交换机部分
1、生成树spanning-tree
SW1、SW2、SW3启用MSTP,实现网络二层负载均衡和冗余备份,创建实例Instance10和Instance20,名称为SKILLS,修订版本为1,其中Instance10关联vlan60和vlan70,Instance20关联vlan80和vlan90。SW1为Instance0和Instance10的根交换机,为Instance20备份根交换机;SW2为Instance20根交换机,为Instance0和Instance10的备份根交换机;根交换机STP优先级为0,备份根交换机STP优先级为4096。关闭交换机之间三层互联接口的STP。
SW1配置步骤:
-
进入全局配置模式:
enable -
配置Instance0为根交换机:
conf t spanning-tree mst 0 priority 0 -
配置Instance10为根交换机:
spanning-tree mst 10 priority 0 -
配置Instance20为备份根交换机:
spanning-tree mst 20 priority 4096 -
禁用Ethernet1/0/22和Ethernet1/0/26上的STP:
interface Ethernet1/0/22 no spanning-treeinterface Ethernet1/0/26 no spanning-tree`
SW2配置步骤:
-
进入全局配置模式:
enable -
配置Instance0为备份根交换机:
conf t spanning-tree mst 0 priority 4096 -
配置Instance10为备份根交换机:
spanning-tree mst 10 priority 4096 -
配置Instance20为根交换机:
spanning-tree mst 20 priority 0 -
禁用Ethernet1/0/22和Ethernet1/0/26上的STP:
interface Ethernet1/0/22 no spanning-treeinterface Ethernet1/0/26 no spanning-tree`
SW3配置步骤:
-
进入全局配置模式:
enable -
禁用Ethernet1/0/21和Ethernet1/0/22上的STP:
conf t interface Ethernet1/0/21 no spanning-tree interface Ethernet1/0/22 no spanning-tree
完成以上配置后,网络中的生成树协议将按照所配置的优先级和备份关系进行运行,实现二层负载均衡和冗余备份的目标。
2、链路聚合(LACP):
SW1 和 SW2 之间利用三条裸光缆实现互通,其中一条裸光缆承载三层 IP业务、一条裸光缆承载 VPN 业务、一条裸光缆承载二层业务。用相关技术分别实现财务 1 段、财务 2 段业务路由表与其它业务路由表隔离,财务业务 VPN 实例名称为 CW。
SW1配置:
-
进入全局配置模式:
SW1> enable SW1# configure terminal -
创建端口组并配置为主动模式:
SW1(config)# port-channel 1 SW1(config)# interface range Ethernet1/0/25 - 28 SW1(config-if-range)# channel-group 1 mode active -
配置流量负载均衡模式为源和目的 IP 地址:
SW1(config)# port-channel load-balance dst-src-ip
SW2配置:
-
进入全局配置模式:
SW2> enable SW2# configure terminal -
创建端口组并配置为主动模式:
SW2(config)# port-channel 1 SW2(config)# interface range Ethernet1/0/25 - 28 SW2(config-if-range)# channel-group 1 mode active -
配置流量负载均衡模式为源和目的 IP 地址:
SW2(config)# port-channel load-balance dst-src-ip
配置结果验证:
你可以使用以下命令来验证链路聚合的配置是否成功:
配置结果:
SW1#sho port-group 1 detail
Flags: A -- LACP_Activity, B -- LACP_timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Port-group number: 1, Mode: active, Load-balance: dst-src-ip
Port-group detail information:
System ID: 0x8000,00-03-0f-e0-f9-b3
Local:
Port Status Priority Oper-Key Flag
-----------------------------------------------------------
Ethernet1/0/25 Unselected 32768 1 {ACG}
Ethernet1/0/28 Selected 32768 1 {ACDEF}
Remote:
Actor Partner Priority Oper-Key SystemID Flag
--------------------------------------------------------------------------------
Ethernet1/0/28 28 32768 1 0x8000,00-03-0f-e0-f9-b6 {ACDEF}
SW2----------------------------------------------=---------=-=-=-=-=-=
SW2#sho port-group 1 detail
Flags: A -- LACP_Activity, B -- LACP_timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Port-group number: 1, Mode: active, Load-balance: dst-src-ip
Port-group detail information:
System ID: 0x8000,00-03-0f-e0-f9-b6
Local:
Port Status Priority Oper-Key Flag
-----------------------------------------------------------
Ethernet1/0/25 Unselected 32768 1 {ACG}
Ethernet1/0/28 Selected 32768 1 {ACDEF}
Remote:
Actor Partner Priority Oper-Key SystemID Flag
--------------------------------------------------------------------------------
Ethernet1/0/28 28 32768 1 0x8000,00-03-0f-e0-f9-b3 {ACDEF}
3、路由表隔离VPN
将 SW3 模拟为 Internet 交换机,实现与集团其它业务路由表隔离,Internet 路由表 VPN 实例名称为 Internet。将 SW3 模拟办事处交换机,实现与集团其它业务路由表隔离,办事处路由表 VPN 实例名称为 Guangdong。
SW3配置:
-
创建VPN实例并分配VRF:
SW3(config)# ip vrf Guangdong SW3(config)# ip vrf Internet -
配置Loopback接口并分配给相应的VRF:
SW3(config)# interface Loopback2 SW3(config-if)# ip vrf forwarding Guangdong SW3(config-if)# ip address 10.10.3.2 255.255.255.255 SW3(config)# interface Loopback3 SW3(config-if)# ip vrf forwarding Internet SW3(config-if)# ip address 200.200.3.3 255.255.255.255 -
配置VLAN接口并分配给相应的VRF:
SW3(config)# interface Vlan110 SW3(config-if)# ip vrf forwarding Guangdong SW3(config-if)# ip address 10.16.110.1 255.255.255.0 SW3(config)# interface Vlan120 SW3(config-if)# ip vrf forwarding Guangdong SW3(config-if)# ip address 10.16.120.1 255.255.255.0 SW3(config)# interface Vlan1015 SW3(config-if)# ip vrf forwarding Guangdong SW3(config-if)# ip address 10.10.255.46 255.255.255.252 SW3(config)# interface Vlan1017 SW3(config-if)# ip vrf forwarding Internet SW3(config-if)# ip address 200.200.200.1 255.255.255.252 SW3(config)# interface Vlan1018 SW3(config-if)# ip vrf forwarding Internet SW3(config-if)# ip address 200.200.200.5 255.255.255.252
配置结果验证:
您可以使用以下命令来验证VRF配置:
SW3#sho ip vrf
VRF Guangdong, FIB ID 1
Router ID: 10.10.3.2 (loopback)
Interfaces:
Vlan110
Vlan120
Vlan1015
Loopback2
!
VRF Internet, FIB ID 2
Router ID: 200.200.3.3 (loopback)
Interfaces:
Vlan1017
Vlan1018
Loopback3
!
VRF Guangdong; (id=1); RIP is not enabled
VRF Internet; (id=2); RIP is not enabled
Name Interfaces
Guangdong Vlan110 Vlan120 Vlan1015 Loopback2
Internet Vlan1017 Vlan1018 Loopback3
Name Default RD Interfaces
Guangdong Vlan110
Vlan120
Vlan1015
Loopback2
Internet Vlan1017
Vlan1018
Loopback3
4、端口安全
SW1 法务物理接口限制收发数据占用的带宽均为 1000Mbps,限制所有报文最大收包速率为 1000packets/s,如果超过了配置交换机端口的报文最大收包速率则关闭此端口,1 分钟后恢复此端口;启用端口安全功能,最大安全 MAC 地址数为 20,当超过设定 MAC 地址数量的最大值,不学习新的 MAC、丢弃数据包、发nmp trap、同时在 syslog 日志中记录,端口的老化定时器到期后,在老化周期中没有流量的部分表项老化,有流量的部分依旧保留,恢复时间为 10 分钟;禁止采用访控制列表,只允许 IP 主机位为 20-50 的数据包进行转发;禁止配置访问控制列表,实现端口间二层流量无法互通,组名称 FW。
SW1配置:
-
配置端口带宽限制和报文最大收包速率:
SW1(config)# interface Ethernet1/0/3 SW1(config-if)# bandwidth control 1000000 both SW1(config-if)# rate-violation all 1000 SW1(config-if)# rate-violation control shutdown recovery 60 -
启用端口安全功能并设置最大安全MAC地址数:
SW1(config-if)# switchport port-security SW1(config-if)# switchport port-security maximum 20 -
配置违规处理策略:
SW1(config-if)# switchport port-security violation restrict recovery 600 -
配置MAC地址学习控制和老化定时器类型:
SW1(config)# mac-address-learning cpu-control SW1(config)# interface Ethernet1/0/3 SW1(config-if)# switchport port-security aging type inactivity -
启用AM功能并配置IP池:
SW1(config)# am enable SW1(config)# interface Ethernet1/0/3 SW1(config-if)# am port SW1(config-if)# am ip-pool 10.10.120.20 31 -
禁止端口间二层流量互通,并应用组名称为FW:
SW1(config)# isolate-port group FW switchport interface Ethernet1/0/3 SW1(config)# isolate-port apply l2
配置结果验证:
您可以使用以下命令来验证端口安全配置:
SW1# show running-config interface Ethernet1/0/3
SW1# show isolate-port group FW
SW1(config-if-ethernet1/0/3)#sho run c
bandwidth control 1000000 both
rate-violation all 1000
rate-violation control shutdown recovery 60
switchport access vlan 30
switchport port-security
switchport port-security maximum 20
switchport port-security violation restrict recovery 600
switchport port-security aging type inactivity
am port
am ip-pool 10.10.120.20 31
SW1#sho isolate-port group FW
Isolate-port group FW
The isolate-port Ethernet1/0/3
5、开启日志记录&保护功能:
开启 SW1日志记录功能和保护功能,采样周期5s一次,恢复周期为100s,从而保障 CPU 稳定运行。
SW1配置:
-
开启日志记录功能:
SW1(config)# cpu-protect log enable -
开启保护功能并设置采样周期和恢复周期:
SW1(config)# cpu-protect enable SW1(config)# cpu-protect interval 5 SW1(config)# cpu-protect recovery-time 100
配置结果验证:
您可以使用以下命令来验证CPU保护的运行配置:
SW1# show cpu-protect running-config
SW1#sho cpu-protect running-config
Cpu-Protect Globle: enable
Cpu-Protect trap : disable
Cpu-Protect Log: enable
Cpu-Protect Interval: 5
Cpu-Protect Recovery-Time: 100
Cap-Num Ip-Num Mac-Num Protocal-Num
0 0 0 0
Stream Threshould Limit-Speed Action
IP 300 150 Speed-Limit
DHCP 150 80 Speed-Limit
IGMP 150 80 Speed-Limit
ARP 300 150 Speed-Limit
ICMP 80 50 Speed-Limit
PER-IP 400 200 Speed-Limit
PER-MAC 400 200 Speed-Limit
6、SNMP配置:
SW1 配置 SNMP,引擎 id 分别为 1;创建组 GROUP2022,采用最高安全级别,配置组的读、写视图分别为:SKILLS_R、SKILLS_W;创建认证用户为SER2022,采用 aes 算法进行加密,密钥为 Pass-1234,哈希算法为 sha,密钥为 Pass-1234;当设备有异常时,需要用本地的环回地址 loopback1 发送 v3 Trap 消息至集团网管服务器 10.10.11.99、2001:10:10:11::99,采用最高安全级别;
SW1配置:
-
启用SNMP功能:
snmp-server enable -
配置允许接收SNMP消息的安全IP地址:
snmp-server securityip 10.1.15.120 snmp-server securityip 2001:10:1:15::120 -
配置Trap消息的源IP地址:
snmp-server trap-source 10.1.1.1 snmp-server trap-source 2001:10:1:1::1 -
配置SNMP引擎ID:
snmp-server engineid 1000 -
创建SNMP认证用户和组:
snmp-server user UserSkills GroupSkills authPriv aes Key-1122 auth sha Key-1122 snmp-server group GroupSkills authpriv read Skills_R write Skills_W -
配置发送Trap消息的目标主机:
snmp-server host 10.1.1.1 v3 authpriv UserSkills snmp-server host 2001:10:1:1::1 v3 authpriv UserSkills -
启用SNMP Trap:
snmp-server enable traps
配置结果验证:
您可以使用以下命令验证SNMP配置的结果:
SW1# show snmp engineid
SW1# show snmp group
SW1# show snmp status
SW1# show snmp user
SW1# show running-config interface Ethernet1/0/3
SW1(config)#sho snmp engineid
SNMP engineID:1
Engine Boots is:1
SW1(config)#sho snmp group
Group Name:GROUP2022
Security Level:AuthPriv
Read View:SKILLS_R
Write View:SKILLS_W
Notify View:<no notifyview specified>
SW1(config)#sho snmp status
System Name : DC YunKe Networks Co.,Ltd.
