Huawei 1+X (Advanced) Lab 1


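Huawei 1+X "Network System Construction and Operation & Maintenance (Advanced)" Certification Lab (1)

Topology diagram

VLAN information table:

| Agg1 | Link type | VLAN parameters | Agg2 | Link type | VLAN parameters |
| --- | --- | --- | --- | --- | --- |
| GE0/0/1 | Trunk | Allow pass: 30 | GE0/0/2 | Trunk | Allow pass: 1 to 4094 |
| GE0/0/2 | Trunk | Allow pass: 1 to 4094 | GE0/0/3 | Trunk | Allow pass: 1 to 4094 |
| Eth-Trunk 1 | Trunk | Allow pass: 1 to 4094 | Eth-Trunk 1 | Trunk | Allow pass: 1 to 4094 |
| GE0/0/3 | Trunk | Allow pass: 1 to 4094 | GE0/0/4 | Access | VLAN 106 |
| GE0/0/4 | Access | VLAN 105 | N/A | N/A | N/A |

| Acc1 | Link type | VLAN parameters | Acc2 | Link type | VLAN parameters |
| --- | --- | --- | --- | --- | --- |
| GE0/0/2 | Trunk | Allow pass: 10, 20 | GE0/0/1 | Access | VLAN 10 |
| GE0/0/3 | Trunk | Allow pass: 10, 20 | GE0/0/2 | Trunk | Allow pass: 1 to 4094 |
| GE0/0/4 | Access | PVID: 30, Allow pass: 1, 30, 40 | GE0/0/3 | Trunk | Allow pass: 1 to 4094 |

| Agg3 | Link type | VLAN parameters | Acc3 | Link type | VLAN parameters |
| --- | --- | --- | --- | --- | --- |
| GE0/0/1 | Access | VLAN 108 | GE0/0/1 | Access | VLAN 50 |
| GE0/0/2 | Trunk | Allow pass: 1 to 4094 | GE0/0/2 | Trunk | Allow pass: 1 to 4094 |

| DC1 | Link type | VLAN parameters | AC1 | Link type | VLAN parameters |
| --- | --- | --- | --- | --- | --- |
| GE0/0/2 | Access | VLAN 201 | GE0/0/1 | Trunk | Allow pass: 30 |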

IP address table:

| Internet | IP address | SR1 | IP address | AC1 | IP address |
| --- | --- | --- | --- | --- | --- |
| GE0/0/2 | 14.1.1.1/30 | GE0/0/0 | 210.28.1.1/27 | VLAN-IF30 | 192.168.30.1/24 |
| Loopback0 | 14.4.4.4/32 | GE0/0/1 | 223.2.1.1/26 | N/A | N/A |
| N/A | N/A | GE0/0/2 | 14.1.1.2/30 | N/A | N/A |

| Core1 | IP address | Core2 | IP address | Agg1 | IP address |
| --- | --- | --- | --- | --- | --- |
| GE0/0/0 | 210.28.1.2/27 | GE0/0/0 | 223.2.1.2/26 | VLAN-IF10 | 192.168.10.1/24 |
| GE0/0/1 | 10.1.79.9/24 | GE0/0/1 | 10.1.56.6/24 | VLAN-IF40 | 192.168.40.254/24 |
| GE0/0/2 | 10.1.89.9/24 | GE0/0/2 | 10.1.201.6/24 | VLAN-IF105 | 10.1.79.7/24 |
| GE2/0/0 | 10.3.69.9/24 | GE2/0/0 | 10.3.69.6/24 | Loopback0 | 10.1.7.7/32 |
| GE2/0/2 | 10.2.69.9/24 | GE2/0/2 | 10.2.69.6/24 | N/A | N/A |
| Loopback0 | 10.1.9.9/32 | Loopback0 | 10.1.128.6/32 | N/A | N/A |

| Agg2 | IP address | N/A | N/A | Agg3 | IP address |
| --- | --- | --- | --- | --- | --- |
| VLAN-IF10 | 192.168.10.2/24 | N/A | N/A | VLAN-IF50 | 192.168.50.254/24 |
| VLAN-IF106 | 10.1.89.8/24 | N/A | N/A | VLAN-IF108 | 10.1.56.5/24 |
| Loopback0 | 10.1.8.8/32 | N/A | N/A | Loopback0 | 10.1.128.5/32 |

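Link aggregation configuration:

Configure link aggregation between Agg1 and Agg2. Implement Layer 2 link aggregation in LACP mode; the member interfaces are GE0/0/5 and GE0/0/6, and the link aggregation interface ID is 0.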

Agg1:
interface Eth-Trunk 0
mode lacp-static 
trunkport GigabitEthernet 0/0/5 to 0/0/6
Agg2:
interface Eth-Trunk 0
mode lacp-static 
trunkport GigabitEthernet 0/0/5 to 0/0/6

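VLAN & Trunk configuration:

Following the VLAN table, configure the Eth-Trunk and the links that interconnect the switches as Trunk links, and add the hosts to their corresponding VLANs.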

Acc1:
vlan batch 10 30 40

interface GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 1 to 4094

interface GigabitEthernet 0/0/3
port link-type trunk
port trunk allow-pass vlan 1 to 4094

interface GigabitEthernet 0/0/4
port link-type trunk
port trunk pvid vlan 30
port trunk allow-pass vlan 1 30 40
Acc2:
vlan batch 10 30 40

interface GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 1 to 4094

interface GigabitEthernet 0/0/3
port link-type trunk
port trunk allow-pass vlan 1 to 4094
Agg1:
vlan batch 10 30 40 105

interface Eth-Trunk 0
port link-type trunk 
port trunk allow-pass vlan 1 to 4094

interface GigabitEthernet 0/0/1
port link-type trunk 
port trunk allow-pass vlan 30 40

interface GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 1 to 4094

interface GigabitEthernet 0/0/3
port link-type trunk
port trunk allow-pass vlan 1 to 4094

interface GigabitEthernet 0/0/4
port link-type access
port default vlan 105
Agg2:
vlan batch 10 30 40 106

interface Eth-Trunk 0
port link-type trunk 
port trunk allow-pass vlan 1 to 4094

interface GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 1 to 4094

interface GigabitEthernet 0/0/3
port link-type trunk
port trunk allow-pass vlan 1 to 4094

interface GigabitEthernet 0/0/4
port link-type access
port default vlan 106
Agg3:
vlan batch 50 108

interface GigabitEthernet 0/0/1
port link-type access
port default vlan 108

interface GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 1 to 4094
ACC3:
vlan 50

interface GigabitEthernet 0/0/1
port link-type access
port default vlan 50

interface GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 1 to 4094
DC1:
vlan 201

interface GigabitEthernet 0/0/2
port link-type access 
port default vlan 201
AC1:
vlan batch 30 40

interface GigabitEthernet 0/0/1
port link-type trunk 
port trunk allow-pass vlan 30 40
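
Most trunks above allow VLANs 1 to 4094 while each switch creates only a few VLANs, so any VLAN created later is carried on those trunks automatically. As an added example (not part of the original post), this Python audit lists, per trunk port, the allowed VLANs that do not exist on the switch; the function names are hypothetical and the sample input is the Acc1 block from this page.

```python
def expand(tokens):
    """Expand a VRP VLAN list such as ['1', 'to', '4094'] or ['1', '30', '40']."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def audit_trunks(config):
    """Return {trunk port: allowed VLANs that are not created on the switch}."""
    defined, allowed, port = {1}, {}, None   # VLAN 1 exists by default
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["vlan", "batch"]:
            defined |= expand(words[2:])
        elif words[:1] == ["interface"]:
            port = " ".join(words[1:])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            allowed.setdefault(port, set()).update(expand(words[4:]))
    # Compare only after the whole config is read, so statement order does not matter.
    return {p: v - defined for p, v in allowed.items() if v - defined}

# Sample input: the Acc1 block from this page.
ACC1 = """
vlan batch 10 30 40
interface GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 1 to 4094
interface GigabitEthernet 0/0/3
port link-type trunk
port trunk allow-pass vlan 1 to 4094
interface GigabitEthernet 0/0/4
port link-type trunk
port trunk pvid vlan 30
port trunk allow-pass vlan 1 30 40
"""

if __name__ == "__main__":
    for port, extra in audit_trunks(ACC1).items():
        print(f"{port}: {len(extra)} allowed VLANs are not created on this switch")
```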

IP address configuration:

Core1:
interface GigabitEthernet 0/0/0
ip address 210.28.1.2 27

interface GigabitEthernet 0/0/1
ip address 10.1.79.9 24

interface GigabitEthernet 0/0/2
ip address 10.1.89.9 24

interface GigabitEthernet 2/0/0
ip address 10.3.69.9 24

interface GigabitEthernet 2/0/2
ip address 10.2.69.9 24

interface LoopBack 0
ip address 10.1.9.9 32
Core2:
interface GigabitEthernet 0/0/0
ip address 223.2.1.2 26

interface GigabitEthernet 0/0/1
ip address 10.1.56.6 24

interface GigabitEthernet 0/0/2
ip address 10.1.201.6 24

interface GigabitEthernet 2/0/0
ip address 10.3.69.6 24

interface GigabitEthernet 2/0/2
ip address 10.2.69.6 24

interface LoopBack 0
ip address 10.1.128.6 32
Agg1:
interface Vlanif 10
ip address 192.168.10.1 24

interface Vlanif 30
ip address 192.168.30.254 24

interface Vlanif 40
ip address 192.168.40.254 24

interface Vlanif 105
ip address 10.1.79.7 24

interface LoopBack 0
ip address 10.1.7.7 32
Agg2:
interface Vlanif 10
ip address 192.168.10.2 24

interface Vlanif 106
ip address 10.1.89.8 24

interface LoopBack 0
ip address 10.1.8.8 32
Agg3:
interface LoopBack 0
ip address 10.1.128.5 32

interface Vlanif 50
ip address 192.168.50.254 24

interface Vlanif 108
ip address 10.1.56.5 24
AC1:
interface Vlanif 30
ip address 192.168.30.1 24
DC1:
interface vlanif 201
ip address 10.1.201.9 24

interface loopback 0
ip address 8.8.8.8 32
SR1:
interface GigabitEthernet 0/0/0
ip address 210.28.1.1 27

interface GigabitEthernet 0/0/1
ip address 223.2.1.1 26

interface GigabitEthernet 0/0/2
ip address 14.1.1.2 30
Internet:
interface GigabitEthernet 0/0/2
ip address 14.1.1.1 30

interface LoopBack 0
ip address 14.4.4.4 32

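MSTP configuration:

To prevent loops among Acc1, Acc2, Agg1 and Agg2, use MSTP, which the devices support by default.

1. Agg1 is the root bridge of instance 0; Agg2 is the backup root bridge of instance 0.

2. Make the roles explicit by configuring bridge priority values: root bridge (bridge priority 0) and backup root bridge (bridge priority 4096).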

Acc1:
stp mode mstp
Acc2:
stp mode mstp 
Agg1:
stp mode mstp 
stp region-configuration 
active region-configuration 
stp instance 0 priority 0
Agg2:
stp mode mstp 
stp region-configuration 
active region-configuration 
stp instance 0 priority 4096

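VRRP configuration:

Agg1 and Agg2 serve as the gateways for graduate teaching. To ensure the reliability and continuity of the service segment, configure VRRP on Agg1 and Agg2 to provide gateway backup.

1. VLAN 10 uses VRRP backup group 1; the virtual IP address of VRRP backup group 1 is 192.168.10.254.

2. In VRRP backup group 1, Agg1 is the master gateway (priority 200) and Agg2 is the backup gateway (default priority).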

Agg1:

interface Vlanif 10
vrrp vrid 1 virtual-ip 192.168.10.254
vrrp vrid 1 priority 200

Agg2:

interface Vlanif 10
vrrp vrid 1 virtual-ip 192.168.10.254

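DHCP configuration:

In large networks, DHCP is generally used to assign IP addresses to terminals.

1. PC2 obtains its IP address through DHCP. Agg3 acts as the DHCP server for VLAN 50 and uses the interface address pool of VLAN-IF 50.

Agg3:
Method 1:
dhcp enable
ip pool VLAN50
gateway-list 192.168.50.254
network 192.168.50.0 mask 255.255.255.0

interface vlanif 50
dhcp select global
Method 2:
# DHCP must be enabled globally before dhcp select interface is accepted
dhcp enable
interface vlanif 50
dhcp select interface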

WLAN configuration:

Use the Fit AP + AC networking mode to provide WLAN access for STA1. Build the network with the following parameters.

DHCP server: AC1 acts as the DHCP server for the AP and uses the interface address pool of VLAN-IF 30. Agg1 acts as the DHCP server for STA1 and uses the interface address pool of VLAN-IF 40.

AC source interface address: 192.168.30.254/24 (VLAN-IF 30)

SSID profile: SSID-profile Name NJUPT, ssid: NJUPT

Security profile: Security Name: NJUPT, authentication mode: wpa-wpa2-psk, encryption: aes, password: huawei@123

VAP profile: VAP-profile Name NJUPT, Service-VLAN VLAN 40, bound to: ssid-profile NJUPT, security-profile NJUPT

AP group: AP-Group Name g1, WLAN-id 1, references VAP-profile Name NJUPT, applied to radio 0 and radio 1

AP onboarding: authentication mode: MAC authentication, ap-Name AP1, AP-Group g1

STA1 onboarding: select SSID: NJUPT, enter password: huawei@123

AC1:
# DHCP must be enabled globally before dhcp select interface is accepted
dhcp enable
interface Vlanif 30
dhcp select interface
quit
capwap source interface vlanif 30

wlan
ap-group name g1
quit
ap auth-mode mac-auth
ap-id 0 ap-mac 00e0-fc14-4510
ap-name AP1
ap-group g1
quit
security-profile name NJUPT
security wpa-wpa2 psk pass-phrase huawei@123 aes
quit
ssid-profile name NJUPT
ssid NJUPT
quit
vap-profile name NJUPT
forward-mode direct-forward
service-vlan vlan-id 40
security-profile NJUPT
ssid-profile NJUPT
quit
ap-group name g1
vap-profile NJUPT wlan 1 radio 0
vap-profile NJUPT wlan 1 radio 1
Agg1:
dhcp enable
interface Vlanif 40
dhcp select interface

OSPF configuration:

Configure OSPF on Core1, Agg1 and Agg2 with process ID 1 and area ID 0.

Configure OSPF on Core2 and Agg3 with process ID 1 and area ID 1.

DC1 and Core2 run OSPF between them; the interconnect segment is 10.1.201.0/24. The OSPF process ID is 1 and the area ID is 1.

When advertising in OSPF, advertise the directly connected segments that contain hosts as whole segments, and advertise interconnect segments precisely.

Core1:
ospf 1 router-id 10.1.9.9
area 0.0.0.0
network 10.1.79.9 0.0.0.0
network 10.1.89.9 0.0.0.0
network 10.1.9.9 0.0.0.0
Agg1:
ospf 1 router-id 10.1.7.7
area 0.0.0.0
network 10.1.7.7 0.0.0.0
network 10.1.79.7 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.40.0 0.0.0.255
Agg2:
ospf 1 router-id 10.1.8.8
area 0.0.0.0
network 10.1.8.8 0.0.0.0
network 192.168.10.0 0.0.0.255
network 10.1.89.8 0.0.0.0
Core2:
# Core2, Agg3 and DC1 belong to area 1, as required above
ospf 1 router-id 10.1.128.6
area 0.0.0.1
network 10.1.56.6 0.0.0.0
network 10.1.128.6 0.0.0.0
network 10.1.201.6 0.0.0.0
Agg3:
ospf 1 router-id 10.1.128.5
area 0.0.0.1
network 10.1.128.5 0.0.0.0
network 10.1.56.5 0.0.0.0
network 192.168.50.0 0.0.0.255
DC1:
ospf 1 router-id 10.1.201.7
area 0.0.0.1
# must equal the Vlanif 201 address configured in the IP address section (10.1.201.9)
network 10.1.201.9 0.0.0.0

WAN connection configuration:

Two WAN links are leased, one from each of two carriers: dark fiber from carrier ISP1 (named WAN1) and a WDM circuit from carrier ISP2 (named WAN2; in the lab, switches simulate the WDM devices T1 and T2).

Configure OSPF between Core1 and Core2 with process ID 1 and area ID 1.

Core1 and Core2 establish an OSPF neighbor relationship with process ID 1 and area ID 1.

Traffic between them prefers WAN2: the OSPF link cost of WAN1 is 3 and the OSPF link cost of WAN2 is 1.

Core1:
# process 1 and area 1, as required above
ospf 1 router-id 10.1.9.9
area 0.0.0.1
network 10.3.69.9 0.0.0.0
network 10.2.69.9 0.0.0.0
interface GigabitEthernet 2/0/0
ospf cost 3

interface GigabitEthernet 2/0/2
ospf cost 1
Core2:
ospf 1 router-id 10.1.128.6
area 0.0.0.1
network 10.3.69.6 0.0.0.0
network 10.2.69.6 0.0.0.0
interface GigabitEthernet 2/0/0
ospf cost 3

interface GigabitEthernet 2/0/2
ospf cost 1
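
Exact advertisement, as used in the OSPF blocks above, only enables OSPF on an interface when the `network` statement matches an address that is really configured on the device. As an added example (not part of the original post), this Python check applies VRP wildcard-mask matching to flag statements that match no interface; the sample config is constructed, modelled on DC1, and the function names are hypothetical.

```python
import ipaddress
import re

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a VRP wildcard mask (1 bits = don't care)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse(config):
    """Return ({interface: address}, [(base, wildcard)]) from VRP-style text.

    Assumes the text holds only interface and OSPF stanzas (no BGP or DHCP
    'network' lines, which use a different syntax).
    """
    addrs, networks, iface = {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (.+)", line, re.I):
            iface = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+", line):
            addrs[iface] = m.group(1)
        elif m := re.match(r"network (\S+) (\S+)", line):
            networks.append((m.group(1), m.group(2)))
    return addrs, networks

def unmatched_networks(config):
    """OSPF network statements that enable OSPF on no interface."""
    addrs, networks = parse(config)
    return [(base, wc) for base, wc in networks
            if not any(wildcard_match(ip, base, wc) for ip in addrs.values())]

# Constructed sample: the first network statement deliberately matches nothing.
SAMPLE = """
interface Vlanif 201
 ip address 10.1.201.9 24
interface LoopBack 0
 ip address 8.8.8.8 32
ospf 1 router-id 10.1.201.7
 area 0.0.0.1
  network 10.1.201.7 0.0.0.0
  network 10.1.201.0 0.0.0.255
"""

if __name__ == "__main__":
    for base, wc in unmatched_networks(SAMPLE):
        print(f"network {base} {wc} matches no interface address")
```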

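OSPF and BFD association:

After the fiber between T1 and T2 is cut, Core1 and Core2 need 40 s (the OSPF dead interval) to detect the fault.

To shorten the detection time for a fault on this fiber section, configure OSPF-BFD association on Core1 and Core2, with both the BFD minimum transmit interval and the minimum receive interval set to 30 ms. After the fiber between T1 and T2 is cut, Core1 and Core2 then need only 90 ms (30 ms × the detect multiplier of 3) to detect the fault.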

Core1:
bfd

interface GigabitEthernet 2/0/2
ospf bfd enable 
ospf bfd min-rx-interval 30 min-tx-interval 30 detect-multiplier 3
Core2:
bfd

interface GigabitEthernet 2/0/2
ospf bfd enable 
ospf bfd min-rx-interval 30 min-tx-interval 30 detect-multiplier 3

Internet:

BGP:

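Route learning between organizations must use EBGP. The Internet router and the education network's SR1 router interconnect through EBGP.

Internet and SR1 establish an EBGP neighbor relationship over their interconnect interfaces.

Internet is in AS 24429 and advertises the service address 14.4.4.4/32 into BGP with the network command.

SR1 is in AS 4538 and advertises the directly connected segments 210.28.1.0/27 and 223.2.1.0/26 into BGP with the network command.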

SR1:
bgp 4538
router-id 14.1.1.2
peer 14.1.1.1 as-number 24429
ipv4-family unicast
peer 14.1.1.1 enable
network 210.28.1.0 255.255.255.224 
network 223.2.1.0 255.255.255.192 
Internet:
bgp 24429
router-id 14.1.1.1
peer 14.1.1.2 as-number 4538
ipv4-family unicast
peer 14.1.1.2 enable
network 14.4.4.4 255.255.255.255 

Static routes:

1. Core1 reaches the Internet through a static default route with next hop 210.28.1.1.

2. Core2 reaches the Internet through a static default route with next hop 223.2.1.1.

Core1:
ip route-static 0.0.0.0 0.0.0.0 210.28.1.1
Core2:
ip route-static 0.0.0.0 0.0.0.0 223.2.1.1

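Route import:

1. On Core1, import the static default route into OSPF.

2. On Core2, import the static default route into OSPF.

Core1:
# OSPF process 1, the process required throughout this lab
ospf 1 router-id 10.1.9.9
default-route-advertise
Core2:
ospf 1 router-id 10.1.128.6
default-route-advertise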

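NAT configuration:

1. On GE0/0/0 of Core1, use NAPT to translate private addresses in 192.168.0.0/16 to the public addresses 210.28.1.3 to 210.28.1.30.

2. On GE0/0/0 of Core2, use NAPT to translate private addresses in 192.168.0.0/16 to the public addresses 223.2.1.3 to 223.2.1.30.

Both ACLs above are basic ACLs numbered 2000; rule numbering starts at 5 with the default step. The NAT address-group number is 1.

Core1:
nat address-group 1 210.28.1.3 210.28.1.30
acl 2000
# a basic ACL rule matches on the source address, so the source keyword is required
rule 5 permit source 192.168.0.0 0.0.255.255
interface GigabitEthernet 0/0/0
nat outbound 2000 address-group 1
Core2:
nat address-group 1 223.2.1.3 223.2.1.30
acl 2000
rule 5 permit source 192.168.0.0 0.0.255.255
interface GigabitEthernet 0/0/0
nat outbound 2000 address-group 1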

Author: Naraku
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Naraku when reposting!