您现在的位置是:首页 > 技术教程 正文

2022华为ICT大赛全国总决赛网络赛道实验解析及验证

admin 阅读: 2024-03-17
后台-插件-广告管理-内容页头部广告(手机)

作者信息:苗浩15515026488微信同号

本文摘抄自《华为ICT大赛-网络赛道学习空间(中国区)》,如有侵权,请及时联系作者删除文章

一、项目背景

比赛模拟了某大型公司企业网通过广域网连接数据中心的场景。

考虑到网络冗余和流量负载均衡的需求,企业网部署MSTP、防火墙双机热备用于承载web业务和Internet访问业务。同时,为了满足员工的无线办公需求,工程师需要部署WLAN设备于企业网内,用于访问Internet。

在使用丰富的网络资源建设企业网络和数据中心网络的时代大背景下,工程师们证面临严峻的安全问题,NGFW可以部署于企业网络和数据中心网络出口有利于降低安全风险,以帮助实现安全且高效的网络管理。

该企业的私有云部署在总部数据中心机房,企业的各类业务系统都部署在其私有云上,其中企业的OA系统所在的web服务器部署在总部的数据中心,企业各分支需要通过MPLS VPN访问远端数据中心的Web-Server,并且出于安全因素,Web-Server的私网地址不通告到广域网,而是通过一个外部公网地址100.1.1.1提供访问,Web-Client到Web-Server的流量需要在防火墙FW3上做目的地址转换,转换成Web-Server私有地址实现访问。

为实现数据中心租户位于不用子网的业务虚拟机互通,这里业务虚拟机为VM1和VM2,需要在数据中心部署GRE隧道,以打通VM1和VM2的三层通道。

广域网为企业的内网和远端总部数据中心提供链接,提供在广域网上部署MPLS VPN实现企业的互联网专线功能,以确保在广域网上的业务隔离的效果。

二、网络赛道

        实验环境使用如下设备:

  1. 2台S5700(SW2、SW3)
  2. 1台S3700(SW1)
  3. 3台防火墙USG6000V(FW1-FW3)
  4. 7台路由器Router(PE1、PE2、P、Internet、Leaf1、Leaf2)
  5. 1台AC6605(AC)
  6. 1台AP6050(AP)
  7. 1台WLAN终端(PC)
  8. 1台Web服务器(Web-Server)
  9. 1台Web客户端(Web-Client)
  10. 2台虚拟机(VM1、VM2) 

2.1 比赛任务

任务1:VLAN 

        根据2-2规划,配置网络设备名称,在SW1、SW2、SW3上配置VLAN链路类型和VLAN参数、在PE1、FW1和FW2上配置子接口和子接口ID。 

任务2:IP地址

        根据图2-1和表2-3配置网络设备名称和接口IP地址。

配置过程:

  1. 任务1/2:设备命名/VLAN/IP地址
  2. #SW1
  3. system-view
  4. [Huawei]sysname SW1
  5. [SW1]vlan batch 2 to 20
  6. [SW1]interface Ethernet0/0/1
  7. [SW1-Ethernet0/0/1]port link-type access
  8. [SW1-Ethernet0/0/1]port default vlan 10
  9. [SW1]interface Ethernet0/0/2
  10. [SW1-Ethernet0/0/2]port link-type access
  11. [SW1-Ethernet0/0/2]port default vlan 19
  12. [SW1]port-group group-member GigabitEthernet 0/0/1 GigabitEthernet 0/0/2
  13. [SW1-port-group]port link-type trunk
  14. [SW1-port-group]undo port trunk allow-pass vlan 1
  15. [SW1-port-group]port trunk allow-pass vlan 2 to 20
  17. #SW2
  18. system-view
  19. [Huawei]sysname SW2
  20. [SW2]vlan batch 2 to 20
  21. [SW2]port-group group-member GigabitEthernet 0/0/1 GigabitEthernet 0/0/3 GigabitEthernet 0/0/5
  22. [SW2-port-group]port link-type trunk
  23. [SW2-port-group]undo port trunk allow-pass vlan 1
  24. [SW2-port-group]port trunk allow-pass vlan 2 to 20
  26. #SW3
  27. system-view
  28. [Huawei]sysname SW3
  29. [SW3]vlan batch 2 to 20
  30. [SW3]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/3 GigabitEthernet 0/0/5
  31. [SW3-port-group]port link-type trunk
  32. [SW3-port-group]undo port trunk allow-pass vlan 1
  33. [SW3-port-group]port trunk allow-pass vlan 2 to 20
  35. #FW1
  36. system-view
  37. [USG6000V1]sysname FW1
  38. [FW1]interface GigabitEthernet 1/0/5.1
  39. [FW1-GigabitEthernet1/0/5.1]vlan-type dot1q 10
  40. [FW1-GigabitEthernet1/0/5.1]ip address 192.168.1.2 24
  41. [FW1]interface GigabitEthernet 1/0/5.2
  42. [FW1-GigabitEthernet1/0/5.2]vlan-type dot1q 20
  43. [FW1-GigabitEthernet1/0/5.2]ip address 192.168.2.2 24
  44. [FW1]interface GigabitEthernet 1/0/3.1
  45. [FW1-GigabitEthernet1/0/3.1]vlan-type dot1q 1
  46. [FW1-GigabitEthernet1/0/3.1]ip address 10.2.2.1 30
  47. [FW1]interface GigabitEthernet 1/0/1
  48. [FW1-GigabitEthernet1/0/1]ip address 15.1.1.1 24
  49. [FW1]interface GigabitEthernet 1/0/3
  50. [FW1-GigabitEthernet1/0/3]ip address 10.2.1.1 30
  52. #FW2
  53. system-view
  54. [USG6000V1]sysname FW2
  55. [FW2]interface GigabitEthernet 1/0/5.1
  56. [FW2-GigabitEthernet1/0/5.1]vlan-type dot1q 10
  57. [FW2-GigabitEthernet1/0/5.1]ip address 192.168.1.3 24
  58. [FW2]interface GigabitEthernet 1/0/5.2
  59. [FW2-GigabitEthernet1/0/5.2]vlan-type dot1q 20
  60. [FW2-GigabitEthernet1/0/5.2]ip address 192.168.2.3 24
  61. [FW2]interface GigabitEthernet 1/0/3.1
  62. [FW2-GigabitEthernet1/0/3.1]vlan-type dot1q 1
  63. [FW2-GigabitEthernet1/0/3.1]ip address 10.3.2.1 30
  64. [FW2]interface GigabitEthernet 1/0/1
  65. [FW2-GigabitEthernet1/0/1]ip address 15.1.1.2 24
  66. [FW2]interface GigabitEthernet 1/0/3
  67. [FW2-GigabitEthernet1/0/3]ip address 10.3.1.1 30
  69. #PE1
  70. system-view
  71. [Huawei]sysname PE1
  72. [PE1]interface GigabitEthernet 0/0/1.1
  73. [PE1-GigabitEthernet0/0/1.1]dot1q termination vid 1
  74. [PE1-GigabitEthernet0/0/1.1]arp broadcast enable
  75. [PE1-GigabitEthernet0/0/1.1]ip address 10.2.2.2 30
  76. [PE1]interface GigabitEthernet 0/0/3.1
  77. [PE1-GigabitEthernet0/0/3.1]dot1q termination vid 1
  78. [PE1-GigabitEthernet0/0/3.1]arp broadcast enable
  79. [PE1-GigabitEthernet0/0/3.1]ip address 10.3.2.2 30
  80. [PE1]interface LoopBack 0
  81. [PE1-LoopBack0]ip address 1.1.1.1 32
  82. [PE1]interface GigabitEthernet0/0/1
  83. [PE1-GigabitEthernet0/0/1]ip address 10.2.1.2 30
  84. [PE1]interface GigabitEthernet0/0/2
  85. [PE1-GigabitEthernet0/0/2]ip address 20.1.1.1 30
  86. [PE1]interface GigabitEthernet0/0/3
  87. [PE1-GigabitEthernet0/0/3]ip address 10.3.1.2 30
  89. #AC1
  90. system-view
  91. [AC6605]sysname AC
  92. [AC]vlan batch 19 20
  93. [AC]interface GigabitEthernet 0/0/1
  94. [AC-GigabitEthernet0/0/1]port link-type trunk
  95. [AC-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
  96. [AC-GigabitEthernet0/0/1]port trunk allow-pass vlan 19 20
  98. #FW3
  99. system-view
  100. [USG6000V1]sysname FW3
  101. [FW3]interface GigabitEthernet 1/0/1
  102. [FW3-GigabitEthernet1/0/1]ip address 30.1.1.1 30
  103. [FW3]interface GigabitEthernet 1/0/2
  104. [FW3-GigabitEthernet1/0/2]ip address 20.1.3.2 30
  106. #P
  107. system-view
  108. [Huawei]sysname P
  109. [P]interface LoopBack 0
  110. [P-LoopBack0]ip address 2.2.2.2 32
  111. [P]interface GigabitEthernet0/0/1
  112. [P-GigabitEthernet0/0/1]ip address 20.1.2.1 30
  113. [P]interface GigabitEthernet0/0/2
  114. [P-GigabitEthernet0/0/2]ip address 20.1.1.2 30
  116. #PE2
  117. system-view
  118. [Huawei]sysname PE2
  119. [PE2]interface LoopBack 0
  120. [PE2-LoopBack0]ip address 3.3.3.3 32
  121. [PE2]interface GigabitEthernet0/0/1
  122. [PE2-GigabitEthernet0/0/1]ip address 20.1.2.2 30
  123. [PE2]interface GigabitEthernet0/0/2
  124. [PE2-GigabitEthernet0/0/2]ip address 20.1.3.1 30
  125. [PE2]interface GigabitEthernet0/0/3
  126. [PE2-GigabitEthernet0/0/3]ip address 20.1.4.1 30
  128. #Internet
  129. system-view
  130. [Huawei]sysname Internet
  131. [Internet]interface LoopBack 0
  132. [Internet-LoopBack0]ip address 16.16.16.16 32
  133. [Internet]interface GigabitEthernet0/0/3
  134. [Internet-GigabitEthernet0/0/3]ip address 20.1.4.2 30
  136. #DC-GW
  137. system-view
  138. [Huawei]sysname DC-GW
  139. [DC-GW]interface LoopBack 0
  140. [DC-GW-LoopBack0]ip address 11.11.11.11 32
  141. [DC-GW]interface GigabitEthernet0/0/1
  142. [DC-GW-GigabitEthernet0/0/1]ip address 30.1.1.2 30
  143. [DC-GW]interface GigabitEthernet0/0/2
  144. [DC-GW-GigabitEthernet0/0/2]ip address 30.1.2.1 30
  145. [DC-GW]interface GigabitEthernet0/0/3
  146. [DC-GW-GigabitEthernet0/0/3]ip address 30.1.3.1 30
  148. #Leaf1
  149. system-view
  150. [Huawei]sysname Leaf1
  151. [Leaf1]interface LoopBack 0
  152. [Leaf1-LoopBack0]ip address 12.12.12.12 32
  153. [Leaf1]interface GigabitEthernet0/0/1
  154. [Leaf1-GigabitEthernet0/0/1]ip address 172.16.3.254 24
  155. [Leaf1]interface GigabitEthernet0/0/2
  156. [Leaf1-GigabitEthernet0/0/2]ip address 30.1.2.2 30
  157. [Leaf1]interface GigabitEthernet0/0/3
  158. [Leaf1-GigabitEthernet0/0/3]ip address 172.16.1.254 24
  160. #Leaf2
  161. system-view
  162. [Huawei]sysname Leaf2
  163. [Leaf2]interface LoopBack 0
  164. [Leaf2-LoopBack0]ip address 13.13.13.13 32
  165. [Leaf2]interface GigabitEthernet0/0/1
  166. [Leaf2-GigabitEthernet0/0/1]ip address 172.16.2.254 24
  167. [Leaf2]interface GigabitEthernet0/0/3
  168. [Leaf2-GigabitEthernet0/0/3]ip address 30.1.3.2 30

