实验要求:

1、服务器组双链路 上联核心,调高数据可靠性
2、配置vlan,减小广播域范围
3、所有网关都设在核心上,部分ip需自动获取
4、业务端口,配置边缘端口,减小频繁up down对网络的影响
5、配置相关路由,使的用户可以访问外网及新校区
6、广域网出口做主备,线路正常走联通
7、所有设备可以被Telnet ,管理网段255.x,vlan999
8、vlan30 用户不能访问200.4

服务器sw网桥聚合

思路

1、起网桥聚合
2、聚合口为trunk
1
2

server-sw

[H3C]SY S-SW
[S-SW]vlan 200
[S-SW-vlan200]port g1/0/1
[S-SW-vlan200]port g1/0/2
dis 
[S-SW-vlan200]int b 1
[S-SW-Bridge-Aggregation1]qu
[S-SW]int range Ten-GigabitEthernet1/0/50 to Ten-GigabitEthernet1/0/51
[S-SW-if-range]port link-aggregation group 1
[S-SW-if-range]qu

[S-SW]dis link-aggregation v
  Port             Status  Priority Oper-Key
--------------------------------------------------------------------------------
  XGE1/0/50        S       32768    1
  XGE1/0/51        S       32768    1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

没有设置网桥模式为dynamic（动态）就会出现上面情况

[S-SW]int b 1
[S-SW-Bridge-Aggregation1]link mode dynamic   ==开启动态模式==
[S-SW-Bridge-Aggregation1]dis link-aggregation v

System ID: 0x8000, 6e7e-6251-1200
Local:
  Port                Status  Priority Oper-Key  Flag
--------------------------------------------------------------------------------
  XGE1/0/50           S       32768    1         {ACDEFG}
  XGE1/0/51           U       32768    1         {ACG}
Remote:
  Actor               Partner Priority Oper-Key  SystemID               Flag
--------------------------------------------------------------------------------
  XGE1/0/50           0       32768    0         0x8000, 0000-0000-0000 {DEF}
  XGE1/0/51           0       32768    0         0x8000, 0000-0000-0000 {DEF}
====================由于对端摸开启 显示上面的 U  ====================================
[S-SW-Bridge-Aggregation1]dis link-aggregation v
System ID: 0x8000, 6e7e-6251-1200
Local:
  Port                Status  Priority Oper-Key  Flag
--------------------------------------------------------------------------------
  XGE1/0/50           S       32768    1         {ACDEF}
  XGE1/0/51           S       32768    1         {ACDEF}
Remote:
  Actor               Partner Priority Oper-Key  SystemID               Flag
--------------------------------------------------------------------------------
  XGE1/0/50           51      32768    1         0x8000, 6e7d-01a4-0100 {ACDEF}
  XGE1/0/51           52      32768    1         0x8000, 6e7d-01a4-0100 {ACDEF}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

在PC14（服务器）上ping网关 200.1 不通,分析原因为没有设置trunk

[S-SW-Bridge-Aggregation1]qu
[S-SW]in b 1
[S-SW-Bridge-Aggregation1]port link-ty trunk
		Configuring Ten-GigabitEthernet1/0/50 done.    ==这两done要出现==
		Configuring Ten-GigabitEthernet1/0/51 done.
[S-SW-Bridge-Aggregation1]por tr pe v a
		Configuring Ten-GigabitEthernet1/0/50 done.
		Configuring Ten-GigabitEthernet1/0/51 done.
1
2
3
4
5
6
7
8

核心sw

这个顺序好像很重要

sy SW1
vlan 200

int vlan 200
ip add 192.168.200.1 24

int b 1
qu

int range Ten-GigabitEthernet1/0/50 to Ten-GigabitEthernet1/0/51
port link-ag gr 1

int b 1
link mode dynamic
port link-ty trunk
port tr pe v all
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

验证

<H3C>PING 192.168.200.1
Ping 192.168.200.1 (192.168.200.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.200.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 192.168.200.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 192.168.200.1: icmp_seq=2 ttl=255 time=1.000 m
1
2
3
4
5

2、配置vlan,减小广播域范围

思路

1、目标 vlan 10 vlan 20 vlan 30 vlan 40 vlan 80 vlan 200
疑问：服务器支路和pc9支路,如果按需开启vlan200 和999  会怎样 ？
答：就是要按需开启,没有必要开启其他的
2、用dis vlan b
1
2
3
4

vlan10段

核心sw1 起vlan trunk 虚接口

vlan 10
int vlan 10 
ip ad 192.168.10.1 24
qu
iint Ten-GigabitEthernet1/0/52
port link-ty trunk
port trunk pe v all
1
2
3
4
5
6
7

