三层架构综合实验

目录

拓扑结构：

要求：

确定广播域的个数

分配网段

配置Eth-Trunk

创建VLAN

配置STP生成树协议

修改根

边缘端口

SVI

VRRP

DHCP

路由部分

OSPF

缺省

汇总

NAT

---

拓扑结构：

要求：

1、内部IP地址基于172.16.0.0/16进行合理分配

2、汇聚层的SW1和SW2之间互为备份

3、VRRP/STP/VLAN/TRUNK均要使用到

4、保障更新安全，防止环路，防止路由黑洞

 使用的设备：2台路由器、2台交换机、2台交换机和4台PC

三层架构解决网络拓扑的思路：

1、确定广播域的个数

2、分配网段

4、进行交换部分的配置

3、配置IP地址 （优先配置路由器）

5、路由协议。。。

确定广播域的个数

根据拓扑结构图以及要求可知，只有R1和网路运营商之间是公网，R1之下都是内网，并且内网中分为2个接口网段和两个SVI网段。

分配网段

自主分配网段

接口网段：

接口	分配网段
R1：GE 0/0/0 R1：GE 0/0/1 R1：GE 0/0/2	12.0.0.0/30 172.16.0.0/30 172.16.0.4/30
ISP：GE 0/0/0	12.0.0.0/30

环回网段：

环回	分配网段
ISP	3.3.3.0/24

SVI和三层接口的网段

华为模拟器中三层交换机的三层接口不能配置IP地址，所以做一个SVI接口

SVI和三层接口	分配网段
Convergence-S5700-1：GE 0/0/1	172.16.0.0/30
Convergence-S5700-2：GE 0/0/1	172.16.0.4/30
Convergence-S5700-1：vlanif 1 Convergence-S5700-1：vlanif 2	172.16.1.0/25 172.16.1.128/25
Convergence-S5700-2：vlanif 1 Convergence-S5700-2：vlanif 2	172.16.1.0/25 172.16.1.128/25

​​​

配置Eth-Trunk

三层架构有交换机的配置，要优先配置交换部分的内容，首先为Eth-Trunk

Convergence-S5700-1：

system-view 
[Huawei]sysname Convergence-S5700-1
[Convergence-S5700-1]interface Eth-Trunk 0
[Convergence-S5700-1-Eth-Trunk0]q
[Convergence-S5700-1]interface GigabitEthernet 0/0/23
[Convergence-S5700-1-GigabitEthernet0/0/23]eth-trunk 0
[Convergence-S5700-1-GigabitEthernet0/0/23]q
[Convergence-S5700-1]interface GigabitEthernet 0/0/24
[Convergence-S5700-1-GigabitEthernet0/0/24]eth-trunk 0
[Convergence-S5700-1-GigabitEthernet0/0/24]q
[Convergence-S5700-1]

Convergence-S5700-2：

system-view 
[Huawei]sysname Convergence-S5700-2
[Convergence-S5700-2]interface Eth-Trunk 0
[Convergence-S5700-2-Eth-Trunk0]q
[Convergence-S5700-2]interface GigabitEthernet 0/0/23
[Convergence-S5700-2-GigabitEthernet0/0/23]eth-trunk 0
[Convergence-S5700-2-GigabitEthernet0/0/23]q
[Convergence-S5700-2]interface GigabitEthernet 0/0/24
[Convergence-S5700-2-GigabitEthernet0/0/24]eth-trunk 0
[Convergence-S5700-2-GigabitEthernet0/0/24]q
[Convergence-S5700-2]

创建VLAN

Convergence-S5700-1：

[Convergence-S5700-1]vlan 2
[Convergence-S5700-1-vlan2]q
[Convergence-S5700-1]port-group group-member GigabitEthernet 0/0/2 to GigabitEthernet 0/0/3 Eth-Trunk 0
[Convergence-S5700-1-port-group]port link-type trunk 
[Convergence-S5700-1-port-group]port trunk allow-pass vlan 2
[Convergence-S5700-1-port-group]q
[Convergence-S5700-1]