System Contact : 400-810-9119
System Location : China
Trap enable
RMON enable
Community Information:
V1/V2c Trap Host Information:
V3 Trap Host Information:
Trap-rec-address: 2001:10:10:11::99
User-name :USER2022
Security Level:AuthPriv
Trap-rec-address: 10.10.11.99
User-name :USER2022
Security Level:AuthPriv
Security IP is Enabled.
Security IP: 10.10.11.99
Security IP: 2001:10:10:11::99
SW1(config)#sho snmp user
User name: USER2022
Engine ID: 0x31
Auth Protocol:SHA Priv Protocol:AES-CFB-128
Row status:active
当法务部门对应的用户接口发生 UP DOWN 事件时,禁止发送 trap 消息至上述集团网管服务器。
SW1(config-if-ethernet1/0/3)#sho run c
no switchport updown notification enable
7、互联流量镜像
将 W1 与 FW1 互连流量镜像到 SW1 E1/0/1,会话列表为 1。
monitor session 1 source interface Ethernet1/0/21 tx
monitor session 1 source interface Ethernet1/0/21 rx
monitor session 1 destination interface Ethernet1/0/1
配置结果:
SW1(config)#sho monitor
monitor session 1:
Destination Ethernet1/0/1
Card: slot 1
source ports:
RX port: 21
TX port: 21
--------------------------------------------------------
No monitor in session 2
--------------------------------------------------------
No monitor in session 3
--------------------------------------------------------
No monitor in session 4
--------------------------------------------------------
No monitor in session 5
--------------------------------------------------------
No monitor in session 6
--------------------------------------------------------
No monitor in session 7
--------------------------------------------------------
8、ULDP:
SW1 和 SW2 E1/0/21-28 启用单向链路故障检测,当发生该故障时,端口标记为 errdisable 状态,自动关闭端口,经过 1 分钟后,端口自动重启;发送 Hello 报文时间间隔为 15s。
SW1配置:
SW1(config)# uldp enable
SW1(config)# uldp aggressive-mode
SW1(config)# interface range Ethernet1/0/21-28
SW1(config-if-range)# uldp enable
SW1(config-if-range)# uldp aggressive-mode
SW1(config)# uldp recovery-time 60
SW1(config)# uldp hello-interval 15
SW2配置:
SW2(config)# uldp enable
SW2(config)# uldp aggressive-mode
SW2(config)# interface range Ethernet1/0/21-28
SW2(config-if-range)# uldp enable
SW2(config-if-range)# uldp aggressive-mode
SW2(config)# uldp recovery-time 60
SW2(config)# uldp hello-interval 15
配置结果:
SW1(config)# sho uldp
uldp enable
uldp hello interval is 15
uldp recovery time is 60
uldp shut down mode is AUTO
uldp global work mode is AGGRESSIVE
the total number of the port is 8
---------------------------------------------------------------------------
PortName PhyLink LineProto WorkMode PortState NeighborNum
---------------------------------------------------------------------------
Ethernet1/0/21 UP UP AGGRESSIVE BIDIRECTION 0
Ethernet1/0/22 UP UP AGGRESSIVE BIDIRECTION 0
Ethernet1/0/23 UP UP AGGRESSIVE BIDIRECTION 0
Ethernet1/0/24 UP DOWN AGGRESSIVE INACTIVE 0
Ethernet1/0/25 UP DOWN AGGRESSIVE INACTIVE 0
Ethernet1/0/26 UP UP AGGRESSIVE BIDIRECTION 1
Ethernet1/0/27 UP UP AGGRESSIVE BIDIRECTION 1
Ethernet1/0/28 UP UP AGGRESSIVE BIDIRECTION 1
---------------------------------------------------------------------------
SW2(config)# sho uldp
uldp enable
uldp hello interval is 15
uldp recovery time is 60
uldp shut down mode is AUTO
uldp global work mode is AGGRESSIVE
the total number of the port is 8
---------------------------------------------------------------------------
PortName PhyLink LineProto WorkMode PortState NeighborNum
---------------------------------------------------------------------------
Ethernet1/0/21 UP UP AGGRESSIVE BIDIRECTION 0
Ethernet1/0/22 UP UP AGGRESSIVE BIDIRECTION 0
Ethernet1/0/23 UP UP AGGRESSIVE BIDIRECTION 0
Ethernet1/0/24 UP DOWN AGGRESSIVE INACTIVE 0
Ethernet1/0/25 UP DOWN AGGRESSIVE INACTIVE 0
Ethernet1/0/26 UP UP AGGRESSIVE BIDIRECTION 1
Ethernet1/0/27 UP UP AGGRESSIVE BIDIRECTION 1
Ethernet1/0/28 UP UP AGGRESSIVE BIDIRECTION 1
---------------------------------------------------------------------------
9、LLDP:
SW1和SW2所有端口启用链路层发现协议,更新报文发送时间间隔为20s,老化时间乘法器值为 5,Trap 报文发送间隔为 10s,配置三条裸光缆端口使能Trap 功能。
SW1配置:
SW1(config)# lldp enable
SW1(config)# lldp msgTxHold 5
SW1(config)# lldp tx-interval 10
!
Interface Ethernet1/0/26
lldp trap enable
!
Interface Ethernet1/0/27
lldp trap enable
!
Interface Ethernet1/0/28
lldp trap enable
SW2配置:
SW2(config)# lldp enable
SW2(config)# lldp msgTxHold 5
SW2(config)# lldp tx-interval 10
!
Interface Ethernet1/0/26
lldp trap enable
!
Interface Ethernet1/0/27
lldp trap enable
!
Interface Ethernet1/0/28
lldp trap enable
配置结果:
SW1# sho lldp
-----LLDP GLOBAL INFORMATIONS-----
LLDP has been enabled globally.
LLDP enabled port : Ethernet1/0/21 Ethernet1/0/22 Ethernet1/0/23 Ethernet1/0/26 Ethernet1/0/27 Ethernet1/0/28
LLDP interval :10
LLDP txTTL :50
LLDP NotificationInterval :5
LLDP txDelay :2
LLDP-MED FastStart Repeat Count :4
-------------END------------------
SW1(config)# interface range Ethernet1/0/26-28
SW1(config-if-range)# sho run c
Interface Ethernet1/0/26
lldp trap enable
!
Interface Ethernet1/0/27
lldp trap enable
!
Interface Ethernet1/0/28
lldp trap enable
Sw2!!!!!!!!!!!!
SW2# sho lldp
-----LLDP GLOBAL INFORMATIONS-----
LLDP has been enabled globally.
LLDP enabled port : Ethernet1/0/21 Ethernet1/0/22 Ethernet1/0/23 Ethernet1/0/26 Ethernet1/0/27 Ethernet1/0/28
LLDP interval :10
LLDP txTTL :50
LLDP NotificationInterval :5
LLDP txDelay :2
LLDP-MED FastStart Repeat Count :4
-------------END------------------
SW2(config)# interface range Ethernet1/0/26-28
SW2(config-if-range)# sho run c
Interface Ethernet1/0/26
lldp trap enable
!
Interface Ethernet1/0/27
lldp trap enable
!