检测 - vlan

[sw1]dis po tr
Interface             PVID    VLAN Passing
BAGG1                 1       1, 10, 200, 999
XGE1/0/50             1       1, 10, 200, 999
XGE1/0/51             1       1, 10, 200, 999
XGE1/0/52             1       1, 10, 200, 999
1
2
3
4
5
6

检测 -trunk

10        VLAN 0010                        BAGG1  XGE1/0/50  XGE1/0/51
                                           XGE1/0/52
200       VLAN 0200                        BAGG1  XGE1/0/50  XGE1/0/51
                                           XGE1/0/52
999       VLAN 0999                        BAGG1  XGE1/0/50  XGE1/0/51
                                           XGE1/0/52
1
2
3
4
5
6

检测 -虚接口

[sw1]dis ip in b
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description
MGE0/0/0                 down     down     --              --
Vlan10                   up       up       192.168.10.1    --
Vlan200                  up       up       192.168.200.1   --
1
2
3
4
5
6
7

汇聚sw2 起vlan, 并三个trunk口

1、起vlan, 并三个trunk口 就ok

[sw-核心]sy sw-汇聚
[sw-汇聚]vlan 10
[sw-汇聚-vlan10]vlan 20
[sw-汇聚-vlan20]vlan 999
[sw-汇聚-vlan999]qu

[sw-汇聚]int Ten-GigabitEthernet1/0/52
[sw-汇聚-Ten-GigabitEthernet1/0/52]port link-ty trunk
[sw-汇聚-Ten-GigabitEthernet1/0/52]port tr pe v a
[sw-汇聚-GigabitEthernet1/0/1]qu

[sw-汇聚]int g1/0/1
[sw-汇聚-GigabitEthernet1/0/1]port link-ty trunk
[sw-汇聚-GigabitEthernet1/0/1]port tr pe v a
[sw-汇聚-GigabitEthernet1/0/1]int g1/0/2
[sw-汇聚-GigabitEthernet1/0/2]port link-ty trunk
[sw-汇聚-GigabitEthernet1/0/2]port tr pe v a
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

[sw2]dis vlan b
.......
10        VLAN 0010                        GE1/0/1  GE1/0/2  XGE1/0/52
20        VLAN 0020                        GE1/0/1  GE1/0/2  XGE1/0/52
999       VLAN 0999                        GE1/0/1  GE1/0/2  XGE1/0/52

[sw-汇聚]dis por tr
Interface             PVID    VLAN Passing
GE1/0/1               1       1, 10, 20, 999
GE1/0/2               1       1, 10, 20, 999
XGE1/0/52             1       1, 10, 20, 999

1
2
3
4
5
6
7
8
9
10
11
12

接入sw4 起vlan 开trunk

开通vlan10 （不用全部）并纳口 , 开通trunk 并all

[H3C]sy sw-接入
[sw-接入]vlan 10
[sw-接入-vlan10]port g1/0/2
[sw-接入-vlan10]port g1/0/3
[sw-接入-vlan10]int g1/0/1
[sw-接入-GigabitEthernet1/0/1]port link-ty tr
[sw-接入-GigabitEthernet1/0/1]port tr pe v a

========= 顺便业务端口
[sw4-vlan10]qu
[sw4]int range g1/0/2 to g1/0/3
[sw4-if-range]stp edged-port
1
2
3
4
5
6
7
8
9
10
11
12

10        VLAN 0010                        GE1/0/1  GE1/0/2  GE1/0/3
999       VLAN 0999                        GE1/0/1
1
2

pc9 能ping通网关10.1和200.1

<H3C>ping 192.168.10.1
Ping 192.168.10.1 (192.168.10.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.10.1: icmp_seq=0 ttl=255 time=1.000 ms

<H3C>ping 192.168.200.1
Ping 192.168.200.1 (192.168.200.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.200.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 192.168.200.1: icmp_seq=1 ttl=255 time=1.000 ms
1
2
3
4
5
6
7
8
9

至此接入sw不能ping通 网关

[sw-接入]ping 192.168.10.1
Ping 192.168.10.1 (192.168.10.1): 56 data bytes, press CTRL_C to break
Request time out
Request time out
1
2
3
4

vlan 20段

sw1 起vlan 虚拟口

[sw1]vlan 20
[sw1-vlan20]int vlan 20
[sw1-Vlan-interface20]ip address 192.168.20.1 24
1
2
3