Convergence-S5700-2：

[Convergence-S5700-2]vlan 2
[Convergence-S5700-2-vlan2]q
[Convergence-S5700-2]port-group group-member GigabitEthernet 0/0/2 to GigabitEthernet 0/0/3 Eth-Trunk 0
[Convergence-S5700-2-port-group]port link-type trunk 
[Convergence-S5700-2-port-group]port trunk allow-pass vlan 2
[Convergence-S5700-2-port-group]q
[Convergence-S5700-2]

Access-S3700-1：

system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname Access-S3700-1
[Access-S3700-1]vlan 2
[Access-S3700-1-vlan2]q
[Access-S3700-1]interface Ethernet 0/0/4
[Access-S3700-1-Ethernet0/0/4]port link-type access 
[Access-S3700-1-Ethernet0/0/4]port default vlan 2
[Access-S3700-1-Ethernet0/0/4]q
[Access-S3700-1]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/2
[Access-S3700-1-port-group]port link-type trunk 
[Access-S3700-1-port-group]port trunk allow-pass vlan 2
[Access-S3700-1-port-group]q
[Access-S3700-1]

Access-S3700-2:

system-view 
[Huawei]sysname Access-S3700-2
[Access-S3700-2]vlan 2
[Access-S3700-2-vlan2]q
[Access-S3700-2]interface Ethernet 0/0/4
[Access-S3700-2-Ethernet0/0/4]port link-type access 
[Access-S3700-2-Ethernet0/0/4]port default vlan 2
[Access-S3700-2-Ethernet0/0/4]q
[Access-S3700-2]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/2
[Access-S3700-2-port-group]port link-type trunk 
[Access-S3700-2-port-group]port trunk allow-pass vlan 2
[Access-S3700-2-port-group]q
[Access-S3700-2]

配置STP生成树协议

Convergence-S5700-1：

[Convergence-S5700-1]stp enable
[Convergence-S5700-1]stp mode mstp 
[Convergence-S5700-1]stp region-configuration 
[Convergence-S5700-1-mst-region]region-name a
[Convergence-S5700-1-mst-region]instance 1 vlan 1
[Convergence-S5700-1-mst-region]instance 2 vlan 2
[Convergence-S5700-1-mst-region]active region-configuration 
[Convergence-S5700-1-mst-region]q
[Convergence-S5700-1]

Convergence-S5700-2：

[Convergence-S5700-2]stp enable 
[Convergence-S5700-2]stp mode mstp 
[Convergence-S5700-2]stp region-configuration 
[Convergence-S5700-2-mst-region]region-name a
[Convergence-S5700-2-mst-region]instance 1 vlan 1
[Convergence-S5700-2-mst-region]instance 2 vlan 2
[Convergence-S5700-2-mst-region]active region-configuration 
[Convergence-S5700-2-mst-region]q
[Convergence-S5700-2]

Access-S3700-1：

[Access-S3700-1]stp enable
[Access-S3700-1]stp mode mstp 
[Access-S3700-1]stp region-configuration 
[Access-S3700-1-mst-region]region-name a
[Access-S3700-1-mst-region]instance 1 vlan 1
[Access-S3700-1-mst-region]instance 2 vlan 2
[Access-S3700-1-mst-region]active region-configuration 
[Access-S3700-1-mst-region]q
[Access-S3700-1]

Access-S3700-2：

[Access-S3700-2]stp enable 
[Access-S3700-2]stp mode mstp 
[Access-S3700-2]stp region-configuration 
[Access-S3700-2-mst-region]region-name a
[Access-S3700-2-mst-region]instance 1 vlan 1
[Access-S3700-2-mst-region]instance 2 vlan 2
[Access-S3700-2-mst-region]active region-configuration 
[Access-S3700-2-mst-region]q
[Access-S3700-2]

这里会出现接入层设备抢占根（一部分或者是全部）这里抢的是instance 2 的根

修改根

Convergence-S5700-1：

[Convergence-S5700-1]stp instance 1 root primary 
[Convergence-S5700-1]stp instance 2 root secondary 

