公司总部
用户希望在存在冗余备份链路的同时消除网络中的环路,而且能合理运用带宽,并且网络的稳定性要好
在环路的交换机上配置MSTP,两个交换机之间做链路聚合,配置各个设备端口的IP地址以及路由协议,创建VRRF,SW1与SW2互做备分
骨干网
骨干网中路由器都使用ospf动态路由协议做底层,上层使用BGP协议,BGP协议多用于大型网络公司,并且稳定性、安全性、可扩展性相对较高,适合以后公司扩建等等。
R6作为反射器,可以帮R5和R7分摊控制层的压力,不会影响R5、R7的性能。
安全策略中心
所有流量都引入安全策略中心,对流量进行过滤等
做四个VRF,在R8上创建四个子接口,分别对应不同的AS域接收以及发送路由,使数据通过安全中心发送到各个AS域中。一个AS域对应一个VRF,然后在每个AS域做接收。
分公司
正常和总公司通讯
互联网
PC与互联网之间使用NAT技术
公司总部
先创建VLAN
本实验的所有交换机创建VLAN 2和vlan3
[SW1]VLAN batch 2 3
SW3 SW4将PC接口划分VLAN。PC1、PC3划入vlan2中,PC2、PC4划分到VLAN3中
[SW3]interface e0/0/3
[SW3-Ethernet0/0/3]port link-type access
[SW3-Ethernet0/0/3]port default vlan 2
[SW3]int e0/0/4
[SW3-Ethernet0/0/4]port link-type access
[SW3-Ethernet0/0/4]port default vlan 3
SW4上也如此只是接口不一样而已,配置略
在SW1和SW2之间做链路捆绑,创建trunk并将接口划入trunk中,SW1的 配置和SW2的配置相同。
[SW2]interface Eth-Trunk 1
[SW2-Eth-Trunk1]trunkport g0/0/1
[SW2-Eth-Trunk1]trunkport g0/0/2
检查trunk链路是否创建完成。
进入接口
[SW2]int Eth-Trunk 1
[SW2-Eth-Trunk1]port link-type trunk
[SW2-Eth-Trunk1] port trunk allow-pass vlan 2 to 4094
[SW2-Eth-Trunk1]int g0/0/3
[SW2-GigabitEthernet0/0/3]port link-type trunk
[SW2-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 to 4094
[SW2-GigabitEthernet0/0/3]int g0/0/4
[SW2-GigabitEthernet0/0/4]port link-type trunk
[SW2-GigabitEthernet0/0/4] port trunk allow-pass vlan 2 to 4094
查看干道的状态。SW3和SW4分别存在两个trunk干道,常看方法如RW1和RW2
MSTP
四个交换配置MSTP,且配置相同
[SW1]stp enable
[SW1]stp mode mstp
//更改模式
[SW1]stp region-configuration
[SW1-mst-region]region-name HW
[SW1-mst-region]revision-level 1//此区域的所有交换机这两步必须一致
[SW1-mst-region]instance 1 vlan 2
[SW1-mst-region]instance 2 vlan 3
[SW1-mst-region]active region-configuration
生成树的分流互备
SW2
[SW2]stp instance 1 priority 4096
[SW2]stp instance 2 priorit 0
SW1
[SW1]stp instance 1 priority 0
[SW1]stp instance 2 priorit 4096
给VLAN2、3分配地址
SW1
[SW1]int vlan 2
[SW1-Vlanif2]ip add 10.3.2.1 24
[SW1-Vlanif2]int vlan 3
[SW1-Vlanif3]ip add 10.3.3.1 24
SW2
[SW2]int vlan 2
[SW2-Vlanif2]ip add 10.3.2.2 24
[SW2-Vlanif2]int vlan 3
[SW2-Vlanif3]ip add 10.3.3.2 24
备份网关,SW1是vlan2 的主根,vlan3的备份根,SW2是vlan2的备份根,vlan3的主根
VLAN2
SW1
[SW1]int vlan 2
[SW1-Vlanif2]vrrp vrid 1 virtual-ip 10.3.2.254
[SW1-Vlanif2]vrrp vrid 1 priority 120
[SW1-Vlanif2]vrrp vrid 1 track int g0/0/5 reduced 30//上行链路监测
SW2
[SW2-Vlanif3]int vlan2
[SW2-Vlanif2]vrrp vrid 1 virtual-ip 10.3.2.254
VLAN3
SW2
[SW2-Vlanif2]int vlan 3
[SW2-Vlanif3]vrrp vrid 1 virtual-ip 10.3.3.254
[SW2-Vlanif3]vrrp vrid 1 priority 120
[SW2-Vlanif3]vrrp vrid 1 track interface g0/0/5 re 30//上行链路监测
SW1
[SW1]int vlan 3