Interface Ethernet1/0/28
lldp trap enable
路由器部分
1、SSH服务
启用所有设备的 ssh 服务,防火墙用户名 admin,明文密码 Pass-1234,其余设备用户名和明文密码均为 admin
交换机&AC:
SW(config)#ssh-server enable
SW(config)#username admin password 0 admin
路由器:
RT1_config#username admin password 0 admin
RT1_config#aaa authentication login default local
RT1_config#aaa authentication enable default none
RT1_config#ip sshd enable
防火墙:
需要在web页面上开启
<你一定能找到的=-=>
2、配置时区
配置所有设备的时区为 GMT+08:00,调整 SW1 时间为实际时间,SW1 配置为 ntp server,其他设备用 SW1 loopback1 ipv4 地址作为 ntp server 地址,ntp client 请求报文时间间隔 1 分钟。
SW1配置:
SW1#clock set 14:41:30 2023.4.24
SW1#config
SW1(config)#clock timezone GMT add 8 0
SW1(config)#ntp enable
SW1(config)#ntp-service refclock-master 1
SW1(config)#ntp server 10.10.1.1
SW1(config)#ntp syn-interval 60
SW2、SW3、AC配置:
clock timezone GMT add 8 0
ntp enable
ntp syn-interval 60
ntp server 10.10.1.1
路由器配置:
time-zone GMT 8 0
ntp query-interval 60
ntp server 10.10.1.1
防火墙配置:
FW1(config)# clock zone GMT 8 0
FW1(config)# ntp enable
FW1(config)# ntp server 10.10.1.1
FW1(config)# ntp query-interval 1
配置结果:
SW1(config)#sho clock
Current time is Mon Apr 24 15:13:30 2023 [GMT+08:00]
SW1(config)#sho ntp status
ntp clock status: synchronized
Clock stratum:4
Reference clock server:10.10.1.1
Clock offset:0.0 s
Root delay:0.000 ms
Root dispersion:0.000 ms
Reference time:Mon Apr 24 07:06:3.203 2023
Syn-interval:60s
3、VRRP
利用 vrrpv2 和 vrrpv3 技术实现 vlan60、vlan70、vlan80、vlan90 网关冗余备份,vrrp id 与 vlan id 相同。vrrpv2 vip 为 10.10.vlanid.9(如 vlan60的 vrrpv2 vip 为 10.10.60.9),vrrpv3 vip 为 FE80:vlanid::9(如 vlan60 的vrrpv3 vip 为 FE80:60::9)。配置 SW1 为 vlan60、vlan70 的 Master,SW2 为vlan80、vlan90 的 aster。要求 vrrp 组中高优先级为 120,低优先级为默认值,抢占模式为默认值,vrrpv2 和 vrrpv3 发送通告报文时间间隔为默认值。当 SW1或 SW2 上联链路发生故障,Master 优先级降低 50。
VRRPv2 配置:
SW1配置:
SW1(config)# interface Vlan60
SW1(config-if)# ip address 10.10.60.1 255.255.255.0
SW1(config-if)# exit
SW1(config)# interface Vlan70
SW1(config-if)# ip address 10.10.70.1 255.255.255.0
SW1(config-if)# exit
SW1(config)# router vrrp 60
SW1(config-router)# virtual-ip 10.10.60.9
SW1(config-router)# priority 120
SW1(config-router)# circuit-failover Vlan1021 50
SW1(config-router)# enable
SW1(config-router)# exit
SW1(config)# router vrrp 70
SW1(config-router)# virtual-ip 10.10.70.9
SW1(config-router)# priority 120
SW1(config-router)# circuit-failover Vlan1021 50
SW1(config-router)# enable
SW1(config-router)# exit
SW2配置:
SW2(config)# interface Vlan80
SW2(config-if)# ip address 10.10.80.1 255.255.255.0
SW2(config-if)# exit
SW2(config)# interface Vlan90
SW2(config-if)# ip address 10.10.90.1 255.255.255.0
SW2(config-if)# exit
SW2(config)# router vrrp 80
SW2(config-router)# virtual-ip 10.10.80.9
SW2(config-router)# priority 120
SW2(config-router)# circuit-failover Vlan1021 50
SW2(config-router)# enable
SW2(config-router)# exit
SW2(config)# router vrrp 90
SW2(config-router)# virtual-ip 10.10.90.9
SW2(config-router)# priority 120
SW2(config-router)# circuit-failover Vlan1021 50
SW2(config-router)# enable
SW2(config-router)# exit
VRRPv3 配置:
SW1配置:
SW1(config)# ipv6 unicast-routing
SW1(config)# interface Vlan60
SW1(config-if)# ipv6 address FE80::1 link-local
SW1(config-if)# ipv6 address 2001:DB8:0:60::1/64
SW1(config-if)# exit
SW1(config)# interface Vlan70
SW1(config-if)# ipv6 address FE80::1 link-local
SW1(config-if)# ipv6 address 2001:DB8:0:70::1/64
SW1(config-if)# exit
SW1(config)# router ipv6 vrrp 60
SW1(config-router)# virtual-ipv6 FE80:60::9 interface Vlan60
SW1(config-router)# priority 120
SW1(config-router)# circuit-failover Vlan1021 50
SW1(config-router)# enable
SW1(config-router)# exit
SW1(config)# router ipv6 vrrp 70
SW1(config-router)# virtual-ipv6 FE80:70::9 interface Vlan70
SW1(config-router)# priority 120
SW1(config-router)# circuit-failover Vlan1021 50
SW1(config-router)# enable
SW1(config-router)# exit
SW2配置:
SW2(config)# ipv6 unicast-routing
SW2(config)# interface Vlan80
SW2(config-if)# ipv6 address FE80::1 link-local
SW2(config-if)# ipv6 address 2001:DB8:0:80::1/64
SW2(config-if)# exit
SW2(config)# interface Vlan90
SW2(config-if)# ipv6 address FE80::1 link-local
SW2(config-if)# ipv6 address 2001:DB8:0:90::1/64
SW2(config-if)# exit
SW2(config)# router ipv6 vrrp 80
SW2(config-router)# virtual-ipv6 FE80:80::9 interface Vlan80
SW2(config-router)# priority 120
SW2(config-router)# circuit-failover Vlan1021 50
SW2(config-router)# enable
SW2(config-router)# exit
SW2(config)# router ipv6 vrrp 90
SW2(config-router)# virtual-ipv6 FE80:90::9 interface Vlan90
SW2(config-router)# priority 120
SW2(config-router)# circuit-failover Vlan1021 50
SW2(config-router)# enable
SW2(config-router)# exit
4、DHCP 服务:
在 AC1 上配置了 DHCPv4 服务,为 SW1 的产品1段 VLAN10 和分公司 VLAN100、VLAN110、VLAN120 分配地址池。IPv4 地址池名称分别为 POOLv4-10、POOLv4-100、POOLv4-110、POOLv4-120。
配置 DHCP 服务和 DHCP Snooping
在 AC1 上配置 DHCPv4 和 DHCPv6 服务,为 SW1 和分公司的 VLAN 分配地址,并在 SW1 上启用 DHCP Snooping。
启用 DHCPv4 和 DHCPv6 服务。
AC1(config)#service dhcp
AC1(config)#service dhcpv6
为 VLAN10、VLAN100、VLAN110 和 VLAN120 配置 DHCPv4 地址池,并分配地址、设置默认网关和 DNS 服务器
AC1(config)#ip dhcp pool POOLv4-10
AC1(dhcp-config)#network 10.10.11.0 255.255.255.0
AC1(dhcp-config)#default-router 10.10.11.1
AC1(dhcp-config)#dns-server 114.114.114.114
AC1(config)#ip dhcp pool POOLv4-100
AC1(dhcp-config)#network 10.17.100.0 255.255.255.0
AC1(dhcp-config)#default-router 10.17.100.1
AC1(dhcp-config)#dns-server 114.114.114.114
AC1(config)#ip dhcp pool POOLv4-110
AC1(dhcp-config)#network 10.17.110.0 255.255.255.0
AC1(dhcp-config)#default-router 10.17.110.1
AC1(dhcp-config)#dns-server 114.114.114.114
AC1(config)#ip dhcp pool POOLv4-120
AC1(dhcp-config)#network 10.17.120.0 255.255.255.0
AC1(dhcp-config)#default-router 10.17.120.1
AC1(dhcp-config)#dns-server 114.114.114.114
为 VLAN10、VLAN100、VLAN110 和 VLAN120 配置 DHCPv6 地址池,并分配 IPv6 地址。
AC1(config)#ipv6 dhcp pool POOLv6-10
AC1(config-dhcpv6)#address prefix 2001:10:10:11::/64
AC1(config)#ipv6 dhcp pool POOLv6-100
AC1(config-dhcpv6)#address prefix 2001:10:17:100::/64
AC1(config)#ipv6 dhcp pool POOLv6-110
AC1(config-dhcpv6)#address prefix 2001:10:17:110::/64
AC1(config)#ipv6 dhcp pool POOLv6-120
AC1(config-dhcpv6)#address prefix 2001:10:17:120::/64
排除网关地址以外的地址池范围内的地址。
AC1(config)#ip dhcp excluded-address 10.10.11.1
AC1(config)#ip dhcp excluded-address 10.17.100.1
AC1(config)#ip dhcp excluded-address 10.17.110.1
AC1(config)#ip dhcp excluded-address 10.17.120.1
AC1(config)#ipv6 dhcp pool POOLv6-120
AC1(config-dhcpv6)#excluded-address 2001:10:17:120::1
AC1(config)#ipv6 dhcp pool POOLv6-110
AC1(config-dhcpv6)#excluded-address 2001:10:17:110::1
AC1(config)#ipv6 dhcp pool POOLv6-100
AC1(config-dhcpv6)#excluded-address 2001:10:17:100::1
AC1(config)#ipv6 dhcp pool POOLv6-10
AC1(config-dhcpv6)#dns-server 2400:3200::1
AC1(config-dhcpv6)#excluded-address 2001:10:10:11::1
为设备保留地址。
AC1(config)#ip dhcp pool AP1
AC1(dhcp-config)#host 10.17.100.9 255.255.255.0
AC1(dhcp-config)#hardware-address 00-03-0F-8A-F8-B0
AC1(dhcp-config)#default-router 10.17.100.1
AC1(config)#ip dhcp pool PC1
AC1(dhcp-config)#host 10.10.11.9 255.255.255.0
AC1(dhcp-config)#hardware-address 8C-16-45-78-8D-98
AC1(dhcp-config)#default-router 10.10.11.1
AC1(dhcp-config)#dns-server 114.114.114.114
AC1(config)#ip dhcp pool PC2
AC1(dhcp-config)#host 10.17.110.9 255.255.255.0
AC1(dhcp-config)#hardware-address 24-69-8E-1E-B9-5E
AC1(dhcp-config)#default-router 10.17.110.1
AC1(dhcp-config)#dns-server 114.114.114.114
在 AC1 上配置 DHCP 服务,并为 VLAN1000、VLAN110 和 VLAN120 启用 DHCPv6 服务器。
AC1(config)#interface Vlan1000
