Huawei device configuration for headquarters and branches

1. Requirements:

(1) The headquarters uses a high-availability design: the loss of one access-layer link, or the failure of an aggregation or core device, must not affect normal forwarding

(2) Branch 1 has few users, so it uses router-on-a-stick (single-arm routing) for inter-VLAN connectivity

(3) The headquarters, branch 1 and branch 2 can all reach the Internet

(4) The Internet can reach the headquarters' HTTP server and FTP server

(5) The headquarters and the two branches connect their internal networks over DSVPN

2. Headquarters configuration

(1) Create the VLANs and assign interfaces to them; bundle the links between the core switches into an Eth-Trunk so that if either core switch fails, the other keeps forwarding

[LSW3]vlan batch 10 20 30

[LSW3]int g0/0/3

[LSW3-GigabitEthernet0/0/3]port link-type access

[LSW3-GigabitEthernet0/0/3]port default vlan 10

[LSW3-GigabitEthernet0/0/3]int g0/0/1

[LSW3-GigabitEthernet0/0/1]port link-type trunk

[LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30

[LSW3-GigabitEthernet0/0/1]int g0/0/2

[LSW3-GigabitEthernet0/0/2]port link-type trunk

[LSW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30

[LSW4]vlan batch 10 20 30

[LSW4]int g0/0/3

[LSW4-GigabitEthernet0/0/3]port link-type access

[LSW4-GigabitEthernet0/0/3]port default vlan 20

[LSW4-GigabitEthernet0/0/3]int g0/0/1

[LSW4-GigabitEthernet0/0/1]port link-type trunk

[LSW4-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30

[LSW4-GigabitEthernet0/0/1]int g0/0/2

[LSW4-GigabitEthernet0/0/2]port link-type trunk

[LSW4-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30

[LSW5]vlan batch 10 20 30

[LSW5]int g0/0/3

[LSW5-GigabitEthernet0/0/3]port link-type access

[LSW5-GigabitEthernet0/0/3]port default vlan 30

[LSW5-GigabitEthernet0/0/3]int g0/0/1

[LSW5-GigabitEthernet0/0/1]port link-type trunk

[LSW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30

[LSW5-GigabitEthernet0/0/1]int g0/0/2

[LSW5-GigabitEthernet0/0/2]port link-type trunk

[LSW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30

[LSW1]vlan batch 10 20 30 11 12

[LSW1]int g0/0/1

[LSW1-GigabitEthernet0/0/1]port link-type access

[LSW1-GigabitEthernet0/0/1]port default vlan 11

[LSW1-GigabitEthernet0/0/1]int g0/0/2

[LSW1-GigabitEthernet0/0/2]port link-type access

[LSW1-GigabitEthernet0/0/2]port default vlan 12

[LSW1-GigabitEthernet0/0/2]int g0/0/3

[LSW1-GigabitEthernet0/0/3]port link-type trunk

[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 11 12

[LSW1-GigabitEthernet0/0/3]int g0/0/4

[LSW1-GigabitEthernet0/0/4]port link-type trunk

[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 20 30 11 12 13 14

[LSW1-GigabitEthernet0/0/4]int g0/0/5

[LSW1-GigabitEthernet0/0/5]port link-type trunk

[LSW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 10 20 30 11 12 13 14

[LSW1-GigabitEthernet0/0/5]quit

[LSW1]int Eth-Trunk 1

[LSW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/6 to 0/0/7

[LSW1-Eth-Trunk1]port link-type trunk

[LSW1-Eth-Trunk1]port trunk allow-pass vlan 10 20 30 11 12 13 14

[LSW2]vlan batch 10 20 30 13 14

[LSW2]int g0/0/1

[LSW2-GigabitEthernet0/0/1]port link-type access

[LSW2-GigabitEthernet0/0/1]port default vlan 14

[LSW2-GigabitEthernet0/0/1]int g0/0/2

[LSW2-GigabitEthernet0/0/2]port link-type access

[LSW2-GigabitEthernet0/0/2]port default vlan 13

[LSW2-GigabitEthernet0/0/2]int g0/0/3

[LSW2-GigabitEthernet0/0/3]port link-type trunk

[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 11 12 13 14

[LSW2-GigabitEthernet0/0/3]int g0/0/4

[LSW2-GigabitEthernet0/0/4]port link-type trunk

[LSW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 20 30 11 12 13 14

[LSW2-GigabitEthernet0/0/4]int g0/0/5

[LSW2-GigabitEthernet0/0/5]port link-type trunk

[LSW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 10 20 30 11 12 13 14

[LSW2-GigabitEthernet0/0/5]quit

[LSW2]int Eth-Trunk 1

[LSW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/6 to 0/0/7

[LSW2-Eth-Trunk1]port link-type trunk

[LSW2-Eth-Trunk1]port trunk allow-pass vlan 10 20 30 11 12 13 14

(2) Configure MSTP to break loops: LSW1 is the root bridge for VLANs 10 and 20 and the secondary root for VLAN 30; LSW2 is the root bridge for VLAN 30 and the secondary root for VLANs 10 and 20. Configure the interfaces that connect to terminals as edge ports

[LSW1]stp region-configuration

[LSW1-mst-region]region-name 1

[LSW1-mst-region]revision-level 1

[LSW1-mst-region]instance 1 vlan 10 20

[LSW1-mst-region]instance 2 vlan 30

[LSW1-mst-region]active region-configuration

[LSW1]stp instance 1 priority 0

[LSW1]stp instance 2 priority 4096

[LSW2]stp region-configuration

[LSW2-mst-region]region-name 1

[LSW2-mst-region]revision-level 1

[LSW2-mst-region]instance 1 vlan 10 20

[LSW2-mst-region]instance 2 vlan 30

[LSW2-mst-region]active region-configuration

[LSW2]stp instance 1 priority 4096

[LSW2]stp instance 2 priority 0

[LSW3]stp region-configuration

[LSW3-mst-region]region-name 1

[LSW3-mst-region]revision-level 1

[LSW3-mst-region]instance 1 vlan 10 20

[LSW3-mst-region]instance 2 vlan 30

[LSW3-mst-region]active region-configuration

[LSW3-mst-region]quit

[LSW4]stp region-configuration

[LSW4-mst-region]region-name 1

[LSW4-mst-region]revision-level 1

[LSW4-mst-region]instance 1 vlan 10 20

[LSW4-mst-region]instance 2 vlan 30

[LSW4-mst-region]active region-configuration

[LSW4-mst-region]quit

[LSW5]stp region-configuration

[LSW5-mst-region]region-name 1

[LSW5-mst-region]revision-level 1

[LSW5-mst-region]instance 1 vlan 10 20

[LSW5-mst-region]instance 2 vlan 30

[LSW5-mst-region]active region-configuration

[LSW3]int g0/0/3

[LSW3-GigabitEthernet0/0/3]stp edged-port enable

[LSW4]int g0/0/3

[LSW4-GigabitEthernet0/0/3]stp edged-port enable

[LSW5]int g0/0/3

[LSW5-GigabitEthernet0/0/3]stp edged-port enable

(3) Configure inter-VLAN routing so the internal network is reachable: configure VRRP with LSW1 as master for VLANs 10 and 20 and backup for VLAN 30, and LSW2 as backup for VLANs 10 and 20 and master for VLAN 30

[LSW1]int Vlanif 10

[LSW1-Vlanif10]ip add 10.1.1.1 24

[LSW1-Vlanif10]int Vlanif 20

[LSW1-Vlanif20]ip add 10.1.2.1 24

[LSW1-Vlanif20]int Vlanif 30

[LSW1-Vlanif30]ip add 10.1.3.1 24

[LSW2]int Vlanif 10

[LSW2-Vlanif10]ip add 10.1.1.2 24

[LSW2-Vlanif10]int Vlanif 20

[LSW2-Vlanif20]ip add 10.1.2.2 24

[LSW2-Vlanif20]int Vlanif 30

[LSW2-Vlanif30]ip add 10.1.3.2 24

[LSW1]int Vlanif 10

[LSW1-Vlanif10]vrrp vrid 1 virtual-ip 10.1.1.254

[LSW1-Vlanif10]vrrp vrid 1 priority 200

[LSW1-Vlanif10]vrrp vrid 1 preempt-mode timer delay 60

[LSW1-Vlanif10]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 120

[LSW1]int Vlanif 20

[LSW1-Vlanif20]vrrp vrid 2 virtual-ip 10.1.2.254

[LSW1-Vlanif20]vrrp vrid 2 priority 200

[LSW1-Vlanif20]vrrp vrid 2 preempt-mode timer delay 60

[LSW1-Vlanif20]vrrp vrid 2 track interface GigabitEthernet 0/0/1 reduced 120

[LSW1]int Vlanif 30

[LSW1-Vlanif30]vrrp vrid 3 virtual-ip 10.1.3.254

[LSW2]int Vlanif 10

[LSW2-Vlanif10]vrrp vrid 1 virtual-ip 10.1.1.254

[LSW2-Vlanif10]int Vlanif 20

[LSW2-Vlanif20]vrrp vrid 2 virtual-ip 10.1.2.254

[LSW2-Vlanif20]int Vlanif 30

[LSW2-Vlanif30]vrrp vrid 3 virtual-ip 10.1.3.254

[LSW2-Vlanif30]vrrp vrid 3 priority 200

[LSW2-Vlanif30]vrrp vrid 3 preempt-mode timer delay 60

[LSW2-Vlanif30]vrrp vrid 3 track interface GigabitEthernet 0/0/1 reduced 120
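As an added example (not part of the original post), the following Python script checks the design intent of sections (2) and (3): for every VLAN, the VRRP master should also be the MSTP root bridge of the instance carrying that VLAN, otherwise traffic to the gateway crosses the inter-switch link. It parses lines copied from the LSW1/LSW2 configuration; since bridge MAC addresses are not in the transcript, priority ties are broken by device name, which is an assumption.

```python
# Added example (not part of the original post): check that, for every VLAN,
# the VRRP master is also the MSTP root bridge of the instance carrying it.
import re
from collections import defaultdict

# Matches Huawei VRP prompts such as "[LSW1]", "[LSW1-mst-region]", "[LSW1-Vlanif10]".
PROMPT_RE = re.compile(r"^\[(?P<dev>[A-Za-z0-9_]+)(?:-(?P<view>[^\]]+))?\](?P<cmd>.*)$")

# Constructed sample: the relevant LSW1/LSW2 lines from the configuration above.
SAMPLE_CONFIG = """
[LSW1-mst-region]instance 1 vlan 10 20
[LSW1-mst-region]instance 2 vlan 30
[LSW1]stp instance 1 priority 0
[LSW1]stp instance 2 priority 4096
[LSW2-mst-region]instance 1 vlan 10 20
[LSW2-mst-region]instance 2 vlan 30
[LSW2]stp instance 1 priority 4096
[LSW2]stp instance 2 priority 0
[LSW1-Vlanif10]vrrp vrid 1 virtual-ip 10.1.1.254
[LSW1-Vlanif10]vrrp vrid 1 priority 200
[LSW1-Vlanif20]vrrp vrid 2 virtual-ip 10.1.2.254
[LSW1-Vlanif20]vrrp vrid 2 priority 200
[LSW1-Vlanif30]vrrp vrid 3 virtual-ip 10.1.3.254
[LSW2-Vlanif10]vrrp vrid 1 virtual-ip 10.1.1.254
[LSW2-Vlanif20]vrrp vrid 2 virtual-ip 10.1.2.254
[LSW2-Vlanif30]vrrp vrid 3 virtual-ip 10.1.3.254
[LSW2-Vlanif30]vrrp vrid 3 priority 200
"""


def expand_vlans(tokens):
    """Expand VLAN lists written as "10 20" or "10 to 20"."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_config(text):
    """Collect MSTP instance membership, bridge priorities and VRRP priorities per device."""
    cfg = {
        "instance_vlans": defaultdict(dict),  # dev -> instance -> set of VLAN ids
        "stp_prio": defaultdict(dict),        # dev -> instance -> bridge priority
        "vrrp_prio": defaultdict(dict),       # dev -> vlan -> VRRP priority
    }
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue
        dev, view, cmd = m.group("dev"), m.group("view") or "", m.group("cmd").split()
        if view == "mst-region" and cmd[:1] == ["instance"] and "vlan" in cmd:
            cfg["instance_vlans"][dev][int(cmd[1])] = expand_vlans(cmd[cmd.index("vlan") + 1:])
        elif cmd[:2] == ["stp", "instance"] and "priority" in cmd:
            cfg["stp_prio"][dev][int(cmd[2])] = int(cmd[cmd.index("priority") + 1])
        elif view.startswith("Vlanif") and cmd[:2] == ["vrrp", "vrid"]:
            vlan = int(view[len("Vlanif"):])
            if "virtual-ip" in cmd:
                cfg["vrrp_prio"][dev].setdefault(vlan, 100)  # VRRP default priority
            elif "priority" in cmd:
                cfg["vrrp_prio"][dev][vlan] = int(cmd[cmd.index("priority") + 1])
    return cfg


def stp_root(cfg, instance):
    """Lowest bridge priority wins (default 32768); ties fall back to the device
    name because the MAC-address tie-break is not available in the transcript."""
    candidates = [(cfg["stp_prio"][dev].get(instance, 32768), dev)
                  for dev, inst in cfg["instance_vlans"].items() if instance in inst]
    return min(candidates)[1] if candidates else None


def vrrp_master(cfg, vlan):
    """Highest VRRP priority wins; ties again fall back to the device name."""
    candidates = [(prios[vlan], dev) for dev, prios in cfg["vrrp_prio"].items() if vlan in prios]
    return max(candidates)[1] if candidates else None


def check_alignment(cfg):
    """One result per VLAN that has a VRRP group: master, root and whether they agree."""
    instance_of = {}  # vlan -> MSTP instance (region config is assumed identical on all switches)
    for inst_vlans in cfg["instance_vlans"].values():
        for inst, vlans in inst_vlans.items():
            for v in vlans:
                instance_of[v] = inst
    results = []
    for vlan in sorted(instance_of):
        master = vrrp_master(cfg, vlan)
        if master is None:
            continue  # no gateway redundancy on this VLAN, nothing to align
        root = stp_root(cfg, instance_of[vlan])
        results.append({"vlan": vlan, "vrrp_master": master, "stp_root": root,
                        "aligned": master == root})
    return results


if __name__ == "__main__":
    for r in check_alignment(parse_config(SAMPLE_CONFIG)):
        print(r)
```

Run against the transcript above, all three VLANs come out aligned (LSW1 for VLANs 10 and 20, LSW2 for VLAN 30); moving the VLAN 30 priority line to LSW1 produces a mismatch for that VLAN, which is the symptom the check is meant to catch in a real configuration dump.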

(4) Configure the Layer 3 interconnection interfaces

[LSW1]int Vlanif 11

[LSW1-Vlanif11]ip add 192.168.11.1 24

[LSW1-Vlanif11]int Vlanif 12

[LSW1-Vlanif12]ip add 192.168.12.1 24

[LSW2]int Vlanif 13

[LSW2-Vlanif13]ip add 192.168.13.2 24

[LSW2-Vlanif13]int Vlanif 14

[LSW2-Vlanif14]ip add 192.168.14.2 24

[FW1]firewall zone trust

[FW1-zone-trust]add interface GigabitEthernet 1/0/2

[FW1-zone-trust]add interface GigabitEthernet 1/0/0

[FW1]firewall zone untrust

[FW1-zone-untrust]add interface GigabitEthernet 1/0/1

[FW1-zone-untrust]firewall zone dmz

[FW1-zone-dmz]add interface GigabitEthernet 1/0/3

[FW1-zone-dmz]add interface GigabitEthernet 1/0/4

[FW1]int g1/0/1

[FW1-GigabitEthernet1/0/1]ip add 20.1.1.3 24

[FW1-GigabitEthernet1/0/1]int g1/0/0

[FW1-GigabitEthernet1/0/0]ip add 192.168.13.3 24

[FW1-GigabitEthernet1/0/0]int g1/0/2

[FW1-GigabitEthernet1/0/2]ip add 192.168.11.3 24

[FW1-GigabitEthernet1/0/2]int g1/0/3

[FW1-GigabitEthernet1/0/3]ip add 192.168.15.3 24

[FW1-GigabitEthernet1/0/3]int g1/0/4

[FW1-GigabitEthernet1/0/4]ip add 192.168.16.3 24

[AR2]int g0/0/0

[AR2-GigabitEthernet0/0/0]ip add 192.168.12.4 24

[AR2-GigabitEthernet0/0/0]int g0/0/1

[AR2-GigabitEthernet0/0/1]ip add 192.168.14.4 24

[AR2-GigabitEthernet0/0/1]int g0/0/2

[AR2-GigabitEthernet0/0/2]ip add 20.1.1.4 24

[AR1]int g4/0/0

[AR1-GigabitEthernet4/0/0]ip add 50.1.1.5 24

[AR1-GigabitEthernet4/0/0]int g0/0/1

[AR1-GigabitEthernet0/0/1]ip add 30.1.1.5 24

[AR1-GigabitEthernet0/0/1]int g0/0/2

[AR1-GigabitEthernet0/0/2]ip add 40.1.1.5 24

[AR1-GigabitEthernet0/0/2]int g0/0/0

[AR1-GigabitEthernet0/0/0]ip add 20.1.1.5 24

(5) Configure the DMZ

1) Configure VLANs

[LSW10]vlan batch 100 101

[LSW10]int g0/0/3

[LSW10-GigabitEthernet0/0/3]port link-type access

[LSW10-GigabitEthernet0/0/3]port default vlan 100

[LSW10-GigabitEthernet0/0/3]int g0/0/4

[LSW10-GigabitEthernet0/0/4]port link-type access

[LSW10-GigabitEthernet0/0/4]port default vlan 101

[LSW10-GigabitEthernet0/0/4]int g0/0/1

[LSW10-GigabitEthernet0/0/1]port link-type trunk

[LSW10-GigabitEthernet0/0/1]port trunk allow-pass vlan 100 101

[LSW10-GigabitEthernet0/0/1]int g0/0/2

[LSW10-GigabitEthernet0/0/2]port link-type trunk

[LSW10-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 101

[LSW8]vlan batch 15 100 101

[LSW8]int g0/0/1

[LSW8-GigabitEthernet0/0/1]port link-type access

[LSW8-GigabitEthernet0/0/1]port default vlan 15

[LSW8-GigabitEthernet0/0/1]int g0/0/2

[LSW8-GigabitEthernet0/0/2]port link-type trunk

[LSW8-GigabitEthernet0/0/2]port trunk allow-pass vlan 15 100 101

[LSW8-GigabitEthernet0/0/2]quit

[LSW8]int Eth-Trunk 1

[LSW8-Eth-Trunk1]trunkport GigabitEthernet 0/0/3 to 0/0/4

[LSW8-Eth-Trunk1]port link-type trunk

[LSW8-Eth-Trunk1]port trunk allow-pass vlan 15 100 101

[LSW9]vlan batch 16 100 101

[LSW9]int g0/0/1

[LSW9-GigabitEthernet0/0/1]port link-type access

[LSW9-GigabitEthernet0/0/1]port default vlan 16

[LSW9-GigabitEthernet0/0/1]int g0/0/2

[LSW9-GigabitEthernet0/0/2]port link-type trunk

[LSW9-GigabitEthernet0/0/2]port trunk allow-pass vlan 16 100 101

[LSW9-GigabitEthernet0/0/2]quit

[LSW9]int Eth-Trunk 1

[LSW9-Eth-Trunk1]trunkport GigabitEthernet 0/0/3 to 0/0/4

[LSW9-Eth-Trunk1]port link-type trunk

[LSW9-Eth-Trunk1]port trunk allow-pass vlan 16 100 101

2) Configure MSTP (LSW8 must be the root bridge for VLAN 100 and LSW9 the root bridge for VLAN 101)

[LSW10]stp region-configuration

[LSW10-mst-region]region-name DMZ1

[LSW10-mst-region]revision-level 1

[LSW10-mst-region]instance 1 vlan 100

[LSW10-mst-region]instance 2 vlan 101

[LSW10-mst-region]active region-configuration

[LSW8]stp region-configuration

[LSW8-mst-region]region-name DMZ1

[LSW8-mst-region]revision-level 1

[LSW8-mst-region]instance 1 vlan 100

[LSW8-mst-region]instance 2 vlan 101

[LSW8-mst-region]active region-configuration

[LSW9]stp region-configuration

[LSW9-mst-region]region-name DMZ1

[LSW9-mst-region]revision-level 1

[LSW9-mst-region]instance 1 vlan 100

[LSW9-mst-region]instance 2 vlan 101

[LSW9-mst-region]active region-configuration

[LSW8]stp instance 1 priority 0

[LSW8]stp instance 2 priority 4096

[LSW9]stp instance 1 priority 4096

[LSW9]stp instance 2 priority 0

[LSW10]int g0/0/3

[LSW10-GigabitEthernet0/0/3]stp edged-port enable

[LSW10-GigabitEthernet0/0/3]int g0/0/4

[LSW10-GigabitEthernet0/0/4]stp edged-port enable

3) Configure inter-VLAN routing

[LSW8]int Vlanif 15

[LSW8-Vlanif15]ip add 192.168.15.1 24

[LSW8]int Vlanif 100

[LSW8-Vlanif100]ip add 10.1.100.1 24

[LSW8-Vlanif100]int Vlanif 101

[LSW8-Vlanif101]ip add 10.1.101.1 24

[LSW9]int Vlanif 16

[LSW9-Vlanif16]ip add 192.168.16.2 24

[LSW9]int Vlanif 100

[LSW9-Vlanif100]ip add 10.1.100.2 24

[LSW9-Vlanif100]int Vlanif 101

[LSW9-Vlanif101]ip add 10.1.101.2 24

4) Configure VRRP for link backup

[LSW8]int Vlanif 100

[LSW8-Vlanif100]vrrp vrid 1 virtual-ip 10.1.100.254

[LSW8-Vlanif100]vrrp vrid 1 priority 200

[LSW8-Vlanif100]vrrp vrid 1 preempt-mode timer delay 60

[LSW8-Vlanif100]vrrp vrid 1 track interface g0/0/1 reduced 120

[LSW8-Vlanif100]quit

[LSW8]int Vlanif 101

[LSW8-Vlanif101]vrrp vrid 2 virtual-ip 10.1.101.254

[LSW9]int Vlanif 100

[LSW9-Vlanif100]vrrp vrid 1 virtual-ip 10.1.100.254

[LSW9-Vlanif100]int Vlanif 101

[LSW9-Vlanif101]vrrp vrid 2 virtual-ip 10.1.101.254

[LSW9-Vlanif101]vrrp vrid 2 preempt-mode timer delay 60

[LSW9-Vlanif101]vrrp vrid 2 priority 200

[LSW9-Vlanif101]vrrp vrid 2 track interface g0/0/1 reduced 120

(6) Configure routing for the whole network: put the headquarters in OSPF area 0, the servers in area 1, branch 1 in area 2 and branch 2 in area 3

1) Configure OSPF

[LSW1]ospf 1 router-id 11.1.1.1

[LSW1-ospf-1]area 0

[LSW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255

[LSW1-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255

[LSW1-ospf-1-area-0.0.0.0]network 10.1.3.0 0.0.0.255

[LSW1-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255

[LSW1-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255

[LSW2]ospf 1 router-id 22.1.1.1

[LSW2-ospf-1]area 0

[LSW2-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255

[LSW2-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255

[LSW2-ospf-1-area-0.0.0.0]network 10.1.3.0 0.0.0.255

[LSW2-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255

[LSW2-ospf-1-area-0.0.0.0]network 192.168.14.0 0.0.0.255

[FW1]ospf router-id 33.1.1.1

[FW1-ospf-1]ospf 1

[FW1-ospf-1]area 0

[FW1-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255

[FW1-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255

[FW1-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255

[FW1-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255

[AR2]ospf router-id 44.1.1.1

[AR2-ospf-1]area 0

[AR2-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255

[AR2-ospf-1-area-0.0.0.0]network 192.168.14.0 0.0.0.255

[LSW8]ospf router-id 111.1.1.1

[LSW8-ospf-1]area 0

[LSW8-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255

[LSW8-ospf-1-area-0.0.0.0]area 1

[LSW8-ospf-1-area-0.0.0.1]network 10.1.100.0 0.0.0.255

[LSW8-ospf-1-area-0.0.0.1]network 10.1.101.0 0.0.0.255

[LSW9]ospf router-id 222.1.1.1

[LSW9-ospf-1]area 0

[LSW9-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255

[LSW9-ospf-1-area-0.0.0.0]area 1

[LSW9-ospf-1-area-0.0.0.1]network 10.1.101.0 0.0.0.255

[LSW9-ospf-1-area-0.0.0.1]network 10.1.100.0 0.0.0.255

2) Make the VLANIF interfaces silent (silent-interface)

[LSW1]ospf 1

[LSW1-ospf-1]silent-interface Vlanif 10

[LSW1-ospf-1]silent-interface Vlanif 20

[LSW1-ospf-1]silent-interface Vlanif 30

[LSW2]ospf 1

[LSW2-ospf-1]silent-interface Vlanif 10

[LSW2-ospf-1]silent-interface Vlanif 20

[LSW2-ospf-1]silent-interface Vlanif 30

[LSW8-ospf-1]silent-interface Vlanif 100

[LSW8-ospf-1]silent-interface Vlanif 101

[LSW9-ospf-1]silent-interface Vlanif 100

[LSW9-ospf-1]silent-interface Vlanif 101
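Added example, not the post's own code: the script below works out, from the interface addresses, the area `network` statements and the `silent-interface` lines above, which interfaces each device actually runs OSPF on, in which area, and whether they are silent. It then flags host-facing VLANIF interfaces that still send hellos, since an unauthenticated OSPF adjacency on a user or server VLAN is what silent-interface is meant to prevent. The sample lines are copied from LSW1 and LSW8; the set of host-facing VLANs (10, 20, 30, 100, 101) is an assumption taken from the topology described on this page, and the simplified matching rule ignores the mask-length condition Huawei also applies to `network` statements.

```python
# Added example (not part of the original post): map OSPF "network" statements
# to interfaces and flag host-facing VLANIFs that are not silent.
import ipaddress
import re
from collections import defaultdict

# Matches Huawei VRP prompts such as "[LSW1-Vlanif10]" or "[LSW8-ospf-1-area-0.0.0.1]".
PROMPT_RE = re.compile(r"^\[(?P<dev>[A-Za-z0-9_]+)(?:-(?P<view>[^\]]+))?\](?P<cmd>.*)$")

# Constructed sample: LSW1 and LSW8 lines from sections (3), (4), (5) and (6) above.
SAMPLE_OSPF = """
[LSW1-Vlanif10]ip add 10.1.1.1 24
[LSW1-Vlanif20]ip add 10.1.2.1 24
[LSW1-Vlanif30]ip add 10.1.3.1 24
[LSW1-Vlanif11]ip add 192.168.11.1 24
[LSW1-Vlanif12]ip add 192.168.12.1 24
[LSW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.3.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[LSW1-ospf-1]silent-interface Vlanif 10
[LSW1-ospf-1]silent-interface Vlanif 20
[LSW1-ospf-1]silent-interface Vlanif 30
[LSW8-Vlanif15]ip add 192.168.15.1 24
[LSW8-Vlanif100]ip add 10.1.100.1 24
[LSW8-Vlanif101]ip add 10.1.101.1 24
[LSW8-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
[LSW8-ospf-1-area-0.0.0.1]network 10.1.100.0 0.0.0.255
[LSW8-ospf-1-area-0.0.0.1]network 10.1.101.0 0.0.0.255
[LSW8-ospf-1]silent-interface Vlanif 100
[LSW8-ospf-1]silent-interface Vlanif 101
"""

# Assumption taken from the page: VLANs 10/20/30 carry user terminals and
# 100/101 carry the DMZ servers, so no OSPF neighbour is expected there.
HOST_FACING_VLANS = {10, 20, 30, 100, 101}


def wildcard_match(ip, network, wildcard):
    """Huawei wildcard semantics: a 1 bit in the wildcard means "don't care"."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(network)) & care


def parse_ospf(text):
    """Collect interface addresses, per-area network statements and silent interfaces."""
    iface_ip = defaultdict(dict)   # dev -> interface -> address
    networks = defaultdict(list)   # dev -> [(area, network, wildcard)]
    silent = defaultdict(set)      # dev -> {interface}
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue
        dev, view, cmd = m.group("dev"), m.group("view") or "", m.group("cmd").split()
        if len(cmd) >= 3 and cmd[0] == "ip" and "address".startswith(cmd[1]):
            iface_ip[dev][view] = cmd[2]                      # "ip add 10.1.1.1 24"
        elif len(cmd) == 3 and cmd[0] == "network" and "-area-" in view:
            networks[dev].append((view.split("-area-")[1], cmd[1], cmd[2]))
        elif cmd[:1] == ["silent-interface"]:
            silent[dev].add("".join(cmd[1:]))                 # "Vlanif 10" -> "Vlanif10"
    return iface_ip, networks, silent


def ospf_interfaces(cfg):
    """{(dev, iface): (area, is_silent)} for every interface covered by a network statement."""
    iface_ip, networks, silent = cfg
    enabled = {}
    for dev, ifaces in iface_ip.items():
        for iface, ip in ifaces.items():
            for area, net, wc in networks[dev]:
                if wildcard_match(ip, net, wc):
                    enabled[(dev, iface)] = (area, iface in silent[dev])
                    break
    return enabled


def unprotected_host_interfaces(cfg):
    """Host-facing VLANIFs that run OSPF without silent-interface: a device plugged
    into that VLAN could form an adjacency and inject routes."""
    findings = []
    for (dev, iface), (area, is_silent) in sorted(ospf_interfaces(cfg).items()):
        if iface.startswith("Vlanif") and int(iface[6:]) in HOST_FACING_VLANS and not is_silent:
            findings.append((dev, iface, area))
    return findings


if __name__ == "__main__":
    cfg = parse_ospf(SAMPLE_OSPF)
    for key, val in sorted(ospf_interfaces(cfg).items()):
        print(key, val)
    print("findings:", unprotected_host_interfaces(cfg))
```

With the lines as written on this page the finding list is empty; dropping the `silent-interface Vlanif 101` line on LSW8 makes the script report that interface in area 0.0.0.1, which is the kind of omission that is easy to miss in a long transcript.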

(7) Configure the trust-to-DMZ security policy

[FW1]security-policy

[FW1-policy-security]rule name t-to-dmz

[FW1-policy-security-rule-t-to-dmz]source-zone trust

[FW1-policy-security-rule-t-to-dmz]source-address 10.1.0.0 16

[FW1-policy-security-rule-t-to-dmz]destination-zone dmz

[FW1-policy-security-rule-t-to-dmz]action permit

(8) Configure NAT

[FW1]nat-policy

[FW1-policy-nat]rule name to-ISP

[FW1-policy-nat-rule-to-ISP]source-zone trust

[FW1-policy-nat-rule-to-ISP]destination-zone untrust

[FW1-policy-nat-rule-to-ISP]source-address 10.1.0.0 16

[FW1-policy-nat-rule-to-ISP]action source-nat easy-ip

[FW1]security-policy

[FW1-policy-security]rule name to-ISP

[FW1-policy-security-rule-to-ISP]source-zone trust

[FW1-policy-security-rule-to-ISP]destination-zone untrust

[FW1-policy-security-rule-to-ISP]source-address 10.1.0.0 16

[FW1-policy-security-rule-to-ISP]action permit

[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.5

[FW1]ospf 1

[FW1-ospf-1]default-route-advertise

(9) Internet access to the HTTP and FTP services in the DMZ: map them with nat server

[FW1]nat server protocol tcp global 20.1.1.100 80 inside 10.1.100.10 80

[FW1]nat server protocol tcp global 20.1.1.101 21 inside 10.1.101.10 21

[FW1]security-policy

[FW1-policy-security]rule name u-to-dmz

[FW1-policy-security-rule-u-to-dmz]source-zone untrust

[FW1-policy-security-rule-u-to-dmz]destination-zone dmz

[FW1-policy-security-rule-u-to-dmz]destination-address 10.1.100.10 32

[FW1-policy-security-rule-u-to-dmz]destination-address 10.1.101.10 32

[FW1-policy-security-rule-u-to-dmz]action permit
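Added example (not the post's own code): a small evaluator that replays the FW1 `nat server` mappings and security-policy rules from sections (7), (8) and (9) against sample flows, applying destination NAT before the policy lookup as the USG does, with first match wins and an implicit deny. It also flags permit rules from untrust that carry no service restriction: the `u-to-dmz` rule as written limits the destination hosts but not the port, so today only the two `nat server` lines keep anything other than TCP 80 and 21 from reaching the servers. The hardened variant uses the form `service protocol tcp destination-port N`, which is assumed USG syntax; sample flows and the external address 30.1.1.9 are constructed.

```python
# Added example (not part of the original post): replay FW1's nat server and
# security-policy configuration against sample flows and flag rules from
# untrust that do not restrict the service.
import ipaddress
import re

PROMPT_RE = re.compile(r"^\[(?P<dev>[A-Za-z0-9_]+)(?:-(?P<view>[^\]]+))?\](?P<cmd>.*)$")
RULE_PREFIX = "policy-security-rule-"

# Constructed sample: the FW1 lines from sections (7), (8) and (9) above.
SAMPLE_FW = """
[FW1]nat server protocol tcp global 20.1.1.100 80 inside 10.1.100.10 80
[FW1]nat server protocol tcp global 20.1.1.101 21 inside 10.1.101.10 21
[FW1-policy-security-rule-t-to-dmz]source-zone trust
[FW1-policy-security-rule-t-to-dmz]source-address 10.1.0.0 16
[FW1-policy-security-rule-t-to-dmz]destination-zone dmz
[FW1-policy-security-rule-t-to-dmz]action permit
[FW1-policy-security-rule-to-ISP]source-zone trust
[FW1-policy-security-rule-to-ISP]destination-zone untrust
[FW1-policy-security-rule-to-ISP]source-address 10.1.0.0 16
[FW1-policy-security-rule-to-ISP]action permit
[FW1-policy-security-rule-u-to-dmz]source-zone untrust
[FW1-policy-security-rule-u-to-dmz]destination-zone dmz
[FW1-policy-security-rule-u-to-dmz]destination-address 10.1.100.10 32
[FW1-policy-security-rule-u-to-dmz]destination-address 10.1.101.10 32
[FW1-policy-security-rule-u-to-dmz]action permit
"""

# Hardened variant: the same inbound rule restricted to the two published ports
# (assumed USG syntax "service protocol tcp destination-port N").
HARDENED_FW = SAMPLE_FW + """
[FW1-policy-security-rule-u-to-dmz]service protocol tcp destination-port 80
[FW1-policy-security-rule-u-to-dmz]service protocol tcp destination-port 21
"""


def parse_fw(text):
    """Return (rules in configuration order, nat server mappings)."""
    rules, nat_servers = {}, []
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m or not m.group("cmd").split():
            continue
        view, cmd = m.group("view") or "", m.group("cmd").split()
        if view.startswith(RULE_PREFIX):
            r = rules.setdefault(view[len(RULE_PREFIX):], {
                "src_zone": set(), "dst_zone": set(), "src_addr": [],
                "dst_addr": [], "ports": set(), "action": "deny"})
            if cmd[0] == "source-zone":
                r["src_zone"].add(cmd[1])
            elif cmd[0] == "destination-zone":
                r["dst_zone"].add(cmd[1])
            elif cmd[0] in ("source-address", "destination-address"):
                key = "src_addr" if cmd[0] == "source-address" else "dst_addr"
                r[key].append(ipaddress.ip_network(f"{cmd[1]}/{cmd[2]}", strict=False))
            elif cmd[0] == "service" and "destination-port" in cmd:
                r["ports"].add(int(cmd[cmd.index("destination-port") + 1]))
            elif cmd[0] == "action":
                r["action"] = cmd[1]
        elif cmd[:2] == ["nat", "server"] and len(cmd) >= 10 and cmd[4] == "global":
            # nat server protocol tcp global <gip> <gport> inside <iip> <iport>
            nat_servers.append((cmd[5], int(cmd[6]), cmd[8], int(cmd[9])))
    return rules, nat_servers


def translate_inbound(nat_servers, dst_ip, dst_port):
    """Destination NAT (nat server) is applied before the security-policy lookup,
    so the policy is matched on the inside address."""
    for gip, gport, iip, iport in nat_servers:
        if gip == dst_ip and gport == dst_port:
            return iip, iport
    return dst_ip, dst_port


def evaluate(cfg, src_zone, src_ip, dst_zone, dst_ip, dst_port):
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    rules, nat_servers = cfg
    dst_ip, dst_port = translate_inbound(nat_servers, dst_ip, dst_port)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, r in rules.items():
        if r["src_zone"] and src_zone not in r["src_zone"]:
            continue
        if r["dst_zone"] and dst_zone not in r["dst_zone"]:
            continue
        if r["src_addr"] and not any(src in n for n in r["src_addr"]):
            continue
        if r["dst_addr"] and not any(dst in n for n in r["dst_addr"]):
            continue
        if r["ports"] and dst_port not in r["ports"]:
            continue
        return name, r["action"]
    return "default", "deny"


def unrestricted_inbound_rules(cfg):
    """Permit rules from untrust with no service restriction."""
    rules, _ = cfg
    return [n for n, r in rules.items()
            if r["action"] == "permit" and "untrust" in r["src_zone"] and not r["ports"]]


if __name__ == "__main__":
    cfg = parse_fw(SAMPLE_FW)
    for flow in [("trust", "10.1.1.10", "dmz", "10.1.100.10", 80),
                 ("untrust", "30.1.1.9", "dmz", "20.1.1.100", 80),
                 ("untrust", "30.1.1.9", "trust", "10.1.1.10", 445)]:
        print(flow, "->", evaluate(cfg, *flow))
    print("unrestricted inbound rules:", unrestricted_inbound_rules(cfg))
```

The evaluator only models the fields present in this transcript (zones, addresses, destination ports, action); it does not model the FTP ALG, session state or any rule ordering other than the order in which the rules appear.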

4. Branch 1 configuration: router-on-a-stick and NAT

(1) Router-on-a-stick configuration

[LSW11]vlan batch 10 20

[LSW11]int g0/0/2

[LSW11-GigabitEthernet0/0/2]port link-type access

[LSW11-GigabitEthernet0/0/2]port default vlan 10

[LSW11-GigabitEthernet0/0/2]int g0/0/3

[LSW11-GigabitEthernet0/0/3]port link-type access

[LSW11-GigabitEthernet0/0/3]port default vlan 20

[LSW11-GigabitEthernet0/0/3]int g0/0/1

[LSW11-GigabitEthernet0/0/1]port link-type trunk

[LSW11-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20

[AR4]int g0/0/1.10

[AR4-GigabitEthernet0/0/1.10]dot1q termination vid 10

[AR4-GigabitEthernet0/0/1.10]arp broadcast enable

[AR4-GigabitEthernet0/0/1.10]ip add 10.2.1.1 24

[AR4-GigabitEthernet0/0/1.10]int g0/0/1.20

[AR4-GigabitEthernet0/0/1.20]dot1q termination vid 20

[AR4-GigabitEthernet0/0/1.20]arp broadcast enable

[AR4-GigabitEthernet0/0/1.20]ip add 10.2.2.1 24

[AR4]int g0/0/0

[AR4-GigabitEthernet0/0/0]ip add 40.1.1.1 24

[AR4]ip route-static 0.0.0.0 0.0.0.0 40.1.1.5

[AR4]acl 2000

[AR4-acl-basic-2000]rule permit source 10.2.0.0 0.0.255.255

[AR4-acl-basic-2000]int g0/0/0

[AR4-GigabitEthernet0/0/0]nat outbound 2000

5. Branch 2 configuration

(1) Configure VLANs

[LSW13]vlan batch 10 20 17

[LSW13]int g0/0/1

[LSW13-GigabitEthernet0/0/1]port link-type access

[LSW13-GigabitEthernet0/0/1]port default vlan 17

[LSW13-GigabitEthernet0/0/1]int g0/0/2

[LSW13-GigabitEthernet0/0/2]port link-type trunk

[LSW13-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 17

[LSW13-GigabitEthernet0/0/2]int g0/0/3

[LSW13-GigabitEthernet0/0/3]port link-type trunk

[LSW13-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 17

[LSW13-GigabitEthernet0/0/3]quit

[LSW13]int Eth-Trunk 1

[LSW13-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 to 0/0/5

[LSW13-Eth-Trunk1]port link-type trunk

[LSW13-Eth-Trunk1]port trunk allow-pass vlan 10 20 17

[LSW14]vlan batch 10 20 18

[LSW14]int g0/0/1

[LSW14-GigabitEthernet0/0/1]port link-type access

[LSW14-GigabitEthernet0/0/1]port default vlan 18

[LSW14-GigabitEthernet0/0/1]int g0/0/2

[LSW14-GigabitEthernet0/0/2]port link-type trunk

[LSW14-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 18

[LSW14-GigabitEthernet0/0/2]int g0/0/3

[LSW14-GigabitEthernet0/0/3]port link-type trunk

[LSW14-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 18

[LSW14-GigabitEthernet0/0/3]quit

[LSW14]int Eth-Trunk 1

[LSW14-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 to 0/0/5

[LSW14-Eth-Trunk1]port link-type trunk

[LSW14-Eth-Trunk1]port trunk allow-pass vlan 10 20 18

[LSW15]vlan batch 10 20

[LSW15]int g0/0/3

[LSW15-GigabitEthernet0/0/3]port link-type access

[LSW15-GigabitEthernet0/0/3]port default vlan 10

[LSW15-GigabitEthernet0/0/3]int g0/0/1

[LSW15-GigabitEthernet0/0/1]port link-type trunk

[LSW15-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20

[LSW15-GigabitEthernet0/0/1]int g0/0/2

[LSW15-GigabitEthernet0/0/2]port link-type trunk

[LSW15-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20

[LSW16]vlan batch 10 20

[LSW16]int g0/0/3

[LSW16-GigabitEthernet0/0/3]port link-type access

[LSW16-GigabitEthernet0/0/3]port default vlan 20

[LSW16-GigabitEthernet0/0/3]int g0/0/1

[LSW16-GigabitEthernet0/0/1]port link-type trunk

[LSW16-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20

[LSW16-GigabitEthernet0/0/1]int g0/0/2

[LSW16-GigabitEthernet0/0/2]port link-type trunk

[LSW16-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20

(2) Configure MSTP: LSW13 is the primary root for VLAN 10 and the secondary root for VLAN 20; LSW14 is the primary root for VLAN 20 and the secondary root for VLAN 10

[LSW13]stp region-configuration

[LSW13-mst-region]region-name FB2

[LSW13-mst-region]revision-level 1

[LSW13-mst-region]instance 1 vlan 10

[LSW13-mst-region]instance 2 vlan 20

[LSW13-mst-region]active region-configuration

[LSW14]stp region-configuration

[LSW14-mst-region]region-name FB2

[LSW14-mst-region]revision-level 1

[LSW14-mst-region]instance 1 vlan 10

[LSW14-mst-region]instance 2 vlan 20

[LSW14-mst-region]active region-configuration

[LSW15]stp region-configuration

[LSW15-mst-region]region-name FB2

[LSW15-mst-region]revision-level 1

[LSW15-mst-region]instance 1 vlan 10

[LSW15-mst-region]instance 2 vlan 20

[LSW15-mst-region]active region-configuration

[LSW16]stp region-configuration

[LSW16-mst-region]region-name FB2

[LSW16-mst-region]revision-level 1

[LSW16-mst-region]instance 1 vlan 10

[LSW16-mst-region]instance 2 vlan 20

[LSW16-mst-region]active region-configuration

[LSW13]stp instance 1 priority 0

[LSW13]stp instance 2 priority 4096

[LSW14]stp instance 1 priority 4096

[LSW14]stp instance 2 priority 0

[LSW16-GigabitEthernet0/0/3]stp edged-port enable

[LSW15-GigabitEthernet0/0/3]stp edged-port enable

(3) Configure inter-VLAN routing

[LSW13]int Vlanif 10

[LSW13-Vlanif10]ip add 10.3.1.1 24

[LSW13-Vlanif10]int Vlanif 20

[LSW13-Vlanif20]ip add 10.3.2.1 24

[LSW13-Vlanif20]int Vlanif 10

[LSW13-Vlanif10]vrrp vrid 1 virtual-ip 10.3.1.254

[LSW13-Vlanif10]vrrp vrid 1 priority 200

[LSW13-Vlanif10]vrrp vrid 1 preempt-mode timer delay 60

[LSW13-Vlanif10]vrrp vrid 1 track interface g0/0/1 reduced 120

[LSW13-Vlanif10]int Vlanif 20

[LSW13-Vlanif20]vrrp vrid 2 virtual-ip 10.3.2.254

[LSW14]int Vlanif 10

[LSW14-Vlanif10]ip add 10.3.1.2 24

[LSW14-Vlanif10]int Vlanif 20

[LSW14-Vlanif20]ip add 10.3.2.2 24

[LSW14-Vlanif20]vrrp vrid 2 virtual-ip 10.3.2.254

[LSW14-Vlanif20]vrrp vrid 2 priority 200

[LSW14-Vlanif20]vrrp vrid 2 preempt-mode timer delay 60

[LSW14-Vlanif20]vrrp vrid 2 track interface GigabitEthernet 0/0/1 reduced 120

[LSW14-Vlanif20]int Vlanif 10

[LSW14-Vlanif10]vrrp vrid 1 virtual-ip 10.3.1.254

(4) Configure routing for the whole network

[LSW13]int Vlanif 17

[LSW13-Vlanif17]ip add 192.168.17.1 24

[LSW13-Vlanif17]quit

[LSW13]ospf 1 router-id 17.1.1.1

[LSW13-ospf-1]area 2

[LSW13-ospf-1-area-0.0.0.2]network 192.168.17.0 0.0.0.255

[LSW13-ospf-1-area-0.0.0.2]network 10.3.1.0 0.0.0.255

[LSW13-ospf-1-area-0.0.0.2]network 10.3.2.0 0.0.0.255

[LSW13-ospf-1-area-0.0.0.2]quit

[LSW13-ospf-1]silent-interface Vlanif 10

[LSW13-ospf-1]silent-interface Vlanif 20

[LSW14]int Vlanif 18

[LSW14-Vlanif18]ip add 192.168.18.1 24

[LSW14-Vlanif18]quit

[LSW14]ospf 1 router-id 18.1.1.1

[LSW14-ospf-1]area 2

[LSW14-ospf-1-area-0.0.0.2]network 10.3.1.0 0.0.0.255

[LSW14-ospf-1-area-0.0.0.2]network 10.3.2.0 0.0.0.255

[LSW14-ospf-1-area-0.0.0.2]network 192.168.18.0 0.0.0.255

[LSW14-ospf-1-area-0.0.0.2]quit

[LSW14-ospf-1]silent-interface Vlanif 10

[LSW14-ospf-1]silent-interface Vlanif 20

[AR5]int g0/0/1

[AR5-GigabitEthernet0/0/1]ip add 192.168.17.6 24

[AR5-GigabitEthernet0/0/1]int g0/0/2

[AR5-GigabitEthernet0/0/2]ip add 192.168.18.6 24

[AR5-GigabitEthernet0/0/2]int g0/0/0

[AR5-GigabitEthernet0/0/0]ip add 50.1.1.6 24

[AR5]ospf 1 router-id 55.1.1.1

[AR5-ospf-1]area 2

[AR5-ospf-1-area-0.0.0.2]network 192.168.17.0 0.0.0.255

[AR5-ospf-1-area-0.0.0.2]network 192.168.18.0 0.0.0.255

[AR5]ip route-static 0.0.0.0 0.0.0.0 50.1.1.5

[AR5]ospf 1

[AR5-ospf-1]default-route-advertise

(5) Source NAT

[AR5]acl 2000

[AR5-acl-basic-2000]rule permit source 10.3.0.0 0.0.255.255

[AR5]int g0/0/0

[AR5-GigabitEthernet0/0/0]nat outbound 2000

6. Headquarters-to-branch DSVPN configuration: AR2 is the hub, AR4 and AR5 are the spokes; the three tunnel interfaces are on the 172.1.1.0 subnet

[AR2]int Tunnel 0/0/0

[AR2-Tunnel0/0/0]tunnel-protocol gre p2mp

[AR2-Tunnel0/0/0]ip add 172.1.1.1 24

[AR2-Tunnel0/0/0]source GigabitEthernet 0/0/2

[AR2-Tunnel0/0/0]nhrp entry multicast dynamic

[AR2-Tunnel0/0/0]ospf dr-priority 255 //raise the priority to the maximum so that the hub becomes the DR

[AR4]int Tunnel 0/0/0

[AR4-Tunnel0/0/0]tunnel-protocol gre p2mp

[AR4-Tunnel0/0/0]ip add 172.1.1.3 24

[AR4-Tunnel0/0/0]source GigabitEthernet 0/0/0

[AR4-Tunnel0/0/0]nhrp entry 172.1.1.1 20.1.1.4 register

[AR4-Tunnel0/0/0]ospf network-type broadcast

[AR4-Tunnel0/0/0]ospf dr-priority 0

[AR5]int Tunnel 0/0/0

[AR5-Tunnel0/0/0]tunnel-protocol gre p2mp

[AR5-Tunnel0/0/0]ip add 172.1.1.2 24

[AR5-Tunnel0/0/0]source GigabitEthernet 0/0/0

[AR5-Tunnel0/0/0]nhrp entry 172.1.1.1 20.1.1.4 register

[AR5-Tunnel0/0/0]ospf network-type broadcast

[AR5-Tunnel0/0/0]ospf dr-priority 0

[AR2]ospf 1

[AR2-ospf-1]area 0

[AR2-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255

[AR4]ospf 1

[AR4-ospf-1]area 0

[AR4-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255

[AR5]ospf 1

[AR5-ospf-1]area 0

[AR5-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255