Convergence-S5700-2：

[Convergence-S5700-2]stp instance 1 root secondary 
[Convergence-S5700-2]stp instance 2 root primary 

边缘端口

将接入层交换机连接底下的主机用户修改为边缘接口，减少等待延时，快速上线

Access-S3700-1：

[Access-S3700-1]port-group group-member Ethernet 0/0/3 to Ethernet 0/0/4
[Access-S3700-1-port-group]stp edged-port enable 
[Access-S3700-1-port-group]q
[Access-S3700-1]

Access-S3700-2：

[Access-S3700-2]port-group group-member Ethernet 0/0/3 to Ethernet 0/0/4
[Access-S3700-2-port-group]stp edged-port enable 
[Access-S3700-2-port-group]q
[Access-S3700-2]

SVI

Convergence-S5700-1：

[Convergence-S5700-1]interface Vlanif 1
[Convergence-S5700-1-Vlanif1]ip address 172.16.1.1 25
[Convergence-S5700-1-Vlanif1]q
[Convergence-S5700-1]interface Vlanif 2
[Convergence-S5700-1-Vlanif2]ip address 172.16.1.130 25
[Convergence-S5700-1-Vlanif2]q
[Convergence-S5700-1]

Convergence-S5700-2：

[Convergence-S5700-2]interface Vlanif 1
[Convergence-S5700-2-Vlanif1]ip address 172.16.1.2 25
[Convergence-S5700-2-Vlanif1]q
[Convergence-S5700-2]interface Vlanif 2
[Convergence-S5700-2-Vlanif2]ip address 172.16.1.129 25
[Convergence-S5700-2-Vlanif2]q
[Convergence-S5700-2]

VRRP

Convergence-S5700-1：

[Convergence-S5700-1]interface Vlanif 1
[Convergence-S5700-1-Vlanif1]vrrp vrid 1 virtual-ip 172.16.1.126                                                         
[Convergence-S5700-1-Vlanif1]vrrp vrid 1 priority 105        
[Convergence-S5700-1-Vlanif1]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 6
[Convergence-S5700-1-Vlanif1]q
[Convergence-S5700-1]    

[Convergence-S5700-1]interface Vlanif 2
[Convergence-S5700-1-Vlanif2]vrrp vrid 1 virtual-ip 172.16.1.254   
[Convergence-S5700-1-Vlanif2]q
[Convergence-S5700-1]

Convergence-S5700-2：

[Convergence-S5700-2]interface Vlanif 1
[Convergence-S5700-2-Vlanif1]vrrp vrid 1 virtual-ip 172.16.1.126 
[Convergence-S5700-2-Vlanif1]q
[Convergence-S5700-2]

[Convergence-S5700-2]interface Vlanif 2
[Convergence-S5700-2-Vlanif2]vrrp vrid 1 virtual-ip 172.16.1.254
[Convergence-S5700-2-Vlanif2]vrrp vrid 1 priority 105
[Convergence-S5700-2-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 6
[Convergence-S5700-2-Vlanif2]q
[Convergence-S5700-2]

DHCP

Convergence-S5700-1：

[Convergence-S5700-1]dhcp enable 
[Convergence-S5700-1]ip pool a
[Convergence-S5700-1-ip-pool-a]network 172.16.1.0 mask 25
[Convergence-S5700-1-ip-pool-a]gateway-list 172.16.1.126
[Convergence-S5700-1-ip-pool-a]dns-list 114.114.114.114 8.8.8.8
[Convergence-S5700-1-ip-pool-a]q
[Convergence-S5700-1]ip pool b
[Convergence-S5700-1-ip-pool-b]network 172.16.1.128 mask 25
[Convergence-S5700-1-ip-pool-b]gateway-list 172.16.1.254
[Convergence-S5700-1-ip-pool-b]dns-list 114.114.114.114 8.8.8.8
[Convergence-S5700-1-ip-pool-b]q
[Convergence-S5700-1]interface Vlanif 1
[Convergence-S5700-1-Vlanif1]dhcp select global 
[Convergence-S5700-1-Vlanif1]q
[Convergence-S5700-1]interface Vlanif 2
[Convergence-S5700-1-Vlanif2]dhcp select global 
[Convergence-S5700-1-Vlanif2]q
[Convergence-S5700-1]

