核心实验9_1000人规模网络设计冗余型_ENSP_配置mstp+vrrp实现流量负载分担,同时实现冗余,并配置相应的stp优化技术stp收敛,并

项目场景：

1000人规模网络设计冗余型_ENSP
要求：
1 配置vlan trunk 两台核心之间配置链路捆绑
2 配置MSTP+VRRP 实现流量负载分担同时实现冗余，并
配置相关stp优化技术加快stp收敛，并减少stp震荡
3 配置OSPF和静态实现三层路由，确保分支可以访问总部
4 所有用户采用动态获取ip地址，并配置相关dhcp安全技术
5 联通作为主出口 电信PPPOE作为备份出口
6 禁止vlan5 用户访问外网
7 将server 200.2 80端口映射成联通公网地址
8 所有交换机都可以被远程telnet （hcie 123）
9 出口链路正常时，vlan3 使用电信PPPOE上网

---

实搭拓扑图：

---

具体操作：

基础配置略

①Vlan Trunk Eth-trunk 底层配置:

sw1:

[SW1]int Eth-Trunk 2
[SW1-Eth-Trunk2]mode lacp-static 
[SW1-Eth-Trunk2]trunkport GigabitEthernet 0/0/2
[SW1-Eth-Trunk2]trunkport GigabitEthernet 0/0/3
[HX_SW1]vlan batch 2 to 5 200 800 999
[HX_SW1]int g0/0/5
[HX_SW1-GigabitEthernet0/0/5]po li tr
[HX_SW1-GigabitEthernet0/0/5]po tr al vl 200 999
[HX_SW1]int g0/0/1
[HX_SW1-GigabitEthernet0/0/1]po li tr
[HX_SW1-GigabitEthernet0/0/1]po tr al vl 2 3 999
[HX_SW1-GigabitEthernet0/0/1]int g0/0/4
[HX_SW1-GigabitEthernet0/0/4]po li tr
[HX_SW1-GigabitEthernet0/0/4]po tr al vl 4 5 999
[HX_SW1]int Eth-Trunk 1
[HX_SW1-Eth-Trunk1]po li tr
[HX_SW1-Eth-Trunk1]po tr al vl 2 to 5 200 999
[HX_SW1]int gi0/0/6
[HX_SW1-GigabitEthernet0/0/6]po li ac
[HX_SW1-GigabitEthernet0/0/6]po de vl 800
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

sw2:

[HX_SW2]int Eth-Trunk 2
[HX_SW2-Eth-Trunk2]mode lacp-static 
[HX_SW2-Eth-Trunk2]trunkport GigabitEthernet 0/0/1
[HX_SW2-Eth-Trunk2]trunkport GigabitEthernet 0/0/2
[HX_SW2]vlan batch 2 to 5 200 801 999
[HX_SW2]int g0/0/4
[HX_SW2-GigabitEthernet0/0/4]po li tr
[HX_SW2-GigabitEthernet0/0/4]po tr al vl 4 5 999
[HX_SW2-GigabitEthernet0/0/4]int g0/0/5
[HX_SW2-GigabitEthernet0/0/5]po li tr
[HX_SW2-GigabitEthernet0/0/5]po tr al vl 2 3 999
[HX_SW2]int Eth-Trunk 2
[HX_SW2-Eth-Trunk2]po li tr
[HX_SW2-Eth-Trunk2]po tr al vl 2 3 4 5 200 999
[HX_SW2-Eth-Trunk2]int g0/0/3
[HX_SW2-GigabitEthernet0/0/3]po li tr
[HX_SW2-GigabitEthernet0/0/3]po tr al vl 200 999
[HX_SW2-GigabitEthernet0/0/3]int g0/0/6
[HX_SW2-GigabitEthernet0/0/6]po li ac
[HX_SW2-GigabitEthernet0/0/6]po de vl 801
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

sw3:

[HJ_SW3]int Eth-Trunk 1
[HJ_SW3-Eth-Trunk1]mode lacp-static 
[HJ_SW3-Eth-Trunk1]trunkport Ethernet 0/0/4
[HJ_SW3-Eth-Trunk1]trunkport Ethernet 0/0/5
[HJ_SW3]vlan batch 2 to 5 999
[HJ_SW3]int e0/0/3
[HJ_SW3-Ethernet0/0/3]po li tr
[HJ_SW3-Ethernet0/0/3]po tr al vl 2 999
[HJ_SW3]int Eth-Trunk 1
[HJ_SW3-Eth-Trunk1]po li tr
[HJ_SW3-Eth-Trunk1]po tr al vl 3 999
[HJ_SW3]port-group group-member Ethernet0/0/1 Ethernet0/0/2
[HJ_SW3-port-group]po li tr
[HJ_SW3-port-group]po tr al vl 2 to 3 999
1
2
3
4
5
6
7
8
9
10
11
12
13
14

sw4:

[HJ_SW4]int e0/0/3
[HJ_SW4]vlan batch 2 3 4  5 999
[HJ_SW4]int e0/0/3
[HJ_SW4-Ethernet0/0/3]po li tr
[HJ_SW4-Ethernet0/0/3]po tr al vl 4 5 999
[HJ_SW4]port-g g eth0/0/1 Ethernet 0/0/2
[HJ_SW4-port-group]po li tr
[HJ_SW4-port-group]po tr al vl 4 to 5 999
1
2
3
4
5
6
7
8

sw5:

[JR_SW5]vlan batch 2 3 4 5 999
[JR_SW5]int e0/0/2
[JR_SW5-Ethernet0/0/2]po li ac
[JR_SW5-Ethernet0/0/2]po de vl 2
[JR_SW5-Ethernet0/0/2]int e0/0/1
[JR_SW5-Ethernet0/0/1]po li tr
[JR_SW5-Ethernet0/0/1]port trunk allow-pass vlan 2 999
1
2
3
4
5
6
7

sw6:

[JR_SW6]int Eth-Trunk 1
[JR_SW6-Eth-Trunk1]mode lacp-static 
[JR_SW6-Eth-Trunk1]trunkport Ethernet 0/0/1
[JR_SW6-Eth-Trunk1]trunkport Ethernet 0/0/3
1
2
3
4

---

sw7:

[JR_SW7]vlan batch 2 to 5 999
[JR_SW7]int e0/0/2
[JR_SW7-Ethernet0/0/2]po li ac
[JR_SW7-Ethernet0/0/2]po de vl 4
[JR_SW7-Ethernet0/0/2]int e0/0/3
[JR_SW7-Ethernet0/0/3]po li ac
[JR_SW7-Ethernet0/0/3]po de vl 5
[JR_SW7-Ethernet0/0/3]int e0/0/1
[JR_SW7-Ethernet0/0/1]po li tr
[JR_SW7-Ethernet0/0/1]port trunk  allow-pass vlan 4 5 999

1
2
3
4
5
6
7
8
9
10
11

---

sw8:

[SW8]vlan batch 2 to 5  200 999
[SW8]int e0/0/3
[SW8-Ethernet0/0/3]po li ac
[SW8-Ethernet0/0/3] po de vl 200
[SW8-Ethernet0/0/3]int e0/0/4
[SW8-Ethernet0/0/4]po li ac
[SW8-Ethernet0/0/4] po de vl 200
[SW8]port-g g Ethernet 0/0/1 Ethernet 0/0/2
[SW8-port-group]po li tr
[SW8-port-group]po tr al vl 200 999
1
2
3
4
5
6
7
8
9
10

---

②MSTP配置:

sw1\sw2(\sw3\sw4\sw8配到第6行):

[HX_SW1]stp region-configuration 
[HX_SW1-mst-region]region-name aa
[HX_SW1-mst-region]revision-level 1
[HX_SW1-mst-region]instance 1 vlan 2 3 200
[HX_SW1-mst-region]instance 2 vlan 4 5 
[HX_SW1-mst-region]active region-configuration 
[HX_SW1]stp instance 1 root primary 
[HX_SW1]stp instance 2 root  secondary 
1
2
3
4
5
6
7
8

---

③VRRP配置:

SW1:

[HX_SW1]int Vlanif 2
[HX_SW1-Vlanif2]ip add 192.168.2.254 24
[HX_SW1-Vlanif2]vrrp vrid 2 virtual-ip 192.168.2.1
[HX_SW1-Vlanif2]vrrp vrid 2 priority 105
[HX_SW1-Vlanif2]int vlanif 3
[HX_SW1-Vlanif3]ip add 192.168.3.254 24
[HX_SW1-Vlanif3]vrrp vrid 3 virtual-ip 192.168.3.1
[HX_SW1-Vlanif3]vrrp vrid 3 priority 105
[HX_SW1]int vlan 200
[HX_SW1-Vlanif200]ip add 192.168.200.254 24
[HX_SW1-Vlanif200]vrrp vrid 200 virtual-ip 192.168.200.1 
[HX_SW1-Vlanif200]vrrp vrid 200 priority 105
[HX_SW1]int Vlanif 4
[HX_SW1-Vlanif4]ip add 192.168.4.254 24
[HX_SW1-Vlanif4]vrrp vrid 4 virtual-ip 192.168.4.1
[HX_SW1-Vlanif4]int vlan 5
[HX_SW1-Vlanif5]ip add 192.168.5.254 24
[HX_SW1-Vlanif5]vrrp vrid  5 virtual-ip 192.168.5.1

[HX_SW1]int Vlanif 800
[HX_SW1-Vlanif800]ip add 192.168.12.2 24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

sw2:

[HX_SW2]int Vlanif 4
[HX_SW2-Vlanif4]ip add 192.168.4.253 24
[HX_SW2-Vlanif4]vrrp vrid 4 virtual-ip 192.168.4.1 
[HX_SW2-Vlanif4]vrrp vrid 4 priority 105
[HX_SW2]int Vlanif 5
[HX_SW2-Vlanif5]ip add 192.168.5.253 24
[HX_SW2-Vlanif5]vrrp vrid 5 virtual-ip 192.168.5.1
[HX_SW2-Vlanif5]vrrp vrid 5 priority 105
[HX_SW2]int Vlanif 2
[HX_SW2-Vlanif2]ip add 192.168.2.253 24
[HX_SW2-Vlanif2]vrrp vrid 2 virtual-ip 192.168.2.1
[HX_SW2-Vlanif2]int vlanif 3
[HX_SW2-Vlanif3]ip add 192.168.3.253 24
[HX_SW2-Vlanif3]vrrp vrid 3 virtual-ip 192.168.3.1
[HX_SW2-Vlanif3]int vlanif 200
[HX_SW2-Vlanif200]ip add 192.168.200.253 24
[HX_SW2-Vlanif200]vrrp vrid 200 virtual-ip 192.168.200.1.

[HX_SW2]int Vlanif 801
[HX_SW2-Vlanif801]ip add 192.168.23.2 24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

---

④BFD配置:

核心与出口之间

sw1:

[HX_SW1]bfd
[HX_SW1-bfd]q	
[HX_SW1]bfd bb bind peer-ip 192.168.12.1 source-ip 192.168.12.2 auto 
[HX_SW1-bfd-session-bb]commit 
***===track上下线路：===***
[HX_SW1]int Vlanif 2  
[HX_SW1-Vlanif2]vrrp vrid 2 track  bfd-session session-name bb
[HX_SW1-Vlanif2]vrrp vrid 2 track interface GigabitEthernet 0/0/1

[HX_SW1]int Vlanif 3
[HX_SW1-Vlanif3]vrrp vrid 3 track bfd-session session-name bb
[HX_SW1-Vlanif3]vrrp vrid 3 track interface GigabitEthernet 0/0/1

[HX_SW1]int Vlanif 200
[HX_SW1-Vlanif200]vrrp vrid 200 track bfd-session session-name bb
[HX_SW1-Vlanif200]vrrp vrid 200 track interface GigabitEthernet 0/0/5


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

R1:

[R1]bfd
[R1-bfd]q
[R1]int gi0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.12.1 24
[R1]bfd bb bind peer-ip 192.168.12.2 source-ip 192.168.12.1 auto 
[R1]bfd cc bind peer-ip 192.168.23.2 source-ip 192.168.23.1 auto 
[R1-bfd-session-bb]commit 
1
2
3
4
5
6
7

