China Skills: 2022 National Competition Configuration

This article is original; please credit the source when reposting.

To stress it once more: all my articles and configurations are for reference and study only; because of device software versions, chance factors and the like, they will not necessarily be 100% correct.

The corresponding exam questions, standard answer sheet and so on can be downloaded from the Resources section of my home page; here only the topology diagram is shown.

1. RSTP loop prevention (the access-layer devices referred to are AC1/2 and S1/2/3/4; none of them may be omitted, otherwise a loop will form)

S1

spanning-tree mode rstp
spanning-tree priority 4096
spanning-tree

S2

spanning-tree mode rstp
spanning-tree priority 32768
spanning-tree

AC1/AC2/S3/S4

spanning-tree mode rstp
spanning-tree
exit

2. Loop detection:

Enable loop-protection optimisation on the LAN access devices to guard against the various loop scenarios between different devices, between different ports of one device, and under a single port of one device; when a loop is detected the action is Shutdown-Port;

interface range GigabitEthernet 0/1-22
switchport protected  //enable port protection: even within the same VLAN, ports are isolated from each other

3. VRRP

The Beijing headquarters enables VRRP for gateway redundancy, with S1 as the master at priority 255 and S2 as the backup at priority 100;

S1

int vlan10
vrrp 10 ip 172.16.1.1
int vlan20
vrrp 20 ip 172.16.1.254
int vlan100
vrrp 100 ip 172.16.100.254
exit

S2

int vlan10
vrrp 10 ip 172.16.1.1
int vlan20
vrrp 20 ip 172.16.1.254
int vlan100
vrrp 100 ip 172.16.100.254
exit

Why is no priority configured? If the virtual IP is identical to the interface's own IP (the IP address owner), the priority is automatically 255; otherwise the default is 100.

4. Link aggregation

The two interconnecting links between S1 and S2 (Gi0/7, Gi0/8) are bundled with Layer-2 link aggregation, using LACP dynamic aggregation mode;

S1/S2

int range g0/7-8
port-group 1 mode active
exit
int agg1
switchport mode trunk
switchport trunk allowed vlan only 10,20,100
exit

5. DHCP

R1

service dhcp
ip dhcp pool pool_vlan10
option 138 ip 172.16.100.1 172.16.100.2
network 172.16.1.0 255.255.255.128
default-router 172.16.1.1
ip dhcp pool pool_vlan20
network 172.16.1.128 255.255.255.128
default-router 172.16.1.254
exit

R2

service dhcp
ip dhcp pool pool_vlan10
option 138 ip 172.16.100.1 172.16.100.2
network 172.16.2.0 255.255.255.128
default-router 172.16.2.1
ip dhcp pool pool_vlan20
network 172.16.2.128 255.255.255.128
default-router 172.16.2.254
exit

R3

service dhcp
ip dhcp pool pool_vlan10
option 138 ip 172.16.100.1 172.16.100.2
network 172.16.3.0 255.255.255.128
default-router 172.16.3.1
ip dhcp pool pool_vlan20
network 172.16.3.128 255.255.255.128
default-router 172.16.3.254
exit

S1/S2

service dhcp
ip helper-address 10.10.10.10   //DHCP relay command: the server address requests are relayed to

AC1/AC2

ip route 0.0.0.0 0.0.0.0 172.16.100.254

No route to the relay address is added here for now, because when OSPF is configured later the relay address will be advertised into the process.

6. DHCP security mechanisms

Enable DHCP security mechanisms in the headquarters LAN, filtering on hardware IP/MAC entries to protect the gateway and end hosts in a dynamic environment;

Enable DHCP security mechanisms in the branch LANs to prevent users from setting their own IP addresses in a dynamic environment;

S3/S4

ip dhcp snooping
ip dhcp snooping check-giaddr
interface range GigabitEthernet 0/1-20
switchport protected  //port protection
ip verify source port-security     //check the source IP address and MAC address against the snooping binding
arp-check         //ARP check
interface range gigabitEthernet 0/23-24
ip dhcp snooping trust     //set the uplink toward the DHCP server as a trusted port; ports are untrusted by default

R2/R3

ip dhcp snooping
ip dhcp snooping check-giaddr
interface GigabitEthernet 1/1
ip dhcp snooping trust
ip verify source port-security
exit

7. OSPF and carrier maintenance

Enable OSPF on the China Unicom carrier backbone devices S5/S6/S7, process 10, area 0;

The carrier maintains only the broadband-service and leased-line service segments and does not forward customer private segments; (only the device interconnect segments and the broadband-service segments are advertised)

S5

router ospf 10
router-id  10.10.10.5
yes     //confirm the router-id change prompt
redistribute connected metric-type 1 subnets
network 56.1.1.1 0.0.0.3 area 0
int te0/27
ip ospf network point-to-point
exit

Because this is the carrier, it would normally not form neighbours with the private networks, so it is enough to advertise routes only on the carrier-facing interfaces and redistribute connected routes into the OSPF process.

S6

router ospf 10
router-id 10.10.10.6
yes
redistribute connected metric-type 1 subnets   
network 56.1.1.2 0.0.0.3 area 0
network 67.1.1.2 0.0.0.3 area 0
int range te0/27-28
ip ospf network point-to-point 
exit

S7

router ospf 10
router-id 10.10.10.7
yes
redistribute connected metric-type 1 subnets
network 67.1.1.1 0.0.0.3 area 0
int te0/28
ip ospf network point-to-point 
exit

Point-to-multipoint GRE tunnel

Enable point-to-multipoint GRE tunnels on headquarters R1 and branches R2/R3, with tunnel address range 10.5.1.0/24; adjust the OSPF network type on Tunnel 0 so that routes are exchanged between branches while the next hop is optimised automatically; enable IPsec VPN to encrypt the GRE tunnel traffic, protecting business data between headquarters and branches and between branches; to avoid the device performance cost of packet fragmentation, adjust the IPsec encapsulation mode to reduce packet length;

R1/R2/R3

crypto isakmp policy 1
encryption 3des
authentication pre-share
hash md5
group 2
crypto isakmp key 7 ruijie address 0.0.0.0 0.0.0.0   //wildcard peer address: the same pre-shared key is used with every tunnel peer
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode transport   //transport mode adds no extra outer IP header, keeping the packet shorter than tunnel mode
exit
crypto ipsec profile wenjian
set transform-set myset

R1

ip route 0.0.0.0 0.0.0.0 17.1.1.1
interface Tunnel 0
ip address 10.5.1.1 255.255.255.0
tunnel mode gre multipoint    //mGRE: one tunnel interface serves all spokes
tunnel source GigabitEthernet 0/2
tunnel protection ipsec profile wenjian   //GRE over IPsec
ip nhrp network-id 100
ip nhrp map multicast dynamic   //hub learns spoke NBMA addresses dynamically, so OSPF hellos reach every registered spoke
ip ospf network broadcast   //hub becomes DR; spokes use priority 0

R2

ip route 0.0.0.0 0.0.0.0 25.1.1.1
int tunnel 0
ip address 10.5.1.2 255.255.255.0
tunnel mode gre multipoint
tunnel source GigabitEthernet 0/2
tunnel protection ipsec profile wenjian
ip nhrp shortcut   //allows spoke-to-spoke traffic to bypass the hub once NHRP resolves the next hop
ip nhrp network-id 100
ip nhrp nhs 10.5.1.1   //R1 is the next-hop server
ip nhrp map 10.5.1.1 17.1.1.2   //static mapping of the hub's tunnel IP to its public address
ip nhrp map multicast 17.1.1.2
ip ospf network broadcast
ip ospf priority 0   //spoke never becomes DR/BDR

R3

ip route 0.0.0.0 0.0.0.0 37.1.1.1
interface Tunnel 0
ip address 10.5.1.3 255.255.255.0
tunnel mode gre multipoint   
tunnel source GigabitEthernet 0/2     
tunnel protection ipsec profile wenjian  
ip nhrp shortcut
ip nhrp network-id 100
ip nhrp nhs 10.5.1.1  
ip nhrp map 10.5.1.1 17.1.1.2    
ip nhrp map multicast 17.1.1.2    
ip ospf network broadcast
ip ospf priority 0

Routing policy

Where the routing-policy deployment filters unnecessary routes, the policy name is defined as filter;

The policy is done up front here because, once OSPF neighbours are established over GRE over IPsec and connected routes are redistributed, the directly connected segment toward the carrier would be redistributed too; that causes the neighbour relationship to flap, and the remote neighbour would not have this device's routes.

R1

ip access-list standard 10
permit 17.1.1.0 0.0.0.3
exit
route-map filter deny 10
match ip address 10
route-map filter permit 20
exit
router ospf 11
redistribute connected route-map filter metric-type 1 subnets 

R2

ip access-list standard 10
permit 25.1.1.0 0.0.0.3
exit
route-map filter deny 10
match ip address 10
route-map filter permit 20
exit
router ospf 12
redistribute connected route-map filter metric-type 1 subnets 

R3

ip access-list standard 10
permit 37.1.1.0 0.0.0.3   //not present in the original; inferred from R3's carrier-facing segment (default route toward 37.1.1.1)
exit
route-map filter deny 10
match ip address 10
route-map filter permit 20
exit
router ospf 13
redistribute connected route-map filter metric-type 1 subnets
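As an added illustration (not the author's configuration), this Python model replays the route-map filter above against R1's connected networks and shows why the carrier segment must be kept out of the redistribution: the connected-network list and the tunnel peers' outer addresses are assumptions drawn from the page's addressing.

```python
import ipaddress

# Constructed model of R1's directly connected networks (an assumption drawn from the
# page's addressing: carrier link, links to S1/S2, the mGRE tunnel, the loopback).
R1_CONNECTED = ["17.1.1.0/30", "10.3.1.0/30", "10.4.1.0/30", "10.5.1.0/24", "10.10.10.10/32"]
# Outer (NBMA) addresses of the tunnel peers, taken from the nhrp map and default routes.
TUNNEL_ENDPOINTS = ["17.1.1.2", "25.1.1.2", "37.1.1.2"]
# ip access-list standard 10 / permit 17.1.1.0 0.0.0.3  (as on the page)
ACL_10 = [("permit", "17.1.1.0", "0.0.0.3")]
# route-map filter deny 10 match ip address 10 ; route-map filter permit 20
ROUTE_MAP_FILTER = [("deny", ACL_10), ("permit", None)]


def wildcard_match(addr: str, acl_addr: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, acl_addr, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, prefix: str) -> bool:
    """Standard ACL tested top-down against the route's network address; implicit deny."""
    net = ipaddress.IPv4Network(prefix)
    for action, acl_addr, wildcard in acl:
        if wildcard_match(str(net.network_address), acl_addr, wildcard):
            return action == "permit"
    return False


def route_map_permits(route_map, prefix: str) -> bool:
    """Sequences tested in order; no match clause means 'match all'; unmatched = denied."""
    for action, acl in route_map:
        if acl is None or acl_permits(acl, prefix):
            return action == "permit"
    return False


def redistribute_connected(connected, route_map=None):
    """Prefixes that 'redistribute connected [route-map ...]' would inject into OSPF."""
    return [p for p in connected if route_map is None or route_map_permits(route_map, p)]


def endpoint_leaks(redistributed, endpoints):
    """Redistributed prefixes that contain a tunnel peer's outer address. A neighbour that
    learns such a prefix over the tunnel may route the tunnel's own packets into the
    tunnel (recursive routing), which is the neighbour flapping the page describes."""
    return [p for p in redistributed
            if any(ipaddress.IPv4Address(e) in ipaddress.IPv4Network(p) for e in endpoints)]
```

Without the route-map, `endpoint_leaks` flags 17.1.1.0/30; with `ROUTE_MAP_FILTER` applied the list is empty.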

R1

router ospf 11
router-id 10.10.10.10
yes
network 10.3.1.1 0.0.0.0 area 0
network 10.4.1.1 0.0.0.0 area 0
network 10.5.1.1 0.0.0.0 area 0
network 10.10.10.10 0.0.0.0 area 0
exit
int range g0/0-1
ip ospf network point-to-point
exit

R2

router ospf 12
router-id 10.10.10.20
yes
network 10.5.1.2 0.0.0.0 area 0
network 10.10.10.20 0.0.0.0 area 0
summary-address 172.16.2.0 255.255.255.0    //summarise VLAN10 and VLAN20
exit

R3

router ospf 13
router-id 10.10.10.30
yes
network 10.5.1.3 0.0.0.0 area 0
network 10.10.10.30 0.0.0.0 area 0
summary-address 172.16.3.0 255.255.255.0

S1

int range gigabitEthernet 0/5-6
ip ospf network point-to-point
router ospf 11
redistribute connected metric-type 1 subnets
network 10.1.1.2 0.0.0.0 area 0
network 10.3.1.2 0.0.0.0 area 0
network 172.16.100.254 0.0.0.0 area 0
exit
int vlan 100
ip ospf network point-to-point
int range g0/5-6
ip ospf network point-to-point
exit

S2

int range gigabitEthernet 0/5-6
ip ospf network point-to-point
router ospf 11
redistribute connected metric-type 1 subnets
network 10.2.1.2 0.0.0.0 area 0
network 10.4.1.2 0.0.0.0 area 0
network 172.16.100.253 0.0.0.0 area 0
exit
int range g0/5-6
ip ospf network point-to-point
exit

EG1

ip route 20.10.10.5 255.255.255.255 10.1.1.2
ip route 20.10.10.6 255.255.255.255 10.1.1.2
router ospf 11
redistribute connected metric-type 1 subnets
redistribute static metric-type 1 subnets
network 10.1.1.1 0.0.0.0 area 0
exit
int g0/1
ip ospf network point-to-point
exit

EG2

ip route 20.10.10.0 255.255.255.0 10.2.1.2
router ospf 11
redistribute connected metric-type 1 subnets
redistribute static metric-type 1 subnets
network 10.2.1.1 0.0.0.0 area 0
int g0/1
ip ospf network point-to-point
exit

Running OSPF inside the tunnel

Run OSPF inside the GRE tunnels so that the headquarters and branch LANs, and the branch LANs with one another, are interconnected. In the headquarters, enable OSPF on the S1/S2/EG1/EG2/R1 LAN, process 11, area 0;

Enabling OSPF within the LANs

Guangzhou branch R2 LAN: enable OSPF, process 12, area 0; Shanghai branch R3 LAN: enable OSPF, process 13, area 0;

Route redistribution

The China Unicom carrier, the headquarters and each branch redistribute routes as OSPF LSA5 OE1 (type-5 external, metric-type 1), and each summarises and advertises class-C routes per business segment (covering VLAN10, VLAN20, the broadband-service segment and the leased-line segment);

R1

router ospf 11
router-id 10.10.10.10
yes
network 10.3.1.1 0.0.0.0 area 0
network 10.4.1.1 0.0.0.0 area 0
network 10.5.1.1 0.0.0.0 area 0
redistribute connected route-map filter metric-type 1 subnets
exit
int range g0/0-1
ip ospf network point-to-point
exit

R2

router ospf 12
router-id 10.10.10.20
yes
network 10.5.1.2 0.0.0.0 area 0
redistribute connected route-map filter metric-type 1 subnets
summary-address 172.16.2.0 255.255.255.0    //summarise VLAN10 and VLAN20
exit

R3

router ospf 13
router-id 10.10.10.30
yes
network 10.5.1.3 0.0.0.0 area 0
redistribute connected route-map filter metric-type 1 subnets
summary-address 172.16.3.0 255.255.255.0
exit

S1

int range gigabitEthernet 0/5-6
ip ospf network point-to-point
router ospf 11
redistribute connected metric-type 1 subnets
network 10.1.1.2 0.0.0.0 area 0
network 10.3.1.2 0.0.0.0 area 0
network 172.16.100.254 0.0.0.0 area 0
exit
int vlan 100
ip ospf network point-to-point
int range g0/5-6
ip ospf network point-to-point
exit

S2

int range gigabitEthernet 0/5-6
ip ospf network point-to-point
router ospf 11
redistribute connected metric-type 1 subnets
network 10.2.1.2 0.0.0.0 area 0
network 10.4.1.2 0.0.0.0 area 0
network 172.16.100.253 0.0.0.0 area 0
exit
int range g0/5-6
ip ospf network point-to-point
exit

EG1

ip route 20.10.10.5 255.255.255.255 10.1.1.2
ip route 20.10.10.6 255.255.255.255 10.1.1.2
router ospf 11
redistribute connected metric-type 1 subnets
redistribute static metric-type 1 subnets
default-information originate metric-type 1
network 10.1.1.1 0.0.0.0 area 0
exit
int g0/1
ip ospf network point-to-point
exit

EG2

ip route 20.10.10.0 255.255.255.0 10.2.1.2
router ospf 11
redistribute connected metric-type 1 subnets
redistribute static metric-type 1 subnets
default-information originate metric-type 1
network 10.2.1.1 0.0.0.0 area 0
int g0/1
ip ospf network point-to-point
exit

Service path requirements under network faults: if EG1 fails, headquarters Internet traffic switches to S1-S2-EG2-S6-S5; if the S1/R1 link fails, headquarters-to-branch traffic switches to S1-S2-R1-(R2/R3).

S2

router ospf 11
summary-address 172.16.1.0 255.255.255.0

EG1

ip route 20.10.10.5 255.255.255.255 15.1.1.1
ip route 20.10.10.6 255.255.255.255 15.1.1.1
router ospf 11
redistribute static metric-type 1 subnets

EG2

ip route 20.10.10.0 255.255.255.0 26.1.1.1
router ospf 11
redistribute static metric-type 1 subnets

IPv6 network construction

IPv6 requirements: headquarters and each branch establish an IPv6 point-to-multipoint tunnel through Tunnel 1 to interconnect the VLAN20 IPv6 segments of headquarters and branches; the VLAN20 IPv6 addresses of headquarters and branches are to be planned and computed by the candidate. Static routing runs inside the tunnel; OSPFv3 is enabled between S1/S2/R1 in the Beijing headquarters LAN; the headquarters VLAN20 segment is imported as an O route, and by adjusting the cost (5 or 10) S1 is made the primary forwarder for IPv6 terminal traffic; redistributed routes use OE1; VLAN20 terminals at headquarters and branches obtain the IPv6 prefix from the gateway through stateless address autoconfiguration.

S1

ipv6 unicast-routing
interface VLAN 20
ipv6 enable
ipv6 address 2002:1101:102::254/64
vrrp 20 ipv6 FE80::
vrrp 20 ipv6 2002:1101:102::254
no ipv6 nd suppress-ra
vrrp ipv6 20 accept_mode
ipv6 ospf 11 area 0
ipv6 router ospf 11

S2

ipv6 unicast-routing
interface VLAN 20
ipv6 enable
ipv6 address 2002:1101:102::253/64
vrrp 20 ipv6 FE80::
vrrp 20 ipv6 2002:1101:102::254
no ipv6 nd suppress-ra
vrrp ipv6 20 accept_mode
ipv6 ospf 11 area 0
ipv6 router ospf 11

R1

interface GigabitEthernet 0/1
ipv6 enable
ipv6 ospf cost 10
ipv6 ospf 11 area 0
interface Tunnel 1
ipv6 enable
tunnel mode ipv6ip 6to4
tunnel source GigabitEthernet 0/2
ipv6 route 2002:1901:102::/64 Tunnel 1
ipv6 route 2002:2501:102::/64 Tunnel 1
ipv6 router ospf 11
redistribute static metric-type 1

R2

ipv6 unicast-routing
interface VLAN 20
ipv6 enable
ipv6 address 2002:1901:102::254/64
no ipv6 nd suppress-ra
interface Tunnel 1
ipv6 enable
tunnel mode ipv6ip 6to4
tunnel source GigabitEthernet 0/2
ipv6 route 2002:1101:102::/64 Tunnel 1
ipv6 route 2002:2501:102::/64 Tunnel 1

R3

ipv6 unicast-routing
interface VLAN 20
ipv6 enable
ipv6 address 2002:2501:102::254/64
no ipv6 nd suppress-ra
interface Tunnel 1
ipv6 enable
tunnel mode ipv6ip 6to4
tunnel source GigabitEthernet 0/2
ipv6 route 2002:1101:102::/64 Tunnel 1
ipv6 route 2002:1901:102::/64 Tunnel 1
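The `tunnel mode ipv6ip 6to4` configuration above has no tunnel destination: a 6to4 router derives the IPv4 destination from the 2002::/16 prefix itself (2002:WWXX:YYZZ::/48 embeds the IPv4 address WW.XX.YY.ZZ), so the VLAN20 IPv6 plan must agree with each Tunnel 1 source. As an added check (not the author's code), this Python snippet derives the 6to4 prefixes and validates the page's addressing; the Tunnel 1 source addresses are assumptions, R1's 17.1.1.2 taken from the NHRP map and R2/R3's inferred from their default-route next hops.

```python
import ipaddress

# Constructed from the page's addressing. The Tunnel 1 source (GigabitEthernet 0/2)
# IPv4 addresses are assumptions: R1's 17.1.1.2 comes from the NHRP map, R2/R3's
# are inferred from their default-route next hops 25.1.1.1 and 37.1.1.1.
ROUTERS = {
    "R1": ("17.1.1.2", "2002:1101:102::/64"),
    "R2": ("25.1.1.2", "2002:1901:102::/64"),
    "R3": ("37.1.1.2", "2002:2501:102::/64"),
}


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48 (RFC 3056): the 32-bit IPv4 address follows the 2002::/16 prefix."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(prefix: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 tunnel destination a 6to4 router derives from a 2002::/16 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if not net.subnet_of(ipaddress.IPv6Network("2002::/16")):
        raise ValueError(f"{prefix} is not a 6to4 prefix")
    return ipaddress.IPv4Address((int(net.network_address) >> 80) & 0xFFFFFFFF)


def check_plan(routers=ROUTERS) -> dict:
    """True when a router's VLAN20 /64 lies inside the /48 its own tunnel source implies;
    otherwise 6to4 would encapsulate traffic for that site toward some other IPv4 host."""
    return {name: ipaddress.IPv6Network(v6).subnet_of(sixto4_prefix(v4))
            for name, (v4, v6) in routers.items()}


def static_routes(router: str, routers=ROUTERS) -> list:
    """The 'ipv6 route ... Tunnel 1' lines a router needs for the other sites' VLAN20 segments."""
    return [f"ipv6 route {v6} Tunnel 1"
            for name, (_, v6) in routers.items() if name != router]


def tunnel_destinations(router: str, routers=ROUTERS) -> dict:
    """Where Tunnel 1 will actually send packets for each remote VLAN20 prefix."""
    return {v6: str(embedded_ipv4(v6))
            for name, (_, v6) in routers.items() if name != router}
```

Because a 6to4 tunnel has no fixed peer, it will decapsulate traffic from any IPv4 source; the consistency check above only confirms the plan, it does not replace filtering on the tunnel source interface.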

Reposted from blog.csdn.net/m0_74367891/article/details/134743387