Convergence-S5700-2：

[Convergence-S5700-2]dhcp enable 
[Convergence-S5700-2]ip pool a
[Convergence-S5700-2-ip-pool-a]network 172.16.1.0 mask 25
[Convergence-S5700-2-ip-pool-a]gateway-list 172.16.1.126 
[Convergence-S5700-2-ip-pool-a]dns-list 114.114.114.114 8.8.8.8
[Convergence-S5700-2-ip-pool-a]q
[Convergence-S5700-2]ip pool b
[Convergence-S5700-2-ip-pool-b]network 172.16.1.128 mask 25
[Convergence-S5700-2-ip-pool-b]gateway-list 172.16.1.254
[Convergence-S5700-2-ip-pool-b]dns-list 114.114.114.114 8.8.8.8
[Convergence-S5700-2-ip-pool-b]q
[Convergence-S5700-2]interface Vlanif 1
[Convergence-S5700-2-Vlanif1]dhcp select global 
[Convergence-S5700-2-Vlanif1]q
[Convergence-S5700-2]interface Vlanif 2
[Convergence-S5700-2-Vlanif2]dhcp select global 
[Convergence-S5700-2-Vlanif2]q
[Convergence-S5700-2]

以上交换部分就配置完成，然后是路由部分

路由部分

首先是地址配置

R1：

system-view 
[Huawei]sysname r1
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ip address 12.0.0.2 30
[r1-GigabitEthernet0/0/0]q
[r1]interface GigabitEthernet 0/0/1
[r1-GigabitEthernet0/0/1]ip address 172.16.0.1 30
[r1-GigabitEthernet0/0/1]q
[r1]interface GigabitEthernet 0/0/2
[r1-GigabitEthernet0/0/2]ip address 172.16.0.5 30
[r1-GigabitEthernet0/0/2]q
[r1]

ISP：

system-view 
[Huawei]sysname isp
[isp]interface GigabitEthernet 0/0/0
[isp-GigabitEthernet0/0/0]ip address 12.0.0.1 30
[isp-GigabitEthernet0/0/0]q
[isp]interface LoopBack 0
[isp-LoopBack0]ip address 3.3.3.3 24
[isp-LoopBack0]q
[isp]

OSPF

r1：

system-view 
[r1]ospf 1 router-id 1.1.1.1
[r1-ospf-1]area 0
[r1-ospf-1-area-0.0.0.0]network 172.16.0.0 0.0.0.3
[r1-ospf-1-area-0.0.0.0]network 172.16.0.4 0.0.0.3
[r1-ospf-1-area-0.0.0.0]q
[r1-ospf-1]q
[r1]

 Convergence-S5700-1：

[Convergence-S5700-1]vlan 99
[Convergence-S5700-1-vlan99]q  
[Convergence-S5700-1]interface Vlanif 99
[Convergence-S5700-1-Vlanif99]ip address 172.16.0.2 30
[Convergence-S5700-1-Vlanif99]q
[Convergence-S5700-1]interface GigabitEthernet 0/0/1
[Convergence-S5700-1-GigabitEthernet0/0/1]port link-type access 
[Convergence-S5700-1-GigabitEthernet0/0/1]port default vlan 99
[Convergence-S5700-1-GigabitEthernet0/0/1]q
[Convergence-S5700-1]ospf 1 router-id 2.2.2.2
[Convergence-S5700-1-ospf-1]area 0
[Convergence-S5700-1-ospf-1-area-0.0.0.0]network 172.16.0.0 0.0.0.3
[Convergence-S5700-1-ospf-1-area-0.0.0.0]q
[Convergence-S5700-1-ospf-1]area 1                                     
[Convergence-S5700-1-ospf-1-area-0.0.0.1]network 172.16.1.0 0.0.0.127
[Convergence-S5700-1-ospf-1-area-0.0.0.1]q
[Convergence-S5700-1-ospf-1]q
[Convergence-S5700-1]ospf 1
[Convergence-S5700-1-ospf-1]silent-interface all 
[Convergence-S5700-1-ospf-1]undo silent-interface GigabitEthernet 0/0/1           
[Convergence-S5700-1-ospf-1]undo silent-interface Eth-Trunk 0
[Convergence-S5700-1-ospf-1]undo silent-interface Vlanif 1
[Convergence-S5700-1-ospf-1]undo silent-interface Vlanif 99
[Convergence-S5700-1-ospf-1]q
[Convergence-S5700-1]

