模拟题计算机网络

sysname S1 …………其余设备同理

[S1]vlan 10

[S1]vlan 20 -------创建vlan 10 20-- S1 S2 S3 S4同理

S2设置端口类型

[S2]int range GigabitEthernet 1/0/1 to GigabitEthernet 1/0/4

[S2-if-range]port link-type trunk

[S2-if-range]port trunk permit vlan 10 20

S3设置端口类型

[S3]int range GigabitEthernet 1/0/1 to GigabitEthernet 1/0/4

[S3-if-range]port link-type trunk

[S3-if-range]port trunk permit vlan 10 20

S1设置端口类型

[S1]int range GigabitEthernet 1/0/1 to GigabitEthernet 1/0/2

[S1-if-range]port link-type trunk

[S1-if-range]port trunk permit vlan 10 20

[S1]int GigabitEthernet 1/0/3

[S1-GigabitEthernet1/0/3]port link-type access

[S1-GigabitEthernet1/0/3]port access vlan 10

S4设置端口类型

[S4]int range GigabitEthernet 1/0/1 to GigabitEthernet 1/0/2

[S4-if-range]port link-type trunk

[S4-if-range]port trunk permit vlan 10 20

[S4]int GigabitEthernet 1/0/4

[S4-GigabitEthernet1/0/4]port link-type access

[S4-GigabitEthernet1/0/4]port access vlan 20

这里只S2W为例查看vlan信息是否正确

配置ip地址

S2上

[S2]int Vlan-interface 10

[S2-Vlan-interface10]ip address 172.16.10.252 24

[S2]int Vlan-interface 20

[S2-Vlan-interface20]ip address 172.16.20.252 24

[S2-LoopBack0]ip address 9.9.9.202 32

[S2-GigabitEthernet1/0/5]port link-mode route

[S2-GigabitEthernet1/0/5]ip address 10.0.0.1 30

S3上

[S3]int Vlan-interface 10

[S3-Vlan-interface10]ip address 172.16.10.253 24

[S3]int Vlan-interface 20

[S3-Vlan-interface20]ip address 172.16.20.253 24

 

[S3-LoopBack0]ip address 9.9.9.203 32

[S3-GigabitEthernet1/0/5]port link-mode route                       

[S3-GigabitEthernet1/0/5]ip address 20.0.0.1 30

PC1上

MSTP及VRRP部署

[S2]stp mode mstp  

[S2]stp region-configuration

[S2-mst-region]region-name h3c

[S2-mst-region]instance 1 vlan 10

[S2-mst-region]instance 2 vlan 20

[S2-mst-region]active region-configuration------S1 S2 S3 S4 同理

在S2

[S2]stp instance 1 root primary

[S2]stp instance 2 root secondary

[S2]int Vlan-interface 10

[S2-Vlan-interface10]vrrp vrid 20 virtual-ip 172.16.10.254

[S2]int Vlan-interface 20

[S2-Vlan-interface10]vrrp vrid 20 virtual-ip 172.16.20.254

[S2-Vlan-interface10]vrrp vrid 10 preempt-mode

[S2-Vlan-interface10]vrrp vrid 10 priority 150(S2为vlan10的主通道，所以优先级高)

[S2-Vlan-interface10]dis this

[S2]int Vlan-interface 20

[S2-Vlan-interface20]vrrp vrid 20 virtual-ip 172.16.20.254

[S2-Vlan-interface20]vrrp vrid 20 preempt-mode

[S2-Vlan-interface20]vrrp vrid 20 priority 110

[S2-Vlan-interface20]dis this

在S3

[S3]stp instance 1 root secondary

[S3]stp instance 2 root primary

[S3]int Vlan-interface 10

[S3-Vlan-interface10]vrrp vrid 20 virtual-ip 172.16.10.254

[S3]int Vlan-interface 20

[S3-Vlan-interface10]vrrp vrid 20 virtual-ip 172.16.20.254

[S3-Vlan-interface10]vrrp vrid 10 preempt-mode

[S3-Vlan-interface10]vrrp vrid 10 priority 110(S2为vlan10的主通道，所以优先级高)