验证:

任务3:MSTP配置 

        为了实现二层网络的防环功能和流量负载均衡的目的,需要在SW1、SW2、SW3上配置 MSTP功能 

  1. 配置region名称为RG1。
  2. 将VLAN2到VLAN10映射到生成树实例instance 1,将VLAN11到VLAN20映射到生成树实例instance 2。
  3. 配置SW2为instance 1的根桥,instance 2的备份根桥;配置SW3为instance 2的根桥,instance 1的备份根桥。
  4. 配置SW2的GE 0/0/1口为STP根保护,关闭GE0/0/5的STP功能;配置SW3的GE0/0/2口为STP根保护,配置GE0/0/1口为STP边缘端口,关闭GE0/0/5口的STP功能。
  5. 配置SW1的E0/0/1和E0/0/2口为STP边缘端口。

配置过程:

  1. 任务3:MSTP
  2. #SW2
  3. [SW2]stp region-configuration
  4. [SW2-mst-region]region-name RG1
  5. [SW2-mst-region]instance 1 vlan 2 to 10
  6. [SW2-mst-region]instance 2 vlan 11 to 20
  7. [SW2-mst-region]active region-configuration
  8. [SW2]stp instance 1 root primary
  9. [SW2]stp instance 2 root secondary
  10. [SW2]interface GigabitEthernet 0/0/1
  11. [SW2-GigabitEthernet0/0/1]stp root-protection
  12. [SW2]interface GigabitEthernet 0/0/5
  13. [SW2-GigabitEthernet0/0/5]stp disable
  15. #SW3
  16. [SW3]stp region-configuration
  17. [SW3-mst-region]region-name RG1
  18. [SW3-mst-region]instance 1 vlan 2 to 10
  19. [SW3-mst-region]instance 2 vlan 11 to 20
  20. [SW3-mst-region]active region-configuration
  21. [SW3]stp instance 1 root secondary
  22. [SW3]stp instance 2 root primary
  23. [SW3]interface GigabitEthernet 0/0/2
  24. [SW3-GigabitEthernet0/0/2]stp root-protection
  25. [SW3]interface GigabitEthernet 0/0/1
  26. [SW3-GigabitEthernet0/0/1]stp edged-port enable
  27. [SW3]interface GigabitEthernet 0/0/5
  28. [SW3-GigabitEthernet0/0/5]stp disable
  30. #SW1
  31. [SW1]stp region-configuration
  32. [SW1-mst-region]region-name RG1
  33. [SW1-mst-region]instance 1 vlan 2 to 10
  34. [SW1-mst-region]instance 2 vlan 11 to 20
  35. [SW1-mst-region]active region-configuration
  36. [SW1]port-group group-member Ethernet 0/0/1 Ethernet 0/0/2
  37. [SW1-port-group]stp edged-port enable

验证: 

 

任务4:防火墙安全区域配置 

为实现网络安全的需求,需要部署防火墙,按要求规划安全区域,并且按照最小权限原则放开必要的端口权限,确保业务的正常通信。

请按照如下表格2-4的数据规划完成防火墙的安全区域配置。

验证:

 