汇聚 sw 不用设置

sw5接入 起vlan 配trunk

[sw]sy sw5-接入
[sw5-接入]vlan 20
[sw5-接入-vlan20]por g1/0/1
[sw5-接入-vlan20]int g1/0/2
[sw5-接入-GigabitEthernet1/0/2]port link-ty tr
[sw5-接入-GigabitEthernet1/0/2]por tr pe v a
1
2
3
4
5
6

验证 ping 10.1 20.1 200.1都ok

<H3C>ping 192.168.200.1
Ping 192.168.200.1 (192.168.200.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.200.1: icmp_seq=0 ttl=255 time=1.000 ms
1
2
3

vlan 30 40段

sw1起vlan 设虚拟口 配trunk

[sw1]vlan 30
[sw1-vlan30]int vlan 30
[sw1-Vlan-interface30]ip ad 192.168.30.1 24
[sw1-Vlan-interface30]vlan 40
[sw1-vlan40]int vlan 40
[sw1-Vlan-interface40]ip ad 192.168.40.1 24
[sw1-Vlan-interface40]qu

[sw1]int Ten-GigabitEthernet1/0/49
[sw1-Ten-GigabitEthernet1/0/49]port link-ty tr
[sw1-Ten-GigabitEthernet1/0/49]port link-ty trunk
[sw1-Ten-GigabitEthernet1/0/49]port tr pe v a
1
2
3
4
5
6
7
8
9
10
11
12

汇聚sw3 三个trunk

[sw-汇聚]int Ten-GigabitEthernet1/0/49
[sw-汇聚-Ten-GigabitEthernet1/0/49]port link-ty tr
[sw-汇聚-Ten-GigabitEthernet1/0/49]po tr pe v a
[sw-汇聚-Ten-GigabitEthernet1/0/49]qu

[sw-汇聚]int range g1/0/1 to g1/0/2
[sw-汇聚-if-range]port link-ty tr
[sw-汇聚-if-range]po tr pe v a
1
2
3
4
5
6
7
8

接入sw6 vlan30

[H3C]sy sw-接入
[sw-接入]vlan 30
[sw-接入-vlan30]por g1/0/1

[sw-接入-vlan30]int g1/0/2
[sw-接入-GigabitEthernet1/0/2]port link-ty tr
[sw-接入-GigabitEthernet1/0/2]po tr pe v a
1
2
3
4
5
6
7

验证vlan30

<H3C>ping 192.168.200.5
Ping 192.168.200.5 (192.168.200.5): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.200.5: icmp_seq=0 ttl=254 time=2.000 ms
1
2
3

接入sw vlan40

[H3C]sy sw-接入
[sw-接入]vlan 40
[sw-接入-vlan40]port g1/0/1

[sw-接入-vlan4int g1/0/2
[sw-接入-GigabitEthernet1/0/2]port link-ty tr
[sw-接入-GigabitEthernet1/0/2]port tr pe v a
1
2
3
4
5
6
7

验证 vlan40 因未配置DHCP 不能 分配IP

3、配置DHCP 使部分PC自动获取ip

核心 sw1 起dhcp 设地址段和网关

[sw1]dhcp enable
[sw1]dhcp server ip-pool 10
[sw1-dhcp-pool-10]network 192.168.10.0 mask 255.255.255.0
[sw1-dhcp-pool-10]gateway-list 192.168.10.1 24
[sw1-dhcp-pool-10]dns-list 8.8.8.8

[sw1]dhcp server ip-pool 40
[sw1-dhcp-pool-40]network 192.168.40.0 mask 255.255.255.0
[sw1-dhcp-pool-40]gateway-list 192.168.40.1
[sw1-dhcp-pool-40]dns-list 8.8.8.8
1
2
3
4
5
6
7
8
9
10

验证 等几分钟后

4 STP 协议树

核心为根网桥 优先级改成0

[sw1]stp priority 0

业务口配置边缘口

使得pc up down不影响网络
依次

[sw-接入]in g1/0/1
[sw-接入-GigabitEthernet1/0/1]stp edged-port
1
2

5、配置ospf 联通新校区

思路

1、核心sw1 起ospf ,宣告网段

[sw1]ospf 1
[sw1-ospf-1]area 1
[sw1-ospf-1-area-0.0.0.1]network 192.168.10.0 0.0.0.255
[sw1-ospf-1-area-0.0.0.1]network 192.168.20.0 0.0.0.255
[sw1-ospf-1-area-0.0.0.1]network 192.168.30.0 0.0.0.255
[sw1-ospf-1-area-0.0.0.1]network 192.168.40.0 0.0.0.255
[sw1-ospf-1-area-0.0.0.1]network 192.168.200.0 0.0.0.255
[sw1-ospf-1-area-0.0.0.1]network 192.168.100.0 0.0.0.255
1
2
3
4
5
6
7
8