SW2:

[HX_SW2]bfd
[HX_SW2-bfd]q
[HX_SW2]bfd cc bind peer-ip 192.168.23.1 source-ip 192.168.23.2 auto 
[HX_SW2-bfd-session-cc]commit

[HX_SW2]int Vlanif 4
[HX_SW2-Vlanif4]vrrp vrid 4 track bfd-session session-name cc
[HX_SW2-Vlanif4]vrrp vrid 4 track interface GigabitEthernet 0/0/4

[HX_SW2]int Vlanif 5
[HX_SW2-Vlanif4]vrrp vrid 5 track bfd-session session-name cc
[HX_SW2-Vlanif4]vrrp vrid 5 track interface GigabitEthernet 0/0/4

1
2
3
4
5
6
7
8
9
10
11
12
13

---

⑤OSPF 、NAT配置:

sw1:

[HX_SW1]ospf 1
[HX_SW1-ospf-1]area 0
[HX_SW1-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]network 192.168.4.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]network 192.168.5.0 0.0.0.255t	
[HX_SW1-ospf-1-area-0.0.0.0]network 192.168.200.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255

[HX_SW1]ip route-static 0.0.0.0 0 192.168.12.1
[HX_SW1]ip route-static 0.0.0.0 0 192.168.23.1 preference 65 #备

使vlan4 5 的数据不走sw1：
ospf cost 值调整;尽可能保证来回路径一致且最短
[HX_SW1]int Vlanif 4
[HX_SW1-Vlanif4]ospf cost 4
[HX_SW1-Vlanif4]int vlanif 5
[HX_SW1-Vlanif5]ospf cost 4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

sw2:

[HX_SW2]ospf 1
[HX_SW2-ospf-1]area 0
[HX_SW2-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]network 192.168.4.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]network 192.168.5.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]network 192.168.200.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]network 192.168.23.0 0.0.0.255

[HX_SW2]ip route-static 0.0.0.0 0 192.168.23.1
[HX_SW2]ip route-static 0.0.0.0 0 192.168.12.1 preference 65

使vlan2 3 200的数据不走sw2：
ospf cost 值调整;尽可能保证来回路径一致且最短
[HX_SW2]int Vlanif 2
[HX_SW2-Vlanif2]ospf cost 4
[HX_SW2-Vlanif2]int vlanif 3
[HX_SW2-Vlanif3]ospf cost 4
[HX_SW2-Vlanif3]int vlanif 200
[HX_SW2-Vlanif200]ospf cost 4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

R1:

[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 192.168.23.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 14.1.1.0 0.0.0.255

[R1]ip route-static 0.0.0.0 0 13.1.1.2

[R1]acl 2000 
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R1]int gi1/0/0
[R1-GigabitEthernet1/0/0]nat outbound 2000
1
2
3
4
5
6
7
8
9
10
11
12

R4:

[FZ_R4]ospf 1
[FZ_R4-ospf-1]area 0
[FZ_R4-ospf-1-area-0.0.0.0]network 14.1.1.0 0.0.0.255
[FZ_R4-ospf-1-area-0.0.0.0]network 192.168.100.0 0.0.0.255
1
2
3
4

(用rip模拟运营商网络的配置):

R5:**********************
[R5]int e0/0/0
[R5-Ethernet0/0/0]ip add 25.1.1.5 24
[R5-Ethernet0/0/0]int e0/0/1
[R5-Ethernet0/0/1]ip add 35.1.1.5 24
[R5]int LoopBack 1
[R5-LoopBack1]ip add 5.5.5.5 24
[R5]rip 1	
[R5-rip-1]version 2	
[R5-rip-1]network 25.0.0.0 	
[R5-rip-1]network 35.0.0.0	
[R5-rip-1]network 5.0.0.0

R3:**************************
[LT_R3]int e0/0/0
[LT_R3-Ethernet0/0/0]ip add 13.1.1.2 24
[LT_R3]int e0/0/1
[LT_R3-Ethernet0/0/1]ip add 35.1.1.3 24
[LT_R3]rip 1
[LT_R3-rip-1]version 2
[LT_R3-rip-1]network 13.0.0.0
[LT_R3-rip-1]network 35.0.0.0