[SW1-Vlanif3]vrrp vrid 1 virtual-ip 10.3.3.254
创建互联VLAN,在SW1上创建VLAN101并将接口g0/0/5划入vlan101,并且分配互联地址
SW1 VLAN101
[SW1]vlan 101
[SW1-vlan101]qu
[SW1]int g0/0/5
[SW1-GigabitEthernet0/0/5]port link-type access
[SW1-GigabitEthernet0/0/5]port default vlan 101
[SW1]int vlan 101
[SW1-Vlanif101]ip address 10.1.11.1 24
SW2 VLAN102
[SW2]vlan 102
[SW2-vlan102]qu
[SW2]int g0/0/5
[SW2-GigabitEthernet0/0/5]port link-type access
[SW2-GigabitEthernet0/0/5]port default vlan 101
[SW2]int vlan 102
[SW2-Vlanif102]ip add 10.1.22.1 24
为所有路由器配置地址,过程略
SW1、SW2配置DHCP地址池,dhcp地址池也需要备份,故将DHCP地址分为分为两段分别配置在SW1和SW2上,排除地址不能排除网关
SW1
interface Vlanif3
dhcp select interface
dhcp server excluded-ip-address 10.3.3.129 10.3.3.254
dhcp server dns-list 114.114.114.114
interface Vlanif2
dhcp select interface
dhcp server excluded-ip-address 10.3.2.129 10.3.2.254
dhcp server dns-list 114.114.144.114
SW2
[SW2-Vlanif2]int vlan 3
[SW2-Vlanif3]dhcp select interface
[SW2-Vlanif3]dhcp server excluded-ip-address 10.3.3.3 10.3.3.128
[SW2-Vlanif3]dhcp server dns-list 114.114.144.144
[SW2-Vlanif3]int vlan 2
[SW2-Vlanif2]dhcp select interface
[SW2-Vlanif2]dhcp server excluded-ip-address 10.3.2.3 10.3.2.128
[SW2-Vlanif2]dhcp server dns-list 114.114.114.114
在R1、R2、SW1、SW2之间起OSPF动态协议
SW1
ospf 1 router-id 101.101.101.101
area 0.0.0.0
network 101.101.101.101 0.0.0.0
network 10.1.11.0 0.0.0.255
network 10.3.2.0 0.0.0.255
network 10.3.3.0 0.0.0.255
network 10.1.201.0 0.0.0.255
SW2
ospf 1 router-id 102.102.102.102
area 0.0.0.0
network 10.1.11.0 0.0.0.255
network 10.3.2.0 0.0.0.255
network 10.3.3.0 0.0.0.255
network 10.1.201.0 0.0.0.255
network 10.1.22.0 0.0.0.255
network 102.102.102.102 0.0.0.0
R1
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.1.12.0 0.0.0.255
network 1.1.1.1 0.0.0.0
network 10.1.11.0 0.0.0.255
R2
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 10.1.22.0 0.0.0.255
network 10.1.12.0 0.0.0.255
network 2.2.2.2 0.0.0.0
骨干网
配置地址以及ospf动态路由协议,过程略
R3、R4、R8、R9与R6之间分别建立BGP邻居和VPNV4邻居
R6
[R6]bgp 1
[R6-bgp]group IBGP //创建组
[R6-bgp]peer IBGP connect-interface LoopBack 0
[R6-bgp]peer IBGP reflect-client //反射器
[R6-bgp]peer 3.3.3.3 group IBGP
[R6-bgp]peer 4.4.4.4 group IBGP
[R6-bgp]peer 8.8.8.8 group IBGP
[R6-bgp]peer 9.9.9.9 group IBGP
创建vpnv4
[R6-bgp]ipv4-family vpnv4
[R6-bgp-af-vpnv4]peer IBGP enable //把组放在VPNV4中
[R6-bgp-af-vpnv4]peer IBGP advertise-community //通告团体属性
[R6-bgp-af-vpnv4]peer IBGP reflect-client //反射器
[R6-bgp-af-vpnv4]undo policy vpn-target
将组员通告在组里
[R6-bgp-af-vpnv4]peer 3.3.3.3 group IBGP
[R6-bgp-af-vpnv4]peer 4.4.4.4 group IBGP