任务5:防火墙VRRP、双机热备和安全策略配置 

为了避免防火墙单点故障,且充分利用网络资源,采用负载均衡模式部署防火墙双机热备,以增加网络健壮性。 

  1. 按表2-5的VRRP规划,完成VRRP配置。
  2. 使能FW1和FW2的hrp功能,配置FW1和FW2的G1/0/1口为HRP接口,并使能session快速备份功能。
  3. 然后按照需求完成防火墙安全策略配置。
    1. FW1:创建名称为“web”的安全策略,放通web服务流量;
    2. FW1:创建名称为“Wireless”的安全策略,放通WLAN流量;
    3. FW3:创建名称为“web”的安全策略,放通web服务流量;
    4. 在FW3配置NAT server功能,global地址和端口号分别为100.1.1.1和8080,inside地址和协议分别为172.16.1.1和http。

                安全策略禁止全放通,要求所有安全策略按照实际细化配置。

配置过程:

  1. 任务4:防火墙安全区域配置
  2. #FW1
  3. [FW1]firewall zone trust
  4. [FW1-zone-trust]add interface GigabitEthernet 1/0/5.1
  5. [FW1-zone-trust]add interface GigabitEthernet 1/0/5.2
  6. [FW1]firewall zone untrust
  7. [FW1-zone-untrust]add interface GigabitEthernet 1/0/3
  8. [FW1-zone-untrust]add interface GigabitEthernet 1/0/3.1
  9. [FW1]firewall zone dmz
  10. [FW1-zone-dmz]add interface GigabitEthernet 1/0/1
  12. #FW2
  13. [FW2]firewall zone trust
  14. [FW2-zone-trust]add interface GigabitEthernet 1/0/5.1
  15. [FW2-zone-trust]add interface GigabitEthernet 1/0/5.2
  16. [FW2]firewall zone untrust
  17. [FW2-zone-untrust]add interface GigabitEthernet 1/0/3
  18. [FW2-zone-untrust]add interface GigabitEthernet 1/0/3.1
  19. [FW2]firewall zone dmz
  20. [FW2-zone-dmz]add interface GigabitEthernet 1/0/1
  22. #FW3
  23. [FW3]firewall zone trust
  24. [FW3-zone-trust]add interface GigabitEthernet 1/0/1
  25. [FW3]firewall zone untrust
  26. [FW3-zone-untrust]add interface GigabitEthernet 1/0/2
  28. 任务5:防火墙VRRP、双机热备和安全策略配置
  29. 防火墙VRRP
  30. #FW1
  31. [FW1]interface GigabitEthernet 1/0/5.1
  32. [FW1-GigabitEthernet1/0/5.1]vrrp vrid 1 virtual-ip 192.168.1.254 active
  33. [FW1]interface GigabitEthernet 1/0/5.2
  34. [FW1-GigabitEthernet1/0/5.2]vrrp vrid 2 virtual-ip 192.168.2.254 standby
  36. #FW2
  37. [FW2]interface GigabitEthernet 1/0/5.1
  38. [FW2-GigabitEthernet1/0/5.1]vrrp vrid 1 virtual-ip 192.168.1.254 standby
  39. [FW2]interface GigabitEthernet 1/0/5.2
  40. [FW2-GigabitEthernet1/0/5.2]vrrp vrid 2 virtual-ip 192.168.2.254 active
  42. HRP
  43. #FW1
  44. [FW1]hrp interface GigabitEthernet 1/0/1 remote 15.1.1.2
  45. [FW1]hrp enable
  46. HRP_M[FW1]hrp mirror session enable
  47. HRP_M[FW1]hrp auto-sync config static-route (+B)
  49. #FW2
  50. [FW2]hrp interface GigabitEthernet 1/0/1 remote 15.1.1.1
  51. [FW2]hrp enable
  52. HRP_S[FW2]hrp mirror session enable
  54. 安全策略
  55. #FW1
  56. HRP_M[FW1]security-policy (+B)
  57. HRP_M[FW1-policy-security]rule name web (+B)
  58. HRP_M[FW1-policy-security-rule-web]source-zone trust (+B)
  59. HRP_M[FW1-policy-security-rule-web]destination-zone untrust (+B)
  60. HRP_M[FW1-policy-security-rule-web]source-address 192.168.1.1 32 (+B)
  61. HRP_M[FW1-policy-security-rule-web]destination-address 172.16.1.1 32 (+B)
  62. HRP_M[FW1-policy-security-rule-web]service http (+B)
  63. HRP_M[FW1-policy-security-rule-web]service https (+B)
  64. HRP_M[FW1-policy-security-rule-web]action permit (+B)
  65. HRP_M[FW1-policy-security]rule name Wireless (+B)
  66. HRP_M[FW1-policy-security-rule-Wireless]source-zone trust (+B)
  67. HRP_M[FW1-policy-security-rule-Wireless]source-zone local (+B)
  68. HRP_M[FW1-policy-security-rule-Wireless]source-zone untrust (+B)
  69. HRP_M[FW1-policy-security-rule-Wireless]destination-zone untrust (+B)
  70. HRP_M[FW1-policy-security-rule-Wireless]destination-zone trust (+B)
  71. HRP_M[FW1-policy-security-rule-Wireless]destination-zone local (+B)
  72. HRP_M[FW1-policy-security-rule-Wireless]source-address 192.168.2.0 24 (+B)
  73. HRP_M[FW1-policy-security-rule-Wireless]action permit (+B)
  74. HRP_M[FW1]int g1/0/5.1 (+B)
  75. HRP_M[FW1-GigabitEthernet1/0/5.1]service-manage ping permit (+B)
  76. HRP_M[FW1]int g1/0/5.2 (+B)
  77. HRP_M[FW1-GigabitEthernet1/0/5.2]service-manage ping permit (+B)
  79. #FW3
  80. [FW3]security-policy
  81. [FW3-policy-security]rule name web
  82. [FW3-policy-security-rule-web]source-zone untrust
  83. [FW3-policy-security-rule-web]destination-zone trust
  84. [FW3-policy-security-rule-web]source-address 192.168.1.1 32
  85. [FW3-policy-security-rule-web]destination-address 172.16.1.1 32
  86. [FW3-policy-security-rule-web]service http
  87. [FW3-policy-security-rule-web]service https
  88. [FW3-policy-security-rule-web]action permit
  89. [FW3-policy-security]rule name BGP
  90. [FW3-policy-security-rule-BGP]source-zone untrust
  91. [FW3-policy-security-rule-BGP]destination-zone local
  92. [FW3-policy-security-rule-BGP]source-address 20.1.3.1 mask 255.255.255.255
  93. [FW3-policy-security-rule-BGP]destination-address 20.1.3.2 mask 255.255.255.255
  94. [FW3-policy-security-rule-BGP]service bgp
  95. [FW3-policy-security-rule-BGP]service tcp
  96. [FW3-policy-security-rule-BGP]action permit
  97. [FW3]security-policy
  98. [FW3-policy-security]rule name OSPF
  99. [FW3-policy-security-rule-OSPF]source-zone trust
  100. [FW3-policy-security-rule-OSPF]destination-zone local
  101. [FW3-policy-security-rule-OSPF]source-address 30.1.1.2
  102. [FW3-policy-security-rule-OSPF]service ospf
  103. [FW3-policy-security-rule-OSPF]action permit
  105. NAT Server
  106. #FW3
  107. [FW3]nat server nat_server zone untrust protocol tcp global 100.1.1.1 8080 inside 172.16.1.1 www

