H3CIE面试项目

挂了挂了,不找借口了,我是个菜狗

这个是我讲的项目,分享出来仅供参考,暂时懒得整理文章排版,凑合着看吧

项目讲述

网络整体介绍

本次项目由5个区域构成,总部、办事处、Internet、分部、合作伙伴。

各区域存在两个业务,分为A业务、B业务。

总部地址规划(A业务:192.168.100.0/24、B业务:192.168.200.0/24)

办事处地址规划(A业务:192.168.101.0/24、B业务:192.168.201.0/24)

分部地址规划(A业务:192.168.102.0/24、B业务:192.168.202.0/24)

合作伙伴只知晓B业务(172.10.0.0/24)

整个网络只能总部的A业务能与分部、办事处互通,分部与办事处之间A业务不能互通。

总部和办事处只有A业务可以访问互联网,办事处访问互联网从公司总部出去。

合作伙伴只使用B业务访问我公司的B业务。

网络详细介绍

IRF

为了简化配置方便管理,总部的两台核心交换机做了IRF堆叠。

链路上,核心之间使用2组万兆光口和SFP+高速电缆交错相连,加强链路的可靠性。

检测机制上,使用BFD MAD方式检测堆叠分裂。在堆叠分裂的情况下,将从设备所有接口down掉,保障网络的正常通信。

VLAN

在堆叠好的核心交换机上有VLAN10 30 100 200,核心交换机与防火墙和办事处交换机通过三层Vlanif接口进行互联,VLAN10用于核心与防火墙互联,VLAN30用于核心与办事处互联,VLAN100是分部的A业务,VLAN200是分部的B业务

链路聚合 trunk

核心交换机与上行下行设备之间通过配置静态链路聚合来提高链路的总带宽和可靠性

核心交换机到SW4到SW5之间都是是TRUNK链路,只允许VLAN100 200通过

DHCP

总部的A业务是普通用户段,使用DHCP动态获取IP地址。并且在汇聚、接入上开启DHCP SNOOPING,将除了通向DHCP服务器的端口全划到untrust域,防止PC从其他违规接入DHCP服务器中获取到不合法的IP地址

ARP

总部的B业务是敏感用户段,通过手工配置IP地址,并且在核心上将配置静态ARP表项,实现IP地址和MAC地址的固定映射,并且将未使用IP绑定MAC地址0000.0000.0000,防止非法用户私自配置使用

OSPF

总部和办事处之间使用OSPF获取路由,总部在区域0里、分部在区域1里。

防火墙通过配置默认路由访问Internet,并且在OSPF中下发默认路由,使得总部的设备都能够通过默认路由访问外部网络。

办事处使用了低端交换机,接受不了大量路由信息,所以将OSPF区域设置为STUB区域,减少外部路由的注入。

为加快OSPF的收敛,将总部和办事处设备的互联链路全部修改为P2P网络类型。

并且在总部汇聚交换机上配置静默端口,使业务VLAN中不能收到OSPF协议报文。

NAT

在防火墙使用"Easy_ip+ACL"的方式访问外网,ACL只允许总部和办事处各自的A业务通过,并在出方向调用ACL,只让总部和办事处的A业务通过NAT转换能够正常上网