2、外网R起ospf ,宣告网段

[R-外网]ospf 1
[R-外网-ospf-1]area 1
[R-外网-ospf-1-area-0.0.0.1]network 192.168.100.0 0.0.0.255
[R-外网-ospf-1-area-0.0.0.1]network 12.1.1.0 0.0.0.255
[R-外网-ospf-1-area-0.0.0.1]network 13.1.1.0 0.0.0.255
[R-外网-ospf-1-area-0.0.0.1]network 14.1.1.0 0.0.0.255
1
2
3
4
5
6

3、新校区 R 配IP 起ospf ,宣告网段

[R-新]int s1/0
[R-新-Serial1/0]ip address 14.1.1.2 24

[R-新-Serial1/0]int g0/0
[R-新-GigabitEthernet0/0]ip address 192.168.80.1 24

[R-新]ospf 1
[R-新-ospf-1-area-0.0.0.1]network 192.168.14.0 0.0.0.255  ======错误
[R-新-ospf-1-area-0.0.0.1]network 14.1.1.1  0.0.0.255
[R-新-ospf-1-area-0.0.0.1]dis this
#
 area 0.0.0.1
  network 14.1.1.0 0.0.0.255
  network 192.168.14.0 0.0.0.255
# 
[R-新-ospf-1-area-0.0.0.1]un network 192.168.14.0 0.0.0.255
[R-新-ospf-1-area-0.0.0.1]dis this
#
 area 0.0.0.1
  network 14.1.1.0 0.0.0.255
#
return
[R-新-ospf-1-area-0.0.0.1]network 192.168.80.0 0.0.0.255
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

验证 用新校区路由器及PC_13可以ping通 服务器200.4

[R-新-Serial1/0]ping 192.168.200.4
Ping 192.168.200.4 (192.168.200.4): 56 data bytes, press CTRL+C to break
56 bytes from 192.168.200.4: icmp_seq=0 ttl=253 time=2.000 ms

[R-新-Serial1/0]ping 192.168.20.11
Ping 192.168.20.11 (192.168.20.11): 56 data bytes, press CTRL+C to break
56 bytes from 192.168.20.11: icmp_seq=0 ttl=253 time=1.000 ms
1
2
3
4
5
6
7

<H3C>ping 192.168.200.1
Ping 192.168.200.1 (192.168.200.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.200.1: icmp_seq=0 ttl=253 time=1.000 ms
1
2
3

**PC_9pingPC_13

<H3C>ping 192.168.80.13
Ping 192.168.80.13 (192.168.80.13): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.80.13: icmp_seq=0 ttl=252 time=2.000 ms
1
2
3

6、访问外网

1) 核心 sw1 改02口为route模式,并设置地址

[sw1]int g1/0/2
[sw1-GigabitEthernet1/0/2]port link-mode route
[sw1-GigabitEthernet1/0/2]ip address 192.168.100.1 24
1
2
3

2) R-外网 设各口IP地址

[R-外网]int g0/2
[R-外网-GigabitEthernet0/2]ip a 192.168.100.2 24

[R-外网-GigabitEthernet0/2]int g0/0
[R-外网-GigabitEthernet0/0]ip a 12.1.1.1 24
[R-外网-GigabitEthernet0/0]int g0/1
[R-外网-GigabitEthernet0/1]ip a 13.1.1.1 24

[R-外网-GigabitEthernet0/1]int s1/0
[R-外网-Serial1/0]ip ad 14.1.1.1 24
1
2
3
4
5
6
7
8
9
10

至此 PC_可以访问到12.1.1.1 但到不了 12.1.1.2 更到不了 6.6.6.6

<H3C>ping 192.168.80.13
Ping 192.168.80.13 (192.168.80.13): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.80.13: icmp_seq=0 ttl=252 time=2.000 ms
56 bytes from 192.168.80.13: icmp_seq=0 ttl=252 time=2.000 ms

ping 12.1.1.1
Ping 12.1.1.1 (12.1.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 12.1.1.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 12.1.1.1: icmp_seq=0 ttl=254 time=1.000 ms

ping 12.1.1.2
Ping 12.1.1.2 (12.1.1.2): 56 data bytes, press CTRL_C to break
Request time out
Request time out

[H3C]PING 6.6.6.6
Ping 6.6.6.6 (6.6.6.6): 56 data bytes, press CTRL_C to break
Request time out

