Backup file only. Backed up 2023.6.23

I. Switch configuration

1. Spanning tree (MSTP)

Enable MSTP on SW1, SW2 and SW3 to obtain Layer-2 load sharing and redundancy. Create instances Instance10 and Instance20 in region SKILLS, revision level 1, with Instance10 mapped to vlan60 and vlan70 and Instance20 mapped to vlan80 and vlan90. SW1 is the root bridge for Instance0 and Instance10 and the backup root for Instance20; SW2 is the root for Instance20 and the backup root for Instance0 and Instance10. Root bridges use STP priority 0, backup roots use priority 4096. Disable STP on the Layer-3 interconnect ports between the switches.

All three switches must carry the identical region name, revision level and VLAN-to-instance mapping; a switch whose digest differs falls into its own region, and the per-instance root design collapses into a single CIST root.

SW1:

spanning-tree mst configuration
 name SKILLS
 revision-level 1
 instance 0 vlan 1-59;61-69;71-79;81-89;91-4094
 instance 10 vlan 60;70
 instance 20 vlan 80;90
 exit
!
spanning-tree
spanning-tree mst 0 priority 0
spanning-tree mst 10 priority 0
spanning-tree mst 20 priority 4096
Interface Ethernet1/0/22
 no spanning-tree
Interface Ethernet1/0/26
 no spanning-tree

SW2:

spanning-tree mst configuration
 name SKILLS
 revision-level 1
 instance 0 vlan 1-59;61-69;71-79;81-89;91-4094
 instance 10 vlan 60;70
 instance 20 vlan 80;90
 exit
!
spanning-tree
spanning-tree mst 0 priority 4096
spanning-tree mst 10 priority 4096
spanning-tree mst 20 priority 0
Interface Ethernet1/0/22
 no spanning-tree
Interface Ethernet1/0/26
 no spanning-tree

SW3:

spanning-tree mst configuration
 name SKILLS
 revision-level 1
 instance 0 vlan 1-59;61-69;71-79;81-89;91-4094
 instance 10 vlan 60;70
 instance 20 vlan 80;90
 exit
!
spanning-tree
Interface Ethernet1/0/21
 no spanning-tree
Interface Ethernet1/0/22
 no spanning-tree

Result (SW3 sees SW1, MAC ...e0:f9:b3, as root of instances 0 and 10 through E1/0/23 and SW2, MAC ...e0:f9:b6, as root of instance 20 through E1/0/24; in each instance the other uplink is blocked as the alternate port toward the 4096 backup root):

SW3(config)#show spanning-tree 

*********************************** Process 0 ***********************************
                 -- MSTP Bridge Config Info --

Standard     :  IEEE 802.1s
Bridge MAC   :  00:03:0f:e0:f9:b9
Bridge Times :  Max Age 20, Hello Time 2, Forward Delay 15
Force Version:  3

########################### Instance 0 ###########################
Self Bridge Id   : 32768.00:03:0f:e0:f9:b9
Root Id          : 0.00:03:0f:e0:f9:b3
Ext.RootPathCost : 0
Region Root Id   : 0.00:03:0f:e0:f9:b3
Int.RootPathCost : 20000
Root Port ID     : 128.23
Current port list in Instance 0:  
Ethernet1/0/11 Ethernet1/0/12 Ethernet1/0/15 Ethernet1/0/17 Ethernet1/0/18
Ethernet1/0/23 Ethernet1/0/24 (Total 7)

   PortName           ID      ExtRPC   IntRPC  State Role     DsgBridge          DsgPort
-------------- ------------ --------- --------- ---  ---- ------------------ ------------
 Ethernet1/0/11   128.00011          0     20000 FWD  DSGN 32768.00030fe0f9b9   128.00011
 Ethernet1/0/12   128.00012          0     20000 FWD  DSGN 32768.00030fe0f9b9   128.00012
 Ethernet1/0/15   128.00015          0     20000 FWD  DSGN 32768.00030fe0f9b9   128.00015
 Ethernet1/0/17   128.00017          0     20000 FWD  DSGN 32768.00030fe0f9b9   128.00017
 Ethernet1/0/18   128.00018          0     20000 FWD  DSGN 32768.00030fe0f9b9   128.00018
 Ethernet1/0/23   128.00023          0         0 FWD  ROOT     0.00030fe0f9b3   128.00023
 Ethernet1/0/24   128.00024          0     20000 BLK  ALTR  4096.00030fe0f9b6   128.00023

########################### Instance 10 ###########################
Self Bridge Id   : 32768.00:03:0f:e0:f9:b9
Region Root Id   : 0.00:03:0f:e0:f9:b3
Int.RootPathCost : 20000
Root Port ID     : 128.23
Current port list in Instance 10:  
Ethernet1/0/23 Ethernet1/0/24 (Total 2)

   PortName           ID    IntRPC   State Role     DsgBridge          DsgPort
--------------- ------------ --------- ---  ---- ------------------ ----------
 Ethernet1/0/23   128.00023         0 FWD  ROOT     0.00030fe0f9b3   128.00023
 Ethernet1/0/24   128.00024     20000 BLK  ALTR  4096.00030fe0f9b6   128.00023

########################### Instance 20 ###########################
Self Bridge Id   : 32768.00:03:0f:e0:f9:b9
Region Root Id   : 0.00:03:0f:e0:f9:b6
Int.RootPathCost : 20000
Root Port ID     : 128.24
Current port list in Instance 20:  
Ethernet1/0/23 Ethernet1/0/24 (Total 2)

   PortName           ID    IntRPC   State Role     DsgBridge          DsgPort
--------------- ------------ --------- ---  ---- ------------------ ----------
 Ethernet1/0/23   128.00023     20000 BLK  ALTR  4096.00030fe0f9b3   128.00023
 Ethernet1/0/24   128.00024         0 FWD  ROOT     0.00030fe0f9b6   128.00023
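The `show spanning-tree` output above can be checked mechanically. The following Python script is an added example, not part of the original backup: it parses the Region Root Id of each MSTP instance from a constructed copy of the SW3 output and compares it with the intended placement (SW1 roots instances 0 and 10, SW2 roots instance 20), flagging any instance whose root still has the default priority 32768. The mapping of bridge MACs to switch names is taken from the LACP System IDs on this page and from the SW3 Bridge MAC.

```python
"""Audit MSTP root placement from `show spanning-tree` output.

Added example, not part of the original configuration backup. It parses the
Region Root Id of every instance from a constructed copy of the SW3 output
and checks the design: instances 0 and 10 rooted at SW1, instance 20 rooted
at SW2, and no instance rooted at a bridge with the default priority.
"""
import re

# Bridge MACs from this page: SW1/SW2 from the LACP System IDs, SW3 from Bridge MAC.
BRIDGES = {"SW1": "00:03:0f:e0:f9:b3", "SW2": "00:03:0f:e0:f9:b6", "SW3": "00:03:0f:e0:f9:b9"}
EXPECTED_ROOT = {0: "SW1", 10: "SW1", 20: "SW2"}

# Constructed sample: the relevant lines of the SW3 `show spanning-tree` output above.
SAMPLE = """\
########################### Instance 0 ###########################
Self Bridge Id   : 32768.00:03:0f:e0:f9:b9
Root Id          : 0.00:03:0f:e0:f9:b3
Region Root Id   : 0.00:03:0f:e0:f9:b3
Root Port ID     : 128.23
########################### Instance 10 ###########################
Self Bridge Id   : 32768.00:03:0f:e0:f9:b9
Region Root Id   : 0.00:03:0f:e0:f9:b3
Root Port ID     : 128.23
########################### Instance 20 ###########################
Self Bridge Id   : 32768.00:03:0f:e0:f9:b9
Region Root Id   : 0.00:03:0f:e0:f9:b6
Root Port ID     : 128.24
"""

INSTANCE_RE = re.compile(r"#+ Instance (\d+) #+")
ROOT_RE = re.compile(r"Region Root Id\s*:\s*(\d+)\.([0-9a-f:]{17})")


def parse_region_roots(text):
    """Return {instance: (priority, root_mac)} from show spanning-tree output."""
    roots, current = {}, None
    for line in text.splitlines():
        m = INSTANCE_RE.search(line)
        if m:
            current = int(m.group(1))
            continue
        m = ROOT_RE.search(line)
        if m and current is not None:
            roots[current] = (int(m.group(1)), m.group(2).lower())
    return roots


def audit(text, expected=EXPECTED_ROOT, bridges=BRIDGES):
    """Return a list of findings; an empty list means the design is met."""
    mac_to_name = {mac: name for name, mac in bridges.items()}
    findings = []
    roots = parse_region_roots(text)
    for inst, want in expected.items():
        if inst not in roots:
            findings.append(f"instance {inst}: not present in output")
            continue
        prio, mac = roots[inst]
        got = mac_to_name.get(mac, mac)
        if got != want:
            findings.append(f"instance {inst}: root is {got}, expected {want}")
        if prio == 32768:
            # Nobody set a priority: any bridge with a lower MAC, including a
            # rogue one on an access port, could win the election.
            findings.append(f"instance {inst}: root has default priority 32768")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE) or ["MSTP root placement matches the design"]:
        print(f)
```

Run it against the saved output of each switch after a change; a root that unexpectedly moves to a default-priority bridge is the classic symptom of a rogue or misconfigured switch winning the election, which is also why root guard belongs on access ports (not part of this exercise).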

2. Link aggregation (LACP)

SW1 and SW2 are interconnected by three dark fibres: one carries the Layer-3 IP service, one the VPN service and one the Layer-2 service. Use the appropriate technology to isolate the finance segment 1 and finance segment 2 routing tables from the other services' routing tables; the finance VPN instance is named CW.

SW1:

SW1#sho ip vrf 
VRF CW, FIB ID 1
Router ID: 10.10.255.2 (automatic)
Interfaces:
  Vlan40
  Vlan1027
!

VRF CW; (id=1); RIP is not enabled

Name             Interfaces
CW               Vlan40 Vlan1027 

Name                    Default RD           Interfaces
CW                                           Vlan40
                                             Vlan1027

SW2:

SW2#sho ip vrf 
VRF CW, FIB ID 1
Router ID: 10.10.255.2 (automatic)
Interfaces:
  Vlan40
  Vlan1027
!

VRF CW; (id=1); RIP is not enabled

Name             Interfaces
CW               Vlan40 Vlan1027 

Name                    Default RD           Interfaces
CW                                           Vlan40
                                             Vlan1027

Only one dark fibre currently carries the Layer-2 service. Configure link aggregation so that the link can later be expanded and backed up: group number 1, LACP, SW1 active and SW2 active; load sharing on source and destination IP.

SW1:

SW1(config)#port-group 1
SW1(config)#int e1/0/25;28                 
SW1(config-if-port-range)#port-group 1 mode active 
SW1(config-if-port-range)#exit
SW1(config)#load-balance dst-src-ip 

Result (E1/0/28 is Selected with flags ACDEF, i.e. synchronised, collecting and distributing; E1/0/25 is Unselected with flag G, Defaulted, because no partner is cabled on it yet, which is the spare the task anticipates):

SW1#sho port-group 1 detail 
Flags:  A -- LACP_Activity, B -- LACP_timeout, C -- Aggregation,
        D -- Synchronization, E -- Collecting, F -- Distributing,
        G -- Defaulted, H -- Expired

Port-group number: 1,  Mode: active,   Load-balance: dst-src-ip
 Port-group detail information:
 System ID: 0x8000,00-03-0f-e0-f9-b3
 Local:
  Port             Status      Priority  Oper-Key Flag      
  -----------------------------------------------------------
  Ethernet1/0/25   Unselected  32768     1        {ACG}
  Ethernet1/0/28   Selected    32768     1        {ACDEF}

 Remote:
  Actor           Partner  Priority  Oper-Key SystemID                    Flag      
  --------------------------------------------------------------------------------
  Ethernet1/0/28  28       32768     1        0x8000,00-03-0f-e0-f9-b6    {ACDEF}

SW2:

SW2(config)#port-group 1
SW2(config)#int e1/0/25;28
SW2(config-if-port-range)#port-group 1 mode active
SW2(config-if-port-range)#exit
SW2(config)#load-balance dst-src-ip

Result:

SW2#sho port-group 1 detail 
Flags:  A -- LACP_Activity, B -- LACP_timeout, C -- Aggregation,
        D -- Synchronization, E -- Collecting, F -- Distributing,
        G -- Defaulted, H -- Expired

Port-group number: 1,  Mode: active,   Load-balance: dst-src-ip
 Port-group detail information:
 System ID: 0x8000,00-03-0f-e0-f9-b6
 Local:
  Port             Status      Priority  Oper-Key Flag      
  -----------------------------------------------------------
  Ethernet1/0/25   Unselected  32768     1        {ACG}
  Ethernet1/0/28   Selected    32768     1        {ACDEF}

 Remote:
  Actor           Partner  Priority  Oper-Key SystemID                    Flag      
  --------------------------------------------------------------------------------
  Ethernet1/0/28  28       32768     1        0x8000,00-03-0f-e0-f9-b3    {ACDEF}

3. Routing-table isolation (VRF)

SW3 simulates the Internet switch; isolate that routing table from the group's other services in a VPN instance named Internet. SW3 also simulates the branch-office switch; isolate that routing table from the group's other services in a VPN instance named Guangdong.

ip vrf Guangdong
!
ip vrf Internet
!         
interface Loopback2
 ip vrf forwarding Guangdong
 ipv6 address 2001:10:10:3::2/128
 ip address 10.10.3.2 255.255.255.255
!
interface Loopback3
 ip vrf forwarding Internet
 ipv6 address 2001:200:200:3::3/128
 ip address 200.200.3.3 255.255.255.255
 !
interface Vlan110
 ip vrf forwarding Guangdong
 ipv6 address 2001:10:16:110::1/64
 ip address 10.16.110.1 255.255.255.0
!
interface Vlan120
 ip vrf forwarding Guangdong
 ipv6 address 2001:10:16:120::1/64
 ip address 10.16.120.1 255.255.255.0
!
interface Vlan1015
 ip vrf forwarding Guangdong
 ip address 10.10.255.46 255.255.255.252
!
interface Vlan1017
 ip vrf forwarding Internet
 ip address 200.200.200.1 255.255.255.252
!
interface Vlan1018
 ip vrf forwarding Internet
 ip address 200.200.200.5 255.255.255.252
!

Result:

SW3#sho ip vrf 
VRF Guangdong, FIB ID 1
Router ID: 10.10.3.2 (loopback)
Interfaces:
  Vlan110
  Vlan120
  Vlan1015
  Loopback2
!
VRF Internet, FIB ID 2
Router ID: 200.200.3.3 (loopback)
Interfaces:
  Vlan1017
  Vlan1018
  Loopback3
!

VRF Guangdong; (id=1); RIP is not enabled
VRF Internet; (id=2); RIP is not enabled

Name             Interfaces
Guangdong        Vlan110 Vlan120 Vlan1015 Loopback2 
Internet         Vlan1017 Vlan1018 Loopback3 

Name                    Default RD           Interfaces
Guangdong                                    Vlan110
                                             Vlan120
                                             Vlan1015
                                             Loopback2
Internet                                     Vlan1017
                                             Vlan1018
                                             Loopback3

4. Port security

On the SW1 legal-department physical interface, limit the bandwidth for both transmit and receive to 1000 Mbps and limit the maximum receive rate for all packets to 1000 packets/s; if the port exceeds the configured maximum receive rate, shut the port and recover it after 1 minute. Enable port security with a maximum of 20 secure MAC addresses; when the maximum is exceeded, learn no new MACs, drop the packets, send an SNMP trap and write a syslog entry; when the port's aging timer expires, age out only the entries that saw no traffic during the aging period and keep those that did; recovery time 10 minutes. Without using an access control list, forward only packets whose IP host part is 20-50; without using an access control list, prevent Layer-2 traffic between ports, group name FW.

SW1(config)#inter e1/0/3
SW1(config-if-ethernet1/0/3)#rate-violation all 1000 
SW1(config-if-ethernet1/0/3)#bandwidth control 1000000 both 
SW1(config-if-ethernet1/0/3)#rate-violation control shutdown recovery 60 
SW1(config-if-ethernet1/0/3)#switchport port-security         
Mac learning is not in cpu-control mode, please enable it to make port-security work well!
SW1(config-if-ethernet1/0/3)#switchport port-security maximum 20      
SW1(config-if-ethernet1/0/3)#exit   
SW1(config)#mac-address-learning cpu-control 
SW1(config)#inter e1/0/3
SW1(config-if-ethernet1/0/3)#switchport port-security violation restrict recovery 600 
SW1(config-if-ethernet1/0/3)#switchport port-security aging type inactivity 
SW1(config-if-ethernet1/0/3)#exit       
SW1(config)#am enable 
SW1(config)#inter e1/0/3
SW1(config-if-ethernet1/0/3)#am port 
SW1(config-if-ethernet1/0/3)#am ip-pool 10.10.120.20 31 
SW1(config-if-ethernet1/0/3)#exit
SW1(config)#isolate-port group FW switchport interface e1/0/3                      
SW1(config)#isolate-port apply l2

Result (`am ip-pool 10.10.120.20 31` admits 31 consecutive addresses starting at .20, i.e. host parts 20 to 50; `mac-address-learning cpu-control` had to be enabled globally first, as the warning printed above says):

SW1(config-if-ethernet1/0/3)#sho run c
 bandwidth control 1000000 both
 rate-violation all 1000
 rate-violation control shutdown recovery 60
 switchport access vlan 30
 switchport port-security
 switchport port-security maximum 20
 switchport port-security violation restrict recovery 600
 switchport port-security aging type inactivity
 am port
 am ip-pool 10.10.120.20 31
 
SW1#sho isolate-port group FW 
 Isolate-port group FW
    The isolate-port Ethernet1/0/3

Variant of the same task with different parameters: on the SW1 legal-department physical interface, limit the bandwidth to 100 Mbps receive and 90 Mbps transmit and limit the maximum receive rate for all packets to 100 packets/s; if the port exceeds that rate, shut it and recover it after 10 minutes. Enable port security with a maximum of 10 secure MAC addresses; on overflow learn no new MACs, drop the packets, send an SNMP trap and write a syslog entry; after the aging timer expires, age out only entries with no traffic during the aging period and keep those with traffic; recovery time 10 minutes. Without using an access control list, forward only packets whose IP host part is 20-50; without using an access control list, prevent Layer-2 traffic between ports, group name FW.

Interface Ethernet1/0/3
 bandwidth control 90000 transmit
 bandwidth control 100000 receive
 rate-violation all 100
 rate-violation control shutdown recovery 600
 switchport access vlan 30
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation restrict recovery 600
 switchport port-security aging type inactivity
 am port
 am ip-pool 10.1.13.20 31

SW1(config)#isolate-port group FW switchport interface e1/0/3
SW1(config)#isolate-port apply l2
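To check both variants of the legal-department port above against their requirements, the following Python script (an added example, not from the original backup) parses the interface `show run` lines as captured on this page and verifies each parameter: bandwidth caps in kbit/s, the pps limit and its shutdown/recovery timer, the secure-MAC maximum and violation recovery, inactivity aging, and that `am ip-pool <start> <count>` covers exactly host parts 20 to 50. The requirement dictionaries and the two config snippets are constructed here from the task text.

```python
"""Check a DCN access-port running-config against the port-security requirement.

Added example, not part of the original backup. The requirement dictionaries
and the two interface snippets are constructed from the task text and the
`show run` output on this page.
"""
import re

REQ_1000 = dict(rx_mbps=1000, tx_mbps=1000, pps=1000, rate_recovery=60,
                max_mac=20, sec_recovery=600, host_lo=20, host_hi=50)
REQ_100 = dict(rx_mbps=100, tx_mbps=90, pps=100, rate_recovery=600,
               max_mac=10, sec_recovery=600, host_lo=20, host_hi=50)

CONF_1000 = """\
 bandwidth control 1000000 both
 rate-violation all 1000
 rate-violation control shutdown recovery 60
 switchport port-security
 switchport port-security maximum 20
 switchport port-security violation restrict recovery 600
 switchport port-security aging type inactivity
 am port
 am ip-pool 10.10.120.20 31
"""

CONF_100 = """\
 bandwidth control 90000 transmit
 bandwidth control 100000 receive
 rate-violation all 100
 rate-violation control shutdown recovery 600
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation restrict recovery 600
 switchport port-security aging type inactivity
 am port
 am ip-pool 10.1.13.20 31
"""


def parse_port(text):
    """Pull the numeric settings out of an interface config into a dict."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"bandwidth control (\d+) (both|transmit|receive)", line):
            kbps = int(m.group(1))   # DCN takes the limit in kbit/s
            if m.group(2) in ("both", "receive"):
                cfg["rx_kbps"] = kbps
            if m.group(2) in ("both", "transmit"):
                cfg["tx_kbps"] = kbps
        elif m := re.match(r"rate-violation all (\d+)", line):
            cfg["pps"] = int(m.group(1))
        elif m := re.match(r"rate-violation control shutdown recovery (\d+)", line):
            cfg["rate_recovery"] = int(m.group(1))
        elif m := re.match(r"switchport port-security maximum (\d+)", line):
            cfg["max_mac"] = int(m.group(1))
        elif m := re.match(r"switchport port-security violation restrict recovery (\d+)", line):
            cfg["sec_recovery"] = int(m.group(1))
        elif line == "switchport port-security aging type inactivity":
            cfg["aging_inactivity"] = True
        elif line == "switchport port-security":
            cfg["port_security"] = True
        elif line == "am port":
            cfg["am_port"] = True
        elif m := re.match(r"am ip-pool (\d+\.\d+\.\d+\.)(\d+) (\d+)", line):
            # am ip-pool <first address> <count>: admits count consecutive hosts
            start, count = int(m.group(2)), int(m.group(3))
            cfg["am_hosts"] = (start, start + count - 1)
    return cfg


def audit(text, req):
    """Return the list of unmet requirements (empty list means compliant)."""
    cfg = parse_port(text)
    checks = [
        ("rx bandwidth", cfg.get("rx_kbps") == req["rx_mbps"] * 1000),
        ("tx bandwidth", cfg.get("tx_kbps") == req["tx_mbps"] * 1000),
        ("pps limit", cfg.get("pps") == req["pps"]),
        ("rate-violation recovery", cfg.get("rate_recovery") == req["rate_recovery"]),
        ("port-security enabled", cfg.get("port_security", False)),
        ("secure MAC maximum", cfg.get("max_mac") == req["max_mac"]),
        ("violation recovery", cfg.get("sec_recovery") == req["sec_recovery"]),
        ("inactivity aging", cfg.get("aging_inactivity", False)),
        ("am port", cfg.get("am_port", False)),
        ("am host range", cfg.get("am_hosts") == (req["host_lo"], req["host_hi"])),
    ]
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    print("1000 Mbps variant:", audit(CONF_1000, REQ_1000) or "compliant")
    print("100/90 Mbps variant:", audit(CONF_100, REQ_100) or "compliant")
```

The host-range check is the one most often got wrong by hand: `am ip-pool` takes a first address and a count, so host parts 20 to 50 need a count of 31, not 30.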

5. CPU-protect logging and protection

Enable CPU-protect logging and protection on SW1 with a 5 s sampling interval and a 100 s recovery period, so that the CPU stays stable.

SW1(config)#cpu-protect log enable 
SW1(config)#cpu-protect enable 
SW1(config)#cpu-protect interval 5
SW1(config)#cpu-protect recovery-time 100 

Result (traps remain disabled; the per-stream thresholds and limits are the defaults):

SW1#sho cpu-protect running-config 
Cpu-Protect Globle:          enable 
Cpu-Protect trap :           disable 
Cpu-Protect Log:             enable 
Cpu-Protect Interval:        5 
Cpu-Protect Recovery-Time:   100 
Cap-Num   Ip-Num   Mac-Num   Protocal-Num 
 0          0        0        0  

Stream         Threshould     Limit-Speed    Action
IP             300            150            Speed-Limit
DHCP           150            80             Speed-Limit
IGMP           150            80             Speed-Limit
ARP            300            150            Speed-Limit
ICMP           80             50             Speed-Limit
PER-IP         400            200            Speed-Limit
PER-MAC        400            200            Speed-Limit

6. SNMP

Configure SNMP on SW1 with engine ID 1. Create group GROUP2022 at the highest security level with read view SKILLS_R and write view SKILLS_W. Create user USER2022 with AES privacy, key Pass-1234, and SHA authentication, key Pass-1234. When the device has a fault, send v3 trap messages from the local loopback1 address to the group NMS at 10.10.11.99 and 2001:10:10:11::99, at the highest security level.

The commands as backed up still carried template values from a different exercise (UserSkills/GroupSkills, key Key-1122, engine ID 1000, hosts 10.1.1.1); the lines below use the values the task requires and that the show output confirms. loopback1's IPv4 address is 10.10.1.1 (the NTP server address used elsewhere in this backup); its IPv6 address is not recorded on this page, so that trap-source line is left as a placeholder. The views SKILLS_R and SKILLS_W must exist before the group refers to them.

snmp-server enable
snmp-server securityip 10.10.11.99
snmp-server securityip 2001:10:10:11::99
snmp-server trap-source 10.10.1.1
snmp-server trap-source <loopback1 IPv6 address>
snmp-server engineid 1
snmp-server group GROUP2022 authpriv read SKILLS_R write SKILLS_W
snmp-server user USER2022 GROUP2022 authPriv aes Pass-1234 auth sha Pass-1234
snmp-server host 10.10.11.99 v3 authpriv USER2022
snmp-server host 2001:10:10:11::99 v3 authpriv USER2022
snmp-server enable traps

Result:

SW1(config)#sho snmp engineid 
SNMP engineID:1
        Engine Boots is:1


SW1(config)#sho snmp group   
Group Name:GROUP2022
            Security Level:AuthPriv
Read View:SKILLS_R
Write View:SKILLS_W
Notify View:<no notifyview specified>


SW1(config)#sho snmp status 
System Name : DC YunKe Networks Co.,Ltd.
System Contact : 400-810-9119
System Location : China
Trap enable
RMON enable
Community Information:
V1/V2c Trap Host Information:
V3 Trap Host Information:
        Trap-rec-address: 2001:10:10:11::99
        User-name :USER2022
        Security Level:AuthPriv
        Trap-rec-address: 10.10.11.99
        User-name :USER2022
        Security Level:AuthPriv
Security IP is Enabled. 
        Security IP: 10.10.11.99
        Security IP: 2001:10:10:11::99


SW1(config)#sho snmp user  
User name: USER2022
Engine ID: 0x31
Auth Protocol:SHA    Priv Protocol:AES-CFB-128
Row status:active
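What the switch does with `aes Pass-1234` and `sha Pass-1234` is the RFC 3414 password-to-key and key-localisation procedure. The following Python is an added example (not the device's code): it derives Ku from the password and localises it with the engine ID, here the one-octet engine ID 0x31 that `show snmp user` reports above. The RFC 3414 Appendix A test vectors are included so the implementation can be verified offline.

```python
"""RFC 3414 password-to-key derivation and key localisation.

Added example, not from the original page. It reproduces what the switch
does with `snmp-server user USER2022 ... aes Pass-1234 auth sha Pass-1234`:
the password is stretched to Ku and then localised with the engine ID. The
engine ID 0x31 is the one `show snmp user` prints on this page.
"""
import hashlib


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """Ku: hash of the password repeated to exactly 1,048,576 octets (RFC 3414 A.2)."""
    h = hashlib.new(algo)
    reps, rem = divmod(1048576, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || engineID || Ku): ties the key to a single agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, algo: str = "sha1"):
    """Return (Ku, Kul) for the given password, engine ID and hash algorithm."""
    ku = password_to_key(password.encode(), algo)
    return ku, localize_key(ku, engine_id, algo)


if __name__ == "__main__":
    # Engine ID "1" is what the page's `show snmp user` reports as 0x31.
    ku, kul = usm_keys("Pass-1234", b"\x31")
    print("Ku  =", ku.hex())
    print("Kul =", kul.hex())
    # For AES-128 privacy the priv key is the first 16 octets of the localised key.
    print("AES key =", kul[:16].hex())
```

Because Kul is bound to the engine ID, the same password yields a different key on every agent; with a one-octet engine ID chosen by hand, anyone who knows the password can compute the localised key directly, so outside a lab keep the default (MAC-derived) engine ID and use a password with more entropy than Pass-1234.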

When the user-facing interface of the legal department goes up or down, do not send a trap to the NMS above:

SW1(config-if-ethernet1/0/3)#sho run c 
 no switchport updown notification enable

7. Interconnect traffic mirroring

Mirror the SW1-FW1 interconnect traffic (E1/0/21, both directions) to SW1 E1/0/1, session 1.

monitor session 1 source interface Ethernet1/0/21 tx
monitor session 1 source interface Ethernet1/0/21 rx
monitor session 1 destination interface Ethernet1/0/1

Result (the destination port receives a copy of every frame on the firewall link, so only the capture host belongs on E1/0/1):

SW1(config)#sho monitor 
monitor session 1:
Destination Ethernet1/0/1

Card: slot 1
source ports:
  RX port: 21 
  TX port: 21 
--------------------------------------------------------
No monitor in session 2
--------------------------------------------------------
No monitor in session 3
--------------------------------------------------------
No monitor in session 4
--------------------------------------------------------
No monitor in session 5
--------------------------------------------------------
No monitor in session 6
--------------------------------------------------------
No monitor in session 7
--------------------------------------------------------

8. ULDP

Enable unidirectional link detection on SW1 and SW2 ports E1/0/21-28. When a unidirectional fault is detected, mark the port errdisable and shut it automatically, then bring it back up after 1 minute; hello interval 15 s.

SW1:

SW1(config)#uldp enable
SW1(config)#uldp aggressive-mode
SW1(config)#inter e1/0/21-28
SW1(config-if-port-range)#uldp enable
SW1(config-if-port-range)#uldp aggressive-mode
SW1(config-if-port-range)#exit
SW1(config)#uldp recovery-time 60
SW1(config)#uldp hello-interval 15

Result (E1/0/24 and E1/0/25 show INACTIVE because their line protocol is down; ports 26-28 have a ULDP neighbour):

SW1(config)#sho uldp 
uldp enable
uldp hello interval is              15
uldp recovery time is               60
uldp shut down mode is              AUTO
uldp global work mode is            AGGRESSIVE
the total number of the port is     8 

---------------------------------------------------------------------------
   PortName     PhyLink   LineProto   WorkMode      PortState  NeighborNum
---------------------------------------------------------------------------
 Ethernet1/0/21    UP         UP        AGGRESSIVE    BIDIRECTION    0
 Ethernet1/0/22    UP         UP        AGGRESSIVE    BIDIRECTION    0
 Ethernet1/0/23    UP         UP        AGGRESSIVE    BIDIRECTION    0
 Ethernet1/0/24    UP         DOWN      AGGRESSIVE    INACTIVE       0
 Ethernet1/0/25    UP         DOWN      AGGRESSIVE    INACTIVE       0
 Ethernet1/0/26    UP         UP        AGGRESSIVE    BIDIRECTION    1
 Ethernet1/0/27    UP         UP        AGGRESSIVE    BIDIRECTION    1
 Ethernet1/0/28    UP         UP        AGGRESSIVE    BIDIRECTION    1
---------------------------------------------------------------------------

SW2:

SW2(config)#uldp enable
SW2(config)#uldp aggressive-mode
SW2(config)#inter e1/0/21-28
SW2(config-if-port-range)#uldp enable
SW2(config-if-port-range)#uldp aggressive-mode
SW2(config-if-port-range)#exit
SW2(config)#uldp recovery-time 60
SW2(config)#uldp hello-interval 15

Result:

SW2(config)#sho uldp 
uldp enable
uldp hello interval is              15
uldp recovery time is               60
uldp shut down mode is              AUTO
uldp global work mode is            AGGRESSIVE
the total number of the port is     8 

---------------------------------------------------------------------------
   PortName     PhyLink   LineProto   WorkMode      PortState  NeighborNum
---------------------------------------------------------------------------
 Ethernet1/0/21    UP         UP        AGGRESSIVE    BIDIRECTION    0
 Ethernet1/0/22    UP         UP        AGGRESSIVE    BIDIRECTION    0
 Ethernet1/0/23    UP         UP        AGGRESSIVE    BIDIRECTION    0
 Ethernet1/0/24    UP         DOWN      AGGRESSIVE    INACTIVE       0
 Ethernet1/0/25    UP         DOWN      AGGRESSIVE    INACTIVE       0
 Ethernet1/0/26    UP         UP        AGGRESSIVE    BIDIRECTION    1
 Ethernet1/0/27    UP         UP        AGGRESSIVE    BIDIRECTION    1
 Ethernet1/0/28    UP         UP        AGGRESSIVE    BIDIRECTION    1
---------------------------------------------------------------------------

9. LLDP

Enable LLDP on all ports of SW1 and SW2: update interval 20 s, hold multiplier 5, trap interval 10 s; enable traps on the three dark-fibre ports.

SW1:

The backup had `lldp tx-interval 10` and no notification interval, which does not meet the 20 s update / 10 s trap requirement; the timers are corrected here.

!
lldp enable
lldp tx-interval 20
lldp msgTxHold 5
lldp notification interval 10
!
Interface Ethernet1/0/26
 lldp trap enable
!
Interface Ethernet1/0/27
 lldp trap enable
!
Interface Ethernet1/0/28
 lldp trap enable
!

Result (captured with the earlier timers: interval 10, txTTL 50 = 10 × 5, NotificationInterval 5; with the corrected timers it should show interval 20, txTTL 100 and NotificationInterval 10):

SW1#sho lldp 
-----LLDP GLOBAL INFORMATIONS-----
LLDP has been enabled globally.
LLDP enabled port : Ethernet1/0/21 Ethernet1/0/22 Ethernet1/0/23 Ethernet1/0/26 Ethernet1/0/27 Ethernet1/0/28
LLDP interval :10
LLDP txTTL :50
LLDP NotificationInterval :5
LLDP txDelay :2
LLDP-MED FastStart Repeat Count :4
-------------END------------------
SW1(config)#inter e1/0/26-28
SW1(config-if-port-range)#sho run c 
Interface Ethernet1/0/26
 lldp trap enable
!
Interface Ethernet1/0/27
 lldp trap enable
!
Interface Ethernet1/0/28
 lldp trap enable

SW2:

As on SW1, the backed-up timers (`lldp tx-interval 10`, default notification interval) are corrected here to the required values.

!
lldp enable
lldp tx-interval 20
lldp msgTxHold 5
lldp notification interval 10
!
Interface Ethernet1/0/26
 lldp trap enable
!
Interface Ethernet1/0/27
 lldp trap enable
!
Interface Ethernet1/0/28
 lldp trap enable
!

Result (captured with the earlier timers: interval 10, txTTL 50, NotificationInterval 5; with the corrected timers it should show interval 20, txTTL 100 and NotificationInterval 10):

SW2#sho lldp 
-----LLDP GLOBAL INFORMATIONS-----
LLDP has been enabled globally.
LLDP enabled port : Ethernet1/0/21 Ethernet1/0/22 Ethernet1/0/23 Ethernet1/0/26 Ethernet1/0/27 Ethernet1/0/28
LLDP interval :10
LLDP txTTL :50
LLDP NotificationInterval :5
LLDP txDelay :2
LLDP-MED FastStart Repeat Count :4
-------------END------------------
SW2(config)#inter e1/0/26-28
SW2(config-if-port-range)#sho run c 
Interface Ethernet1/0/26
 lldp trap enable
!
Interface Ethernet1/0/27
 lldp trap enable
!
Interface Ethernet1/0/28
 lldp trap enable

II. Routing configuration

1. SSH service

Enable SSH on all devices: firewall username admin, plaintext password Pass-1234; all other devices username admin, password admin. (`password 0` stores the password unencrypted in the running-config; these are the credentials the task prescribes.)

Switches & AC:

SW(config)#ssh-server enable 
SW(config)#username admin password 0 admin 

Routers:

RT1_config#username admin password 0 admin 
RT1_config#aaa authentication login default local
RT1_config#aaa authentication enable default none
RT1_config#ip sshd enable

Firewall:

(three screenshots of the firewall SSH/admin configuration, not reproduced)

Enable SSH management on each interface that needs it, for example:
FW1(config)# interface e0/0
FW1(config-if-eth0/0)# manage ssh 

2. Time zone and NTP

Set the time zone on all devices to GMT+08:00, set SW1 to the actual time, configure SW1 as the NTP server, and have the other devices use SW1's loopback1 IPv4 address as their NTP server with a client polling interval of 1 minute.

SW1:

SW1#clock set 14:41:30 2023.4.24
SW1#config
SW1(config)#clock timezone GMT add 8 0
SW1(config)#ntp enable
SW1(config)#ntp-service refclock-master 1  
SW1(config)#ntp server 10.10.1.1
SW1(config)#ntp syn-interval 60 

SW2, SW3, AC:

clock timezone GMT add 8 0
ntp enable
ntp syn-interval 60
ntp server 10.10.1.1

Routers:

time-zone GMT 8 0
ntp query-interval 60
ntp server 10.10.1.1

Firewall:

FW1(config)# clock zone GMT 8 0
FW1(config)# ntp enable 
FW1(config)# ntp server 10.10.1.1
FW1(config)# ntp query-interval 1

Result:

SW1(config)#sho clock 
Current time is Mon Apr 24 15:13:30 2023 [GMT+08:00]


SW1(config)#sho ntp status
ntp clock status: synchronized
Clock stratum:4
Reference clock server:10.10.1.1
Clock offset:0.0   s
Root delay:0.000 ms
Root dispersion:0.000 ms
Reference time:Mon Apr 24 07:06:3.203 2023
Syn-interval:60s  

3. VRRP

Use VRRPv2 and VRRPv3 for gateway redundancy on vlan60, vlan70, vlan80 and vlan90, with the VRRP ID equal to the VLAN ID. The VRRPv2 VIP is 10.10.<vlanid>.9 (e.g. 10.10.60.9 for vlan60) and the VRRPv3 VIP is FE80:<vlanid>::9 (e.g. FE80:60::9 for vlan60). SW1 is Master for vlan60 and vlan70, SW2 is Master for vlan80 and vlan90. The high priority in each VRRP group is 120, the low priority is the default, preemption is the default, and the VRRPv2/VRRPv3 advertisement interval is the default. When the uplink of SW1 or SW2 fails, the Master's priority drops by 50.

VRRPv2

SW1:

!
router vrrp 60
 virtual-ip 10.10.60.9
 interface Vlan60
 circuit-failover Vlan1021 50
 priority 120
 enable
!
router vrrp 70
 virtual-ip 10.10.70.9
 interface Vlan70
 circuit-failover Vlan1021 50
 priority 120
 enable
!
router vrrp 80
 virtual-ip 10.10.80.9
 interface Vlan80
 enable
!
router vrrp 90
 virtual-ip 10.10.90.9
 interface Vlan90
 enable
!

Result (with `circuit-failover Vlan1021 50`, an uplink failure drops the Master from 120 to 70, below the Backup's default 100, so the Backup preempts):

SW1(config)#sho vrrp 
VrId 60
 State is Master
 Virtual IP is 10.10.60.9 (Not IP owner)
 Interface is Vlan60
 Configured priority is 120, Current priority is 120
 Advertisement interval is 1 sec
 Preempt mode is TRUE
 Circuit failover interface Vlan1021, Priority Delta 50, Status UP
VrId 70
 State is Master
 Virtual IP is 10.10.70.9 (Not IP owner)
 Interface is Vlan70
 Configured priority is 120, Current priority is 120
 Advertisement interval is 1 sec
 Preempt mode is TRUE
 Circuit failover interface Vlan1021, Priority Delta 50, Status UP
VrId 80
 State is Backup
 Virtual IP is 10.10.80.9 (Not IP owner)
 Interface is Vlan80
 Priority is 100(config priority is 100)
 Advertisement interval is 1 sec
 Preempt mode is TRUE
VrId 90   
 State is Backup
 Virtual IP is 10.10.90.9 (Not IP owner)
 Interface is Vlan90
 Priority is 100(config priority is 100)
 Advertisement interval is 1 sec
 Preempt mode is TRUE

SW2:

!
router vrrp 60
 virtual-ip 10.10.60.9
 interface Vlan60
 enable
!
router vrrp 70
 virtual-ip 10.10.70.9
 interface Vlan70
 enable
!
router vrrp 80
 virtual-ip 10.10.80.9
 interface Vlan80
 circuit-failover Vlan1021 50
 priority 120
 enable
!
router vrrp 90
 virtual-ip 10.10.90.9
 interface Vlan90
 circuit-failover Vlan1021 50
 priority 120
 enable
!

Result:

SW2(config)#sho vrrp 
VrId 60
 State is Backup
 Virtual IP is 10.10.60.9 (Not IP owner)
 Interface is Vlan60
 Priority is 100(config priority is 100)
 Advertisement interval is 1 sec
 Preempt mode is TRUE
VrId 70
 State is Backup
 Virtual IP is 10.10.70.9 (Not IP owner)
 Interface is Vlan70
 Priority is 100(config priority is 100)
 Advertisement interval is 1 sec
 Preempt mode is TRUE
VrId 80
 State is Master
 Virtual IP is 10.10.80.9 (Not IP owner)
 Interface is Vlan80
 Configured priority is 120, Current priority is 120
 Advertisement interval is 1 sec
 Preempt mode is TRUE
 Circuit failover interface Vlan1021, Priority Delta 50, Status UP
VrId 90
 State is Master
 Virtual IP is 10.10.90.9 (Not IP owner)
 Interface is Vlan90
 Configured priority is 120, Current priority is 120
 Advertisement interval is 1 sec
 Preempt mode is TRUE
 Circuit failover interface Vlan1021, Priority Delta 50, Status UP

Result, VRRPv3 on SW2 (the VRRPv3 configuration follows in the next subsection):

SW2(config)#sho ipv6 vrrp 
VrId 60
 State is Backup
 Virtual IPv6 is fe80:60::9 (Not IPv6 owner)
 Interface is Vlan60
 Priority is 100(config priority is 100)
 Advertisement interval is 100 centisec
 Preempt mode is TRUE
VrId 70
 State is Backup
 Virtual IPv6 is fe80:70::9 (Not IPv6 owner)
 Interface is Vlan70
 Priority is 100(config priority is 100)
 Advertisement interval is 100 centisec
 Preempt mode is TRUE
VrId 80
 State is Master
 Virtual IPv6 is fe80:80::9 (Not IPv6 owner)
 Interface is Vlan80
 Configured priority is 120, Current priority is 120
 Advertisement interval is 100 centisec
 Preempt mode is TRUE
 Circuit failover interface Vlan1021, Priority Delta 50, Status UP
VrId 90
 State is Master
 Virtual IPv6 is fe80:90::9 (Not IPv6 owner)
 Interface is Vlan90
 Configured priority is 120, Current priority is 120
 Advertisement interval is 100 centisec
 Preempt mode is TRUE
 Circuit failover interface Vlan1021, Priority Delta 50, Status UP

VRRPv3

SW1:

!
router ipv6 vrrp 60
 virtual-ipv6 fe80:60::9 interface Vlan60
 circuit-failover Vlan1021 50
 priority 120
 enable
!
router ipv6 vrrp 70
 virtual-ipv6 fe80:70::9 interface Vlan70
 circuit-failover Vlan1021 50
 priority 120
 enable   
!
router ipv6 vrrp 80
 virtual-ipv6 fe80:80::9 interface Vlan80
 enable
!
router ipv6 vrrp 90
 virtual-ipv6 fe80:90::9 interface Vlan90
 enable
!

SW2:

!
router ipv6 vrrp 60
 virtual-ipv6 fe80:60::9 interface Vlan60
 enable
!
router ipv6 vrrp 70
 virtual-ipv6 fe80:70::9 interface Vlan70
 enable
!
router ipv6 vrrp 80
 virtual-ipv6 fe80:80::9 interface Vlan80
 circuit-failover Vlan1021 50
 priority 120
 enable
!
router ipv6 vrrp 90
 virtual-ipv6 fe80:90::9 interface Vlan90
 circuit-failover Vlan1021 50
 priority 120
 enable   
!

Result:

SW1(config)#sho ipv6 vrrp 
VrId 60
 State is Master
 Virtual IPv6 is fe80:60::9 (Not IPv6 owner)
 Interface is Vlan60
 Configured priority is 120, Current priority is 120
 Advertisement interval is 100 centisec
 Preempt mode is TRUE
 Circuit failover interface Vlan1021, Priority Delta 50, Status UP
VrId 70
 State is Master
 Virtual IPv6 is fe80:70::9 (Not IPv6 owner)
 Interface is Vlan70
 Configured priority is 120, Current priority is 120
 Advertisement interval is 100 centisec
 Preempt mode is TRUE
 Circuit failover interface Vlan1021, Priority Delta 50, Status UP
VrId 80
 State is Backup
 Virtual IPv6 is fe80:80::9 (Not IPv6 owner)
 Interface is Vlan80
 Priority is 100(config priority is 100)
 Advertisement interval is 100 centisec
 Preempt mode is TRUE
VrId 90   
 State is Backup
 Virtual IPv6 is fe80:90::9 (Not IPv6 owner)
 Interface is Vlan90
 Priority is 100(config priority is 100)
 Advertisement interval is 100 centisec
 Preempt mode is TRUE

4. DHCP

Configure DHCPv4 and DHCPv6 on AC1 to serve SW1 product segment 1 (vlan10) and the branch vlan100, vlan110 and vlan120; IPv4 pool names POOLv4-10, POOLv4-100, POOLv4-110, POOLv4-120.

service dhcp
!
ip dhcp pool POOLv4-10
 network-address 10.10.11.0 255.255.255.0
 default-router 10.10.11.1
 dns-server 114.114.114.114
!
ip dhcp pool POOLv4-100
 network-address 10.17.100.0 255.255.255.0
 default-router 10.17.100.1
 dns-server 114.114.114.114
!
ip dhcp pool POOLv4-110
 network-address 10.17.110.0 255.255.255.0
 default-router 10.17.110.1
 dns-server 114.114.114.114
!
ip dhcp pool POOLv4-120
 network-address 10.17.120.0 255.255.255.0
 default-router 10.17.120.1
 dns-server 114.114.114.114

IPv6 pool names POOLv6-10, POOLv6-100, POOLv6-110, POOLv6-120; IPv6 pools are given as network prefixes. A MAC must receive the same host in IPv6 as in its IPv4 reservation further down (PC1 8C-16-45-78-8D-98 gets 2001:10:10:11::9, PC2 24-69-8E-1E-B9-5E gets 2001:10:17:110::9, AP1 00-03-0F-8A-F8-B0 gets 2001:10:17:100::9); the backup as captured bound PC1's MAC in POOLv6-110 and PC2's in POOLv6-120, which contradicts the IPv4 pools.

service dhcpv6
!
ipv6 dhcp pool POOLv6-120
 network-address 2001:10:17:120:: 64
 excluded-address 2001:10:17:120::1
!
ipv6 dhcp pool POOLv6-110
 network-address 2001:10:17:110:: 64
 static-binding 2001:10:17:110::9 24-69-8e-1e-b9-5e
 excluded-address 2001:10:17:110::1
!
ipv6 dhcp pool POOLv6-100
 network-address 2001:10:17:100:: 64
 static-binding 2001:10:17:100::9 00-03-0f-8a-f8-b0
 excluded-address 2001:10:17:100::1
!
ipv6 dhcp pool POOLv6-10
 network-address 2001:10:10:11:: 64
 static-binding 2001:10:10:11::9 8c-16-45-78-8d-98
 excluded-address 2001:10:10:11::1
 dns-server 2400:3200::1
!

Exclude the gateway addresses:

IPv4:

ip dhcp excluded-address 10.10.11.1
ip dhcp excluded-address 10.17.100.1
ip dhcp excluded-address 10.17.110.1
ip dhcp excluded-address 10.17.120.1

IPv6:

ipv6 dhcp pool POOLv6-120
 excluded-address 2001:10:17:120::1
!
ipv6 dhcp pool POOLv6-110
 excluded-address 2001:10:17:110::1
!
ipv6 dhcp pool POOLv6-100
 excluded-address 2001:10:17:100::1
!
ipv6 dhcp pool POOLv6-10
 dns-server 2400:3200::1
!

DNS servers are 114.114.114.114 and 2400:3200::1. Reserve 10.10.11.9 and 2001:10:10:11::9 for PC1, 10.17.100.9 and 2001:10:17:100::9 for AP1, and 10.17.110.9 and 2001:10:17:110::9 for PC2.

ip dhcp pool AP1
 host 10.17.100.9 255.255.255.0
 hardware-address 00-03-0F-8A-F8-B0
 default-router 10.17.100.1
!
ip dhcp pool PC1
 host 10.10.11.9 255.255.255.0
 hardware-address 8C-16-45-78-8D-98
 default-router 10.10.11.1
 dns-server 114.114.114.114
!
ip dhcp pool PC2
 host 10.17.110.9 255.255.255.0
 hardware-address 24-69-8E-1E-B9-5E
 default-router 10.17.110.1
 dns-server 114.114.114.114
!
interface Vlan1000
 no ipv6 nd suppress-ra
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp server POOLv6-100
!
interface Vlan110
 no ipv6 nd suppress-ra
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp server POOLv6-110
!
interface Vlan120
 no ipv6 nd suppress-ra
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp server POOLv6-120
!
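A quick consistency check for the reservations, added here as an example rather than taken from the page: the script below parses the per-host IPv4 pools and the DHCPv6 static-binding lines, pairs them by MAC address, and reports any host whose IPv4 and IPv6 addresses are not in the subnets of the same VLAN. The two fragments are constructed from the AC1 pools as they appeared in the captured backup, so the run shows the PC1/PC2 mismatch.

```python
"""Cross-check DHCPv4 host reservations against DHCPv6 static bindings.

Added example, not part of the original backup. The two config fragments
are constructed from the AC1 pools on this page as originally captured; the
check pairs them by MAC and reports hosts whose IPv4 and IPv6 reservations
do not belong to the same VLAN.
"""
import re

V4_CONF = """\
ip dhcp pool AP1
 host 10.17.100.9 255.255.255.0
 hardware-address 00-03-0F-8A-F8-B0
ip dhcp pool PC1
 host 10.10.11.9 255.255.255.0
 hardware-address 8C-16-45-78-8D-98
ip dhcp pool PC2
 host 10.17.110.9 255.255.255.0
 hardware-address 24-69-8E-1E-B9-5E
"""

V6_CONF = """\
ipv6 dhcp pool POOLv6-120
 static-binding 2001:10:17:120::9 24-69-8e-1e-b9-5e
ipv6 dhcp pool POOLv6-110
 static-binding 2001:10:17:110::9 8c-16-45-78-8d-98
ipv6 dhcp pool POOLv6-100
 static-binding 2001:10:17:100::9 00-03-0f-8a-f8-b0
"""

# IPv4 /24 to IPv6 /64 of the same VLAN, as addressed on this page.
SUBNET_MAP = {
    "10.10.11": "2001:10:10:11",
    "10.17.100": "2001:10:17:100",
    "10.17.110": "2001:10:17:110",
    "10.17.120": "2001:10:17:120",
}


def norm_mac(mac):
    """Lower-case, colon-separated form so v4 and v6 spellings compare equal."""
    return mac.lower().replace("-", ":")


def parse_v4(text):
    """{mac: (pool, ipv4)} from per-host pools."""
    out, pool, host = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"ip dhcp pool (\S+)", line):
            pool, host = m.group(1), None
        elif m := re.match(r"\s*host (\S+)", line):
            host = m.group(1)
        elif m := re.match(r"\s*hardware-address (\S+)", line):
            out[norm_mac(m.group(1))] = (pool, host)
    return out


def parse_v6(text):
    """{mac: (pool, ipv6)} from static-binding lines."""
    out, pool = {}, None
    for line in text.splitlines():
        if m := re.match(r"ipv6 dhcp pool (\S+)", line):
            pool = m.group(1)
        elif m := re.match(r"\s*static-binding (\S+) (\S+)", line):
            out[norm_mac(m.group(2))] = (pool, m.group(1))
    return out


def check(v4_text, v6_text, subnet_map=SUBNET_MAP):
    """Return {mac: problem} for every MAC whose v4/v6 reservations disagree."""
    v4, v6 = parse_v4(v4_text), parse_v6(v6_text)
    problems = {}
    for mac in set(v4) | set(v6):
        if mac not in v4:
            problems[mac] = f"IPv6 binding {v6[mac][1]} has no IPv4 reservation"
            continue
        if mac not in v6:
            problems[mac] = f"IPv4 reservation {v4[mac][1]} ({v4[mac][0]}) has no IPv6 binding"
            continue
        v4_net = v4[mac][1].rsplit(".", 1)[0]
        v6_prefix = v6[mac][1].rsplit("::", 1)[0]
        if subnet_map.get(v4_net) != v6_prefix:
            problems[mac] = (f"{v4[mac][0]}: IPv4 {v4[mac][1]} but IPv6 {v6[mac][1]} "
                             f"is in a different VLAN")
    return problems


if __name__ == "__main__":
    for mac, why in sorted(check(V4_CONF, V6_CONF).items()):
        print(mac, "->", why)
```

The same pairing logic can be run over a real `show running-config`; it only assumes that each per-host IPv4 pool carries exactly one `host` and one `hardware-address` line.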

DHCP relay:

The relay address on SW1 is AC1's loopback1 address.

IPv4:

SW1:

SW1(config)#service dhcp
SW1(config)#ip forward-protocol udp bootps
interface Vlan10
  ip helper-address 10.10.8.1

IPv6:

SW1(config)#service dhcpv6
interface Vlan10
 no ipv6 nd suppress-ra
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp relay destination 2001:10:10:8::1

DHCP snooping

Enable DHCPv4 and DHCPv6 snooping on SW1; if a DHCPv4 server is detected on E1/0/1, shut the port and recover it after 1 minute. The uplinks E1/0/21, E1/0/22 and E1/0/26 are marked trusted so legitimate offers from AC1 still pass.

IPv4:

ip dhcp snooping enable
!
Interface Ethernet1/0/1
 ip dhcp snooping action shutdown recovery 60
Interface Ethernet1/0/21;26;22
 ip dhcp snooping trust
 

IPv6:

SW1(config)#savi enable
SW1(config)#savi ipv6 dhcp-only enable 
Interface Ethernet1/0/21;26;22
 ipv6 dhcp snooping trust

5. OSPF

Run OSPFv2 and OSPFv3 between SW1, SW2, SW3, the RT1 and RT2 Ethernet links, FW1, FW2 and AC1 (in routed mode advertise networks by interface address; BGP excepted).

OSPFv2

(1) OSPFv2 between SW1, SW2, SW3, RT1, RT2 and FW1: process 1, area 0; each device advertises its loopback1 route and its product routes; FW1 originates a type-2 default route.

SW1:

router ospf 1
 ospf router-id 10.10.1.1
 network 10.10.1.1/32 area 0
 network 10.10.11.1/32 area 0
 network 10.10.255.1/32 area 0
 network 10.10.255.5/32 area 0
 network 10.10.255.14/32 area 0

SW2:

router ospf 1
 ospf router-id 10.10.2.1
 network 10.10.2.1/32 area 0
 network 10.10.21.1/32 area 0
 network 10.10.255.2/32 area 0
 network 10.10.255.9/32 area 0
 network 10.10.255.22/32 area 0

SW3:

router ospf 1
 ospf router-id 10.10.3.1
 network 10.10.3.1/32 area 0
 network 10.10.31.1/32 area 0
 network 10.10.255.6/32 area 0
 network 10.10.255.10/32 area 0

RT1:

router ospf 1
 router-id 10.10.4.1
 network 10.10.4.1 255.255.255.255 area 0
 network 10.10.255.29 255.255.255.255 area 0
 network 10.10.255.21 255.255.255.255 area 0
 network 10.10.255.18 255.255.255.255 area 0

RT2:

router ospf 1
 router-id 10.10.5.1
 network 10.10.5.1 255.255.255.255 area 0
 network 10.10.255.30 255.255.255.255 area 0

FW1:

ip vrouter "trust-vr"
  ip route 0.0.0.0/0 200.200.200.1
  router ospf 1
    router-id 10.10.6.1
    default-information originate
    network 10.10.6.1/32 area 0
    network 10.10.255.13/32 area 0
    network 10.10.255.17/32 area 0
  exit

(2) OSPFv2 between RT2 and AC1: process 1, area 1 configured as nssa no-summary; AC1 advertises its loopback1 route and the product and marketing routes, and redistributes loopback3 through a prefix-list.

RT2:

router ospf 1
 network 10.10.255.41 255.255.255.255 area 1
 area 1 nssa no-summary

AC1:

router ospf 1
 ospf router-id 10.10.8.1
 area 1 nssa no-summary
 network 10.10.8.1/32 area 1
 network 10.10.255.42/32 area 1
 network 10.17.110.1/32 area 1
 network 10.17.120.1/32 area 1
 redistribute connected route-map L3
!
ip prefix-list L3 seq 5 permit 10.10.8.3/32
!
route-map L3 permit 10
 match ip address prefix-list L3

(4) On SW3 (simulated branch office), the product and marketing interfaces are configured as loopback so that the interfaces come up. OSPFv2 runs between the SW3 branch office and FW2: process 2, area 2; the SW3 branch office advertises loopback2 and the product and marketing routes.

SW3:

Interface Ethernet1/0/11
 loopback
 switchport access vlan 110
!
Interface Ethernet1/0/12
 loopback
 switchport access vlan 120
router ospf 2 Guangdong
 ospf router-id 10.10.3.2
 network 10.10.3.2/32 area 2
 network 10.10.255.46/32 area 2
 network 10.16.110.1/32 area 2
 network 10.16.120.1/32 area 2

FW2:

ip vrouter "trust-vr"
  router ospf 2
    router-id 10.10.7.1
    network 10.10.255.45/32 area 2
    network 10.10.255.26/32 area 2
    network 10.10.7.1/32 area 2
  exit

(5) OSPFv2 between RT1 and FW2: process 2, area 2. RT1 advertises the loopback4 route and originates a type-1 default route into this area.

RT1:

router ospf 2
 router-id 10.10.4.4
 network 10.10.4.4 255.255.255.255 area 2
 network 10.10.255.25 255.255.255.255 area 2
 default-information originate always metric-type 1

FW2 advertises its loopback1 route; FW2 must not learn any headquarters or branch-company routes.

ip vrouter "trust-vr"
  router ospf 2
    router-id 10.10.7.1
    network 10.10.255.45/32 area 2
    network 10.10.255.26/32 area 2
    network 10.10.7.1/32 area 2
  exit

RT1 uses a prefix-list to match the FW2 loopback1 route, the SW3 branch-office loopback2 and product routes, and the RT1-FW2 directly connected IPv4 route, and redistributes these routes into area 0.

router ospf 1
 router-id 10.10.4.1
 network 10.10.4.1 255.255.255.255 area 0
 network 10.10.255.29 255.255.255.255 area 0
 network 10.10.255.21 255.255.255.255 area 0
 network 10.10.255.18 255.255.255.255 area 0
 redistribute ospf 2 route-map BSC
 redistribute connect route-map ZL
route-map BSC 10 permit
 match ip address prefix-list BSC
ip prefix-list BSC seq 5 permit 10.10.7.1/32
ip prefix-list BSC seq 10 permit 10.10.3.2/32
ip prefix-list BSC seq 15 permit 10.16.110.0/24
route-map ZL 10 permit
 match ip address prefix-list ZL
ip prefix-list ZL seq 5 permit 10.10.255.24/30
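
The filtering that the BSC and ZL prefix-lists perform when RT1 redistributes OSPF process 2 and connected routes into area 0, as an added Python illustration (not vendor code and not part of this backup). It models the first-match, implicit-deny semantics of an IP prefix-list, generalised to the optional ge/le length bounds, and applies the two lists exactly as configured above to a candidate route set taken from the RT1 routing table shown further down.

```python
"""Simulate the prefix-list / route-map filter that RT1 applies when it
redistributes OSPF process 2 and connected routes into process 1 (area 0).

Added illustration, not vendor code: it models the first-match,
implicit-deny semantics of an IP prefix-list, including the optional
ge/le length bounds, and applies the BSC and ZL lists from the RT1
configuration above to a candidate route set constructed from the RT1
routing table shown further down.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str                              # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None                 # minimum accepted prefix length
    le: Optional[int] = None                 # maximum accepted prefix length

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if self.ge is None and self.le is None:
            # No length bounds: exact prefix AND exact length only.
            return route == self.prefix
        if not route.subnet_of(self.prefix):
            return False
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high


def entry(seq: int, action: str, cidr: str,
          ge: Optional[int] = None, le: Optional[int] = None) -> PrefixEntry:
    """Build one 'ip prefix-list NAME seq N permit|deny CIDR [ge X] [le Y]' line."""
    return PrefixEntry(seq, action, ipaddress.ip_network(cidr), ge, le)


def permitted(plist: List[PrefixEntry], cidr: str) -> bool:
    """First matching sequence decides; every prefix-list ends in an implicit deny."""
    route = ipaddress.ip_network(cidr)
    for e in sorted(plist, key=lambda e: e.seq):
        if e.matches(route):
            return e.action == "permit"
    return False


# Prefix-lists exactly as configured on RT1 above.
BSC = [entry(5, "permit", "10.10.7.1/32"),
       entry(10, "permit", "10.10.3.2/32"),
       entry(15, "permit", "10.16.110.0/24")]
ZL = [entry(5, "permit", "10.10.255.24/30")]

# Candidate routes on RT1: what process 2 (area 2) has learned, and what is
# directly connected. Taken from the RT1 table shown later on the page.
OSPF2_ROUTES = ["10.10.7.1/32", "10.10.3.2/32", "10.16.110.0/24",
                "10.16.120.0/24", "10.10.255.44/30"]
CONNECTED_ROUTES = ["10.10.4.1/32", "10.10.4.4/32", "10.10.255.16/30",
                    "10.10.255.20/30", "10.10.255.24/30", "10.10.255.28/30"]


def redistributed(routes: List[str], plist: List[PrefixEntry]) -> List[str]:
    """Routes that 'redistribute ... route-map X' lets through, where route-map X
    is a single permit clause matching prefix-list X (as on RT1)."""
    return [r for r in routes if permitted(plist, r)]


def rt1_exports() -> Tuple[List[str], List[str]]:
    """What RT1 injects into area 0 as external (E2) routes."""
    return redistributed(OSPF2_ROUTES, BSC), redistributed(CONNECTED_ROUTES, ZL)


if __name__ == "__main__":
    ospf2, conn = rt1_exports()
    print("from OSPF 2:   ", ospf2)   # 10.16.120.0/24 and the SW3-FW2 /30 are filtered out
    print("from connected:", conn)
```

The result agrees with the SW1 routing table below: 10.10.7.1/32, 10.10.3.2/32, 10.16.110.0/24 and 10.10.255.24/30 appear there as O E2, while the marketing prefix 10.16.120.0/24 and the SW3-FW2 transit /30 never reach area 0 because no sequence matches them and the implicit deny drops them.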

Routing tables:

SW1:

SW1(config)#sho ip route ospf 
O*E2    0.0.0.0/0 [110/10] via 10.10.255.13, Vlan1021, 12:37:46  tag:0
O       10.10.2.1/32 [110/2] via 10.10.255.2, Vlan1026, 15:51:53  tag:0
O       10.10.3.1/32 [110/2] via 10.10.255.6, Vlan1022, 15:46:35  tag:0
O E2    10.10.3.2/32 [110/100] via 10.10.255.13, Vlan1021, 11:56:19  tag:0
                     [110/100] via 10.10.255.2, Vlan1026, 11:56:19  tag:0
O       10.10.4.1/32 [110/3] via 10.10.255.13, Vlan1021, 14:40:59  tag:0
                     [110/3] via 10.10.255.2, Vlan1026, 14:40:59  tag:0
O       10.10.5.1/32 [110/4] via 10.10.255.13, Vlan1021, 14:40:59  tag:0
                     [110/4] via 10.10.255.2, Vlan1026, 14:40:59  tag:0
O       10.10.6.1/32 [110/2] via 10.10.255.13, Vlan1021, 14:42:20  tag:0
O E2    10.10.7.1/32 [110/100] via 10.10.255.13, Vlan1021, 12:02:08  tag:0
                     [110/100] via 10.10.255.2, Vlan1026, 12:02:08  tag:0
O IA    10.10.8.1/32 [110/5] via 10.10.255.13, Vlan1021, 13:59:39  tag:0
                     [110/5] via 10.10.255.2, Vlan1026, 13:59:39  tag:0
O E2    10.10.8.3/32 [110/20] via 10.10.255.13, Vlan1021, 12:32:00  tag:0
                     [110/20] via 10.10.255.2, Vlan1026, 12:32:00  tag:0
O       10.10.21.0/24 [110/2] via 10.10.255.2, Vlan1026, 15:51:53  tag:0
O       10.10.31.0/24 [110/2] via 10.10.255.6, Vlan1022, 15:46:35  tag:0
O       10.10.255.8/30 [110/2] via 10.10.255.6, Vlan1022, 15:46:35  tag:0
                       [110/2] via 10.10.255.2, Vlan1026, 15:46:35  tag:0
O       10.10.255.16/30 [110/2] via 10.10.255.13, Vlan1021, 14:41:09  tag:0
O       10.10.255.20/30 [110/2] via 10.10.255.2, Vlan1026, 15:51:53  tag:0
O E2    10.10.255.24/30 [110/100] via 10.10.255.13, Vlan1021, 11:52:58  tag:0
                        [110/100] via 10.10.255.2, Vlan1026, 11:52:58  tag:0
O       10.10.255.28/30 [110/3] via 10.10.255.13, Vlan1021, 14:40:59  tag:0
                        [110/3] via 10.10.255.2, Vlan1026, 14:40:59  tag:0
O IA    10.10.255.40/30 [110/4] via 10.10.255.13, Vlan1021, 13:59:30  tag:0
                        [110/4] via 10.10.255.2, Vlan1026, 13:59:30  tag:0
O E2    10.16.110.0/24 [110/100] via 10.10.255.13, Vlan1021, 11:55:52  tag:0
                       [110/100] via 10.10.255.2, Vlan1026, 11:55:52  tag:0
O IA    10.17.110.0/24 [110/5] via 10.10.255.13, Vlan1021, 13:59:39  tag:0
                       [110/5] via 10.10.255.2, Vlan1026, 13:59:39  tag:0
O IA    10.17.120.0/24 [110/5] via 10.10.255.13, Vlan1021, 13:59:39  tag:0
                       [110/5] via 10.10.255.2, Vlan1026, 13:59:39  tag:0
Total routes are : 34 item(s)

SW2:

SW2(config)#sho ip rout ospf 
O*E2    0.0.0.0/0 [110/10] via 10.10.255.1, Vlan1026, 12:38:26  tag:0
                  [110/10] via 10.10.255.21, Vlan1021, 12:38:26  tag:0
O       10.10.1.1/32 [110/2] via 10.10.255.1, Vlan1026, 15:52:34  tag:0
O       10.10.3.1/32 [110/2] via 10.10.255.10, Vlan1022, 15:47:42  tag:0
O E2    10.10.3.2/32 [110/100] via 10.10.255.21, Vlan1021, 11:57:00  tag:0
O       10.10.4.1/32 [110/2] via 10.10.255.21, Vlan1021, 15:18:41  tag:0
O       10.10.5.1/32 [110/3] via 10.10.255.21, Vlan1021, 15:03:50  tag:0
O       10.10.6.1/32 [110/3] via 10.10.255.1, Vlan1026, 14:41:39  tag:0
                     [110/3] via 10.10.255.21, Vlan1021, 14:41:39  tag:0
O E2    10.10.7.1/32 [110/100] via 10.10.255.21, Vlan1021, 12:02:49  tag:0
O IA    10.10.8.1/32 [110/4] via 10.10.255.21, Vlan1021, 14:00:19  tag:0
O E2    10.10.8.3/32 [110/20] via 10.10.255.21, Vlan1021, 12:32:40  tag:0
O       10.10.11.0/24 [110/2] via 10.10.255.1, Vlan1026, 15:52:34  tag:0
O       10.10.31.0/24 [110/2] via 10.10.255.10, Vlan1022, 15:47:42  tag:0
O       10.10.255.4/30 [110/2] via 10.10.255.1, Vlan1026, 15:47:42  tag:0
                       [110/2] via 10.10.255.10, Vlan1022, 15:47:42  tag:0
O       10.10.255.12/30 [110/2] via 10.10.255.1, Vlan1026, 15:52:34  tag:0
O       10.10.255.16/30 [110/2] via 10.10.255.21, Vlan1021, 15:18:41  tag:0
O E2    10.10.255.24/30 [110/100] via 10.10.255.21, Vlan1021, 11:53:38  tag:0
O       10.10.255.28/30 [110/2] via 10.10.255.21, Vlan1021, 15:08:47  tag:0
O IA    10.10.255.40/30 [110/3] via 10.10.255.21, Vlan1021, 14:00:11  tag:0
O E2    10.16.110.0/24 [110/100] via 10.10.255.21, Vlan1021, 11:56:32  tag:0
O IA    10.17.110.0/24 [110/4] via 10.10.255.21, Vlan1021, 14:00:19  tag:0
O IA    10.17.120.0/24 [110/4] via 10.10.255.21, Vlan1021, 14:00:19  tag:0
Total routes are : 24 item(s)

SW3:

SW3(config)#sho ip route ospf 
O*E2    0.0.0.0/0 [110/10] via 10.10.255.5, Vlan1021, 12:38:54  tag:0
O       10.10.1.1/32 [110/2] via 10.10.255.5, Vlan1021, 15:47:43  tag:0
O       10.10.2.1/32 [110/2] via 10.10.255.9, Vlan1022, 15:48:13  tag:0
O E2    10.10.3.2/32 [110/100] via 10.10.255.9, Vlan1022, 11:57:27  tag:0
O       10.10.4.1/32 [110/3] via 10.10.255.9, Vlan1022, 15:19:09  tag:0
O       10.10.5.1/32 [110/4] via 10.10.255.9, Vlan1022, 15:04:17  tag:0
O       10.10.6.1/32 [110/3] via 10.10.255.5, Vlan1021, 14:43:28  tag:0
O E2    10.10.7.1/32 [110/100] via 10.10.255.9, Vlan1022, 12:03:16  tag:0
O IA    10.10.8.1/32 [110/5] via 10.10.255.9, Vlan1022, 14:00:47  tag:0
O E2    10.10.8.3/32 [110/20] via 10.10.255.9, Vlan1022, 12:33:08  tag:0
O       10.10.11.0/24 [110/2] via 10.10.255.5, Vlan1021, 15:47:43  tag:0
O       10.10.21.0/24 [110/2] via 10.10.255.9, Vlan1022, 15:48:13  tag:0
O       10.10.255.0/30 [110/2] via 10.10.255.5, Vlan1021, 15:47:43  tag:0
                       [110/2] via 10.10.255.9, Vlan1022, 15:47:43  tag:0
O       10.10.255.12/30 [110/2] via 10.10.255.5, Vlan1021, 15:47:43  tag:0
O       10.10.255.16/30 [110/3] via 10.10.255.5, Vlan1021, 14:42:17  tag:0
                        [110/3] via 10.10.255.9, Vlan1022, 14:42:17  tag:0
O       10.10.255.20/30 [110/2] via 10.10.255.9, Vlan1022, 15:48:13  tag:0
O E2    10.10.255.24/30 [110/100] via 10.10.255.9, Vlan1022, 11:54:06  tag:0
O       10.10.255.28/30 [110/3] via 10.10.255.9, Vlan1022, 15:09:14  tag:0
O IA    10.10.255.40/30 [110/4] via 10.10.255.9, Vlan1022, 14:00:39  tag:0
O E2    10.16.110.0/24 [110/100] via 10.10.255.9, Vlan1022, 11:57:00  tag:0
O IA    10.17.110.0/24 [110/5] via 10.10.255.9, Vlan1022, 14:00:47  tag:0
O IA    10.17.120.0/24 [110/5] via 10.10.255.9, Vlan1022, 14:00:47  tag:0
Total routes are : 24 item(s)
SW3(config)#sho ip route vrf Guangdong ospf 
O*E1    0.0.0.0/0 [110/102] via 10.10.255.45, Vlan1015, 12:10:12  tag:0
O       10.10.4.4/32 [110/3] via 10.10.255.45, Vlan1015, 12:10:13  tag:0
O       10.10.7.1/32 [110/2] via 10.10.255.45, Vlan1015, 12:19:31  tag:0
O       10.10.255.24/30 [110/2] via 10.10.255.45, Vlan1015, 12:10:33  tag:0
Total routes are : 4 item(s)

RT1:

RT1_config#sho ip route ospf 
VRF ID: 0

O E2   0.0.0.0/0            [150,10] via 10.10.255.17(on GigaEthernet0/2)
O      10.10.1.1/32         [110,3] via 10.10.255.17(on GigaEthernet0/2)
                            [110,3] via 10.10.255.22(on GigaEthernet0/1)
O      10.10.2.1/32         [110,2] via 10.10.255.22(on GigaEthernet0/1)
O      10.10.3.1/32         [110,3] via 10.10.255.22(on GigaEthernet0/1)
O      10.10.3.2/32         [110,3] via 10.10.255.26(on GigaEthernet0/3)
O      10.10.5.1/32         [110,2] via 10.10.255.30(on GigaEthernet0/0)
O      10.10.6.1/32         [110,2] via 10.10.255.17(on GigaEthernet0/2)
O      10.10.7.1/32         [110,2] via 10.10.255.26(on GigaEthernet0/3)
O IA   10.10.8.1/32         [110,3] via 10.10.255.30(on GigaEthernet0/0)
O E2   10.10.8.3/32         [150,20] via 10.10.255.30(on GigaEthernet0/0)
O      10.10.11.0/24        [110,3] via 10.10.255.17(on GigaEthernet0/2)
                            [110,3] via 10.10.255.22(on GigaEthernet0/1)
O      10.10.21.0/24        [110,2] via 10.10.255.22(on GigaEthernet0/1)
O      10.10.31.0/24        [110,3] via 10.10.255.22(on GigaEthernet0/1)
O      10.10.255.0/30       [110,2] via 10.10.255.22(on GigaEthernet0/1)
O      10.10.255.4/30       [110,3] via 10.10.255.17(on GigaEthernet0/2)
                            [110,3] via 10.10.255.22(on GigaEthernet0/1)
O      10.10.255.8/30       [110,2] via 10.10.255.22(on GigaEthernet0/1)
O      10.10.255.12/30      [110,2] via 10.10.255.17(on GigaEthernet0/2)
O IA   10.10.255.40/30      [110,2] via 10.10.255.30(on GigaEthernet0/0)
O      10.10.255.44/30      [110,2] via 10.10.255.26(on GigaEthernet0/3)
O      10.16.110.0/24       [110,3] via 10.10.255.26(on GigaEthernet0/3)
O      10.16.120.0/24       [110,3] via 10.10.255.26(on GigaEthernet0/3)
O IA   10.17.110.0/24       [110,3] via 10.10.255.30(on GigaEthernet0/0)
O IA   10.17.120.0/24       [110,3] via 10.10.255.30(on GigaEthernet0/0)

RT2:

RT2_config#sho ip route ospf 
VRF ID: 0

O E2   0.0.0.0/0            [150,10] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.1.1/32         [110,4] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.2.1/32         [110,3] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.3.1/32         [110,4] via 10.10.255.29(on GigaEthernet0/0)
O E2   10.10.3.2/32         [150,100] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.4.1/32         [110,2] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.6.1/32         [110,3] via 10.10.255.29(on GigaEthernet0/0)
O E2   10.10.7.1/32         [150,100] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.8.1/32         [110,2] via 10.10.255.42(on GigaEthernet0/1)
O N2   10.10.8.3/32         [150,20] via 10.10.255.42(on GigaEthernet0/1)
O      10.10.11.0/24        [110,4] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.21.0/24        [110,3] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.31.0/24        [110,4] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.255.0/30       [110,3] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.255.4/30       [110,4] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.255.8/30       [110,3] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.255.12/30      [110,3] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.255.16/30      [110,2] via 10.10.255.29(on GigaEthernet0/0)
O      10.10.255.20/30      [110,2] via 10.10.255.29(on GigaEthernet0/0)
O E2   10.10.255.24/30      [150,100] via 10.10.255.29(on GigaEthernet0/0)
O E2   10.16.110.0/24       [150,100] via 10.10.255.29(on GigaEthernet0/0)
O      10.17.110.0/24       [110,2] via 10.10.255.42(on GigaEthernet0/1)
O      10.17.120.0/24       [110,2] via 10.10.255.42(on GigaEthernet0/1)

AC1:

AC1(config)#sho ip route os 
O*IA    0.0.0.0/0 [110/101] via 10.10.255.41, Vlan1001, 14:02:54  tag:0
Total routes are : 1 item(s)

FW1:

FW1(config)# sho ip route ospf 
Codes: K - kernel route, C - connected, S - static, Z - ISP, R - RIP, O - OSPF,
       B - BGP, D - DHCP, P - PPPoE, W - wireless, H - HOST, G - SCVPN, V - VPN, M - IMPORT,
       I - ISIS, Y - SYNC, L - llb outbound, > - selected first nexthop, * - FIB route, b - BFD enable

Routing Table for Virtual Router <trust-vr>
==============================================================================
O>* 10.10.1.1/32 [110/2/1] via 10.10.255.14, ethernet0/1, 14:46:08
O>* 10.10.2.1/32 [110/3/1] via 10.10.255.14, ethernet0/1, 14:44:57
  *              [110/3/1] via 10.10.255.18, ethernet0/2, 14:44:57
O>* 10.10.3.1/32 [110/3/1] via 10.10.255.14, ethernet0/1, 14:46:08
O>* 10.10.3.2/32 [110/100/1] via 10.10.255.18, ethernet0/2, 12:00:17
O>* 10.10.4.1/32 [110/2/1] via 10.10.255.18, ethernet0/2, 14:44:57
O>* 10.10.5.1/32 [110/3/1] via 10.10.255.18, ethernet0/2, 14:44:57
O>* 10.10.7.1/32 [110/100/1] via 10.10.255.18, ethernet0/2, 12:06:06
O>* 10.10.8.1/32 [110/4/1] via 10.10.255.18, ethernet0/2, 14:03:32
O>* 10.10.8.3/32 [110/20/1] via 10.10.255.18, ethernet0/2, 12:35:58
O>* 10.10.11.0/24 [110/2/1] via 10.10.255.14, ethernet0/1, 14:46:08
O>* 10.10.21.0/24 [110/3/1] via 10.10.255.14, ethernet0/1, 14:44:57
  *               [110/3/1] via 10.10.255.18, ethernet0/2, 14:44:57
O>* 10.10.31.0/24 [110/3/1] via 10.10.255.14, ethernet0/1, 14:46:08
O>* 10.10.255.0/30 [110/2/1] via 10.10.255.14, ethernet0/1, 14:46:08
O>* 10.10.255.4/30 [110/2/1] via 10.10.255.14, ethernet0/1, 14:46:08
O>* 10.10.255.8/30 [110/3/1] via 10.10.255.14, ethernet0/1, 14:44:57
  *                [110/3/1] via 10.10.255.18, ethernet0/2, 14:44:57
O>* 10.10.255.20/30 [110/2/1] via 10.10.255.18, ethernet0/2, 14:44:59
O>* 10.10.255.24/30 [110/100/1] via 10.10.255.18, ethernet0/2, 11:56:58
O>* 10.10.255.28/30 [110/2/1] via 10.10.255.18, ethernet0/2, 14:44:59
O>* 10.10.255.40/30 [110/3/1] via 10.10.255.18, ethernet0/2, 14:03:24
O>* 10.16.110.0/24 [110/100/1] via 10.10.255.18, ethernet0/2, 11:59:52
O>* 10.17.110.0/24 [110/4/1] via 10.10.255.18, ethernet0/2, 14:03:34
O>* 10.17.120.0/24 [110/4/1] via 10.10.255.18, ethernet0/2, 14:03:34
==============================================================================

Routing Table for Virtual Router <mgt-vr>
==============================================================================
==============================================================================

FW2:

FW2(config)# sho ip route os 
Codes: K - kernel route, C - connected, S - static, Z - ISP, R - RIP, O - OSPF,
       B - BGP, D - DHCP, P - PPPoE, W - wireless, H - HOST, G - SCVPN, V - VPN, M - IMPORT,
       I - ISIS, Y - SYNC, L - llb outbound, > - selected first nexthop, * - FIB route, b - BFD enable

Routing Table for Virtual Router <trust-vr>
==============================================================================
O>* 0.0.0.0/0 [110/101/1] via 10.10.255.25, ethernet0/2, 12:12:31
O>* 10.10.3.2/32 [110/2/1] via 10.10.255.46, ethernet0/1, 12:23:29
O>* 10.10.4.4/32 [110/2/1] via 10.10.255.25, ethernet0/2, 12:12:32
O>* 10.16.110.0/24 [110/2/1] via 10.10.255.46, ethernet0/1, 12:23:29
O>* 10.16.120.0/24 [110/2/1] via 10.10.255.46, ethernet0/1, 12:23:29
==============================================================================

Routing Table for Virtual Router <mgt-vr>
==============================================================================
==============================================================================

OSPFv3

(1) OSPFv3 between SW1, SW2, SW3, RT1, RT2 and FW1: process 1, area 0. Each device advertises its loopback1 address route and the product routes; FW1 originates a type-2 default route.

SW1:

router ipv6 ospf 1
 router-id 10.10.1.1
 
 interface Loopback1
 ipv6 router ospf area 0 tag 1
 !
 interface Vlan10
 ipv6 router ospf area 0 tag 1
 !
 interface Vlan1021
 ipv6 router ospf area 0 tag 1
 !
 interface Vlan1022
 ipv6 router ospf area 0 tag 1
 !
 interface Vlan1026
 ipv6 router ospf area 0 tag 1

SW2:

router ipv6 ospf 1
 router-id 10.10.2.1
 
 interface Loopback1
 ipv6 router ospf area 0 tag 1
 !
 interface Vlan10
 ipv6 router ospf area 0 tag 1
 !
 interface Vlan1021
 ipv6 router ospf area 0 tag 1
 !
 interface Vlan1022
 ipv6 router ospf area 0 tag 1
 !
 interface Vlan1026
 ipv6 router ospf area 0 tag 1

SW3:

router ipv6 ospf 1
 router-id 10.10.3.1
 
 interface Loopback1
 ipv6 router ospf area 0 tag 1
 !
 interface Vlan10
 ipv6 router ospf area 0 tag 1
 !
 interface Vlan1021
 ipv6 router ospf area 0 tag 1
 !
 interface Vlan1022
 ipv6 router ospf area 0 tag 1

RT1:

router ospfv3 1
 router-id 10.10.4.1
 
 interface Loopback1
 ipv6 enable
 ipv6 ospf 1 area 0 
!
interface GigaEthernet0/0
 ipv6 enable
 ipv6 ospf 1 area 0 
!
interface GigaEthernet0/1
 ipv6 enable
 ipv6 ospf 1 area 0 
!
interface GigaEthernet0/2
 ipv6 ospf 1 area 0 
 

RT2:

router ospfv3 1
 router-id 10.10.5.1
 
 interface Loopback1
 ipv6 enable
 ipv6 ospf 1 area 0 
 !
 interface GigaEthernet0/0
 ipv6 enable
 ipv6 ospf 1 area 0 

FW1:

 ipv6 route ::/0 "ethernet0/3" FE80::203:FFF:FEE0:F9B8
 ipv6 router ospf 1
    router-id 10.10.6.1
    default-information originate
  exit
 
 !
 interface loopback1
  ipv6 enable
  ipv6 ospf 1 area 0
 !
 interface ethernet0/1
   ipv6 enable
   ipv6 ospf 1 area 0
 !
 interface ethernet0/2
   ipv6 enable
   ipv6 ospf 1 area 0

(3) OSPFv3 between RT2 and AC1: process 1, area 1 as stub no-summary. AC1 advertises its loopback1 address route and the product and marketing routes.

RT2:

router ospfv3 1
 router-id 10.10.5.1
 area 1 stub no-summary
 
 interface GigaEthernet0/1
 ipv6 enable
 ipv6 ospf 1 area 1
 

AC1:

router ipv6 ospf 1
 router-id 10.10.8.1
 area 1 stub no-summary
 
 interface Loopback1
 ipv6 router ospf area 1 tag 1
 !
 interface Vlan110
 ipv6 router ospf area 1 tag 1
 !
 interface Vlan120
 ipv6 router ospf area 1 tag 1
 !
 interface Vlan1001
 ipv6 router ospf area 1 tag 1

(4) The SW3 branch office is configured with an IPv6 default route; FW2 is configured with specific IPv6 static routes to the SW3 branch-office loopback2, product and marketing prefixes, and redistributes those static routes into OSPFv3.

SW3:

ipv6 route vrf Guangdong ::/0 fe80::203:fff:fea6:8341 Vlan1015

FW2:

ip vrouter "trust-vr"
  ipv6 route 2001:10:10:3::1/128 "ethernet0/1" FE80::203:FFF:FEE0:F9B8
  ipv6 route 2001:10:16:110::/64 "ethernet0/1" FE80::203:FFF:FEE0:F9B8
  ipv6 route 2001:10:16:120::/64 "ethernet0/1" FE80::203:FFF:FEE0:F9B8
  exit
  ipv6 router ospf 2
    router-id 10.10.7.1
    redistribute static
  exit

(5) OSPFv3 between RT1 and FW2: process 2, area 2. RT1 advertises the loopback4 route and originates a type-1 default route into this area.

RT1:

router ospfv3 2
 router-id 10.10.4.4
 default-information originate always metric-type 1
 
 interface Loopback4
 ipv6 enable
 ipv6 ospf 2 area 2 

FW2 advertises its loopback1 route; FW2 must not learn any headquarters or branch-company routes.

FW2:

interface loopback1
  ipv6 enable
  ipv6 ospf 2 area 2
exit
interface ethernet0/1
  ipv6 enable
  ipv6 ospf 2 area 2
exit
interface ethernet0/2
  ipv6 enable
  ipv6 ospf 2 area 2
exit

RT1 uses a prefix-list to match the FW2 loopback1 route, the SW3 branch-office loopback2 and product routes, and the RT1-FW2 directly connected IPv4 route, and redistributes these routes into area 0.

router ospfv3 1
 router-id 10.10.4.1
 redistribute ospf 2 route-map BSCV6
 !
route-map BSCV6 10 permit
match ipv6 address prefix-list BSCV6
! 
ipv6 prefix-list BSCV6 seq 5 permit 2001:10:10:3::2/128
ipv6 prefix-list BSCV6 seq 10 permit 2001:10:16:110::/64

(6) Change the OSPF cost to 100 so that IPv4 and IPv6 traffic between SW1 and RT2 or FW2 is preferentially forwarded over the SW1_SW2_RT1 link, and SW2's IPv4 and IPv6 Internet traffic is preferentially forwarded over the SW2_SW1_FW1 link.

FW1:

interface ethernet0/2
  ip ospf cost 100
  ipv6 ospf cost 100

RT1:

interface GigaEthernet0/2
 ip ospf cost 100
 ipv6 ospf cost 100
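
What the cost change in (6) does to path selection can be reproduced with a shortest-path computation over the topology on this page. The following Python example is added here and is not part of the backup: the graph is reconstructed from the /30 transit links and routing tables above, every link is assumed to cost 1 before the change (the tables show each hop adding 1 to the metric), and the FW1-RT1 link is then raised to 100 as configured on FW1 ethernet0/2 and RT1 GigaEthernet0/2.

```python
"""Dijkstra over the area-0 topology of this document to show what
requirement (6) achieves: raising the cost of the FW1-RT1 link
(FW1 ethernet0/2 and RT1 GigaEthernet0/2) to 100 steers SW1 <-> RT2/FW2
traffic over SW1_SW2_RT1 and SW2's Internet-bound traffic (FW1 originates
the default route) over SW2_SW1_FW1.

Added example; the graph is reconstructed from the /30 transit links and
route tables above, and every link is assumed to cost 1 before the change,
as the per-hop metric increments in those tables indicate. OSPF itself runs
the same shortest-path-first computation over its link-state database."""
import heapq
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]

# Bidirectional OSPF process 1 links (RT1-FW2 belongs to process 2, but RT1 is
# the ASBR through which area 0 reaches FW2, so it is modelled as one more hop).
AREA0_LINKS = [
    ("SW1", "SW2"), ("SW1", "SW3"), ("SW2", "SW3"), ("SW1", "FW1"),
    ("FW1", "RT1"), ("SW2", "RT1"), ("RT1", "RT2"), ("RT2", "AC1"),
    ("RT1", "FW2"),
]


def build_graph(cost_overrides: Optional[Dict[Tuple[str, str], int]] = None) -> Graph:
    """Cost 1 per link unless overridden for that (a, b) pair, in either order."""
    overrides = cost_overrides or {}
    g: Graph = {}
    for a, b in AREA0_LINKS:
        cost = overrides.get((a, b), overrides.get((b, a), 1))
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost
    return g


def shortest_paths(g: Graph, src: str, dst: str) -> Tuple[int, List[List[str]]]:
    """Return (cost, all equal-cost paths); more than one path means ECMP."""
    dist: Dict[str, int] = {src: 0}
    preds: Dict[str, List[str]] = {src: []}
    pq = [(0, src)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > dist[u]:
            continue                      # stale queue entry
        for v, w in g[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v], preds[v] = nd, [u]
                heapq.heappush(pq, (nd, v))
            elif nd == dist[v]:
                preds[v].append(u)        # equal-cost alternative

    def expand(n: str) -> List[List[str]]:
        if n == src:
            return [[src]]
        return [p + [n] for q in preds[n] for p in expand(q)]

    return dist[dst], sorted(expand(dst))


if __name__ == "__main__":
    before = build_graph()
    after = build_graph({("FW1", "RT1"): 100})
    for s, d in (("SW1", "RT2"), ("SW1", "FW2"), ("SW2", "FW1")):
        print(s, "->", d, "before:", shortest_paths(before, s, d))
        print(s, "->", d, "after: ", shortest_paths(after, s, d))
```

Before the change the model yields two equal-cost paths for SW1 to RT2 and for SW2 to FW1, which is exactly the ECMP visible in the IPv4 tables above (10.10.5.1/32 on SW1 and 0.0.0.0/0 on SW2 each list two next hops); after it, only the SW1_SW2_RT1 and SW2_SW1_FW1 paths remain, matching the single next hop in the IPv6 tables below.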

IPv6 routing tables:

SW1:

SW1(config)#sho ipv route nsm ospf 
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP
Timers: Uptime

O   ::/0 [110/21] via fe80::203:fff:fea6:72c1, Vlan1021, 12:00:39  tag:0
O   2001:10:10:2::1/128 [110/1] via fe80::203:fff:fee0:f9b5, Vlan1026, 12:24:12  tag:0
O   2001:10:10:3::1/128 [110/1] via fe80::203:fff:fee0:f9b8, Vlan1022, 12:16:43  tag:0
O   2001:10:10:3::2/128 [110/150] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:20  tag:0
O   2001:10:10:4::1/128 [110/2] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:21  tag:0
O   2001:10:10:5::1/128 [110/3] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:21  tag:0
O   2001:10:10:6::1/128 [110/2] via fe80::203:fff:fea6:72c1, Vlan1021, 12:05:24  tag:0
O   2001:10:10:8::1/128 [110/4] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:21  tag:0
O   2001:10:10:21::/64 [110/2] via fe80::203:fff:fee0:f9b5, Vlan1026, 12:24:12  tag:0
O   2001:10:10:31::/64 [110/2] via fe80::203:fff:fee0:f9b8, Vlan1022, 12:16:43  tag:0
O   2001:10:16:110::/64 [110/150] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:20  tag:0
O   2001:10:17:110::/64 [110/5] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:21  tag:0
O   2001:10:17:120::/64 [110/5] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:21  tag:0

SW2:

SW2(config)#sho ipv route nsm ospf 
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP
Timers: Uptime

O   ::/0 [110/22] via fe80::203:fff:fee0:f9b2, Vlan1026, 11:31:37  tag:0
O   2001:10:10:1::1/128 [110/1] via fe80::203:fff:fee0:f9b2, Vlan1026, 12:24:52  tag:0
O   2001:10:10:3::1/128 [110/1] via fe80::203:fff:fee0:f9b8, Vlan1022, 12:17:33  tag:0
O   2001:10:10:3::2/128 [110/150] via fe80::203:fff:fedc:c392, Vlan1021, 11:36:13  tag:0
O   2001:10:10:4::1/128 [110/1] via fe80::203:fff:fedc:c392, Vlan1021, 12:14:02  tag:0
O   2001:10:10:5::1/128 [110/2] via fe80::203:fff:fedc:c392, Vlan1021, 12:11:48  tag:0
O   2001:10:10:6::1/128 [110/3] via fe80::203:fff:fee0:f9b2, Vlan1026, 11:31:38  tag:0
O   2001:10:10:8::1/128 [110/3] via fe80::203:fff:fedc:c392, Vlan1021, 11:59:02  tag:0
O   2001:10:10:11::/64 [110/2] via fe80::203:fff:fee0:f9b2, Vlan1026, 12:24:52  tag:0
O   2001:10:10:31::/64 [110/2] via fe80::203:fff:fee0:f9b8, Vlan1022, 12:17:33  tag:0
O   2001:10:16:110::/64 [110/150] via fe80::203:fff:fedc:c392, Vlan1021, 11:36:13  tag:0
O   2001:10:17:110::/64 [110/4] via fe80::203:fff:fedc:c392, Vlan1021, 11:59:02  tag:0
O   2001:10:17:120::/64 [110/4] via fe80::203:fff:fedc:c392, Vlan1021, 11:59:02  tag:0

SW3:

SW3#sho ipv route nsm ospf 
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP
Timers: Uptime

O   ::/0 [110/22] via fe80::203:fff:fee0:f9b2, Vlan1021, 12:01:49  tag:0
O   2001:10:10:1::1/128 [110/1] via fe80::203:fff:fee0:f9b2, Vlan1021, 12:17:56  tag:0
O   2001:10:10:2::1/128 [110/1] via fe80::203:fff:fee0:f9b5, Vlan1022, 12:17:56  tag:0
O   2001:10:10:3::2/128 [110/150] via fe80::203:fff:fee0:f9b5, Vlan1022, 11:36:44  tag:0
O   2001:10:10:4::1/128 [110/2] via fe80::203:fff:fee0:f9b5, Vlan1022, 12:14:33  tag:0
O   2001:10:10:5::1/128 [110/3] via fe80::203:fff:fee0:f9b5, Vlan1022, 12:12:19  tag:0
O   2001:10:10:6::1/128 [110/3] via fe80::203:fff:fee0:f9b2, Vlan1021, 12:06:35  tag:0
O   2001:10:10:8::1/128 [110/4] via fe80::203:fff:fee0:f9b5, Vlan1022, 11:59:33  tag:0
O   2001:10:10:11::/64 [110/2] via fe80::203:fff:fee0:f9b2, Vlan1021, 12:17:56  tag:0
O   2001:10:10:21::/64 [110/2] via fe80::203:fff:fee0:f9b5, Vlan1022, 12:17:56  tag:0
O   2001:10:16:110::/64 [110/150] via fe80::203:fff:fee0:f9b5, Vlan1022, 11:36:44  tag:0
O   2001:10:17:110::/64 [110/5] via fe80::203:fff:fee0:f9b5, Vlan1022, 11:59:33  tag:0
O   2001:10:17:120::/64 [110/5] via fe80::203:fff:fee0:f9b5, Vlan1022, 11:59:33  tag:0

RT1:

RT1_config#sho ipv route ospf 
OE1    ::/0[1]
        [110,23] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
O      2001:10:10:1::1/128[1]
        [110,2] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
O      2001:10:10:2::1/128[1]
        [110,1] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
O      2001:10:10:3::1/128[1]
        [110,2] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
OE2    2001:10:10:3::2/128[1]
        [110,20] via fe80::203:fff:fea6:8342(on GigaEthernet0/3)
O      2001:10:10:5::1/128[1]
        [110,1] via fe80::203:fff:fedc:c389(on GigaEthernet0/0)
O      2001:10:10:6::1/128[1]
        [110,4] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
O      2001:10:10:7::1/128[1]
        [110,2] via fe80::203:fff:fea6:8342(on GigaEthernet0/3)
OIA    2001:10:10:8::1/128[1]
        [110,2] via fe80::203:fff:fedc:c389(on GigaEthernet0/0)
O      2001:10:10:11::/64[1]
        [110,3] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
O      2001:10:10:21::/64[1]
        [110,2] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
O      2001:10:10:31::/64[1]
        [110,3] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
OE2    2001:10:16:110::/64[1]
        [110,20] via fe80::203:fff:fea6:8342(on GigaEthernet0/3)
OE2    2001:10:16:120::/64[1]
        [110,20] via fe80::203:fff:fea6:8342(on GigaEthernet0/3)
OIA    2001:10:17:110::/64[1]
        [110,3] via fe80::203:fff:fedc:c389(on GigaEthernet0/0)
OIA    2001:10:17:120::/64[1]
        [110,3] via fe80::203:fff:fedc:c389(on GigaEthernet0/0)

RT2:

RT2_config#sho ipv route ospf 
OE1    ::/0[1]
        [110,24] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O      2001:10:10:1::1/128[1]
        [110,3] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O      2001:10:10:2::1/128[1]
        [110,2] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O      2001:10:10:3::1/128[1]
        [110,3] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
OE2    2001:10:10:3::2/128[1]
        [110,150] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O      2001:10:10:4::1/128[1]
        [110,1] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O      2001:10:10:6::1/128[1]
        [110,5] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O      2001:10:10:8::1/128[1]
        [110,1] via fe80::203:fff:fed4:28b2(on GigaEthernet0/1)
O      2001:10:10:11::/64[1]
        [110,4] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O      2001:10:10:21::/64[1]
        [110,3] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O      2001:10:10:31::/64[1]
        [110,4] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
OE2    2001:10:16:110::/64[1]
        [110,150] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O      2001:10:17:110::/64[1]
        [110,2] via fe80::203:fff:fed4:28b2(on GigaEthernet0/1)
O      2001:10:17:120::/64[1]
        [110,2] via fe80::203:fff:fed4:28b2(on GigaEthernet0/1)

AC1:

AC1(config)#sho ipv route nsm ospf 
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP
Timers: Uptime

O   ::/0 [110/2] via fe80::203:fff:fedc:c38a, Vlan1001, 12:01:37  tag:0

FW1:

FW1(config)# sho ipv route ospf 
Codes: K - kernel route, C - connected, S - static, R - RIPng, O - OSPFv3, 
       B - BGP, I - ISIS, A - AUTOCONF, H - HOST, > - selected route,
       * - FIB route,

Routing Table for Virtual Router <trust-vr>
==============================================================================
O>  2001:10:10:1::1/128
  * via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/1/1]
O>  2001:10:10:2::1/128
  * via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/2/1]
O>  2001:10:10:3::1/128
  * via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/2/1]
O>  2001:10:10:3::2/128
  * via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/150/1]
O>  2001:10:10:4::1/128
  * via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/3/1]
O>  2001:10:10:5::1/128
  * via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/4/1]
O>  2001:10:10:8::1/128
  * via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/5/1]
O>  2001:10:10:11::/64
  * via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/2/1]
O>  2001:10:10:21::/64
  * via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/3/1]
O>  2001:10:10:31::/64
  * via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/3/1]
O>  2001:10:16:110::/64
  * via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/150/1]
O>  2001:10:17:110::/64
  * via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/6/1]
O>  2001:10:17:120::/64
  * via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/6/1]
==============================================================================

Routing Table for Virtual Router <mgt-vr>
==============================================================================
==============================================================================

FW2:

FW2(config)# sho ipv route ospf 
Codes: K - kernel route, C - connected, S - static, R - RIPng, O - OSPFv3, 
       B - BGP, I - ISIS, A - AUTOCONF, H - HOST, > - selected route,
       * - FIB route,

Routing Table for Virtual Router <trust-vr>
==============================================================================
O>  ::/0
  * via FE80::203:FFF:FEDC:C394, ethernet0/2 [110/151/1]
O>  2001:10:10:4::4/128
  * via FE80::203:FFF:FEDC:C394, ethernet0/2 [110/1/1]
==============================================================================

Routing Table for Virtual Router <mgt-vr>
==============================================================================
==============================================================================

6. RIP

RIP and RIPng run between RT1 (serial links), RT2 (serial links), FW1 and AC1. FW1, RT1 and RT2 advertise their loopback2 address routes in both RIP and RIPng; AC1 advertises its loopback2 address route in RIP, and in RIPng redistributes the loopback2 address route with a route-map that matches a prefix-list.

IPV4:

FW1:

 router rip
    network 10.10.6.2/32
    network 10.10.255.16/30

RT1:

router rip 1 
 version 2
 no auto-summary
 
 interface Loopback2
 ip rip 1 enable
 !
 interface Serial1/0
 ip rip 1 enable
 !
 interface Serial1/1
 ip rip 1 enable
 !
 interface GigaEthernet0/2
 ip rip 1 enable
 !

RT2:

router rip 1 
 version 2
 no auto-summary
 
 interface Loopback2
 ip rip 1 enable
 !
 interface Serial1/0
 ip rip 1 enable
 !
 interface Serial1/1
 ip rip 1 enable
 !
 interface GigaEthernet0/1
 ip rip 1 enable

AC1:

router rip
 network Loopback2
 network Vlan1001

RT1 is configured with a routing policy using an offset value of 3, making RT1-S1/0_RT2-S1/1 the primary link and RT1-S1/1_RT2-S1/0 the backup link; the IPv4 ACL is named AclRIP and the IPv6 ACL is named AclRIPng.

router rip 1 
 version 2
 no auto-summary
 offset Serial1/1 in AclRIP 3 
 offset Serial1/1 out AclRIP 3 
!
ip access-list standard AclRIP
 permit any sequence 10

RIPng

RIPng runs between RT1 (serial links), RT2 (serial links), FW1 and AC1. FW1, RT1 and RT2 advertise their loopback2 address routes in RIPng; AC1 advertises its loopback2 address route in RIP, and in RIPng redistributes the loopback2 address route with a route-map that matches a prefix-list.

FW1:

 ipv6 router rip
    network loopback2
    network ethernet0/2

RT1:

router ripng 1

interface Loopback2
 ipv6 rip 1 enable 
!
interface Serial1/0
 ipv6 rip 1 enable
!
interface Serial1/1
 ipv6 rip 1 enable 
!
interface GigaEthernet0/2
 ipv6 rip 1 enable 

RT2:

router ripng 1

interface Loopback2
 ipv6 rip 1 enable 
!
interface Serial1/0
 ipv6 rip 1 enable 
!
interface Serial1/1
 ipv6 rip 1 enable 
!
interface GigaEthernet0/1
 ipv6 rip 1 enable 

AC1:

router ipv6 rip
 redistribute connected route-map L2V6
!
route-map L2V6 permit 10
 match ipv6 address prefix-list L2V6
!
ipv6 prefix-list L2V6 seq 5 permit 2001:10:10:8::2/128
!
interface Vlan1001
 ipv6 router rip 

RT1 is configured with a routing policy using an offset value of 3, making RT1-S1/0_RT2-S1/1 the primary link and RT1-S1/1_RT2-S1/0 the backup link; the IPv4 ACL is named AclRIP and the IPv6 ACL is named AclRIPng.

RT1:

router ripng 1
 offset Serial1/1 in AclRIPng 3 
 offset Serial1/1 out AclRIPng 3 
!
ipv6 access-list AclRIPng massive
 permit ipv6 any any sequence 10

CHAP mutual authentication

CHAP mutual authentication is used between RT1 S1/0 and RT2 S1/1; the username is the peer device's hostname and the password is Pass-1234.

RT1:

aaa authentication ppp default local
!
username RT2 password 0 Pass-1234
!
interface Serial1/0
 ppp authentication chap 
 ppp chap hostname RT1
 ppp chap password 0 Pass-1234

RT2:

aaa authentication ppp default local
!
username RT1 password 0 Pass-1234
!
interface Serial1/1
 ppp authentication chap 
 ppp chap hostname RT2
 ppp chap password 0 Pass-1234
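
The exchange the two configurations above set up, as an added Python model (not the routers' implementation and not part of this backup): each side issues a random challenge, the other answers under its own hostname with the RFC 1994 MD5 proof, and the challenger checks that proof against the password stored for that hostname in its local username database. The model covers only the authentication exchange, not PPP framing or LCP negotiation; the hostnames and password are the ones configured above.

```python
"""Mutual CHAP (RFC 1994) as configured above between RT1 S1/0 and RT2 S1/1.
Each side challenges the other; the responder proves it knows the shared
secret by returning MD5(identifier || secret || challenge) under its own
hostname, which the challenger looks up in its local 'username' database.
The password itself never crosses the link, and a fresh random challenge
per round means a captured response cannot be replayed.

Added example, not the routers' implementation: it models only the
authentication exchange, not PPP framing or LCP negotiation."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Local user databases from the configuration above:
# RT1 has 'username RT2 password 0 Pass-1234', RT2 has 'username RT1 ...'.
RT1_USERS = {"RT2": "Pass-1234"}
RT2_USERS = {"RT1": "Pass-1234"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class Peer:
    """One PPP endpoint: its 'ppp chap hostname', its 'ppp chap password',
    and the 'username ... password' entries it accepts from the other side."""

    def __init__(self, hostname: str, secret: str, users: Dict[str, str]):
        self.hostname = hostname
        self.secret = secret
        self.users = users
        self._pending: Dict[int, bytes] = {}   # challenges we issued, by identifier

    def challenge(self, identifier: int) -> Tuple[int, bytes, str]:
        """Emit a Challenge packet: identifier, random value, our name."""
        value = os.urandom(16)
        self._pending[identifier] = value
        return identifier, value, self.hostname

    def respond(self, identifier: int, value: bytes) -> Tuple[int, bytes, str]:
        """Emit a Response packet: identifier, MD5 proof, our name."""
        return identifier, chap_response(identifier, self.secret, value), self.hostname

    def verify(self, identifier: int, proof: bytes, name: str) -> bool:
        """Success only if the name is a configured user and the proof matches
        the challenge we actually issued under this identifier. The challenge
        is consumed, so a second use of the same proof fails."""
        value = self._pending.pop(identifier, None)
        secret = self.users.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, proof)     # constant-time comparison


def authenticate(challenger: Peer, responder: Peer, identifier: int) -> bool:
    """One direction of CHAP: challenger -> responder -> challenger."""
    ident, value, _ = challenger.challenge(identifier)
    ident, proof, name = responder.respond(ident, value)
    return challenger.verify(ident, proof, name)


def mutual_chap(a: Peer, b: Peer) -> bool:
    """'ppp authentication chap' on both ends: each router must authenticate the other."""
    return authenticate(a, b, 1) and authenticate(b, a, 2)


def make_routers(rt2_password: str = "Pass-1234") -> Tuple[Peer, Peer]:
    """RT1 and RT2 as configured; rt2_password lets a mismatch be simulated."""
    rt1 = Peer("RT1", "Pass-1234", RT1_USERS)
    rt2 = Peer("RT2", rt2_password, RT2_USERS)
    return rt1, rt2


if __name__ == "__main__":
    print("mutual CHAP:", mutual_chap(*make_routers()))                    # True
    print("RT2 with wrong password:", mutual_chap(*make_routers("wrong")))  # False
```

Two points the configuration relies on are visible in the model: the username each router stores must equal the hostname the peer sends (RT1 stores RT2, RT2 stores RT1), and because the challenge is random and consumed once, the link stays safe against a replayed response even though MD5 itself is weak.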

Routing tables:

FW1:

FW1(config)# sho ip route rip  
Codes: K - kernel route, C - connected, S - static, Z - ISP, R - RIP, O - OSPF,
       B - BGP, D - DHCP, P - PPPoE, W - wireless, H - HOST, G - SCVPN, V - VPN, M - IMPORT,
       I - ISIS, Y - SYNC, L - llb outbound, > - selected first nexthop, * - FIB route, b - BFD enable

Routing Table for Virtual Router <trust-vr>
==============================================================================
R>* 10.10.4.2/32 [120/2/1] via 10.10.255.18, ethernet0/2, 09:01:13
R>* 10.10.5.2/32 [120/3/1] via 10.10.255.18, ethernet0/2, 07:44:32
R>* 10.10.8.2/32 [120/4/1] via 10.10.255.18, ethernet0/2, 07:44:32
R>* 10.10.255.32/30 [120/2/1] via 10.10.255.18, ethernet0/2, 07:44:43
R>* 10.10.255.36/30 [120/2/1] via 10.10.255.18, ethernet0/2, 07:44:43
R   10.10.255.40/30 [120/3/1] via 10.10.255.18, ethernet0/2, 07:44:32
==============================================================================

Routing Table for Virtual Router <mgt-vr>
==============================================================================
==============================================================================

RT1:

RT1_config#sho ip route rip  
VRF ID: 0

R      10.10.5.2/32         [120,1] via 10.10.255.34(on Serial1/0)
R      10.10.6.2/32         [120,1] via 10.10.255.17(on GigaEthernet0/2)
R      10.10.8.2/32         [120,2] via 10.10.255.34(on Serial1/0)

RT2:

RT2_config#sho ip route rip 
VRF ID: 0

R      10.10.4.2/32         [120,1] via 10.10.255.33(on Serial1/1)
R      10.10.6.2/32         [120,2] via 10.10.255.33(on Serial1/1)
R      10.10.8.2/32         [120,1] via 10.10.255.42(on GigaEthernet0/1)

AC1:

AC1(config)#sho ip route rip 
R       10.10.4.2/32 [120/3] via 10.10.255.41, Vlan1001, 00:00:25  tag:1
R       10.10.5.2/32 [120/2] via 10.10.255.41, Vlan1001, 00:00:25  tag:1
R       10.10.6.2/32 [120/4] via 10.10.255.41, Vlan1001, 07:47:32  tag:0
R       10.10.255.16/30 [120/3] via 10.10.255.41, Vlan1001, 00:00:25  tag:1
R       10.10.255.32/30 [120/2] via 10.10.255.41, Vlan1001, 00:00:25  tag:1
R       10.10.255.36/30 [120/2] via 10.10.255.41, Vlan1001, 00:00:25  tag:1
Total routes are : 6 item(s)

7. IS-IS

RT1's and RT2's Ethernet links run IS-IS process 1, providing IPv4 and IPv6 reachability between their loopback3 interfaces. The NETs of RT1 and RT2 are 10.0000.0000.0001.00 and 10.0000.0000.0002.00 respectively; the router type is Level-2 and the interface network type is point-to-point.

RT1:

router isis 1
 is-type level-2
 net 10.0000.0000.0001.00
!
interface Loopback3
 ip router isis 1 
 ipv6 router isis 1
!
interface GigaEthernet0/0
 ip router isis 1 
 ipv6 router isis 1
 isis network point-to-point
 isis circuit-type level-2

RT2:

router isis 1
 is-type level-2
 net 10.0000.0000.0002.00
!
interface Loopback3
 ip router isis 1 
 ipv6 router isis 1
!
interface GigaEthernet0/0
 ip router isis 1 
 ipv6 router isis 1
 isis network point-to-point
 isis circuit-type level-2

Configure area (domain) MD5 authentication and interface MD5 authentication, both with the password Pass-1234.

RT1:

router isis 1
 authentication mode md5 level-2
 authentication key 0 Pass-1234 level-2
!
interface GigaEthernet0/0
 isis authentication mode md5 level-2
 isis authentication key 0 Pass-1234 level-2

RT2:

router isis 1
 authentication mode md5 level-2
 authentication key 0 Pass-1234 level-2
!
interface GigaEthernet0/0
 isis authentication mode md5 level-2
 isis authentication key 0 Pass-1234 level-2

8. NAT

RT2 configures IPv4 NAT so that AC1's IPv4 product department reaches the Internet using the IPv4 address of RT2's external interface. RT2 also configures NAT64 so that AC1's IPv6 product department reaches the Internet using that same IPv4 address; the prefix used to map IPv4 addresses into IPv6 is 64:ff9b::/96.

IPv4:

RT2:

ip route default 200.200.200.5 
!
ip access-list standard NAT
 permit 10.17.110.0 255.255.255.0 sequence 10
!
ip nat inside source list NAT interface GigaEthernet0/3
!
interface GigaEthernet0/1
  ip nat inside
!
interface GigaEthernet0/3
 ip nat outside
!
router ospf 1
 default-information originate

Verification:

AC1:

AC1#ping src 10.17.110.1 200.200.200.5
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 200.200.200.5, using source address 10.17.110.1, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/14/20 ms

RT2:

RT2_config#sho ip nat translations 
Pro. Dir Inside local       Inside global      Outside local      Outside global
ICMP OUT 10.17.110.1:4660   200.200.200.6:4660 200.200.200.5:4660 200.200.200.5:4660 

IPv6:

ipv6 access-list NATV6 massive
 permit ipv6 2001:10:17:110::/64 any sequence 10
!
ipv6 nat v6v4 source list NATV6 interface GigaEthernet0/3
ipv6 nat prefix 64:FF9B::/96 v4-mapped NATV6
!
interface GigaEthernet0/3
 ipv6 nat
!
interface GigaEthernet0/1
 ipv6 nat

Verification:

AC1:

AC1#ping6 src 2001:10:17:110::1 64:ff9b::200.200.200.5

Type ^c to abort.
Sending 5 56-byte ICMP Echos to 64:ff9b::200.200.200.5, using src address 2001:10:17:110::1, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/20 ms

RT2:

RT2_config#sho ipv nat translations 
Prot  V6Src             V6Dst             V4Src             V4Dst             
ICMP  2001:10:17:110::1-4660   64:FF9B::C8C8:C805-4660   200.200.200.6-4660   200.200.200.5-4660
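
The translation row above is the RFC 6052 address mapping at work: 64:ff9b::200.200.200.5 typed on AC1 is the same address as 64:FF9B::C8C8:C805 in RT2's table, with the IPv4 destination carried in the low 32 bits. The following added Python example (not DCN code) does the synthesis and extraction with the standard library and checks a translation row against the NAT64 configuration on this page; the inside prefix comes from access-list NATV6, the outside address 200.200.200.6 from the translation table, and the function names are assumptions.

```python
import ipaddress

# RFC 6052 well-known prefix, as configured with `ipv6 nat prefix 64:FF9B::/96` on RT2.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
# Inside sources allowed to be translated, mirroring access-list NATV6 (constructed here).
INSIDE_V6 = ipaddress.IPv6Network("2001:10:17:110::/64")


def synthesize(v4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052, section 2.2)."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only handles /96 prefixes")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract(v6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv4Address:
    """Reverse of synthesize(); rejects addresses that are not inside the NAT64 prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def translation_is_consistent(v6_src: str, v6_dst: str, v4_src: str, v4_dst: str,
                              outside_v4: str = "200.200.200.6") -> bool:
    """Checks one row of `sho ipv nat translations` against the configuration:
    the inside source must fall in NATV6, the outside source must be the
    address NAT64 was told to use, and the IPv4 destination must be the one
    embedded in the IPv6 destination."""
    return (ipaddress.IPv6Address(v6_src) in INSIDE_V6
            and ipaddress.IPv4Address(v4_src) == ipaddress.IPv4Address(outside_v4)
            and extract(v6_dst) == ipaddress.IPv4Address(v4_dst))


if __name__ == "__main__":
    print(synthesize("200.200.200.5"))           # 64:ff9b::c8c8:c805
    print(extract("64:FF9B::C8C8:C805"))         # 200.200.200.5
    print(translation_is_consistent("2001:10:17:110::1", "64:FF9B::C8C8:C805",
                                    "200.200.200.6", "200.200.200.5"))
```

The prefix check in extract() matters operationally: a packet arriving with a 64:ff9b:: destination from anywhere other than the inside ACL range should not be translated, and the consistency check is the kind of assertion worth putting in a monitoring script that scrapes the translation table.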

9. BGP

SW1, SW2, SW3, RT1 and RT2 run BGP: SW1, SW2 and RT1 are in AS 65001, RT2 in AS 65002 and SW3 in AS 65003.

IPv4 BGP

(1) SW1, SW2, SW3, RT1 and RT2 establish IPv4 BGP sessions between their loopback1 addresses. For the finance department, SW1 and SW2 additionally peer between their loopback2 addresses (in VRF CW); loopback2 reachability between SW1 and SW2 is provided by static routes.

SW1:

router bgp 65001
 bgp router-id 10.10.1.1
 neighbor 10.10.2.1 remote-as 65001
 neighbor 10.10.2.1 update-source 10.10.1.1
 neighbor 10.10.2.1 next-hop-self
 neighbor 10.10.3.1 remote-as 65003
 neighbor 10.10.3.1 ebgp-multihop 255
 neighbor 10.10.3.1 update-source 10.10.1.1
 neighbor 10.10.4.1 remote-as 65001
 neighbor 10.10.4.1 update-source 10.10.1.1
 neighbor 10.10.4.1 next-hop-self
!
ip route vrf CW 10.10.2.2/32 10.10.255.2
!
router bgp 65001
 address-family ipv4 vrf CW
  network 10.10.14.0/24
  neighbor 10.10.2.2 remote-as 65001
  neighbor 10.10.2.2 update-source 10.10.1.2
 exit-address-family

SW2:

router bgp 65001
 bgp router-id 10.10.2.1
 neighbor 10.10.1.1 remote-as 65001
 neighbor 10.10.1.1 update-source 10.10.2.1
 neighbor 10.10.1.1 next-hop-self
 neighbor 10.10.3.1 remote-as 65003
 neighbor 10.10.3.1 ebgp-multihop 255
 neighbor 10.10.3.1 update-source 10.10.2.1
 neighbor 10.10.4.1 remote-as 65001
 neighbor 10.10.4.1 update-source 10.10.2.1
 neighbor 10.10.4.1 next-hop-self
!
ip route vrf CW 10.10.1.2/32 10.10.255.1
!
router bgp 65001
 address-family ipv4 vrf CW
  network 10.10.24.0/24
  neighbor 10.10.1.2 remote-as 65001
  neighbor 10.10.1.2 update-source 10.10.2.2
 exit-address-family

SW3:

router bgp 65003
 bgp router-id 10.10.3.1
 neighbor 10.10.1.1 remote-as 65001
 neighbor 10.10.1.1 ebgp-multihop 255
 neighbor 10.10.1.1 update-source 10.10.3.1
 neighbor 10.10.2.1 remote-as 65001
 neighbor 10.10.2.1 ebgp-multihop 255
 neighbor 10.10.2.1 update-source 10.10.3.1

RT1:

router bgp 65001
 bgp router-id 10.10.4.1
 neighbor 10.10.1.1 remote-as 65001 
 neighbor 10.10.1.1 update-source Loopback1
 neighbor 10.10.1.1 next-hop-self
 neighbor 10.10.2.1 remote-as 65001 
 neighbor 10.10.2.1 update-source Loopback1
 neighbor 10.10.2.1 next-hop-self
 neighbor 10.10.5.1 remote-as 65002 
 neighbor 10.10.5.1 ebgp-multihop 255
 neighbor 10.10.5.1 update-source Loopback1

RT2:

router bgp 65002
 bgp router-id 10.10.5.1
 neighbor 10.10.4.1 remote-as 65001 
 neighbor 10.10.4.1 ebgp-multihop 255
 neighbor 10.10.4.1 update-source Loopback1

(2) SW1, SW2, SW3 and RT2 each advertise only their marketing, legal, finance and HR IPv4 routes; RT1 advertises the branch-office marketing IPv4 route into BGP.

SW1:

router bgp 65001
 network 10.10.12.0/24
 network 10.10.13.0/24
 network 10.10.15.0/24

SW2:

router bgp 65001
 network 10.10.22.0/24
 network 10.10.23.0/24
 network 10.10.25.0/24

SW3:

router bgp 65003
 network 10.10.32.0/24
 network 10.10.33.0/24
 network 10.10.35.0/24

RT2:

router bgp 65002
 network 10.17.120.0/24

RT1:

router bgp 65001
 redistribute ospf 2 route-map BGP
!
route-map BGP 10 permit
 match ip address prefix-list BGP
!
ip prefix-list BGP seq 5 permit 10.16.120.0/24

(3) IPv4 traffic between SW3's marketing department and the marketing departments on SW1 and SW2 should preferentially use the SW3_SW1 link; traffic between SW3's legal and HR departments and those on SW1 and SW2 should preferentially use the SW3_SW2 link, with each link backing up the other. Path selection uses prefix-list, route-map and BGP path attributes, adding AS 65000. The mechanism is an inbound route-map on each side: prefixes learned over the link that is not preferred for them get AS 65000 prepended to their AS_PATH (sequence 10) and everything else passes unchanged (sequence 20), so the shorter, unmodified path over the other link wins best-path selection while the prepended copy stays in the BGP table as the backup. This works because both links are eBGP with equal weight and local-preference; AS_PATH length is compared only after those attributes.

SW1:

router bgp 65001
 neighbor 10.10.3.1 route-map R&F in
!
route-map R&F permit 10
 match ip address prefix-list R&F
 set as-path prepend 65000
!
route-map R&F permit 20
!
ip prefix-list R&F seq 5 permit 10.10.35.0/24
ip prefix-list R&F seq 10 permit 10.10.33.0/24

SW2:

router bgp 65001
 neighbor 10.10.3.1 route-map R&F in
!
route-map R&F permit 10
 match ip address prefix-list R&F
 set as-path prepend 65000
!
route-map R&F permit 20
!
ip prefix-list R&F seq 5 permit 10.10.32.0/24

SW3:

router bgp 65003
  neighbor 10.10.1.1 route-map R&F in
  neighbor 10.10.2.1 route-map YX in
!
route-map R&F permit 10
 match ip address prefix-list R&F
 set as-path prepend 65000
!
route-map R&F permit 20
!
route-map YX permit 10
 match ip address prefix-list YX
 set as-path prepend 65000
!
route-map YX permit 20
!
ip prefix-list R&F seq 5 permit 10.10.13.0/24
ip prefix-list R&F seq 10 permit 10.10.23.0/24
ip prefix-list R&F seq 15 permit 10.10.15.0/24
ip prefix-list R&F seq 20 permit 10.10.25.0/24
ip prefix-list YX seq 5 permit 10.10.12.0/24
ip prefix-list YX seq 10 permit 10.10.22.0/24
ip prefix-list YX seq 15 permit 10.16.120.0/24
ip prefix-list YX seq 20 permit 10.17.120.0/24
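
The selection described above can be checked offline. The following added Python example (not part of the original backup) models SW3's inbound policy and the part of the BGP decision process that decides here: both links are eBGP with equal weight and local-preference, so AS_PATH length decides, and the copy with 65000 prepended stays as the backup. The received paths are constructed to match what SW3 learns from AS 65001, the lowest-neighbor-address tie-break stands in for the later router-ID step, and the function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str             # BGP neighbor the path was learned from
    as_path: Tuple[int, ...]  # leftmost AS is the nearest


# SW3's prefix-lists and inbound route-map bindings, copied from its configuration.
PREFIX_LISTS = {
    "R&F": {"10.10.13.0/24", "10.10.23.0/24", "10.10.15.0/24", "10.10.25.0/24"},
    "YX":  {"10.10.12.0/24", "10.10.22.0/24", "10.16.120.0/24", "10.17.120.0/24"},
}
INBOUND_ROUTE_MAP = {"10.10.1.1": "R&F", "10.10.2.1": "YX"}  # neighbor -> route-map
PREPEND_AS = 65000


def apply_inbound(path: Path) -> Path:
    """Sequence 10: matching prefixes get AS 65000 prepended; sequence 20 permits the rest unchanged."""
    plist = PREFIX_LISTS[INBOUND_ROUTE_MAP[path.next_hop]]
    if path.prefix in plist:  # a plain `permit a.b.c.d/len` entry is an exact match
        return Path(path.prefix, path.next_hop, (PREPEND_AS,) + path.as_path)
    return path


def best_path(paths: List[Path]) -> Path:
    """Decision steps that matter for SW3: weight and local-pref are equal, so the
    shortest AS_PATH wins; the lowest neighbor address is the final tie-break."""
    return min(paths, key=lambda p: (len(p.as_path), int(ipaddress.IPv4Address(p.next_hop))))


def received_from_as65001() -> List[Path]:
    """Constructed Adj-RIB-In: every AS 65001 prefix arrives over both links;
    10.17.120.0/24 originates in AS 65002 behind RT1."""
    prefixes = {
        "10.10.12.0/24": (65001,), "10.10.13.0/24": (65001,), "10.10.15.0/24": (65001,),
        "10.10.22.0/24": (65001,), "10.10.23.0/24": (65001,), "10.10.25.0/24": (65001,),
        "10.16.120.0/24": (65001,), "10.17.120.0/24": (65001, 65002),
    }
    return [Path(p, nh, asp) for p, asp in prefixes.items() for nh in INBOUND_ROUTE_MAP]


def sw3_selection(received: List[Path]) -> Dict[str, Tuple[Path, List[Path]]]:
    """Returns prefix -> (best path, remaining backup paths) after the inbound policy."""
    by_prefix: Dict[str, List[Path]] = {}
    for p in received:
        by_prefix.setdefault(p.prefix, []).append(apply_inbound(p))
    result: Dict[str, Tuple[Path, List[Path]]] = {}
    for prefix, paths in by_prefix.items():
        best = best_path(paths)
        result[prefix] = (best, [p for p in paths if p != best])
    return result


if __name__ == "__main__":
    for prefix, (best, backups) in sorted(sw3_selection(received_from_as65001()).items()):
        print(f"{prefix:16} best via {best.next_hop} {best.as_path}  backup {[b.as_path for b in backups]}")
```

Compare the output with SW3's "sho ip bgp" table below: the ">" entries are the unprepended paths and the "65000 65001" entries are the retained backups. If local-preference were ever set differently on the two sessions, that step would decide before AS_PATH length and the prepend would no longer matter.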

Routing tables:

Note that in the IPv4 tables below SW1 and SW2 still install all three SW3 prefixes over their own direct link to 10.10.3.1, whereas the IPv6 tables further down show the intended split (SW1 reaching 2001:10:10:33::/64 and 2001:10:10:35::/64 via SW2, SW2 reaching 2001:10:10:32::/64 via SW1). An inbound route-map added to an already established session is usually not applied to routes already received until the session is soft-reset or the routes are re-advertised, so these two tables should be re-checked after a soft inbound reset; SW3's BGP table, by contrast, already shows the prepended copies as the non-best paths.

SW1:

SW1(config)#sho ip route bgp 
B       10.10.22.0/24 [200/0] via 10.10.2.1 (recursive via 10.10.255.2, Vlan1026), 01:01:28  tag:0
B       10.10.23.0/24 [200/0] via 10.10.2.1 (recursive via 10.10.255.2, Vlan1026), 01:01:28  tag:0
B       10.10.25.0/24 [200/0] via 10.10.2.1 (recursive via 10.10.255.2, Vlan1026), 01:01:28  tag:0
B       10.10.32.0/24 [20/0] via 10.10.3.1 (recursive via 10.10.255.6, Vlan1022), 01:00:34  tag:0
B       10.10.33.0/24 [20/0] via 10.10.3.1 (recursive via 10.10.255.6, Vlan1022), 01:00:34  tag:0
B       10.10.35.0/24 [20/0] via 10.10.3.1 (recursive via 10.10.255.6, Vlan1022), 01:00:34  tag:0
B       10.16.120.0/24 [200/3] via 10.10.4.1 (recursive via 10.10.255.2, Vlan1026), 01:00:43  tag:0
Total routes are : 7 item(s)

SW2:

SW2#sho ip route bgp 
B       10.10.12.0/24 [200/0] via 10.10.1.1 (recursive via 10.10.255.1, Vlan1026), 01:01:42  tag:0
B       10.10.13.0/24 [200/0] via 10.10.1.1 (recursive via 10.10.255.1, Vlan1026), 01:01:42  tag:0
B       10.10.15.0/24 [200/0] via 10.10.1.1 (recursive via 10.10.255.1, Vlan1026), 01:01:42  tag:0
B       10.10.32.0/24 [20/0] via 10.10.3.1 (recursive via 10.10.255.10, Vlan1022), 01:01:00  tag:0
B       10.10.33.0/24 [20/0] via 10.10.3.1 (recursive via 10.10.255.10, Vlan1022), 01:01:00  tag:0
B       10.10.35.0/24 [20/0] via 10.10.3.1 (recursive via 10.10.255.10, Vlan1022), 01:01:00  tag:0
B       10.16.120.0/24 [200/3] via 10.10.4.1 (recursive via 10.10.255.21, Vlan1021), 01:00:55  tag:0
Total routes are : 7 item(s)

SW3:

SW3#sho ip bgp      
BGP table version is 4, local router ID is 10.10.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  10.10.12.0/24    10.10.1.1                              0 65001 i
*                   10.10.2.1                              0 65001 i
*                   10.10.2.1                              0 65000 65001 i
*>                  10.10.1.1                              0 65001 i
*  10.10.13.0/24    10.10.1.1                              0 65001 i
*                   10.10.2.1                              0 65001 i
*>                  10.10.2.1                              0 65001 i
*                   10.10.1.1                              0 65000 65001 i
*  10.10.15.0/24    10.10.1.1                              0 65001 i
*                   10.10.2.1                              0 65001 i
*>                  10.10.2.1                              0 65001 i
*                   10.10.1.1                              0 65000 65001 i
*  10.10.22.0/24    10.10.2.1                              0 65001 i
*                   10.10.2.1                              0 65000 65001 i
*                   10.10.1.1                              0 65001 i
*>                  10.10.1.1                              0 65001 i
*  10.10.23.0/24    10.10.2.1                              0 65001 i
*                   10.10.2.1                              0 65001 i
*                   10.10.1.1                              0 65000 65001 i
*>                  10.10.1.1                              0 65001 i
*  10.10.25.0/24    10.10.2.1                              0 65001 i
*                   10.10.2.1                              0 65001 i
*                   10.10.1.1                              0 65000 65001 i
*>                  10.10.1.1                              0 65001 i
*> 10.10.32.0/24    0.0.0.0                            32768 i
*> 10.10.33.0/24    0.0.0.0                            32768 i
*> 10.10.35.0/24    0.0.0.0                            32768 i
*  10.16.120.0/24   10.10.2.1                              0 65001 ?
*                   10.10.2.1                              0 65000 65001 ?
*                   10.10.1.1                              0 65001 ?
*>                  10.10.1.1                              0 65001 ?
*  10.17.120.0/24   10.10.2.1                              0 65001 65002 i
*                   10.10.2.1                              0 65000 65001 65002 i
*                   10.10.1.1                              0 65001 65002 i
*>                  10.10.1.1                              0 65001 65002 i

Total number of prefixes 11

RT1:

RT1#sho ip route bgp 
VRF ID: 0

B      10.10.12.0/24        [200,0] via 10.10.1.1
B      10.10.13.0/24        [200,0] via 10.10.1.1
B      10.10.15.0/24        [200,0] via 10.10.1.1
B      10.10.22.0/24        [200,0] via 10.10.2.1
B      10.10.23.0/24        [200,0] via 10.10.2.1
B      10.10.25.0/24        [200,0] via 10.10.2.1
B      10.10.32.0/24        [200,0] via 10.10.2.1
B      10.10.33.0/24        [200,0] via 10.10.2.1
B      10.10.35.0/24        [200,0] via 10.10.2.1
B      10.17.120.0/24       [20,2] via 10.10.5.1

RT2:

RT2#sho ip route bgp 
VRF ID: 0

B      10.10.12.0/24        [20,0] via 10.10.4.1
B      10.10.13.0/24        [20,0] via 10.10.4.1
B      10.10.15.0/24        [20,0] via 10.10.4.1
B      10.10.22.0/24        [20,0] via 10.10.4.1
B      10.10.23.0/24        [20,0] via 10.10.4.1
B      10.10.25.0/24        [20,0] via 10.10.4.1
B      10.10.32.0/24        [20,0] via 10.10.4.1
B      10.10.33.0/24        [20,0] via 10.10.4.1
B      10.10.35.0/24        [20,0] via 10.10.4.1
B      10.16.120.0/24       [20,3] via 10.10.4.1

IPv6 BGP

(1) SW1, SW2, SW3, RT1 and RT2 establish IPv6 BGP sessions between their loopback1 addresses. For the finance department, SW1 and SW2 peer between their loopback2 addresses with IPv4 BGP, with loopback2 reachability provided by static routes (configured in the IPv4 section above).

SW1:

router bgp 65001
 neighbor 2001:10:10:2::1 remote-as 65001
 neighbor 2001:10:10:2::1 update-source 2001:10:10:1::1
 neighbor 2001:10:10:3::1 remote-as 65003
 neighbor 2001:10:10:3::1 ebgp-multihop 255
 neighbor 2001:10:10:3::1 update-source 2001:10:10:1::1
 neighbor 2001:10:10:4::1 remote-as 65001
 neighbor 2001:10:10:4::1 update-source 2001:10:10:1::1
 address-family ipv6 unicast
  neighbor 2001:10:10:2::1 activate
  neighbor 2001:10:10:2::1 next-hop-self
  neighbor 2001:10:10:3::1 activate
  neighbor 2001:10:10:4::1 activate
  neighbor 2001:10:10:4::1 next-hop-self

SW2:

router bgp 65001
 neighbor 2001:10:10:1::1 remote-as 65001
 neighbor 2001:10:10:1::1 update-source 2001:10:10:2::1
 neighbor 2001:10:10:3::1 remote-as 65003
 neighbor 2001:10:10:3::1 ebgp-multihop 255
 neighbor 2001:10:10:3::1 update-source 2001:10:10:2::1
 neighbor 2001:10:10:4::1 remote-as 65001
 neighbor 2001:10:10:4::1 update-source 2001:10:10:2::1
 address-family ipv6 unicast
  neighbor 2001:10:10:1::1 activate
  neighbor 2001:10:10:1::1 next-hop-self
  neighbor 2001:10:10:3::1 activate
  neighbor 2001:10:10:4::1 activate
  neighbor 2001:10:10:4::1 next-hop-self

SW3:

router bgp 65003
 neighbor 2001:10:10:1::1 remote-as 65001
 neighbor 2001:10:10:1::1 ebgp-multihop 255
 neighbor 2001:10:10:1::1 update-source 2001:10:10:3::1
 neighbor 2001:10:10:2::1 remote-as 65001
 neighbor 2001:10:10:2::1 ebgp-multihop 255
 neighbor 2001:10:10:2::1 update-source 2001:10:10:3::1
 address-family ipv6 unicast
 neighbor 2001:10:10:1::1 activate
 neighbor 2001:10:10:2::1 activate

RT1:

router bgp 65001
 neighbor 2001:10:10:1::1 remote-as 65001 
 neighbor 2001:10:10:1::1 update-source Loopback1
 neighbor 2001:10:10:1::1 next-hop-self
 neighbor 2001:10:10:2::1 remote-as 65001 
 neighbor 2001:10:10:2::1 update-source Loopback1
 neighbor 2001:10:10:2::1 next-hop-self
 neighbor 2001:10:10:5::1 remote-as 65002 
 neighbor 2001:10:10:5::1 ebgp-multihop 255
 neighbor 2001:10:10:5::1 update-source Loopback1
          
 address-family ipv6
  neighbor 2001:10:10:1::1 activate
  neighbor 2001:10:10:1::1 next-hop-self
  neighbor 2001:10:10:2::1 activate
  neighbor 2001:10:10:2::1 next-hop-self
  neighbor 2001:10:10:5::1 activate

RT2:

router bgp 65002
 neighbor 2001:10:10:4::1 remote-as 65001 
 neighbor 2001:10:10:4::1 ebgp-multihop 255
 neighbor 2001:10:10:4::1 update-source Loopback1
 address-family ipv6
  neighbor 2001:10:10:4::1 activate

(2) SW1, SW2, SW3 and RT2 each advertise only their marketing, legal, finance and HR IPv6 routes; RT1 redistributes the branch-office marketing IPv6 route into BGP.

SW1:

router bgp 65001
 address-family ipv6 unicast
 network 2001:10:10:12::/64
 network 2001:10:10:13::/64
 network 2001:10:10:15::/64

SW2:

router bgp 65001
 address-family ipv6 unicast
  network 2001:10:10:22::/64
  network 2001:10:10:23::/64
  network 2001:10:10:25::/64

SW3:

router bgp 65003
 address-family ipv6 unicast
  network 2001:10:10:32::/64
  network 2001:10:10:33::/64
  network 2001:10:10:35::/64

RT2:

router bgp 65002
 address-family ipv6
 network 2001:10:17:120::/64

RT1:

router bgp 65001
 address-family ipv6
 redistribute ospf 2 match external 2 route-map BGPV6
!
route-map BGPV6 10 permit
 match ipv6 address prefix-list BGPV6
!
ipv6 prefix-list BGPV6 seq 5 permit 2001:10:16:120::/64

(3) The same policy for IPv6: traffic between SW3's marketing department and the marketing departments on SW1 and SW2 should preferentially use the SW3_SW1 link, traffic between SW3's legal and HR departments and those on SW1 and SW2 the SW3_SW2 link, with each link backing up the other. Path selection again uses prefix-list, route-map and BGP path attributes, adding AS 65000; the IPv6 route-maps below mirror the IPv4 ones, prepending 65000 inbound on the non-preferred link.

SW1:

router bgp 65001
 address-family ipv6 unicast
  neighbor 2001:10:10:3::1 route-map R&FV6 in
!
route-map R&FV6 permit 10
 match ipv6 address prefix-list R&FV6
 set as-path prepend 65000
!
route-map R&FV6 permit 20
!
ipv6 prefix-list R&FV6 seq 5 permit 2001:10:10:33::/64
ipv6 prefix-list R&FV6 seq 10 permit 2001:10:10:35::/64

SW2:

router bgp 65001
 address-family ipv6 unicast
  neighbor 2001:10:10:3::1 route-map R&FV6 in
!
route-map R&FV6 permit 10
 match ipv6 address prefix-list R&FV6
 set as-path prepend 65000
!
route-map R&FV6 permit 20
!
ipv6 prefix-list R&FV6 seq 5 permit 2001:10:10:32::/64

SW3:

router bgp 65003
  address-family ipv6 unicast
   neighbor 2001:10:10:1::1 route-map R&FV6 in
   neighbor 2001:10:10:2::1 route-map YXV6 in
!
route-map R&FV6 permit 10
 match ipv6 address prefix-list R&FV6
 set as-path prepend 65000
!
route-map R&FV6 permit 20
!
route-map YXV6 permit 10
 match ipv6 address prefix-list YXV6
 set as-path prepend 65000
!
route-map YXV6 permit 20
!
ipv6 prefix-list R&FV6 seq 5 permit 2001:10:10:13::/64
ipv6 prefix-list R&FV6 seq 10 permit 2001:10:10:23::/64
ipv6 prefix-list R&FV6 seq 15 permit 2001:10:10:15::/64
ipv6 prefix-list R&FV6 seq 20 permit 2001:10:10:25::/64
ipv6 prefix-list YXV6 seq 5 permit 2001:10:10:12::/64
ipv6 prefix-list YXV6 seq 10 permit 2001:10:10:22::/64
ipv6 prefix-list YXV6 seq 15 permit 2001:10:16:120::/64
ipv6 prefix-list YXV6 seq 20 permit 2001:10:17:120::/64

Routing tables:

SW1:

SW1(config)#sho ipv route nsm bgp 
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP
Timers: Uptime

B   2001:10:10:22::/64 [200/0] via 2001:10:10:2::1 (recursive via fe80::203:fff:fee0:f9b5, Vlan1026), 01:07:05  tag:0
B   2001:10:10:23::/64 [200/0] via 2001:10:10:2::1 (recursive via fe80::203:fff:fee0:f9b5, Vlan1026), 01:07:05  tag:0
B   2001:10:10:25::/64 [200/0] via 2001:10:10:2::1 (recursive via fe80::203:fff:fee0:f9b5, Vlan1026), 01:07:05  tag:0
B   2001:10:10:32::/64 [20/0] via 2001:10:10:3::1 (recursive via fe80::203:fff:fee0:f9b8, Vlan10), 01:06:02  tag:0
B   2001:10:10:33::/64 [200/0] via 2001:10:10:2::1 (recursive via fe80::203:fff:fee0:f9b5, Vlan1026), 01:06:17  tag:0
B   2001:10:10:35::/64 [200/0] via 2001:10:10:2::1 (recursive via fe80::203:fff:fee0:f9b5, Vlan1026), 01:06:17  tag:0
B   2001:10:16:120::/64 [200/20] via 2001:10:10:4::1 (recursive via fe80::203:fff:fee0:f9b5, Vlan1026), 01:05:18  tag:0

SW2:

SW2#sho ipv route nsm bgp 
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP
Timers: Uptime

B   2001:10:10:12::/64 [200/0] via 2001:10:10:1::1 (recursive via fe80::203:fff:fee0:f9b2, Vlan1026), 01:07:22  tag:0
B   2001:10:10:13::/64 [200/0] via 2001:10:10:1::1 (recursive via fe80::203:fff:fee0:f9b2, Vlan1026), 01:07:22  tag:0
B   2001:10:10:15::/64 [200/0] via 2001:10:10:1::1 (recursive via fe80::203:fff:fee0:f9b2, Vlan1026), 01:07:22  tag:0
B   2001:10:10:32::/64 [200/0] via 2001:10:10:1::1 (recursive via fe80::203:fff:fee0:f9b2, Vlan1026), 01:06:17  tag:0
B   2001:10:10:33::/64 [20/0] via 2001:10:10:3::1 (recursive via fe80::203:fff:fee0:f9b8, Vlan1022), 01:06:34  tag:0
B   2001:10:10:35::/64 [20/0] via 2001:10:10:3::1 (recursive via fe80::203:fff:fee0:f9b8, Vlan1022), 01:06:34  tag:0
B   2001:10:16:120::/64 [200/20] via 2001:10:10:4::1 (recursive via fe80::203:fff:fedc:c392, Vlan1021), 01:06:37  tag:0

SW3:

SW3#sho ipv route nsm bgp
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP
Timers: Uptime

B   2001:10:10:12::/64 [20/0] via 2001:10:10:1::1 (recursive via fe80::203:fff:fee0:f9b2, Vlan1021), 00:04:16  tag:0
B   2001:10:10:13::/64 [20/0] via 2001:10:10:2::1 (recursive via fe80::203:fff:fee0:f9b5, Vlan1022), 00:04:43  tag:0
B   2001:10:10:15::/64 [20/0] via 2001:10:10:2::1 (recursive via fe80::203:fff:fee0:f9b5, Vlan1022), 00:04:43  tag:0
B   2001:10:10:22::/64 [20/0] via 2001:10:10:1::1 (recursive via fe80::203:fff:fee0:f9b2, Vlan1021), 00:04:43  tag:0
B   2001:10:10:23::/64 [20/0] via 2001:10:10:2::1 (recursive via fe80::203:fff:fee0:f9b5, Vlan1022), 00:04:43  tag:0
B   2001:10:10:25::/64 [20/0] via 2001:10:10:2::1 (recursive via fe80::203:fff:fee0:f9b5, Vlan1022), 00:04:43  tag:0
B   2001:10:16:120::/64 [20/0] via 2001:10:10:1::1 (recursive via fe80::203:fff:fee0:f9b2, Vlan1021), 00:03:47  tag:0
B   2001:10:17:120::/64 [20/0] via 2001:10:10:1::1 (recursive via fe80::203:fff:fee0:f9b2, Vlan1021), 00:03:47  tag:0

RT1:

RT1#sho ipv route bgp 
B      2001:10:10:12::/64[1]
        [200,0] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
        gate 2001:10:10:1::1
B      2001:10:10:13::/64[1]
        [200,0] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
        gate 2001:10:10:1::1
B      2001:10:10:15::/64[1]
        [200,0] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
        gate 2001:10:10:1::1
B      2001:10:10:22::/64[1]
        [200,0] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
        gate 2001:10:10:2::1
B      2001:10:10:23::/64[1]
        [200,0] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
        gate 2001:10:10:2::1
B      2001:10:10:25::/64[1]
        [200,0] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
        gate 2001:10:10:2::1
B      2001:10:10:32::/64[1]
        [200,0] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
        gate 2001:10:10:1::1
B      2001:10:10:33::/64[1]
        [200,0] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
        gate 2001:10:10:2::1
B      2001:10:10:35::/64[1]
        [200,0] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
        gate 2001:10:10:2::1
B      2001:10:17:120::/64[1]
        [20,2] via fe80::203:fff:fedc:c389(on GigaEthernet0/0)
        gate 2001:10:10:5::1

RT2:

RT2#sho ipv route bgp 
B      2001:10:10:12::/64[1]
        [20,0] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
        gate 2001:10:10:4::1
B      2001:10:10:13::/64[1]
        [20,0] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
        gate 2001:10:10:4::1
B      2001:10:10:15::/64[1]
        [20,0] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
        gate 2001:10:10:4::1
B      2001:10:10:22::/64[1]
        [20,0] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
        gate 2001:10:10:4::1
B      2001:10:10:23::/64[1]
        [20,0] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
        gate 2001:10:10:4::1
B      2001:10:10:25::/64[1]
        [20,0] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
        gate 2001:10:10:4::1
B      2001:10:10:32::/64[1]
        [20,0] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
        gate 2001:10:10:4::1
B      2001:10:10:33::/64[1]
        [20,0] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
        gate 2001:10:10:4::1
B      2001:10:10:35::/64[1]
        [20,0] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
        gate 2001:10:10:4::1
B      2001:10:16:120::/64[1]
        [20,20] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
        gate 2001:10:10:4::1

10. BGP/MPLS VPN

Using BGP MPLS VPN, RT1 and RT2 run MPLS label switching and LDP on their Ethernet link. A finance VPN instance named CW is created on RT1 and RT2: RT1 has RD 1:1, export RT 1:2 and import RT 2:1; RT2 has RD 2:2 (and, mirroring RT1, export RT 2:1 and import RT 1:2). The VPN peering is established between the two loopback1 addresses, giving IPv4 and IPv6 reachability between the two loopback5 interfaces. The route targets are what carry routes between the two VRFs: a VPNv4/VPNv6 route is installed in a VRF only when one of the route targets attached at export matches one of the VRF's import targets, so RT1's export 1:2 must equal RT2's import 1:2 and vice versa, while the RD only keeps the two PEs' prefixes distinct in the VPN table.

IPv4 MPLS

RT1:

RT1_config#sho run

ip vrf CW
 rd 1:1
 route-target export 1:2
 route-target import 2:1
 
interface Loopback5
 ip vrf forwarding CW
RT1_config#mpls ip
RT1_config#mpls ldp router-id 10.10.4.1 
RT1_config#int g0/0
RT1_config_g0/0#mpls ip
RT1_config_g0/0#mpls ldp enable
router bgp 65001
 
 address-family vpnv4
 neighbor 10.10.5.1 activate
 neighbor 10.10.5.1 send-community extended
 exit-address-family
 
 address-family ipv4 vrf CW 
 no synchronization
 network 10.10.4.5/32
 exit-address-family

Result:

RT1_config#sho ip route vrf CW bgp 
VRF ID: 1

B      10.10.5.5/32         [20,0] via 10.10.5.1

RT2:

RT2_config#sho run

ip vrf CW
 rd 2:2
 route-target export 2:1
 route-target import 1:2
 
 interface Loopback5
 ip vrf forwarding CW
RT2_config#mpls ip
RT2_config#mpls ldp router-id 10.10.5.1
RT2_config#int g0/0
RT2_config_g0/0#mpls ip
RT2_config_g0/0#mpls ldp enable
router bgp 65002

 address-family vpnv4
 neighbor 10.10.4.1 activate
 neighbor 10.10.4.1 send-community extended
 exit-address-family
 
 address-family ipv4 vrf CW
 no synchronization
 network 10.10.5.5/32
 exit-address-family

Result:

RT2_config#sho ip route vr CW bgp 
VRF ID: 1

B      10.10.4.5/32         [20,0] via 10.10.4.1

IPv6 MPLS

RT1:

RT1_config#sho run 

ipv6 unicast-routing
ipv6 vrf CW
 rd 1:1
 route-target import 2:1
 route-target export 1:2
 
 interface Loopback5
 ipv6 vrf forwarding CW
router bgp 65001

 address-family vpnv6
 neighbor 10.10.5.1 activate
 neighbor 10.10.5.1 send-community extended
 exit-address-family
 
 address-family ipv6 vrf CW
 no synchronization
 network 2001:10:10:4::5/128
 exit-address-family

Result:

RT1_config#sho ipv route vrf CW bgp 
B      2001:10:10:5::5/128[1]
        [20,0] via ::ffff:10.10.255.30(on GigaEthernet0/0)
        gate ::ffff:10.10.5.1 (vrf_id: 0)

RT2:

RT2_config#sho run 

ipv6 unicast-routing
ipv6 vrf CW
 rd 2:2
 route-target import 1:2
 route-target export 2:1
 
 interface Loopback5
 ipv6 vrf forwarding CW
router bgp 65002
  
 address-family vpnv6
 neighbor 10.10.4.1 activate
 neighbor 10.10.4.1 send-community extended
 exit-address-family
 
 address-family ipv6 vrf CW
 no synchronization
 network 2001:10:10:5::5/128
 exit-address-family

Result:

 RT2_config#sho ipv route vrf CW bgp 
B      2001:10:10:4::5/128[1]
        [20,0] via ::ffff:10.10.255.29(on GigaEthernet0/0)
        gate ::ffff:10.10.4.1 (vrf_id: 0)
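
The import/export logic behind both the IPv4 and the IPv6 VRF results above can be modelled in a few lines. The following added Python example (not router code) represents VRF CW on each PE with the RD and route-target values from this section, exports the loopback5 prefixes as RD-qualified VPN routes tagged with the export RTs, and imports on the other side purely by RT match. It also shows two constructed failure modes a practitioner checks for: import RTs that do not match the peer's export RTs, and the same RD on both PEs, which exchanges routes fine but collapses identical prefixes into one NLRI. Class and function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class VpnRoute:
    """One VPN-IPv4/IPv6 NLRI: RD-qualified prefix plus the Route Target
    extended communities attached when the VRF exported it."""
    rd: str
    prefix: str
    route_targets: FrozenSet[str]
    origin_pe: str

    @property
    def nlri(self) -> str:
        return f"{self.rd}:{self.prefix}"


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: Set[str]
    import_rt: Set[str]
    local_prefixes: Set[str] = field(default_factory=set)


def export_vrf(pe: str, vrf: Vrf) -> List[VpnRoute]:
    """`network` under address-family ... vrf becomes a VPN route tagged with the VRF's export RTs."""
    return [VpnRoute(vrf.rd, p, frozenset(vrf.export_rt), pe) for p in sorted(vrf.local_prefixes)]


def import_vrf(pe: str, vrf: Vrf, vpn_table: List[VpnRoute]) -> Set[str]:
    """A received VPN route lands in a VRF only if at least one attached RT is in
    the VRF's import set.  The RD plays no part in this decision."""
    return {r.prefix for r in vpn_table
            if r.origin_pe != pe and r.route_targets & vrf.import_rt}


def nlri_collisions(vpn_table: List[VpnRoute]) -> Set[str]:
    """Same RD + prefix from two different PEs is a single NLRI: one PE's route hides the other's."""
    origins: Dict[str, str] = {}
    dup: Set[str] = set()
    for r in vpn_table:
        if origins.setdefault(r.nlri, r.origin_pe) != r.origin_pe:
            dup.add(r.nlri)
    return dup


def exchange(pe_a: str, vrf_a: Vrf, pe_b: str, vrf_b: Vrf):
    """Both PEs export, both import; returns what each VRF installs from the other."""
    table = export_vrf(pe_a, vrf_a) + export_vrf(pe_b, vrf_b)
    return import_vrf(pe_a, vrf_a, table), import_vrf(pe_b, vrf_b, table)


# VRF CW on both PEs with the values from this section.
RT1_CW = Vrf("CW", rd="1:1", export_rt={"1:2"}, import_rt={"2:1"}, local_prefixes={"10.10.4.5/32"})
RT2_CW = Vrf("CW", rd="2:2", export_rt={"2:1"}, import_rt={"1:2"}, local_prefixes={"10.10.5.5/32"})

if __name__ == "__main__":
    print("RT1 installs:", exchange("RT1", RT1_CW, "RT2", RT2_CW)[0])  # {'10.10.5.5/32'}
    print("RT2 installs:", exchange("RT1", RT1_CW, "RT2", RT2_CW)[1])  # {'10.10.4.5/32'}
```

Running it with the page's values reproduces the two "sho ip route vrf CW bgp" results. Swapping RT2's import RT for its own export RT silently imports nothing, which is the usual cause of an empty VRF table with the VPNv4 session up.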

11. PIM-SM multicast

SW1, SW2, RT1, RT2 and AC1 run PIM-SM; RT1's loopback1 is the C-BSR and C-RP, and RT2 runs IGMPv3. A terminal in SW1's product department (tested with PC1) has multicast enabled and uses VLC to stream the video file "1.mp4" as a simulated multicast source, looping the video, to group 232.1.1.1 on port 1234; the branch-office product department (tested with PC2) receives the video.

SW1:

SW1(config)#ip pim multicast-routing

Interface Ethernet1/0/21
 ip dhcp snooping trust
 ipv6 dhcp snooping trust
Interface Ethernet1/0/22
 ip dhcp snooping trust
 ipv6 dhcp snooping trust
Interface Ethernet1/0/26
 ip dhcp snooping trust
 ipv6 dhcp snooping trust
 
 interface Vlan10
  ip pim sparse-mode
 interface Vlan1026
  ip pim sparse-mode

SW2:

SW2(config)#ip pim multicast-routing

interface Vlan1021
 ip pim sparse-mode
interface Vlan1026
 ip pim sparse-mode

RT1:

ip multicast-routing

router pim-sm
  reg-rate-limit 1
  c-bsr l1
  c-rp l1

interface Loopback1
 ip pim-sm
interface GigaEthernet0/0
 ip pim-sm
interface GigaEthernet0/1
 ip pim-sm

RT2:

ip multicast-routing

router pim-sm
  reg-rate-limit 1
  
interface GigaEthernet0/0
 ip pim-sm
interface GigaEthernet0/1
 ip pim-sm
 ip igmp enable

AC1:

ip pim multicast-routing

interface Vlan1001
  ip pim sparse-mode
interface Vlan110
 ip pim sparse-mode

III. Wireless configuration

1. AP registration:

wireless
 auto-ip-assign
 ap authentication mac
 discovery vlan-list 100
 
 ap database 00-03-0f-8a-f8-b0
AC1(config-wireless)#sho wireless ap status

    MAC Address                                                            Configuration                

 (*) Peer Managed  IP Address                              Profile Status     Status           Age      

------------------ --------------------------------------- ------- ------- ------------- --------------

 00-03-0f-8a-f8-b0 10.17.100.9                             1       Managed Success       0d:00:00:01

Total Access Points............................ 1

2. Creating the SSIDs

AC1's loopback1 IPv4 and IPv6 addresses serve as AC1's IPv4 and IPv6 management addresses. APs register automatically at layer 2 and are authenticated by MAC address. Two SSIDs are configured, SKILLS-2.4G and SKILLS-5G. SKILLS-2.4G maps to VLAN 110, using network 110 and radio 1 (mode n-only-g); users joining it must use WPA-personal with the password Pass-1234. SKILLS-5G maps to VLAN 120, using network 120 and radio 2 (mode n-only-a), requires no authentication, hides its SSID, and is transmitted on the last available VAP of the 5 GHz radio.

 network 110
  security mode wpa-personal
  ssid SKILLS-2.4G
  vlan 110
  wpa key Pass-1234
  
 network 120
  hide-ssid
  ssid SKILLS-5G
  vlan 120
  
 ap profile 1
  radio 1
   mode n-only-g
   vap 0
    network 110
 
 radio 2
   mode n-only-a
   vap 15
    network 120

3. AP auto-upgrade

When an AP comes online and the image version stored on the AC differs from the AP's image version, an automatic AP upgrade is triggered. The AP failure-state age time and the detected-client age time are both 2 hours.

AC1(config-wireless)#ap auto-upgrade 
AC1(config-wireless)#agetime ap-failure 2
AC1(config-wireless)#agetime detected-clients 2

4. Blacklist MAC authentication mode

The MAC authentication mode is blacklist; the wireless client with MAC address 80-45-DD-77-CC-48 uses the globally configured MAC-authentication action.

 mac-authentication-mode black-list
 known-client 80-45-dd-77-cc-48 action global-action
 
 network 110
  mac authentication local 
 network 120
  mac authentication local

5. To keep repeated security handshakes from many APs from consuming AC CPU, an AP that connects to the AC 5 times within 10 minutes is refused further connections; it is allowed again after 2 hours.

    wireless ap anti-flood interval 10
    wireless ap anti-flood max-conn-count 5
    wireless ap anti-flood agetime 120
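
The three commands describe a sliding-window rate limit with a penalty timer. The following added Python example (not AC firmware) implements that behaviour with explicit timestamps so it can be tested without waiting: connections are counted per AP MAC within the interval, reaching the count blocks the AP for the age time, and the block expires on its own. It assumes the connection that reaches the limit is itself still accepted; the class and method names are illustrative.

```python
from collections import defaultdict, deque
from typing import Deque, Dict


class ApAntiFlood:
    """Mirrors `wireless ap anti-flood interval / max-conn-count / agetime`:
    an AP that connects max_conn times within `interval_min` minutes is
    refused further connections until `agetime_min` minutes have passed."""

    def __init__(self, interval_min: int = 10, max_conn: int = 5, agetime_min: int = 120) -> None:
        self.interval = interval_min * 60.0
        self.max_conn = max_conn
        self.agetime = agetime_min * 60.0
        self.attempts: Dict[str, Deque[float]] = defaultdict(deque)  # per-AP timestamps
        self.blocked_until: Dict[str, float] = {}

    def connect(self, ap_mac: str, now: float) -> str:
        """Returns 'accepted' or 'blocked' for a connection attempt at time `now` (seconds)."""
        until = self.blocked_until.get(ap_mac)
        if until is not None:
            if now < until:
                return "blocked"
            del self.blocked_until[ap_mac]  # age time expired: back to normal
        window = self.attempts[ap_mac]
        while window and now - window[0] > self.interval:
            window.popleft()                # forget attempts older than the interval
        window.append(now)
        if len(window) >= self.max_conn:    # limit reached: this attempt is still accepted
            self.blocked_until[ap_mac] = now + self.agetime
            window.clear()
        return "accepted"

    def is_blocked(self, ap_mac: str, now: float) -> bool:
        return self.blocked_until.get(ap_mac, 0.0) > now


if __name__ == "__main__":
    guard = ApAntiFlood()
    mac = "00-03-0f-8a-f8-b0"   # the AP from the status table above
    for minute in range(7):
        print(minute, guard.connect(mac, minute * 60.0))
```

The same structure serves as a detection rule: an AP that trips the limit repeatedly is either flapping (PoE, uplink) or something impersonating it, and both deserve a look at the AP-side logs.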

6. User access to Internet HTTPS

For wireless users on VLAN 110, during working hours (weekdays 09:00-17:00), police upstream and downstream Internet HTTPS traffic with CIR 100 Mbps, CBS 200 Mbps and PBS 300 Mbps, with exceed-action and violate-action both set to drop. The time range, access list, class map and policy map are all named SKILLS. The access list body is empty in this backup; for the class map to match anything it still needs permit entries for TCP port 443 in both directions bound to time-range SKILLS.

time-range SKILLS
 periodic weekdays 09:00:00 to 17:00:00

ip access-list extended SKILLS
  
  exit

class-map SKILLS
 match access-group SKILLS

policy-map SKILLS
 class SKILLS
 policy 100000 200000 300000 exceed-action drop violate-action drop
 exit
 
 network 110
  client-qos enable
  client-qos diffserv-policy down SKILLS
  client-qos diffserv-policy up SKILLS
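
The "policy" line is a three-colour policer: traffic within the committed rate and normal burst is forwarded, traffic that fits only in the larger burst is "exceed", anything beyond is "violate", and here both non-conforming classes are dropped. The following added Python example (not DCN code) implements the single-rate three-colour marker of RFC 2697 in colour-blind mode with explicit timestamps so the behaviour is reproducible; the rate and burst values are small constructed numbers, since the unit interpretation of the three "policy" arguments is not given on this page.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class SrTCM:
    """Single-rate three-colour marker (RFC 2697), colour-blind mode.
    cir is in bytes per second; cbs and ebs are in bytes: cbs is the committed
    ('normal') burst, ebs the excess ('maximum') burst."""
    cir: float
    cbs: int
    ebs: int
    exceed_action: str = "drop"   # applied to yellow packets
    violate_action: str = "drop"  # applied to red packets

    def __post_init__(self) -> None:
        self.tc = float(self.cbs)  # committed bucket starts full
        self.te = float(self.ebs)  # excess bucket starts full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        """cir tokens per second go to Tc; only once Tc is full do they spill into Te."""
        tokens = max(0.0, now - self.last) * self.cir
        self.last = max(self.last, now)
        to_tc = min(tokens, self.cbs - self.tc)
        self.tc += to_tc
        self.te = min(float(self.ebs), self.te + (tokens - to_tc))

    def colour(self, size: int, now: float) -> str:
        """Mark one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"

    def action(self, size: int, now: float) -> str:
        c = self.colour(size, now)
        return {"green": "forward", "yellow": self.exceed_action, "red": self.violate_action}[c]


def police_burst(policer: SrTCM, sizes: Iterable[int], times: Iterable[float]) -> List[str]:
    """Run a constructed packet trace through the policer and return the action per packet."""
    return [policer.action(s, t) for s, t in zip(sizes, times)]


if __name__ == "__main__":
    p = SrTCM(cir=1000, cbs=2000, ebs=3000)
    # Eleven 500-byte packets in one instant: 4 fit the committed burst, 6 the
    # excess burst, the last is red; one second later only 1000 bytes are back.
    print([p.colour(500, 0.0) for _ in range(11)])
    print([p.colour(500, 1.0) for _ in range(3)])
```

With exceed-action and violate-action both set to drop, as in the SKILLS policy, yellow and red behave identically and the effective limit is simply CIR plus the normal burst; the distinction only matters if exceed-action is changed to remark rather than drop.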

7. AP multicast burst limiting and AP transmit power

Enable the AP multicast/broadcast burst limit; when the AP receives an erroneous frame it no longer sends an ACK frame; the interval between the frames an AP sends to announce its presence to wireless clients (beacons) is 1 second; AP transmit power is 80%.

 radio 1
   rate-limit
   beacon-interval 1000
   incorrect-frame-no-ack
   power default 80
   
  radio 2
   rate-limit
   beacon-interval 1000
   incorrect-frame-no-ack
   power default 80

8. Limit VLAN 140 wireless users to a maximum upstream and downstream bandwidth of 8000Mkps (as written in the task; the command below is given 800000) and a maximum ARP rate of 6 packets/s in each direction

  client-qos bandwidth-limit down 800000
  client-qos bandwidth-limit up 800000
  client-qos bandwidth-limit arp down 6
  client-qos bandwidth-limit arp up 6

9. Isolate VLAN 140 wireless users from each other, enable ARP suppression, and deny client access every day from 00:00 to 04:00

station-isolation
arp-suppression
time-limit from 00:00 to 04:00 weekday all

10. Apply the profile from privileged mode:

AC1#wireless ap profile apply 1 
All configurations will be send to the aps associated to this profile and associated clients on these aps will be disconnected. Because of work mode configurations, some aps associated to this profile will reboot. Are you sure you want to apply the profile configuration? [Y/N] y
AP Profile apply is in progress.