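Key configuration points:
1. The egress is OSPF area 0; the downstream aggregation switches are in areas 1, 2, ... in turn, and every non-backbone area is a totally NSSA area.
2. The core (ABR) summarizes the routes of the non-backbone areas, to keep down the number of route entries on the two egress routers.
3. OSPF silent interfaces are configured on the aggregation switches' VLAN interfaces that face the access switches.
4. The core switch is configured with a blackhole route, so that internal users probing non-existent addresses in the 192 network do not cause the core and the egress routers to keep forwarding packets for that non-existent address in a loop.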
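The effect of the blackhole route in point 4, as an added example that is not part of the original configuration: a longest-prefix-match model of the LSW1 table with and without the static route. The next hops, the sample destinations and the narrower 192.168.0.0/16 variant are assumptions made for illustration.

```python
import ipaddress

# LSW1 (core) forwarding entries implied by the configs on this page.
# Next hops are inferred from the addressing, not copied from a routing table.
CORE_ROUTES = [
    ("192.168.100.0/24", "12.1.1.2"),  # area 1 user VLANs behind sw2
    ("192.168.101.0/24", "12.1.1.2"),
    ("192.168.200.0/24", "13.1.1.3"),  # area 2 user VLANs behind sw3
    ("192.168.201.0/24", "13.1.1.3"),
    ("0.0.0.0/0", "21.1.1.2"),         # default learned from r2 (r3 link has cost 100)
]
BLACKHOLE_PAGE = ("192.0.0.0/8", "NULL0")       # as configured on LSW1
BLACKHOLE_NARROW = ("192.168.0.0/16", "NULL0")  # hypothetical narrower variant

def lookup(routes, dst):
    """Longest-prefix match: return the next hop of the most specific route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def compare(dst):
    """Next hop for dst under three variants of the core table."""
    return {
        "none": lookup(CORE_ROUTES, dst),
        "slash8": lookup(CORE_ROUTES + [BLACKHOLE_PAGE], dst),
        "slash16": lookup(CORE_ROUTES + [BLACKHOLE_NARROW], dst),
    }

# Constructed sample destinations.
SAMPLES = {
    "192.168.100.5": "existing user subnet",
    "192.168.50.1": "non-existent internal subnet",
    "192.1.2.3": "192.x address outside 192.168.0.0/16",
    "203.0.113.10": "non-192 destination",
}

if __name__ == "__main__":
    for dst, note in SAMPLES.items():
        print(f"{dst:15} {note:38} {compare(dst)}")
```

With the /8 as configured, 192.x.x.x destinations outside 192.168.0.0/16 are also discarded at the core, which is worth checking against what internal users need to reach.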
AR1:
dis current-configuration
[V200R003C00]
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load portalpage.zip
drop illegal-mac alarm
set cpu-usage threshold 80 restore 75
interface GigabitEthernet0/0/0
 ip address 10.0.0.100 255.255.255.0
interface GigabitEthernet0/0/1
 ip address 10.1.0.100 255.255.255.0
interface GigabitEthernet0/0/2
interface NULL0
interface LoopBack0
 ip address 100.1.1.1 255.255.255.255
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
wlan ac
return
AR2:
dis current-configuration
[V200R003C00]
sysname r2
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load portalpage.zip
drop illegal-mac alarm
set cpu-usage threshold 80 restore 75
acl number 2000
 rule 5 permit source 192.168.0.0 0.0.255.255
interface GigabitEthernet0/0/0
 ip address 10.0.0.2 255.255.255.0
 nat outbound 2000
interface GigabitEthernet0/0/1
 ip address 21.1.1.2 255.255.255.248
interface GigabitEthernet0/0/2
interface NULL0
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
ospf 1 router-id 2.2.2.2
 default-route-advertise
 area 0.0.0.0
  network 21.1.1.0 0.0.0.7
ip route-static 0.0.0.0 0.0.0.0 10.0.0.100
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
wlan ac
return
AR3:
dis current-configuration
[V200R003C00]
sysname r3
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load portalpage.zip
drop illegal-mac alarm
set cpu-usage threshold 80 restore 75
acl number 2000
 rule 5 permit source 192.168.0.0 0.0.255.255
interface GigabitEthernet0/0/0
 ip address 10.1.0.3 255.255.255.0
 nat outbound 2000
interface GigabitEthernet0/0/1
 ip address 31.1.1.3 255.255.255.248
 ospf cost 100
interface GigabitEthernet0/0/2
interface NULL0
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
ospf 1 router-id 3.3.3.3
 default-route-advertise
 area 0.0.0.0
  network 31.1.1.0 0.0.0.7
ip route-static 0.0.0.0 0.0.0.0 10.1.0.100
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
wlan ac
return
LSW1:
dis current-configuration
sysname hx
undo info-center enable
vlan batch 10 20 50 60
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
diffserv domain default
drop-profile default
interface Vlanif1
interface Vlanif10
 ip address 12.1.1.1 255.255.255.248
interface Vlanif20
 ip address 13.1.1.1 255.255.255.248
interface Vlanif50
 ip address 21.1.1.1 255.255.255.248
interface Vlanif60
 ip address 31.1.1.1 255.255.255.248
 ospf cost 100
interface MEth0/0/1
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10
 mode lacp-static
interface Eth-Trunk2
 port link-type trunk
 port trunk allow-pass vlan 20
 mode lacp-static
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 50
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 60
interface GigabitEthernet0/0/3
 eth-trunk 1
interface GigabitEthernet0/0/4
 eth-trunk 2
interface GigabitEthernet0/0/5
interface GigabitEthernet0/0/6
interface GigabitEthernet0/0/7
 eth-trunk 1
interface GigabitEthernet0/0/8
 eth-trunk 2
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 21.1.1.0 0.0.0.7
  network 31.1.1.0 0.0.0.7
 area 0.0.0.1
  abr-summary 192.168.100.0 255.255.254.0
  network 12.1.1.0 0.0.0.7
  nssa no-summary
 area 0.0.0.2
  abr-summary 192.168.200.0 255.255.254.0
  network 13.1.1.0 0.0.0.7
  nssa no-summary
ip route-static 192.0.0.0 255.0.0.0 NULL0 // blackhole route, protects against attacks
user-interface con 0
user-interface vty 0 4
LSW2:
dis current-configuration
sysname sw2
undo info-center enable
vlan batch 10 100 110
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
dhcp enable
diffserv domain default
drop-profile default
interface Vlanif1
interface Vlanif10
 ip address 12.1.1.2 255.255.255.248
interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
 dhcp select interface
interface Vlanif110
 ip address 192.168.101.1 255.255.255.0
 dhcp select interface
interface MEth0/0/1
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10
 mode lacp-static
interface GigabitEthernet0/0/1
 eth-trunk 1
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 110
interface GigabitEthernet0/0/4
 eth-trunk 1
interface LoopBack0
 ip address 22.22.22.22 255.255.255.255
ospf 1
 silent-interface Vlanif100
 silent-interface Vlanif110
 area 0.0.0.1
  network 12.1.1.0 0.0.0.7
  network 192.168.100.0 0.0.0.255
  network 192.168.101.0 0.0.0.255
  nssa no-summary
user-interface con 0
user-interface vty 0 4
LSW3:
dis current-configuration
sysname sw3
vlan batch 20 200 210
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
dhcp enable
diffserv domain default
drop-profile default
interface Vlanif1
interface Vlanif20
 ip address 13.1.1.3 255.255.255.248
interface Vlanif200
 ip address 192.168.200.1 255.255.255.0
 dhcp select interface
interface Vlanif210
 ip address 192.168.201.1 255.255.255.0
 dhcp select interface
interface MEth0/0/1
interface Eth-Trunk2
 port link-type trunk
 port trunk allow-pass vlan 20
 mode lacp-static
interface GigabitEthernet0/0/1
 eth-trunk 2
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 210
interface GigabitEthernet0/0/4
 eth-trunk 2
interface LoopBack0
 ip address 33.33.33.33 255.255.255.255
ospf 1
 silent-interface Vlanif200
 silent-interface Vlanif210
 area 0.0.0.2
  network 13.1.1.0 0.0.0.7
  network 192.168.200.0 0.0.0.255
  network 192.168.201.0 0.0.0.255
  nssa no-summary
user-interface con 0
user-interface vty 0 4
return
LSW4:
dis current-configuration
sysname Huawei
vlan batch 100
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
diffserv domain default
drop-profile default
interface Vlanif1
interface MEth0/0/1
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 100
return
LSW5:
dis current-configuration
sysname Huawei
vlan batch 110
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
diffserv domain default
drop-profile default
interface Vlanif1
interface MEth0/0/1
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 110
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 110
user-interface con 0
user-interface vty 0 4
return
LSW6:
dis current-configuration
sysname Huawei
vlan batch 200
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
diffserv domain default
drop-profile default
interface Vlanif1
interface MEth0/0/1
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 200
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 200
return
LSW7:
dis current-configuration
sysname Huawei
vlan batch 210
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
diffserv domain default
drop-profile default
interface Vlanif1
interface MEth0/0/1
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 210
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 210
return