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

应该配置 直连路由了吧

3) 核心sw1 设置默认路由,下一条100.2

[sw1]ip route-static 0.0.0.0 0 192.168.100.2
1

4） R-外网设置默认路由 ,吓一跳 12.1.1.2

[R-外网]ip route-static 0.0.0.0 0 12.1.1.2
1

5） R_联通 设置ip

[R-联通]int g0/0
[R-联通-GigabitEthernet0/0]ip address 12.1.1.2 24

[R-联通]int LoopBack 1
[R-联通-LoopBack1]ip address 6.6.6.6 24
1
2
3
4
5

至此连不通 6 6 6 6,应起acl

[H3C]PING 6.6.6.6
Ping 6.6.6.6 (6.6.6.6): 56 data bytes, press CTRL_C to break
Request time out
Request time out
1
2
3
4

6) R_外网 起acl NAT地址转换

[R-外网]acl basic 2000
[R-外网-acl-ipv4-basic-2000]rule permit source 192.168.0.0 0.0.255.255 
# 规则：允许192.168.0.0段,通过无条件通过
[R-外网-acl-ipv4-basic-2000]int g0/0
[R-外网-GigabitEthernet0/0]nat outbound 2000
# 0/0端口 ,调用2000规则
1
2
3
4
5
6

7) 验证

验证 可以 ping 6.6.6.6

PING 6.6.6.6
Ping 6.6.6.6 (6.6.6.6): 56 data bytes, press CTRL_C to break
56 bytes from 6.6.6.6: icmp_seq=0 ttl=253 time=1.000 ms
56 bytes from 6.6.6.6: icmp_seq=1 ttl=253 time=2.000 ms
1
2
3
4

==R-外网

[R-外网]dis  ip in b
*down: administratively down
(s): spoofing  (l): loopback
Interface           Physical Protocol IP address/Mask    VPN instance Description
GE0/0               up       up       12.1.1.1/24        --           --
GE0/1               up       up       13.1.1.1/24        --           --
GE0/2               up       up       192.168.100.2/24   --           --
GE5/0               down     down     --                 --           --
GE5/1               down     down     --                 --           --
GE6/0               down     down     --                 --           --
GE6/1               down     down     --                 --           --
Ser1/0              up       up       14.1.1.1/24        --           --
Ser2/0              down     down     --                 --           --
Ser3/0              down     down     --                 --           --
Ser4/0              down     down     --                 --           -


[R-外网dis ip routing-table
Destinations : 27       Routes : 27
Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          Static  60  0           12.1.1.2        GE0/0
0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0
12.1.1.0/24        Direct  0   0           12.1.1.1        GE0/0
12.1.1.1/32        Direct  0   0           127.0.0.1       InLoop0
12.1.1.255/32      Direct  0   0           12.1.1.1        GE0/0
13.1.1.0/24        Direct  0   0           13.1.1.1        GE0/1
13.1.1.1/32        Direct  0   0           127.0.0.1       InLoop0
13.1.1.255/32      Direct  0   0           13.1.1.1        GE0/1
14.1.1.0/24        Direct  0   0           14.1.1.1        Ser1/0
14.1.1.1/32        Direct  0   0           127.0.0.1       InLoop0
14.1.1.2/32        Direct  0   0           14.1.1.2        Ser1/0
14.1.1.255/32      Direct  0   0           14.1.1.1        Ser1/0
127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0
127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0
127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
192.168.10.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.20.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.30.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.40.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.80.0/24    O_INTRA 10  1563        14.1.1.2        Ser1/0
192.168.100.0/24   Direct  0   0           192.168.100.2   GE0/2
192.168.100.2/32   Direct  0   0           127.0.0.1       InLoop0
192.168.100.255/32 Direct  0   0           192.168.100.2   GE0/2
192.168.200.0/24   O_INTRA 10  2           192.168.100.1   GE0/2
224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0
224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0
255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

R-联通

<R-联通>dis ip in b
*down: administratively down
(s): spoofing  (l): loopback
Interface           Physical Protocol IP address/Mask    VPN instance Description
GE0/0               up       up       12.1.1.2/24        --           --
GE0/1               up       up       --                 --           --
GE0/2               down     down     --                 --           --
GE5/0               down     down     --                 --           --
GE5/1               down     down     --                 --           --
GE6/0               down     down     --                 --           --
GE6/1               down     down     --                 --           --
Loop1               up       up(s)    6.6.6.6/24         --           --
Ser1/0              down     down     --                 --           --
Ser2/0              down     down     --                 --           --
Ser3/0              down     down     --                 --           --
Ser4/0              down     down     --                 --           0