验证:

 

任务6:公网静态路由配置(路由可参考图2-2、图2-3及描述)

  1. 为了实现将去往Internet的流量和去往数据中心Web-server的流量引流到广域网上,需要在FW1和FW2上配置静态路由实现。PE1的主接口用于接收Internet流量,PE1的子接口用于接收Web-Server流量。在PE1上配置两台指向WLAN客户端的回程静态路由,回程路由需要指向FW1和FW2实现负载分担,用于引导Internet回程流量。
  2. 因需要发布global地址段到VPN,所以需要在防火墙FW3上配置到Web-Server global地址100.1.1.1的静态黑洞路由,用于引导Web-Server的VPN流量。
  3. 在FW3上配置一条缺省路由,引导Web-Server从数据中心到企业内网的回程流量。 

配置过程:

  1. #FW1
  2. [FW1]ip route-static 0.0.0.0 0.0.0.0 10.2.1.2
  3. [FW1]ip route-static 100.1.1.1 255.255.255.255 10.2.2.2
  5. #FW2
  6. [FW2]ip route-static 0.0.0.0 0.0.0.0 10.3.1.2
  8. #FW3
  9. [FW3]ip route-static 100.1.1.1 32 NULL 0
  10. [FW3]ip route-static 100.1.1.1 255.255.255.255 10.3.2.2
  11. [FW3]ip route-static 0.0.0.0 0.0.0.0 20.1.3.1
  13. #PE1
  14. [PE1]ip route-static 192.168.2.0 24 10.2.1.1
  15. [PE1]ip route-static 192.168.2.0 24 10.3.1.1

验证: 

 

任务7:公网动态路由配置

  1. 在PE1、P、PE2组成的广域网里部署ISIS路由协议,进程ID为1,ISIS域配置为Level-2层,区域ID号为01,systemid值自行规划。要求PE1的Loopback0和GE0/0/2,P路由器Loopback0、GE0/0/1和GE0/0/2,PE2的Loopback0和GE0/0/1使能ISIS协议。
  2. 为了提高网络安全性,需要配置对LSP、CSNP、PSNP报文MD5认证功能,认证密码为ICTEXAM。
  3. DC数据中心部署OSPF,DC内所有路由器均部署在ospf area 0骨干区域,要求FW3的GE1/0/1,DC-GW的loopback0、GE0/0/1、GE0/0/2和GE0/0/3,Leaf1的Loopback0、GE0/0/2和GE0/0/3,Leaf2的loopback0和GE0/0/3所在的地址段发布到OSPF区域。
  4. FW3往OSPF路由域发布缺省路由引导Web-Server服务器到企业内网的回程流量。要求当FW3与PE2的链路中断后,FW3可以同步停止发布缺省路由,避免产生无效流量。 
  5. PE1的loopback0和P路由器的loopback0配置为IBGP邻居,PE2的loopback0和P路由器的loopback0配置为IBGP邻居,P路由器配置IBGP邻居组,添加PE1和PE2为邻居组成员,P路由器配置为反射器RR,PE1和PE2是P路由器的客户端。PE2的GE0/0/3和Internet路由器的GE0/0/3配置为EBGP邻居。把Internet路由器上的loopback0地址提供EBGP通告给对端路由器PE2,引导流量上行。(路由可参考图2-2及描述)