Convergence-S5700-2：

[Convergence-S5700-2]vlan 99
[Convergence-S5700-2-vlan99]q
[Convergence-S5700-2]interface Vlanif 99
[Convergence-S5700-2-Vlanif99]ip address 172.16.0.6 30
[Convergence-S5700-2-Vlanif99]q
[Convergence-S5700-2]interface GigabitEthernet 0/0/1
[Convergence-S5700-2-GigabitEthernet0/0/1]port link-type access 
[Convergence-S5700-2-GigabitEthernet0/0/1]port default vlan 99
[Convergence-S5700-2]ospf 1 router-id 3.3.3.3
[Convergence-S5700-2-ospf-1]area 0
[Convergence-S5700-2-ospf-1-area-0.0.0.0]network 172.16.0.4 0.0.0.3
[Convergence-S5700-2-ospf-1-area-0.0.0.0]q
[Convergence-S5700-2-ospf-1]area 1
[Convergence-S5700-2-ospf-1-area-0.0.0.1]network 172.16.1.128 0.0.0.127
[Convergence-S5700-2-ospf-1-area-0.0.0.1]q
[Convergence-S5700-2-ospf-1]q 
[Convergence-S5700-2]ospf 1
[Convergence-S5700-2-ospf-1]silent-interface GigabitEthernet 0/0/2
[Convergence-S5700-2-ospf-1]silent-interface GigabitEthernet 0/0/3
[Convergence-S5700-2-ospf-1]silent-interface Vlanif 2
[Convergence-S5700-2-ospf-1]q
[Convergence-S5700-2]q

缺省

[r1]ip route-static 0.0.0.0 0 12.0.0.1

[r1]ospf 1
[r1-ospf-1]default-route-advertise
[r1-ospf-1]q
[r1]

汇总

[Convergence-S5700-1]ospf 1
[Convergence-S5700-1-ospf-1]area 1
[Convergence-S5700-1-ospf-1-area-0.0.0.1]abr-summary 172.16.1.0 255.255.255.0
[Convergence-S5700-1-ospf-1-area-0.0.0.1]q
[Convergence-S5700-1-ospf-1]q
[Convergence-S5700-1]

[Convergence-S5700-2]ospf 1
[Convergence-S5700-2-ospf-1]area 1
[Convergence-S5700-2-ospf-1-area-0.0.0.1]abr-summary 172.16.1.0 255.255.255.0
[Convergence-S5700-2-ospf-1-area-0.0.0.1]q
[Convergence-S5700-2-ospf-1]q
[Convergence-S5700-2]

NAT

[r1]acl 2000
[r1-acl-basic-2000]rule permit source 172.16.0.0 0.0.255.255
[r1-acl-basic-2000]q
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]nat outbound 2000
[r1-GigabitEthernet0/0/0]q
[r1]

一切做完之后通过DHCP获取到的地址：

PC1：172.16.1.125、PC2：172.16.1.253、PC3：172.16.1.124、PC4：172.16.1.252

测试：

访问PC2：

访问PC3：

访问PC4：

访问公网：

 

最后实现全部通信，也满足所有要求，实验到此为止。