<R-联通>dis ip routing-table
Destinations : 13       Routes : 13
Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0
6.6.6.0/24         Direct  0   0           6.6.6.6         Loop1
6.6.6.6/32         Direct  0   0           127.0.0.1       InLoop0
6.6.6.255/32       Direct  0   0           6.6.6.6         Loop1
12.1.1.0/24        Direct  0   0           12.1.1.2        GE0/0
12.1.1.2/32        Direct  0   0           127.0.0.1       InLoop0
12.1.1.255/32      Direct  0   0           12.1.1.2        GE0/0
127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0
127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0
127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0
224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0
255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

R_移动

<R_移动>dis ip in b
*down: administratively down
(s): spoofing  (l): loopback
Interface           Physical Protocol IP address/Mask    VPN instance Description
GE0/0               up       up       13.1.1.2/24        --           --
GE0/1               up       up       --                 --           --
GE0/2               down     down     --                 --           --
GE5/0               down     down     --                 --           --
GE5/1               down     down     --                 --           --
GE6/0               down     down     --                 --           --
GE6/1               down     down     --                 --           --
Loop3               up       up(s)    7.7.7.7/24         --           --
Ser1/0              down     down     --                 --           --
Ser2/0              down     down     --                 --           --
Ser3/0              down     down     --                 --           --
Ser4/0              down     down     --                 --           --
<R_移动>dis ip rou
<R_移动>dis ip routing-table

Destinations : 13       Routes : 13

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0
7.7.7.0/24         Direct  0   0           7.7.7.7         Loop3
7.7.7.7/32         Direct  0   0           127.0.0.1       InLoop0
7.7.7.255/32       Direct  0   0           7.7.7.7         Loop3
13.1.1.0/24        Direct  0   0           13.1.1.2        GE0/0
13.1.1.2/32        Direct  0   0           127.0.0.1       InLoop0
13.1.1.255/32      Direct  0   0           13.1.1.2        GE0/0
127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0
127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0
127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0
224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0
255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

7、外网双线备份 ,联通为主,移动为副 ,自动切换

1） R_外网 设路由 设优先级

ip route-static 0.0.0.0 0 13.1.1.2 preference 70
1

2) R_移动 设置ip

[R_移动]int LoopBack 3
[R_移动-LoopBack3]ip a 7.7.7.7 24

[R_移动-LoopBack3]int g0/0
[R_移动-GigabitEthernet0/0]ip a 13.1.1.2 24
1
2
3
4
5

检验

[R_移动]dis ip in b
*down: administratively down
(s): spoofing  (l): loopback
Interface           Physical Protocol IP address/Mask    VPN instance Description
GE0/0               up       up       13.1.1.2/24        --           --
GE0/1               up       up       --                 --           --
GE0/2               down     down     --                 --           --
GE5/0               down     down     --                 --           --
GE5/1               down     down     --                 --           --
GE6/0               down     down     --                 --           --
GE6/1               down     down     --                 --           --
Loop3               up       up(s)    7.7.7.7/24         --           --
1
2
3
4
5
6
7
8
9
10
11
12

3） 断开联通6.6.6.6 线路后,自动切换到 7.7.7.7

断开后 R_外网 路由表边长 注意第一行 优先级70

[R-外 dis ip routing-table
Destinations : 25       Routes : 25
Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          Static  70  0           13.1.1.2        GE0/1
0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0
12.1.1.1/32        Direct  1   0           0.0.0.0         NULL0
13.1.1.0/24        Direct  0   0           13.1.1.1        GE0/1
13.1.1.1/32        Direct  0   0           127.0.0.1       InLoop0
13.1.1.255/32      Direct  0   0           13.1.1.1        GE0/1
14.1.1.0/24        Direct  0   0           14.1.1.1        Ser1/0
14.1.1.1/32        Direct  0   0           127.0.0.1       InLoop0
14.1.1.2/32        Direct  0   0           14.1.1.2        Ser1/0
14.1.1.255/32      Direct  0   0           14.1.1.1        Ser1/0
127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0
127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0
127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
192.168.10.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.20.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.30.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.40.0/24    O_INTRA 10  2           192.168.100.1   GE0/2
192.168.80.0/24    O_INTRA 10  1563        14.1.1.2        Ser1/0
192.168.100.0/24   Direct  0   0           192.168.100.2   GE0/2
192.168.100.2/32   Direct  0   0           127.0.0.1       InLoop0
192.168.100.255/32 Direct  0   0           192.168.100.2   GE0/2
192.168.200.0/24   O_INTRA 10  2           192.168.100.1   GE0/2
224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0
224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0
255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

