Technologies and protocols covered by the lab:
MPLS LDP, BGP VPN, routing protocols (OSPF, IS-IS, BGP), DHCP, link aggregation, BFD, IP multicast, WLAN (AC in bypass mode), firewall, VLAN assignment, IP addressing plan, STP, VRRP
Lab topology:
Lab requirements:
A company headquarters has three departments, A, B and C, planned as shown in the diagram:
1. Deploy a spanning tree protocol to prevent loops. Department A is a key department: hosts inside its VLAN 10 must not communicate with each other and must not access the Internet.
2. Deploy a high-privilege wireless network at headquarters (direct forwarding mode) that can reach both the Internet and the company branch.
3. Deploy MSTP + VRRP for gateway redundancy: wired traffic of departments A, B and C goes through SW1 by default and wireless traffic through SW2, giving load sharing and full use of both devices; LSW1 is the primary device.
4. Link VRRP with BFD to monitor the active and standby links.
5. IP addresses of all departments are assigned by a DHCP server.
6. Deploy link aggregation on the aggregation devices for link redundancy.
7. IGP: OSPF at headquarters, IS-IS at the branch.
8. Deploy MPLS VPN so that the hosts of the three headquarters departments can communicate with the branch.
9. Normal Internet access through NAT.
10. At the branch, use VLAN aggregation so that VLANs 10 and 20 share one gateway address.
11. At the branch, VLANs 30, 40 and 105 use MUX VLAN: VLAN 30 hosts cannot communicate with each other, VLAN 40 hosts can, and both can communicate with principal VLAN 105.
12. A simple multicast deployment at the branch so that every branch department can use multicast applications.
Note: all devices are named as shown in the topology diagram.
I. Headquarters configuration
① VLAN, MSTP, link aggregation
VLAN assignment on LSW1, LSW2, LSW3, LSW4 and LSW5
Wireless service VLANs: 100 and 101; the wireless controller's interface belongs to VLAN 111
The switches run in MSTP mode by default, so the STP mode is not configured explicitly; every port connecting to a terminal is enabled as an edge port
LSW3:
sys
sys LSW3
vlan batch 10 20 30 111 100 101
int e 0/0/3
port link-type access
port default vlan 10
stp edge-port enable
port-isolate enable
int e 0/0/4
port link-type access
port default vlan 10
stp edge-port enable
port-isolate enable # hosts in department VLAN 10 must not reach each other or the Internet
int e 0/0/5
port link-type trunk
port trunk allow-pass vlan all
port trunk pvid vlan 111
stp edge-port enable # AP uplink: untagged AP traffic is placed in VLAN 111 by the PVID
int e 0/0/1
port link-type trunk
port trunk allow-pass vlan all
int e 0/0/2
port link-type trunk
port trunk allow-pass vlan all
LSW4:
sys
sys LSW4
vlan batch 10 20 30 111 100 101
int e 0/0/3
port link-type access
port default vlan 20
stp edge-port enable
int e 0/0/4
port link-type access
port default vlan 20
stp edge-port enable
int e 0/0/5
port link-type trunk
port trunk allow-pass vlan all
port trunk pvid vlan 111
stp edge-port enable
int e 0/0/1
port link-type trunk
port trunk allow-pass vlan all
int e 0/0/2
port link-type trunk
port trunk allow-pass vlan all
LSW5:
sys
sys LSW5
vlan batch 10 20 30 111 100 101
int e 0/0/3
port link-type access
port default vlan 30
stp edge-port enable
int e 0/0/4
port link-type access
port default vlan 30
stp edge-port enable
int e 0/0/5
port link-type trunk
port trunk allow-pass vlan all
port trunk pvid vlan 111
stp edge-port enable
int e 0/0/1
port link-type trunk
port trunk allow-pass vlan all
int e 0/0/2
port link-type trunk
port trunk allow-pass vlan all
LSW1:
sys
sys LSW1
vlan batch 10 20 30 111 100 101 13
int g 0/0/1
port link-type trunk
port trunk allow-pass vlan all
int g 0/0/2
port link-type trunk
port trunk allow-pass vlan all
int g 0/0/3
port link-type trunk
port trunk allow-pass vlan all
int eth-trunk 1 # link aggregation (Eth-Trunk)
mode lacp-static
trunkport g 0/0/4 0/0/5
port link-type trunk
port trunk allow-pass vlan all
int g 0/0/7
port link-type trunk
port trunk allow-pass vlan all
int g 0/0/6
port link-type access
port default vlan 13
quit
stp root primary # make LSW1 the primary (root) device
LSW2:
sys
sys LSW2
vlan batch 10 20 24 30 111 100 101
int g 0/0/1
port link-type trunk
port trunk allow-pass vlan all
int g 0/0/2
port link-type trunk
port trunk allow-pass vlan all
int g 0/0/3
port link-type trunk
port trunk allow-pass vlan all
int g 0/0/6
port link-type access
port default vlan 24
int eth-trunk 1
mode lacp-static
trunkport g 0/0/4 0/0/5
port link-type trunk
port trunk allow-pass vlan all
② MSTP with VRRP
Deploy MSTP + VRRP for gateway redundancy: wired traffic of departments A, B and C goes through SW1 by default and wireless traffic through SW2, giving load sharing
LSW1:
stp region-configuration
region-name ZB
instance 10 vlan 10 20 30
instance 20 vlan 100 101
active region-configuration
quit
stp instance 10 root primary
stp instance 20 root secondary
int vlanif 10
ip add 192.168.10.1 24
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 120
int vlanif 20
ip add 192.168.20.1 24
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 120
int vlanif 30
ip add 192.168.30.1 24
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 120
int vlanif 100
ip add 192.168.100.1 24
vrrp vrid 100 virtual-ip 192.168.100.254
int vlanif 101
ip add 192.168.101.1 24
vrrp vrid 101 virtual-ip 192.168.101.254
LSW2:
stp region-configuration
region-name ZB
instance 10 vlan 10 20 30
instance 20 vlan 100 101
active region-configuration
quit
stp instance 10 root secondary
stp instance 20 root primary
# LSW2 uses the .2 host address on every vlanif so that it does not conflict with LSW1's .1
int vlanif 10
ip add 192.168.10.2 24
vrrp vrid 10 virtual-ip 192.168.10.254
int vlanif 20
ip add 192.168.20.2 24
vrrp vrid 20 virtual-ip 192.168.20.254
int vlanif 30
ip add 192.168.30.2 24
vrrp vrid 30 virtual-ip 192.168.30.254
int vlanif 100
ip add 192.168.100.2 24
vrrp vrid 100 virtual-ip 192.168.100.254
vrrp vrid 100 priority 120
int vlanif 101
ip add 192.168.101.2 24
vrrp vrid 101 virtual-ip 192.168.101.254
vrrp vrid 101 priority 120
LSW3:
stp region-configuration
region-name ZB
instance 10 vlan 10 20 30
instance 20 vlan 100 101
active region-configuration
LSW4:
stp region-configuration
region-name ZB
instance 10 vlan 10 20 30
instance 20 vlan 100 101
active region-configuration
LSW5:
stp region-configuration
region-name ZB
instance 10 vlan 10 20 30
instance 20 vlan 100 101
active region-configuration
Verification commands: display stp brief, display vrrp brief
③ BFD with VRRP
Configure the vlanif IP addresses on LSW1 and LSW2 and the interface addresses on R3 and R4, completing the rest of the IP plan at the same time
LSW1:
# IP configuration
int vlanif 13
ip add 10.1.13.1 24
quit
# BFD configuration (auto mode)
bfd
quit
bfd 1 bind peer-ip 10.1.13.3 source-ip 10.1.13.1 auto
# once BFD is configured, tie the VRRP groups to the session
int vlanif 10
vrrp vrid 10 track bfd-session session-name 1 reduced 50
int vlanif 20
vrrp vrid 20 track bfd-session session-name 1 reduced 50
int vlanif 30
vrrp vrid 30 track bfd-session session-name 1 reduced 50
LSW2:
# IP configuration
int vlanif 24
ip add 10.1.24.2 24 # matches the source/peer addresses in the BFD binding below and on R4
quit
# BFD configuration (auto mode)
bfd
quit
bfd 2 bind peer-ip 10.1.24.4 source-ip 10.1.24.2 auto
# once BFD is configured, tie the VRRP groups to the session
int vlanif 100
vrrp vrid 100 track bfd-session session-name 2 reduced 50
int vlanif 101
vrrp vrid 101 track bfd-session session-name 2 reduced 50
R3:
sys
sys R3
int g 0/0/0
ip add 10.1.13.3 24
int g 0/0/1
ip add 10.1.34.3 24
int g 0/0/2
ip add 10.1.35.3 24
int eth 0/0/0
ip add 10.1.123.3 24
quit
bfd
quit
bfd 1 bind peer-ip 10.1.13.1 source-ip 10.1.13.3 auto
R4:
sys
sys R4
int g 0/0/0
ip add 10.1.24.4 24
int g 0/0/1
ip add 10.1.34.4 24
int g 0/0/2
ip add 10.1.45.4 24
int eth 0/0/0
ip add 10.1.123.4 24
quit
bfd
quit
bfd 2 bind peer-ip 10.1.24.2 source-ip 10.1.24.4 auto
After the IP configuration, check and verify with: dis ip interface brief
④ OSPF and DHCP
DHCP is most often placed on the core switch, but here addresses must be handed out across two broadcast domains, so DHCP relay is used, and OSPF is configured first so that the routes are in place.
LSW1, LSW2, R3, R4 and the DHCP server R7 all advertise every subnet.
The router-id uses the device's number, e.g. 1.1.1.1.
DHCP: LSW1, LSW2, R3 and R4 are all configured as DHCP relays.
The DHCP server is configured with the address pools.
DHCP-Server-R7:
sys
sys DHCP-Server-R7
dhcp enable
int g 0/0/0
ip add 10.1.123.7 24
dhcp select global
ospf 1 router-id 7.7.7.7
area 0
network 0.0.0.0 0.0.0.0
quit
quit
# each pool's network must contain its gateway-list address, otherwise relayed requests get no lease
ip pool vlan10
gateway-list 192.168.10.254
network 192.168.10.0 mask 24
ip pool vlan20
gateway-list 192.168.20.254
network 192.168.20.0 mask 24
ip pool vlan30
gateway-list 192.168.30.254
network 192.168.30.0 mask 24
ip pool vlan100
gateway-list 192.168.100.254
network 192.168.100.0 mask 24
ip pool vlan101
gateway-list 192.168.101.254
network 192.168.101.0 mask 24
LSW1:
# OSPF configuration
ospf 1 router-id 1.1.1.1
area 0
network 0.0.0.0 0.0.0.0
quit
quit
# DHCP configuration
dhcp enable
int vlanif 10
dhcp select relay
dhcp relay server-ip 10.1.123.7
int vlanif 20
dhcp select relay
dhcp relay server-ip 10.1.123.7
int vlanif 30
dhcp select relay
dhcp relay server-ip 10.1.123.7
int vlanif 100
dhcp select relay
dhcp relay server-ip 10.1.123.7
int vlanif 101
dhcp select relay
dhcp relay server-ip 10.1.123.7
LSW2:
# OSPF configuration
ospf 1 router-id 2.2.2.2
area 0
network 0.0.0.0 0.0.0.0
quit
quit
# DHCP configuration
dhcp enable
int vlanif 10
dhcp select relay
dhcp relay server-ip 10.1.123.7
int vlanif 20
dhcp select relay
dhcp relay server-ip 10.1.123.7
int vlanif 30
dhcp select relay
dhcp relay server-ip 10.1.123.7
int vlanif 100
dhcp select relay
dhcp relay server-ip 10.1.123.7
int vlanif 101
dhcp select relay
dhcp relay server-ip 10.1.123.7
R3:
# OSPF configuration
ospf 1 router-id 3.3.3.3
area 0
network 0.0.0.0 0.0.0.0
quit
quit
# DHCP configuration
dhcp enable
int g 0/0/0
dhcp select relay
dhcp relay server-ip 10.1.123.7 # the DHCP server's interface address that relayed requests are sent to
R4:
# OSPF configuration
ospf 1 router-id 4.4.4.4
area 0
network 0.0.0.0 0.0.0.0
quit
quit
# DHCP configuration
dhcp enable
int g 0/0/0
dhcp select relay
dhcp relay server-ip 10.1.123.7 # the DHCP server's interface address that relayed requests are sent to
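The slips that bite this part of the lab (a gateway address reused on both core switches, a DHCP pool whose network does not contain its gateway, a VRRP virtual address outside the vlanif subnet) can be caught with a small lint over the configs. The following Python is an added example, not part of the lab; the device names, addresses and the three sample configs are constructed from this lab's own plan.

```python
"""Consistency lint for the lab's IP plan: added example, not part of the lab itself.
Parses only the VRP lines used here (int vlanif / ip add / vrrp ... virtual-ip /
ip pool / gateway-list / network ... mask) and reports the mistakes that silently
break VRRP gateway redundancy or DHCP relay."""
import ipaddress
from collections import defaultdict

# Constructed sample in the lab's own addressing; LSW2 deliberately reuses LSW1's
# vlanif 10 address and the vlan10 pool's network does not contain its gateway.
SAMPLE = {
    "LSW1": "int vlanif 10\nip add 192.168.10.1 24\nvrrp vrid 10 virtual-ip 192.168.10.254",
    "LSW2": "int vlanif 10\nip add 192.168.10.1 24\nvrrp vrid 10 virtual-ip 192.168.10.254",
    "DHCP-Server-R7": "ip pool vlan10\ngateway-list 192.168.10.254\nnetwork 192.168.1.0 mask 24",
}

def lint(configs):
    """Return human-readable findings for a {device: config_text} mapping."""
    findings = []
    owners = defaultdict(list)  # interface address -> devices configured with it
    for dev, text in configs.items():
        iface, current, pool, gw = None, None, None, None
        for line in text.splitlines():
            w = line.split()
            if w[:2] == ["int", "vlanif"]:
                iface = f"vlanif {w[2]}"
            elif w[:2] == ["ip", "add"]:
                current = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
                owners[current.ip].append(dev)
            elif w and w[0] == "vrrp" and "virtual-ip" in w:
                vip = ipaddress.ip_address(w[w.index("virtual-ip") + 1])
                if current is not None and vip not in current.network:
                    findings.append(f"{dev} {iface}: VRRP VIP {vip} is outside {current.network}")
            elif w[:2] == ["ip", "pool"]:
                pool, gw = w[2], None
            elif w and w[0] == "gateway-list":
                gw = ipaddress.ip_address(w[1])
            elif w and w[0] == "network" and gw is not None:
                net = ipaddress.ip_network(f"{w[1]}/{w[3]}")
                if gw not in net:
                    findings.append(f"{dev} pool {pool}: gateway {gw} is not inside {net}")
    for ip, devs in owners.items():
        if len(devs) > 1:
            findings.append(f"duplicate interface address {ip} on {', '.join(devs)}")
    return findings

if __name__ == "__main__":
    for f in lint(SAMPLE):
        print("FINDING:", f)
```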
⑤ AC configuration
# IP configuration and VLAN assignment
sys
sys AC-1
vlan batch 111
int g 0/0/1
port link-type trunk
port trunk allow-pass vlan all
quit
int vlanif 111
ip add 192.168.111.254 24
# DHCP configuration
dhcp enable
int vlanif 111
dhcp select interface
# WLAN configuration: AP group and members
wlan
ap-group name AP
quit
ap auth-mode no-auth # no-authentication mode; APs on the link are only discovered once this is configured
ap-id 0
ap-name AP1
ap-group AP
quit
ap-id 1
ap-name AP2
ap-group AP
quit
ap-id 2
ap-name AP3
ap-group AP
quit
# WLAN configuration: AP access parameters
ssid-profile name ZB
ssid ZB
quit
security-profile name ZB
security wpa-wpa2 psk pass-phrase HUAWEI@123 aes
quit
quit
# WLAN configuration: virtual access point (VAP)
# client-side settings
vlan pool ZB
vlan 100 101
quit
wlan
vap-profile name ZB
ssid-profile ZB
security-profile ZB
service-vlan vlan-pool ZB
quit
ap-group name AP
regulatory-domain-profile default
vap-profile ZB wlan 1 radio all
quit
⑥ Firewall configuration
IP configuration, zone assignment, security policy, NAT policy, static route, OSPF
username: admin
password: Admin@123 (or admin@123), then change the password
sys
sys CE-5
# IP configuration
int g 1/0/1
ip add 10.1.35.5 24
int g 1/0/0
ip add 10.1.45.5 24
int g 1/0/2
ip add 10.1.25.5 24
int g 1/0/3
ip add 10.1.51.5 24
quit
# zone assignment
firewall zone trust
add interface g 1/0/1
add interface g 1/0/0
quit
firewall zone untrust
add interface g 1/0/2
add interface g 1/0/3
quit
# security policy
security-policy
rule name t2u
source-zone trust
destination-zone untrust
action permit
quit
quit
# NAT policy
nat-policy
rule name t2u
source-zone trust
destination-zone untrust
destination-address-exclude 192.168.105.0 mask 24
destination-address-exclude 192.168.103.0 mask 24
# branch subnets reached over the MPLS VPN are excluded from NAT so they see the real source addresses
action source-nat easy-ip # translate everything else to the outgoing interface address
quit
quit
# static route
ip route-static 0.0.0.0 0.0.0.0 10.1.51.1
# OSPF
ospf 1
default-route-advertise
area 0
network 10.1.35.5 0.0.0.0
network 10.1.45.5 0.0.0.0
II. MPLS VPN configuration
① PE-1 configuration
IP, OSPF, static route; MPLS LDP; VPN
sys
sys PE-1
# IP configuration
int g 0/0/1
ip add 10.1.13.1 24
int loopback 0
ip add 1.1.1.1 32
int g 4/0/0
ip add 100.0.1.2 24
int g 0/0/0
ip add 10.1.25.1 24
int g 0/0/2
ip add 10.1.51.1 24
# OSPF and static route configuration
ip route-static 0.0.0.0 0 10.1.51.5 # default route for Internet access (via the 10.1.51.0/24 link)
ospf 1 router-id 1.1.1.1
area 0
network 0.0.0.0 0.0.0.0
# MPLS LDP
mpls lsr-id 1.1.1.1
mpls
mpls ldp
int g 0/0/1
mpls
mpls ldp
# VPN
ip vpn-instance VPNA
route-distinguisher 1:1
vpn-target 100:100 # the same value is configured on PE-2 later
int g 0/0/0 # bound on g 0/0/0, towards the firewall over the 10.1.25.0/24 link
ip binding vpn-instance VPNA
ip add 10.1.25.1 24 # binding a VPN instance clears the interface address, so it is re-applied here
② P-3 configuration
sys
sys P-3
# IP address configuration
int loopback 0
ip add 3.3.3.3 32
int g 0/0/1
ip add 10.1.13.3 24
int g 0/0/0
ip add 10.1.23.3 24
# OSPF
ospf 1 router-id 3.3.3.3
area 0
network 0.0.0.0 0.0.0.0
# MPLS configuration:
mpls lsr-id 3.3.3.3
mpls
mpls ldp
int g 0/0/1
mpls
mpls ldp
int g 0/0/0
mpls
mpls ldp
③ PE-2 configuration
sys
sys PE-2
# IP addresses
int loopback 0
ip add 2.2.2.2 32
int g 0/0/0
ip add 10.1.23.2 24
int g 0/0/1.26 # VPN dedicated line (configured below under the VPN section)
int g 0/0/1.62
ip add 10.1.62.2 24
dot1q ter vid 62
arp broadcast enable
# OSPF configuration
ospf 1 router-id 2.2.2.2
area 0
network 0.0.0.0 0.0.0.0
# MPLS configuration
mpls lsr-id 2.2.2.2
mpls
mpls ldp
int g 0/0/0
mpls
mpls ldp
# VPN configuration
ip vpn-instance VPNB
route-distinguisher 2:2
vpn-target 100:100
int g 0/0/1.26
ip binding vpn-instance VPNB
dot1q ter vid 26
arp broadcast enable
ip add 10.1.26.2 24
III. Branch configuration
Basic IP configuration, VLAN assignment, VLAN aggregation, VLAN isolation, IS-IS, BGP, simple IP multicast, DHCP
① CE-6:
# IP address configuration:
sys
sys CE-6
int g 0/0/0.26
ip add 10.1.26.6 24
dot1q termination vid 26
arp broadcast enable
int g 0/0/0.62
ip add 10.1.62.6 24
dot1q termination vid 62
arp broadcast enable
int g 0/0/1
ip add 192.168.104.254 24
int g0/0/2
ip add 10.1.69.6 24
# IS-IS configuration
isis
network-entity 49.0000.0000.0006.00
int g 0/0/1
isis enable
int g 0/0/2
isis enable
# multicast configuration
multicast routing-enable # enable multicast routing
int g 0/0/1
pim dm
int g 0/0/2
pim dm
② LSW7:
# VLAN assignment and IP configuration
sys
sys LSW9
vlan batch 69 105 103 10 20
int vlanif 69
ip add 10.1.69.7 24
int g 0/0/1
port link-type access
port default vlan 69
int g 0/0/2
port link-type access
port default vlan 10
int g 0/0/3
port link-type access
port default vlan 20
int vlanif 105
ip add 192.168.105.254 24
int g 0/0/4
port link-type access
port default vlan 105
int vlanif 103
ip add 192.168.103.254 24
# VLAN aggregation: super-VLAN 103 is the shared gateway for sub-VLANs 10 and 20
vlan 103
aggregate-vlan
access-vlan 10 20
# DHCP configuration:
dhcp enable
int vlanif 105
dhcp select interface
int vlanif 103
dhcp select interface
# IS-IS configuration
isis
network-entity 49.0000.0000.0009.00
int vlanif 69
isis enable
int vlanif 103
isis enable
int vlanif 105
isis enable
# multicast configuration
multicast routing-enable
int vlanif 69
pim dm
int vlanif 103
igmp enable
int vlanif 105
igmp enable
③ LSW8:
# VLAN assignment
sys
sys LSW12
vlan batch 30 40 105
int g 0/0/1
port link-type access
port default vlan 30
stp edge-port enable
int g 0/0/2
port link-type access
port default vlan 30
stp edge-port enable
int g 0/0/3
port link-type access
port default vlan 40
stp edge-port enable
int g 0/0/4
port link-type access
port default vlan 40
stp edge-port enable
int g 0/0/5
port link-type access
port default vlan 105
# VLAN isolation and inter-communication (MUX VLAN)
vlan 105
mux-vlan
subordinate group 40 # group VLAN: hosts in VLAN 40 can reach each other and the principal VLAN
subordinate separate 30 # separate VLAN: hosts in VLAN 30 reach only the principal VLAN, not each other
int g 0/0/1
port mux-vlan enable
int g 0/0/2
port mux-vlan enable
int g 0/0/3
port mux-vlan enable
int g 0/0/4
port mux-vlan enable
int g 0/0/5
port mux-vlan enable
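To check that the MUX VLAN above actually gives the isolation demanded by requirement 11, here is an added Python model of the forwarding rules for LSW8's ports; it is not part of the lab, and the MUX and PORTS tables are constructed from the configuration above.

```python
"""Layer-2 reachability under the MUX VLAN configured on LSW8: added example, not
part of the lab. Principal 105, group (mutually reachable) 40, separate (isolated) 30."""

# Constructed to mirror LSW8: the mux-vlan definition and the per-port access VLANs.
MUX = {"principal": 105, "group": {40}, "separate": {30}}
PORTS = {"g0/0/1": 30, "g0/0/2": 30, "g0/0/3": 40, "g0/0/4": 40, "g0/0/5": 105}

def can_talk(port_a, port_b, ports=PORTS, mux=MUX):
    """True if a frame from port_a may be forwarded to port_b.

    Rules of a MUX VLAN principal/subordinate split:
    - anything may talk to a principal-VLAN port, and the principal to anything;
    - two ports in the same group VLAN may talk to each other;
    - ports in a separate VLAN may talk only to the principal, never to each
      other and never to another subordinate VLAN.
    """
    va, vb = ports[port_a], ports[port_b]
    if va == mux["principal"] or vb == mux["principal"]:
        return True
    if va == vb:
        return va in mux["group"]
    return False  # two different subordinate VLANs never see each other

def reachable_pairs(ports=PORTS, mux=MUX):
    """Distinct port pairs that can exchange frames, for reviewing the requirement."""
    names = sorted(ports)
    return sorted((a, b) for a in names for b in names if a < b and can_talk(a, b, ports, mux))

if __name__ == "__main__":
    for a, b in reachable_pairs():
        print(f"{a} (vlan {PORTS[a]}) <-> {b} (vlan {PORTS[b]})")
```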
④ MCS1 (multicast source) configuration:
Multicast group IP address: 239.1.1.1
Multicast group MAC address: 01-00-5E-01-01-01
Source IP address: 192.168.104.1
Source MAC address: 54-89-98-96-38-BF
The multicast source file path points to an mp4 video file
Then click Run
⑤ PC11 and PC12 configuration:
IGMP version 2
Multicast
Source IP: obtained by the PC itself via DHCP
Source MAC: the PC's own MAC address
Destination: 239.1.1.1
Destination MAC: 01-00-5E-01-01-01
Click Join;
Click Start VLC;
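The group MAC entered above is derived from the group IP. The following Python (an added example, not part of the lab) computes that mapping and also lists the 32 IPv4 groups that collide on the same MAC, which matters when a switch filters multicast by MAC rather than by IP.

```python
"""IPv4 multicast group -> MAC mapping used in the MCS1/PC settings: added example."""
import ipaddress

def group_to_mac(group):
    """Map an IPv4 multicast address to its 01-00-5E MAC (RFC 1112, section 6.4).

    Only the low 23 bits of the group address are copied into the MAC, so the
    4-bit class-D prefix and the top bit of the second octet are discarded.
    """
    g = ipaddress.ip_address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low23 = int(g) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, (low23 >> 16) & 0x7F, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return "-".join(f"{o:02X}" for o in octets)

def groups_sharing_mac(group):
    """All 32 IPv4 groups that map to the same MAC as `group`.

    A switch doing MAC-based (not IP-based) multicast filtering cannot tell them
    apart, so a port joined to 239.1.1.1 also receives 224.1.1.1, 224.129.1.1, ...
    """
    low23 = int(ipaddress.ip_address(group)) & 0x7FFFFF
    base = 0xE0000000  # 224.0.0.0; the five bits above the low 23 are the lost ones
    return [str(ipaddress.ip_address(base | (hi << 23) | low23)) for hi in range(32)]

if __name__ == "__main__":
    print(group_to_mac("239.1.1.1"))
    print(groups_sharing_mac("239.1.1.1"))
```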
IV. Configuration so that headquarters can reach the branch
IBGP, EBGP, route import
PE1:
# IBGP configuration
bgp 200
peer 2.2.2.2 as-number 200
peer 2.2.2.2 connect-interface loopback 0
ipv4-family vpnv4
peer 2.2.2.2 enable
quit
# EBGP configuration
ipv4-family vpn-instance VPNA # neighbor with the headquarters firewall (CE-5)
peer 10.1.25.5 as-number 100
PE2:
# IBGP configuration
bgp 200
peer 1.1.1.1 as-number 200
peer 1.1.1.1 connect-interface loopback 0
ipv4-family vpnv4
peer 1.1.1.1 enable
quit
# EBGP configuration
ipv4-family vpn-instance VPNB # neighbor with the branch router CE-6
peer 10.1.26.6 as-number 300
CE-5:
# EBGP configuration
bgp 100
peer 10.1.25.1 as-number 200
# route import
import-route ospf 1
quit
ospf 1
import-route bgp
CE-6:
# EBGP configuration
bgp 300
peer 10.1.26.2 as-number 200
# route import
import-route isis 1
quit
isis
import-route bgp
V. Testing
PC3 to PC6 ping the branch PCs and the Internet: the pings succeed, the lab works!
PC1 and PC2 ping each other: the pings fail, and they cannot reach the Internet or the branch, the lab works!
PC10 and PC11, or any other branch PC, can receive the multicast stream: the lab works!