配置过程:

  1. 任务7:公网动态路由配置
  2. ISIS
  3. #PE1
  4. [PE1]isis 1
  5. [PE1-isis-1]network-entity 01.0000.0000.0001.00
  6. [PE1-isis-1]is-level level-2
  7. [PE1-isis-1]domain-authentication-mode md5 ICTEXAM
  8. [PE1]interface LoopBack 0
  9. [PE1-LoopBack0]isis enable 1
  10. [PE1]interface GigabitEthernet0/0/2
  11. [PE1-GigabitEthernet0/0/2]isis enable 1
  13. #P
  14. [P]isis 1
  15. [P-isis-1]network-entity 01.0000.0000.0002.00
  16. [P-isis-1]is-level level-2
  17. [PE1-isis-1]domain-authentication-mode md5 ICTEXAM
  18. [P]interface LoopBack 0
  19. [P-LoopBack0]isis enable 1
  20. [P]interface GigabitEthernet0/0/1
  21. [P-GigabitEthernet0/0/1]isis enable 1
  22. [P]interface GigabitEthernet0/0/2
  23. [P-GigabitEthernet0/0/2]isis enable 1
  26. #PE2
  27. [PE2]isis 1
  28. [PE2-isis-1]network-entity 01.0000.0000.0003.00
  29. [PE2-isis-1]is-level level-2
  30. [PE1-isis-1]domain-authentication-mode md5 ICTEXAM
  31. [PE2]interface LoopBack 0
  32. [PE2-LoopBack0]isis enable 1
  33. [PE2]interface GigabitEthernet0/0/1
  34. [PE2-GigabitEthernet0/0/1]isis enable 1
  37. OSPF
  38. #FW3
  39. [FW3]ospf 1
  40. [FW3-ospf-1]default-route-advertise type 1
  41. [FW3-ospf-1]area 0
  42. [FW3-ospf-1-area-0.0.0.0]network 30.1.1.1 0.0.0.0
  44. #DC-GW
  45. [DC-GW]ospf 1
  46. [DC-GW-ospf-1]area 0
  47. [DC-GW-ospf-1-area-0.0.0.0]network 11.11.11.11 0.0.0.0
  48. [DC-GW-ospf-1-area-0.0.0.0]network 30.1.1.2 0.0.0.0
  49. [DC-GW-ospf-1-area-0.0.0.0]network 30.1.2.1 0.0.0.0
  50. [DC-GW-ospf-1-area-0.0.0.0]network 30.1.3.1 0.0.0.0
  52. #Leaf1
  53. [Leaf1]ospf 1
  54. [Leaf1-ospf-1]area 0
  55. [Leaf1-ospf-1-area-0.0.0.0]network 12.12.12.12 0.0.0.0
  56. [Leaf1-ospf-1-area-0.0.0.0]network 30.1.2.2 0.0.0.0
  57. [Leaf1-ospf-1-area-0.0.0.0]network 172.16.1.254 0.0.0.0
  59. #Leaf2
  60. [Leaf2]ospf 1
  61. [Leaf2-ospf-1]area 0
  62. [Leaf2-ospf-1-area-0.0.0.0]network 30.1.3.2 0.0.0.0
  63. [Leaf2-ospf-1-area-0.0.0.0]network 13.13.13.13 0.0.0.0
  65. BGP
  66. #PE1
  67. [PE1]bgp 100
  68. [PE1-bgp]peer 2.2.2.2 as-number 100
  69. [PE1-bgp]peer 2.2.2.2 connect-interface LoopBack0
  71. #P
  72. [P]bgp 100
  73. [P-bgp]group PE1-PE2 internal
  74. [P-bgp]peer 1.1.1.1 group PE1-PE2
  75. [P-bgp]peer 3.3.3.3 group PE1-PE2
  76. [P-bgp]peer PE1-PE2 connect-interface LoopBack 0
  77. [P-bgp]peer PE1-PE2 reflect-client
  79. #PE2
  80. [PE2]bgp 100
  81. [PE2-bgp]peer 2.2.2.2 as-number 100
  82. [PE2-bgp]peer 2.2.2.2 connect-interface LoopBack 0
  83. [PE2-bgp]peer 20.1.4.2 as-number 200
  84. [PE2-bgp]peer 20.1.3.2 as-number 300
  85. [PE2-bgp]peer 2.2.2.2 next-hop-local
  87. #Internet
  88. [Internet]bgp 200
  89. [Internet-bgp]peer 20.1.4.1 as-number 100
  90. [Internet-bgp]network 16.16.16.16 32
  92. #FW3
  93. [Internet]bgp 300
  94. [Internet-bgp]peer 20.1.3.1 as-number 100
  95. [Internet-bgp]network 100.1.1.1 32

 验证:

 

 

 任务8:MPLS VPN(路由可参考图2-3及描述)