AC1(config-if)#ipv6 dhcp server POOLv6-100
AC1(config)#interface Vlan110
AC1(config-if)#ipv6 dhcp server POOLv6-110
AC1(config)#interface Vlan120
AC1(config-if)#ipv6 dhcp server POOLv6-120
在 SW1 上启用 DHCP Snooping,并将 E1/0/1 端口配置为受信任的端口,以允许 DHCP 流量通过。
SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 10,100-110
SW1(config)#interface Ethernet1/0/1
SW1(config-if)#ip dhcp snooping trust
配置 DHCPv6 中继,将 DHCPv6 请求转发到 AC1 上的 DHCPv6 服务器。
SW1(config)#ipv6 dhcp relay destination 2001:10:10:8::1 Vlan10-Vlan110
5、OSPF
SW1、SW2、SW3、RT1 以太链路、RT2 以太链路、FW1、FW2、AC1 之间运行OSPFv2 和 OSPFv3 协议(路由模式发布网络用接口地址,- BGP 协议除外)。
OSPFv2
(1) SW1、SW2、SW3、RT1、RT2、FW1 之间 OSPFv2 ,进程 1,区域 0,分别发布 loopback1 地址路由和产品路由,FW1 通告 type2 默认路由。
1、配置SW1:
SW1(config)# router ospf 1
SW1(config-router)# ospf router-id 10.10.1.1
SW1(config-router)# network 10.10.1.1/32 area 0
SW1(config-router)# network 10.10.11.1/32 area 0
SW1(config-router)# network 10.10.255.1/32 area 0
SW1(config-router)# network 10.10.255.5/32 area 0
SW1(config-router)# network 10.10.255.14/32 area 0
2、 配置SW2:
SW2(config)# router ospf 1
SW2(config-router)# ospf router-id 10.10.2.1
SW2(config-router)# network 10.10.2.1/32 area 0
SW2(config-router)# network 10.10.21.1/32 area 0
SW2(config-router)# network 10.10.255.2/32 area 0
SW2(config-router)# network 10.10.255.9/32 area 0
SW2(config-router)# network 10.10.255.22/32 area 0
3、 配置SW3:
SW3(config)# router ospf 1
SW3(config-router)# ospf router-id 10.10.3.1
SW3(config-router)# network 10.10.3.1/32 area 0
SW3(config-router)# network 10.10.31.1/32 area 0
SW3(config-router)# network 10.10.255.6/32 area 0
SW3(config-router)# network 10.10.255.10/32 area 0
4、配置RT1:
RT1(config)# router ospf 1
RT1(config-router)# router-id 10.10.4.1
RT1(config-router)# network 10.10.4.1 255.255.255.255 area 0
RT1(config-router)# network 10.10.255.29 255.255.255.255 area 0
RT1(config-router)# network 10.10.255.21 255.255.255.255 area 0
RT1(config-router)# network 10.10.255.18 255.255.255.255 area 0
5、 配置RT2
RT2(config)# router ospf 1
RT2(config-router)# router-id 10.10.5.1
RT2(config-router)# network 10.10.5.1 255.255.255.255 area 0
RT2(config-router)# network 10.10.255.30 255.255.255.255 area 0
6、 配置FW1
FW1(config)# ip vrouter "trust-vr"
FW1(config-vrouter)# ip route 0.0.0.0/0 200.200.200.1
FW1(config-vrouter)# router ospf 1
FW1(config-router)# router-id 10.10.6.1
FW1(config-router)# default-information originate
FW1(config-router)# network 10.10.6.1/32 area 0
FW1(config-router)# network 10.10.255.13/32 area 0
FW1(config-router)# network 10.10.255.17/32 area 0
7、 配置RT2与AC1之间的OSPFv2协议
RT2(config)# router ospf 1
RT2(config-router)# network 10.10.255.41 255.255.255.255 area 1
RT2(config-router)# area 1 nssa no-summary
AC1(config)# router ospf 1
AC1(config-router)# ospf router-id 10.10.8.1
AC1(config-router)# area 1 nssa no-summary
AC1(config-router)# network 10.10.8.1/32 area 1
AC1(config-router)# network 10.10.255.42/32 area 1
AC1(config-router)# network 10.17.110.1/32 area 1
AC1(config-router)# network 10.17.120.1/32 area 1
AC1(config-router)# redistribute connected route-map L3
AC1(config-router)# ip prefix-list L3 seq 5 permit 10.10.8.3/32
AC1(config-router)# route-map L3 permit 10
AC1(config-router)# match ip address prefix-list L3
8、 配置SW3模拟办事处与FW2之间的OSPFv2协议
SW3(config)# interface Ethernet1/0/11
SW3(config-if)# loopback
SW3(config-if)# switchport access vlan 110
SW3(config)# interface Ethernet1/0/12
SW3(config-if)# loopback
SW3(config-if)# switchport access vlan 120
SW3(config)# router ospf 2
SW3(config-router)# ospf router-id 10.10.3.2
SW3(config-router)# network 10.10.3.2/32 area 2
SW3(config-router)# network 10.10.255.46/32 area 2
SW3(config-router)# network 10.16.110.1/32 area 2
SW3(config-router)# network 10.16.120.1/32 area 2
FW2(config)# ip vrouter "trust-vr"
FW2(config-vrouter)# router ospf 2
FW2(config-router)# router-id 10.10.7.1
FW2(config-router)# network 10.10.255.45/32 area 2
FW2(config-router)# network 10.10.255.26/32 area 2
FW2(config-router)# network 10.10.7.1/32 area 2
9、配置RT1与FW2之间的OSPFv2协议和重发布路由
RT1(config)# router ospf 2
RT1(config-router)# router-id 10.10.4.4
RT1(config-router)# network 10.10.4.4 255.255.255.255 area 2
RT1(config-router)# network 10.10.255.25 255.255.255.255 area 2
RT1(config-router)# default-information originate always metric-type 1
FW2(config)# ip vrouter "trust-vr"
FW2(config-vrouter)# router ospf 2
FW2(config-router)# router-id 10.10.7.1
FW2(config-router)# network 10.10.255.45/32 area 2
FW2(config-router)# network 10.10.255.26/32 area 2
FW2(config-router)# network 10.10.7.1/32 area 2
RT1(config)# router ospf 1
RT1(config-router)# router-id 10.10.4.1
RT1(config-router)# network 10.10.4.1 255.255.255.255 area 0
RT1(config-router)# network 10.10.255.29 255.255.255.255 area 0
RT1(config-router)# network 10.10.255.21 255.255.255.255 area 0
RT1(config-router)# network 10.10.255.18 255.255.255.255 area 0
RT1(config-router)# redistribute ospf 2 route-map BSC
RT1(config-router)# redistribute connect route-map ZL
RT1(config)# route-map BSC 10 permit
RT1(config-route-map)# match ip address prefix-list BSC
RT1(config)# ip prefix-list BSC seq 5 permit 10.10.7.1/32
RT1(config)# ip prefix-list BSC seq 10 permit 10.10.3.2/32
RT1(config)# ip prefix-list BSC seq 15 permit 10.16.110.0/24
RT1(config)# route-map ZL 10 permit
RT1(config-route-map)# match ip address prefix-list ZL
RT1(config)# ip prefix-list ZL seq 5 permit 10.10.255.24/30
路由表对照:
SW1:
SW1(config)#sho ip route ospf
O*E2 0.0.0.0/0 [110/10] via 10.10.255.13, Vlan1021, 12:37:46 tag:0
O 10.10.2.1/32 [110/2] via 10.10.255.2, Vlan1026, 15:51:53 tag:0
O 10.10.3.1/32 [110/2] via 10.10.255.6, Vlan1022, 15:46:35 tag:0
O E2 10.10.3.2/32 [110/100] via 10.10.255.13, Vlan1021, 11:56:19 tag:0
[110/100] via 10.10.255.2, Vlan1026, 11:56:19 tag:0
O 10.10.4.1/32 [110/3] via 10.10.255.13, Vlan1021, 14:40:59 tag:0
[110/3] via 10.10.255.2, Vlan1026, 14:40:59 tag:0
O 10.10.5.1/32 [110/4] via 10.10.255.13, Vlan1021, 14:40:59 tag:0
[110/4] via 10.10.255.2, Vlan1026, 14:40:59 tag:0
O 10.10.6.1/32 [110/2] via 10.10.255.13, Vlan1021, 14:42:20 tag:0
O E2 10.10.7.1/32 [110/100] via 10.10.255.13, Vlan1021, 12:02:08 tag:0
[110/100] via 10.10.255.2, Vlan1026, 12:02:08 tag:0
O IA 10.10.8.1/32 [110/5] via 10.10.255.13, Vlan1021, 13:59:39 tag:0
[110/5] via 10.10.255.2, Vlan1026, 13:59:39 tag:0
O E2 10.10.8.3/32 [110/20] via 10.10.255.13, Vlan1021, 12:32:00 tag:0
[110/20] via 10.10.255.2, Vlan1026, 12:32:00 tag:0
O 10.10.21.0/24 [110/2] via 10.10.255.2, Vlan1026, 15:51:53 tag:0
O 10.10.31.0/24 [110/2] via 10.10.255.6, Vlan1022, 15:46:35 tag:0
O 10.10.255.8/30 [110/2] via 10.10.255.6, Vlan1022, 15:46:35 tag:0
[110/2] via 10.10.255.2, Vlan1026, 15:46:35 tag:0
O 10.10.255.16/30 [110/2] via 10.10.255.13, Vlan1021, 14:41:09 tag:0
O 10.10.255.20/30 [110/2] via 10.10.255.2, Vlan1026, 15:51:53 tag:0
O E2 10.10.255.24/30 [110/100] via 10.10.255.13, Vlan1021, 11:52:58 tag:0
[110/100] via 10.10.255.2, Vlan1026, 11:52:58 tag:0
O 10.10.255.28/30 [110/3] via 10.10.255.13, Vlan1021, 14:40:59 tag:0
[110/3] via 10.10.255.2, Vlan1026, 14:40:59 tag:0
O IA 10.10.255.40/30 [110/4] via 10.10.255.13, Vlan1021, 13:59:30 tag:0
[110/4] via 10.10.255.2, Vlan1026, 13:59:30 tag:0
O E2 10.16.110.0/24 [110/100] via 10.10.255.13, Vlan1021, 11:55:52 tag:0
[110/100] via 10.10.255.2, Vlan1026, 11:55:52 tag:0
O IA 10.17.110.0/24 [110/5] via 10.10.255.13, Vlan1021, 13:59:39 tag:0
[110/5] via 10.10.255.2, Vlan1026, 13:59:39 tag:0