ISIS

Internet区域由运营商维护。使用承载能力强,收敛速度快的ISIS获取路由。

BGP

总部、运营商、合作伙伴分为三个AS,AS之间使用BGP传输路由

运营商内部,通过"ISIS+IBGP"的方式,使用环回口建立BGP邻居

运营商与总部之间、运营商与合作伙伴之间通过"静态路由+EBGP"的方式,使用物理口建立BGP邻居

GRE over IPSEC

在总部与分部之间使用GRE over IPSEC VPN,并且通过感兴趣流匹配,保护各自的A业务可以互通

MPLS

运营商之间使用MPLS生成LSP,便于后续PE设备之间使用BGP传递私网路由

VRF

在运营商PE上将与总部、合作伙伴接口加进相同的VPN实例中。

并且在PE9上,将VPN实例和公共实例中将直连路由相互复制,实现VPN实例和公共实例的路由互通

BGP MPLS VPN

在总部与合作伙伴公司使用BGP/MPLS VPN保证私网业务的正常通信

ACL只允许总部的B业务通过,并使用filter-policy在BGP的出方向进行过滤,只让合作伙伴能收到总部B业务的路由


配置

IRF

Core_SW2

irf domain 100

irf member 1 priority 32

interface range Ten-GigabitEthernet1/0/51 Ten-GigabitEthernet1/0/52

shutdown

irf-port 1/1

port group interface Ten-GigabitEthernet1/0/51

irf-port 1/2

port group interface Ten-GigabitEthernet1/0/52

interface range Ten-GigabitEthernet1/0/51 Ten-GigabitEthernet1/0/52

undo shutdown

irf-port-configuration active

Core_SW3

irf member 1 renumber 2

reboot

irf domain 100

interface range Ten-GigabitEthernet2/0/51 Ten-GigabitEthernet2/0/52

shutdown

irf-port 2/1

port group interface Ten-GigabitEthernet2/0/51

irf-port 2/2

port group interface Ten-GigabitEthernet2/0/52

interface range Ten-GigabitEthernet2/0/51 Ten-GigabitEthernet2/0/52

undo shutdown

save f

irf-port-configuration active


IRF_BDF MAD

Core_SW

vlan 250

interface Vlan-interface250

mad bfd enable

mad ip address 192.168.250.1 24 member 1

mad ip address 192.168.250.2 24 member 2

interface range GigabitEthernet1/0/48 GigabitEthernet2/0/48

port access vlan 250

undo stp enable


VLAN

Core_SW

vlan 10 30 100 200

SW4

vlan 100 200

SW5

vlan 100 200

SW6

vlan 30 40

SW7

VLAN 40

SW8

VLAN 50


链路聚合

Core_SW

interface Bridge-Aggregation10

interface Bridge-Aggregation20

interface Bridge-Aggregation30

interface range GigabitEthernet1/0/1 GigabitEthernet2/0/1

port link-aggregation group 10

interface range GigabitEthernet1/0/2 GigabitEthernet2/0/2

port link-aggregation group 20

interface range GigabitEthernet1/0/3 GigabitEthernet2/0/3

port link-aggregation group 30

FW1

interface Route-Aggregation 10

interface range GigabitEthernet1/0/2 GigabitEthernet1/0/3

port link-aggregation group 10

SW4

interface Bridge-Aggregation20

interface range GigabitEthernet1/0/1 GigabitEthernet1/0/2

port link-aggregation group 20

SW6

interface Bridge-Aggregation30

interface range GigabitEthernet1/0/1 GigabitEthernet1/0/2

port link-aggregation group 30


TRUNK

Core_SW

interface Bridge-Aggregation20

port link-type trunk

port trunk permit vlan 100 200

SW4

interface Bridge-Aggregation20

port link-type trunk

port trunk permit vlan 100 200

interface GigabitEthernet1/0/3

port link-type trunk

port trunk permit vlan 100 200

SW5

interface GigabitEthernet1/0/3

port link-type trunk

port trunk permit vlan 100 200


IP

Core_SW

interface Vlan-interface10

ip address 192.168.10.1 30

interface Vlan-interface30

ip address 192.168.30.1 30

interface Vlan-interface100

ip address 192.168.100.1 255.255.255.0

interface Vlan-interface200

ip address 192.168.200.1 255.255.255.0

interface LoopBack0

ip address 1.0.0.23 255.255.255.255

interface Bridge-Aggregation10

port access vlan 10

interface Bridge-Aggregation30

port access vlan 30

FW1

interface Route-Aggregation10

ip address 192.168.10.2 30

interface GigabitEthernet1/0/0

ip address 10.1.1.1 30

interface LoopBack0

ip address 1.0.0.1 255.255.255.255

SW6

interface Vlan-interface30

ip address 192.168.30.2 30

interface Vlan-interface40

ip address 192.168.40.1 30

interface LoopBack0

ip address 1.0.0.6 255.255.255.255

interface Bridge-Aggregation30

port access vlan 30

interface GigabitEthernet1/0/3

port access vlan 40

SW7

interface Vlan-interface40

ip address 192.168.40.2 30

interface LoopBack0

ip address 1.0.0.7 255.255.255.255

interface LoopBack101