[R6-bgp-af-vpnv4]peer 8.8.8.8 group IBGP
[R6-bgp-af-vpnv4]peer 9.9.9.9 group IBGP
R3配置,R4、R8、R9和R3配置相同
bgp 1
peer 6.6.6.6 as-number 1
peer 6.6.6.6 connect-interface LoopBack0
ipv4-family unicast
undo synchronization
peer 6.6.6.6 enable
ipv4-family vpnv4
undo policy vpn-target
peer 6.6.6.6 enable
peer 6.6.6.6 advertise-community
配置MPLS,解决BGP路由黑洞,骨干网中所有路由器,都需配置,下面只展示R3以及R4的配置
[R3]mpls lsr-id 3.3.3.3
[R3]mpls
[R3-mpls]qu
[R3]mpls ld
[R3-mpls-ldp]qu
进入接口
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]mpls
[R3-GigabitEthernet0/0/0]mpls ldp
在R3、R4、R8、R9四个路由器上配置VRF,做流量的出和接收。
R4
对AS2的流量进行标记
ip vpn-instance AS2
ipv4-family
route-distinguisher 4:4
vpn-target 4:4 export-extcommunity
vpn-target 12:2 import-extcommunity
[R4]int e0/0/0
[R4-Ethernet0/0/0]ip binding vpn-instance AS2
[R4-Ethernet0/0/0]ip address 10.1.24.2 255.255.255.0
对AS6的流量进行标记
ip vpn-instance int
ipv4-family
route-distinguisher 4:6
vpn-target 4:6 export-extcommunity
vpn-target 12:6 import-extcommunity
interface GigabitEthernet0/0/1
ip binding vpn-instance int //在接口配置后,地址会被冲掉,需重新配置地址
ip address 10.1.134.1 255.255.255.0
R3
对AS2的流量进行标记
ip vpn-instance AS3
ipv4-family
route-distinguisher 3:3
vpn-target 3:3 export-extcommunity
vpn-target 12:2 import-extcommunity
[R3]int e0/0/0
[R3-Ethernet0/0/0]ip binding vpn-instance AS3
[R3-Ethernet0/0/0]ip address 10.1.13.2 255.255.255.0
对AS6的流量进行标记
ip vpn-instance int
ipv4-family
route-distinguisher 3:6
vpn-target 3:6 export-extcommunity
vpn-target 12:6 import-extcommunity
interface GigabitEthernet0/0/1
ip binding vpn-instance int
ip address 10.1.133.1 255.255.255.0
R8
对AS3的流量进行标记
[R8]ip vpn-instance AS1-3
[R8-vpn-instance-AS1-3]route-distinguisher 8:8
[R8-vpn-instance-AS1-3-af-ipv4]vpn-target 8:8 export-extcommunity
vpn-target 12:3 import-extcommunity
[R8-vpn-instance-AS1-3-af-ipv4]int g0/0/0
[R8-GigabitEthernet0/0/0]ip binding vpn-instance AS1-3
[R8-GigabitEthernet0/0/0]ip address 10.1.108.1 255.255.255.0
R8上分别对应不同的AS域做流量的收发
划分子接口
收发AS2区域流量的对应的子接口为g0/0/1.1
ip vpn-instance toAS2
ipv4-family
route-distinguisher 12:2
vpn-target 12:2 export-extcommunity
vpn-target 3:3 4:4 import-extcommunity
interface GigabitEthernet0/0/1.1
ip binding vpn-instance toAS2
ip address 10.2.1.1 255.255.255.0
adot1q termination vid 1
rp broadcast enable
收发AS3区域流量的对应的子接口为g0/0/1.2
ip vpn-instance toAS3
ipv4-family
route-distinguisher 12:3
vpn-target 12:3 export-extcommunity
vpn-target 8:8 import-extcommunity
interface GigabitEthernet0/0/1.2
dot1q termination vid 2
ip binding vpn-instance toAS3
