Topology
Planning notes
Implement a typical enterprise network as shown in Figure 1. The headquarters (R1, SW1, SW2 and SW3) is the enterprise main campus network, the branch is the enterprise branch network, and the cloud represents an Internet device (8.8.8.8). The reader needs to complete basic network functionality for the headquarters and the branch, provide access to the Internet (8.8.8.8), and use a GRE VPN so that terminals located in the two ASes can communicate across the WAN.
Overall architecture
In the headquarters, R1 is the enterprise gateway: it provides Internet access and the VPN interconnection with R3, and also acts as the core router of the AS. SW1 and SW2 are the headquarters aggregation switches, with the SVI interfaces shown in Figure 1; SW3 is the access switch.
In the branch, R3 is the gateway of the branch network. Because the branch has few staff, it contains only one switch, SW4, which acts as a Layer 2 access switch connecting the terminals and the router.
Switched network
The switched network is the core of a campus network. Implement the Layer 2 network first, then move on to the Layer 3 network and the remaining feature adjustments.
VLAN planning and access ports
Create the corresponding VLANs on the headquarters and branch switches and assign the ports according to the table.
LSW1
<Huawei>sys
[Huawei]sys LSW1
[LSW1]vlan batch 11
[LSW1]inte gi 0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type access
[LSW1-GigabitEthernet0/0/1]port default vlan 11
LSW2
<Huawei>sys
[Huawei]sys LSW2
[LSW2]vlan batch 12
[LSW2]inte gi 0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 12
LSW3
<Huawei>SYS
[Huawei]sys LSW3
[LSW3]vlan batch 8 9 10
[LSW3]inte gi 0/0/10
[LSW3-GigabitEthernet0/0/10]port link-type access
[LSW3-GigabitEthernet0/0/10]port default vlan 8
[LSW3-GigabitEthernet0/0/10]inte gi 0/0/11
[LSW3-GigabitEthernet0/0/11]port link-type access
[LSW3-GigabitEthernet0/0/11]port default vlan 9
[LSW3-GigabitEthernet0/0/11]inte gi 0/0/12
[LSW3-GigabitEthernet0/0/12]port link-type access
[LSW3-GigabitEthernet0/0/12]port default vlan 10
LSW4
<Huawei>SYS
[Huawei]sys LSW4
[LSW4]vlan batch 20 30
[LSW4]inte gi 0/0/1
[LSW4-GigabitEthernet0/0/1]port link-type access
[LSW4-GigabitEthernet0/0/1]port default vlan 20
[LSW4-GigabitEthernet0/0/1]inte gi 0/0/2
[LSW4-GigabitEthernet0/0/2]port link-type access
[LSW4-GigabitEthernet0/0/2]port default vlan 30
Trunk encapsulation
On the inter-switch links inside the headquarters, implement trunk links with the standard (802.1Q) encapsulation. All trunks in the headquarters allow every VLAN except VLAN 1, and the traffic of all VLANs must carry a tag (g0/0/5 and g0/0/6 on SW1 and SW2 are left for now and configured later together with link aggregation).
LSW1
[LSW1]inte gi 0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type trunk
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[LSW1-GigabitEthernet0/0/3]undo port trunk allow-pass vlan 1
LSW2
[LSW2]inte gi 0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type trunk
[LSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[LSW2-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
LSW3
[LSW3]inte gi 0/0/01
[LSW3-GigabitEthernet0/0/1]port link-type trunk
[LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[LSW3-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
[LSW3-GigabitEthernet0/0/1]inte gi 0/0/3
[LSW3-GigabitEthernet0/0/3]port link-type trunk
[LSW3-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[LSW3-GigabitEthernet0/0/3]undo port trunk allow-pass vlan 1
On the branch switch, implement a trunk; for security, allow only the corresponding VLANs to pass.
LSW4
[LSW4]inte gi 0/0/10
[LSW4-GigabitEthernet0/0/10]port link-type trunk
[LSW4-GigabitEthernet0/0/10]port trunk allow-pass vlan 20 30
Spanning tree protocol
Implement 802.1s spanning tree in the headquarters and the branch. SW1 becomes the primary root of the STP for all VLANs (achieved through the priority); SW2 becomes the backup root (not allowed to be achieved by directly modifying the priority).
LSW1
[LSW1]stp mode stp
[LSW1]stp priority 4096
LSW2
[LSW2]stp mode stp
[LSW2]stp root secondary
LSW3
[LSW3]stp mode stp
LSW4
[LSW4]stp mode stp
On the SW4 interfaces that connect to other devices, configure commands so that those interfaces enter the forwarding state quickly. To protect the switched network, on the access switches (SW3 and SW4), shut an interface down as soon as it receives an illegal BPDU.
LSW4
[LSW4]inte gi 0/0/1
[LSW4-GigabitEthernet0/0/1]stp edged-port enable
[LSW4-GigabitEthernet0/0/1]inte gi 0/0/2
[LSW4-GigabitEthernet0/0/2]stp edged-port enable
[LSW4]stp bpdu-protection
Check spanning tree port roles and states
LSW1
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
0 GigabitEthernet0/0/3 DESI FORWARDING NONE
0 Eth-Trunk1 DESI FORWARDING NONE
LSW2
[LSW2]dis stp b
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
0 GigabitEthernet0/0/2 DESI FORWARDING NONE
0 Eth-Trunk1 ROOT FORWARDING NONE
LSW3
[LSW3]dis stp b
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 ALTE DISCARDING NONE
0 GigabitEthernet0/0/3 ROOT FORWARDING NONE
0 GigabitEthernet0/0/10 DESI FORWARDING NONE
0 GigabitEthernet0/0/11 DESI FORWARDING NONE
0 GigabitEthernet0/0/12 DESI FORWARDING NONE
LSW4
[LSW4]dis stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING BPDU
0 GigabitEthernet0/0/2 DESI FORWARDING BPDU
0 GigabitEthernet0/0/10 DESI FORWARDING NONE
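The requirement above names both access switches, yet in the transcripts only LSW4's terminal ports show BPDU in the Protection column. As an added check (Python, not part of the original lab), the script below parses the display stp brief output quoted above and lists the expected edge ports that lack protection; the edge-port sets are assumed from the VLAN assignment section.

```python
# Added example (not part of the original lab): parse "display stp brief"
# output and flag terminal-facing ports that lack BPDU protection.
import re

# Output copied from the LSW3 and LSW4 "display stp brief" transcripts above.
STP_BRIEF = {
    "LSW3": """\
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 ALTE DISCARDING NONE
0 GigabitEthernet0/0/3 ROOT FORWARDING NONE
0 GigabitEthernet0/0/10 DESI FORWARDING NONE
0 GigabitEthernet0/0/11 DESI FORWARDING NONE
0 GigabitEthernet0/0/12 DESI FORWARDING NONE
""",
    "LSW4": """\
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING BPDU
0 GigabitEthernet0/0/2 DESI FORWARDING BPDU
0 GigabitEthernet0/0/10 DESI FORWARDING NONE
""",
}

# Terminal-facing access ports per switch (assumed from the VLAN section).
EDGE_PORTS = {
    "LSW3": {"GigabitEthernet0/0/10", "GigabitEthernet0/0/11", "GigabitEthernet0/0/12"},
    "LSW4": {"GigabitEthernet0/0/1", "GigabitEthernet0/0/2"},
}

# One data row: MSTID, port, role, state, protection. The header does not match.
LINE = re.compile(r"^(\d+)\s+(\S+)\s+(DESI|ROOT|ALTE|BACK|MAST)\s+(\S+)\s+(\S+)$")

def parse_stp_brief(text):
    """Return {port: (role, state, protection)} for one switch's output."""
    ports = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            _, port, role, state, prot = m.groups()
            ports[port] = (role, state, prot)
    return ports

def unprotected_edge_ports(switch):
    """Edge ports present in STP that do not show BPDU protection."""
    ports = parse_stp_brief(STP_BRIEF[switch])
    return sorted(p for p in EDGE_PORTS[switch]
                  if p in ports and ports[p][2] != "BPDU")

def protected_uplinks(switch):
    """The opposite mistake: protection on an uplink would shut it down
    as soon as the legitimate root bridge sends a BPDU."""
    ports = parse_stp_brief(STP_BRIEF[switch])
    return sorted(p for p, (_, _, prot) in ports.items()
                  if p not in EDGE_PORTS[switch] and prot == "BPDU")
```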
Ethernet link aggregation
To guarantee sufficient bandwidth between the aggregation switches, implement manual-mode Ethernet link aggregation between them, using load balancing based on source and destination IP (covered last).
LSW1
[LSW1]inte Eth-Trunk 1
[LSW1-Eth-Trunk1]mode manual load-balance
[LSW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/5 to 0/0/6
[LSW1-Eth-Trunk1]load-balance src-dst-ip
[LSW1-Eth-Trunk1]port link-type trunk
[LSW1-Eth-Trunk1]port trunk allow-pass vlan all
[LSW1-Eth-Trunk1]undo port trunk allow-pass vlan 1
LSW2
[LSW2]inte Eth-Trunk 1
[LSW2-Eth-Trunk1]mode manual load-balance
[LSW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/5 to 0/0/6
[LSW2-Eth-Trunk1]load-balance src-dst-ip
[LSW2-Eth-Trunk1]port link-type trunk
[LSW2-Eth-Trunk1]port trunk allow-pass vlan all
[LSW2-Eth-Trunk1]undo port trunk allow-pass vlan 1
Check the aggregated (virtual) interface status
LSW1
[LSW1]dis interface Eth-Trunk 1
Eth-Trunk1 current state : UP
Line protocol current state : UP
Description:
Switch Port, PVID : 1, Hash arithmetic : According to SIP-XOR-DIP,Maximal BW:
2G, Current BW: 2G, The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 4c1f-ccb7-3b11
Current system time: 2023-10-03 19:16:47-08:00
Input bandwidth utilization : 0%
Output bandwidth utilization : 0%
-----------------------------------------------------
PortName Status Weight
-----------------------------------------------------
GigabitEthernet0/0/5 UP 1
GigabitEthernet0/0/6 UP 1
-----------------------------------------------------
The Number of Ports in Trunk : 2
The Number of UP Ports in Trunk : 2
LSW2
[LSW2]dis interface Eth-Trunk 1
Eth-Trunk1 current state : UP
Line protocol current state : UP
Description:
Switch Port, PVID : 1, Hash arithmetic : According to SIP-XOR-DIP,Maximal BW:
2G, Current BW: 2G, The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 4c1f-cca0-1ef8
Current system time: 2023-10-03 19:17:05-08:00
Input bandwidth utilization : 0%
Output bandwidth utilization : 0%
-----------------------------------------------------
PortName Status Weight
-----------------------------------------------------
GigabitEthernet0/0/5 UP 1
GigabitEthernet0/0/6 UP 1
-----------------------------------------------------
The Number of Ports in Trunk : 2
The Number of UP Ports in Trunk : 2
Transition from Layer 2 to Layer 3
As shown in the figure, configure IP addresses on all switches so that the directly connected IP addresses between routers, and between routers and switches, can communicate.
PC1 configuration
PC2 configuration
Server1 configuration
PC3 configuration
Client1 configuration
LSW3
[LSW3]vlan batch 99
[LSW3]inte vlan 99
[LSW3-Vlanif99]ip addr 10.1.99.99 24
LSW1
[LSW1]vlan batch 8 9 10
[LSW1]inte vlan 8
[LSW1-Vlanif8]ip addr 10.1.10.14 28
[LSW1-Vlanif8]inte vlan 9
[LSW1-Vlanif9]ip addr 10.1.10.30 28
[LSW1-Vlanif9]inte vlan 10
[LSW1-Vlanif10]ip addr 10.1.10.46 28
[LSW1-Vlanif10]inte vlan 11
[LSW1-Vlanif11]ip addr 10.1.11.2 29
LSW2
[LSW2]vlan batch 8 9 10 99
[LSW2]inte vlan 8
[LSW2-Vlanif8]ip addr 10.1.10.13 28
[LSW2-Vlanif8]inte vlan 9
[LSW2-Vlanif9]ip addr 10.1.10.29 28
[LSW2-Vlanif9]inte vlan 10
[LSW2-Vlanif10]ip addr 10.1.10.45 28
[LSW2-Vlanif10]inte vlan 99
[LSW2-Vlanif99]ip addr 10.1.99.254 24
[LSW2-Vlanif99]inte vlan 12
[LSW2-Vlanif12]ip addr 10.1.12.2 29
AR1
<Huawei>sys
[Huawei]sys AR1
[AR1]inte gi 0/0/1
[AR1-GigabitEthernet0/0/1]ip addr 10.1.11.1 29
[AR1-GigabitEthernet0/0/1]inte gi 0/0/2
[AR1-GigabitEthernet0/0/2]ip addr 10.1.12.1 29
[AR1-GigabitEthernet0/0/2]inte lo 0
[AR1-LoopBack0]ip addr 11.11.11.11 32
[AR1-LoopBack0]inte tunnel 0/0/1
[AR1-Tunnel0/0/1]ip addr 10.1.13.1 30
[AR1-Tunnel0/0/1]inte gi 0/0/0
[AR1-GigabitEthernet0/0/0]ip addr 202.100.1.2 30
[AR1-GigabitEthernet0/0/0]inte se 1/0/0
[AR1-Serial1/0/0]ip addr 12.1.1.2 30
AR2
<Huawei>sys
[Huawei]sys AR2
[AR2]inte se 1/0/0
[AR2-Serial1/0/0]ip addr 12.1.1.1 30
[AR2-Serial1/0/0]inte gi 0/0/0
[AR2-GigabitEthernet0/0/0]ip addr 202.100.1.1 30
[AR2-GigabitEthernet0/0/0]inte lo0
[AR2-LoopBack0]ip addr 8.8.8.8 32
[AR2-LoopBack0]inte lo 1
[AR2-LoopBack1]ip addr 9.9.9.9 32
[AR2-LoopBack1]inte gi 0/0/1
[AR2-GigabitEthernet0/0/1]ip addr 202.100.1.5 30
AR3
[AR3]inte Tunnel 0/0/1
[AR3-Tunnel0/0/1]ip addr 10.1.13.2 30
[AR3-Tunnel0/0/1]inte gi 0/0/0.20
[AR3-GigabitEthernet0/0/0.20]ip addr 10.1.20.1 27
[AR3-GigabitEthernet0/0/0.20]inte gi 0/0/0.30
[AR3-GigabitEthernet0/0/0.30]ip addr 10.1.30.1 27
[AR3-GigabitEthernet0/0/0.30]inte gi 0/0/1
[AR3-GigabitEthernet0/0/1]ip addr 202.100.1.6 30
Routing
Build the branch internal network (configure R3 so that PC3 and Client1 can communicate)
AR3 (configure the subinterfaces; their IP addresses were configured above)
[AR3]inte gi 0/0/0.20
[AR3-GigabitEthernet0/0/0.20]dot1q termination vid 20
[AR3-GigabitEthernet0/0/0.20]arp broadcast enable
[AR3-GigabitEthernet0/0/0.20]inte gi 0/0/0.30
[AR3-GigabitEthernet0/0/0.30]dot1q termination vid 30
[AR3-GigabitEthernet0/0/0.30]arp broadcast enable
Test communication between PC2 and Client1
PC1
PC>ping 10.1.30.30
Ping 10.1.30.30: 32 data bytes, Press Ctrl_C to break
From 10.1.30.30: bytes=32 seq=1 ttl=254 time=62 ms
From 10.1.30.30: bytes=32 seq=2 ttl=254 time=78 ms
--- 10.1.30.30 ping statistics ---
2 packet(s) transmitted
2 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/70/78 ms
Build the headquarters internal network
On AR1, SW1 and SW2 inside the headquarters, implement single-area OSPF (area 0) with process ID 10. Configure the OSPF router IDs of the devices as 0.0.0.1, 0.0.0.2 and 0.0.0.3 respectively. Loopback 0 on R1 (create it yourself, address 11.11.11.11/32) runs in area 0, and all other headquarters interfaces also run in area 0. Enable OSPF on the corresponding interfaces, and have AR1 advertise a default route.
AR1 configuration
[AR1]ospf 10 router-id 0.0.0.1
[AR1-ospf-10]area 0
[AR1-ospf-10]default-route-advertise always
[AR1-ospf-10-area-0.0.0.0]network 11.11.11.11 0.0.0.0
[AR1-ospf-10-area-0.0.0.0]network 10.1.11.1 0.0.0.0
[AR1-ospf-10-area-0.0.0.0]network 10.1.12.1 0.0.0.0
LSW1 configuration
[LSW1]ospf 10 router-id 0.0.0.2
[LSW1-ospf-10]area 0
[LSW1-ospf-10-area-0.0.0.0]network 10.1.10.14 0.0.0.0
[LSW1-ospf-10-area-0.0.0.0]network 10.1.10.30 0.0.0.0
[LSW1-ospf-10-area-0.0.0.0]network 10.1.10.46 0.0.0.0
[LSW1-ospf-10-area-0.0.0.0]network 10.1.11.2 0.0.0.0
LSW2 configuration
[LSW2]ospf 10 router-id 0.0.0.3
[LSW2-ospf-10]area 0
[LSW2-ospf-10-area-0.0.0.0]network 10.1.10.13 0.0.0.0
[LSW2-ospf-10-area-0.0.0.0]network 10.1.10.29 0.0.0.0
[LSW2-ospf-10-area-0.0.0.0]network 10.1.10.45 0.0.0.0
[LSW2-ospf-10-area-0.0.0.0]network 10.1.99.254 0.0.0.0
[LSW2-ospf-10-area-0.0.0.0]network 10.1.12.2 0.0.0.0
Check OSPF neighbor establishment
AR1
[AR1]dis ospf peer brief
OSPF Process 10 with Router ID 0.0.0.1
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/1 0.0.0.2 Full
0.0.0.0 GigabitEthernet0/0/2 0.0.0.3 Full
----------------------------------------------------------------------------
LSW1
[LSW1]dis ospf peer brief
OSPF Process 10 with Router ID 0.0.0.2
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 Vlanif8 0.0.0.3 Full
0.0.0.0 Vlanif9 0.0.0.3 Full
0.0.0.0 Vlanif10 0.0.0.3 Full
0.0.0.0 Vlanif11 0.0.0.1 Full
----------------------------------------------------------------------------
LSW2
[LSW2]dis ospf peer brief
OSPF Process 10 with Router ID 0.0.0.3
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 Vlanif8 0.0.0.2 Full
0.0.0.0 Vlanif9 0.0.0.2 Full
0.0.0.0 Vlanif10 0.0.0.2 Full
0.0.0.0 Vlanif12 0.0.0.1 Full
----------------------------------------------------------------------------
Network edge
Configure two default routes on the headquarters gateway with the ISP addresses as next hops, using the Ethernet link as the primary path. Configure a default route on the branch gateway with the ISP address as next hop. Ensure that R1 and R3 can reach 8.8.8.8 and 9.9.9.9, and that R1 and R3 can reach each other.
AR1 configuration
[AR1]ip route-static 0.0.0.0 0 202.100.1.1 preference 50
[AR1]ip route-static 0.0.0.0 0 12.1.1.1
AR3 configuration
[AR3]ip route-static 0.0.0.0 0 202.100.1.5
Connectivity test (AR1 pings 8.8.8.8 and 9.9.9.9)
[AR1]ping 8.8.8.8
PING 8.8.8.8: 56 data bytes, press CTRL_C to break
Reply from 8.8.8.8: bytes=56 Sequence=1 ttl=255 time=70 ms
Reply from 8.8.8.8: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 8.8.8.8: bytes=56 Sequence=3 ttl=255 time=20 ms
--- 8.8.8.8 ping statistics ---
3 packet(s) transmitted
3 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/36/70 ms
[AR1]ping 9.9.9.9
PING 9.9.9.9: 56 data bytes, press CTRL_C to break
Reply from 9.9.9.9: bytes=56 Sequence=1 ttl=255 time=30 ms
Reply from 9.9.9.9: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 9.9.9.9: bytes=56 Sequence=3 ttl=255 time=20 ms
Reply from 9.9.9.9: bytes=56 Sequence=4 ttl=255 time=20 ms
--- 9.9.9.9 ping statistics ---
4 packet(s) transmitted
4 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/22/30 ms
Connectivity test (AR3 pings 8.8.8.8 and 9.9.9.9)
[AR3]ping 8.8.8.8
PING 8.8.8.8: 56 data bytes, press CTRL_C to break
Reply from 8.8.8.8: bytes=56 Sequence=1 ttl=255 time=20 ms
Reply from 8.8.8.8: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 8.8.8.8: bytes=56 Sequence=3 ttl=255 time=20 ms
--- 8.8.8.8 ping statistics ---
3 packet(s) transmitted
3 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/20/20 ms
[AR3]ping 9.9.9.9
PING 9.9.9.9: 56 data bytes, press CTRL_C to break
Reply from 9.9.9.9: bytes=56 Sequence=1 ttl=255 time=20 ms
Reply from 9.9.9.9: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 9.9.9.9: bytes=56 Sequence=3 ttl=255 time=30 ms
--- 9.9.9.9 ping statistics ---
3 packet(s) transmitted
3 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/23/30 ms
Connectivity test (AR1 and AR3)
<AR1>ping 202.100.1.6
PING 202.100.1.6: 56 data bytes, press CTRL_C to break
Reply from 202.100.1.6: bytes=56 Sequence=1 ttl=254 time=40 ms
Reply from 202.100.1.6: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 202.100.1.6: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 202.100.1.6: bytes=56 Sequence=4 ttl=254 time=30 ms
--- 202.100.1.6 ping statistics ---
4 packet(s) transmitted
4 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/35/40 ms
Communication between headquarters and branch
Implement IP protocol 47 (GRE) between the headquarters and the branch. The two gateway tunnel addresses are 10.1.13.1/30 and 10.1.13.2/30; ensure the two tunnel addresses can communicate. Advertise the tunnel interface so that the headquarters and branch gateways establish an OSPF neighbor relationship, and advertise the company's internal routes.
AR1 configuration
[AR1]inte Tunnel 0/0/01
[AR1-Tunnel0/0/1]tunnel-protocol gre
[AR1-Tunnel0/0/1]source 202.100.1.2
[AR1-Tunnel0/0/1]destination 202.100.1.6
[AR1]ospf 10 router-id 0.0.0.1
[AR1-ospf-10]area 0
[AR1-ospf-10-area-0.0.0.0]network 10.1.13.1 0.0.0.0
AR3 configuration
[AR3]interface Tunnel 0/0/1
[AR3-Tunnel0/0/1]tunnel-protocol gre
[AR3-Tunnel0/0/1]source 202.100.1.6
[AR3-Tunnel0/0/1]destination 202.100.1.2
[AR3]ospf 10 router-id 0.0.0.4
[AR3-ospf-10]area 0
[AR3-ospf-10-area-0.0.0.0]network 10.1.13.2 0.0.0.0
[AR3-ospf-10-area-0.0.0.0]network 10.1.20.1 0.0.0.0
[AR3-ospf-10-area-0.0.0.0]network 10.1.30.1 0.0.0.0
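As an added illustration (Python, not from the original lab), the script below builds and unpacks the IP protocol 47 encapsulation that Tunnel0/0/1 applies: an outer IPv4 header from the tunnel source 202.100.1.2 to the tunnel destination 202.100.1.6, a 4-byte GRE header, and the inner packet. The inner packet is a constructed ICMP echo between the tunnel addresses 10.1.13.1 and 10.1.13.2.

```python
# Added example (not part of the original lab): GRE (IP protocol 47)
# encapsulation and decapsulation as used by the AR1<->AR3 tunnel above.
import socket
import struct

GRE_PROTO = 47           # protocol number in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" for an IPv4 payload

def ip_checksum(data):
    """RFC 1071 one's-complement checksum (used for IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=255):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def gre_encap(inner, tunnel_src, tunnel_dst):
    """Outer IPv4 (proto 47) + GRE header with no flags + inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decap(packet):
    """Validate the outer header, return (outer_src, outer_dst, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:  # C/K/S bits lengthen the header
        raise ValueError("unsupported GRE header")
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[ihl + 4:]

def is_gre(packet):
    """True when gre_decap accepts the packet."""
    try:
        gre_decap(packet)
        return True
    except ValueError:
        return False

def icmp_echo(ident, seq):
    """Constructed ICMP echo request with a valid checksum."""
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"ping-over-gre"
    return msg[:2] + struct.pack("!H", ip_checksum(msg)) + msg[4:]

# Constructed sample: ping between the tunnel addresses, then encapsulated
# exactly as AR1 would send it toward the ISP.
PAYLOAD = icmp_echo(1, 1)
INNER = ipv4_header("10.1.13.1", "10.1.13.2", 1, len(PAYLOAD)) + PAYLOAD
OUTER = gre_encap(INNER, "202.100.1.2", "202.100.1.6")
```

Note that GRE only encapsulates: the inner packet crosses the ISP in cleartext with no integrity protection, so this "VPN" provides reachability between the sites, not confidentiality.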
Check AR1's neighbor table: the neighbor with AR3 is established through the tunnel interface. Check the routing table: the routes from the headquarters to the branch internal networks are present.
[AR1-ospf-10-area-0.0.0.0]dis ospf peer brief
OSPF Process 10 with Router ID 0.0.0.1
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/1 0.0.0.2 Full
0.0.0.0 GigabitEthernet0/0/2 0.0.0.3 Full
0.0.0.0 Tunnel0/0/1 0.0.0.4 Full
----------------------------------------------------------------------------
[AR1]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 28 Routes : 31
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 50 0 RD 202.100.1.1 GigabitEthernet0/0/0
10.1.10.0/28 OSPF 10 2 D 10.1.11.2 GigabitEthernet0/0/1
             OSPF 10 2 D 10.1.12.2 GigabitEthernet0/0/2
10.1.10.16/28 OSPF 10 2 D 10.1.11.2 GigabitEthernet0/0/1
              OSPF 10 2 D 10.1.12.2 GigabitEthernet0/0/2
10.1.10.32/28 OSPF 10 2 D 10.1.11.2 GigabitEthernet0/0/1
              OSPF 10 2 D 10.1.12.2 GigabitEthernet0/0/2
10.1.11.0/29 Direct 0 0 D 10.1.11.1 GigabitEthernet0/0/1
10.1.11.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
10.1.11.7/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
10.1.12.0/29 Direct 0 0 D 10.1.12.1 GigabitEthernet0/0/2
10.1.12.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
10.1.12.7/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
10.1.13.0/30 Direct 0 0 D 10.1.13.1 Tunnel0/0/1
10.1.13.1/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/1
10.1.13.3/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/1
10.1.20.0/27 OSPF 10 1563 D 10.1.13.2 Tunnel0/0/1
10.1.30.0/27 OSPF 10 1563 D 10.1.13.2 Tunnel0/0/1
10.1.99.0/24 OSPF 10 2 D 10.1.12.2 GigabitEthernet0/0/2
11.11.11.11/32 Direct 0 0 D 127.0.0.1 LoopBack0
12.1.1.0/30 Direct 0 0 D 12.1.1.2 Serial1/0/0
12.1.1.1/32 Direct 0 0 D 12.1.1.1 Serial1/0/0
12.1.1.2/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
12.1.1.3/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.100.1.0/30 Direct 0 0 D 202.100.1.2 GigabitEthernet0/0/0
202.100.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
202.100.1.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Internet access and network security
VRRP
As shown in the figure, SW1 answers the gateway ARP requests of the terminals in all VLANs and becomes the VRRP Master for all VLANs; SW2 becomes the VRRP Backup for all VLANs.
LSW1 configuration
[LSW1]inte Vlanif 8
[LSW1-Vlanif8]vrrp vrid 8 virtual-ip 10.1.10.12
[LSW1-Vlanif8]vrrp vrid 8 priority 110
[LSW1-Vlanif8]inte vlan 9
[LSW1-Vlanif9]vrrp vrid 9 virtual-ip 10.1.10.28
[LSW1-Vlanif9]vrrp vrid 9 priority 110
[LSW1-Vlanif9]inte vlan 10
[LSW1-Vlanif10]vrrp vrid 10 virtual-ip 10.1.10.44
[LSW1-Vlanif10]vrrp vrid 10 priority 110
LSW2 configuration
[LSW2]interface Vlanif 8
[LSW2-Vlanif8]vrrp vrid 8 virtual-ip 10.1.10.12
[LSW2-Vlanif8]inte vlan 9
[LSW2-Vlanif9]vrrp vrid 9 virtual-ip 10.1.10.28
[LSW2-Vlanif9]inte vlan 10
[LSW2-Vlanif10]vrrp vrid 10 virtual-ip 10.1.10.44
Check VRRP state
[LSW1]dis vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
8 Master Vlanif8 Normal 10.1.10.12
9 Master Vlanif9 Normal 10.1.10.28
10 Master Vlanif10 Normal 10.1.10.44
----------------------------------------------------------------
Total:3 Master:3 Backup:0 Non-active:0
[LSW2]dis vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
8 Backup Vlanif8 Normal 10.1.10.12
9 Backup Vlanif9 Normal 10.1.10.28
10 Backup Vlanif10 Normal 10.1.10.44
----------------------------------------------------------------
Total:3 Master:0 Backup:3 Non-active:0
Access switch adjustments
Management IP of SW3: VLAN 99 = 10.1.99.99/24; SW2: VLAN 99 = 10.1.99.254/24. They may be remotely managed only through the Telnet protocol, on port 23. SW3 only allows the networks 10.1.0.0/16 and 202.100.1.0/30 to manage it. The management password for SW2 and SW3 is qytang123, and it must not be readable directly from the configuration.
LSW3 configuration
[LSW3]user-interface vty 0 4
[LSW3-ui-vty0-4]authentication-mode password
[LSW3-ui-vty0-4]protocol inbound telnet
[LSW3-ui-vty0-4]user privilege level 15
[LSW3-ui-vty0-4]set authentication password cipher qytang123
[LSW3]inte gi 0/0/3
[LSW3-GigabitEthernet0/0/3]port trunk pvid vlan 99
[LSW3-GigabitEthernet0/0/3]inte gi 0/0/1
[LSW3-GigabitEthernet0/0/1]port trunk pvid vlan 99
[LSW3-GigabitEthernet0/0/1]q
[LSW3]acl 2000
[LSW3-acl-basic-2000]rule permit source 10.1.0.0 0.0.255.255
[LSW3-acl-basic-2000]rule permit source 202.100.1.0 0.0.0.3
[LSW3]port-group 1
[LSW3-port-group-1]group-member gi 0/0/3 gi 0/0/1 gi 0/0/11 gi 0/0/10 gi 0/0/12
[LSW3-port-group-1]traffic-filter inbound acl 2000
[LSW3-port-group-1]q
[LSW3]ip route-static 0.0.0.0 0 10.1.99.254
LSW2 configuration
[LSW2]user-interface vty 0 4
[LSW2-ui-vty0-4]authentication-mode password
[LSW2-ui-vty0-4]protocol inbound telnet
[LSW2-ui-vty0-4]user privilege level 15
[LSW2-ui-vty0-4]set authentication password cipher qytang123
[LSW2]inte e 1
[LSW2-Eth-Trunk1]port trunk pvid vlan 1
[LSW2-Eth-Trunk1]inte gi 0/0/1
[LSW2-GigabitEthernet0/0/1]port trunk pvid vlan 99
LSW1
[LSW1]inte gi 0/0/3
[LSW1-GigabitEthernet0/0/3]port trunk pvid vlan 99
[LSW1-GigabitEthernet0/0/3]inte e 1
[LSW1-Eth-Trunk1]port trunk pvid vlan 99
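To see what ACL 2000 on SW3 actually admits, here is an added Python evaluator (not part of the original lab) that applies Huawei basic-ACL wildcard matching to constructed candidate sources under two defaults: implicit deny, which is what the requirement intends, and default permit, which is what traffic-filter applies on Huawei S-series switches to packets matching no rule (stated here as an assumption about the platform). The 202.100.1.0/30 entry is what admits the ISP-side address that the NAT-mapped telnet session from the Internet arrives from.

```python
# Added example (not part of the original lab): evaluate SW3's basic ACL 2000
# against candidate management sources under two unmatched-packet defaults.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Huawei basic-ACL semantics: wildcard bits set to 1 are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF

def evaluate(rules, source, default="deny"):
    """First matching rule wins; 'default' applies when no rule matches."""
    for action, base, wildcard in rules:
        if wildcard_match(source, base, wildcard):
            return action
    return default

# Exactly the two rules configured above:
#   rule permit source 10.1.0.0 0.0.255.255
#   rule permit source 202.100.1.0 0.0.0.3
ACL_2000 = [
    ("permit", "10.1.0.0", "0.0.255.255"),
    ("permit", "202.100.1.0", "0.0.0.3"),
]

# Constructed candidates: a VLAN-8 host (assumed address), SW2's management
# address, the ISP-side address of AR1's Ethernet uplink, an Internet host,
# and an address just outside the permitted /30.
CANDIDATES = ["10.1.10.5", "10.1.99.254", "202.100.1.1", "8.8.8.8", "202.100.1.5"]

def policy_as_intended():
    """The requirement: sources matching no rule are denied."""
    return {s: evaluate(ACL_2000, s, default="deny") for s in CANDIDATES}

def policy_under_traffic_filter():
    """Assumed platform default for traffic-filter: unmatched packets pass,
    so a permit-only ACL blocks nothing."""
    return {s: evaluate(ACL_2000, s, default="permit") for s in CANDIDATES}

def hardened_rules():
    """Explicit final deny: the outcome no longer depends on the default."""
    return ACL_2000 + [("deny", "0.0.0.0", "255.255.255.255")]
```

Because the ACL contains only permit rules, the port-group filter as configured relies on the platform default; an explicit final rule deny makes the intent unambiguous, and applying the ACL to the VTY lines rather than to the transit ports keeps it from touching traffic that merely passes through SW3.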
NAT for Internet access
Users in the business VLANs 8, 9 and 10 can access the Internet, and Internet devices can remotely manage SW3 through telnet on port 1234.
AR1
[AR1]acl 2001
[AR1-acl-basic-2001]rule permit source 10.1.10.0 0.0.0.15
[AR1-acl-basic-2001]rule permit source 10.1.10.16 0.0.0.15
[AR1-acl-basic-2001]rule permit source 10.1.10.32 0.0.0.15
[AR1-acl-basic-2001]q
[AR1]inte gi 0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 2001
[AR1-GigabitEthernet0/0/0]nat server protocol tcp global current-interface 1234 inside 10.1.99.99 telnet
[AR1-GigabitEthernet0/0/0]inte se 1/0/0
[AR1-Serial1/0/0]nat outbound 2001
[AR1-Serial1/0/0]nat server protocol tcp global current-interface 1234 inside 10.1.99.99 telnet
Final tests
Connectivity between the company headquarters and the branch (PC1 pings PC3)
Communication between the headquarters internal network and the ISP (PC1 pings AR2's Loopback 0)
Port mapping verification at the headquarters (AR2 remotely connects to LSW3)
Shut down the headquarters Ethernet uplink to the ISP and test communication over the PPP link (PC1 pings AR2's Loopback 0)
AR1
[AR1]inte gi 0/0/0
[AR1-GigabitEthernet0/0/0]shutdown
From: https://www.cnblogs.com/Metkey/p/17742023.html