ip address 192.168.101.1 24

interface LoopBack201

ip address 192.168.201.1 24

interface GigabitEthernet1/0/3

port access vlan 40

SW8

interface Vlan-interface30

ip address 192.168.50.2 30

interface LoopBack0

ip address 1.0.0.8 255.255.255.255

interface LoopBack102

ip address 192.168.102.1 24

interface LoopBack202

ip address 192.168.202.1 24

PE9

interface GigabitEthernet0/0/0

ip address 10.1.1.2 30

interface GigabitEthernet0/0/1

ip address 100.1.1.1 30

interface GigabitEthernet0/0/2

ip address 10.1.2.1 30

interface LoopBack0

ip address 1.0.0.9 255.255.255.255

P10

interface GigabitEthernet0/0/1

ip address 100.1.1.2 30

interface GigabitEthernet0/0/2

ip address 100.1.2.1 30

interface LoopBack0

ip address 1.0.0.10 255.255.255.255

PE11

interface GigabitEthernet0/0/0

ip address 10.1.3.1 30

interface GigabitEthernet0/0/2

ip address 100.1.2.2 30

interface LoopBack0

ip address 1.0.0.11 255.255.255.255

R12

interface GigabitEthernet0/0/1

ip address 192.168.50.1 30

interface GigabitEthernet0/0/2

ip address 10.1.2.2 30

interface LoopBack0

ip address 1.0.0.12 255.255.255.255

P13

interface GigabitEthernet0/0/0

ip address 10.1.3.2 30

interface LoopBack0

ip address 1.0.0.13 255.255.255.255

interface LoopBack172

ip address 172.10.0.1 24


FW策略

FW1

security-zone name Trust

import interface GigabitEthernet1/0/0

import interface Route-Aggregation10

security-policy ip

rule 1 name t2l

action pass

source-zone Trust

source-zone local

destination-zone Trust

destination-zone local


DHCP

Core_SW

dhcp enable

dhcp server ip-pool vlan100

gateway-list 192.168.100.1

network 192.168.100.0 mask 255.255.255.0

address range 192.168.100.10 192.168.100.200

dns-list 114.114.114.114

interface Vlan-interface100

dhcp server apply ip-pool vlan100

SW5

interface GigabitEthernet1/0/1

port access vlan 100

interface GigabitEthernet1/0/2

port access vlan 200

DHCP_SNOOPING

SW4

dhcp snooping enable

interface Bridge-Aggregation20

dhcp snooping trust

SW5

dhcp snooping enable

interface GigabitEthernet1/0/3

dhcp snooping trust


OSPF

Core_SW

ospf 1

area 0.0.0.0

network 192.168.10.0 0.0.0.255

network 192.168.30.0 0.0.0.255

network 192.168.100.0 0.0.0.255

network 192.168.200.0 0.0.0.255

FW1

ospf 1

default-route-advertise

area 0.0.0.0

network 192.168.10.0 0.0.0.255

SW6

ospf 1

area 0.0.0.0

network 192.168.30.0 0.0.0.255

ospf 1

area 0.0.0.1

network 192.168.40.0 0.0.0.255

stub

SW7

ospf 1

area 0.0.0.1

network 192.168.40.0 0.0.0.255

stub


分部OSPF

#SW7

ospf 1

area 0.0.0.2

network 192.168.50.0 0.0.0.255

network 192.168.102.0 0.0.0.255

network 192.168.202.0 0.0.0.255

interface Vlan-interface50

ip address 192.168.50.2 255.255.255.252

interface GigabitEthernet1/0/1

port access vlan 50

#R12

ospf 1

default-route-advertise

area 0.0.0.2

network 192.168.50.0 0.0.0.255


GRE over IPsec VPN

FW1

ip route-static 0.0.0.0 0 10.1.1.2

acl advanced 3000

rule 0 permit ip source 1.0.0.1 0 destination 1.0.0.12 0

rule 5 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.102.0 0.0.0.255

ike keychain 1

pre-shared-key address 10.1.2.2 key simple 123

ike profile 1

keychain 1

match remote identity address 10.1.2.2 255.255.255.255

ipsec transform-set 1

esp encryption-algorithm 3des-cbc

esp authentication-algorithm md5

ipsec policy-template tem 1

transform-set 1

ike-profile 1

ipsec policy h3c 1 isakmp template tem

interface GigabitEthernet1/0/0

ipsec apply policy h3c

#######

interface Tunnel0 mode gre

ip address 180.0.0.1 255.255.255.0

source LoopBack0

destination 1.0.0.12

R12

ip route-static 0.0.0.0 0 10.1.2.1

acl advanced 3000

rule 0 permit ip source 1.0.0.12 0 destination 1.0.0.1 0

rule 5 permit ip source 192.168.102.0 0.0.0.255 destination 192.168.100.0 0.0.0.255