3.1）但是 ping不通 7.7.7.7 ,重新到R_外网NAT

ping不通 7.7.7.7 也不通 13.1.1.2 13.1.1.1通 ,说明没有配NAT

4) 返回 R_外网 匹配acl 规则

[R-外网]int g0/1
[R-外网-GigabitEthernet0/1]dis thi
# c发现 确实没有配置 NAT
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 13.1.1.1 255.255.255.0

[R-外网-GigabitEthernet0/1]nat outbound 2000
# c再次检测

[R-外网-GigabitEthernet0/1]DIS THI
#
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 13.1.1.1 255.255.255.0
 nat outbound 2000
# c返现有nat 规则
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

==用pc-14 ping7.7.7.7=

PING 7.7.7.7
Ping 7.7.7.7 (7.7.7.7): 56 data bytes, press CTRL_C to break
56 bytes from 7.7.7.7: icmp_seq=0 ttl=253 time=1.000 ms
56 bytes from 7.7.7.7: icmp_seq=1 ttl=253 time=1.000 ms
1
2
3
4

5) 再次接通 6.6.6.6 PC14 自动切换到 6.6.6.6

[H3C]PING 7.7.7.7
Ping 7.7.7.7 (7.7.7.7): 56 data bytes, press CTRL_C to break
56 bytes from 7.7.7.7: icmp_seq=0 ttl=253 time=2.000 ms
56 bytes from 7.7.7.7: icmp_seq=1 ttl=253 time=2.000 ms
Request time out
Request time out
Request time out
# c正连通的7在接通6.6后,断了
PING 6.6.6.6
Ping 6.6.6.6 (6.6.6.6): 56 data bytes, press CTRL_C to break
56 bytes from 6.6.6.6: icmp_seq=0 ttl=253 time=1.000 ms
56 bytes from 6.6.6.6: icmp_seq=1 ttl=253 time=1.000 ms
# c此时6.6 通路
[H3C]PING 7.7.7.7
Ping 7.7.7.7 (7.7.7.7): 56 data bytes, press CTRL_C to break
Request time out
Request time out
# c此时7.7 断路
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

8、所有设备科Telnet ,管理网段255.x,vlan999

1）所有设备可Telnet 每个设备都要配置 都一样

# c开启telnat服务
[sw1]telnet server enable
# c新增用户abc 设为管理员组,密码123  服务类型为Telnet
[sw1]local-user abc class mange
[sw1-luser-manage-abc]password simple 123
[sw1-luser-manage-abc]service-type telnet

# c改用户role 为网络管理员
[sw1-luser-manage-abc]authorization-attribute user-role network-admin

# c设用户登录方式为 账号密码  有意复制了 提示==
[sw1]use
[sw1]user-?
  user-group      Specify user group configuration information
  user-interface  Configure the line
  user-profile    Specify a user profile

[sw1]user-in
[sw1]user-interface ?
  INTEGER<0-147>  Number of the first line
  aux             AUX line
  class           Specify the line class to modify the default configuration
  console         Console line
  tty             Async serial line
  vty             Virtual type terminal (VTY) line

[sw1]user-interface vty ?
  INTEGER<0-63>  Number of the first line

[sw1]user-interface vty 0 4
[sw1-line-vty0-4]a
[sw1-line-vty0-4]authentication-mode ?
  none      Login without authentication
  password  Password authentication
  scheme    Authentication use AAA

[sw1-line-vty0-4]authentication-mode sc
[sw1-line-vty0-4]authentication-mode scheme
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

2） 通用代码 复制后 在每台设备上粘贴

telnet serv en
local-user abc class manage

pas sim 123
service-type telnet
authorization-attribute user-role network-admin
qu
user-interface vty 0 4
authentication-mode scheme
1
2
3
4
5
6
7
8
9

3）设置管理vlan 999和255.x的可以telnet

核心交换机和接入交换机以及路由器 , 要可被Telnet ,就必须有地址（虚接口）,
故要设置管理vlan999.并给他一个255.x的地址
使得  所有pc都可以访问各交换机和路由器
1
2
3

① 核心sw 起管理vlan999 +ip

[sw1-luser-manage-abc]int vlan 999
[sw1-Vlan-interface999]ip address 192.168.255.1 24
1
2