O IA 10.17.120.0/24 [110/5] via 10.10.255.13, Vlan1021, 13:59:39 tag:0
[110/5] via 10.10.255.2, Vlan1026, 13:59:39 tag:0
Total routes are : 34 item(s)
SW2:
SW2(config)#sho ip rout ospf
O*E2 0.0.0.0/0 [110/10] via 10.10.255.1, Vlan1026, 12:38:26 tag:0
[110/10] via 10.10.255.21, Vlan1021, 12:38:26 tag:0
O 10.10.1.1/32 [110/2] via 10.10.255.1, Vlan1026, 15:52:34 tag:0
O 10.10.3.1/32 [110/2] via 10.10.255.10, Vlan1022, 15:47:42 tag:0
O E2 10.10.3.2/32 [110/100] via 10.10.255.21, Vlan1021, 11:57:00 tag:0
O 10.10.4.1/32 [110/2] via 10.10.255.21, Vlan1021, 15:18:41 tag:0
O 10.10.5.1/32 [110/3] via 10.10.255.21, Vlan1021, 15:03:50 tag:0
O 10.10.6.1/32 [110/3] via 10.10.255.1, Vlan1026, 14:41:39 tag:0
[110/3] via 10.10.255.21, Vlan1021, 14:41:39 tag:0
O E2 10.10.7.1/32 [110/100] via 10.10.255.21, Vlan1021, 12:02:49 tag:0
O IA 10.10.8.1/32 [110/4] via 10.10.255.21, Vlan1021, 14:00:19 tag:0
O E2 10.10.8.3/32 [110/20] via 10.10.255.21, Vlan1021, 12:32:40 tag:0
O 10.10.11.0/24 [110/2] via 10.10.255.1, Vlan1026, 15:52:34 tag:0
O 10.10.31.0/24 [110/2] via 10.10.255.10, Vlan1022, 15:47:42 tag:0
O 10.10.255.4/30 [110/2] via 10.10.255.1, Vlan1026, 15:47:42 tag:0
[110/2] via 10.10.255.10, Vlan1022, 15:47:42 tag:0
O 10.10.255.12/30 [110/2] via 10.10.255.1, Vlan1026, 15:52:34 tag:0
O 10.10.255.16/30 [110/2] via 10.10.255.21, Vlan1021, 15:18:41 tag:0
O E2 10.10.255.24/30 [110/100] via 10.10.255.21, Vlan1021, 11:53:38 tag:0
O 10.10.255.28/30 [110/2] via 10.10.255.21, Vlan1021, 15:08:47 tag:0
O IA 10.10.255.40/30 [110/3] via 10.10.255.21, Vlan1021, 14:00:11 tag:0
O E2 10.16.110.0/24 [110/100] via 10.10.255.21, Vlan1021, 11:56:32 tag:0
O IA 10.17.110.0/24 [110/4] via 10.10.255.21, Vlan1021, 14:00:19 tag:0
O IA 10.17.120.0/24 [110/4] via 10.10.255.21, Vlan1021, 14:00:19 tag:0
Total routes are : 24 item(s)
SW3:
SW3(config)#sho ip route ospf
O*E2 0.0.0.0/0 [110/10] via 10.10.255.5, Vlan1021, 12:38:54 tag:0
O 10.10.1.1/32 [110/2] via 10.10.255.5, Vlan1021, 15:47:43 tag:0
O 10.10.2.1/32 [110/2] via 10.10.255.9, Vlan1022, 15:48:13 tag:0
O E2 10.10.3.2/32 [110/100] via 10.10.255.9, Vlan1022, 11:57:27 tag:0
O 10.10.4.1/32 [110/3] via 10.10.255.9, Vlan1022, 15:19:09 tag:0
O 10.10.5.1/32 [110/4] via 10.10.255.9, Vlan1022, 15:04:17 tag:0
O 10.10.6.1/32 [110/3] via 10.10.255.5, Vlan1021, 14:43:28 tag:0
O E2 10.10.7.1/32 [110/100] via 10.10.255.9, Vlan1022, 12:03:16 tag:0
O IA 10.10.8.1/32 [110/5] via 10.10.255.9, Vlan1022, 14:00:47 tag:0
O E2 10.10.8.3/32 [110/20] via 10.10.255.9, Vlan1022, 12:33:08 tag:0
O 10.10.11.0/24 [110/2] via 10.10.255.5, Vlan1021, 15:47:43 tag:0
O 10.10.21.0/24 [110/2] via 10.10.255.9, Vlan1022, 15:48:13 tag:0
O 10.10.255.0/30 [110/2] via 10.10.255.5, Vlan1021, 15:47:43 tag:0
[110/2] via 10.10.255.9, Vlan1022, 15:47:43 tag:0
O 10.10.255.12/30 [110/2] via 10.10.255.5, Vlan1021, 15:47:43 tag:0
O 10.10.255.16/30 [110/3] via 10.10.255.5, Vlan1021, 14:42:17 tag:0
[110/3] via 10.10.255.9, Vlan1022, 14:42:17 tag:0
O 10.10.255.20/30 [110/2] via 10.10.255.9, Vlan1022, 15:48:13 tag:0
O E2 10.10.255.24/30 [110/100] via 10.10.255.9, Vlan1022, 11:54:06 tag:0
O 10.10.255.28/30 [110/3] via 10.10.255.9, Vlan1022, 15:09:14 tag:0
O IA 10.10.255.40/30 [110/4] via 10.10.255.9, Vlan1022, 14:00:39 tag:0
O E2 10.16.110.0/24 [110/100] via 10.10.255.9, Vlan1022, 11:57:00 tag:0
O IA 10.17.110.0/24 [110/5] via 10.10.255.9, Vlan1022, 14:00:47 tag:0
O IA 10.17.120.0/24 [110/5] via 10.10.255.9, Vlan1022, 14:00:47 tag:0
Total routes are : 24 item(s)
SW3(config)#sho ip route vrf Guangdong ospf
O*E1 0.0.0.0/0 [110/102] via 10.10.255.45, Vlan1015, 12:10:12 tag:0
O 10.10.4.4/32 [110/3] via 10.10.255.45, Vlan1015, 12:10:13 tag:0
O 10.10.7.1/32 [110/2] via 10.10.255.45, Vlan1015, 12:19:31 tag:0
O 10.10.255.24/30 [110/2] via 10.10.255.45, Vlan1015, 12:10:33 tag:0
Total routes are : 4 item(s)
RT1:
RT1_config#sho ip route ospf
VRF ID: 0
O E2 0.0.0.0/0 [150,10] via 10.10.255.17(on GigaEthernet0/2)
O 10.10.1.1/32 [110,3] via 10.10.255.17(on GigaEthernet0/2)
[110,3] via 10.10.255.22(on GigaEthernet0/1)
O 10.10.2.1/32 [110,2] via 10.10.255.22(on GigaEthernet0/1)
O 10.10.3.1/32 [110,3] via 10.10.255.22(on GigaEthernet0/1)
O 10.10.3.2/32 [110,3] via 10.10.255.26(on GigaEthernet0/3)
O 10.10.5.1/32 [110,2] via 10.10.255.30(on GigaEthernet0/0)
O 10.10.6.1/32 [110,2] via 10.10.255.17(on GigaEthernet0/2)
O 10.10.7.1/32 [110,2] via 10.10.255.26(on GigaEthernet0/3)
O IA 10.10.8.1/32 [110,3] via 10.10.255.30(on GigaEthernet0/0)
O E2 10.10.8.3/32 [150,20] via 10.10.255.30(on GigaEthernet0/0)
O 10.10.11.0/24 [110,3] via 10.10.255.17(on GigaEthernet0/2)
[110,3] via 10.10.255.22(on GigaEthernet0/1)
O 10.10.21.0/24 [110,2] via 10.10.255.22(on GigaEthernet0/1)
O 10.10.31.0/24 [110,3] via 10.10.255.22(on GigaEthernet0/1)
O 10.10.255.0/30 [110,2] via 10.10.255.22(on GigaEthernet0/1)
O 10.10.255.4/30 [110,3] via 10.10.255.17(on GigaEthernet0/2)
[110,3] via 10.10.255.22(on GigaEthernet0/1)
O 10.10.255.8/30 [110,2] via 10.10.255.22(on GigaEthernet0/1)
O 10.10.255.12/30 [110,2] via 10.10.255.17(on GigaEthernet0/2)
O IA 10.10.255.40/30 [110,2] via 10.10.255.30(on GigaEthernet0/0)
O 10.10.255.44/30 [110,2] via 10.10.255.26(on GigaEthernet0/3)
O 10.16.110.0/24 [110,3] via 10.10.255.26(on GigaEthernet0/3)
O 10.16.120.0/24 [110,3] via 10.10.255.26(on GigaEthernet0/3)
O IA 10.17.110.0/24 [110,3] via 10.10.255.30(on GigaEthernet0/0)
O IA 10.17.120.0/24 [110,3] via 10.10.255.30(on GigaEthernet0/0)
RT2:
RT2_config#sho ip route ospf
VRF ID: 0
O E2 0.0.0.0/0 [150,10] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.1.1/32 [110,4] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.2.1/32 [110,3] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.3.1/32 [110,4] via 10.10.255.29(on GigaEthernet0/0)
O E2 10.10.3.2/32 [150,100] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.4.1/32 [110,2] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.6.1/32 [110,3] via 10.10.255.29(on GigaEthernet0/0)
O E2 10.10.7.1/32 [150,100] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.8.1/32 [110,2] via 10.10.255.42(on GigaEthernet0/1)
O N2 10.10.8.3/32 [150,20] via 10.10.255.42(on GigaEthernet0/1)
O 10.10.11.0/24 [110,4] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.21.0/24 [110,3] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.31.0/24 [110,4] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.255.0/30 [110,3] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.255.4/30 [110,4] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.255.8/30 [110,3] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.255.12/30 [110,3] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.255.16/30 [110,2] via 10.10.255.29(on GigaEthernet0/0)
O 10.10.255.20/30 [110,2] via 10.10.255.29(on GigaEthernet0/0)
O E2 10.10.255.24/30 [150,100] via 10.10.255.29(on GigaEthernet0/0)
O E2 10.16.110.0/24 [150,100] via 10.10.255.29(on GigaEthernet0/0)
O 10.17.110.0/24 [110,2] via 10.10.255.42(on GigaEthernet0/1)
O 10.17.120.0/24 [110,2] via 10.10.255.42(on GigaEthernet0/1)
AC1:
AC1(config)#sho ip route os
O*IA 0.0.0.0/0 [110/101] via 10.10.255.41, Vlan1001, 14:02:54 tag:0
Total routes are : 1 item(s)
FW1:
FW1(config)# sho ip route ospf
Codes: K - kernel route, C - connected, S - static, Z - ISP, R - RIP, O - OSPF,
B - BGP, D - DHCP, P - PPPoE, W - wireless, H - HOST, G - SCVPN, V - VPN, M - IMPORT,
I - ISIS, Y - SYNC, L - llb outbound, > - selected first nexthop, * - FIB route, b - BFD enable