ike keychain 1

pre-shared-key address 10.1.1.1 key simple 123

ike profile 1

keychain 1

match remote identity address 10.1.1.1 255.255.255.255

ipsec transform-set 1

esp encryption-algorithm 3des-cbc

esp authentication-algorithm md5

ipsec policy h3c 1 isakmp

ike-profile 1

transform-set 1

security acl 3000

remote-address 10.1.1.1

interface GigabitEthernet0/0/2

ipsec apply policy h3c

#######

interface Tunnel0 mode gre

ip address 180.0.0.2 255.255.255.0

source LoopBack0

destination 1.0.0.1


isis

PE9

isis 1

network-entity 49.0000.0000.0000.0001.00

is-level level-1

interface GigabitEthernet0/0/1

isis enable 1

interface LoopBack0

isis enable 1

P10

isis 1

network-entity 49.0000.0000.0000.0002.00

is-level level-1

interface GigabitEthernet0/0/1

isis enable 1

interface GigabitEthernet0/0/2

isis enable 1

interface LoopBack0

isis enable 1

PE11

isis 1

network-entity 49.0000.0000.0000.0003.00

is-level level-1

interface GigabitEthernet0/0/2

isis enable 1

interface LoopBack0

isis enable 1



MPLS ldp

PE9

mpls lsr-id 1.0.0.9

mpls ldp

interface GigabitEthernet0/0/1

mpls enable

mpls ldp enable

P10

mpls lsr-id 1.0.0.10

mpls ldp

interface GigabitEthernet0/0/1

mpls enable

mpls ldp enable

interface GigabitEthernet0/0/2

mpls enable

mpls ldp enable

PE11

mpls lsr-id 1.0.0.11

mpls ldp

interface GigabitEthernet0/0/2

mpls enable

mpls ldp enable

VRF

PE9

ip vpn-instance h3c

route-distinguisher 1:1

vpn-target 1:1 import-extcommunity

vpn-target 1:1 export-extcommunity

interface GigabitEthernet0/0/0

ip binding vpn-instance h3c

ip address 10.1.1.2 255.255.255.252

PE11

ip vpn-instance h3c

route-distinguisher 1:1

vpn-target 1:1 import-extcommunity

vpn-target 1:1 export-extcommunity

interface GigabitEthernet0/0/0

ip binding vpn-instance h3c

ip address 10.1.3.1 255.255.255.252

MP-IBGP

PE9

bgp 100

router-id 1.0.0.9

peer 1.0.0.10 as-number 100

peer 1.0.0.10 connect-interface LoopBack0

peer 1.0.0.11 as-number 100

peer 1.0.0.11 connect-interface LoopBack0

address-family vpnv4 unicast

peer 1.0.0.10 enable

peer 1.0.0.11 enable

P10

bgp 100

