region]instance 2 vlan 10 20 30
[S2-mst-region]revision-level 1
[S2-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2-mst-region]quit
[S2]stp instance 1 priority 0
[S2]stp instance 0 priority 0
[S3]stp mode mstp
[S3]stp region-configuration
[S3-mst-region]region-name RG
[S3-mst-region]instance 1 vlan 2 3
[S3-mst-region]instance 2 vlan 10 20 30
[S3-mst-region]revision-level 1
[S3-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[S3-mst-region]quit
[S3]stp instance 2 priority 0
6. Enable loop protection on S1 to keep the network stable
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]stp loop-protection
[S1-GigabitEthernet0/0/1]quit
[S1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]stp loop-protection
[S1-GigabitEthernet0/0/2]quit
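7. To speed up spanning-tree convergence, configure Ethernet0/0/1 and Ethernet0/0/2 on S1 as edge ports, and configure protection so that illegitimate BPDUs received on these ports cannot affect the spanning-tree calculation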
[S1]stp bpdu-protection
[S1]interface Ethernet0/0/1
[S1-Ethernet0/0/1]stp edged-port enable
[S1-Ethernet0/0/1]quit
[S1]interface Ethernet0/0/2
[S1-Ethernet0/0/2]stp edged-port enable
[S1-Ethernet0/0/2]quit
8. Configure the IS-IS routing protocol
[R1]isis 1
[R1-isis-1]network-entity 10.0000.0000.0000.3000.00
[R1-isis-1]quit
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]isis enable
[R1-GigabitEthernet0/0/0]quit
[R1]interface GigabitEthernet0/0/2
[R1-GigabitEthernet0/0/2]isis enable
[R1-GigabitEthernet0/0/2]quit
[R1]interface GigabitEthernet0/0/3
[R1-GigabitEthernet0/0/3]isis enable
[R1-GigabitEthernet0/0/3]quit
[R1]interface LoopBack 0
[R1-LoopBack0]isis enable
[R1-LoopBack0]quit
[R2]isis 1
[R2-isis-1]network-entity 10.0000.0000.0000.4000.00
[R2-isis-1]quit
[R2]interface GigabitEthernet0/0/0
[R2-GigabitEthernet0/0/0]isis enable
[R2-GigabitEthernet0/0/0]quit
[R2]interface GigabitEthernet0/0/2
[R2-GigabitEthernet0/0/2]isis enable
[R2-GigabitEthernet0/0/2]quit
[R2]interface GigabitEthernet0/0/3
[R2-GigabitEthernet0/0/3]isis enable
[R2-GigabitEthernet0/0/3]quit
[R2]interface LoopBack 0
[R2-LoopBack0]isis enable
[R2-LoopBack0]quit
[S2]isis 1
[S2-isis-1]network-entity 10.0000.0000.0000.1000.00
[S2-isis-1]quit
[S2]interface Vlanif 71
[S2-Vlanif71]isis enable
[S2-Vlanif71]quit
[S2]interface Vlanif 72
[S2-Vlanif72]isis enable
[S2-Vlanif72]quit
[S2]interface LoopBack 0
[S2-LoopBack0]isis enable
[S2-LoopBack0]quit
[S3]isis 1
[S3-isis-1]network-entity 10.0000.0000.0000.2000.00
[S3-isis-1]quit
[S3]interface Vlanif 81
[S3-Vlanif81]isis enable
[S3-Vlanif81]quit
[S3]interface Vlanif 82
[S3-Vlanif82]isis enable
[S3-Vlanif82]quit
[S3]interface LoopBack 0
[S3-LoopBack0]isis enable
[S3-LoopBack0]quit
9. Import the user subnets of the VLAN 10, 20 and 30 interfaces on S2 and S3 into IS-IS, and summarize the routes to reduce the number of route entries
[S2]interface Vlanif 10
[S2-Vlanif10]ip address 192.168.1.10 24
[S2-Vlanif10]quit
[S2]interface Vlanif 20
[S2-Vlanif20]ip address 192.168.2.20 24
[S2-Vlanif20]quit
[S2]interface Vlanif 30
[S2-Vlanif30]ip address 192.168.3.30 24
[S2-Vlanif30]quit
[S3]interface Vlanif 10
[S3-Vlanif10]ip address 172.16.1.10 24
[S3-Vlanif10]quit
[S3]interface Vlanif 20
[S3-Vlanif20]ip address 172.16.2.20 24
[S3-Vlanif20]quit
[S3]interface Vlanif 30
[S3-Vlanif30]ip address 172.16.3.30 24
[S3-Vlanif30]quit
[S2]isis 1
[S2-isis-1]import-route direct
[S2-isis-1]summary 192.168.0.0 255.255.224.0
[S2-isis-1]quit
[S3]isis 1
[S3-isis-1]import-route direct
[S3-isis-1]summary 172.16.0.0 255.255.224.0
[S3-isis-1]quit
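An added check, not part of the original lab: the script below reads the addresses and summaries entered above, compares each configured /19 summary with the tightest prefix that covers the Vlanif subnets, and lists any subnet configured on more than one device. The `CONFIG` text is constructed from the transcripts on this page, and all function names are illustrative.

```python
import ipaddress
import re

# Constructed from the transcripts above: S1's Vlanif 4 (step 4) and the
# Vlanif addresses and IS-IS summaries entered on S2 and S3 in this step.
CONFIG = """\
[S1-Vlanif4]ip address 192.168.1.254 24
[S2-Vlanif10]ip address 192.168.1.10 24
[S2-Vlanif20]ip address 192.168.2.20 24
[S2-Vlanif30]ip address 192.168.3.30 24
[S3-Vlanif10]ip address 172.16.1.10 24
[S3-Vlanif20]ip address 172.16.2.20 24
[S3-Vlanif30]ip address 172.16.3.30 24
[S2-isis-1]summary 192.168.0.0 255.255.224.0
[S3-isis-1]summary 172.16.0.0 255.255.224.0
"""
LINE = re.compile(r"\[(\w+)-[^\]]+\](ip address|summary) (\S+) (\S+)")

def parse(config):
    """Return (interface networks, summaries) as lists of (device, network)."""
    nets, summaries = [], []
    for dev, kind, addr, mask in LINE.findall(config):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        (nets if kind == "ip address" else summaries).append((dev, net))
    return nets, summaries

def tightest(nets):
    """Smallest single prefix that covers every network in nets."""
    sup = nets[0]
    while not all(n.subnet_of(sup) for n in nets):
        sup = sup.supernet()
    return sup

def audit_summaries(config):
    """Per device: (configured summary, tightest cover, addresses announced but not configured)."""
    nets, summaries = parse(config)
    report = {}
    for dev, summ in summaries:
        own = [n for d, n in nets if d == dev and n.subnet_of(summ)]
        if own:
            unused = summ.num_addresses - sum(n.num_addresses for n in own)
            report[dev] = (summ, tightest(own), unused)
    return report

def duplicate_subnets(config):
    """Subnets configured on more than one device, which a summary can hide."""
    nets, _ = parse(config)
    return sorted({(a, b, str(n)) for a, n in nets for b, m in nets if a < b and n.overlaps(m)})
```

For this lab, `audit_summaries(CONFIG)` shows that each /19 announces 7,424 addresses with no interface behind them (a /22 would cover the three subnets), and `duplicate_subnets(CONFIG)` shows 192.168.1.0/24 configured on both S1 and S2.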
10. To reduce the number of LSPs and optimize the network, change the network type of all IS-IS interfaces to P2P
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]isis circuit-type p2p
[R1-GigabitEthernet0/0/0]quit
[R1]interface GigabitEthernet0/0/2
[R1-GigabitEthernet0/0/2]isis circuit-type p2p
[R1-GigabitEthernet0/0/2]quit
[R1]interface GigabitEthernet0/0/3
[R1-GigabitEthernet0/0/3]isis circuit-type p2p
[R1-GigabitEthernet0/0/3]quit
[R2]interface GigabitEthernet0/0/0
[R2-GigabitEthernet0/0/0]isis circuit-type p2p
[R2-GigabitEthernet0/0/0]quit
[R2]interface GigabitEthernet0/0/2
[R2-GigabitEthernet0/0/2]isis circuit-type p2p
[R2-GigabitEthernet0/0/2]quit
[R2]interface GigabitEthernet0/0/3
[R2-GigabitEthernet0/0/3]isis circuit-type p2p
[R2-GigabitEthernet0/0/3]quit
[S2]interface Vlanif 71
[S2-Vlanif71]isis circuit-type p2p
[S2-Vlanif71]quit
[S2]interface Vlanif 72
[S2-Vlanif72]isis circuit-type p2p
[S2-Vlanif72]quit
[S3]interface Vlanif 81
[S3-Vlanif81]isis circuit-type p2p
[S3-Vlanif81]quit
[S3]interface Vlanif 82
[S3-Vlanif82]isis circuit-type p2p
[S3-Vlanif82]quit
11. Because S2 and S3 do not run BGP, configure IS-IS on routers R1 and R2 to advertise a default route so that S2 and S3 can reach external networks
[R1]isis 1
[R1-isis-1]default-route-advertise
[R1-isis-1]quit
[R2]isis 1
[R2-isis-1]default-route-advertise
[R2-isis-1]quit
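12. To improve network security, R1, R2, S2 and S3 must authenticate each other before they can exchange IS-IS routing information; configure MD5 authentication with the key "bdqn.123"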
[R1]isis 1
[R1-isis-1]area-authentication-mode md5 bdqn.123
[R1-isis-1]quit
[R2]isis 1
[R2-isis-1]area-authentication-mode md5 bdqn.123
[R2-isis-1]quit
[S2]isis 1
[S2-isis-1]area-authentication-mode md5 bdqn.123
[S2-isis-1]quit
[S3]isis 1
[S3-isis-1]area-authentication-mode md5 bdqn.123
[S3-isis-1]quit
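An added illustration, not part of the original lab, of what this authentication puts on the wire, assuming the VRP `md5` mode is the HMAC-MD5 authentication TLV of RFC 5304. The LSP bytes are constructed (system ID taken from R1's NET) and the function names are illustrative.

```python
import hashlib
import hmac
import struct

AUTH_TLV, HMAC_MD5 = 10, 54               # RFC 5304: TLV type 10, authentication type 54
LIFETIME, CHECKSUM, TLV_START = 10, 24, 27  # byte offsets inside an LSP

def build_lsp(lifetime, seq, tlvs):
    """Constructed Level-1 LSP for system ID 0000.0000.3000 with an empty auth TLV."""
    body = bytes([AUTH_TLV, 17, HMAC_MD5]) + bytes(16) + tlvs
    common = bytes([0x83, 27, 1, 0, 18, 1, 0, 0])   # IS-IS common header, PDU type 18
    lsp_id = bytes.fromhex("0000000030000000")      # system ID + pseudonode + fragment
    hdr = struct.pack("!HH8sIHB", TLV_START + len(body), lifetime, lsp_id, seq, 0, 3)
    return bytearray(common + hdr + body)

def find_digest(pdu):
    """Walk the TLVs and return the offset of the 16-byte digest, or None."""
    i = TLV_START
    while i + 2 <= len(pdu):
        if bytes(pdu[i:i + 3]) == bytes([AUTH_TLV, 17, HMAC_MD5]) and i + 19 <= len(pdu):
            return i + 3
        i += 2 + pdu[i + 1]
    return None

def digest(pdu, key, off):
    """HMAC-MD5 over the PDU with digest, checksum and remaining lifetime zeroed."""
    p = bytearray(pdu)
    for start, size in ((LIFETIME, 2), (CHECKSUM, 2), (off, 16)):
        p[start:start + size] = bytes(size)   # lifetime is excluded because it changes as the LSP ages
    return hmac.new(key, bytes(p), hashlib.md5).digest()

def sign(pdu, key):
    off = find_digest(pdu)
    pdu[off:off + 16] = digest(pdu, key, off)
    return pdu

def verify(pdu, key):
    """A receiver with authentication configured drops PDUs that fail this check."""
    off = find_digest(pdu)
    return off is not None and hmac.compare_digest(bytes(pdu[off:off + 16]), digest(pdu, key, off))

KEY = b"bdqn.123"                                                    # key from step 12
TLVS_R1 = bytes.fromhex("010403100000") + bytes([137, 2]) + b"R1"    # area 10.0000, hostname (constructed)
LSP = sign(build_lsp(1200, 1, TLVS_R1), KEY)
```

On VRP, `area-authentication-mode` authenticates Level-1 LSPs and SNPs only; Hello packets and Level-2 PDUs are covered by the interface-level `isis authentication-mode` and by `domain-authentication-mode`.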
13. Configure OSPF at the company branch
[R3]ospf 1 router-id 3.3.3.3
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 10.0.34.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]network 10.0.35.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]quit
[R3-ospf-1]
[R4]ospf 1 router-id 4.4.4.4
[R4-ospf-1]area 0
[R4-ospf-1-area-0.0.0.0]network 10.0.34.0 0.0.0.255
[R4-ospf-1-area-0.0.0.0]network 10.0.45.0 0.0.0.255
[R4-ospf-1-area-0.0.0.0]network 4.4.4.4 0.0.0.0
[R4-ospf-1-area-0.0.0.0]quit
[R4-ospf-1]
[R5]ospf 1 router-id 5.5.5.5
[R5-ospf-1]area 0
[R5-ospf-1-area-0.0.0.0]network 10.0.35.0 0.0.0.255
[R5-ospf-1-area-0.0.0.0]network 10.0.45.0 0.0.0.255
[R5-ospf-1-area-0.0.0.0]network 5.5.5.5 0.0.0.0
[R5-ospf-1-area-0.0.0.0]network 55.55.55.55 0.0.0.0
[R5-ospf-1-area-0.0.0.0]quit
[R5-ospf-1]
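14. Configure BGP on the routers: R1 and R3, and R2 and R4, establish EBGP peer relationships over physical interfaces; R1 and R2, and R3, R4 and R5, establish IBGP peer relationships over Loopback interfaces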
[R1]router id 1.1.1.1
[R1]bgp 100
[R1-bgp]peer 2.2.2.2 as-number 100
[R1-bgp]peer 2.2.2.2 connect-interface LoopBack 0
[R1-bgp]peer 10.0.13.3 as-number 200
[R1-bgp]quit
[R2]router id 2.2.2.2
[R2]bgp 100
[R2-bgp]peer 1.1.1.1 as-number 100
[R2-bgp]peer 1.1.1.1 connect-interface LoopBack 0
[R2-bgp]peer 10.0.24.4 as-number 200
[R2-bgp]quit
[R3]bgp 200
[R3-bgp]peer 4.4.4.4 as-number 200
[R3-bgp]peer 4.4.4.4 connect-interface LoopBack 0
[R3-bgp]peer 5.5.5.5 as-number 200
[R3-bgp]peer 5.5.5.5 connect-interface LoopBack 0
[R3-bgp]peer 10.0.13.1 as-number 100
[R3-bgp]quit
[R4]bgp 200
[R4-bgp]peer 3.3.3.3 as-number 200
[R4-bgp]peer 3.3.3.3 connect-interface LoopBack 0
[R4-bgp]peer 5.5.5.5 as-number 200
[R4-bgp]peer 5.5.5.5 connect-interface LoopBack 0
[R4-bgp]peer 10.0.24.2 as-number 100
[R4-bgp]quit
[R5]bgp 200
[R5-bgp]peer 3.3.3.3 as-number 200
[R5-bgp]peer 3.3.3.3 connect-interface LoopBack 0
[R5-bgp]peer 4.4.4.4 as-number 200
[R5-bgp]peer 4.4.4.4 connect-interface LoopBack 0
[R5-bgp]quit
15. To advertise the headquarters routes to the branch, import the IS-IS routes into the BGP process on both R1 and R2
[R1]bgp 100
[R1-bgp]import-route isis 1
[R1-bgp]quit
[R2]bgp 100
[R2-bgp]import-route isis 1
[R2-bgp]quit
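16. The routing table on R5 shows that the routes toward R1 and R2 are invalid, because from R5's point of view the next hops (R1 and R2) are unreachable. To fix this, import direct routes on R3 and R4 so that R5 knows how to reach R1 and R2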
[R3]bgp 200
[R3-bgp]import-route direct
[R3-bgp]quit
[R4]bgp 200
[R4-bgp]import-route direct
[R4-bgp]quit
17. So that headquarters learns the branch routes, import the OSPF routes into the BGP process on R3 and R4
[R3]bgp 200
[R3-bgp]import-route ospf 1
[R3-bgp]quit
[R4]bgp 200
[R4-bgp]import-route ospf 1
[R4-bgp]quit
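18. To avoid having to establish too many IBGP peer relationships when the branch expands later, configure R3 as a BGP route reflector, so that newly added routers only need to be configured as clients of route reflector R3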
[R3]bgp 200
[R3-bgp]peer 5.5.5.5 reflect-client
[R3-bgp]peer 4.4.4.4 reflect-client
[R3-bgp]quit
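19. Policy configuration
To prevent suboptimal paths and loops, configure a route-policy on R1 and R2, and apply the route-policy as a condition when R1 and R2 advertise the default route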
[R1]acl 2001
[R1-acl-basic-2001]rule permit source 10.0.13.0 0
[R1-acl-basic-2001]quit
[R1]route-policy isis permit node 10
Info: New Sequence of this List.
[R1-route-policy]if-match acl 2001
[R1-route-policy]isis 1
[R1-isis-1]default-route-advertise route-policy isis
[R1-isis-1]quit
[R2]acl 2001
[R2-acl-basic-2001]rule permit source 10.0.24.0 0
[R2-acl-basic-2001]quit
[R2]route-policy isis permit node 10
Info: New Sequence of this List.
[R2-route-policy]if-match acl 2001
[R2-route-policy]isis 1
[R2-isis-1]default-route-advertise route-policy isis
[R2-isis-1]quit
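20. To load-share the traffic from R5 to headquarters, modify the BGP Local_Pref attribute on R5 so that R5 reaches the headquarters user subnets attached to S2 through R3 and the headquarters user subnets attached to S3 through R4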
[R5]acl 2001
[R5-acl-basic-2001]rule permit source 172.16.0.0 0.0.31.255
[R5-acl-basic-2001]quit
[R5]route-policy fuzai permit node 10
Info: New Sequence of this List.
[R5-route-policy]if-match acl 2001
[R5-route-policy]apply local-preference 200
[R5-route-policy]quit
[R5]route-policy fuzai permit node 20
Info: New Sequence of this List.
[R5-route-policy]bgp 200
[R5-bgp]peer 4.4.4.4 route-policy fuzai import
[R5-bgp]quit
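21. Modify the community attribute of BGP routes on R3 and R4 so that the R&D department subnet 55.55.55.55 carries the No-Export community when it is advertised to the headquarters routers R1 and R2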
[R3]acl 2002
[R3-acl-basic-2002]rule permit source 55.55.55.55 0
[R3-acl-basic-2002]quit
[R3]route-policy 1 permit node 10
Info: New Sequence of this List.
[R3-route-policy]if-match acl 2002
[R3-route-policy]apply community no-export
[R3-route-policy]quit
[R3]route-policy 1 permit node 20
Info: New Sequence of this List.
[R3-route-policy]bgp 200
[R3-bgp]peer 10.0.13.1 route-policy 1 export
[R3-bgp]peer 10.0.13.1 advertise-community
[R3-bgp]quit
[R4]acl 2002
[R4-acl-basic-2002]rule permit source 55.55.55.55 0
[R4-acl-basic-2002]quit
[R4]route-policy 1 permit node 10
Info: New Sequence of this List.
[R4-route-policy]if-match acl 2002
[R4-route-policy]apply community no-export
[R4-route-policy]quit
[R4]route-policy 1 permit node 20
Info: New Sequence of this List.
[R4-route-policy]bgp 200
[R4-bgp]peer 10.0.24.2 route-policy 1 export
[R4-bgp]peer 10.0.24.2 advertise-community
[R4-bgp]quit
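An added model, not part of the original lab, of how the route-policies in steps 20 and 21 are evaluated: a basic ACL compares only the route's network address, nodes are tried in order, and a route that matches no node is denied, which is why both policies end with an empty `permit node 20`. The routes passed in are constructed and the function names are illustrative.

```python
import ipaddress

def acl_matches(rules, prefix):
    """Basic ACL as a route filter: compare the route's network address under the wildcard."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for src, wildcard in rules:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if ((addr ^ int(ipaddress.ip_address(src))) & care) == 0:
            return True
    return False   # no rule matched; the mask length of the route is never compared

def run_policy(nodes, route):
    """Permit nodes are tried in order; a route that matches no node is denied (None)."""
    for node in nodes:
        if node["acl"] is None or acl_matches(node["acl"], route["prefix"]):
            return {**route, **node["apply"]}
    return None

# Step 20, R5: route-policy fuzai, applied on import from peer 4.4.4.4.
FUZAI = [
    {"acl": [("172.16.0.0", "0.0.31.255")], "apply": {"local_pref": 200}},  # node 10, acl 2001
    {"acl": None, "apply": {}},                                             # node 20, no if-match
]
# Step 21, R3 and R4: route-policy 1, applied on export to the EBGP peer.
# The wildcard "0" typed in the transcript is written out as 0.0.0.0 here.
POLICY_1 = [
    {"acl": [("55.55.55.55", "0.0.0.0")], "apply": {"community": "no-export"}},  # node 10, acl 2002
    {"acl": None, "apply": {}},                                                  # node 20
]

def route(prefix):
    """Constructed BGP route carrying the default Local_Pref and no community."""
    return {"prefix": prefix, "local_pref": 100, "community": None}

def demo():
    """Results for the two headquarters summaries from step 9 and R5's LoopBack 1."""
    return {
        "s3_summary_via_r4": run_policy(FUZAI, route("172.16.0.0/19")),
        "s2_summary_via_r4": run_policy(FUZAI, route("192.168.0.0/19")),
        "s2_summary_without_node_20": run_policy(FUZAI[:1], route("192.168.0.0/19")),
        "rd_subnet_to_hq": run_policy(POLICY_1, route("55.55.55.55/32")),
    }
```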