ip address 10.2.2.1 255.255.255.0
arp broadcast enable
收发AS4区域流量的对应的子接口为g0/0/1.3
ip vpn-instance toAS4
ipv4-family
route-distinguisher 12:4
vpn-target 12:4 export-extcommunity
vpn-target 9:9 import-extcommunity
interface GigabitEthernet0/0/1.3
dot1q termination vid 3
ip binding vpn-instance toAS4
ip address 10.2.3.1 255.255.255.0
arp broadcast enable
收发AS6区域流量的对应的子接口为g0/0/1.4
ip vpn-instance toAS6
ipv4-family
route-distinguisher 12:6
vpn-target 12:6 export-extcommunity
vpn-target 3:6 4:6 import-extcommunity
#
interface GigabitEthernet0/0/1.4
dot1q termination vid 4
ip binding vpn-instance toAS6
ip address 10.2.4.1 255.255.255.0
arp broadcast enable
R9收发AS4区域的流量
[R9]ip vpn-instance AS4
[R9-vpn-instance-AS4]route-distinguisher 9:9
[R9-vpn-instance-AS4-af-ipv4]vpn-target 9:9 export-extcommunity
[R9-vpn-instance-AS4-af-ipv4]vpn-target 12:4 import-extcommunity
[R9-vpn-instance-AS4-af-ipv4]int g0/0/0
[R9-GigabitEthernet0/0/0]ip binding vpn-instance AS4
[R9-GigabitEthernet0/0/0]ip address 10.1.119.1 255.255.255.0
在PE和CE之间建立EBGP对等体关系,引入vpn路由
[R9-bgp]ipv4-family vpn-instance AS4 //属于此AS4并非区域
[R9-bgp-AS4]peer 10.1.119.2 AS-nu
[R9-bgp-AS4]peer 10.1.119.2 as-number 4
bgp 4
peer 10.1.119.1 as-number 1
#
ipv4-family unicast
undo synchronization
peer 10.1.119.1 enable
PE之间建立MP-IBGP对等体关系
R6为反射器
bgp 1
group IBGP internal
peer IBGP connect-interface LoopBack0
peer 3.3.3.3 as-number 1
peer 3.3.3.3 group IBGP
peer 4.4.4.4 as-number 1
peer 4.4.4.4 group IBGP
peer 8.8.8.8 as-number 1
peer 8.8.8.8 group IBGP
peer 9.9.9.9 as-number 1
peer 9.9.9.9 group IBGP
#
ipv4-family unicast
undo synchronization
peer IBGP enable
peer IBGP reflect-client
peer 3.3.3.3 enable
peer 3.3.3.3 group IBGP
peer 4.4.4.4 enable
peer 4.4.4.4 group IBGP
peer 8.8.8.8 enable
peer 8.8.8.8 group IBGP
peer 9.9.9.9 enable
peer 9.9.9.9 group IBGP
#
ipv4-family vpnv4
undo policy vpn-target
peer IBGP enable
peer IBGP reflect-client
peer IBGP advertise-community
peer 3.3.3.3 enable
peer 3.3.3.3 group IBGP
peer 4.4.4.4 enable
peer 4.4.4.4 group IBGP
peer 8.8.8.8 enable
peer 8.8.8.8 group IBGP
peer 9.9.9.9 enable
peer 9.9.9.9 group IBGP
R3、R4、R8、R9配置相同,再次展示R3配置
bgp 1
peer 6.6.6.6 as-number 1
peer 6.6.6.6 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 6.6.6.6 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 6.6.6.6 enable
peer 6.6.6.6 advertise-community
检测PC1与PC5的连通性
10.1.10.2是PC5的地址
总结:
此实验对我来说相对较难,难就说明此实验一些技术自己掌握不熟练,基础知识漏洞较大,对MPLS VPN、VRF的掌握有缺陷。对基础知识还是由疏忽,知识遗忘严重,后续加强复习。
此实验未完成,选路部分未做,路由条目不优。各位看官多多包涵