IP comprehensive lab
Yang: the detailed steps were not fully recorded; this is only an outline.
1. Configure VLANs and allow them on the interfaces
(The switches allow VLANs 10, 20, 30, 66, 88 and 100.)
Aggregation 1 and aggregation 2 are connected by link aggregation; Eth-Trunk 1 is a trunk that allows these VLANs.
Note: g0/0/7 on aggregation 1 carries only WLAN traffic; VLANs 10, 20 and 30 never use it, so only VLANs 66, 88 and 100 need to be allowed there. Allowing on each trunk only the VLANs it actually carries keeps the wired user VLANs off the wireless uplink and limits what a compromised AP could reach.
2. Configure MSTP
The root bridge for the WLAN VLANs (66, 88, 100) is aggregation 1.
The root bridge for the wired VLANs (10, 20, 30) is aggregation 2.
On both aggregation switches (region name and instance-to-VLAN mapping must be identical, otherwise the two switches form separate MST regions):
stp mode mstp
stp region-configuration
region-name aa
instance 1 vlan 66 88 100
instance 2 vlan 10 20 30
active region-configuration
Aggregation 1:
stp instance 1 root primary
stp instance 2 root secondary
Aggregation 2:
stp instance 1 root secondary
stp instance 2 root primary
The root roles are fixed with root primary/secondary rather than by hand-tuned priorities. On host-facing access ports, BPDU protection and edge-port settings should additionally be enabled so that a rogue switch plugged into a user port cannot send a lower bridge ID and take over the root role.
3. AC and APs
Management VLAN 100; service VLANs 88 and 66.
AC:
vlan 100
interface GigabitEthernet 0/0/1
port link-type trunk
port trunk allow-pass vlan 100 66 88
interface Vlanif 100
ip address 192.168.100.254 24
capwap source interface vlanif 100
WLAN configuration:
wlan
ap-group name ap   (create the AP group)
regulatory-domain-profile default
security-profile name yuangong   (two security profiles)
security wpa-wpa2 psk pass-phrase yuangong666 aes
security-profile name fangke
security wpa-wpa2 psk pass-phrase fangke888 aes
ssid-profile name yuangong   (two SSID profiles)
ssid yuangong
ssid-profile name fangke
ssid fangke
vap-profile name yuangong   (two VAP profiles, bound to yuangong and fangke respectively)
security-profile yuangong
ssid-profile yuangong
service-vlan vlan-id 66
vap-profile name fangke
security-profile fangke
ssid-profile fangke
service-vlan vlan-id 88
ap-id 0 ap-mac 00e0-fca6-10f0   (bring three APs online)
ap-name ap1
ap-group ap
ap-id 1 ap-mac 00e0-fc64-6810
ap-name ap2
ap-group ap
ap-id 2 ap-mac 00e0-fcbb-3530
ap-name ap3
ap-group ap
ap-group name ap   (push the VAPs to the radios)
vap-profile yuangong wlan 1 radio all
vap-profile fangke wlan 2 radio all
dhcp enable   (DHCP for the APs on the management VLAN)
interface Vlanif 100
dhcp select interface
Putting staff (VLAN 66) and guests (VLAN 88) on separate service VLANs is the right split. The passphrases themselves are the weak point: yuangong666 and fangke888 are short, predictable strings, WPA2-PSK derives the PMK from the passphrase with PBKDF2-HMAC-SHA1 (4096 iterations), and everyone on an SSID shares that one key, so a single captured 4-way handshake is enough to brute-force such passphrases offline. Use long random passphrases, and prefer 802.1X for the staff SSID where an authentication server is available.
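The derivation behind that caveat, as an added example that is not part of the lab writeup: it computes the WPA2 PMK exactly as the AC and clients do for the two SSIDs above and then runs a constructed wordlist against it. The comparison is made against the PMK directly to keep the illustration short; a real tool verifies guesses through the handshake MIC, but the per-guess cost (one PBKDF2 run) is the same. The IEEE 802.11i Annex test vector is included so the derivation can be checked against a published value.

```python
# Added example (not part of the lab writeup): how WPA2-PSK derives the PMK from the
# passphrases configured above, and why short passphrases are weak.
# Assumptions (not from the page): an attacker who has captured one 4-way handshake
# for the SSID can test candidate PMKs offline; the candidate list is constructed.
import hashlib
from typing import Iterable, Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) per IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing: derive a PMK per candidate and compare with the recovered one.

    Each guess costs 4096 HMAC-SHA1 rounds, which is cheap on a GPU; a long random
    passphrase is the only defence once the handshake has been captured.
    """
    for cand in candidates:
        if wpa2_pmk(cand, ssid) == target_pmk:
            return cand
    return None


# IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
)

# Constructed candidate list (the kind of output a small wordlist with rules produces).
CANDIDATES = [
    "yuangong", "yuangong123", "yuangong666", "fangke", "fangke888", "company2024",
]


def demo() -> dict:
    """Derive the PMK for each lab SSID and show that the wordlist recovers both passphrases."""
    results = {}
    for ssid, passphrase in (("yuangong", "yuangong666"), ("fangke", "fangke888")):
        pmk = wpa2_pmk(passphrase, ssid)  # what the AC/AP and every client compute
        results[ssid] = dictionary_attack(pmk, ssid, CANDIDATES)
    return results


if __name__ == "__main__":
    assert wpa2_pmk("password", "IEEE") == IEEE_VECTOR_PMK
    print(demo())  # {'yuangong': 'yuangong666', 'fangke': 'fangke888'}
```

Both lab passphrases fall to a six-entry list. The SSID is the PBKDF2 salt, so a passphrase reused across SSIDs still has to be cracked per SSID, but that only multiplies attacker cost by the number of SSIDs, not by passphrase strength.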
4. Configure VRRP
Aggregation 1:
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.10.254
Aggregation 2:
interface Vlanif10
ip address 192.168.10.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.10.254
vrrp vrid 1 priority 120   (aggregation 2 is the root bridge for VLANs 10, 20 and 30, so its priority is raised; keeping the VRRP master on the STP root avoids hairpinning traffic across the inter-switch link)
Only VRRP group 1 is shown; VLAN 20 and VLAN 30 are created the same way.
For VLANs 66 and 88, raise the priority on aggregation 1 instead.
VRRP here runs without authentication: any host on these VLANs that sends VRRP advertisements with a higher priority becomes master and receives the gateway traffic. Where the platform supports it, enable VRRP authentication on the Vlanifs.
5. Configure DHCP
Because VRRP is used, both aggregation 1 and aggregation 2 must run the DHCP server (each excludes the other's physical address so neither hands it out):
ip pool 10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.1 192.168.10.2
ip pool 20
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
excluded-ip-address 192.168.20.1 192.168.20.2
ip pool 30
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
excluded-ip-address 192.168.30.1 192.168.30.2
ip pool 66
gateway-list 192.168.66.254
network 192.168.66.0 mask 255.255.255.0
excluded-ip-address 192.168.66.1 192.168.66.2
ip pool 88
gateway-list 192.168.88.254
network 192.168.88.0 mask 255.255.255.0
excluded-ip-address 192.168.88.1 192.168.88.2
interface Vlanif 10
dhcp select global
interface Vlanif 20
dhcp select global
interface Vlanif 30
dhcp select global
interface Vlanif 66
dhcp select global
interface Vlanif 88
dhcp select global
The two servers answer DISCOVERs independently from identical pools, so duplicate leases are possible unless conflict detection is relied on or the pools are split between the switches.
6. Configure OSPF
First configure the IP addresses on the aggregation switches' Vlanif interfaces (omitted).
Aggregation 1:
ospf 1
area 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.66.0 0.0.0.255
network 192.168.88.0 0.0.0.255
network 10.0.1.0 0.0.0.3
network 10.0.3.0 0.0.0.3
Aggregation 2:
ospf 1
area 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.66.0 0.0.0.255
network 192.168.88.0 0.0.0.255
network 10.0.2.0 0.0.0.3
network 10.0.3.0 0.0.0.3
Egress router:
IP addresses: omitted
ospf 1
area 0.0.0.0
network 10.0.1.0 0.0.0.3
network 10.0.2.0 0.0.0.3
network 192.168.60.0 0.0.0.255
The user-facing Vlanifs (10, 20, 30, 66, 88) are enabled for OSPF so their prefixes are advertised, but as configured they also send Hellos, so any host on those VLANs could form an adjacency and inject routes. Make them silent-interface under ospf 1 and enable OSPF authentication on the links between the switches and the egress router.
7. Configure IS-IS
Aggregation 2 and the staff dormitory router are connected through Vlanif 43 on the 192.168.43.0/30 network.
Aggregation 2:
isis 1
is-level level-2
network-entity 49.0001.0000.0000.0001.00
interface Vlanif 43
isis enable
Staff dormitory router:
isis 1
is-level level-2
network-entity 49.0001.0000.0000.0002.00
interface GigabitEthernet 0/0/0
isis enable
Both NETs share area 49.0001; the system IDs (0000.0000.0001 and 0000.0000.0002) must differ and the NSEL is 00.
8. Router-on-a-stick for the staff dormitory area
Layer-2 switch:
vlan batch 40 50
interface Ethernet 0/0/3
port link-type access
port default vlan 50
interface Ethernet 0/0/1
port link-type access
port default vlan 40
interface GigabitEthernet 0/0/1
port link-type trunk
port trunk allow-pass vlan 40 50
Router:
interface GigabitEthernet0/0/1.10
dot1q termination vid 50
ip address 192.168.50.254 255.255.255.0
arp broadcast enable
interface GigabitEthernet0/0/1.20
dot1q termination vid 40
ip address 192.168.40.254 255.255.255.0
arp broadcast enable
(The subinterface numbers do not match the VLAN IDs they terminate; it works, but naming them .40 and .50 would avoid confusion.)
9. Aggregation 2 assigns addresses to the dormitory PCs by DHCP
The PCs are not on the same network as the server, so DHCP relay is used.
Aggregation 2:
ip pool 40
gateway-list 192.168.40.254
network 192.168.40.0 mask 255.255.255.0
ip pool 50
gateway-list 192.168.50.254
network 192.168.50.0 mask 255.255.255.0
interface Vlanif43
dhcp select global   (relayed requests arrive on this interface)
Staff dormitory router:
Enable the relay:
interface GigabitEthernet0/0/1.10
dhcp select relay
dhcp relay server-ip 192.168.43.1
interface GigabitEthernet0/0/1.20
dhcp select relay
dhcp relay server-ip 192.168.43.1
Advertise the subinterfaces into isis 1:
interface GigabitEthernet0/0/1.10
isis enable 1
interface GigabitEthernet0/0/1.20
isis enable 1
The relay sets giaddr to the subinterface address, which is how the server picks pool 40 or 50, and it unicasts the reply back to that address, so aggregation 2 needs routes to 192.168.40.0/24 and 192.168.50.0/24. Once the subinterfaces are in IS-IS, the dormitory area can obtain addresses.
10. Mutual redistribution of OSPF and IS-IS on aggregation 2
Goal: the dormitory area must not be able to reach the business building (VLAN 20) or the finance building (VLAN 30).
ospf 1
import-route isis 1
isis 1
import-route ospf 1
At this point the whole intranet is reachable.
Filtering
Aggregation 2:
ip ip-prefix aa index 10 permit 192.168.20.0 24 less-equal 32
ip ip-prefix aa index 20 permit 192.168.30.0 24 less-equal 32
route-policy aa deny node 10
if-match ip-prefix aa
route-policy aa permit node 20
isis 1
import-route ospf 1 route-policy aa
Node 10 drops every route the prefix list matches (less-equal 32 also catches any more specific subnets of 20.0/24 and 30.0/24); node 20 has no if-match clause and permits everything else. Without node 20 the route-policy's implicit deny would stop all OSPF routes from entering IS-IS. Note that this only withholds the two prefixes from the dormitory side; it is a routing filter, not an access control (see step 13).
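A model of the prefix-list and route-policy matching used in this step, written here as an added example (it is not from the lab and not a Huawei tool). It encodes the ip-prefix and route-policy semantics described above, applies them to a constructed set of OSPF routes built from this lab's prefixes, and shows what the import would carry into IS-IS with and without the permit node.

```python
# Added example (not from the lab): a model of Huawei ip-prefix and route-policy matching,
# applied to the OSPF routes aggregation 2 imports into IS-IS in step 10.
# The route set below is constructed from the prefixes used in this lab.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PrefixEntry:
    """One 'ip ip-prefix NAME index N permit|deny A.B.C.D LEN [greater-equal G] [less-equal L]' line."""
    index: int
    action: str
    network: ipaddress.IPv4Network
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if not route.subnet_of(self.network):        # route must lie inside network/LEN
            return False
        lo = self.network.prefixlen if self.greater_equal is None else self.greater_equal
        if self.less_equal is not None:
            hi = self.less_equal
        elif self.greater_equal is not None:
            hi = 32
        else:
            hi = self.network.prefixlen                  # neither given: exact length only
        return lo <= route.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixEntry], route: ipaddress.IPv4Network) -> bool:
    """Entries are tried in index order; the first match wins; no match is an implicit deny."""
    for entry in sorted(entries, key=lambda e: e.index):
        if entry.matches(route):
            return entry.action == "permit"
    return False


@dataclass
class PolicyNode:
    """One 'route-policy NAME permit|deny node N' with its if-match ip-prefix clauses."""
    node: int
    action: str
    if_match_prefix: List[str] = field(default_factory=list)  # all clauses must match (AND)


def route_policy_permits(nodes: List[PolicyNode], prefix_lists: Dict[str, List[PrefixEntry]],
                         route: ipaddress.IPv4Network) -> bool:
    """Nodes are tried in order; the first node whose clauses all match decides; no match denies."""
    for n in sorted(nodes, key=lambda n: n.node):
        if all(prefix_list_permits(prefix_lists[name], route) for name in n.if_match_prefix):
            return n.action == "permit"
    return False


PREFIX_LISTS = {
    "aa": [
        PrefixEntry(10, "permit", ipaddress.ip_network("192.168.20.0/24"), less_equal=32),
        PrefixEntry(20, "permit", ipaddress.ip_network("192.168.30.0/24"), less_equal=32),
    ]
}
ROUTE_POLICY_AA = [
    PolicyNode(10, "deny", ["aa"]),   # drop anything the prefix list permits
    PolicyNode(20, "permit"),         # everything else passes
]

# Constructed OSPF routes on aggregation 2; 192.168.30.128/25 shows why less-equal 32 matters.
OSPF_ROUTES = [
    "192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24", "192.168.30.128/25",
    "192.168.66.0/24", "192.168.88.0/24", "192.168.60.0/24", "10.0.1.0/30",
]


def import_ospf_into_isis(routes=OSPF_ROUTES, policy=ROUTE_POLICY_AA) -> List[str]:
    """Return the routes that 'import-route ospf 1 route-policy aa' would hand to IS-IS."""
    return [r for r in routes
            if route_policy_permits(policy, PREFIX_LISTS, ipaddress.ip_network(r))]


if __name__ == "__main__":
    print(import_ospf_into_isis())
    print(import_ospf_into_isis(policy=ROUTE_POLICY_AA[:1]))  # forgetting node 20 imports nothing
```

The second call is the common mistake: a route-policy consisting only of a deny node matches nothing else and therefore denies everything, so the dormitory router would lose all routes rather than just the two filtered ones.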
11. NAPT
nat address-group 1 200.10.10.5 200.10.10.10
acl 2000
rule 5 permit any   (every internal host may reach the Internet)
interface GigabitEthernet4/0/0
ip address 200.10.10.3 255.255.255.0
nat outbound 2000 address-group 1
12. NAT server
Requirement: the intranet can reach both the FTP and HTTP servers normally; the Internet may reach only the HTTP server.
nat server protocol tcp global 200.10.10.1 any inside 192.168.60.1
nat server protocol tcp global 200.10.10.2 any inside 192.168.60.2
Caveat: "any" maps every TCP port of each server to its global address, so both servers, the FTP server included, are exposed to the Internet on all TCP ports (step 17 confirms that company B reaches the FTP server). To meet the requirement, keep only the mapping for the HTTP server and replace any with its HTTP port.
13. Advertise default routes
Egress router:
ospf 1
default-route-advertise always
Aggregation 2:
isis 1
default-route-advertise always
Now PC4 can ping the 192.168.30.0 network even though that prefix was filtered in step 10. The cause is the default route: the dormitory router has no specific route to 192.168.30.0/24, so longest-prefix match falls through to the 0.0.0.0/0 learned from IS-IS, which points at aggregation 2, and aggregation 2 holds the OSPF route. Route filtering only withholds routing information; it is not an access control and is bypassed by any route of last resort.
PC>ping 192.168.30.253
Ping 192.168.30.253: 32 data bytes, Press Ctrl_C to break
From 192.168.30.253: bytes=32 seq=1 ttl=126 time=79 ms
From 192.168.30.253: bytes=32 seq=2 ttl=126 time=93 ms
Fix: filter the traffic itself with an ACL (a traffic-filter, not policy-based routing).
Staff dormitory router:
acl 3000
rule deny ip source 192.168.40.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule deny ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule deny ip source 192.168.50.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule deny ip source 192.168.50.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
interface GigabitEthernet0/0/0
traffic-filter outbound acl 3000
The filter now works. The ACL contains only deny rules; with traffic-filter, packets that match no rule are forwarded, so Internet-bound and other intranet traffic still passes. Applying it outbound on the uplink covers both dormitory VLANs with one ACL.
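The two mechanisms side by side, as an added example that is not part of the lab: a small forwarding model of the dormitory router with a constructed routing table (the filtered table from step 10, then the same table plus the IS-IS default route) and the acl 3000 rules, showing the destination becoming reachable through the default and then being dropped by the traffic filter.

```python
# Added example (not from the lab): a forwarding model of the dorm router showing why the
# default route re-opened the filtered prefixes in step 13 and how traffic-filter with acl 3000
# closes the gap. Routing tables and ACL rules are constructed from the lab's prefixes; ACL
# matching follows Huawei advanced-ACL semantics (wildcard masks, first matching rule wins,
# and a packet that matches no rule is forwarded by traffic-filter).
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]                         # (prefix, next hop or "direct")
Rule = Tuple[str, str, str, str, str]           # (action, src, src-wildcard, dst, dst-wildcard)

# Dorm router after step 10: 192.168.20.0/24 and 192.168.30.0/24 are absent.
RIB_FILTERED: List[Route] = [
    ("192.168.40.0/24", "direct"), ("192.168.50.0/24", "direct"), ("192.168.43.0/30", "direct"),
    ("192.168.10.0/24", "192.168.43.1"), ("192.168.66.0/24", "192.168.43.1"),
    ("192.168.88.0/24", "192.168.43.1"), ("192.168.60.0/24", "192.168.43.1"),
]
# After step 13: IS-IS default-route-advertise adds a route of last resort toward aggregation 2.
RIB_WITH_DEFAULT: List[Route] = RIB_FILTERED + [("0.0.0.0/0", "192.168.43.1")]

ACL_3000: List[Rule] = [
    ("deny", "192.168.40.0", "0.0.0.255", "192.168.30.0", "0.0.0.255"),
    ("deny", "192.168.40.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    ("deny", "192.168.50.0", "0.0.0.255", "192.168.30.0", "0.0.0.255"),
    ("deny", "192.168.50.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
]


def longest_prefix_match(rib: List[Route], dst: str) -> Optional[Route]:
    """Pick the most specific matching prefix; 0.0.0.0/0 matches everything with length 0."""
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, nexthop in rib:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else (str(best[0]), best[1])


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return int(ipaddress.ip_address(addr)) & care == int(ipaddress.ip_address(base)) & care


def acl_verdict(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; traffic-filter forwards packets that match no rule."""
    for action, s, sw, d, dw in rules:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "permit"


def forward(rib: List[Route], rules: List[Rule], src: str, dst: str) -> str:
    """Outcome for a packet leaving the dorm router on the uplink carrying traffic-filter outbound."""
    route = longest_prefix_match(rib, dst)
    if route is None:
        return "no route"
    if acl_verdict(rules, src, dst) == "deny":
        return "dropped by acl 3000"
    return f"forwarded via {route[1]}"


if __name__ == "__main__":
    pc4 = "192.168.40.10"  # constructed address for PC4 in VLAN 40
    print(forward(RIB_FILTERED, [], pc4, "192.168.30.253"))            # no route
    print(forward(RIB_WITH_DEFAULT, [], pc4, "192.168.30.253"))        # forwarded via 192.168.43.1
    print(forward(RIB_WITH_DEFAULT, ACL_3000, pc4, "192.168.30.253"))  # dropped by acl 3000
```

The ACL is evaluated after the route lookup, which is why it closes the hole the default route opened: the packet still has a next hop, but the filter on the egress interface discards it. Traffic to VLAN 10 or to the Internet matches no deny rule and is forwarded.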
14. Configure IS-IS in the ISP area
Configure IP addresses and IS-IS: basic steps, omitted.
15. Configure IBGP in the ISP area
R5 (route reflector; each peer is configured as a client):
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
peer 1.1.1.1 reflect-client
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0
peer 2.2.2.2 reflect-client
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
peer 3.3.3.3 reflect-client
peer 4.4.4.4 as-number 100
peer 4.4.4.4 connect-interface LoopBack0
peer 4.4.4.4 reflect-client
R1, R2, R3, R4:
bgp 100
peer 5.5.5.5 as-number 100
peer 5.5.5.5 connect-interface LoopBack0
Establishing EBGP: omitted.
Peering on loopbacks keeps the sessions up across link failures, but nothing here authenticates them; in production, configure a per-peer password on every IBGP and EBGP session.
16. NAT at company B
AR9:
acl 2000
rule permit source any
interface GigabitEthernet 0/0/2
nat outbound 2000
nat server global 200.10.20.3 inside 192.168.10.3   (NAT server; with no protocol given, all protocols are mapped)
17. Advertise routes in BGP
Company B cannot reach the campus A servers: there is no route.
The 200.10.10.0 network must be advertised into BGP.
AR1:
bgp 100
network 200.10.10.0 24
The route appears on R3 but is not selected as best.
Reason: the next hop was not changed. A route reflector leaves the next hop of reflected routes untouched, so R3 receives it unchanged and cannot resolve it.
R5:
bgp 100
peer 1.1.1.1 next-hop-local
peer 3.3.3.3 next-hop-local
Still not best.
Reason: R3 is in a Level-1 area and does not learn Level-2 routes, so the BGP next hop is still absent from its routing table.
Fix: IS-IS route leaking.
R5:
isis 1
import-route isis level-2 into level-1
Now the route is best.
R3 must also advertise the 200.10.20.0 network into BGP.
R3:
bgp 100
network 200.10.20.0 24
R1 learns it and selects it as best.
AR9 (default route):
ip route-static 0.0.0.0 0 200.10.20.1
Campus A egress router, add a default route:
ip route-static 0.0.0.0 0 200.10.10.4
Company B should now be able to reach the campus A servers.
Testing shows that ping fails while the FTP server can be reached.
Reason: the NAT server mappings in step 12 were created with protocol tcp only, so ICMP to the global addresses is never translated; TCP services work, ping does not.