  1. PE1的loopback0和P路由器的Loopback0配置为MP-IBGP邻居,PE2的loopback0和P路由器的loopback0配置MP-IBGP邻居,P路由器配置为VPN反射器vRR,PE1和PE2是P路由器的客户端。为了能将路由顺利传递,需要在P路由器上配置undo policy vpn-target。
  2. PE1、P、PE2使能MPLS和MPLS LDP,并将各自的loopback0接口地址配置为MPLS LSR ID。PE1的GE0/0/2,P路由器的GE0/0/1和GE0/0/2,PE2的FE0/0/1均使能MPLS和MPLS LDP。
  3. PE1和PE2配置VPN实例,命名为ToDC,RD值为100:1,Export RT和Import RT均为200:1。把PE1的GE0/0/3.1接口绑定到PE1的VPN实例ToDC,PE2的GE0/0/2绑定到PE2的VPN实例ToDC。
  4. 在PE1的VPN实例ToDC内配置静态路由,目的网段为Web-Client地址段192.168.0.0/16,吓一跳指向FW1和FW2的GE1/0/3.1,以实现Web-Server回程流量的负载分担。将配置的两条等价静态路由引入到VPN实例ToDC中,让MP-IBGP通告给PE2,引导Web-Server的回程流量。
  5. PE2的VPN实例ToDC上的接口GE0/0/2与FW3的GE1/0/2配置为EBGP邻居,通过EBGP邻居交换Web-Server业务路由。
  1. 任务8:MPLS VPN配置
  2. VPN实例
  3. #PE1
  4. [PE1]ip vpn-instance ToDC
  5. [PE1-vpn-instance-ToDC]route-distinguisher 100:1
  6. [PE1-vpn-instance-ToDC-af-ipv4]vpn-target 200:1 both
  7. [PE1]interface GigabitEthernet0/0/3.1
  8. [PE1-GigabitEthernet0/0/3.1]ip binding vpn-instance ToDC
  9. [PE1-GigabitEthernet0/0/3.1]ip address 10.3.2.2 30
  10. [PE1]interface GigabitEthernet0/0/1.1
  11. [PE1-GigabitEthernet0/0/1.1]ip binding vpn-instance ToDC
  12. [PE1-GigabitEthernet0/0/1.1]ip address 10.2.2.2 30
  14. #PE2
  15. [PE2]ip vpn-instance ToDC
  16. [PE2-vpn-instance-ToDC]route-distinguisher 100:1
  17. [PE2-vpn-instance-ToDC-af-ipv4]vpn-target 200:1 both
  18. [PE2]interface GigabitEthernet0/0/2
  19. [PE2-GigabitEthernet0/0/2]ip binding vpn-instance ToDC
  20. [PE2-GigabitEthernet0/0/2]ip address 20.1.3.1 30
  22. MPLS
  23. #PE1
  24. [PE1]mpls lsr-id 1.1.1.1
  25. [PE1]mpls
  26. [PE1]mpls ldp
  27. [PE1]interface GigabitEthernet0/0/2
  28. [PE1-GigabitEthernet0/0/2]mpls
  29. [PE1-GigabitEthernet0/0/2]mpls ldp
  31. #P
  32. [P]mpls lsr-id 2.2.2.2
  33. [P]mpls
  34. [P]mpls ldp
  35. [P]interface GigabitEthernet0/0/1
  36. [P-GigabitEthernet0/0/1]mpls
  37. [P-GigabitEthernet0/0/1]mpls ldp
  38. [P]interface GigabitEthernet0/0/2
  39. [P-GigabitEthernet0/0/2]mpls
  40. [P-GigabitEthernet0/0/2]mpls ldp
  42. #PE2
  43. [PE2]mpls lsr-id 3.3.3.3
  44. [PE2]mpls
  45. [PE2]mpls ldp
  46. [PE2]interface GigabitEthernet0/0/1
  47. [PE2-GigabitEthernet0/0/1]mpls
  48. [PE2-GigabitEthernet0/0/1]mpls ldp
  50. MP-BGP
  51. #PE1
  52. [PE1]bgp 100
  53. [PE1-bgp]ipv4-family vpnv4
  54. [PE1-bgp-af-vpnv4]peer 2.2.2.2 enable
  56. #P
  57. [P]bgp 100
  58. [P-bgp]ipv4-family vpnv4
  59. [P-bgp-af-vpnv4]undo policy vpn-target
  60. [P-bgp-af-vpnv4]peer 1.1.1.1 enable
  61. [P-bgp-af-vpnv4]peer 3.3.3.3 enable
  62. [P-bgp-af-vpnv4]peer 1.1.1.1 reflect-client
  63. [P-bgp-af-vpnv4]peer 3.3.3.3 reflect-client
  65. #PE2
  66. [PE2-bgp]ipv4-family vpn-instance ToDC
  67. [PE2-bgp-ToDC]peer 20.1.3.2 as-number 300
  68. [PE2-bgp]ipv4-family vpnv4
  69. [PE2-bgp-af-vpnv4]peer 2.2.2.2 enable
  70. [PE2-bgp-af-vpnv4]peer 2.2.2.2 next-hop-local
  74. VPN静态路由
  75. #PE1
  76. [PE1]ip route-static vpn-instance ToDC 192.168.0.0 16 10.2.2.1
  77. [PE1]ip route-static vpn-instance ToDC 192.168.0.0 16 10.3.2.1
  78. [PE1]bgp 100
  79. [PE1-bgp]ipv4-family vpn-instance ToDC
  80. [PE1-bgp-ToDC]network 10.3.2.0 30
  81. [PE1-bgp-ToDC]network 192.168.0.0 16

