
HCL Basic Lab (VRRP + MSTP + OSPF + IPsec VPN + link aggregation)

2022-04-05 18:17 Author: 尐德

SW1

 

system-view

sysname SW1

vlan 10

vlan 20

vlan 30

vlan 40

vlan 100

quit

stp region-configuration

region-name mstp

 instance 1 vlan 10 30

 instance 2 vlan 20 40

 active region-configuration


 stp instance 1 root primary

 stp instance 2 root secondary

 stp global enable


interface Bridge-Aggregation1

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40


interface Vlan-interface10

 ip add 192.168.10.1 255.255.255.0

 vrrp vrid 10 virtual-ip 192.168.10.254

 vrrp vrid 10 priority 254

 vrrp vrid 10 preempt-mode delay 5


interface Vlan-interface20

 ip add 192.168.20.1 255.255.255.0

 vrrp vrid 20 virtual-ip 192.168.20.254

 vrrp vrid 20 preempt-mode delay 5


interface Vlan-interface30

 ip add 192.168.30.1 255.255.255.0

 vrrp vrid 30 virtual-ip 192.168.30.254

 vrrp vrid 30 priority 254

 vrrp vrid 30 preempt-mode delay 5


interface Vlan-interface40

 ip add 192.168.40.1 255.255.255.0

 vrrp vrid 40 virtual-ip 192.168.40.254

 vrrp vrid 40 preempt-mode delay 5


interface Vlan-interface100

 ip add 100.1.1.1 255.255.255.0


interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40


interface GigabitEthernet1/0/2

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40


interface GigabitEthernet1/0/3

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40


interface GigabitEthernet1/0/4

 port access vlan 100


interface GigabitEthernet1/0/47

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40

 port link-aggregation group 1


interface GigabitEthernet1/0/48

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40

 port link-aggregation group 1


ospf 1

 area 0

 network 100.1.1.0 0.0.0.255

 network 192.168.10.0 0.0.0.255

 network 192.168.20.0 0.0.0.255

 network 192.168.30.0 0.0.0.255

 network 192.168.40.0 0.0.0.255

 

 

SW2

system-view

sysname SW2

vlan 10

vlan 20

vlan 30

vlan 40

vlan 101


stp region-configuration

region-name mstp

 instance 1 vlan 10 30

 instance 2 vlan 20 40

 active region-configuration


 stp instance 1 root secondary

 stp instance 2 root primary

 stp global enable


interface Bridge-Aggregation1

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40


interface Vlan-interface10

 ip add 192.168.10.2 255.255.255.0

 vrrp vrid 10 virtual-ip 192.168.10.254

 vrrp vrid 10 preempt-mode delay 5


interface Vlan-interface20

 ip add 192.168.20.2 255.255.255.0

 vrrp vrid 20 virtual-ip 192.168.20.254

 vrrp vrid 20 priority 254

 vrrp vrid 20 preempt-mode delay 5


interface Vlan-interface30

 ip add 192.168.30.2 255.255.255.0

 vrrp vrid 30 virtual-ip 192.168.30.254

 vrrp vrid 30 preempt-mode delay 5


interface Vlan-interface40

 ip add 192.168.40.2 255.255.255.0

 vrrp vrid 40 virtual-ip 192.168.40.254

 vrrp vrid 40 priority 254

 vrrp vrid 40 preempt-mode delay 5


interface Vlan-interface101

 ip add 101.1.1.1 255.255.255.0



interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40


interface GigabitEthernet1/0/2

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40


interface GigabitEthernet1/0/3

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40


interface GigabitEthernet1/0/4

 port access vlan 101




interface GigabitEthernet1/0/47

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40

 port link-aggregation group 1


interface GigabitEthernet1/0/48

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40

 port link-aggregation group 1


ospf 1

 area 0.0.0.0

 network 101.1.1.0 0.0.0.255

 network 192.168.10.0 0.0.0.255

 network 192.168.20.0 0.0.0.255

 network 192.168.30.0 0.0.0.255

 network 192.168.40.0 0.0.0.255

 

 

SW3

system-view

 sysname SW3

vlan 10

vlan 20

vlan 30

vlan 40




stp region-configuration

region-name mstp

 instance 1 vlan 10 30

 instance 2 vlan 20 40

 active region-configuration




interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40



interface GigabitEthernet1/0/2

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40


interface GigabitEthernet1/0/3

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40


 

 

SW4

system-view

 sysname SW4

vlan 10

vlan 20

vlan 30

vlan 40




stp region-configuration

region-name mstp

 instance 1 vlan 10 30

 instance 2 vlan 20 40

 active region-configuration




interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40



interface GigabitEthernet1/0/2

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40


interface GigabitEthernet1/0/3

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40


 

 

SW5

system-view

 sysname SW5

vlan 10

vlan 20

vlan 30

vlan 40





stp region-configuration

region-name mstp

 instance 1 vlan 10 30

 instance 2 vlan 20 40

 active region-configuration



interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40



interface GigabitEthernet1/0/2

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40


interface GigabitEthernet1/0/3

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40

 

 

SW6


system-view

 sysname SW6

vlan 10

vlan 20

vlan 30

vlan 40



interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40



interface GigabitEthernet1/0/2

 port access vlan 10

 

 


SW7

system-view

 sysname SW7

vlan 10

vlan 20

vlan 30

vlan 40



interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40



interface GigabitEthernet1/0/2

 port access vlan 20


 

 

SW8

system-view

 sysname SW8

vlan 10

vlan 20

vlan 30

vlan 40



interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40



interface GigabitEthernet1/0/2

 port access vlan 30

 

 

SW9

system-view

 sysname SW9

vlan 10

vlan 20

vlan 30

vlan 40



interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 10 20 30 40



interface GigabitEthernet1/0/2

 port access vlan 40


 

  

 

R1

system-view

sysname R1


interface GigabitEthernet0/0

 ip add 200.1.1.1 255.255.255.0



interface GigabitEthernet0/1

 ip add 100.1.1.2 255.255.255.0


interface GigabitEthernet0/2

 ip add 101.1.1.2 255.255.255.0



ospf 1

 area 0.0.0.0

 network 100.1.1.0 0.0.0.255

 network 101.1.1.0 0.0.0.255

 network 200.1.1.0 0.0.0.255

 

 

R2


system-view

sysname R2



interface GigabitEthernet0/0

 ip add 200.1.1.2 255.255.255.0


interface GigabitEthernet0/1

 ip add 201.1.1.2 255.255.255.0



ospf 1

 area 0.0.0.0

 network 172.16.1.0 0.0.0.255

 network 200.1.1.0 0.0.0.255

 network 201.1.1.0 0.0.0.255

 

 

R3

system-view

sysname R3



interface GigabitEthernet0/0

 ip add 201.1.1.3 255.255.255.0


interface GigabitEthernet0/1

 ip add 172.16.1.254 255.255.255.0



ospf 1

 area 0.0.0.0

 network 172.16.1.0 0.0.0.255

 network 201.1.1.0 0.0.0.255





VPN configuration commands

R1 configuration:


//Define the interesting traffic: match the traffic to be sent through the VPN

acl advanced 3000

rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.1.0 0.0.0.255

quit

//Configure an ACL that matches traffic bound for the external network

acl advanced 3005

 rule 0 deny ip source 192.168.10.0 0.0.0.255 destination 172.16.1.0 0.0.0.255 //Deny the VPN traffic so that it is not NAT-translated

 rule 5 permit ip source 192.168.10.0 0.0.0.255

 quit

//Default route on the internal gateway, pointing to the public-network router

ip route-static 0.0.0.0 0 200.1.1.2

//Create the IKE proposal. Its parameters all have default values and this lab uses them as they are, so the view is exited right after the proposal is created

ike proposal 1

quit

//Create the pre-shared key

ike keychain r3

pre-shared-key address 201.1.1.3 key simple 123

quit

//Create the IKE profile, specifying the local and remote addresses, the IKE proposal and the pre-shared key

ike profile r3

proposal 1

keychain r3

local-identity address 200.1.1.1

match remote identity address 201.1.1.3

quit

//Create the IPsec transform set, specifying the security protocol and its authentication and encryption algorithms

ipsec transform-set r3

encapsulation-mode tunnel //Optional; tunnel mode is the default

protocol esp //Optional; ESP is the default security protocol

esp authentication-algorithm md5

esp encryption-algorithm des-cbc

quit

//Create the IPsec policy

ipsec policy r3 1 isakmp

security acl 3000

ike-profile r3

transform-set r3

remote-address 201.1.1.3

quit

//Apply the IPsec policy on interface g0/0

int g0/0

ipsec apply policy r3

//Configure Easy IP on g0/0

nat outbound 3005



R3 configuration:

//R3's IPsec configuration differs little from R1's, so it is not explained again


ip route-static 0.0.0.0 0 201.1.1.2

acl advanced 3000

rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

quit

acl advanced 3005

 rule 0 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

 rule 5 permit ip source 172.16.1.0 0.0.0.255

 quit

ike proposal 1

quit

ike keychain r1

pre-shared-key address 200.1.1.1 key simple 123

quit

ike profile r1

proposal 1

keychain r1

local-identity address 201.1.1.3

match remote identity address 200.1.1.1

quit

ipsec transform-set r1

encapsulation-mode tunnel

protocol esp

esp authentication-algorithm md5

esp encryption-algorithm des-cbc

quit

ipsec policy r1 1 isakmp

security acl 3000

transform-set r1

ike-profile r1

remote-address 200.1.1.1

int g0/0

ipsec apply policy r1

nat outbound 3005
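
An added example (Python, not part of the original post): a check that the ACL 3000 selectors on the two IPsec peers mirror each other once wildcard masks are applied, and that flags the MD5, DES and plaintext pre-shared-key settings this lab uses. The function names and the trimmed sample configurations are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on this page's R1/R3 lines; R1's source is deliberately a host address.
R1 = """
acl advanced 3000
rule 0 permit ip source 192.168.10.1 0.0.0.255 destination 172.16.1.0 0.0.0.255
ike keychain r3
pre-shared-key address 201.1.1.3 key simple 123
ipsec transform-set r3
esp authentication-algorithm md5
esp encryption-algorithm des-cbc
"""
R3 = """
acl advanced 3000
rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
"""

RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")
WEAK = {"authentication-algorithm md5": "ESP integrity uses MD5",
        "encryption-algorithm des-cbc": "ESP encryption uses DES",
        "key simple": "pre-shared key entered in plaintext"}

def net(addr, wildcard):
    """Clear the bits the wildcard mask ignores, so a host address equals its network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF, wc

def selectors(config, acl="3000"):
    """Return the (source, destination) pairs permitted by one advanced ACL."""
    out, inside = set(), False
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("acl "):
            inside = line.split()[-1] == acl
        elif inside and (m := RULE.match(line)):
            out.add((net(m[1], m[2]), net(m[3], m[4])))
        elif inside and line and not line.startswith("rule"):
            inside = False  # left the ACL view
    return out

def mirrored(a, b):
    """True when every selector on one peer appears reversed on the other."""
    return selectors(a) == {(dst, src) for src, dst in selectors(b)}

def weak_settings(config):
    """List the weak IPsec choices found in a configuration."""
    return [msg for token, msg in WEAK.items() if token in config]
```

Mismatched selectors are a common reason an IPsec SA fails to negotiate, so `mirrored()` is worth running before the policy is applied to the interface.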