②汇聚和接入交换机都要起管理vlan和管理地址

int vlan 999
ip add 192.168.255.x 24
1
2

③除主核心外 ,其他设备还要配置缺省路由 【不懂】

[sw14]ip route-static 0.0.0.0 0 192.168.255.1；用于管理流量的回包
1

总结以下,除了核心交换机,都应该这么设置

[sw-汇聚]vlan 999
[sw-汇聚-vlan999]int vlan 999
[sw-汇聚-Vlan-interface999]ip a 192.168.255.2 24
[sw-汇聚-Vlan-interface999]qu
[sw-汇聚]ip rou 0.0.0.0 0 192.168.255.1
# c默认路由的目的是为了管理流量回包,要不pc访问不了
1
2
3
4
5
6

检验排查

# c先看vlan999
[sw-接入]dis vlan
 Total VLANs: 3
 The VLANs include:
 1(default), 10, 999
# c2 排查 ip
[sw-接入]dis ip in b
*down: administratively down
(s): spoofing  (l): loopback
Interface                Physical Protocol IP Address      Description
MGE0/0/0                 down     down     --              --
Vlan999                  up       up       192.168.110.4   --
# c2 查看默认路由  
[sw-接入]dis ip rou
Destinations : 13       Routes : 13
Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/0          Static  60  0           192.168.255.1   Vlan999
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

9、vlan30 用户不能访问200.5 ACL NAT 是packet-filer

核心sw 设置高级阻断规则 acl

[sw1]acl advanced 3000
[sw1-acl-ipv4-adv-3000]rule deny ip source 192.168.30.0 0.0.0.255 destination 19
2.168.200.5 0.0.0.0
# 0.0.0.255？ 是否合适
[sw1-acl-ipv4-adv-3000]qu
[sw1]int vlan 30
# 要设置  vlan
[sw1-Vlan-interface30]packet-filter 3000 inbound
# 不是nat  是packet-filer
1
2
3
4
5
6
7
8
9

检测

用192.168.30.12 ping 20.4 和200.5 成功

<H3C>ping 192.168.200.4
Ping 192.168.200.4 (192.168.200.4): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.200.4: icmp_seq=0 ttl=254 time=2.000 ms
56 bytes from 192.168.200.4: icmp_seq=1 ttl=254 time=2.000 ms

ping 192.168.200.5
Ping 192.168.200.5 (192.168.200.5): 56 data bytes, press CTRL_C to break
Request time out
Request time out
1
2
3
4
5
6
7
8
9

用192.168.200.4 ping 30.12 通

ping 192.168.30.12
Ping 192.168.30.12 (192.168.30.12): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.30.12: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 192.168.30.12: icmp_seq=1 ttl=254 time=1.000 ms
1
2
3
4

用200.5 ping 30.12 不通

<H3C>ping 192.168.30.12
Ping 192.168.30.12 (192.168.30.12): 56 data bytes, press CTRL_C to break
Request time out
Request time out
1
2
3
4

结果很 ok 一切合乎设计要求

另 实验 如果 192.168.200.5 0.0.0.0.0 改成 0.0.0.255
[sw1-acl-ipv4-adv-3000]rule deny ip source 192.168.30.0 0.0.0.255 destination 19
2.168.200.5 0.0.0.0

[sw1-acl-ipv4-adv-3000]rule deny ip source 192.168.30.0 0.0.0.255 destination 19
2.168.200.5 0.0.0.255
1
2

#【结果】 0.0.0.255？ 是否合适 255 就使得200段的所有ip都不能ping通

<H3C>ping 192.168.200.4
Ping 192.168.200.4 (192.168.200.4): 56 data bytes, press CTRL_C to break
Request time out
Request time out

ping 192.168.200.5
Ping 192.168.200.5 (192.168.200.5): 56 data bytes, press CTRL_C to break
Request time out
Request time out
1
2
3
4
5
6
7
8
9

查看sw1相关配置

[sw1]int vlan 30
[sw1-Vlan-interface30]dis thi
#
interface Vlan-interface30
 ip address 192.168.30.1 255.255.255.0
 packet-filter 3000 inbound
1
2
3
4
5
6

[sw1]acl advanced 3000
[sw1-acl-ipv4-adv-3000]dis th
#
acl advanced 3000
 rule 0 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
1
2
3
4
5

再次改回来

[sw1]acl a 3000
[sw1-acl-ipv4-adv-3000]rule deny ip source 192.168.30.0 0.0.0.255 destination 19
2.168.200.5 0.0.0.0
[sw1-acl-ipv4-adv-3000]dis thi
#
acl advanced 3000
 rule 0 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.200.5 0
1
2
3
4
5
6
7

30.12ping 200.5 互不通 ping’ 200.4 互通