验证:

 

 

任务9:GRE

  1. 数据中心的租户会部署虚拟私有网络,该虚拟私有网络划分两个子网,VM1属于子网1(172.16.3.0/24),VM2属于子网2(172.16.2.0/24),为实现数据中心位于这两个不同子网的虚拟机互通,需要在VM1的网关Leaf和VM2的网关Leaf2之间部署GRE,根据表2-6参数规划完成GRE隧道配置。

配置过程:

  1. 任务9:GRE
  2. #Leaf1
  3. [Leaf1]interface Tunnel 0/0/0
  4. [Leaf1-Tunnel0/0/0]tunnel-protocol gre
  5. [Leaf1-Tunnel0/0/0]ip address 173.1.2.1 30
  6. [Leaf1-Tunnel0/0/0]source 12.12.12.12
  7. [Leaf1-Tunnel0/0/0]destination 13.13.13.13
  8. [Leaf1]ip route-static 172.16.2.0 24 173.1.2.2
  10. #Leaf2
  11. [Leaf2]interface Tunnel 0/0/0
  12. [Leaf2-Tunnel0/0/0]tunnel-protocol gre
  13. [Leaf2-Tunnel0/0/0]ip address 173.1.2.2 30
  14. [Leaf2-Tunnel0/0/0]source 13.13.13.13
  15. [Leaf2-Tunnel0/0/0]destination 12.12.12.12
  16. [Leaf2]ip route-static 172.16.3.0 24 173.1.2.1

验证: 

 

任务10:WLAN

Ⅰ.有线侧网络配置
  1. 完成企业内网的交换机侧配置,使得AP能够与AC进行通信,AP下的终端到WLAN网络后可以与网关(防火墙)进行通信。
  2. 完成AC侧底层网络配置,使得AC能够与AP进行通信,AC作为DHCP服务器分别为AP、Station分配IP地址。 
Ⅱ.WLAN业务配置 
  1. WLAN侧业务要求如下:AP与AC处于同一网段,AP直接二层注册到AC,AP通过AC来转发station流量,AC作为AP以及station的DHCP Server。
  2. 无线侧业务配置按照表2-8规划完成: 

配置过程:

  1. 任务10:WLAN
  2. DHCP
  3. #AC1
  4. [AC]interface Vlanif 19
  5. [AC-Vlanif19]ip address 192.168.19.254 24
  6. [AC]dhcp enable
  7. [AC]ip pool For_AP
  8. [AC-ip-pool-For_AP]network 192.168.19.0 mask 255.255.255.0
  9. [AC-ip-pool-For_AP]gateway-list 192.168.19.254
  10. [AC]ip pool STA
  11. [AC-ip-pool-STA]network 192.168.2.0 mask 255.255.255.0
  12. [AC-ip-pool-STA]gateway-list 192.168.2.254
  13. [AC]interface Vlanif 19
  14. [AC-Vlanif19]dhcp select global
  15. [AC]interface Vlanif 20
  16. [AC-Vlanif20]dhcp select global
  17. [AC]interface Vlanif 19
  18. [AC-Vlanif19]ip address 192.168.19.254 24
  20. WLAN业务配置
  21. [AC]capwap source interface Vlanif 19
  22. [AC]wlan
  23. [AC-wlan-view]ap auth-mode mac-auth
  24. [AC-wlan-view]ap-id 0 ap-mac 00e0-fc52-0650
  25. [AC-wlan-ap-0]ap-name AP
  26. [AC-wlan-ap-0]ap-group default
  27. [AC-wlan-view]ssid-profile name s1
  28. [AC-wlan-ssid-prof-s1]ssid ICT
  29. [AC-wlan-view]security-profile name s1
  30. [AC-wlan-sec-prof-s1]security wpa-wpa2 psk pass-phrase Huawei@123 aes
  31. [AC-wlan-view]vap-profile name p1
  32. [AC-wlan-vap-prof-p1]forward-mode tunnel
  33. [AC-wlan-vap-prof-p1]service-vlan vlan-id 20
  34. [AC-wlan-vap-prof-p1]ssid-profile s1
  35. [AC-wlan-vap-prof-p1]security-profile s1
  36. [AC-wlan-view]ap-group name default
  37. [AC-wlan-ap-group-default]regulatory-domain-profile default
  38. [AC-wlan-ap-group-default]vap-profile p1 wlan 1 radio all

验证:

 

标签:
声明

1.本站遵循行业规范,任何转载的稿件都会明确标注作者和来源;2.本站的原创文章,请转载时务必注明文章作者和来源,不尊重原创的行为我们将追究责任;3.作者投稿可能会经我们编辑修改或补充。

在线投稿:投稿 站长QQ:1888636

后台-插件-广告管理-内容页尾部广告(手机)
相关文章
关注我们

扫一扫关注我们,了解最新精彩内容

搜索
排行榜
最近发表
标签列表