[S3-Vlan-interface10]dis this

[S3]int Vlan-interface 20

[S3-Vlan-interface20]vrrp vrid 20 virtual-ip 172.16.20.254

[S3-Vlan-interface20]vrrp vrid 20 preempt-mode

[S3-Vlan-interface20]vrrp vrid 20 priority 150

[S3-Vlan-interface20]dis this

链路可靠性部署

[S2]interface Bridge-Aggregation 1（先创建一个虚拟接口）

[S2-Bridge-Aggregation1] port link-type trunk（这里因为物理接口是trunk模型所以也要把虚拟接口设为trunk）

[S2-Bridge-Aggregation1]port trunk permit vlan 10 20

[S2]int range GigabitEthernet 1/0/1 to GigabitEthernet 1/0/2（将接口加入到虚拟接口）

[S2-if-range]port link-aggregation group 1

[S2]dis interface  Bridge-Aggregation brief（查看是否借入成功）

防火墙安全域部署

在FW1

[fw]acl advanced 3000

[fw-acl-ipv4- advanced -3000] rule 0 permit ip destination any

[FW]security-zone name trust（创建域）

[FW-security-zone-trust] import interface GigabitEthernet 1/0/1

[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/0

[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/2（将接口加入到对应的域）

[fw]zone-pair security source any destination any（在生产环境不要这样写）

[fw-zone-pair-security-Any-Any] packet-filter 3000（应用规则acl）

[fw]zone-pair security source untrust destination trust（从外部到内部）

[fw]zone-pair security sourcet trust destination untrus（从内部到外部）

在FW2

[fw]acl advanced 3000

[fw-acl-ipv4- advanced -3000] rule 0 permit ip destination any

[FW]security-zone name trust（创建域）

[FW-security-zone-trust] import interface GigabitEthernet 1/0/1

[FW2-security-zone-Trust]import interface GigabitEthernet 1/0/0（将接口加入到对应的域）

[FW2-security-zone-Trust]import interface GigabitEthernet1/0/0

[FW2-security-zone-Trust]import interface GigabitEthernet1/0/1

[FW2-security-zone-Trust]import interface GigabitEthernet1/0/2

[FW2-security-zone-Trust]import interface GigabitEthernet1/0/3

IPv4 IGP路由部署（ospf）

在S3

ospf 10 router-id 9.9.9.202

[S3-ospf-10]silent-interface Vlan-interface 10

[S3-ospf-10]silent-interface Vlan-interface 20

[S3-ospf-10]area 0

[S3-ospf-10-area-0.0.0.0]network 9.9.9.203 0.0.0.0

[S3-ospf-10-area-0.0.0.0]network 10.0.0.0 0.0.0.3

[S3-ospf-10-area-0.0.0.0]network 172.16.10.0 0.0.0.255

[S3-ospf-10-area-0.0.0.0]network 172.16.20.0 0.0.0.255

在S2

ospf 10 router-id 9.9.9.202

[S2-ospf-10]silent-interface Vlan-interface 10

[S2-ospf-10]silent-interface Vlan-interface 20

[S2-ospf-10]area 0

[S2-ospf-10-area-0.0.0.0]network 9.9.9.202 0.0.0.0

[S2-ospf-10-area-0.0.0.0]network 10.0.0.0 0.0.0.3

[S2-ospf-10-area-0.0.0.0]network 172.16.10.0 0.0.0.255

[S2-ospf-10-area-0.0.0.0]network 172.16.20.0 0.0.0.255

在FW1

[FW1]ospf 10 router-id 1.1.1.1

[FW1-ospf-10]area 0

[FW1-ospf-10-area-0.0.0.0]network 10.0.0.0 0.0.0.3

[FW1-ospf-10-area-0.0.0.0]network 1.1.1.1 0.0.0.0

在FW2

[FW1]ospf 10 router-id 2.2.2.2

[FW1-ospf-10]area 0

[FW1-ospf-10-area-0.0.0.0]network 20.0.0.0 0.0.0.3

[FW1-ospf-10-area-0.0.0.0]network 2.2.2.2 0.0.0.0

IPv4 BGP路由部署

在FW1

[FW1]bgp 100

[FW1-bgp-default]peer 125.1.1.2 as-number 200

[FW1-bgp-default]address-family ipv4

[FW1-bgp-default-ipv4]peer 125.1.1.2 enable

在R2

[R2]bgp 200

[R2-bgp-default]peer 125.1.1.1 as-number 100

[R2-bgp-default]address-family ipv4

[R2-bgp-default-ipv4]peer 125.1.1.1 enable

建立对点

题干上说了由总部发布缺省路由

建立缺省路由

[FW1]ip route-static 0.0.0.0 0 125.1.1.2

FW1-bgp-default-ipv4] network 1.1.1.1 0.0.0.0

[FW1-bgp-default-ipv4]network 0.0.0.0 0.0.0.0（将缺省路由发布到）R2

R2接收到FW1的缺省路由

此时可以ping到R2的逻辑接口

通过验证我们只有这一部分能够ping通，是因为在R2上没有总部的路由此时需要将总部的ospf自动引入到分部

在FW1上将ospf 10引入到bgp

[FW1]bgp 100

[FW1-bgp-default]address-family ipv4

[FW1-bgp-default-ipv4]import-route ospf 10

此时在R2上查看到了引入的ospf路由来自bgp100

此时我们在S2上同样不能ping通分部是因为我们的总部S2上没有分部的路由

这里还需要将分部的直连路由和bgp自动引入到总部的ospf 10

在FW1

[FW1]ospf 10

[FW1-ospf-10]import-route direct

[FW1-ospf-10]import-route bgp

此时我们在S2看到直连路由引入进来了

在R2上引入直连路由到bgp

[R2]bgp 200

[R2-bgp-default]address-family ipv4

[R2-bgp-default-ipv4]import-route direct

在PC2配置ip地址

在PC1上可以任意ping到分部AS200实现全网ping通

在FW2与R3上的bgp同理配置最后可以测试pc ping通

配置ppp认证

最后实现全网互ping：