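- I haven't updated the blog in a long time, partly because I'm not very satisfied with how my notes are organized, and partly because some of what I have been studying can't be published on the blog. If you need it, you can contact me by email (Email: [email protected]).
- This post is my organized notes for HCIE-RS Lab-Option-C1. Most lab commands are abbreviated; expand them to the full commands yourself if needed. Some notes cannot be recorded on the blog and are shared via Youdao Cloud.
- This blog is for reference only. To repost, contact the author, credit the source and include a link to this article. Commercial use is prohibited!!!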
Solution: configure Eth-Trunk on S1 and S2 respectively
int eth 12
mode man loa
loa src-dst-mac
tr g 0/0/23 0/0/24
Solution: create vlan 10 and vlan 20 on each of S1, S2, S3 and S4, configure the links between the switches as Trunk, and allow all VLANs except VLAN 1 to pass
vlan bat 10 20
int g0/0/1
p l t
p t a v a
undo p t a v 1
int g0/0/2
p l t
p t a v a
undo p t a v 1
int g0/0/12
p l t
p t a v a
undo p t a v 1
int eth 12
p l t
p t a v a
undo p t a v 1
vlan bat 10 20
int g0/0/1
p l t
p t a v a
undo p t a v 1
int g0/0/2
p l t
p t a v a
undo p t a v 1
int e0/0/1
p l a
p d v 10
vlan bat 10 20
int g0/0/1
p l t
p t a v a
undo p t a v 1
int g0/0/2
p l t
p t a v a
undo p t a v 1
int e0/0/1
p l a
p d v 20
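A source MAC of 00-00-5E-00-01-01 indicates VRRP VRID 1, which is the Master for VLAN 10
A source MAC of 00-00-5E-00-01-02 indicates VRRP VRID 2, which is the Master for VLAN 20
Configure the preemption delay as 60 s
Solution: configure VRRP on interfaces G0/0/2.10 and G0/0/2.20 of CE1; the interface addresses are preconfigured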
int g0/0/2.10
arp bro en //sub-interfaces are involved, so ARP broadcast must be enabled
vrrp vrid 1 vir 10.3.1.254
vrrp vrid 1 pri 120 //configure the VRRP priority
vrrp vrid 1 pre timer de 60 //configure the preemption delay
int g0/0/2.20
arp bro en
vrrp vrid 2 vir 10.3.2.254
int g0/0/2.10
arp bro en
vrrp vrid 1 vir 10.3.1.254
int g0/0/2.20
arp bro en
vrrp vrid 2 vir 10.3.2.254
vrrp vrid 2 pri 120
vrrp vrid 2 pre timer de 60
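Use the following command to check the VRRP backup group status on CE1 and CE2:
dis vrrp brief
- CE1 is the Master for vrid 1 and the Backup for vrid 2
- CE2 is the Master for vrid 2 and the Backup for vrid 1
Use the PCs to test connectivity to their respective gateways. If the state is not as expected, complete the MSTP configuration and check again; if it is still not as expected, check whether the Trunk interfaces are misconfigured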
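Configure the MSTP region: bind VLAN 10 to Instance 10, with S1 as the primary root and S2 as the secondary root; VLAN 20 follows the same approach. Change the revision level to 12. The region configuration must be exactly the same on all switches, and the region configuration must be activated at the end
Configure the interfaces connected to PCs as edge ports
Solution: configure the MSTP region on each of S1, S2, S3 and S4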
stp reg
reg HUAWEI
revi 12
inst 10 vlan 10
inst 20 vlan 20
acti reg
stp ins 10 root pri
stp ins 20 root sec
stp ins 10 root sec
stp ins 20 root pri
On S3 and S4, check whether the MSTP instance port roles are correct
dis stp bri
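- On S3, G0/0/1 is the RP for Instance 10 and the AP for Instance 20; G0/0/2 is the AP for Instance 10 and the RP for Instance 20
- On S4, G0/0/1 is the AP for Instance 10 and the RP for Instance 20; G0/0/2 is the RP for Instance 10 and the AP for Instance 20
stp edged-port default //set all ports of the switch as edge ports, which is convenient for later expansion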
int g0/0/1
stp edge dis
int g0/0/12
stp edge dis
int eth 12
stp edge dis
int g0/0/1
stp edge dis
int g0/0/2
stp edge dis
Check the STP port status on S3 and S4
dis stp int e 0/0/1
- Active under Port Edged is enable
Change the link protocol to HDLC
PE1's interface address is 10.1.13.1/30, and RR1's interface address is 10.1.13.2/30
int s0/0/0
l h
int s0/0/1
l h
int ip 1
trun se 0/0/0 0/0/1
ip ad 10.1.13.1 30
int s0/0/0
l h
int s0/0/1
l h
int ip 1
trun se 0/0/0 0/0/1
ip ad 10.1.13.2 30
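Use either of the following commands to check the interface status:
dis ip int ip 1
dis int ip 1
The link protocol type is PPP (PPP is the default protocol type)
PE3's interface address is 10.2.33.2/30, and CE3's interface address is 10.2.33.1/30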
int mp 0/0/1
ip ad 10.2.33.2 30
int pos 4/0/0
ppp mp mp 0/0/1
int pos 6/0/0
ppp mp mp 0/0/1
int mp 0/0/1
ip ad 10.2.33.1 30
int pos 4/0/0
ppp mp mp 0/0/1
int pos 6/0/0
ppp mp mp 0/0/1
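Use either of the following commands to check the interface status:
dis ip int mp 0/0/1
dis int mp 0/0/1
Set the sub-interfaces of CE1 and CE2 as silent interfaces
Solution: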
ospf 1
sil g0/0/2.10
sil g0/0/2.20
area 0
net 10.3.1.1 0.0.0.0
net 10.3.2.1 0.0.0.0
ospf 1
sil g0/0/2.10
sil g0/0/2.20
a 0
net 10.3.1.2 0.0.0.0
net 10.3.2.2 0.0.0.0
RR2, P2, PE3 and PE4 are in OSPF area 0; costs are configured as in Figure 2. (Preconfigured)
Solution:
int g0/0/0
ospf net p2p
Solution:
ip ip-prefix 1 index 10 permit 172.16.1.2 32
route-policy import permit node 10
if-match ip-prefix 1
ospf 1
import-route direct type 1 route-policy import
On PE3, check whether the OSPF protocol routing table has a route to 172.16.1.2 with a cost of 21
dis ip routing-table protocol ospf
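Note: P2 and PE4 use the loopback0 interface to establish their LDP session. Because P2's Loopback0 belongs to the ISIS network, the LDP session between P2 and PE4 cannot be established until the two-point bidirectional redistribution is in place; the same applies to RR2 and PE3.
The cost of the link between PE1 and RR1 is 1500
Solution: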
int ip 1
isis en 1
isis cost 1500
Solution:
int g0/0/0
isis cir p2p
To ensure that the AS100 public-network LSPs are reachable in the later MPLS VPN, leak the 172.16.0.0/16 host routes from L2 into L1 on RR1 and P1.
ip ip-prefix 1 index 10 permit 172.16.0.0 16 g 32 l 32
isis 1
import-route isis level-2 into level-1 filter-policy ip-prefix 1
ip ip-prefix 1 index 10 permit 172.16.0.0 16 g 32 l 32
isis 1
import-route isis level-2 into level-1 filter-policy ip-prefix 1
On PE1, check whether there are routes to 172.16.1.5 and 172.16.1.6
dis ip routing-table protocol isis
Solution:
ospf 1
default cost inherit-metric //the cost of imported routes is the cost value they already carry
ip ip-prefix 1 index 10 permit 172.16.0.0 16 g 32 l 32
route-policy oti deny node 5
if-match tag 300
route-policy oti permit node 10
if-match ip-prefix 1
apply tag 100
isis 1
import-route ospf 1 inherit-cost route-policy oti
route-policy ito deny node 10
if-match tag 200
route-policy ito permit node 20
if-match ip-prefix 1
apply tag 400
ospf 1
import isis 1 type 1 route-policy ito
ip ip-prefix 1 index 10 permit 172.16.0.0 16 g 32 l 32
route-policy ito deny node 5
if-match tag 100
route-policy ito permit node 10
if-match ip-prefix 1
apply tag 300
ospf 1
import isis 1 type 1 route-policy ito
route-policy oti deny node 5
if-match tag 400
route-policy oti permit node 10
if-match ip-prefix 1
apply tag 200
isis 1
import-route ospf 1 inherit-cost route-policy oti
route-policy pre permit node 10
if-match tag 300
apply preference 150
ospf 1
preference ase route-policy pre 10
route-policy pre permit node 10
if-match tag 400
apply preference 150
ospf 1
preference ase route-policy pre 10
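Use the following commands to view the OSPF and ISIS protocol routing tables:
dis ip routing-table protocol ospf
dis ip routing-table protocol isis
- The OSPF protocol routing table has 4 entries, and the ISIS protocol routing table has 5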
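How the four tags keep a route from being redistributed back into the protocol it came from, as an added Python example (not part of the original notes). The router names A and B are hypothetical labels for the two redistribution points, because the notes do not show which device each block belongs to.

```python
import ipaddress

# Added illustration, not from the original notes: first-match evaluation of
# the oti/ito route-policies. "A" and "B" are hypothetical router labels.
HOSTS = ipaddress.ip_network("172.16.0.0/16")  # ip-prefix 1: 172.16.0.0 16 g 32 l 32

def in_prefix_list(prefix):
    """True only for /32 host routes inside 172.16.0.0/16."""
    net = ipaddress.ip_network(prefix)
    return net.prefixlen == 32 and net.subnet_of(HOSTS)

# (router, direction) -> (tag denied by the first node, tag applied on permit)
POLICIES = {
    ("A", "ospf->isis"): (300, 100),  # oti: deny tag 300, apply tag 100
    ("A", "isis->ospf"): (200, 400),  # ito: deny tag 200, apply tag 400
    ("B", "isis->ospf"): (100, 300),  # ito: deny tag 100, apply tag 300
    ("B", "ospf->isis"): (400, 200),  # oti: deny tag 400, apply tag 200
}

def redistribute(router, direction, route):
    """Return the route as imported into the target protocol, or None if filtered."""
    deny_tag, set_tag = POLICIES[(router, direction)]
    if route.get("tag") == deny_tag:         # the deny node is evaluated first
        return None
    if not in_prefix_list(route["prefix"]):  # no node matches: implicit deny
        return None
    return {"prefix": route["prefix"], "tag": set_tag}

def feedback(first, second, start_dir, prefix):
    """Import an untagged route at `first`, then try to import it back at `second`."""
    back_dir = "isis->ospf" if start_dir == "ospf->isis" else "ospf->isis"
    imported = redistribute(first, start_dir, {"prefix": prefix, "tag": None})
    back = redistribute(second, back_dir, imported) if imported else None
    return imported, back

if __name__ == "__main__":
    # Constructed sample routes; the addresses appear elsewhere in the notes.
    print(feedback("A", "B", "ospf->isis", "172.16.1.2/32"))
    print(feedback("B", "A", "isis->ospf", "172.16.1.5/32"))
```

Each direction on one router denies exactly the tag that the opposite direction on the other router applies, so the second import in `feedback` is always filtered.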
Solution:
isis 1
timer lsp-generation 1 50 50
timer spf 1 100 100
flash-flood
[Notes link]
Solution:
bfd
bfd isp bind peer-ip 100.0.1.2 interface GigabitEthernet2/0/1 one-arm-echo
discriminator local 1
detect-multiplier 4
min-echo-rx-interval 30
commit
ip route-static 0.0.0.0 0 100.0.1.2 track bfd-session isp
Result:
dis bfd session all
dis ip rou
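Check whether the routing table has a default route
Note: in the current exam this link between CE2 and the ISP does not exist, so this requirement no longer needs to be configured; if the link exists, configure it as in the solution. Keep practicing both the NQA and the BFD configuration; either one may be tested at random. (2 points)
Solution: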
ip route-static 0.0.0.0 0.0.0.0 200.0.2.2 track nqa admin icmp
nqa test-instance admin icmp
test-type icmp
destination-address ipv4 200.0.2.2
frequency 3
start now
Result:
dis nqa-agent
dis ip rou
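Check whether the routing table has a default route
Because the CE2-ISP link does not exist in the current exam, there is no need to advertise a default route on CE2 here; only CE1 needs to advertise the default route.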
ospf 1
default-route-advertise
Result: when CE1's G2/0/1 interface goes down, the default route in the routing table is the one advertised by OSPF
bgp 65000
peer 10.2.11.6 default-route-advertise conditional-route-match-all 0.0.0.0 0
bgp 65000
peer 10.2.22.6 default-route-advertise conditional-route-match-all 0.0.0.0 0
ospf 2
default-route-advertise
ospf 2
default-route-advertise
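Result:
- On PE1, view the VPNv4 routing table: the VPN_OUT table has a default route with two next hops (BGP needs to refresh the received route information); the default route is visible on PE3
- The default route is visible on both CE3 and CE4
Because the CE2-ISP link no longer exists, interface tracking is no longer needed on CE1, so the following commands do not need to be configured.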
int g0/0/2.10
vrrp vrid 1 track interface GigabitEthernet2/0/1 reduced 15
vrrp vrid 1 track interface GigabitEthernet0/0/0 reduced 15
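Because there is currently no CE2-ISP link, this step does not need to be configured; only the G0/0/0 interface needs to be tracked. For the solution, see the "##" part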
int g0/0/2.20
vrrp vrid 2 track interface GigabitEthernet2/0/2 reduced 15
vrrp vrid 2 track interface GigabitEthernet0/0/0 reduced 15
route-policy org permit node 10
apply origin incomplete
bgp 65000
peer 10.2.22.6 default-route-advertise route-policy org conditional-route-match-all 0.0.0.0 0
Result: on PE2, view the VPNv4 routing table; the origin of the default route becomes ?
dis bgp v4 all rou
int g0/0/2.20
vrrp vrid 2 track interface GigabitEthernet0/0/0 reduced 30
Solution:
nat address-group 1 102.0.1.2 102.0.1.6
acl number 2000
rule 5 deny source 10.3.2.10 0
rule 10 permit source 10.3.0.0 0.0.255.255
int g2/0/1
nat outbound 2000 address-group 1
nat server protocol tcp global 102.0.1.1 www inside 10.3.2.10 www
nat server protocol tcp global 102.0.1.1 ftp inside 10.3.2.10 ftp
Configure address-pool-based NAPT and NAT Server on CE2; because there is no link between CE2 and the ISP, this step does not need to be configured
nat address-group 1 102.0.1.2 102.0.1.6
acl number 2000
rule 5 deny source 10.3.2.10 0
rule 10 permit source 10.3.0.0 0.0.255.255
interface GigabitEthernet2/0/2
nat outbound 2000 address-group 1
nat server protocol tcp global 102.0.1.1 www inside 10.3.2.10 www
nat server protocol tcp global 102.0.1.1 ftp inside 10.3.2.10 ftp
Result:
- CE3 can access the ISP
ping -a -c 10 10.3.3.3 113.1.1.1
- On CE1, view the NAT address translation information:
dis nat session all
Solution:
time-range work 08:00 to 18:00 working-day
acl number 3000
rule 5 permit tcp destination-port range 6881 6999 time-range work
int g2/0/1
qos car outbound acl 3000 cir 1024
time-range work 08:00 to 18:00 working-day
acl number 3000
rule 5 permit tcp destination-port range 6881 6999 time-range work
int g2/0/2
qos car outbound acl 3000 cir 1024
Service address prefix | Service class | 802.1p | DSCP | Scheduling policy | Weight | Congestion avoidance mechanism | Low threshold | High threshold | Drop probability |
---|---|---|---|---|---|---|---|---|---|
10.3.1.0/24 | RealTime | 101 | EF 46 5 | PQ | | No packet loss | | | |
10.3.2.0/24 | Signal | 100 | CS4 32 4 | WFQ | 63 | WRED | 70% | 100% | 50% |
10.3.3.0/24 | Monitor | 011 | CS3 24 3 | WFQ | 21 | WRED | 50% | 90% | 50 |
10.3.4.0/24 | Office | 010 | CS2 16 2 | WFQ | 9 | WRED | 50% | 80% | 50 |
Other | BE | 000 | BE 0 0 | WFQ | 1 | WRED | 50% | 80% | 50 |
- The DSCP value of EF is 46; CS values are CSx = 8x; AF values are AFxy = 8x + 2y
- The value of CS4 is 8×4 = 32; the value of AF11 is 8×1 + 2×1 = 10
Solution:
acl name office 3996
rule 5 permit ip destination 10.3.4.0 0.0.0.255
acl name monitor 3997
rule 5 permit ip destination 10.3.3.0 0.0.0.255
acl name signal 3998
rule 5 permit ip destination 10.3.2.0 0.0.0.255
acl name realtime 3999
rule 5 permit ip destination 10.3.1.0 0.0.0.255
traffic classifier Office
if-match acl 3996
traffic classifier Monitor
if-match acl 3997
traffic classifier Signal
if-match acl 3998
traffic classifier RealTime
if-match acl 3999
traffic behavior Signal
remark 8021p 4
traffic behavior Office
remark 8021p 2
traffic behavior Monitor
remark 8021p 3
traffic behavior RealTime
remark 8021p 5
traffic behavior Other
remark 8021p 0
traffic policy remark
classifier RealTime behavior RealTime
classifier Signal behavior Signal
classifier Monitor behavior Monitor
classifier Office behavior Office
classifier default-class behavior Other
int g0/0/1
traffic-policy remark outbound
int g/0/1
trust 8021p override //the inherited 802.1p value can be changed
qos map-table dot1p-dscp
input 5 output 46
Solution:
drop-profile cs4
wred dscp
dscp cs4 low-limit 70 high-limit 100 discard-percentage 50
drop-profile cs3
wred dscp
dscp cs3 low-limit 50 high-limit 90 discard-percentage 50
drop-profile cs2
wred dscp
dscp cs2 low-limit 50 high-limit 80 discard-percentage 50
drop-profile BE
wred dscp
dscp default low-limit 50 high-limit 80 discard-percentage 50
qos queue-profile test
schedule wfq 0 to 4 pq 5
queue 0 weight 1
queue 2 weight 9
queue 3 weight 21
queue 4 weight 63
queue 0 drop-profile BE
queue 2 drop-profile cs2
queue 3 drop-profile cs3
queue 4 drop-profile cs4
int g0/0/0
qos queue-profile test
int g0/0/2
qos queue-profile test
Solution:
int Ip-Trunk1
ipv6 en
ipv6 address 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:1301/127
int Ip-Trunk1
ipv6 en
ipv6 address 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:1300/127
Solution:
isis 1
ipv6 enable topology ipv6 //compute the IPv6 topology separately (multi-topology)
int lo 0
isis ipv6 enable 1
int g0/0/0
isis ipv6 enable 1
isis ipv6 cost 20
int Ip-Trunk1
isis ipv6 enable 1
isis ipv6 cost 1550
isis 1
ipv6 enable topology ipv6
int lo 0
isis ipv6 enable 1
int g0/0/0
isis ipv6 enable 1
isis ipv6 cost 20
int g0/0/2
isis ipv6 enable 1
isis ipv6 cost 1500
isis 1
ipv6 enable topology ipv6
int lo 0
isis ipv6 enable 1
int g0/0/0
isis ipv6 enable 1
isis ipv6 cost 80
int g0/0/1
isis ipv6 enable 1
isis ipv6 cost 860
int Ip-Trunk1
isis ipv6 enable 1
isis ipv6 cost 1550
isis 1
ipv6 enable topology ipv6
int lo 0
isis ipv6 enable 1
int g0/0/0
isis ipv6 enable 1
isis ipv6 cost 80
int g0/0/1
isis ipv6 enable 1
isis ipv6 cost 1000
int g0/0/2
isis ipv6 enable 1
isis ipv6 cost 1500
isis 1
ipv6 enable topology ipv6
int lo 0
isis ipv6 enable 1
int g0/0/0
isis ipv6 enable 1
isis ipv6 cost 100
int g0/0/1
isis ipv6 enable 1
isis ipv6 cost 860
isis 1
ipv6 enable topology ipv6
int lo 0
isis ipv6 enable 1
int g0/0/0
isis ipv6 enable 1
isis ipv6 cost 100
int g0/0/1
isis ipv6 enable 1
isis ipv6 cost 1000
Result:
dis ipv6 rou p i
- On PE1, the cost to 3500 is 2410
- On PE2, the cost to 4600 is 2500
isis 1
ipv6 import-route isis level-2 into level-1
isis 1
ipv6 import-route isis level-2 into level-1
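Solution:
In the exam, check whether the preconfiguration makes ASBR1 and ASBR2 clients of RR1. Also, some IPv6 address-family peers are not activated; activate them as follows: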
bgp 100
ipv6-family unicast
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:5701 enable
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA3 enable
bgp 100
ipv6-family unicast
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA3 enable
bgp 100
ipv6-family unicast
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA5 enable
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA6 enable
Solution:
bgp 100
ipv6-family unicast
import-route isis 1
aggregate 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DC00 120
ip ipv6-prefix 1 index 10 permit 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DC00 120 g 120 l 120
bgp 100
ipv6-family unicast
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:5701 ipv6-prefix 1 export
Note: if the exam requires importing only ISIS routes with a 128-bit prefix, configure as follows:
ip ipv6-prefix isis index 10 per 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DC00 120 g 128 l 128
route-policy isis_bgp permit node 10
if-match ipv6 address prefix-list isis
bgp 100
ipv6-family unicast
import-route isis route-policy isis_bgp
aggregate 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DC00 120
bgp 200
ipv6-family unicast
network 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA7 128
Solution:
ip ipv6-prefix 1 index 10 permit 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA7 128 g 128 l 128
route-policy agg deny node 10
if-match ipv6 address prefix-list 1
route-policy agg permit node 20
bgp 100
ipv6-family unicast
aggregate 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DC00 120 suppress-policy agg
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA3 next-hop-local
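Note that at this point ASBR2 should be unable to learn this route, because ASBR2 is not a client of RR1. If the task requires ASBR2 to learn this route as well, an IBGP+ peer relationship must be configured between ASBR1 and ASBR2: because ASBR1 and ASBR2 are non-clients of RR1, the split-horizon rule applies and RR1 does not pass the route on to ASBR2.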
bgp 100
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA6 as-number 100
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA6 con lo 0
ipv6-family unicast
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA6 enable
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA6 next-hop-local
bgp 100
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA5 as-number 100
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA5 con lo 0
ipv6-family unicast
peer 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA5 enable
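The reflection rule behind the ASBR2 note and the extra ASBR1-ASBR2 session above, modelled in Python as an added example (not part of the original notes). ASBR1 and ASBR2 are non-clients of RR1 as the notes state; PE1 being a client of RR1 is an assumption made for contrast.

```python
# Added illustration, not from the original notes: which IBGP peers a speaker
# re-advertises a route to. Simplified: a router keeps the first copy it hears.
def advertise_to(speaker, learned_from, sessions, clients):
    """Peers to which `speaker` passes a route learned from `learned_from`.

    sessions:     set of frozenset({a, b}) IBGP sessions
    clients:      {reflector: set of its clients}
    learned_from: peer name, or "EBGP" for a route learned from another AS
    """
    peers = {next(iter(s - {speaker})) for s in sessions if speaker in s}
    peers.discard(learned_from)
    if learned_from == "EBGP":
        return peers                   # EBGP-learned: sent to every IBGP peer
    my_clients = clients.get(speaker, set())
    if learned_from in my_clients:
        return peers                   # from a client: reflected to all peers
    return peers & my_clients          # from a non-client: clients only

def learners(origin, sessions, clients):
    """Routers that end up holding a route that `origin` learned over EBGP."""
    have, queue = {origin}, [(origin, "EBGP")]
    while queue:
        speaker, src = queue.pop()
        for peer in advertise_to(speaker, src, sessions, clients):
            if peer not in have:
                have.add(peer)
                queue.append((peer, speaker))
    return have

# Constructed topology: PE1 as a client of RR1 is an assumption.
CLIENTS = {"RR1": {"PE1"}}
BEFORE = {frozenset(p) for p in [("ASBR1", "RR1"), ("ASBR2", "RR1"), ("PE1", "RR1")]}
AFTER = BEFORE | {frozenset(("ASBR1", "ASBR2"))}  # direct ASBR1-ASBR2 session added

if __name__ == "__main__":
    print(sorted(learners("ASBR1", BEFORE, CLIENTS)))  # ASBR2 is missing
    print(sorted(learners("ASBR1", AFTER, CLIENTS)))   # ASBR2 now has the route
```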
Solution:
isis 1
set-overload on-startup wait-for-bgp
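All of the above is original work; the lab is based on the Yutian Education lab documentation. If anything is unclear or wrong, please point it out.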