Routing Table for Virtual Router <trust-vr>
==============================================================================
O>* 10.10.1.1/32 [110/2/1] via 10.10.255.14, ethernet0/1, 14:46:08
O>* 10.10.2.1/32 [110/3/1] via 10.10.255.14, ethernet0/1, 14:44:57
* [110/3/1] via 10.10.255.18, ethernet0/2, 14:44:57
O>* 10.10.3.1/32 [110/3/1] via 10.10.255.14, ethernet0/1, 14:46:08
O>* 10.10.3.2/32 [110/100/1] via 10.10.255.18, ethernet0/2, 12:00:17
O>* 10.10.4.1/32 [110/2/1] via 10.10.255.18, ethernet0/2, 14:44:57
O>* 10.10.5.1/32 [110/3/1] via 10.10.255.18, ethernet0/2, 14:44:57
O>* 10.10.7.1/32 [110/100/1] via 10.10.255.18, ethernet0/2, 12:06:06
O>* 10.10.8.1/32 [110/4/1] via 10.10.255.18, ethernet0/2, 14:03:32
O>* 10.10.8.3/32 [110/20/1] via 10.10.255.18, ethernet0/2, 12:35:58
O>* 10.10.11.0/24 [110/2/1] via 10.10.255.14, ethernet0/1, 14:46:08
O>* 10.10.21.0/24 [110/3/1] via 10.10.255.14, ethernet0/1, 14:44:57
* [110/3/1] via 10.10.255.18, ethernet0/2, 14:44:57
O>* 10.10.31.0/24 [110/3/1] via 10.10.255.14, ethernet0/1, 14:46:08
O>* 10.10.255.0/30 [110/2/1] via 10.10.255.14, ethernet0/1, 14:46:08
O>* 10.10.255.4/30 [110/2/1] via 10.10.255.14, ethernet0/1, 14:46:08
O>* 10.10.255.8/30 [110/3/1] via 10.10.255.14, ethernet0/1, 14:44:57
* [110/3/1] via 10.10.255.18, ethernet0/2, 14:44:57
O>* 10.10.255.20/30 [110/2/1] via 10.10.255.18, ethernet0/2, 14:44:59
O>* 10.10.255.24/30 [110/100/1] via 10.10.255.18, ethernet0/2, 11:56:58
O>* 10.10.255.28/30 [110/2/1] via 10.10.255.18, ethernet0/2, 14:44:59
O>* 10.10.255.40/30 [110/3/1] via 10.10.255.18, ethernet0/2, 14:03:24
O>* 10.16.110.0/24 [110/100/1] via 10.10.255.18, ethernet0/2, 11:59:52
O>* 10.17.110.0/24 [110/4/1] via 10.10.255.18, ethernet0/2, 14:03:34
O>* 10.17.120.0/24 [110/4/1] via 10.10.255.18, ethernet0/2, 14:03:34
==============================================================================
Routing Table for Virtual Router <mgt-vr>
==============================================================================
==============================================================================
FW2:
FW2(config)# sho ip route os
<cr>
| Output modifiers
vrouter Virtual router
FW2(config)# sho ip route os
Codes: K - kernel route, C - connected, S - static, Z - ISP, R - RIP, O - OSPF,
B - BGP, D - DHCP, P - PPPoE, W - wireless, H - HOST, G - SCVPN, V - VPN, M - IMPORT,
I - ISIS, Y - SYNC, L - llb outbound, > - selected first nexthop, * - FIB route, b - BFD enable
Routing Table for Virtual Router <trust-vr>
==============================================================================
O>* 0.0.0.0/0 [110/101/1] via 10.10.255.25, ethernet0/2, 12:12:31
O>* 10.10.3.2/32 [110/2/1] via 10.10.255.46, ethernet0/1, 12:23:29
O>* 10.10.4.4/32 [110/2/1] via 10.10.255.25, ethernet0/2, 12:12:32
O>* 10.16.110.0/24 [110/2/1] via 10.10.255.46, ethernet0/1, 12:23:29
O>* 10.16.120.0/24 [110/2/1] via 10.10.255.46, ethernet0/1, 12:23:29
==============================================================================
Routing Table for Virtual Router <mgt-vr>
==============================================================================
==============================================================================
OSPFv3
(1) SW1、SW2、SW3、RT1、RT2、FW1 之间 OSPFv3 ,进程 1,区域 0,分别发布 loopback1 地址路由和产品路由,FW1 通告 type2 默认路由。
SW1配置:
SW1(config)# router ipv6 ospf 1
SW1(config-router)# router-id 10.10.1.1
SW1(config-router)# interface Loopback1
SW1(config-if)# ipv6 router ospf 1 area 0 tag 1
SW1(config-router)# interface Vlan10
SW1(config-if)# ipv6 router ospf 1 area 0 tag 1
SW1(config-router)# interface Vlan1021
SW1(config-if)# ipv6 router ospf 1 area 0 tag 1
SW1(config-router)# interface Vlan1022
SW1(config-if)# ipv6 router ospf 1 area 0 tag 1
SW1(config-router)# interface Vlan1026
SW1(config-if)# ipv6 router ospf 1 area 0 tag 1
配置SW2:
SW2(config)# router ipv6 ospf 1
SW2(config-router)# router-id 10.10.2.1
SW2(config-router)# interface Loopback1
SW2(config-if)# ipv6 router ospf 1 area 0 tag 1
SW2(config-router)# interface Vlan10
SW2(config-if)# ipv6 router ospf 1 area 0 tag 1
SW2(config-router)# interface Vlan1021
SW2(config-if)# ipv6 router ospf 1 area 0 tag 1
SW2(config-router)# interface Vlan1022
SW2(config-if)# ipv6 router ospf 1 area 0 tag 1
SW2(config-router)# interface Vlan1026
SW2(config-if)# ipv6 router ospf 1 area 0 tag 1
配置SW3:
SW3(config)# router ipv6 ospf 1
SW3(config-router)# router-id 10.10.3.1
SW3(config-router)# interface Loopback1
SW3(config-if)# ipv6 router ospf 1 area 0 tag 1
SW3(config-router)# interface Vlan10
SW3(config-if)# ipv6 router ospf 1 area 0 tag 1
SW3(config-router)# interface Vlan1021
SW3(config-if)# ipv6 router ospf 1 area 0 tag 1
SW3(config-router)# interface Vlan1022
SW3(config-if)# ipv6 router ospf 1 area 0 tag 1
配置RT1:
RT1(config)# router ospfv3 1
RT1(config-router)# router-id 10.10.4.1
RT1(config-router)# interface Loopback1
RT1(config-if)# ipv6 enable
RT1(config-if)# ipv6 ospf 1 area 0
RT1(config-router)# interface GigaEthernet0/0
RT1(config-if)# ipv6 enable
RT1(config-if)# ipv6 ospf 1 area 0
RT1(config-router)# interface GigaEthernet0/1
RT1(config-if)# ipv6 enable
RT1(config-if)# ipv6 ospf 1 area 0
RT1(config-router)# interface GigaEthernet0/2
RT1(config-if)# ipv6 ospf 1 area 0
配置RT2:
RT2(config)# router ospfv3 1
RT2(config-router)# router-id 10.10.5.1
RT2(config-router)# interface Loopback1
RT2(config-if)# ipv6 enable
RT2(config-if)# ipv6 ospf 1 area 0
RT2(config-router)# interface GigaEthernet0/0
RT2(config-if)# ipv6 enable
RT2(config-if)# ipv6 ospf 1 area 0
配置FW1:
FW1(config)# ipv6 route ::/0 "ethernet0/3" FE80::203:FFF:FEE0:F9B8
FW1(config)# ipv6 router ospf 1
FW1(config-router)# router-id 10.10.6.1
FW1(config-router)# default-information originate
FW1(config-router)# exit
FW1(config)# interface loopback1
FW1(config-if)# ipv6 enable
FW1(config-if)# ipv6 ospf 1 area 0
FW1(config)# interface ethernet0/1
FW1(config-if)# ipv6 enable
FW1(config-if)# ipv6 ospf 1 area 0
FW1(config)# interface ethernet0/2
FW1(config-if)# ipv6 enable
FW1(config-if)# ipv6 ospf 1 area 0
配置RT2与AC1之间的OSPFv3:
RT2(config)# router ospfv3 1
RT2(config-router)# router-id 10.10.5.1
RT2(config-router)# area 1 stub no-summary
RT2(config-router)# interface GigaEthernet0/1
RT2(config-if)# ipv6 enable
RT2(config-if)# ipv6 ospf 1 area 1
AC1(config)# router ipv6 ospf 1
AC1(config-router)# router-id 10.10.8.1
AC1(config-router)# area 1 stub no-summary
AC1(config-router)# interface Loopback1
AC1(config-if)# ipv6 router ospf area 1 tag 1
AC1(config-router)# interface Vlan110
AC1(config-if)# ipv6 router ospf area 1 tag 1
AC1(config-router)# interface Vlan120
AC1(config-if)# ipv6 router ospf area 1 tag 1
AC1(config-router)# interface Vlan1001
AC1(config-if)# ipv6 router ospf area 1 tag 1
配置SW3和FW2的IPv6路由:
SW3(config)# ipv6 route vrf Guangdong ::/0 fe80::203:fff:fea6:8341 Vlan1015
FW2(config)# ip vrouter "trust-vr"
FW2(config-vrouter)# ipv6 route 2001:10:10:3::1/128 "ethernet0/1" FE80::203:FFF:FEE0:F9B8
FW2(config-vrouter)# ipv6 route 2001:10:16:110::/64 "ethernet0/1" FE80::203:FFF:FEE0:F9B8
FW2(config-vrouter)# ipv6 route 2001:10:16:120::/64 "ethernet0/1" FE80::203:FFF:FEE0:F9B8
FW2(config-vrouter)# ipv6 router ospf 2
FW2(config-router)# router-id 10.10.7.1
FW2(config-router)# redistribute static
配置RT1与FW2之间的OSPFv3:
RT1(config)# router ospfv3 2
RT1(config-router)# router-id 10.10.4.4
RT1(config-router)# default-information originate always metric-type 1
RT1(config-router)# interface Loopback4
RT1(config-if)# ipv6 enable