R2:***************************
[DX_R2]int g0/0/1
[DX_R2-GigabitEthernet0/0/1]ip add 25.1.1.2 24
[DX_R2]rip 1
[DX_R2-rip-1]version 2
[DX_R2-rip-1]network 12.0.0.0
[DX_R2-rip-1]network 25.0.0.0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

---

⑥DHCP 配置:

reset ip pool name vlan3 used 清除已分配地址
dis ip pool name vlan2 used 查看名为vlan2的地址池已分配地址

dhcp server:

[DHCP]dhcp enable 
[DHCP]ip pool vlan2
[DHCP-ip-pool-vlan2]network 192.168.2.0 mask 24
[DHCP-ip-pool-vlan2]gateway-list 192.168.2.1
[DHCP-ip-pool-vlan2]dns-list 114.114.114.114 8.8.8.8
[DHCP]ip pool vlan3
[DHCP-ip-pool-vlan3] gateway-list 192.168.3.1
[DHCP-ip-pool-vlan3] network 192.168.3.0 mask 255.255.255.0
[DHCP-ip-pool-vlan3] dns-list 114.114.114.114 8.8.8.8
[DHCP-ip-pool-vlan3]ip pool vlan4
[DHCP-ip-pool-vlan4] gateway-list 192.168.4.1
[DHCP-ip-pool-vlan4] network 192.168.4.0 mask 255.255.255.0
[DHCP-ip-pool-vlan4] dns-list 114.114.114.114 8.8.8.8
[DHCP-ip-pool-vlan4]ip pool vlan5
[DHCP-ip-pool-vlan5] gateway-list 192.168.5.1
[DHCP-ip-pool-vlan5] network 192.168.5.0 mask 255.255.255.0
[DHCP-ip-pool-vlan5] dns-list 114.114.114.114 8.8.8.8

应用：
[DHCP]int e0/0/0
[DHCP-Ethernet0/0/0]dhcp select global 

排除地址：
[DHCP]ip pool vlan2
[DHCP-ip-pool-vlan2]excluded-ip-address 192.168.2.249 192.168.2.254
[DHCP-ip-pool-vlan2]ip pool vlan3
[DHCP-ip-pool-vlan3]excluded-ip-address 192.168.3.249 192.168.3.254
[DHCP-ip-pool-vlan3]ip pool vlan4
[DHCP-ip-pool-vlan4]excluded-ip-address 192.168.4.249 192.168.4.254
[DHCP-ip-pool-vlan4]ip pool vlan5
[DHCP-ip-pool-vlan5]excluded-ip-address 192.168.5.249 192.168.5.25
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

sw1:

[HX_SW1]dhcp enable 
[HX_SW1]int Vlanif 2
[HX_SW1-Vlanif2]dhcp select relay 
[HX_SW1-Vlanif2]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif2]int vlanif 3
[HX_SW1-Vlanif3]dhcp select relay 
[HX_SW1-Vlanif3]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif3]int vlanif 4
[HX_SW1-Vlanif4]dhcp select relay 
[HX_SW1-Vlanif4]dhcp relay server-ip  192.168.200.3
[HX_SW1-Vlanif4]int vlanif 5
[HX_SW1-Vlanif5]dhcp select relay 
[HX_SW1-Vlanif5]dhcp relay  server-ip 192.168.200.3
1
2
3
4
5
6
7
8
9
10
11
12
13

sw2:

[HX_SW2]dhcp enable 
[HX_SW2]int vlanif 2
[HX_SW2-Vlanif2]dhcp select relay 
[HX_SW2-Vlanif2]dhcp relay  server-ip 192.168.200.3
[HX_SW2-Vlanif2]int vlanif 3
[HX_SW2-Vlanif3]dhcp select relay 
[HX_SW2-Vlanif3]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif3]int vlanif 4
[HX_SW2-Vlanif4]dhcp select relay 
[HX_SW2-Vlanif4]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif4]int vlanif 5
[HX_SW2-Vlanif5]dhcp select relay 
[HX_SW2-Vlanif5]dhcp relay server-ip 192.168.200.3
1
2
3
4
5
6
7
8
9
10
11
12
13

dhcp snooping安全配置：
让交换机只从信任端口获取dhcp address给主机

sw5【sw6，sw7（接入层）同理】:

[JR_SW5]dhcp enable 
[JR_SW5]dhcp snooping enable 
[JR_SW5]vlan 2
[JR_SW5-vlan2]dhcp  snooping enable
[JR_SW5-vlan2]int e0/0/1
[JR_SW5-Ethernet0/0/1]dhcp snooping trusted 
1
2
3
4
5
6

---

⑦PPPOE配置:

R1:

[R1]acl 2001
[R1-acl-basic-2001]rule permit source 192.168.0.0 0.0.255.255
[R1-acl-basic-2001]int dialer 1
[R1-Dialer1]link-protocol ppp 
[R1-Dialer1]ip address ppp-negotiate 
[R1-Dialer1]ppp pap local-user 0531 password simple 123456
[R1-Dialer1]dialer user 0531
[R1-Dialer1]dialer-group
[R1-Dialer1]dialer bundle 2
[R1-Dialer1]nat outbound 2001
[R1-Dialer1]int gi0/0/2
[R1-GigabitEthernet0/0/2]pppoe-client dial-bundle-number 2

[R1]ip route-static 0.0.0.0 0 Dialer 1 preference 85 #备份链路pppoe

[R1]int Dialer 1
[R1-Dialer1]mtu 1492
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

R2:

[DX_R2]ip pool pool1
[DX_R2-ip-pool-pool1]network 12.1.1.0 mask 24
[DX_R2-ip-pool-pool1]gateway-list 12.1.1.2
[DX_R2]aaa
[DX_R2-aaa]local-user 0531 password cipher 123456
[DX_R2-aaa]local-user 0531 service-type ppp
[DX_R2-aaa]int gi0/0/0
[DX_R2-GigabitEthernet0/0/0]undo ip add
[DX_R2]int Virtual-Template 1
[DX_R2-Virtual-Template1]ppp authentication-mode pap 
[DX_R2-Virtual-Template1]remote address pool  pool1
[DX_R2-Virtual-Template1]ip address 12.1.1.2 24
[DX_R2]int gi0/0/0
[DX_R2-GigabitEthernet0/0/0]pppoe-server bind virtual-template 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14

---

⑧出口路由配置:

（已配置）pppoe为备份链路。到联通为主链路。

R1:

ip route-static 0.0.0.0 0.0.0.0 13.1.1.2
ip route-static 0.0.0.0 0.0.0.0 Dialer1 preference 85
1
2

⑨NAT server 配置:

将server 200.2 80端口映射成联通公网地址

R1:

[R1]int gi 1/0/0
[R1-GigabitEthernet1/0/0]nat server protocol tcp global current-interface 80 inside 192.168.200.2 80

1
2
3

⑩ACL配置:

禁止vlan5 用户访问外网

R1:

[R1]acl 3005
[R1-acl-adv-3005]rule permit ip source 192.168.5.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
[R1-acl-adv-3005]rule deny ip source 192.168.5.0 0.0.0.255 
[R1-acl-adv-3005]int gi0/0/1
[R1-GigabitEthernet0/0/1]traffic-filter inbound acl 3005
[R1-GigabitEthernet0/0/1]int gi0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3005
1
2
3
4
5
6
7

⑪ 策略路由配置（模拟器不生效）:

出口链路正常时，vlan3 使用电信PPPOE上网

R1:

[R1]acl 3008 
[R1-acl-adv-3008]rule  deny ip source 192.168.3.0 0.0.0.255 destination 192.168.0.0 0.0.255.255 #这部分流量不走策略路由
[R1-acl-adv-3008]rule permit ip source 192.168.3.0 0.0.0.255 #剩下的走策略转发
[R1]traffic classifier vlan_3  #分类
[R1-classifier-vlan_3]if-match acl 3008
[R1]traffic behavior vlan_3  #动作
[R1-behavior-vlan_3]redirect interface Dialer 1 #重定向到拨号接口
[R1]traffic policy aa #定义一个策略aa
[R1-trafficpolicy-aa]classifier  vlan_3 behavior vlan_3 #关联动作和分类
[R1]int gi0/0/0  #调用策略在入方向
[R1-GigabitEthernet0/0/0]traffic-policy aa inbound 
[R1-GigabitEthernet0/0/0]int gi0/0/1
[R1-GigabitEthernet0/0/1]traffic-policy aa inbound 

1
2
3
4
5
6
7
8
9
10
11
12
13
14

bug1:可以配置但不生效策略路由匹配Dialer口不支持
traffic behavior VLAN_3
redirect interface Dialer1

bug2︰路由器不请求下─跳的mac地址
traffic behavior VLAN_3
redirect ip-nexthop 13.1.1.2
如果想生效需要确保13.1.1.2的mac地址在本台路由器的arp 缓存表。

⑫ Telnet配置:

所有交换机都可以被远程telnet （hcie 123）

所有设备:

[HX_SW1]aaa
[HX_SW1-aaa]local-user hcie privilege level 3 password cipher 123
[HX_SW1-aaa]local-user hcie service-type telnet
[HX_SW1]user-interface vty 0 4
[HX_SW1-ui-vty0-4]authentication-mode aaa
[HX_SW1-ui-vty0-4]protocol inbound telnet
1
2
3
4
5
6

sw1:

[HX_SW1]int Vlanif 999
[HX_SW1-Vlanif999]ip add 192.168.255.254 24
[HX_SW1-Vlanif999]vrrp vrid 255 virtual-ip 192.168.255.1
1
2
3

sw2:

[HX_SW2]int vlanif 999
[HX_SW2-Vlanif999]ip add 192.168.255.253 24
[HX_SW2-Vlanif999]vrrp vrid 255 virtual-ip 192.168.255.1
1
2
3

sw3:

[HJ_SW3]vlan 999
[HJ_SW3-vlan999]int vlanif 999
[HJ_SW3-Vlanif999]ip add 192.168.253.3 24
[HJ_SW3]ip route-static 0.0.0.0 0 192.168.255.1 #回管理的包用

1
2
3
4
5

sw4:

[HJ_SW4]vlan 999
[HJ_SW4-vlan999]int vlanif 999
[HJ_SW4-Vlanif999]ip add 192.168.255.4 24
[HJ_SW4]ip route-static 0.0.0.0 0 192.168.255.1

1
2
3
4
5

sw5:

[JR_SW5]int vlanif 999
[JR_SW5-Vlanif999]ip add 192.168.255.5 24
[JR_SW5]ip route-static 0.0.0.0 0 192.168.255.1
1
2
3

sw6:

[JR_SW6]int vlanif 999
[JR_SW6-Vlanif999]ip add 192.168.255.6 24
[JR_SW6]ip route-static 0.0.0.0 0 192.168.255.1
1
2
3

sw7:

[JR_SW7]int vlanif 999
[JR_SW7-Vlanif999]ip add 192.168.255.7 24
[JR_SW7]ip route-static 0.0.0.0 0 192.168.255.1
1
2
3

sw8:

[JR_SW8]int vlanif 999
[JR_SW8-Vlanif999]ip add 192.168.255.8 24
[JR_SW8]ip route-static 0.0.0.0 0 192.168.255.1
1
2
3

---

可选：

配置相关stp优化技术加快stp收敛，并减少stp震荡:

1. 所有接入交换机接用户口打边缘端口：

[JR_SW5]int e0/0/2
[JR_SW5-Ethernet0/0/2]stp edged-port enable 
1
2

2. sw1.sw2上联口取消stp功能：

[HX_SW1]int gi 0/0/6
[HX_SW1-GigabitEthernet0/0/6]stp disable 
1
2

3. 给捆绑接口配置静态的cost开销

[HX_SW1]int Eth-Trunk 2
[HX_SW1-Eth-Trunk2]stp instance 1 cost 10000
[HX_SW1-Eth-Trunk2]stp instance 2 cost 10000
1
2
3