IP integrated lab

[Topology screenshots: QQ截图20240629212923, QQ截图20240629213005]

The detailed steps were not fully recorded; only the outline is.

1. Configure VLANs and allow them on the interfaces

(The switches allow VLANs 10, 20, 30, 66, 88 and 100 on their trunks.)

Agg1 and Agg2 (汇聚1 and 汇聚2, the two aggregation switches) are joined by link aggregation; Eth-Trunk 1 allows the VLANs.

Note: Agg1's G0/0/7 carries only WLAN traffic. VLANs 10, 20 and 30 never traverse it, so allowing VLANs 66, 88 and 100 on it is enough; keeping the wired VLANs off it also keeps their broadcast domains off the wireless uplink.

2. Configure MSTP

Agg1 (汇聚1) is the primary root bridge for the WLAN VLANs (66, 88, 100); Agg2 (汇聚2) is the primary root bridge for the wired VLANs (10, 20, 30). Mapping the two VLAN sets to two instances lets both uplinks forward instead of leaving one blocked.

On every switch in the region (the region name, revision level and VLAN-to-instance mapping must be identical, otherwise the switches form separate regions):

stp mode mstp
stp region-configuration
 region-name aa
 instance 1 vlan 66 88 100
 instance 2 vlan 10 20 30
 active region-configuration

Agg1:

stp instance 1 root primary
stp instance 2 root secondary

Agg2:

stp instance 1 root secondary
stp instance 2 root primary

3. AC and APs

Management VLAN 100; service VLANs 88 and 66.

AC:

vlan 100
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 66 88
interface Vlanif100
 ip address 192.168.100.254 24
capwap source interface vlanif 100

WLAN configuration:

wlan
 ap-group name ap                       (create the AP group)
  regulatory-domain-profile default
 security-profile name yuangong         (two security profiles)
  security wpa-wpa2 psk pass-phrase yuangong666 aes
 security-profile name fangke
  security wpa-wpa2 psk pass-phrase fangke888 aes
 ssid-profile name yuangong             (two SSID profiles)
  ssid yuangong
 ssid-profile name fangke
  ssid fangke
 vap-profile name yuangong              (two VAP profiles, binding yuangong and fangke respectively)
  security-profile yuangong
  ssid-profile yuangong
  service-vlan vlan-id 66
 vap-profile name fangke
  security-profile fangke
  ssid-profile fangke
  service-vlan vlan-id 88
 ap-id 0 ap-mac 00e0-fca6-10f0          (bring the three APs online)
  ap-name ap1
  ap-group ap
 ap-id 1 ap-mac 00e0-fc64-6810
  ap-name ap2
  ap-group ap
 ap-id 2 ap-mac 00e0-fcbb-3530
  ap-name ap3
  ap-group ap
 ap-group name ap                       (deliver the VAPs to the radios)
  vap-profile yuangong wlan 1 radio all
  vap-profile fangke wlan 2 radio all

DHCP for the APs' management addresses (the AC hands out VLAN 100 addresses from its own interface; the service VLANs 66 and 88 are served by the aggregation switches in step 5):

dhcp enable
interface Vlanif100
 dhcp select interface

The pre-shared passphrases above are lab values. On a real network use long random PSKs (or 802.1X for the staff SSID), and keep the guest VLAN 88 separated from the staff VLAN 66 at the aggregation switches, since both SSIDs terminate on the same APs.

4. Configure VRRP

Agg1:

interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.254

Agg2:

interface Vlanif10
 ip address 192.168.10.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.254
 vrrp vrid 1 priority 120      (Agg2 is the MSTP root for VLANs 10, 20 and 30, so its priority is raised above the default 100 and it becomes master)

Only VRID 1 is shown; VLANs 20 and 30 are created the same way, each with its own VRID and virtual address.

For VLANs 66 and 88 raise the priority on Agg1 instead. Keeping the VRRP master on the same switch as the spanning-tree root for each VLAN set means a client's traffic reaches its gateway without hairpinning across the inter-switch link.

5. Configure DHCP

Because VRRP is in use, DHCP is configured on both Agg1 and Agg2: both switches see the clients' broadcast DISCOVERs, and either may be the active gateway.

ip pool 10
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 excluded-ip-address 192.168.10.1 192.168.10.2
ip pool 20
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 excluded-ip-address 192.168.20.1 192.168.20.2
ip pool 30
 gateway-list 192.168.30.254
 network 192.168.30.0 mask 255.255.255.0
 excluded-ip-address 192.168.30.1 192.168.30.2
ip pool 66
 gateway-list 192.168.66.254
 network 192.168.66.0 mask 255.255.255.0
 excluded-ip-address 192.168.66.1 192.168.66.2
ip pool 88
 gateway-list 192.168.88.254
 network 192.168.88.0 mask 255.255.255.0
 excluded-ip-address 192.168.88.1 192.168.88.2

interface Vlanif10
 dhcp select global
interface Vlanif20
 dhcp select global
interface Vlanif30
 dhcp select global
interface Vlanif66
 dhcp select global
interface Vlanif88
 dhcp select global

The gateway handed to clients is the VRRP virtual address; the two switches' own SVI addresses (.1 and .2) are excluded. The two servers allocate from the same range independently with no lease synchronisation, so in a real deployment give each switch a disjoint part of the range to avoid handing out the same address twice.

6. Configure OSPF

First configure IP addresses on the aggregation switches' VLANIF interfaces (omitted). From the network statements: 10.0.1.0/30 is the Agg1 to exit router link, 10.0.2.0/30 the Agg2 to exit router link, 10.0.3.0/30 the Agg1 to Agg2 link, and 192.168.60.0/24 the server segment behind the exit router.

Agg1:

ospf 1
 area 0.0.0.0
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 192.168.66.0 0.0.0.255
  network 192.168.88.0 0.0.0.255
  network 10.0.1.0 0.0.0.3
  network 10.0.3.0 0.0.0.3

Agg2:

ospf 1
 area 0.0.0.0
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
  network 192.168.66.0 0.0.0.255
  network 192.168.88.0 0.0.0.255
  network 10.0.2.0 0.0.0.3
  network 10.0.3.0 0.0.0.3

Exit router:

IP addresses: omitted.

ospf 1
 area 0.0.0.0
  network 10.0.1.0 0.0.0.3
  network 10.0.2.0 0.0.0.3
  network 192.168.60.0 0.0.0.255

7. Configure IS-IS

Agg2 and the staff-dormitory router are connected through Vlanif43 on the 192.168.43.0/30 segment.

Agg2:

isis 1
 is-level level-2
 network-entity 49.0001.0000.0000.0001.00
interface Vlanif43
 isis enable 1

Dormitory router:

isis 1
 is-level level-2
 network-entity 49.0001.0000.0000.0002.00
interface GigabitEthernet0/0/0
 isis enable 1

Both routers share area 49.0001 and have distinct system IDs (0000.0000.0001 and 0000.0000.0002); a duplicated system ID would break the adjacency, and for a level-1 adjacency the area would also have to match.

8. Router-on-a-stick for the staff dormitory

Layer-2 switch:

vlan batch 40 50
interface Ethernet0/0/3
 port link-type access
 port default vlan 50
interface Ethernet0/0/1
 port link-type access
 port default vlan 40
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 40 50

Router:

interface GigabitEthernet0/0/1.10
 dot1q termination vid 50
 ip address 192.168.50.254 255.255.255.0
 arp broadcast enable
interface GigabitEthernet0/0/1.20
 dot1q termination vid 40
 ip address 192.168.40.254 255.255.255.0
 arp broadcast enable

The sub-interface number (.10, .20) is only a name; the VLAN each one serves is the one given in dot1q termination vid. arp broadcast enable is required on a termination sub-interface; without it the router will not send or answer ARP broadcasts there and the hosts cannot resolve their gateway.

9. DHCP on Agg2 for the dormitory PCs

The PCs are not on the same segment as the server, so DHCP relay is used.

Agg2:

ip pool 40
 gateway-list 192.168.40.254
 network 192.168.40.0 mask 255.255.255.0
ip pool 50
 gateway-list 192.168.50.254
 network 192.168.50.0 mask 255.255.255.0

interface Vlanif43
 dhcp select global

Relayed requests arrive on Vlanif43; the server picks the pool whose network contains the relay-agent address (giaddr) that the dormitory router inserts, 192.168.40.254 or 192.168.50.254.

Dormitory router, enable relay (192.168.43.1 is Agg2's Vlanif43 address; dhcp enable must already be on globally):

interface GigabitEthernet0/0/1.10
 dhcp select relay
 dhcp relay server-ip 192.168.43.1
interface GigabitEthernet0/0/1.20
 dhcp select relay
 dhcp relay server-ip 192.168.43.1

Advertise the sub-interfaces into isis 1:

interface GigabitEthernet0/0/1.10
 isis enable 1
interface GigabitEthernet0/0/1.20
 isis enable 1

This step is what makes the relay work: the server unicasts its OFFER and ACK back to the giaddr, so Agg2 needs routes to 192.168.40.0/24 and 192.168.50.0/24, which it learns through IS-IS once the sub-interfaces are enabled.

The dormitory PCs can now obtain addresses.

10. Mutual redistribution of OSPF and IS-IS on Agg2

Requirement: the dormitory must not be able to reach the business building (VLAN 20) or the finance building (VLAN 30).

ospf 1
 import-route isis 1

isis 1
 import-route ospf 1

At this point the entire intranet is reachable end to end, including the dormitory to VLANs 20 and 30.

Filtering

Agg2:

ip ip-prefix aa index 10 permit 192.168.20.0 24 less-equal 32
ip ip-prefix aa index 20 permit 192.168.30.0 24 less-equal 32

route-policy aa deny node 10
 if-match ip-prefix aa
route-policy aa permit node 20

isis 1
 import-route ospf 1 route-policy aa

Node 10 denies anything matched by prefix list aa (the two /24s and, because of less-equal 32, any longer prefix inside them); node 20 has no if-match and permits everything else. A route-policy ends in an implicit deny, so the empty permit node is required or nothing would be imported into IS-IS.
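The prefix-list and route-policy evaluation above, as an added Python model (not from the original notes, and not Huawei's implementation): it applies ip-prefix aa and route-policy aa to the OSPF prefixes from step 6 and then does a longest-prefix lookup on what the dormitory router is left with. The route lists are constructed from the prefixes in the notes; the optional 0.0.0.0/0 entry stands for the default that step 13 later originates on Agg2 with default-route-advertise, which is generated locally and never passes through route-policy aa.

```python
import ipaddress

# Added example, not from the page: model how Agg2 evaluates ip-prefix aa and
# route-policy aa when importing OSPF into IS-IS, then run a longest-prefix
# lookup on what the dormitory router ends up with.

OSPF_ROUTES = [  # routes Agg2 holds in OSPF (constructed from the notes)
    "192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24",
    "192.168.66.0/24", "192.168.88.0/24", "192.168.60.0/24",
]

# ip ip-prefix aa index 10 permit 192.168.20.0 24 less-equal 32
# ip ip-prefix aa index 20 permit 192.168.30.0 24 less-equal 32
PREFIX_LIST_AA = [
    {"index": 10, "action": "permit", "prefix": "192.168.20.0/24", "le": 32},
    {"index": 20, "action": "permit", "prefix": "192.168.30.0/24", "le": 32},
]

# route-policy aa deny node 10   -> if-match ip-prefix aa
# route-policy aa permit node 20 -> no if-match, matches every route
ROUTE_POLICY_AA = [
    {"node": 10, "action": "deny", "if_match_prefix": PREFIX_LIST_AA},
    {"node": 20, "action": "permit", "if_match_prefix": None},
]

def prefix_list_matches(prefix_list, route):
    """An entry matches when the route lies inside the entry's prefix and its
    length is within [greater-equal, less-equal] (each defaulting to the
    entry's own length). Entries are tried in index order; the first hit
    decides, and a route hitting no entry is not matched."""
    net_r = ipaddress.ip_network(str(route))
    for entry in sorted(prefix_list, key=lambda e: e["index"]):
        net_e = ipaddress.ip_network(entry["prefix"])
        ge = entry.get("ge", net_e.prefixlen)
        le = entry.get("le", net_e.prefixlen)
        if net_r.subnet_of(net_e) and ge <= net_r.prefixlen <= le:
            return entry["action"] == "permit"
    return False

def route_policy_permits(policy, route):
    """Nodes are evaluated in order and the first node whose if-match clauses
    all hold decides; a route matching no node is denied (implicit deny)."""
    for node in sorted(policy, key=lambda n: n["node"]):
        pl = node["if_match_prefix"]
        if pl is None or prefix_list_matches(pl, route):
            return node["action"] == "permit"
    return False

def import_ospf_into_isis(routes=OSPF_ROUTES, policy=ROUTE_POLICY_AA):
    """Prefixes Agg2 redistributes under `import-route ospf 1 route-policy aa`."""
    return [r for r in routes if route_policy_permits(policy, r)]

def dorm_router_rib(with_default_route):
    """IS-IS routes the dormitory router learns: the filtered imports plus,
    optionally, the default that step 13's default-route-advertise originates
    on Agg2 (generated locally, so route-policy aa never sees it)."""
    rib = import_ospf_into_isis()
    return (rib + ["0.0.0.0/0"]) if with_default_route else rib

def longest_match(rib, dst):
    """Ordinary longest-prefix-match lookup; returns the chosen prefix or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return None if best is None else str(best)

if __name__ == "__main__":
    print("imported into IS-IS:", import_ospf_into_isis())
    for flag in (False, True):
        print("default route", "present:" if flag else "absent: ",
              "192.168.30.253 ->", longest_match(dorm_router_rib(flag), "192.168.30.253"))
```

Without the default route, 192.168.30.253 has no match on the dormitory router and the filter holds; with it, the lookup falls through to 0.0.0.0/0 and the packet is forwarded to Agg2 anyway, which is exactly the ping result the notes report in step 13. Route filtering shapes the routing table; it is not a packet filter.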

11. NAPT

Exit router:

nat address-group 1 200.10.10.5 200.10.10.10
acl 2000
 rule 5 permit source any              (everyone may reach the Internet)
interface GigabitEthernet4/0/0
 ip address 200.10.10.3 255.255.255.0
 nat outbound 2000 address-group 1

Outbound sessions are translated to the pool 200.10.10.5 to .10 with port translation (no no-pat keyword), so many internal hosts share the six public addresses.

12. NAT Server

Requirement: the intranet can reach both the FTP and the HTTP server; the outside can reach only the HTTP server.

nat server protocol tcp global 200.10.10.1 any inside 192.168.60.1
nat server protocol tcp global 200.10.10.2 any inside 192.168.60.2

Caveat: as written this maps every TCP port of both hosts to the two global addresses, so the outside can reach the FTP server (and any other TCP service on either host) as well; only non-TCP traffic such as ICMP is left untranslated. Intranet hosts reach 192.168.60.x directly and never depend on these entries. To meet the stated requirement, keep a single entry for the HTTP host with port 80 given on both the global and the inside side instead of any, and drop the entry for the FTP host (the notes do not say which of .1 and .2 is which).

13. Advertise a default route

Exit router:

ospf 1
 default-route-advertise always

Agg2:

isis 1
 default-route-advertise always

Now PC4 can ping the 192.168.30.0 segment even though the route filter is in place. Cause: the default route that was just advertised. Filtering the /24s only removes the specific prefixes from IS-IS; the dormitory router's longest match for 192.168.30.253 is now 0.0.0.0/0 via Agg2, and Agg2 still holds the OSPF route, so the packet is forwarded anyway. Route filtering controls what the routing table contains, not what the data plane will forward.

PC>ping 192.168.30.253

Ping 192.168.30.253: 32 data bytes, Press Ctrl_C to break
From 192.168.30.253: bytes=32 seq=1 ttl=126 time=79 ms
From 192.168.30.253: bytes=32 seq=2 ttl=126 time=93 ms

Fix: filter in the data plane with an ACL packet filter (traffic-filter is an ACL filter, not policy-based routing).

Dormitory router:

acl 3000
 rule deny ip source 192.168.40.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule deny ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule deny ip source 192.168.50.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule deny ip source 192.168.50.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

interface GigabitEthernet0/0/0
 traffic-filter outbound acl 3000

The filter now works: packets from VLANs 40 and 50 to the 20 and 30 segments are dropped on the uplink, and packets that match no rule are still forwarded.
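ACL 3000 evaluated the way a traffic-filter applies it, as an added Python example (not from the original notes, and not Huawei's implementation): wildcard matching, first-match-wins in rule order, and the traffic-filter default that a packet matching no rule is forwarded. The rule numbers 5, 10, 15, 20 are the ones VRP assigns when rules are entered without a number (default step 5); the sample flows are constructed.

```python
import ipaddress

# Added example, not from the page: evaluate the dormitory router's ACL 3000
# the way a Huawei traffic-filter does, so the rules can be checked against
# sample flows before being applied to an interface.

def wildcard_match(addr, rule_addr, wildcard):
    """Wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.ip_address(addr))
    r = int(ipaddress.ip_address(rule_addr))
    w = int(ipaddress.ip_address(wildcard))
    return (a ^ r) & ~w & 0xFFFFFFFF == 0

# acl 3000 from the notes; rule numbers are the auto-assigned ones (step 5).
ACL_3000 = [
    # (rule id, action, src, src wildcard, dst, dst wildcard)
    (5,  "deny", "192.168.40.0", "0.0.0.255", "192.168.30.0", "0.0.0.255"),
    (10, "deny", "192.168.40.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    (15, "deny", "192.168.50.0", "0.0.0.255", "192.168.30.0", "0.0.0.255"),
    (20, "deny", "192.168.50.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
]

def traffic_filter(acl, src, dst):
    """Return 'permit' or 'deny' for one packet. Rules are checked in ascending
    rule-id order and the first match wins; a packet that matches no rule is
    forwarded, which is the traffic-filter default this example assumes."""
    for _, action, s_ip, s_wc, d_ip, d_wc in sorted(acl):
        if wildcard_match(src, s_ip, s_wc) and wildcard_match(dst, d_ip, d_wc):
            return action
    return "permit"

def check_flows(acl, flows):
    """Evaluate (src, dst) pairs; returns {(src, dst): action}."""
    return {(s, d): traffic_filter(acl, s, d) for s, d in flows}

SAMPLE_FLOWS = [  # constructed test flows, all leaving via G0/0/0 unless noted
    ("192.168.40.10", "192.168.30.253"),  # dorm -> finance: must be denied
    ("192.168.50.7",  "192.168.20.1"),    # dorm -> business: must be denied
    ("192.168.40.10", "192.168.10.5"),    # dorm -> VLAN 10: allowed
    ("192.168.40.10", "192.168.60.1"),    # dorm -> server segment: allowed
    ("192.168.40.10", "8.8.8.8"),         # dorm -> Internet via default: allowed
    ("192.168.30.253", "192.168.40.10"),  # reverse direction: no rule matches
]

if __name__ == "__main__":
    for (src, dst), action in check_flows(ACL_3000, SAMPLE_FLOWS).items():
        print(f"{src:>15} -> {dst:<15} {action}")
```

Note the last flow: a packet from VLAN 30 toward the dormitory would enter G0/0/0 inbound, so an outbound filter on that interface never sees it, and the ACL would not match it anyway. That is consistent with the requirement (only the dormitory's access to 20 and 30 is restricted), but it means hosts in those buildings can still initiate connections into the dormitory.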

14. Configure IS-IS in the ISP area

IP addresses and IS-IS: basic, omitted.

15. Configure IBGP in the ISP area

R5 (route reflector; every session is peered between loopbacks so it survives a single link failure):

bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 peer 1.1.1.1 reflect-client          (configure the client on the route reflector)
 peer 2.2.2.2 as-number 100
 peer 2.2.2.2 connect-interface LoopBack0
 peer 2.2.2.2 reflect-client
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack0
 peer 3.3.3.3 reflect-client
 peer 4.4.4.4 as-number 100
 peer 4.4.4.4 connect-interface LoopBack0
 peer 4.4.4.4 reflect-client

R1, R2, R3, R4 (clients):

bgp 100
 peer 5.5.5.5 as-number 100
 peer 5.5.5.5 connect-interface LoopBack0

Loopback peering relies on IS-IS (step 14) carrying the loopback addresses. With the reflector, the clients need no full mesh among themselves; R5 is the single point of failure for IBGP, which is acceptable in a lab.

Establishing EBGP: omitted.

16. NAT for company B

AR9:

acl 2000
 rule permit source any
interface GigabitEthernet0/0/2
 nat outbound 2000                               (Easy IP: translates to the interface's own address)
nat server global 200.10.20.3 inside 192.168.10.3    (nat server; with no protocol or port, every port and protocol of 192.168.10.3 is exposed at 200.10.20.3)

Company B's 192.168.10.0/24 overlaps campus A's VLAN 10; this only works because both sites sit behind NAT and neither private range is ever routed across the ISP.

17. Advertise routes into BGP

Company B cannot reach campus A's servers: there is no route.

The 200.10.10.0 segment has to be advertised into BGP.

AR1:

bgp 100
 network 200.10.10.0 24

The route then shows up on R3 but is not selected as best.

Cause: the next hop was not changed, so R3 has no route to the IBGP next hop.

R5:

bgp 100
 peer 1.1.1.1 next-hop-local
 peer 3.3.3.3 next-hop-local

Still not best. (The usual place for next-hop-local is on the border router, R1, toward its IBGP peers, so that the next hop is an address inside the IGP; setting it on the reflector did not resolve the problem here.)

Cause: R3 is a level-1 router and cannot learn level-2 routes, so from its point of view the BGP next hop is unreachable.

Fix: IS-IS route leaking.

R5:

isis 1
 import-route isis level-2 into level-1

The route is now best.

R3 likewise has to advertise the 200.10.20.0 segment into BGP.

R3:

bgp 100
 network 200.10.20.0 24

R1 learns it and selects it as best.

AR9 (default route):

ip route-static 0.0.0.0 0 200.10.20.1

Campus A exit router, add a default route:

ip route-static 0.0.0.0 0 200.10.10.4

Company B should now be able to reach campus A's servers.

Testing: ping fails, but the FTP server is reachable.

Cause: the nat server entries in step 12 map only TCP, so ICMP to 200.10.10.1 and .2 is never translated to the inside hosts and the echo requests terminate at the exit router. Reaching FTP from company B also confirms that the any-port TCP mapping exposes the FTP server externally, which the requirement in step 12 forbids.
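The inbound translation behind the step 12 entries and this final observation, as an added Python model (not from the original notes, and not Huawei's NAT implementation): it evaluates nat server entries against constructed probes to show why FTP answers from outside while ping does not, and what a mapping tightened to the stated requirement looks like. It assumes 192.168.60.1 is the HTTP server and 192.168.60.2 the FTP server, which the notes do not state.

```python
# Added example, not from the page: model the inbound (global -> inside)
# translation that the exit router's nat server entries perform.
# Assumption: 192.168.60.1 is the HTTP server, 192.168.60.2 the FTP server.

ANY = "any"

# As configured in step 12: every TCP port of both hosts, no other protocol.
NAT_SERVER_AS_CONFIGURED = [
    # (protocol, global ip, global port, inside ip, inside port)
    ("tcp", "200.10.10.1", ANY, "192.168.60.1", ANY),
    ("tcp", "200.10.10.2", ANY, "192.168.60.2", ANY),
]

# Tightened to the requirement: from outside, only HTTP on the HTTP host.
# (assumed entry: port 80 given on both sides instead of any, FTP host dropped)
NAT_SERVER_HTTP_ONLY = [
    ("tcp", "200.10.10.1", 80, "192.168.60.1", 80),
]

def translate_inbound(mappings, protocol, dst_ip, dst_port=None):
    """Return (inside_ip, inside_port) for a packet arriving from the global
    side, or None when no entry covers it; an untranslated packet is handled
    by the router itself (or dropped), never forwarded to the server."""
    for proto, g_ip, g_port, i_ip, i_port in mappings:
        if proto != protocol or g_ip != dst_ip:
            continue
        if g_port == ANY:
            return (i_ip, dst_port)       # any-port entry: port preserved 1:1
        if dst_port == g_port:
            return (i_ip, i_port)
    return None

def external_exposure(mappings, probes):
    """Evaluate constructed probes; returns {(proto, ip, port): translation}."""
    return {p: translate_inbound(mappings, *p) for p in probes}

PROBES = [  # constructed
    ("tcp",  "200.10.10.1", 80),    # HTTP: required to work
    ("tcp",  "200.10.10.2", 21),    # FTP control: must be blocked externally
    ("tcp",  "200.10.10.1", 22),    # another TCP service on the web host
    ("icmp", "200.10.10.1", None),  # ping: the notes' final observation
]

if __name__ == "__main__":
    for name, table in (("as configured", NAT_SERVER_AS_CONFIGURED),
                        ("http only", NAT_SERVER_HTTP_ONLY)):
        print(name)
        for probe, result in external_exposure(table, PROBES).items():
            print("  ", probe, "->", result)
```

With the entries as configured, port 21 on 200.10.10.2 and port 22 on 200.10.10.1 both translate, while ICMP never does, matching what the notes observed. With the single port-80 entry only HTTP is reachable from outside; ICMP still is not, and the intranet's access to FTP is unaffected because internal hosts address 192.168.60.x directly. If external ping to the web server is wanted, a protocol-less entry like the one company B uses in step 16 would translate ICMP too, at the cost of exposing every port.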