RT1(config-if)# ipv6 ospf 2 area 2
FW2(config)# interface loopback1
FW2(config-if)# ipv6 enable
FW2(config-if)# ipv6 ospf 2 area 2
FW2(config)# interface ethernet0/1
FW2(config-if)# ipv6 enable
FW2(config-if)# ipv6 ospf 2 area 2
FW2(config-if)# exit
FW2(config)# interface ethernet0/2
FW2(config-if)# ipv6 enable
FW2(config-if)# ipv6 ospf 2 area 2
FW2(config-if)# exit
RT1(config)# router ospfv3 1
RT1(config-router)# router-id 10.10.4.1
RT1(config-router)# redistribute ospf 2 route-map BSCV6
RT1(config)# route-map BSCV6 10 permit
RT1(config-route-map)# match ipv6 address prefix-list BSCV6
RT1(config)# ipv6 prefix-list BSCV6 seq 5 permit 2001:10:10:3::2/128
RT1(config)# ipv6 prefix-list BSCV6 seq 10 permit 2001:10:16:110::/64
修改ospf cost为100:
FW1(config)# interface ethernet0/2
FW1(config-if)# ip ospf cost 100
FW1(config-if)# ipv6 ospf cost 100
RT1(config)# interface GigaEthernet0/2
RT1(config-if)# ip ospf cost 100
RT1(config-if)# ipv6 ospf cost 100
验证部分:
SW1:
SW1(config)#sho ipv route nsm ospf
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - IS-IS, B - BGP
Timers: Uptime
O ::/0 [110/21] via fe80::203:fff:fea6:72c1, Vlan1021, 12:00:39 tag:0
O 2001:10:10:2::1/128 [110/1] via fe80::203:fff:fee0:f9b5, Vlan1026, 12:24:12 tag:0
O 2001:10:10:3::1/128 [110/1] via fe80::203:fff:fee0:f9b8, Vlan1022, 12:16:43 tag:0
O 2001:10:10:3::2/128 [110/150] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:20 tag:0
O 2001:10:10:4::1/128 [110/2] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:21 tag:0
O 2001:10:10:5::1/128 [110/3] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:21 tag:0
O 2001:10:10:6::1/128 [110/2] via fe80::203:fff:fea6:72c1, Vlan1021, 12:05:24 tag:0
O 2001:10:10:8::1/128 [110/4] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:21 tag:0
O 2001:10:10:21::/64 [110/2] via fe80::203:fff:fee0:f9b5, Vlan1026, 12:24:12 tag:0
O 2001:10:10:31::/64 [110/2] via fe80::203:fff:fee0:f9b8, Vlan1022, 12:16:43 tag:0
O 2001:10:16:110::/64 [110/150] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:20 tag:0
O 2001:10:17:110::/64 [110/5] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:21 tag:0
O 2001:10:17:120::/64 [110/5] via fe80::203:fff:fee0:f9b5, Vlan1026, 11:30:21 tag:0
Sw2:
SW2(config)#sho ipv route nsm ospf
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - IS-IS, B - BGP
Timers: Uptime
O ::/0 [110/22] via fe80::203:fff:fee0:f9b2, Vlan1026, 11:31:37 tag:0
O 2001:10:10:1::1/128 [110/1] via fe80::203:fff:fee0:f9b2, Vlan1026, 12:24:52 tag:0
O 2001:10:10:3::1/128 [110/1] via fe80::203:fff:fee0:f9b8, Vlan1022, 12:17:33 tag:0
O 2001:10:10:3::2/128 [110/150] via fe80::203:fff:fedc:c392, Vlan1021, 11:36:13 tag:0
O 2001:10:10:4::1/128 [110/1] via fe80::203:fff:fedc:c392, Vlan1021, 12:14:02 tag:0
O 2001:10:10:5::1/128 [110/2] via fe80::203:fff:fedc:c392, Vlan1021, 12:11:48 tag:0
O 2001:10:10:6::1/128 [110/3] via fe80::203:fff:fee0:f9b2, Vlan1026, 11:31:38 tag:0
O 2001:10:10:8::1/128 [110/3] via fe80::203:fff:fedc:c392, Vlan1021, 11:59:02 tag:0
O 2001:10:10:11::/64 [110/2] via fe80::203:fff:fee0:f9b2, Vlan1026, 12:24:52 tag:0
O 2001:10:10:31::/64 [110/2] via fe80::203:fff:fee0:f9b8, Vlan1022, 12:17:33 tag:0
O 2001:10:16:110::/64 [110/150] via fe80::203:fff:fedc:c392, Vlan1021, 11:36:13 tag:0
O 2001:10:17:110::/64 [110/4] via fe80::203:fff:fedc:c392, Vlan1021, 11:59:02 tag:0
O 2001:10:17:120::/64 [110/4] via fe80::203:fff:fedc:c392, Vlan1021, 11:59:02 tag:0
SW3:
SW3#sho ipv route nsm ospf
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - IS-IS, B - BGP
Timers: Uptime
O ::/0 [110/22] via fe80::203:fff:fee0:f9b2, Vlan1021, 12:01:49 tag:0
O 2001:10:10:1::1/128 [110/1] via fe80::203:fff:fee0:f9b2, Vlan1021, 12:17:56 tag:0
O 2001:10:10:2::1/128 [110/1] via fe80::203:fff:fee0:f9b5, Vlan1022, 12:17:56 tag:0
O 2001:10:10:3::2/128 [110/150] via fe80::203:fff:fee0:f9b5, Vlan1022, 11:36:44 tag:0
O 2001:10:10:4::1/128 [110/2] via fe80::203:fff:fee0:f9b5, Vlan1022, 12:14:33 tag:0
O 2001:10:10:5::1/128 [110/3] via fe80::203:fff:fee0:f9b5, Vlan1022, 12:12:19 tag:0
O 2001:10:10:6::1/128 [110/3] via fe80::203:fff:fee0:f9b2, Vlan1021, 12:06:35 tag:0
O 2001:10:10:8::1/128 [110/4] via fe80::203:fff:fee0:f9b5, Vlan1022, 11:59:33 tag:0
O 2001:10:10:11::/64 [110/2] via fe80::203:fff:fee0:f9b2, Vlan1021, 12:17:56 tag:0
O 2001:10:10:21::/64 [110/2] via fe80::203:fff:fee0:f9b5, Vlan1022, 12:17:56 tag:0
O 2001:10:16:110::/64 [110/150] via fe80::203:fff:fee0:f9b5, Vlan1022, 11:36:44 tag:0
O 2001:10:17:110::/64 [110/5] via fe80::203:fff:fee0:f9b5, Vlan1022, 11:59:33 tag:0
O 2001:10:17:120::/64 [110/5] via fe80::203:fff:fee0:f9b5, Vlan1022, 11:59:33 tag:0
RT1:
RT1_config#sho ipv route ospf
OE1 ::/0[1]
[110,23] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
O 2001:10:10:1::1/128[1]
[110,2] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
O 2001:10:10:2::1/128[1]
[110,1] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
O 2001:10:10:3::1/128[1]
[110,2] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
OE2 2001:10:10:3::2/128[1]
[110,20] via fe80::203:fff:fea6:8342(on GigaEthernet0/3)
O 2001:10:10:5::1/128[1]
[110,1] via fe80::203:fff:fedc:c389(on GigaEthernet0/0)
O 2001:10:10:6::1/128[1]
[110,4] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
O 2001:10:10:7::1/128[1]
[110,2] via fe80::203:fff:fea6:8342(on GigaEthernet0/3)
OIA 2001:10:10:8::1/128[1]
[110,2] via fe80::203:fff:fedc:c389(on GigaEthernet0/0)
O 2001:10:10:11::/64[1]
[110,3] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
O 2001:10:10:21::/64[1]
[110,2] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
O 2001:10:10:31::/64[1]
[110,3] via fe80::203:fff:fee0:f9b5(on GigaEthernet0/1)
OE2 2001:10:16:110::/64[1]
[110,20] via fe80::203:fff:fea6:8342(on GigaEthernet0/3)
OE2 2001:10:16:120::/64[1]
[110,20] via fe80::203:fff:fea6:8342(on GigaEthernet0/3)
OIA 2001:10:17:110::/64[1]
[110,3] via fe80::203:fff:fedc:c389(on GigaEthernet0/0)
OIA 2001:10:17:120::/64[1]
[110,3] via fe80::203:fff:fedc:c389(on GigaEthernet0/0)
RT2:
RT2_config#sho ipv route ospf
OE1 ::/0[1]
[110,24] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O 2001:10:10:1::1/128[1]
[110,3] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O 2001:10:10:2::1/128[1]
[110,2] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O 2001:10:10:3::1/128[1]
[110,3] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
OE2 2001:10:10:3::2/128[1]
[110,150] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O 2001:10:10:4::1/128[1]
[110,1] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O 2001:10:10:6::1/128[1]
[110,5] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O 2001:10:10:8::1/128[1]
[110,1] via fe80::203:fff:fed4:28b2(on GigaEthernet0/1)
O 2001:10:10:11::/64[1]
[110,4] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O 2001:10:10:21::/64[1]
[110,3] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O 2001:10:10:31::/64[1]
[110,4] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
OE2 2001:10:16:110::/64[1]
[110,150] via fe80::203:fff:fedc:c391(on GigaEthernet0/0)
O 2001:10:17:110::/64[1]
[110,2] via fe80::203:fff:fed4:28b2(on GigaEthernet0/1)
O 2001:10:17:120::/64[1]
[110,2] via fe80::203:fff:fed4:28b2(on GigaEthernet0/1)
AC1:
AC1(config)#sho ipv route nsm ospf
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - IS-IS, B - BGP
Timers: Uptime
O ::/0 [110/2] via fe80::203:fff:fedc:c38a, Vlan1001, 12:01:37 tag:0
FW1:
FW1(config)# sho ipv route ospf ?