router-id 1.0.0.10

peer 1.0.0.9 as-number 100

peer 1.0.0.9 connect-interface LoopBack0

peer 1.0.0.11 as-number 100

peer 1.0.0.11 connect-interface LoopBack0

address-family vpnv4 unicast

peer 1.0.0.9 enable

peer 1.0.0.11 enable

PE11

bgp 100

router-id 1.0.0.11

peer 1.0.0.9 as-number 100

peer 1.0.0.9 connect-interface LoopBack0

peer 1.0.0.10 as-number 100

peer 1.0.0.10 connect-interface LoopBack0

address-family vpnv4 unicast

peer 1.0.0.9 enable

peer 1.0.0.10 enable

MP-EBGP

PE9

bgp 100

ip vpn-instance h3c

peer 10.1.1.1 as-number 200

address-family ipv4 unicast

import-route direct

peer 10.1.1.1 enable

PE11

bgp 100

ip vpn-instance h3c

peer 10.1.3.2 as-number 300

address-family ipv4 unicast

import-route direct

peer 10.1.3.2 enable

FW1

bgp 200

peer 10.1.1.2 as-number 100

address-family ipv4 unicast

import-route direct

peer 10.1.1.2 enable

R13

bgp 300

peer 10.1.3.1 as-number 100

address-family ipv4 unicast

import-route direct

peer 10.1.3.1 enable

BGP引入

FW1

bgp 200

address-family ipv4 unicast

import-route ospf 1

ospf

import-route bgp

VRF public

通过路由复制实现Public与VRF路由互通

PE9

ip vpn-instance h3c

address-family ipv4

route-replicate from public protocol direct //可以实现将Public的直连路由引入到VRF test里

ip public-instance

address-family ipv4

route-replicate from vpn-instance h3c protocol direct //可以实现将VRF test的直连路由引入到Public路由表里

路由过滤

FW1

acl basic 2100

rule 0 permit source 192.168.200.0 0.0.0.255

bgp 200

address-family ipv4 unicast

filter-policy 2100 export

相关推荐
飞翔的瓜牛7 个月前
网工基础协议——IP地址
网络·数通·ip地址
飞翔的瓜牛7 个月前
MPLS-LDP邻居建立、标签的发布、控制保持
网络·数通·mpls
it技术分享just_free7 个月前
HUAWEI 华为交换机 配置 Eth-Trunk 接口流量本地优先转发示例(堆叠)
网络·华为·网络工程师·数通
it技术分享just_free7 个月前
huawei 华为 交换机 配置 LACP 模式的链路聚合示例 (交换机之间直连)
网络·华为·网络工程师·数通
IT考试认证7 个月前
华为数通 HCIP-Datacom H12-831 题库补充
华为·hcip·数通·hcip-datacom·h12-831
it技术分享just_free8 个月前
huawei 华为交换机 配置手工模式链路聚合示例
网络·华为·网络工程师·数通
腾科教育8 个月前
hcie数通和云计算选哪个好?
华为·云计算·数通
it技术分享just_free8 个月前
HUAWEI 华为交换机 配置 MAC 地址漂移检测示例
网络·华为·网络工程师·数通·路由交换
Leon-zy8 个月前
【数通】三层、二层交换机级联跨网段互访并设置独立管理IP段
网络·数通·路由·华为交换机
it技术分享just_free8 个月前
HUAWEI 华为交换机 配置 MAC 防漂移 防MAC伪造示例
网络·华为·数通·交换机·huawei·路由交换