Comprehensive Lab

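Comprehensive lab requirements:
1. The whole network is planned hierarchically: access layer, distribution layer and core layer.
2. The switched network has four user VLANs, VLAN10, VLAN20, VLAN30 and VLAN40, which must be distributed sensibly across two MST instances.
3. The switched network has four interconnect VLANs, VLAN100, VLAN200, VLAN300 and VLAN400, used to interconnect the distribution-layer switches and the core routers.
4. The IP addresses on the device interconnect links can be configured manually from any subnet, but the PCs in the four user VLANs must obtain their IP addresses from a DHCP server. The DHCP server is simulated by AR4.
The mapping between user VLANs and addresses is:
VLAN10 10.1.10.0/24
VLAN20 10.1.20.0/24
VLAN30 10.1.30.0/24
VLAN40 10.1.40.0/24
5. To improve gateway availability, a gateway redundancy protocol must be configured.
6. To keep the layer-2 network secure, the root bridge must be protected accordingly.
7. So that user PCs can get online quickly, the PC-facing interfaces need special handling.
8. For the security of the DHCP server and of the network, the switches must be configured with DHCP-related security policies.
9. The distribution-layer switches and the core-layer routers run the dynamic routing protocol OSPF, planned into area 0. The OSPF devices in area 0 must also exchange protocol packets securely.
10. The core routers AR1 and AR2 are the egress routers of the internal network and each attaches to the ISP through BGP. Inbound and outbound traffic must be load balanced. Configure a test interface on the simulated ISP device for testing traffic.
11. In the end, inbound and outbound traffic must take the optimal path!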
[Figure 1: Comprehensive Lab]
Create VLAN10, VLAN20, VLAN30 and VLAN40 on LSW1, LSW2, LSW3 and LSW4, and create VLAN100, VLAN200, VLAN300 and VLAN400 on LSW1 and LSW2.
[lsw1]vlan batch 10 20 30 40 100 200 300 400
[lsw2]vlan batch 10 20 30 40 100 200 300 400
[lsw3]vlan batch 10 20 30 40
[lsw4]vlan batch 10 20 30 40
Assign the interfaces to the corresponding VLANs:
[lsw1]int g0/0/10
[lsw1-GigabitEthernet0/0/10]port link-type access
[lsw1-GigabitEthernet0/0/10]port default vlan 100
[lsw1]int g0/0/11
[lsw1-GigabitEthernet0/0/11]port link-type access
[lsw1-GigabitEthernet0/0/11]port default vlan 200

[lsw2]int g0/0/10
[lsw2-GigabitEthernet0/0/10]port link-type access
[lsw2-GigabitEthernet0/0/10]port default vlan 300
[lsw2-GigabitEthernet0/0/10]int g0/0/11
[lsw2-GigabitEthernet0/0/11]port link-type access
[lsw2-GigabitEthernet0/0/11]port default vlan 400

[lsw3]int g0/0/1
[lsw3-GigabitEthernet0/0/1]port link-type access
[lsw3-GigabitEthernet0/0/1]port default vlan 10
[lsw3-GigabitEthernet0/0/1]int g0/0/3
[lsw3-GigabitEthernet0/0/3]port link-type access
[lsw3-GigabitEthernet0/0/3]port default vlan 30

[lsw4]int g0/0/4
[lsw4-GigabitEthernet0/0/4]port link-type access
[lsw4-GigabitEthernet0/0/4]port default vlan 40
[lsw4-GigabitEthernet0/0/4]int g0/0/1
[lsw4-GigabitEthernet0/0/1]port link-type access
[lsw4-GigabitEthernet0/0/1]port default vlan 20
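1.2 Link aggregation
LSW1 and LSW2 are interconnected through G0/0/19 and G0/0/20; bundle these two interfaces into one logical interface. SW2 is the active end.
[lsw1]int Eth-Trunk 12
[lsw1-Eth-Trunk12]mode lacp-static // set the Eth-Trunk working mode to LACP
[lsw1-Eth-Trunk12]load-balance src-mac // load-balancing mode of the Eth-Trunk interface
[lsw1-Eth-Trunk12]lacp preempt enable // enable LACP priority preemption in static mode
[lsw1-Eth-Trunk12]max active-linknumber 2 // upper threshold for the number of active interfaces in the link aggregation group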
[lsw1]int g0/0/19
[lsw1-GigabitEthernet0/0/19]eth-trunk 12
[lsw1-GigabitEthernet0/0/19]int g0/0/20
[lsw1-GigabitEthernet0/0/20]eth-trunk 12

[lsw2]lacp priority 100 // set the system LACP priority
[lsw2]int Eth-Trunk 12
[lsw2-Eth-Trunk12]mode lacp-static
[lsw2-Eth-Trunk12]int g0/0/19
[lsw2-GigabitEthernet0/0/19]eth-trunk 12
[lsw2-GigabitEthernet0/0/19]lacp priority 100 // set the interface LACP priority
[lsw2-GigabitEthernet0/0/19]int g0/0/20
[lsw2-GigabitEthernet0/0/20]eth-trunk 12
[lsw2-GigabitEthernet0/0/20]lacp priority 100

1.3 Trunk
The ports interconnecting LSW1, LSW2, LSW3 and LSW4 are of type trunk and allow all VLANs through.
[lsw1]int g0/0/2
[lsw1-GigabitEthernet0/0/2]port link-type trunk
[lsw1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[lsw1-GigabitEthernet0/0/2]int g0/0/3
[lsw1-GigabitEthernet0/0/3]port link-type trunk
[lsw1-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[lsw1]int Eth-Trunk 12
[lsw1-Eth-Trunk12]port link-type trunk
[lsw1-Eth-Trunk12]port trunk allow-pass vlan all

[lsw2]int g0/0/2
[lsw2-GigabitEthernet0/0/2]port link-type trunk
[lsw2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[lsw2-GigabitEthernet0/0/2]int g0/0/4
[lsw2-GigabitEthernet0/0/4]port link-type trunk
[lsw2-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[lsw2]int Eth-Trunk 12
[lsw2-Eth-Trunk12]port link-type trunk
[lsw2-Eth-Trunk12]port trunk allow-pass vlan all

[lsw3]int g0/0/2
[lsw3-GigabitEthernet0/0/2]port link-type trunk
[lsw3-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[lsw3]int g0/0/4
[lsw3-GigabitEthernet0/0/4]port link-type trunk
[lsw3-GigabitEthernet0/0/4]port trunk allow-pass vlan all

[lsw4]int g0/0/2
[lsw4-GigabitEthernet0/0/2]port link-type trunk
[lsw4-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[lsw4-GigabitEthernet0/0/2]int g0/0/3
[lsw4-GigabitEthernet0/0/3]port link-type trunk
[lsw4-GigabitEthernet0/0/3]port trunk allow-pass vlan all
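1.4 MSTP
LSW1, LSW2, LSW3 and LSW4 all run MSTP.
VLAN10 and VLAN30 are mapped to instance 10, with LSW1 as the primary root and LSW2 as the secondary root.
VLAN20 and VLAN40 are mapped to instance 20, with LSW2 as the primary root and LSW1 as the secondary root.
The MSTP region-name is HANS and the revision-level is 1.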
[lsw1]stp mode mstp
[lsw1]stp region-configuration
[lsw1-mst-region]region-name HANS
[lsw1-mst-region]revision-level 1
[lsw1-mst-region]instance 10 vlan 10 30
[lsw1-mst-region]instance 20 vlan 20 40
[lsw1-mst-region]active region-configuration
[lsw1]stp instance 10 root primary
[lsw1]stp instance 20 root secondary
[lsw2]stp mode mstp
[lsw2]stp region-configuration
[lsw2-mst-region]region-name HANS
[lsw2-mst-region]revision-level 1
[lsw2-mst-region]instance 10 vlan 10 30
[lsw2-mst-region]instance 20 vlan 20 40
[lsw2-mst-region]active region-configuration
[lsw2]stp instance 10 root secondary
[lsw2]stp instance 20 root primary

[lsw3]stp mode mstp
[lsw3]stp region-configuration
[lsw3-mst-region]region-name HANS
[lsw3-mst-region]revision-level 1
[lsw3-mst-region]instance 10 vlan 10 30
[lsw3-mst-region]instance 20 vlan 20 40
[lsw3-mst-region]active region-configuration

[lsw4]stp mode mstp
[lsw4]stp region-configuration
[lsw4-mst-region]region-name HANS
[lsw4-mst-region]revision-level 1
[lsw4-mst-region]instance 10 vlan 10 30
[lsw4-mst-region]instance 20 vlan 20 40
[lsw4-mst-region]active region-configuration

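The interfaces on LSW1 and LSW2 that connect to PCs must enter the forwarding state immediately after coming up. When such a port receives a BPDU, the interface must be shut down automatically, and when an interface has been shut down by BPDU protection, it recovers automatically after 50s.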
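
One way to meet this requirement, together with requirement 6 (root-bridge protection), on Huawei S-series switches. This is an added example, not part of the original lab write-up. It assumes the PC-facing access ports are the ones assigned earlier on LSW3 (g0/0/1, g0/0/3) and that the downlinks are LSW1 g0/0/2, g0/0/3 and LSW2 g0/0/2, g0/0/4; the `//` lines are annotations in the page's own style and are not typed into the CLI.

```text
// PC-facing ports: treat as edge ports so they forward as soon as the link is up
[lsw3]int g0/0/1
[lsw3-GigabitEthernet0/0/1]stp edged-port enable
[lsw3-GigabitEthernet0/0/1]int g0/0/3
[lsw3-GigabitEthernet0/0/3]stp edged-port enable
[lsw3-GigabitEthernet0/0/3]quit
// Global switch: an edge port that receives a BPDU goes error-down
[lsw3]stp bpdu-protection
// Ports shut down by BPDU protection come back up after 50 seconds
[lsw3]error-down auto-recovery cause bpdu-protection interval 50
// Repeat the block above on LSW4 for its access ports g0/0/1 and g0/0/4

// Root protection on the designated ports that face the access layer:
// a superior BPDU arriving here blocks the port instead of moving the root.
// Do not apply it to Eth-Trunk 12, which is a root port for the other instance.
[lsw1]int g0/0/2
[lsw1-GigabitEthernet0/0/2]stp root-protection
[lsw1-GigabitEthernet0/0/2]int g0/0/3
[lsw1-GigabitEthernet0/0/3]stp root-protection
[lsw2]int g0/0/2
[lsw2-GigabitEthernet0/0/2]stp root-protection
[lsw2-GigabitEthernet0/0/2]int g0/0/4
[lsw2-GigabitEthernet0/0/4]stp root-protection

// Checks: the protection column per port, and ports waiting for auto-recovery
[lsw3]display stp brief
[lsw1]display stp brief
[lsw3]display error-down recovery
```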

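1.5 PPP
AR1 and AR3, and AR2 and AR3, are interconnected through POS interfaces with PPP encapsulation.
AR3 must authenticate AR1 with CHAP; AR3 is the authenticator and AR1 is the authenticated party. The user name is HCIE and the password is HANS.
AR3 must authenticate AR2 with PAP; AR3 is the authenticator and AR2 is the authenticated party. The user name is HCNP and the password is HANS.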
[R3]int p2/0/0
[R3-Pos2/0/0]link-protocol ppp
[R3-Pos2/0/0]ppp authentication-mode chap
[R3-Pos2/0/0]ppp chap user HCIE
[R3-Pos2/0/0]ppp chap password cipher HANS
[R3-Pos2/0/0]int p5/0/0
[R3-Pos5/0/0]link-protocol ppp
[R3-Pos5/0/0]ppp authentication-mode pap
[R3-Pos5/0/0]ppp pap local-user HCNA password cipher HANS
R1:

interface Pos2/0/0
link-protocol ppp
ppp authentication-mode chap
ppp chap user HCIE
ppp chap password cipher <ciphertext garbled in source>
ip address 10.1.13.1 255.255.255.0

R2:

interface Pos2/0/0
link-protocol ppp
ppp authentication-mode pap
ppp pap local-user HCNA password cipher <ciphertext garbled in source>
ip address 10.1.23.2 255.255.255.0

Part 2: IGP configuration
2.1 Basic configuration
IP address plan for all devices:
AR1:
interface Ethernet3/0/0
ip address 10.1.14.1 255.255.255.0
interface GigabitEthernet0/0/0
ip address 10.1.100.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.103.1 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.12.1 255.255.255.0
interface Pos2/0/0
ip address 10.1.13.1 255.255.255.0
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
AR2:
interface GigabitEthernet0/0/0
ip address 10.1.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.104.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.1.12.2 255.255.255.0
#
interface Pos2/0/0
ip address 10.1.23.2 255.255.255.0
#
interface LoopBack0
ip address 10.2.2.2 255.255.255.255
#
AR3:
interface Pos2/0/0
ip address 10.1.13.3 255.255.255.0
#
interface Pos5/0/0
ip address 10.1.23.3 255.255.255.0
#
interface LoopBack0
ip address 200.200.200.200 255.255.255.255
AR4:
interface LoopBack0
ip address 10.4.4.4 255.255.255.255
int g0/0/0
ip add 10.1.14.4 24

SW1:
interface Vlanif100
ip address 10.1.100.10 255.255.255.0
#
interface Vlanif200
ip address 10.1.102.10 255.255.255.0
SW2:
interface Vlanif300
ip address 10.1.103.10 255.255.255.0
#
interface Vlanif400
ip address 10.1.104.10 255.255.255.0
2.2 OSPF
All routers use OSPF process ID 1. The interconnect interfaces of AR1, AR2, SW1 and SW2, as well as loopback0, all run in OSPF area 0.
[R1]ospf 1 router-id 10.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.1.1.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.1.100.1 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.1.103.1 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.1.12.1 0.0.0.255

LSW1:
ospf 1
area 0.0.0.0
network 10.1.100.0 0.0.0.255
network 10.1.102.0 0.0.0.255
2.3 OSPF authentication
Area 0 must be protected with area authentication. The authentication mode is MD5 and the authentication password is HANS.
ospf 1 router-id 10.2.2.2
area 0.0.0.0
authentication-mode md5 1 cipher % % T1sB’H|MTKXJ:>SnzJd#}e% %
network 10.1.12.0 0.0.0.255
network 10.1.102.0 0.0.0.255
network 10.1.104.0 0.0.0.255
network 10.2.2.2 0.0.0.0
2.4 RIP
The interconnect interfaces between AR1 and AR4 and AR4's loopback0 interface run RIPv2.
AR1:
rip 1
undo summary
version 2
network 10.0.0.0
AR4:
rip 1
undo summary
version 2
network 10.0.0.0
2.5 RIP and OSPF interworking
On AR1, RIP and OSPF import routes from each other, and AR1 summarizes the route to AR4's loopback0; the cost of the summary route is 100.
[R1-rip-1]import-route ospf
[R1-ospf-1]import-route rip 1
[R1-ospf-1]asbr-summary 10.4.4.4 255.255.255.255 cost 100
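2.6 Default route advertisement
Configure OSPF default routes on AR1 and AR2 so that the internal network sends traffic destined for external networks to the egress devices AR1 and AR2. After this part is configured, all internal devices can reach one another.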
[R1]ip route-static 0.0.0.0 0.0.0.0 10.1.13.3
[R1-ospf-1]default-route-advertise
[R2]ip route-static 0.0.0.0 0.0.0.0 10.1.23.3
[R2-ospf-1]default-route-advertise
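Part 3: BGP
3.1 EBGP
Configure EBGP peer relationships between AR1 and AR3 and between AR2 and AR3, using the directly connected addresses to establish the peers. AR1 and AR2 belong to AS 100 and AR3 belongs to AS 200.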
AR1:
bgp 100
peer 10.1.12.2 as-number 100
peer 10.1.13.3 as-number 200
AR2:
bgp 100
peer 10.1.12.1 as-number 100
peer 10.1.23.3 as-number 200
AR3:
bgp 200
peer 10.1.13.1 as-number 100
peer 10.1.23.2 as-number 100
3.2 BGP routes
On R3, advertise a default route to each EBGP peer and advertise its own 200.200.200.200 into BGP.
[R3-bgp]peer 10.1.13.1 default-route-advertise // advertise a default route to the EBGP peer
[R3-bgp]peer 10.1.23.2 default-route-advertise
[R3-bgp]network 200.200.200.200 32
[R3]dis bgp peer
10.1.13.1 4 100 5 8 0 00:03:16 Established 0
10.1.23.2 4 100 7 8 0 00:03:07 Established 0

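3.3 BGP control
Traffic from the internal network to AS200 must use AR1 as the exit as long as the link between AR1 and AR3 has no problem; only when the AR1-AR3 link fails does traffic switch over to AR2.
3.4 Data communication
After this part is configured, the internal PCs must be able to reach the routes in AS200.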

Part 4: VRRP configuration
LSW1:
interface Vlanif10
vrrp vrid 10 virtual-ip 10.1.10.254
vrrp vrid 10 priority 120
vrrp vrid 10 preempt-mode timer delay 20
vrrp vrid 10 authentication-mode md5 ,)-5O5r!Q2^QW:LZJi;=-5j#

interface Vlanif20
vrrp vrid 20 virtual-ip 10.1.20.254
vrrp vrid 20 authentication-mode md5 Uvz’/)$eZ>y~t+Byca8Y’7P#

interface Vlanif30
vrrp vrid 30 virtual-ip 10.1.30.254
vrrp vrid 30 priority 120
vrrp vrid 30 preempt-mode timer delay 20
vrrp vrid 30 authentication-mode md5 >$e6J!EY},u:|l#3M^#3M6f#

interface Vlanif40
vrrp vrid 40 virtual-ip 10.1.40.254
vrrp vrid 40 authentication-mode md5 ySCZJ,aLVIS/0Rb{DzN)8$#
LSW2:
interface Vlanif10
vrrp vrid 10 virtual-ip 10.1.10.254
vrrp vrid 10 authentication-mode md5 ,)-5O5r!Q2:.&R&e7S(F9^#

interface Vlanif20
vrrp vrid 20 virtual-ip 10.1.20.254
vrrp vrid 20 priority 120
vrrp vrid 20 preempt-mode timer delay 20
vrrp vrid 20 authentication-mode md5 <ciphertext garbled in source>

interface Vlanif30
vrrp vrid 30 virtual-ip 10.1.30.254
vrrp vrid 30 authentication-mode md5 5n3l(ic2T-EBi%T]n/.IF;%#

interface Vlanif40
vrrp vrid 40 virtual-ip 10.1.40.254
vrrp vrid 40 priority 120
vrrp vrid 40 preempt-mode timer delay 20
vrrp vrid 40 authentication-mode md5 ;@Q{Pw+*GUWq<}.DH-])v=2#
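Part 5: DHCP configuration
R4 simulates the DHCP server in the network, and DHCP relay must be configured on LSW1 and LSW2. The PCs obtain their addresses through DHCP. To protect the DHCP server, the DHCP snooping feature must be enabled in the switched network.
In the end, all PCs obtain the correct IP addresses and can reach the external network.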
R4:
dhcp enable

ip pool vlan10
gateway-list 10.1.10.254
network 10.1.10.0 mask 255.255.255.0
lease day 10 hour 0 minute 0
dns-list 8.8.8.8

ip pool vlan20
gateway-list 10.1.20.254
network 10.1.20.0 mask 255.255.255.0
lease day 10 hour 0 minute 0
dns-list 8.8.8.8

ip pool vlan30
gateway-list 10.1.30.254
network 10.1.30.0 mask 255.255.255.0
lease day 10 hour 0 minute 0
dns-list 8.8.8.8

ip pool vlan40
gateway-list 10.1.40.254
network 10.1.40.0 mask 255.255.255.0
lease day 10 hour 0 minute 0
dns-list 8.8.8.8
LSW1:

dhcp enable

dhcp snooping enable

interface Vlanif10
ip address 10.1.10.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.14.4

interface Vlanif20
ip address 10.1.20.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.14.4

interface Vlanif30
ip address 10.1.30.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.14.4

interface Vlanif40
ip address 10.1.40.254 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.14.4

ospf 1
area 0.0.0.0
authentication-mode md5 1 cipher O4D!E(t|&Y9P4p;tsqP+1VN#
network 10.1.100.0 0.0.0.255
network 10.1.102.0 0.0.0.255
network 10.1.10.0 0.0.0.255
network 10.1.20.0 0.0.0.255
network 10.1.30.0 0.0.0.255
network 10.1.40.0 0.0.0.255

interface GigabitEthernet0/0/2
dhcp snooping enable

interface GigabitEthernet0/0/3
dhcp snooping enable

LSW2 is configured the same as LSW1.
R1、R2:
dhcp enable
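
The DHCP snooping trust boundary on an access switch, added here as an example and not taken from the original write-up. It assumes LSW3's PC ports (g0/0/1 in VLAN10, g0/0/3 in VLAN30) and uplinks (g0/0/2, g0/0/4) as configured earlier on the page; the `//` lines are annotations, not CLI input.

```text
[lsw3]dhcp enable
[lsw3]dhcp snooping enable
// Enable snooping in the user VLANs present on this switch
[lsw3]vlan 10
[lsw3-vlan10]dhcp snooping enable
[lsw3-vlan10]vlan 30
[lsw3-vlan30]dhcp snooping enable
[lsw3-vlan30]quit
// Only the uplinks towards the relays (LSW1/LSW2) may deliver server replies;
// an OFFER or ACK arriving on any other port is dropped
[lsw3]int g0/0/2
[lsw3-GigabitEthernet0/0/2]dhcp snooping trusted
[lsw3-GigabitEthernet0/0/2]int g0/0/4
[lsw3-GigabitEthernet0/0/4]dhcp snooping trusted
[lsw3-GigabitEthernet0/0/4]quit
// Checks: which ports are trusted, and the bindings learned from real leases
[lsw3]display dhcp snooping configuration
[lsw3]display dhcp snooping user-bind all
```

All ports are untrusted by default, so enabling snooping without marking the uplinks as trusted drops every server reply and the PCs stop obtaining leases.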