<cr>
| Output modifiers
vrouter Virtual router
FW1(config)# sho ipv route ospf
Codes: K - kernel route, C - connected, S - static, R - RIPng, O - OSPFv3,
B - BGP, I - ISIS, A - AUTOCONF, H - HOST, > - selected route,
* - FIB route,
Routing Table for Virtual Router <trust-vr>
==============================================================================
O> 2001:10:10:1::1/128
* via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/1/1]
O> 2001:10:10:2::1/128
* via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/2/1]
O> 2001:10:10:3::1/128
* via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/2/1]
O> 2001:10:10:3::2/128
* via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/150/1]
O> 2001:10:10:4::1/128
* via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/3/1]
O> 2001:10:10:5::1/128
* via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/4/1]
O> 2001:10:10:8::1/128
* via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/5/1]
O> 2001:10:10:11::/64
* via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/2/1]
O> 2001:10:10:21::/64
* via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/3/1]
O> 2001:10:10:31::/64
* via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/3/1]
O> 2001:10:16:110::/64
* via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/150/1]
O> 2001:10:17:110::/64
* via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/6/1]
O> 2001:10:17:120::/64
* via FE80::203:FFF:FEE0:F9B2, ethernet0/1 [110/6/1]
==============================================================================
Routing Table for Virtual Router <mgt-vr>
==============================================================================
==============================================================================
FW2:
FW2(config)# sho ipv route ospf
Codes: K - kernel route, C - connected, S - static, R - RIPng, O - OSPFv3,
B - BGP, I - ISIS, A - AUTOCONF, H - HOST, > - selected route,
* - FIB route,
Routing Table for Virtual Router <trust-vr>
==============================================================================
O> ::/0
* via FE80::203:FFF:FEDC:C394, ethernet0/2 [110/151/1]
O> 2001:10:10:4::4/128
* via FE80::203:FFF:FEDC:C394, ethernet0/2 [110/1/1]
==============================================================================
Routing Table for Virtual Router <mgt-vr>
==============================================================================
==============================================================================
6、RIP
RT1串行链路、RT2串行链路、FW1、AC1之间分别运行RIP和RIPng协议, FW1、RT1、RT2的RIP和RIPng发布loopback2地址路由,AC1 RIP发布loopback2 地址路由,AC1 RIPng采用route-map匹配prefix-list重发布loopback2地址路由。
IPV4:
FW1:
FW1> enable
FW1# configure terminal
FW1(config)# router rip
FW1(config-router)# network 10.10.6.2/32
FW1(config-router)# network 10.10.255.16/30
RT1:
RT1> enable
RT1# configure terminal
RT1(config)# router rip 1
RT1(config-router)# version 2
RT1(config-router)# no auto-summary
RT1(config-router)# interface Loopback2
RT1(config-if)# ip rip 1 enable
RT1(config-if)# interface Serial1/0
RT1(config-if)# ip rip 1 enable
RT1(config-if)# interface Serial1/1
RT1(config-if)# ip rip 1 enable
RT1(config-if)# interface GigaEthernet0/2
RT1(config-if)# ip rip 1 enable
RT2:
RT2> enable
RT2# configure terminal
RT2(config)# router rip 1
RT2(config-router)# version 2
RT2(config-router)# no auto-summary
RT2(config-router)# interface Loopback2
RT2(config-if)# ip rip 1 enable
RT2(config-if)# interface Serial1/0
RT2(config-if)# ip rip 1 enable
RT2(config-if)# interface Serial1/1
RT2(config-if)# ip rip 1 enable
RT2(config-if)# interface GigaEthernet0/1
RT2(config-if)# ip rip 1 enable
AC1:
AC1> enable
AC1# configure terminal
AC1(config)# router rip
AC1(config-router)# network Loopback2
AC1(config-router)# network Vlan1001
RT1:
配置 RT1 路由策略:
RT1> enable
RT1# configure terminal
RT1(config)# router rip 1
RT1(config-router)# version 2
RT1(config-router)# no auto-summary
RT1(config-router)# offset Serial1/1 in AclRIP 3
RT1(config-router)# offset Serial1/1 out AclRIP 3
RT1(config-router)# ip access-list standard AclRIP
RT1(config-access-list)# permit any sequence 10
双向认证
RT1的S1/0与RT2的S1/1之间采用chap双向认证,用户名为对端设备名称,密码为Pass-1234。
RT1:
aaa authentication ppp default local
!
username RT2 password 0 Pass-1234
!
interface Serial1/0
ppp authentication chap
ppp chap hostname RT1
ppp chap password 0 Pass-1234
RT2:
aaa authentication ppp default local
!
username RT1 password 0 Pass-1234
!
interface Serial1/1
ppp authentication chap
ppp chap hostname RT2
ppp chap password 0 Pass-1234
验证:
FW1(config)# sho ip route rip
Codes: K - kernel route, C - connected, S - static, Z - ISP, R - RIP, O - OSPF,
B - BGP, D - DHCP, P - PPPoE, W - wireless, H - HOST, G - SCVPN, V - VPN, M - IMPORT,
I - ISIS, Y - SYNC, L - llb outbound, > - selected first nexthop, * - FIB route, b - BFD enable
Routing Table for Virtual Router <trust-vr>
==============================================================================
R>* 10.10.4.2/32 [120/2/1] via 10.10.255.18, ethernet0/2, 09:01:13
R>* 10.10.5.2/32 [120/3/1] via 10.10.255.18, ethernet0/2, 07:44:32
R>* 10.10.8.2/32 [120/4/1] via 10.10.255.18, ethernet0/2, 07:44:32
R>* 10.10.255.32/30 [120/2/1] via 10.10.255.18, ethernet0/2, 07:44:43
R>* 10.10.255.36/30 [120/2/1] via 10.10.255.18, ethernet0/2, 07:44:43
R 10.10.255.40/30 [120/3/1] via 10.10.255.18, ethernet0/2, 07:44:32
==============================================================================
Routing Table for Virtual Router <mgt-vr>
==============================================================================
==============================================================================
RT1_config#sho ip route rip
VRF ID: 0
R 10.10.5.2/32 [120,1] via 10.10.255.34(on Serial1/0)
R 10.10.6.2/32 [120,1] via 10.10.255.17(on GigaEthernet0/2)
R 10.10.8.2/32 [120,2] via 10.10.255.34(on Serial1/0)
RT2_config#sho ip route rip
VRF ID: 0
R 10.10.4.2/32 [120,1] via 10.10.255.33(on Serial1/1)
R 10.10.6.2/32 [120,2] via 10.10.255.33(on Serial1/1)
R 10.10.8.2/32 [120,1] via 10.10.255.42(on GigaEthernet0/1)
AC1(config)#sho ip route rip
R 10.10.4.2/32 [120/3] via 10.10.255.41, Vlan1001, 00:00:25 tag:1
R 10.10.5.2/32 [120/2] via 10.10.255.41, Vlan1001, 00:00:25 tag:1
R 10.10.6.2/32 [120/4] via 10.10.255.41, Vlan1001, 07:47:32 tag:0
R 10.10.255.16/30 [120/3] via 10.10.255.41, Vlan1001, 00:00:25 tag:1
R 10.10.255.32/30 [120/2] via 10.10.255.41, Vlan1001, 00:00:25 tag:1
R 10.10.255.36/30 [120/2] via 10.10.255.41, Vlan1001, 00:00:25 tag:1
Total routes are : 6 item(s)