2023 National Vocational Skills Competition, Network Construction and Operations: Answer Key and Analysis for the Official Round
(2) Switch Configuration
```
SW1
port-group 1
!
Interface Ethernet1/0/22
 switchport mode trunk
 switchport trunk allowed vlan 11-15
 port-group 1 mode active
!
SW2
port-group 1
!
Interface Ethernet1/0/22
 switchport mode trunk
 switchport trunk allowed vlan 21-25
 port-group 1 mode passive
!
```
2. SW1 and SW2 are interconnected over three dark fibres: one carries Layer 3 IP traffic, one carries VPN traffic and one carries Layer 2 traffic.
Use the appropriate technology to isolate the Finance segment 1 and Finance segment 2 routing tables from the other business routing tables; the finance VPN instance is named Finance with RD 1:1. Only one dark fibre carries Layer 2 traffic; configure the appropriate technology so that the link can later be expanded and made redundant, numbered 1, using LACP with SW1 active and SW2 passive; load-share traffic by destination and source IP.
```
SW1
load-balance dst-src-ip   // load-share by destination and source IP
!
Interface Ethernet1/0/23
 switchport access vlan 1023
!
Interface Ethernet1/0/24
 switchport access vlan 1024
!
ip vrf Finance
 rd 1:1
!
interface Vlan1023   // Layer 3 traffic
 ip address 10.4.255.1 255.255.255.252
!
interface Vlan1024   // carries the VPN traffic
 ip vrf forwarding Finance
 ip address 10.4.255.1 255.255.255.252   // note: an IPv4 address configured before the VRF is bound is removed when the VRF is bound
!
interface Vlan14   // finance VPN traffic
 ip vrf forwarding Finance
 ipv6 address 2001:10:4:14::1/64
 ip address 10.4.14.1 255.255.255.0
!
port-group 1
!
Interface Ethernet1/0/22
 switchport mode trunk
 switchport trunk allowed vlan 11-15
 port-group 1 mode active   // active mode
!
SW2
load-balance dst-src-ip
!
Interface Ethernet1/0/23
 switchport access vlan 1023
!
Interface Ethernet1/0/24
 switchport access vlan 1024
!
ip vrf Finance
 rd 1:1
!
interface Vlan1023
 ip address 10.4.255.2 255.255.255.252
!
interface Vlan1024
 ip vrf forwarding Finance
 ip address 10.4.255.2 255.255.255.252
!
interface Vlan24
 ip vrf forwarding Finance
 ipv6 address 2001:10:4:24::1/64
 ip address 10.4.24.1 255.255.255.0
!
port-group 1
!
Interface Ethernet1/0/22
 switchport mode trunk
 switchport trunk allowed vlan 21-25
 port-group 1 mode passive   // passive mode
!
```
3. To simplify later verification and testing, connect SW3 E1/0/22 to a suitable interface on another device, configure it as a trunk and allow Vlan31-34, 110 and 120.
This port can be connected to SW1 port 1/0/1 to test ip dhcp snooping.
4. Use SW3 to simulate the branch office switch, isolated from the group's other business routing tables; the branch office VPN instance is named Office with RD 1:1. Also use SW3 to simulate the Internet switch, isolated from the group's other business routing tables; the Internet VPN instance is named Internet with RD 2:2.
```
SW3
ip vrf Office
 rd 1:1
!
ip vrf Internet
 rd 2:2
!
interface Vlan110   // group branch office product segment 1
 ip vrf forwarding Office
 ipv6 address 2001:10:4:110::1/64
 ip address 10.4.110.1 255.255.255.0
!
interface Vlan120   // group branch office marketing segment 1
 ip vrf forwarding Office
 ipv6 address 2001:10:4:120::1/64
 ip address 10.4.120.1 255.255.255.0
!
interface Vlan1015
 ip vrf forwarding Office
 ip address 10.4.255.30 255.255.255.252
!
interface Vlan1017
 ip vrf forwarding Internet
 ip address 200.200.200.1 255.255.255.252
!
interface Vlan1018
 ip vrf forwarding Internet
 ip address 200.200.200.5 255.255.255.252
!
interface Loopback2
 ip vrf forwarding Office
 ipv6 address 2001:10:4:3::2/128
 ip address 10.4.3.2 255.255.255.255
!
```
5. Configure SNMP on SW1 with engine id 1000; create the group GroupSkills at the highest security level, with read view Skills_R and write view Skills_W; create the authentication user UserSkills using aes for encryption with key Key-1122 and sha as the hash algorithm with key Key-1122; when the device has a fault, send v3 Trap messages from the local loopback address Loopback1 to the group NMS servers 10.4.15.120 and 2001:10:4:15::120 at the highest security level; when a legal department user port has an updown event, do not send trap messages to those NMS servers.
```
SW1
snmp-server enable
snmp-server trap-source 10.4.1.1
snmp-server trap-source 2001:10:4:1::1
snmp-server engineid 1000
// the key fields below are the stored (hashed) form that the running config displays, not the plaintext Key-1122
snmp-server user UserSkills GroupSkills authPriv aes b693dfa497e63a03e2b4a1d3709b0723 auth sha b693dfa497e63a03e2b4a1d3709b0723f62da73a
snmp-server group GroupSkills authpriv read Skills_R write Skills_W
snmp-server host 2001:10:4:15::120 v3 authpriv UserSkills
snmp-server host 10.4.15.120 v3 authpriv UserSkills
!
Interface Ethernet1/0/3   // legal department user port
 no switchport updown notification enable
 switchport access vlan 13
!
```
6. Mirror the SW1-FW1 interconnect traffic to SW1 E1/0/1; the session number is 1.
```
SW1
monitor session 1 source interface Ethernet1/0/19 tx
monitor session 1 source interface Ethernet1/0/19 rx
monitor session 1 destination interface Ethernet1/0/1
!
```
7. Enable unidirectional link detection on SW1 and SW2 E1/0/21-28; when such a fault occurs the port is marked errdisable and shut down automatically, and after 1 minute the port restarts automatically; the Hello interval is 15 s.
```
SW1
uldp enable
uldp recovery-time 60
uldp hello-interval 15
uldp manual-shutdown
uldp aggressive-mode
!
SW2
uldp enable
uldp recovery-time 60
uldp hello-interval 15
uldp manual-shutdown
uldp aggressive-mode
!
```
8. Enable the link layer discovery protocol on all ports of SW1 and SW2, with an update interval of 20 s, an aging-time multiplier of 5 and a Trap interval of 10 s; enable the Trap function on the three dark-fibre ports.
```
SW1
lldp enable
lldp msgTxHold 5
lldp tx-interval 20
lldp notification interval 10
!
Interface Ethernet1/0/22
 lldp trap enable
!
Interface Ethernet1/0/23
 lldp trap enable
!
Interface Ethernet1/0/24
 lldp trap enable
!
SW2
lldp enable
lldp msgTxHold 5
lldp tx-interval 20
lldp notification interval 10
!
Interface Ethernet1/0/22
 lldp trap enable
!
Interface Ethernet1/0/23
 lldp trap enable
!
Interface Ethernet1/0/24
 lldp trap enable
!
```
(3) Routing Debugging
1. Configure the hostname of every device as given in the "network topology". Enable the ssh service on all devices, with username and plaintext password both admin; set the ssh connection timeout to 9 minutes and the console timeout to 30 minutes on all devices.
```
SW
exec-timeout 30 0
!
ssh-server enable
ssh-server timeout 540
RT
line console 0
 exec-timeout 1800
!
ip sshd timeout 540
ip sshd enable
!
FW
ssh timeout 9
console timeout 30
```
2. Set the time zone of all devices to GMT+08:00. Set SW1's clock to the actual time; configure SW1 as the ntp server and the other devices as ntp clients with a request interval of 1 minute, using the SW1 Loopback1 IPv6 address as the ntp server address.
```
SW1
clock timezone GMT add 8 0
!
ntp enable
ntp-service refclock-master 1
!
SW2-3; AC
clock timezone GMT add 8 0
!
ntp enable
ntp syn-interval 60
ntp server 2001:10:4:1::1
!
RT1
time-zone GMT 8 0
ntp query-interval 60
ntp server 2001:10:4:1::1
!
FW
clock zone GMT 8 0
ntp query-interval 60
ntp server 2001:10:4:1::1
```
### 3. Configure IPv4 and IPv6 addresses on the interfaces; interconnect interfaces use IPv6 link-local addresses. FW1 and FW2 interfaces enable only ping, plus ssh on Loopback1.
```
RT
ipv6 unicast-routing   // enable IPv6; the link-local address is created per interface
 ipv6 enable           // on each interconnect interface
FW
 ipv6 enable           // on each interface
 manage ping
 manage ssh            // Loopback1 only
```
4. Configure DHCPv4 and DHCPv6 on SW2 to assign addresses for Vlan11, Vlan21, Vlan130, Vlan140 and Vlan150. The DHCPv4 pools are named PC1, PC2, AP1, POOLv4-VLAN11, POOLv4-VLAN21, POOLv4-VLAN130, POOLv4-VLAN140 and POOLv4-VLAN150; exclude the gateway; DNS is 10.4.210.101 and 10.4.220.101. The DHCPv6 pools are named POOLv6-VLAN11, POOLv6-VLAN21, POOLv6-VLAN130, POOLv6-VLAN140 and POOLv6-VLAN150; DHCPv6 pools are expressed as network prefixes; exclude the gateway; DNS is 2400:3200::1. PC1 has the reserved addresses 10.4.11.9 (DHCPv4 pool name PC1) and 2001:10:4:11::9, PC2 has the reserved addresses 10.4.21.9 (DHCPv4 pool name PC2) and 2001:10:4:21::9, and AP1 has the reserved addresses 10.4.130.9 (DHCPv4 pool name AP1) and 2001:10:4:130::9. The relay address on SW1 and AC1 is the SW2 Loopback1 address. Enable DHCPv4 and DHCPv6 snooping on SW1; if E1/0/1 connects a DHCPv4 server, shut the port down, with a recovery time of 10 minutes.
```
SW1
service dhcp
!
ip forward-protocol udp bootps
!
ip dhcp snooping enable
!
service dhcpv6
!
savi enable
savi ipv6 dhcp-only enable
!
Interface Ethernet1/0/1
 ip dhcp snooping action shutdown recovery 600   // shut down on a rogue DHCPv4 server, recover after 600 s
!
interface Vlan11
 no ipv6 nd suppress-ra
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ip helper-address 10.4.2.1
 ipv6 dhcp relay destination 2001:10:4:2::1
!
SW2
service dhcp
!
ip forward-protocol udp bootps
!
// the gateway of each pool is excluded as the task requires
ip dhcp excluded-address 10.4.11.1
ip dhcp excluded-address 10.4.21.1
ip dhcp excluded-address 10.4.130.1
ip dhcp excluded-address 10.4.140.1
ip dhcp excluded-address 10.4.150.1
!
ip dhcp pool POOLv4-VLAN11
 network-address 10.4.11.0 255.255.255.0
 default-router 10.4.11.1
 dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool POOLv4-VLAN21
 network-address 10.4.21.0 255.255.255.0
 default-router 10.4.21.1
 dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool POOLv4-VLAN130
 network-address 10.4.130.0 255.255.255.0
 default-router 10.4.130.1
 dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool POOLv4-VLAN140
 network-address 10.4.140.0 255.255.255.0
 default-router 10.4.140.1
 dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool POOLv4-VLAN150
 network-address 10.4.150.0 255.255.255.0
 default-router 10.4.150.1
 dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool AP1
 host 10.4.130.9 255.255.255.0
 hardware-address 00-03-0F-D9-CD-C0
!
ip dhcp pool PC1
 host 10.4.11.9 255.255.255.0
 hardware-address C0-18-03-BB-9F-94
!
ip dhcp pool PC2
 host 10.4.21.9 255.255.255.0
 hardware-address 98-0E-24-AB-83-F1
!
service dhcpv6
!
ipv6 dhcp pool POOLv6-VLAN11
 network-address 2001:10:4:11::1 64
 static-binding 2001:10:4:11::9 c0-18-03-bb-9f-94
 excluded-address 2001:10:4:11::1
 dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-VLAN21
 network-address 2001:10:4:21::1 64
 static-binding 2001:10:4:21::9 98-0e-24-ab-83-f1
 excluded-address 2001:10:4:21::1
 dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-VLAN130
 network-address 2001:10:4:130::1 64
 static-binding 2001:10:4:130::9 00-03-0f-d9-cd-c0
 excluded-address 2001:10:4:130::1
 dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-VLAN140
 network-address 2001:10:4:140::1 64
 excluded-address 2001:10:4:140::1
 dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-VLAN150
 network-address 2001:10:4:150::1 64
 excluded-address 2001:10:4:150::1
 dns-server 2400:3200::1
!
```
5. Run OSPFv2 and OSPFv3 among SW1, SW2, SW3, the RT1 Ethernet links, the RT2 Ethernet links, FW1, FW2 and AC1 (in router mode advertise networks by network address, in ascending IP order. Each prefix-list's sequence numbers start at 5 and increase by 5 in ascending IP order; route-map sequence numbers start at 10 and increase by 10, and the route-map name is the same as the prefix-list name. Each ACL's sequence numbers start at 10 and increase by 10 in ascending IP order).
Between SW1, SW2, SW3, RT1, RT2 and FW1 run OSPFv2 and OSPFv3, process 1, area 0; each advertises its Loopback1 route and the product routes; FW1 originates a type 1 default route.
```
SW1
router ospf 1
 ospf router-id 10.4.1.1
 network 10.4.1.1/32 area 0
 network 10.4.11.0/24 area 0
 network 10.4.255.0/30 area 0
 network 10.4.255.4/30 area 0
 network 10.4.255.12/30 area 0
!
router ipv6 ospf 1
 router-id 10.4.1.1
!
interface Loopback1
 ipv6 router ospf area 0 tag 1
!
interface Vlan1019
 ipv6 router ospf area 0 tag 1
!
interface Vlan1020
 ipv6 router ospf area 0 tag 1
!
interface Vlan1023
 ipv6 router ospf area 0 tag 1
!
interface Vlan11
 ipv6 router ospf area 0 tag 1
!
SW2
router ospf 1
 ospf router-id 10.4.2.1
 network 10.4.2.1/32 area 0
 network 10.4.21.0/24 area 0
 network 10.4.255.0/30 area 0
 network 10.4.255.8/30 area 0
 network 10.4.255.20/30 area 0
!
router ipv6 ospf 1
 router-id 10.4.2.1
!
interface Loopback1
 ipv6 router ospf area 0 tag 1
!
interface Vlan1019
 ipv6 router ospf area 0 tag 1
!
interface Vlan1020
 ipv6 router ospf area 0 tag 1
!
interface Vlan1023
 ipv6 router ospf area 0 tag 1
!
interface Vlan21
 ipv6 router ospf area 0 tag 1
!
SW3
router ospf 1
 ospf router-id 10.4.3.1
 network 10.4.3.1/32 area 0
 network 10.4.31.0/24 area 0
 network 10.4.255.4/30 area 0
 network 10.4.255.8/30 area 0
!
router ipv6 ospf 1
 router-id 10.4.3.1
!
interface Loopback1
 ipv6 router ospf area 0 tag 1
!
interface Vlan1019
 ipv6 router ospf area 0 tag 1
!
interface Vlan1020
 ipv6 router ospf area 0 tag 1
!
interface Vlan31
 ipv6 router ospf area 0 tag 1
!
RT1
router ospf 1
 router-id 10.4.5.1
 network 10.4.5.1 255.255.255.255 area 0
 network 10.4.255.16 255.255.255.252 area 0
 network 10.4.255.20 255.255.255.252 area 0
 network 10.4.255.32 255.255.255.252 area 0
!
router ospfv3 1
 router-id 10.4.5.1
!
interface Loopback1
 ipv6 enable
 ipv6 ospf 1 area 0
!
interface GigaEthernet0/0
 ipv6 enable
 ipv6 ospf 1 area 0
!
interface GigaEthernet0/1
 ipv6 enable
 ipv6 ospf 1 area 0
!
interface GigaEthernet0/2
 ipv6 enable
 ipv6 ospf 1 area 0
!
RT2
router ospf 1
 router-id 10.4.6.1
 network 10.4.6.1 255.255.255.255 area 0
 network 10.4.255.32 255.255.255.252 area 0
!
router ospfv3 1
 router-id 10.4.6.1
!
interface Loopback1
 ipv6 enable
 ipv6 ospf 1 area 0
!
interface GigaEthernet0/0
 ipv6 enable
 ipv6 ospf 1 area 0
!
FW1
router ospf 1
 router-id 10.4.7.1
 default-information originate type 1
 network 10.4.7.1/32 area 0
 network 10.4.255.12/30 area 0
 network 10.4.255.16/30 area 0
exit
ipv6 router ospf 1
 router-id 10.4.7.1
exit
interface loopback1
 ipv6 enable
 ipv6 ospf 1 area 0
exit
interface ethernet0/1
 ipv6 enable
 ipv6 ospf 1 area 0
exit
interface ethernet0/2
 ipv6 enable
 ipv6 ospf 1 area 0
exit
```
Between RT2 and AC1 run OSPFv2, process 1, area 1 nssa no-summary; AC1 advertises its Loopback1 route and the management, product and marketing routes, and redistributes Loopback3 through a prefix-list named AC1-Loopback3-IPv4.
Between RT2 and AC1 run OSPFv3, process 1, area 1 stub no-summary; AC1 advertises its Loopback1 route and the management, product and marketing routes.
```
RT2
router ospf 1
 network 10.4.255.44 255.255.255.252 area 1
 area 1 nssa no-summary
!
router ospfv3 1
 area 1 stub no-summary
!
interface GigaEthernet0/1
 ipv6 enable
 ipv6 ospf 1 area 1
!
AC1
ip prefix-list AC1-Loopback3-IPv4 seq 5 permit 10.4.4.3/32
!
route-map AC1-Loopback3-IPv4 permit 10
 match ip address prefix-list AC1-Loopback3-IPv4
!
router ospf 1
 ospf router-id 10.4.4.1
 area 1 nssa no-summary
 network 10.4.4.1/32 area 1
 network 10.4.130.0/24 area 1
 network 10.4.140.0/24 area 1
 network 10.4.150.0/24 area 1
 network 10.4.255.44/30 area 1
 redistribute connected route-map AC1-Loopback3-IPv4
!
router ipv6 ospf 1
 router-id 10.4.4.1
 area 1 stub no-summary
!
interface Loopback1
 ipv6 router ospf area 1 tag 1
!
interface Vlan1001
 ipv6 router ospf area 1 tag 1
!
interface Vlan130
 ipv6 router ospf area 1 tag 1
!
interface Vlan140
 ipv6 router ospf area 1 tag 1
!
interface Vlan150
 ipv6 router ospf area 1 tag 1
!
```
Between RT1, FW2 and the SW3 simulated branch office run OSPFv2 and OSPFv3, process 2, area 2. The SW3 simulated branch office advertises Loopback2 and the product and marketing routes. FW2 advertises its Loopback1 route. RT1 advertises its Loopback4 route and originates a type 1 default route into this area; RT1 uses prefix-lists to match the SW3 branch office Loopback2 and product routes and the FW2 Loopback1 route (prefix-lists named SW3-FW2-IPv4 and SW3-FW2-IPv6) and the RT1-FW2 directly connected IPv4 route (prefix-list named RT1-FW2-IPv4), and redistributes those routes into process 1.
```
SW3 (Office)
router ospf 2 vrf Office
 ospf router-id 10.4.3.2
 network 10.4.3.2/32 area 2
 network 10.4.110.0/24 area 2
 network 10.4.120.0/24 area 2
 network 10.4.255.28/30 area 2
!
router ipv6 ospf 2 vrf Office
 router-id 10.4.3.2
!
interface Loopback2
 ip vrf forwarding Office
 ipv6 address 2001:10:4:3::2/128
 ipv6 router ospf area 2 tag 2
 ip address 10.4.3.2 255.255.255.255
!
interface Vlan1015
 ip vrf forwarding Office
 ipv6 router ospf area 2 tag 2
 ip address 10.4.255.30 255.255.255.252
!
interface Vlan110
 ip vrf forwarding Office
 ipv6 address 2001:10:4:110::1/64
 ipv6 router ospf area 2 tag 2
 ip address 10.4.110.1 255.255.255.0
!
interface Vlan120
 ip vrf forwarding Office
 ipv6 address 2001:10:4:120::1/64
 ipv6 router ospf area 2 tag 2
 ip address 10.4.120.1 255.255.255.0
!
FW2
ip vrouter "trust-vr"
 router ospf 2
  router-id 10.4.8.1
  network 10.4.8.1/32 area 2
  network 10.4.255.24/30 area 2
  network 10.4.255.28/30 area 2
 exit
 ipv6 router ospf 2
  router-id 10.4.8.1
 exit
exit
interface loopback1
 zone "trust"
 ipv6 enable
 ipv6 ospf 2 area 2
exit
interface ethernet0/1
 zone "dmz"
 ipv6 enable
 ipv6 ospf 2 area 2
exit
interface ethernet0/2
 zone "trust"
 ipv6 enable
 ipv6 ospf 2 area 2
exit
RT1
ip route default Null0   // a blackhole default route is required here, otherwise the OSPF default route is not generated
route-map SW3-FW2-IPv6 10 permit
 match ipv6 address prefix-list SW3-FW2-IPv6
!
route-map SW3-FW2-IPv4 10 permit
 match ip address prefix-list SW3-FW2-IPv4
!
route-map SW3-FW2-IPv4 20 permit
 match ip address prefix-list RT1-FW2-IPv4
!
// SW3 Loopback2, FW2 Loopback1 and the branch office product segment, in ascending IP order
ip prefix-list SW3-FW2-IPv4 seq 5 permit 10.4.3.2/32
ip prefix-list SW3-FW2-IPv4 seq 10 permit 10.4.8.1/32
ip prefix-list SW3-FW2-IPv4 seq 15 permit 10.4.110.0/24
// RT1-FW2 directly connected route
ip prefix-list RT1-FW2-IPv4 seq 5 permit 10.4.255.24/30
!
ipv6 prefix-list SW3-FW2-IPv6 seq 5 permit 2001:10:4:3::2/128
ipv6 prefix-list SW3-FW2-IPv6 seq 10 permit 2001:10:4:110::/64
!
router ospf 2
 router-id 10.4.5.4
 network 10.4.5.4 255.255.255.255 area 2
 network 10.4.255.24 255.255.255.252 area 2
 redistribute ospf 1
 default-information originate metric-type 1
!
router ospfv3 2
 router-id 10.4.5.4
 redistribute ospf 1
 default-information originate metric-type 1
!
router ospf 1
 redistribute ospf 2 route-map SW3-FW2-IPv4
!
router ospfv3 1
 redistribute ospf 2 route-map SW3-FW2-IPv6
!
```
6. Between the RT1 serial links, the RT2 serial links, FW1 and AC1 run RIP and RIPng, each advertising its Loopback2 route (FW1's RIPng advertises routes by interface name). On RT1 configure a routing policy with an offset value of 3 so that RT1/S1/0-RT2/S1/1 is the primary link and RT1/S1/1-RT2/S1/0 the backup link; the IPv4 ACL is named ACL-RIP-IPv4 and the IPv6 ACL ACL-RIP-IPv6. Between RT1 S1/0 and RT2 S1/1 use bidirectional chap authentication, with the peer device name as the username and Key-1122 as the password.
Bring up the serial links
```
RT1
aaa authentication login default none    // no login authentication
aaa authentication enable default none
aaa authentication ppp default local     // PPP authenticates against the local user database
!
username RT2 password 0 Key-1122
!
interface Serial1/0
 ip address 10.4.255.37 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname RT1
 ppp chap password 0 Key-1122
 physical-layer speed 2048000
 ipv6 enable
!
interface Serial1/1
 ip address 10.4.255.41 255.255.255.252
 encapsulation ppp
 ipv6 enable
!
RT2
aaa authentication login default none
aaa authentication enable default none
aaa authentication ppp default local
!
username RT1 password 0 Key-1122   // the username must equal the hostname RT1 sends in CHAP
!
interface Serial1/0
 ip address 10.4.255.42 255.255.255.252
 encapsulation ppp
 physical-layer speed 2048000
 ipv6 enable
!
interface Serial1/1   // faces RT1 S1/0 (10.4.255.37), the link the task puts CHAP on
 ip address 10.4.255.38 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 ppp chap hostname RT2
 ppp chap password 0 Key-1122
 ipv6 enable
!
```
RIP
```
RT1
ip access-list standard ACL-RIP-IPv4
 permit any sequence 10
!
ipv6 access-list ACL-RIP-IPv6
 permit ipv6 any any sequence 10
!
router rip 1
 offset Serial1/1 in ACL-RIP-IPv4 3    // backup link: add 3 to the metric in both directions
 offset Serial1/1 out ACL-RIP-IPv4 3
!
router ripng 1
 offset Serial1/1 in ACL-RIP-IPv6 3
 offset Serial1/1 out ACL-RIP-IPv6 3
!
interface Loopback2
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable
!
interface GigaEthernet0/1
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable
!
interface Serial1/0
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable
!
interface Serial1/1
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable
!
RT2
router rip 1
!
router ripng 1
!
interface Loopback2
 ip address 10.4.6.2 255.255.255.255
 ipv6 enable
 ipv6 address 2001:10:4:6::2/128
 ip rip 1 enable
 ipv6 rip 1 enable
!
interface GigaEthernet0/1
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable
!
interface Serial1/0
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable
!
interface Serial1/1
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable
!
AC1
router rip
 network 10.4.4.2/32
 network 10.4.255.44/30
!
router ipv6 rip
!
interface Loopback2
 ipv6 router rip
!
interface Vlan1001
 ipv6 router rip
!
```
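The bidirectional CHAP exchange on the RT1 S1/0 to RT2 S1/1 link, as an added illustration (not code from the answer key or any router vendor). It assumes the RFC 1994 computation, response = MD5(identifier || secret || challenge), and that each router looks the peer's secret up under the hostname the peer sends, which is why the `username` entry on each side must be the other router's name.

```python
"""CHAP on the RT1 S1/0 <-> RT2 S1/1 PPP link (RFC 1994 computation).

Added illustration, not code from the answer key or any router vendor.
Assumption: response = MD5(identifier || secret || challenge), and each
router looks the peer's secret up under the hostname the peer sends
(RT1 holds 'username RT2', RT2 holds 'username RT1', both Key-1122).
"""
import hashlib
import hmac
import os

# Constructed credential stores mirroring the page's 'username ... password 0 Key-1122' lines.
RT1_USERS = {"RT2": "Key-1122"}
RT2_USERS = {"RT1": "Key-1122"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Response the peer returns: MD5 over the one-byte identifier, the secret and the challenge.

    The secret itself never crosses the serial link; only this digest does.
    """
    data = bytes([identifier & 0xFF]) + secret.encode() + challenge
    return hashlib.md5(data).digest()


def chap_verify(users: dict, identifier: int, challenge: bytes,
                peer_name: str, response: bytes) -> bool:
    """Authenticator side: recompute from the locally stored secret and compare."""
    secret = users.get(peer_name)
    if secret is None:
        return False  # no 'username <peer_name>' entry, e.g. a mistyped hostname
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(authenticator_users: dict, peer_name: str, peer_secret: str,
                  identifier: int = 1, challenge: bytes = None) -> bool:
    """One direction of the exchange: the authenticator challenges, the peer answers with its hostname."""
    if challenge is None:
        challenge = os.urandom(16)  # a fresh random challenge makes a recorded response useless later
    response = chap_response(identifier, peer_secret, challenge)
    return chap_verify(authenticator_users, identifier, challenge, peer_name, response)


def bidirectional_chap(rt1_users: dict, rt2_users: dict, rt1_secret: str, rt2_secret: str) -> bool:
    """Both directions must pass, as 'ppp authentication chap' on both RT1 and RT2 requires."""
    rt1_accepts_rt2 = chap_exchange(rt1_users, "RT2", rt2_secret)
    rt2_accepts_rt1 = chap_exchange(rt2_users, "RT1", rt1_secret)
    return rt1_accepts_rt2 and rt2_accepts_rt1


if __name__ == "__main__":
    print("link authenticated:", bidirectional_chap(RT1_USERS, RT2_USERS, "Key-1122", "Key-1122"))
```

A `username` entry whose name does not match the peer's `ppp chap hostname` (a typo such as RT71 instead of RT1) fails the lookup, so the link never comes up even though the password is right.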
7. Between the RT1 Ethernet link (physical rate 2048000), the RT2 Ethernet link and FW1 run ISIS, instance 1, to provide IPv4 and IPv6 reachability between the Loopback3 interfaces. The NETs of RT1, RT2 and FW1 are 10.0000.0000.0005.00, 10.0000.0000.0006.00 and 10.0000.0000.0007.00 respectively; the router type is Level-2 and the interconnect interface network type is point-to-point.
```
RT1
router isis 1
 is-type level-2
 net 10.0000.0000.0005.00
!
interface Loopback3
 ipv6 enable
 ip router isis 1
 ipv6 router isis 1
!
interface GigaEthernet0/0
 ipv6 enable
 ip router isis 1
 ipv6 router isis 1
 isis network point-to-point
 isis circuit-type level-2
!
interface GigaEthernet0/1
 ipv6 enable
 ip router isis 1
 ipv6 router isis 1
 isis network point-to-point
 isis circuit-type level-2
!
FW1
router isis
 net 10.0000.0000.0007.00
 is-type level-2-only
exit
interface loopback3
 ipv6 enable
 isis enable
 isis ipv6 enable
exit
interface ethernet0/2
 ipv6 enable
 isis enable
 isis circuit-type level-2-only
 isis network point-to-point
 isis ipv6 enable
exit
RT2
router isis 1
 is-type level-2
 net 10.0000.0000.0006.00
!
interface Loopback3
 ipv6 enable
 ip router isis 1
 ipv6 router isis 1
!
interface GigaEthernet0/0
 ipv6 enable
 ip router isis 1
 ipv6 router isis 1
 isis network point-to-point
 isis circuit-type level-2
!
```
8. Run BGP among SW1, SW2, SW3, RT1 and RT2: SW1, SW2 and RT1 are in AS 65001, RT2 in AS 65002 and SW3 in AS 65003.
SW1, SW2, SW3, RT1 and RT2 establish IPv4 and IPv6 BGP neighbours via Loopback1.
The SW1 and SW2 finance instances establish IPv4 and IPv6 BGP neighbours via Loopback2. SW1 and SW2 Loopback2 IPv4 reachability uses static routes; IPv6 reachability uses OSPFv3, process 2, area 2.
SW1, SW2 and SW3 advertise only the marketing, legal, HR and finance IPv4 and IPv6 routes; RT1 advertises the branch office marketing IPv4 and IPv6 routes into BGP; RT2 advertises the subsidiary marketing IPv4 and IPv6 routes into BGP.
```
SW1
router bgp 65001
 network 10.4.12.0/24
 network 10.4.13.0/24
 network 10.4.15.0/24
 neighbor 10.4.2.1 remote-as 65001
 neighbor 10.4.2.1 update-source Loopback1
 neighbor 10.4.2.1 next-hop-self
 neighbor 10.4.3.1 remote-as 65003
 neighbor 10.4.3.1 ebgp-multihop 255
 neighbor 10.4.3.1 update-source Loopback1
 neighbor 2001:10:4:2::1 remote-as 65001
 neighbor 2001:10:4:2::1 update-source Loopback1
 no neighbor 2001:10:4:2::1 activate
 neighbor 2001:10:4:3::1 remote-as 65003
 neighbor 2001:10:4:3::1 ebgp-multihop 255
 neighbor 2001:10:4:3::1 update-source Loopback1
 no neighbor 2001:10:4:3::1 activate
 address-family ipv6 unicast
  network 2001:10:4:12::/64
  network 2001:10:4:13::/64
  network 2001:10:4:15::/64
  neighbor 2001:10:4:2::1 activate
  neighbor 2001:10:4:3::1 activate
 exit-address-family
 address-family ipv4 vrf Finance
  network 10.4.14.0/24
  neighbor 10.4.2.2 remote-as 65001
 exit-address-family
!
ip route vrf Finance 10.4.2.2/32 10.4.255.2
!
router ipv6 ospf 2 vrf Finance
 router-id 10.4.1.2
!
interface Loopback2
 ip vrf forwarding Finance
 ipv6 router ospf area 2 tag 2
!
interface Vlan1024
 ip vrf forwarding Finance
 ipv6 router ospf area 2 tag 2
!
SW2
router bgp 65001
 network 10.4.22.0/24
 network 10.4.23.0/24
 network 10.4.25.0/24
 neighbor 10.4.1.1 remote-as 65001
 neighbor 10.4.1.1 update-source Loopback1
 neighbor 10.4.1.1 next-hop-self
 neighbor 10.4.3.1 remote-as 65003
 neighbor 10.4.3.1 ebgp-multihop 255
 neighbor 10.4.3.1 update-source Loopback1
 neighbor 10.4.5.1 remote-as 65001
 neighbor 10.4.5.1 update-source Loopback1
 neighbor 10.4.5.1 next-hop-self
 neighbor 2001:10:4:1::1 remote-as 65001
 neighbor 2001:10:4:1::1 update-source Loopback1
 no neighbor 2001:10:4:1::1 activate
 neighbor 2001:10:4:3::1 remote-as 65003
 neighbor 2001:10:4:3::1 ebgp-multihop 255
 neighbor 2001:10:4:3::1 update-source Loopback1
 no neighbor 2001:10:4:3::1 activate
 neighbor 2001:10:4:5::1 remote-as 65001
 neighbor 2001:10:4:5::1 update-source Loopback1
 no neighbor 2001:10:4:5::1 activate
 address-family ipv6 unicast
  network 2001:10:4:22::/64
  network 2001:10:4:23::/64
  network 2001:10:4:25::/64
  neighbor 2001:10:4:1::1 activate
  neighbor 2001:10:4:3::1 activate
  neighbor 2001:10:4:5::1 activate
 exit-address-family
 address-family ipv4 vrf Finance
  network 10.4.24.0/24
  neighbor 10.4.1.2 remote-as 65001
 exit-address-family
!
ip route vrf Finance 10.4.1.2/32 10.4.255.1
!
router ipv6 ospf 2 vrf Finance
 router-id 10.4.2.2
!
interface Loopback2
 ip vrf forwarding Finance
 ipv6 router ospf area 2 tag 2
!
interface Vlan1024
 ip vrf forwarding Finance
 ipv6 router ospf area 2 tag 2
!
SW3
router bgp 65003
 network 10.4.32.0/24
 network 10.4.33.0/24
 network 10.4.35.0/24
 neighbor 10.4.1.1 remote-as 65001
 neighbor 10.4.1.1 ebgp-multihop 255
 neighbor 10.4.1.1 update-source Loopback1
 neighbor 10.4.2.1 remote-as 65001
 neighbor 10.4.2.1 ebgp-multihop 255
 neighbor 10.4.2.1 update-source Loopback1
 neighbor 2001:10:4:1::1 remote-as 65001
 neighbor 2001:10:4:1::1 ebgp-multihop 255
 neighbor 2001:10:4:1::1 update-source Loopback1
 no neighbor 2001:10:4:1::1 activate
 neighbor 2001:10:4:2::1 remote-as 65001
 neighbor 2001:10:4:2::1 ebgp-multihop 255
 neighbor 2001:10:4:2::1 update-source Loopback1
 no neighbor 2001:10:4:2::1 activate
 address-family ipv6 unicast
  network 2001:10:4:32::/64
  network 2001:10:4:33::/64
  network 2001:10:4:35::/64
  neighbor 2001:10:4:1::1 activate
  neighbor 2001:10:4:2::1 activate
 exit-address-family
!
RT1
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 10.4.110.0/24
 neighbor 10.4.2.1 remote-as 65001
 neighbor 10.4.2.1 update-source Loopback1
 neighbor 10.4.2.1 next-hop-self
 neighbor 10.4.6.1 remote-as 65002
 neighbor 10.4.6.1 ebgp-multihop 255
 neighbor 10.4.6.1 update-source Loopback1
 neighbor 2001:10:4:2::1 remote-as 65001
 neighbor 2001:10:4:2::1 update-source Loopback1
 no neighbor 2001:10:4:2::1 activate
 neighbor 2001:10:4:6::1 remote-as 65002
 neighbor 2001:10:4:6::1 ebgp-multihop 255
 neighbor 2001:10:4:6::1 update-source Loopback1
 no neighbor 2001:10:4:6::1 activate
 address-family ipv6
  no synchronization
  network 2001:10:4:110::/64
  neighbor 2001:10:4:2::1 activate
  neighbor 2001:10:4:6::1 activate
 exit-address-family
!
RT2
router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.4.5.1 remote-as 65001
 neighbor 10.4.5.1 ebgp-multihop 255
 neighbor 10.4.5.1 update-source Loopback1
 neighbor 2001:10:4:5::1 remote-as 65001
 neighbor 2001:10:4:5::1 ebgp-multihop 255
 neighbor 2001:10:4:5::1 update-source Loopback1
 no neighbor 2001:10:4:5::1 activate
 address-family ipv6
  no synchronization
  neighbor 2001:10:4:5::1 activate
 exit-address-family
!
```
IPv4 and IPv6 traffic between SW3 marketing and SW1/SW2 marketing is preferentially forwarded over the SW1-SW3 link; IPv4 and IPv6 traffic between SW3 legal/HR and SW1/SW2 legal/HR is preferentially forwarded over the SW2-SW3 link, with the primary and backup links backing each other up; on SW3 use prefix-lists, route-maps and BGP path attributes for path selection, adding AS 65000. (The SW1 and SW2 marketing route prefix-lists are named SW1-SW2-YX-IPv4 and SW1-SW2-YX-IPv6 and the legal/HR route prefix-lists SW1-SW2-FWRL-IPv4 and SW1-SW2-FWRL-IPv6; the SW3 marketing route prefix-lists are named SW3-YX-IPv4 and SW3-YX-IPv6 and the legal/HR route prefix-lists SW3-FWRL-IPv4 and SW3-FWRL-IPv6.)
```
SW3
// prefix-list entries in ascending IP order, seq from 5 in steps of 5
ip prefix-list SW1-SW2-FWRL-IPv4 seq 5 permit 10.4.13.1/24
ip prefix-list SW1-SW2-FWRL-IPv4 seq 10 permit 10.4.15.1/24
ip prefix-list SW1-SW2-FWRL-IPv4 seq 15 permit 10.4.23.1/24
ip prefix-list SW1-SW2-FWRL-IPv4 seq 20 permit 10.4.25.1/24
ip prefix-list SW1-SW2-YX-IPv4 seq 5 permit 10.4.12.1/24
ip prefix-list SW1-SW2-YX-IPv4 seq 10 permit 10.4.22.1/24
ip prefix-list SW3-FWRL-IPv4 seq 5 permit 10.4.33.1/24
ip prefix-list SW3-FWRL-IPv4 seq 10 permit 10.4.35.1/24
ip prefix-list SW3-YX-IPv4 seq 5 permit 10.4.32.1/24
!
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 5 permit 2001:10:4:13::1/64
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 10 permit 2001:10:4:15::1/64
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 15 permit 2001:10:4:23::1/64
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 20 permit 2001:10:4:25::1/64
ipv6 prefix-list SW1-SW2-YX-IPv6 seq 5 permit 2001:10:4:12::1/64
ipv6 prefix-list SW1-SW2-YX-IPv6 seq 10 permit 2001:10:4:22::1/64
ipv6 prefix-list SW3-FWRL-IPv6 seq 5 permit 2001:10:4:33::1/64
ipv6 prefix-list SW3-FWRL-IPv6 seq 10 permit 2001:10:4:35::1/64
ipv6 prefix-list SW3-YX-IPv6 seq 5 permit 2001:10:4:32::1/64
!
// inbound from SW2: lengthen the AS path of marketing routes so the SW1 path is preferred
route-map SW1-SW2-YX-IPv4 permit 10
 match ip address prefix-list SW1-SW2-YX-IPv4
 set as-path prepend 65000
 set ip next-hop 10.4.1.1
!
route-map SW1-SW2-YX-IPv4 permit 20
!
// inbound from SW1: lengthen the AS path of legal/HR routes so the SW2 path is preferred
route-map SW1-SW2-FWRL-IPv4 permit 10
 match ip address prefix-list SW1-SW2-FWRL-IPv4
 set as-path prepend 65000
 set ip next-hop 10.4.2.1
!
route-map SW1-SW2-FWRL-IPv4 permit 20
!
// outbound: the same asymmetry for SW3's own routes, so return traffic uses the same link
route-map SW3-FWRL-IPv4 permit 10
 match ip address prefix-list SW3-FWRL-IPv4
 set as-path prepend 65000
 set ip next-hop 10.4.2.1
!
route-map SW3-FWRL-IPv4 permit 20
!
route-map SW3-YX-IPv4 permit 10
 match ip address prefix-list SW3-YX-IPv4
 set as-path prepend 65000
 set ip next-hop 10.4.1.1
!
route-map SW3-YX-IPv4 permit 20
!
route-map SW1-SW2-YX-IPv6 permit 10
 match ipv6 address prefix-list SW1-SW2-YX-IPv6
 set as-path prepend 65000
 set ipv6 next-hop 2001:10:4:1::1
!
route-map SW1-SW2-YX-IPv6 permit 20
!
route-map SW1-SW2-FWRL-IPv6 permit 10
 match ipv6 address prefix-list SW1-SW2-FWRL-IPv6
 set as-path prepend 65000
 set ipv6 next-hop 2001:10:4:2::1
!
route-map SW1-SW2-FWRL-IPv6 permit 20
!
route-map SW3-FWRL-IPv6 permit 10
 match ipv6 address prefix-list SW3-FWRL-IPv6
 set as-path prepend 65000
 set ipv6 next-hop 2001:10:4:2::1
!
route-map SW3-FWRL-IPv6 permit 20
!
route-map SW3-YX-IPv6 permit 10
 match ipv6 address prefix-list SW3-YX-IPv6
 set as-path prepend 65000
 set ipv6 next-hop 2001:10:4:1::1
!
route-map SW3-YX-IPv6 permit 20
!
router bgp 65003
 neighbor 10.4.1.1 route-map SW1-SW2-FWRL-IPv4 in
 neighbor 10.4.1.1 route-map SW3-FWRL-IPv4 out
 neighbor 10.4.2.1 route-map SW1-SW2-YX-IPv4 in
 neighbor 10.4.2.1 route-map SW3-YX-IPv4 out
 address-family ipv6 unicast
  neighbor 2001:10:4:1::1 route-map SW1-SW2-FWRL-IPv6 in
  neighbor 2001:10:4:1::1 route-map SW3-FWRL-IPv6 out
  neighbor 2001:10:4:2::1 route-map SW1-SW2-YX-IPv6 in
  neighbor 2001:10:4:2::1 route-map SW3-YX-IPv6 out
 exit-address-family
!
```
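A small checker, added here and not part of the answer key or the switch software, that replays the SW3 inbound prefix-lists and route-maps above and shows which neighbour wins for a marketing versus a legal/HR prefix, and that the other link takes over when one neighbour withdraws. It assumes DCN-style prefix-list entries without ge/le match only an identical network and length, that the first matching route-map sequence applies, and that equal AS-path lengths fall back to the lower neighbour router-id (the Loopback1 address).

```python
"""SW3 path selection under the answer key's prefix-lists and route-maps.

Added checker, not switch code. Assumptions: prefix-list entries without
ge/le match a route only when network bits and length are identical; the
first matching route-map sequence applies; 'set as-path prepend 65000'
lengthens the AS path so BGP's shortest-AS-path rule picks the other
neighbour; equal paths fall back to the lower neighbour router-id.
"""
import ipaddress

# Prefix-lists exactly as written on SW3 (address/len, in seq order).
PREFIX_LISTS = {
    "SW1-SW2-YX-IPv4": ["10.4.12.1/24", "10.4.22.1/24"],
    "SW1-SW2-FWRL-IPv4": ["10.4.13.1/24", "10.4.15.1/24", "10.4.23.1/24", "10.4.25.1/24"],
}

# Route-maps: (seq, action, prefix-list or None, AS numbers to prepend).
ROUTE_MAPS = {
    "SW1-SW2-YX-IPv4": [(10, "permit", "SW1-SW2-YX-IPv4", [65000]), (20, "permit", None, [])],
    "SW1-SW2-FWRL-IPv4": [(10, "permit", "SW1-SW2-FWRL-IPv4", [65000]), (20, "permit", None, [])],
}

# 'neighbor <ip> route-map <name> in' under router bgp 65003.
INBOUND_MAP = {"10.4.1.1": "SW1-SW2-FWRL-IPv4", "10.4.2.1": "SW1-SW2-YX-IPv4"}
NEIGHBOR = {"10.4.1.1": "SW1", "10.4.2.1": "SW2"}


def prefix_list_permits(name, prefix):
    """True when some entry covers exactly this network; a list ends in an implicit deny."""
    net = ipaddress.ip_network(prefix, strict=False)
    for entry in PREFIX_LISTS[name]:
        if ipaddress.ip_network(entry, strict=False) == net:
            return True
    return False


def apply_route_map(name, prefix, as_path):
    """Return the AS path after the route-map, or None if the route is dropped."""
    for _seq, action, plist, prepend in ROUTE_MAPS[name]:
        if plist is not None and not prefix_list_permits(plist, prefix):
            continue
        if action == "deny":
            return None
        return prepend + as_path
    return None  # no sequence matched: implicit deny


def best_path(prefix, advertisements):
    """advertisements: {neighbour_ip: AS path as received}. Returns the winning neighbour's name."""
    candidates = []
    for nbr, path in advertisements.items():
        new_path = apply_route_map(INBOUND_MAP[nbr], prefix, list(path))
        if new_path is not None:
            candidates.append((len(new_path), int(ipaddress.ip_address(nbr)), nbr))
    if not candidates:
        return None
    candidates.sort()  # shortest AS path first, then lowest router-id
    return NEIGHBOR[candidates[0][2]]


def sw3_choice(prefix, sw1_up=True, sw2_up=True):
    """SW1 and SW2 both normally advertise every AS 65001 prefix with AS path [65001]."""
    adv = {}
    if sw1_up:
        adv["10.4.1.1"] = [65001]
    if sw2_up:
        adv["10.4.2.1"] = [65001]
    return best_path(prefix, adv)


if __name__ == "__main__":
    for p in ("10.4.12.0/24", "10.4.13.0/24", "10.4.15.0/24", "10.4.22.0/24"):
        print(p, "->", sw3_choice(p), "| SW1 down ->", sw3_choice(p, sw1_up=False))
```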
9. Using BGP MPLS VPN, run MPLS and LDP on the Ethernet link between RT1 and RT2. Create a finance VPN instance named Finance on RT1 and RT2; RT1's RD is 1:1 with export rt 1:2 and import rt 2:1; RT2's RD is 2:2. Establish VPN neighbours via the Loopback1 of each end and provide IPv4 and IPv6 reachability between the two Loopback5 interfaces.
```
RT1
ipv6 unicast-routing
ipv6 vrf Finance
 rd 1:1
 route-target import 2:1
 route-target export 1:2
!
mpls ip
mpls ldp router-id 10.4.5.1
!
ip vrf Finance
 rd 1:1
 route-target export 1:2
 route-target import 2:1
!
interface Loopback1
 ipv6 enable
 mpls ip encapsulate
!
interface Loopback5
 ip vrf forwarding Finance
 ip address 10.4.5.5 255.255.255.255
 ipv6 enable
 ipv6 address 2001:10:4:5::5/128
 ipv6 vrf forwarding Finance
 mpls ip encapsulate
!
interface GigaEthernet0/0
 ipv6 enable
 mpls ip
 mpls ip encapsulate
 mpls ldp enable
!
router bgp 65001
 address-family vpnv4
  neighbor 10.4.6.1 activate
  neighbor 10.4.6.1 send-community extended
 exit-address-family
 address-family vpnv6
  neighbor 2001:10:4:6::1 activate
  neighbor 2001:10:4:6::1 send-community extended
 exit-address-family
 address-family ipv4 vrf Finance
  no synchronization
  network 10.4.5.5/32
 exit-address-family
 address-family ipv6 vrf Finance
  no synchronization
  network 2001:10:4:5::5/128
 exit-address-family
!
RT2
ipv6 unicast-routing
ipv6 vrf Finance
 rd 2:2
 route-target import 1:2
 route-target export 2:1
!
mpls ip
mpls ldp router-id 10.4.6.1
!
ip vrf Finance
 rd 2:2
 route-target export 2:1
 route-target import 1:2
!
interface Loopback1
 ipv6 enable
 mpls ip encapsulate
!
interface Loopback5
 ip vrf forwarding Finance
 ip address 10.4.6.5 255.255.255.255
 ipv6 enable
 ipv6 address 2001:10:4:6::5/128
 ipv6 vrf forwarding Finance
 mpls ip encapsulate
!
interface GigaEthernet0/0
 ipv6 enable
 mpls ip
 mpls ip encapsulate
 mpls ldp enable
!
router bgp 65002
 address-family vpnv4
  neighbor 10.4.5.1 activate
  neighbor 10.4.5.1 send-community extended
 exit-address-family
 address-family vpnv6
  neighbor 2001:10:4:5::1 activate
  neighbor 2001:10:4:5::1 send-community extended
 exit-address-family
 address-family ipv4 vrf Finance
  no synchronization
  network 10.4.6.5/32
 exit-address-family
 address-family ipv6 vrf Finance
  no synchronization
  network 2001:10:4:6::5/128
 exit-address-family
!
```
10. Configure IPv4 NAT on RT2 with an ACL named ACL-NAT so that the AC1 IPv4 product segment accesses the Internet using the IPv4 address of RT2's external interface. Configure NAT64 on RT2 with an ACL named ACL-NAT64 so that the AC1 IPv6 product segment accesses the Internet using the IPv4 address of RT2's external interface; the IPv4-to-IPv6 address prefix is 64:ff9b::/96.
```
RT2
interface GigaEthernet0/1
 ip nat inside
!
interface GigaEthernet0/2
 ip nat outside
!
ip access-list standard ACL-NAT
 permit 10.4.140.1 255.255.255.255 sequence 10
!
ipv6 access-list ACL-NAT64
 permit ipv6 2001:10:4:140::/64 any sequence 10
!
ip nat inside source list ACL-NAT interface GigaEthernet0/2
!
ipv6 nat v6v4 source list ACL-NAT64 interface GigaEthernet0/2
ipv6 nat prefix 64:FF9B::/96 v4-mapped ACL-NAT64
!
```
(4) Wireless Deployment
1. The AC1 port connected to AP1 allows only Vlan140 and Vlan150. The AC1 Loopback1 IPv4 and IPv6 addresses serve as AC1's IPv4 and IPv6 management addresses. APs register automatically at Layer 2 and are authenticated by MAC address. Configure 2 ssids, SKILLS-2.4G and SKILLS-5G. SKILLS-2.4G maps to Vlan140, using Network 140 and radio1 (profile 1, mode n-only-g); users joining the wireless network must use WPA-personal encryption with password Key-1122, and the 2.4G signal is sent on the first available VAP. SKILLS-5G maps to Vlan150, using Network 150 and radio2 (profile 1, mode n-only-a), with no authentication and a hidden ssid; SKILLS-5G sends the 5G signal on the last available VAP.
```
AC1
service dhcp
!
ip forward-protocol udp bootps
!
service dhcpv6
!
interface Vlan130
 no ipv6 nd suppress-ra
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ip helper-address 10.4.2.1
 ipv6 dhcp relay destination 2001:10:4:2::1
!
interface Vlan140
 no ipv6 nd suppress-ra
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ip helper-address 10.4.2.1
 ipv6 dhcp relay destination 2001:10:4:2::1
!
interface Vlan150
 no ipv6 nd suppress-ra
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ip helper-address 10.4.2.1
 ipv6 dhcp relay destination 2001:10:4:2::1
!
no login
wireless
 ap authentication mac
 discovery ip-list 10.4.130.1
 discovery ipv6-list 2001:10:4:130::1
 discovery vlan-list 130
 discovery vlan-list 1309
 static-ip 10.4.4.1
 static-ipv6 2001:10:4:4::1
 network 1
  device-finger enable
 !
 network 2
 !
 network 3
 !
 network 4
 !
 network 5
 !
 network 6
 !
 network 7
 !
 network 8
 !
 network 9
 !
 network 10
 !
 network 11
 !
 network 12
 !
 network 13
 !
 network 14
 !
 network 15
 !
 network 16
 !
 network 140
  security mode wpa-personal
  ssid SKILLS-2.4G
  wpa key encrypted 02ee7ad3f247f1845d18a798ec17abd797a22f75a0f6cb5e2c2804706125ef61c2140fd7205150769d49a0b7b9f374be1975498ce48aa688ad20960fef0af8ba   // the key is displayed in its encrypted form
 !
 network 150
  hide-ssid
  security mode wpa-personal
  ssid SKILLS-5G
  wpa key encrypted 02ee7ad3f247f1845d18a798ec17abd797a22f75a0f6cb5e2c2804706125ef61638f74dd55fd7f488a91c44652e1488e8a05bf91c1e6b02e805411e69bbbb31d
 !
 ap load-balance template 1
 !
 ap air-match template 1
  air-match load-balance session
  air-match load-balance session 2
 !
 ap profile 1
  channel-plan an time 05:00
  channel-plan bgn time 05:00
  air-match template 1
  radio 1
   mode n-only-g
   vap 0           // first available VAP carries SKILLS-2.4G
    network 140
   !
  !
  radio 2
   mode n-only-a
   vap 0
   !
   vap 15          // last available VAP carries SKILLS-5G
    enable
    network 150
   !
  !
  radio 3
   vap 0
   !
  !
 !
 ap database 00-03-0f-d9-cd-c0
!
```
(5) Security Maintenance
1. Configure IPv4 NAT on FW1, id 1, so that the group product segment 1 IPv4 accesses the Internet over IPv4; the translated ip/mask is 200.200.200.16/28, and all sessions from one source ip must map to the same fixed IP address.
2. Configure NAT64 on FW1, id 2, so that the group product segment 1 IPv6 accesses the Internet over IPv4, translating to the outgoing interface IP; the IPv4-to-IPv6 address prefix is 64:ff9b::/96.
### 3. The default action of the FW1 and FW2 policies is deny; FW1 allows the group product segment 1 IPv4 and IPv6 to access any Internet service. (Firewall default action: deny.)
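The address mapping behind both NAT64 rules on this page, RT2's `ipv6 nat prefix 64:FF9B::/96` in item 10 of the routing section and FW1's id 2 NAT64 here, worked as an added example (not device code from the answer key). It assumes the RFC 6052 layout of the well-known /96 prefix, with the IPv4 address in the low 32 bits, the ACL-NAT64 source match `2001:10:4:140::/64`, and RT2's outside address 200.200.200.6 from the VPN configuration below; the sample addresses are constructed.

```python
"""RFC 6052 mapping behind the 64:ff9b::/96 NAT64 on RT2 (item 10) and FW1 (item 2).

Added helper, not router or firewall code. Assumptions: the well-known /96
prefix carries the IPv4 address in its low 32 bits; ACL-NAT64 permits
sources in 2001:10:4:140::/64; RT2's outside address is 200.200.200.6.
"""
import ipaddress
from typing import Optional, Tuple

NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")
# 'permit ipv6 2001:10:4:140::/64 any' from ACL-NAT64
ACL_NAT64_SOURCES = [ipaddress.ip_network("2001:10:4:140::/64")]
RT2_OUTSIDE_IPV4 = ipaddress.ip_address("200.200.200.6")


def embed_ipv4(v4: str) -> ipaddress.IPv6Address:
    """IPv4 literal -> the IPv4-embedded IPv6 address an IPv6-only client sends to."""
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(v6: str) -> Optional[ipaddress.IPv4Address]:
    """Reverse mapping; None when the address is not under the NAT64 prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in NAT64_PREFIX:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def translate_v6v4(src6: str, dst6: str) -> Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """What the 'ipv6 nat v6v4 source list ACL-NAT64' rule does with one flow.

    Returns (translated source, real IPv4 destination), or None when the flow
    is left alone: either the destination is not a NAT64 address, or the
    source is outside ACL-NAT64 (a non-product segment such as Vlan130).
    """
    dst4 = extract_ipv4(dst6)
    if dst4 is None:
        return None
    src = ipaddress.IPv6Address(src6)
    if not any(src in net for net in ACL_NAT64_SOURCES):
        return None
    return RT2_OUTSIDE_IPV4, dst4


if __name__ == "__main__":
    # constructed sample: a product-segment host reaching an IPv4-only Internet host
    synthesized = embed_ipv4("200.200.200.9")
    print(synthesized, "->", translate_v6v4("2001:10:4:140::9", str(synthesized)))
    print("Vlan130 host ->", translate_v6v4("2001:10:4:130::9", str(synthesized)))
```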
4. FW2 allows the branch office product IPv4 segment to access the https service of the group product segment 1, and allows the group product segment 1 and product segment 2 to access the SW3 simulated branch office Loopback2 IPv4, the FW2 Loopback1 IPv4 and the branch office product IPv4 segment.
5. Between FW1 and RT2 use the Internet interconnect addresses to build a GRE over IPsec VPN providing encrypted access between the Loopback4 interfaces. RT2's ACL is named ACL-VPN, its transform-set SET-1 and its crypto map MAP-1. FW1's isakmp proposal is named P-1, its isakmp peer PEER-1, its ipsec proposal P-2, its tunnel ipsec IPSEC-1 and its tunnel gre GRE-1.
```
SW3 (Internet)
ip route vrf Internet 0.0.0.0/0 200.200.200.2
ip route vrf Internet 0.0.0.0/0 200.200.200.5
!
```
```
RT2
ip route default 200.200.200.5
!
ip access-list extended ACL-VPN
 permit gre 200.200.200.6 255.255.255.252 200.200.200.2 255.255.255.252 sequence 10
!
interface Tunnel4
 ip address 10.4.255.50 255.255.255.252
 tunnel source 200.200.200.6
 tunnel destination 200.200.200.2
!
crypto isakmp key 0 Key-1122 address 200.200.200.2 255.255.255.252
crypto isakmp policy 10
 authentication pre-share
 encryption 3des   // 3des and md5 are legacy algorithms; they must match what FW1 proposes
 hash md5
 lifetime 4000
!
crypto ipsec transform-set SET-1 esp-3des esp-md5-hmac
 mode transport
!
crypto map MAP-1 10 ipsec-isakmp
 match address ACL-VPN
 set peer 200.200.200.2
 set transform-set SET-1
!
interface GigaEthernet0/2
 ipv6 enable
 crypto map MAP-1
!
ip route 10.4.7.4 255.255.255.255 Tunnel4   // FW1 Loopback4 via the GRE tunnel
!
```
FW2
```
FW1
tunnel gre "GRE-1"
 source 200.200.200.2
 destination 200.200.200.6
 interface ethernet0/3
 next-tunnel ipsec IPSEC-1
exit
interface tunnel4
 zone "VPNHub"
 ip address 10.4.255.49 255.255.255.252
 manage ping
 tunnel gre "GRE-1" gw 10.4.255.50
exit
ip vrouter "trust-vr"
 ip route 0.0.0.0/0 200.200.200.1
 ip route 10.4.6.4/32 10.4.255.50
exit
```