1. Requirements:
(1) The headquarters uses a high-availability design: losing one access-layer link, or losing an aggregation or core device, must not disrupt normal forwarding
(2) Branch 1 has few users, so it uses router-on-a-stick (single-arm routing) for inter-VLAN connectivity
(3) Headquarters, branch 1 and branch 2 can all reach the Internet
(4) The Internet can reach the headquarters' HTTP server and FTP server
(5) The headquarters and the two branches are interconnected over the internal network through DSVPN
2. Headquarters configuration
(1) Create the VLANs and assign interfaces; bundle the links between the core switches into an Eth-Trunk so that if either core switch fails the other can still forward traffic normally
[LSW3]vlan batch 10 20 30
[LSW3]int g0/0/3
[LSW3-GigabitEthernet0/0/3]port link-type access
[LSW3-GigabitEthernet0/0/3]port default vlan 10
[LSW3-GigabitEthernet0/0/3]int g0/0/1
[LSW3-GigabitEthernet0/0/1]port link-type trunk
[LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30
[LSW3-GigabitEthernet0/0/1]int g0/0/2
[LSW3-GigabitEthernet0/0/2]port link-type trunk
[LSW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30
[LSW4]vlan batch 10 20 30
[LSW4]int g0/0/3
[LSW4-GigabitEthernet0/0/3]port link-type access
[LSW4-GigabitEthernet0/0/3]port default vlan 20
[LSW4-GigabitEthernet0/0/3]int g0/0/1
[LSW4-GigabitEthernet0/0/1]port link-type trunk
[LSW4-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30
[LSW4-GigabitEthernet0/0/1]int g0/0/2
[LSW4-GigabitEthernet0/0/2]port link-type trunk
[LSW4-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30
[LSW5]vlan batch 10 20 30
[LSW5]int g0/0/3
[LSW5-GigabitEthernet0/0/3]port link-type access
[LSW5-GigabitEthernet0/0/3]port default vlan 30
[LSW5-GigabitEthernet0/0/3]int g0/0/1
[LSW5-GigabitEthernet0/0/1]port link-type trunk
[LSW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30
[LSW5-GigabitEthernet0/0/1]int g0/0/2
[LSW5-GigabitEthernet0/0/2]port link-type trunk
[LSW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30
[LSW1]vlan batch 10 20 30 11 12
[LSW1]int g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type access
[LSW1-GigabitEthernet0/0/1]port default vlan 11
[LSW1-GigabitEthernet0/0/1]int g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type access
[LSW1-GigabitEthernet0/0/2]port default vlan 12
[LSW1-GigabitEthernet0/0/2]int g0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type trunk
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 11 12
[LSW1-GigabitEthernet0/0/3]int g0/0/4
[LSW1-GigabitEthernet0/0/4]port link-type trunk
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW1-GigabitEthernet0/0/4]int g0/0/5
[LSW1-GigabitEthernet0/0/5]port link-type trunk
[LSW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW1-GigabitEthernet0/0/5]quit
[LSW1]int Eth-Trunk 1
[LSW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/6 to 0/0/7
[LSW1-Eth-Trunk1]port link-type trunk
[LSW1-Eth-Trunk1]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW2]vlan batch 10 20 30 13 14
[LSW2]int g0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type access
[LSW2-GigabitEthernet0/0/1]port default vlan 14
[LSW2-GigabitEthernet0/0/1]int g0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 13
[LSW2-GigabitEthernet0/0/2]int g0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type trunk
[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW2-GigabitEthernet0/0/3]int g0/0/4
[LSW2-GigabitEthernet0/0/4]port link-type trunk
[LSW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW2-GigabitEthernet0/0/4]int g0/0/5
[LSW2-GigabitEthernet0/0/5]port link-type trunk
[LSW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW2-GigabitEthernet0/0/5]quit
[LSW2]int Eth-Trunk 1
[LSW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/6 to 0/0/7
[LSW2-Eth-Trunk1]port link-type trunk
[LSW2-Eth-Trunk1]port trunk allow-pass vlan 10 20 30 11 12 13 14
(2) Configure MSTP to break the loops: LSW1 is the root bridge for VLANs 10 and 20 and the secondary root for VLAN 30; LSW2 is the root bridge for VLAN 30 and the secondary root for VLANs 10 and 20; configure the interfaces facing end hosts as edge ports
[LSW1]stp region-configuration
[LSW1-mst-region]region-name 1
[LSW1-mst-region]revision-level 1
[LSW1-mst-region]instance 1 vlan 10 20
[LSW1-mst-region]instance 2 vlan 30
[LSW1-mst-region]active region-configuration
[LSW1]stp instance 1 priority 0
[LSW1]stp instance 2 priority 4096
[LSW2]stp region-configuration
[LSW2-mst-region]region-name 1
[LSW2-mst-region]revision-level 1
[LSW2-mst-region]instance 1 vlan 10 20
[LSW2-mst-region]instance 2 vlan 30
[LSW2-mst-region]active region-configuration
[LSW2]stp instance 1 priority 4096
[LSW2]stp instance 2 priority 0
[LSW3]stp region-configuration
[LSW3-mst-region]region-name 1
[LSW3-mst-region]revision-level 1
[LSW3-mst-region]instance 1 vlan 10 20
[LSW3-mst-region]instance 2 vlan 30
[LSW3-mst-region]active region-configuration
[LSW3-mst-region]quit
[LSW4]stp region-configuration
[LSW4-mst-region]region-name 1
[LSW4-mst-region]revision-level 1
[LSW4-mst-region]instance 1 vlan 10 20
[LSW4-mst-region]instance 2 vlan 30
[LSW4-mst-region]active region-configuration
[LSW4-mst-region]quit
[LSW5]stp region-configuration
[LSW5-mst-region]region-name 1
[LSW5-mst-region]revision-level 1
[LSW5-mst-region]instance 1 vlan 10 20
[LSW5-mst-region]instance 2 vlan 30
[LSW5-mst-region]active region-configuration
[LSW3]int g0/0/3
[LSW3-GigabitEthernet0/0/3]stp edged-port enable
[LSW4]int g0/0/3
[LSW4-GigabitEthernet0/0/3]stp edged-port enable
[LSW5]int g0/0/3
[LSW5-GigabitEthernet0/0/3]stp edged-port enable
(3) Configure inter-VLAN routing so that the internal network is interconnected: configure VRRP with LSW1 as master for VLANs 10 and 20 and backup for VLAN 30, and LSW2 as backup for VLANs 10 and 20 and master for VLAN 30
[LSW1]int Vlanif 10
[LSW1-Vlanif10]ip add 10.1.1.1 24
[LSW1-Vlanif10]int Vlanif 20
[LSW1-Vlanif20]ip add 10.1.2.1 24
[LSW1-Vlanif20]int Vlanif 30
[LSW1-Vlanif30]ip add 10.1.3.1 24
[LSW2]int Vlanif 10
[LSW2-Vlanif10]ip add 10.1.1.2 24
[LSW2-Vlanif10]int Vlanif 20
[LSW2-Vlanif20]ip add 10.1.2.2 24
[LSW2-Vlanif20]int Vlanif 30
[LSW2-Vlanif30]ip add 10.1.3.2 24
[LSW1]int Vlanif 10
[LSW1-Vlanif10]vrrp vrid 1 virtual-ip 10.1.1.254
[LSW1-Vlanif10]vrrp vrid 1 priority 200
[LSW1-Vlanif10]vrrp vrid 1 preempt-mode timer delay 60
[LSW1-Vlanif10]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 120
[LSW1]int Vlanif 20
[LSW1-Vlanif20]vrrp vrid 2 virtual-ip 10.1.2.254
[LSW1-Vlanif20]vrrp vrid 2 priority 200
[LSW1-Vlanif20]vrrp vrid 2 preempt-mode timer delay 60
[LSW1-Vlanif20]vrrp vrid 2 track interface GigabitEthernet 0/0/1 reduced 120
[LSW1]int Vlanif 30
[LSW1-Vlanif30]vrrp vrid 3 virtual-ip 10.1.3.254
[LSW2]int Vlanif 10
[LSW2-Vlanif10]vrrp vrid 1 virtual-ip 10.1.1.254
[LSW2-Vlanif10]int Vlanif 20
[LSW2-Vlanif20]vrrp vrid 2 virtual-ip 10.1.2.254
[LSW2-Vlanif20]int Vlanif 30
[LSW2-Vlanif30]vrrp vrid 3 virtual-ip 10.1.3.254
[LSW2-Vlanif30]vrrp vrid 3 priority 200
[LSW2-Vlanif30]vrrp vrid 3 preempt-mode timer delay 60
[LSW2-Vlanif30]vrrp vrid 3 track interface GigabitEthernet 0/0/1 reduced 120
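The VRRP settings above rely on the uplink tracking to move the master role when LSW1's upstream interface goes down. The following added example (not part of the original lab) models that election for VRID 1 with the page's values (priority 200 on LSW1, the VRP default of 100 on LSW2, tracking reduced by 120) and shows why the reduction must exceed the priority gap between master and backup; the clamp-to-1 behaviour for very large reductions is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

VRRP_DEFAULT_PRIORITY = 100  # VRP default when no priority is configured

@dataclass
class VrrpRouter:
    name: str
    ip: str                              # real Vlanif address, used as tie-breaker
    priority: int = VRRP_DEFAULT_PRIORITY
    tracked_iface: Optional[str] = None  # "vrrp vrid N track interface X"
    reduced: int = 0                     # "... reduced <value>"
    down_ifaces: Set[str] = field(default_factory=set)

    def effective_priority(self) -> int:
        # While the tracked uplink is down the priority is lowered by 'reduced'.
        # Assumed: the model never goes below 1 (0 is reserved in VRRP).
        if self.tracked_iface and self.tracked_iface in self.down_ifaces:
            return max(self.priority - self.reduced, 1)
        return self.priority

def elect_master(routers):
    """Highest effective priority wins; on a tie the higher primary IP wins."""
    def key(r):
        return (r.effective_priority(), tuple(int(o) for o in r.ip.split(".")))
    return max(routers, key=key).name

def vrid1_master(lsw1_uplink_down: bool, reduced: int = 120) -> str:
    """Master of VRID 1 (VLAN 10) for the page's LSW1/LSW2 pair."""
    lsw1 = VrrpRouter("LSW1", "10.1.1.1", 200, "GigabitEthernet0/0/1", reduced)
    lsw2 = VrrpRouter("LSW2", "10.1.1.2")  # no priority configured -> 100
    if lsw1_uplink_down:
        lsw1.down_ifaces.add("GigabitEthernet0/0/1")
    return elect_master([lsw1, lsw2])

def minimum_useful_reduction(master_priority: int, backup_priority: int) -> int:
    """Smallest 'reduced' value that lets the backup win once the uplink fails."""
    return master_priority - backup_priority + 1

if __name__ == "__main__":
    print("uplink up   ->", vrid1_master(False))          # LSW1
    print("uplink down ->", vrid1_master(True))           # LSW2 (200-120=80 < 100)
    print("reduced 50  ->", vrid1_master(True, 50))       # still LSW1 (150 > 100)
    print("min reduced ->", minimum_useful_reduction(200, 100))  # 101
```

With the page's values a reduction of 120 leaves LSW1 at 80, below LSW2's default 100, so the failover works; the 60-second preempt delay only governs how soon LSW1 reclaims the role once its uplink returns.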
(4) Configure the Layer 3 interconnect interfaces
[LSW1]int Vlanif 11
[LSW1-Vlanif11]ip add 192.168.11.1 24
[LSW1-Vlanif11]int Vlanif 12
[LSW1-Vlanif12]ip add 192.168.12.1 24
[LSW2]int Vlanif 13
[LSW2-Vlanif13]ip add 192.168.13.2 24
[LSW2-Vlanif13]int Vlanif 14
[LSW2-Vlanif14]ip add 192.168.14.2 24
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/2
[FW1-zone-trust]add interface GigabitEthernet 1/0/0
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
[FW1-zone-untrust]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/3
[FW1-zone-dmz]add interface GigabitEthernet 1/0/4
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 20.1.1.3 24
[FW1-GigabitEthernet1/0/1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.13.3 24
[FW1-GigabitEthernet1/0/0]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 192.168.11.3 24
[FW1-GigabitEthernet1/0/2]int g1/0/3
[FW1-GigabitEthernet1/0/3]ip add 192.168.15.3 24
[FW1-GigabitEthernet1/0/3]int g1/0/4
[FW1-GigabitEthernet1/0/4]ip add 192.168.16.3 24
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 192.168.12.4 24
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 192.168.14.4 24
[AR2-GigabitEthernet0/0/1]int g0/0/2
[AR2-GigabitEthernet0/0/2]ip add 20.1.1.4 24
[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]ip add 50.1.1.5 24
[AR1-GigabitEthernet4/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 30.1.1.5 24
[AR1-GigabitEthernet0/0/1]int g0/0/2
[AR1-GigabitEthernet0/0/2]ip add 40.1.1.5 24
[AR1-GigabitEthernet0/0/2]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 20.1.1.5 24
(5) Configure the DMZ
1) Configure VLANs
[LSW10]vlan batch 100 101
[LSW10]int g0/0/3
[LSW10-GigabitEthernet0/0/3]port link-type access
[LSW10-GigabitEthernet0/0/3]port default vlan 100
[LSW10-GigabitEthernet0/0/3]int g0/0/4
[LSW10-GigabitEthernet0/0/4]port link-type access
[LSW10-GigabitEthernet0/0/4]port default vlan 101
[LSW10-GigabitEthernet0/0/4]int g0/0/1
[LSW10-GigabitEthernet0/0/1]port link-type trunk
[LSW10-GigabitEthernet0/0/1]port trunk allow-pass vlan 100 101
[LSW10-GigabitEthernet0/0/1]int g0/0/2
[LSW10-GigabitEthernet0/0/2]port link-type trunk
[LSW10-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 101
[LSW8]vlan batch 15 100 101
[LSW8]int g0/0/1
[LSW8-GigabitEthernet0/0/1]port link-type access
[LSW8-GigabitEthernet0/0/1]port default vlan 15
[LSW8-GigabitEthernet0/0/1]int g0/0/2
[LSW8-GigabitEthernet0/0/2]port link-type trunk
[LSW8-GigabitEthernet0/0/2]port trunk allow-pass vlan 15 100 101
[LSW8-GigabitEthernet0/0/2]quit
[LSW8]int Eth-Trunk 1
[LSW8-Eth-Trunk1]trunkport GigabitEthernet 0/0/3 to 0/0/4
[LSW8-Eth-Trunk1]port link-type trunk
[LSW8-Eth-Trunk1]port trunk allow-pass vlan 15 100 101
[LSW9]vlan batch 16 100 101
[LSW9]int g0/0/1
[LSW9-GigabitEthernet0/0/1]port link-type access
[LSW9-GigabitEthernet0/0/1]port default vlan 16
[LSW9-GigabitEthernet0/0/1]int g0/0/2
[LSW9-GigabitEthernet0/0/2]port link-type trunk
[LSW9-GigabitEthernet0/0/2]port trunk allow-pass vlan 16 100 101
[LSW9-GigabitEthernet0/0/2]quit
[LSW9]int Eth-Trunk 1
[LSW9-Eth-Trunk1]trunkport GigabitEthernet 0/0/3 to 0/0/4
[LSW9-Eth-Trunk1]port link-type trunk
[LSW9-Eth-Trunk1]port trunk allow-pass vlan 16 100 101
2) Configure MSTP (LSW8 must be the root bridge for VLAN 100 and LSW9 the root bridge for VLAN 101)
[LSW10]stp region-configuration
[LSW10-mst-region]region-name DMZ1
[LSW10-mst-region]revision-level 1
[LSW10-mst-region]instance 1 vlan 100
[LSW10-mst-region]instance 2 vlan 101
[LSW10-mst-region]active region-configuration
[LSW8]stp region-configuration
[LSW8-mst-region]region-name DMZ1
[LSW8-mst-region]revision-level 1
[LSW8-mst-region]instance 1 vlan 100
[LSW8-mst-region]instance 2 vlan 101
[LSW8-mst-region]active region-configuration
[LSW9]stp region-configuration
[LSW9-mst-region]region-name DMZ1
[LSW9-mst-region]revision-level 1
[LSW9-mst-region]instance 1 vlan 100
[LSW9-mst-region]instance 2 vlan 101
[LSW9-mst-region]active region-configuration
[LSW8]stp instance 1 priority 0
[LSW8]stp instance 2 priority 4096
[LSW9]stp instance 1 priority 4096
[LSW9]stp instance 2 priority 0
[LSW10]int g0/0/3
[LSW10-GigabitEthernet0/0/3]stp edged-port enable
[LSW10-GigabitEthernet0/0/3]int g0/0/4
[LSW10-GigabitEthernet0/0/4]stp edged-port enable
3) Configure inter-VLAN routing
[LSW8]int Vlanif 15
[LSW8-Vlanif15]ip add 192.168.15.1 24
[LSW8]int Vlanif 100
[LSW8-Vlanif100]ip add 10.1.100.1 24
[LSW8-Vlanif100]int Vlanif 101
[LSW8-Vlanif101]ip add 10.1.101.1 24
[LSW9]int Vlanif 16
[LSW9-Vlanif16]ip add 192.168.16.2 24
[LSW9]int Vlanif 100
[LSW9-Vlanif100]ip add 10.1.100.2 24
[LSW9-Vlanif100]int Vlanif 101
[LSW9-Vlanif101]ip add 10.1.101.2 24
4) Configure VRRP to provide link backup
[LSW8]int Vlanif 100
[LSW8-Vlanif100]vrrp vrid 1 virtual-ip 10.1.100.254
[LSW8-Vlanif100]vrrp vrid 1 priority 200
[LSW8-Vlanif100]vrrp vrid 1 preempt-mode timer delay 60
[LSW8-Vlanif100]vrrp vrid 1 track interface g0/0/1 reduced 120
[LSW8-Vlanif100]quit
[LSW8]int Vlanif 101
[LSW8-Vlanif101]vrrp vrid 2 virtual-ip 10.1.101.254
[LSW9]int Vlanif 100
[LSW9-Vlanif100]vrrp vrid 1 virtual-ip 10.1.100.254
[LSW9-Vlanif100]int Vlanif 101
[LSW9-Vlanif101]vrrp vrid 2 virtual-ip 10.1.101.254
[LSW9-Vlanif101]vrrp vrid 2 preempt-mode timer delay 60
[LSW9-Vlanif101]vrrp vrid 2 priority 200
[LSW9-Vlanif101]vrrp vrid 2 track interface g0/0/1 reduced 120
(6) Configure network-wide routing: place the headquarters in OSPF area 0, the servers in area 1, branch 1 in area 2 and branch 2 in area 3
1) Configure OSPF
[LSW1]ospf 1 router-id 11.1.1.1
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.3.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[LSW2]ospf 1 router-id 22.1.1.1
[LSW2-ospf-1]area 0
[LSW2-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.1.3.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 192.168.14.0 0.0.0.255
[FW1]ospf router-id 33.1.1.1
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255
[AR2]ospf router-id 44.1.1.1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 192.168.14.0 0.0.0.255
[LSW8]ospf router-id 111.1.1.1
[LSW8-ospf-1]area 0
[LSW8-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
[LSW8-ospf-1-area-0.0.0.0]area 1
[LSW8-ospf-1-area-0.0.0.1]network 10.1.100.0 0.0.0.255
[LSW8-ospf-1-area-0.0.0.1]network 10.1.101.0 0.0.0.255
[LSW9]ospf router-id 222.1.1.1
[LSW9-ospf-1]area 0
[LSW9-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255
[LSW9-ospf-1-area-0.0.0.0]area 1
[LSW9-ospf-1-area-0.0.0.1]network 10.1.101.0 0.0.0.255
[LSW9-ospf-1-area-0.0.0.1]network 10.1.100.0 0.0.0.255
2) Make the Vlanif interfaces silent (passive) so no OSPF hellos are sent toward the user VLANs
[LSW1]ospf 1
[LSW1-ospf-1]silent-interface Vlanif 10
[LSW1-ospf-1]silent-interface Vlanif 20
[LSW1-ospf-1]silent-interface Vlanif 30
[LSW2]ospf 1
[LSW2-ospf-1]silent-interface Vlanif 10
[LSW2-ospf-1]silent-interface Vlanif 20
[LSW2-ospf-1]silent-interface Vlanif 30
[LSW8-ospf-1]silent-interface Vlanif 100
[LSW8-ospf-1]silent-interface Vlanif 101
[LSW9-ospf-1]silent-interface Vlanif 100
[LSW9-ospf-1]silent-interface Vlanif 101
(7) Configure the trust-to-dmz security policy
[FW1]security-policy
[FW1-policy-security]rule name t-to-dmz
[FW1-policy-security-rule-t-to-dmz]source-zone trust
[FW1-policy-security-rule-t-to-dmz]source-address 10.1.0.0 16
[FW1-policy-security-rule-t-to-dmz]destination-zone dmz
[FW1-policy-security-rule-t-to-dmz]action permit
(8) Configure NAT
[FW1]nat-policy
[FW1-policy-nat]rule name to-ISP
[FW1-policy-nat-rule-to-ISP]source-zone trust
[FW1-policy-nat-rule-to-ISP]destination-zone untrust
[FW1-policy-nat-rule-to-ISP]source-address 10.1.0.0 16
[FW1-policy-nat-rule-to-ISP]action source-nat easy-ip
[FW1]security-policy
[FW1-policy-security]rule name to-ISP
[FW1-policy-security-rule-to-ISP]source-zone trust
[FW1-policy-security-rule-to-ISP]destination-zone untrust
[FW1-policy-security-rule-to-ISP]source-address 10.1.0.0 16
[FW1-policy-security-rule-to-ISP]action permit
[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.5
[FW1]ospf 1
[FW1-ospf-1]default-route-advertise
(9) Public-network access to the HTTP and FTP services in the DMZ: mapped with nat server
[FW1]nat server protocol tcp global 20.1.1.100 80 inside 10.1.100.10 80
[FW1]nat server protocol tcp global 20.1.1.101 21 inside 10.1.101.10 21
[FW1]security-policy
[FW1-policy-security]rule name u-to-dmz
[FW1-policy-security-rule-u-to-dmz]source-zone untrust
[FW1-policy-security-rule-u-to-dmz]destination-zone dmz
[FW1-policy-security-rule-u-to-dmz]destination-address 10.1.100.10 32
[FW1-policy-security-rule-u-to-dmz]destination-address 10.1.101.10 32
[FW1-policy-security-rule-u-to-dmz]action permit
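On Huawei USG firewalls the security policy is matched after nat server has translated the destination, which is why rule u-to-dmz names the inside addresses 10.1.100.10 and 10.1.101.10 rather than the public 20.1.1.100/101. The following added example (not the firewall's own code) models that ordering for the page's mappings and rules, and sets the page's any-service rule beside an assumed tightened variant that limits each host to its published port; the zone lookup by destination prefix is a simplification of the real outbound-interface zone lookup.

```python
from ipaddress import ip_address, ip_network

# Constructed from the page's FW1 configuration.
NAT_SERVER = {  # (global ip, global port) -> (inside ip, inside port)
    ("20.1.1.100", 80): ("10.1.100.10", 80),
    ("20.1.1.101", 21): ("10.1.101.10", 21),
}
# Assumed simplification: destination zone from the post-NAT destination prefix.
ZONES = [("dmz", ip_network("10.1.100.0/24")), ("dmz", ip_network("10.1.101.0/24")),
         ("trust", ip_network("10.1.0.0/16"))]

class Rule:
    def __init__(self, name, src_zone, dst_zone, action, dst_addrs=None, ports=None):
        self.name, self.src_zone, self.dst_zone, self.action = name, src_zone, dst_zone, action
        self.dst_addrs = [ip_network(a) for a in dst_addrs] if dst_addrs else None  # None = any
        self.ports = set(ports) if ports else None  # None = any service, as on the page

    def matches(self, src_zone, dst_zone, dst_ip, dst_port):
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return False
        if self.dst_addrs is not None and not any(ip_address(dst_ip) in n for n in self.dst_addrs):
            return False
        return self.ports is None or dst_port in self.ports

def zone_of(ip):
    for zone, net in ZONES:
        if ip_address(ip) in net:
            return zone
    return "untrust"

def evaluate(rules, src_zone, dst_ip, dst_port):
    """Return (action, 'post-NAT ip:port'). nat server runs first; rules are
    checked in order and anything unmatched is denied by the default policy."""
    dst_ip, dst_port = NAT_SERVER.get((dst_ip, dst_port), (dst_ip, dst_port))
    dst_zone = zone_of(dst_ip)
    for r in rules:
        if r.matches(src_zone, dst_zone, dst_ip, dst_port):
            return r.action, f"{dst_ip}:{dst_port}"
    return "deny", f"{dst_ip}:{dst_port}"

# The page's rule: both DMZ hosts, no service restriction.
PAGE_RULES = [Rule("u-to-dmz", "untrust", "dmz", "permit",
                   ["10.1.100.10/32", "10.1.101.10/32"])]
# Assumed tightened variant (not on the page): one rule per published service.
TIGHT_RULES = [Rule("u-to-http", "untrust", "dmz", "permit", ["10.1.100.10/32"], [80]),
               Rule("u-to-ftp", "untrust", "dmz", "permit", ["10.1.101.10/32"], [21])]

if __name__ == "__main__":
    for rules, label in ((PAGE_RULES, "page"), (TIGHT_RULES, "tight")):
        print(label, evaluate(rules, "untrust", "20.1.1.100", 80))   # permit via mapping
        print(label, evaluate(rules, "untrust", "20.1.1.100", 22))   # no mapping -> deny
        print(label, evaluate(rules, "untrust", "10.1.100.10", 22))  # page: permit, tight: deny
```

FTP also opens separate data connections, so on a real USG the FTP ALG/ASPF must additionally be enabled for the untrust-dmz interzone; the page does not show that step.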
4. Branch 1 configuration: router-on-a-stick and NAT
(1) Router-on-a-stick configuration
[LSW11]vlan batch 10 20
[LSW11]int g0/0/2
[LSW11-GigabitEthernet0/0/2]port link-type access
[LSW11-GigabitEthernet0/0/2]port default vlan 10
[LSW11-GigabitEthernet0/0/2]int g0/0/3
[LSW11-GigabitEthernet0/0/3]port link-type access
[LSW11-GigabitEthernet0/0/3]port default vlan 20
[LSW11-GigabitEthernet0/0/3]int g0/0/1
[LSW11-GigabitEthernet0/0/1]port link-type trunk
[LSW11-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[AR4]int g0/0/1.10
[AR4-GigabitEthernet0/0/1.10]dot1q termination vid 10
[AR4-GigabitEthernet0/0/1.10]arp broadcast enable
[AR4-GigabitEthernet0/0/1.10]ip add 10.2.1.1 24
[AR4-GigabitEthernet0/0/1.10]int g0/0/1.20
[AR4-GigabitEthernet0/0/1.20]dot1q termination vid 20
[AR4-GigabitEthernet0/0/1.20]arp broadcast enable
[AR4-GigabitEthernet0/0/1.20]ip add 10.2.2.1 24
[AR4]int g0/0/0
[AR4-GigabitEthernet0/0/0]ip add 40.1.1.1 24
[AR4]ip route-static 0.0.0.0 0.0.0.0 40.1.1.5
[AR4]acl 2000
[AR4-acl-basic-2000]rule permit source 10.2.0.0 0.0.255.255
[AR4-acl-basic-2000]int g0/0/0
[AR4-GigabitEthernet0/0/0]nat outbound 2000
5. Branch 2 configuration
(1) Configure VLANs
[LSW13]vlan batch 10 20 17
[LSW13]int g0/0/1
[LSW13-GigabitEthernet0/0/1]port link-type access
[LSW13-GigabitEthernet0/0/1]port default vlan 17
[LSW13-GigabitEthernet0/0/1]int g0/0/2
[LSW13-GigabitEthernet0/0/2]port link-type trunk
[LSW13-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 17
[LSW13-GigabitEthernet0/0/2]int g0/0/3
[LSW13-GigabitEthernet0/0/3]port link-type trunk
[LSW13-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 17
[LSW13-GigabitEthernet0/0/3]quit
[LSW13]int Eth-Trunk 1
[LSW13-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 to 0/0/5
[LSW13-Eth-Trunk1]port link-type trunk
[LSW13-Eth-Trunk1]port trunk allow-pass vlan 10 20 17
[LSW14]vlan batch 10 20 18
[LSW14]int g0/0/1
[LSW14-GigabitEthernet0/0/1]port link-type access
[LSW14-GigabitEthernet0/0/1]port default vlan 18
[LSW14-GigabitEthernet0/0/1]int g0/0/2
[LSW14-GigabitEthernet0/0/2]port link-type trunk
[LSW14-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 18
[LSW14-GigabitEthernet0/0/2]int g0/0/3
[LSW14-GigabitEthernet0/0/3]port link-type trunk
[LSW14-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 18
[LSW14-GigabitEthernet0/0/3]quit
[LSW14]int Eth-Trunk 1
[LSW14-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 to 0/0/5
[LSW14-Eth-Trunk1]port link-type trunk
[LSW14-Eth-Trunk1]port trunk allow-pass vlan 10 20 18
[LSW15]vlan batch 10 20
[LSW15]int g0/0/3
[LSW15-GigabitEthernet0/0/3]port link-type access
[LSW15-GigabitEthernet0/0/3]port default vlan 10
[LSW15-GigabitEthernet0/0/3]int g0/0/1
[LSW15-GigabitEthernet0/0/1]port link-type trunk
[LSW15-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[LSW15-GigabitEthernet0/0/1]int g0/0/2
[LSW15-GigabitEthernet0/0/2]port link-type trunk
[LSW15-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20
[LSW16]vlan batch 10 20
[LSW16]int g0/0/3
[LSW16-GigabitEthernet0/0/3]port link-type access
[LSW16-GigabitEthernet0/0/3]port default vlan 20
[LSW16-GigabitEthernet0/0/3]int g0/0/1
[LSW16-GigabitEthernet0/0/1]port link-type trunk
[LSW16-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[LSW16-GigabitEthernet0/0/1]int g0/0/2
[LSW16-GigabitEthernet0/0/2]port link-type trunk
[LSW16-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20
(2) Configure MSTP: LSW13 is the primary root for VLAN 10 and the secondary root for VLAN 20; LSW14 is the primary root for VLAN 20 and the secondary root for VLAN 10
[LSW13]stp region-configuration
[LSW13-mst-region]region-name FB2
[LSW13-mst-region]revision-level 1
[LSW13-mst-region]instance 1 vlan 10
[LSW13-mst-region]instance 2 vlan 20
[LSW13-mst-region]active region-configuration
[LSW14]stp region-configuration
[LSW14-mst-region]region-name FB2
[LSW14-mst-region]revision-level 1
[LSW14-mst-region]instance 1 vlan 10
[LSW14-mst-region]instance 2 vlan 20
[LSW14-mst-region]active region-configuration
[LSW15]stp region-configuration
[LSW15-mst-region]region-name FB2
[LSW15-mst-region]revision-level 1
[LSW15-mst-region]instance 1 vlan 10
[LSW15-mst-region]instance 2 vlan 20
[LSW15-mst-region]active region-configuration
[LSW16]stp region-configuration
[LSW16-mst-region]region-name FB2
[LSW16-mst-region]revision-level 1
[LSW16-mst-region]instance 1 vlan 10
[LSW16-mst-region]instance 2 vlan 20
[LSW16-mst-region]active region-configuration
[LSW13]stp instance 1 priority 0
[LSW13]stp instance 2 priority 4096
[LSW14]stp instance 1 priority 4096
[LSW14]stp instance 2 priority 0
[LSW16-GigabitEthernet0/0/3]stp edged-port enable
[LSW15-GigabitEthernet0/0/3]stp edged-port enable
(3) Configure inter-VLAN routing
[LSW13]int Vlanif 10
[LSW13-Vlanif10]ip add 10.3.1.1 24
[LSW13-Vlanif10]int Vlanif 20
[LSW13-Vlanif20]ip add 10.3.2.1 24
[LSW13-Vlanif20]int Vlanif 10
[LSW13-Vlanif10]vrrp vrid 1 virtual-ip 10.3.1.254
[LSW13-Vlanif10]vrrp vrid 1 priority 200
[LSW13-Vlanif10]vrrp vrid 1 preempt-mode timer delay 60
[LSW13-Vlanif10]vrrp vrid 1 track interface g0/0/1 reduced 120
[LSW13-Vlanif10]int Vlanif 20
[LSW13-Vlanif20]vrrp vrid 2 virtual-ip 10.3.2.254
[LSW14]int Vlanif 10
[LSW14-Vlanif10]ip add 10.3.1.2 24
[LSW14-Vlanif10]int Vlanif 20
[LSW14-Vlanif20]ip add 10.3.2.2 24
[LSW14-Vlanif20]vrrp vrid 2 virtual-ip 10.3.2.254
[LSW14-Vlanif20]vrrp vrid 2 priority 200
[LSW14-Vlanif20]vrrp vrid 2 preempt-mode timer delay 60
[LSW14-Vlanif20]vrrp vrid 2 track interface GigabitEthernet 0/0/1 reduced 120
[LSW14-Vlanif20]int Vlanif 10
[LSW14-Vlanif10]vrrp vrid 1 virtual-ip 10.3.1.254
(4) Configure network-wide routing
[LSW13]int Vlanif 17
[LSW13-Vlanif17]ip add 192.168.17.1 24
[LSW13-Vlanif17]quit
[LSW13]ospf 1 router-id 17.1.1.1
[LSW13-ospf-1]area 2
[LSW13-ospf-1-area-0.0.0.2]network 192.168.17.0 0.0.0.255
[LSW13-ospf-1-area-0.0.0.2]network 10.3.1.0 0.0.0.255
[LSW13-ospf-1-area-0.0.0.2]network 10.3.2.0 0.0.0.255
[LSW13-ospf-1-area-0.0.0.2]quit
[LSW13-ospf-1]silent-interface Vlanif 10
[LSW13-ospf-1]silent-interface Vlanif 20
[LSW14]int Vlanif 18
[LSW14-Vlanif18]ip add 192.168.18.1 24
[LSW14-Vlanif18]quit
[LSW14]ospf 1 router-id 18.1.1.1
[LSW14-ospf-1]area 2
[LSW14-ospf-1-area-0.0.0.2]network 10.3.1.0 0.0.0.255
[LSW14-ospf-1-area-0.0.0.2]network 10.3.2.0 0.0.0.255
[LSW14-ospf-1-area-0.0.0.2]network 192.168.18.0 0.0.0.255
[LSW14-ospf-1-area-0.0.0.2]quit
[LSW14-ospf-1]silent-interface Vlanif 10
[LSW14-ospf-1]silent-interface Vlanif 20
[AR5]int g0/0/1
[AR5-GigabitEthernet0/0/1]ip add 192.168.17.6 24
[AR5-GigabitEthernet0/0/1]int g0/0/2
[AR5-GigabitEthernet0/0/2]ip add 192.168.18.6 24
[AR5-GigabitEthernet0/0/2]int g0/0/0
[AR5-GigabitEthernet0/0/0]ip add 50.1.1.6 24
[AR5]ospf 1 router-id 55.1.1.1
[AR5-ospf-1]area 2
[AR5-ospf-1-area-0.0.0.2]network 192.168.17.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.2]network 192.168.18.0 0.0.0.255
[AR5]ip route-static 0.0.0.0 0.0.0.0 50.1.1.5
[AR5]ospf 1
[AR5-ospf-1]default-route-advertise
(5) Source NAT
[AR5]acl 2000
[AR5-acl-basic-2000]rule permit source 10.3.0.0 0.0.255.255
[AR5]int g0/0/0
[AR5-GigabitEthernet0/0/0]nat outbound 2000
6. DSVPN configuration between headquarters and branches: AR2 is the hub, AR4 and AR5 are spokes, and the three tunnel interfaces sit in the 172.1.1.0 subnet
[AR2]int Tunnel 0/0/0
[AR2-Tunnel0/0/0]tunnel-protocol gre p2mp
[AR2-Tunnel0/0/0]ip add 172.1.1.1 24
[AR2-Tunnel0/0/0]source GigabitEthernet 0/0/2
[AR2-Tunnel0/0/0]nhrp entry multicast dynamic
[AR2-Tunnel0/0/0]ospf dr-priority 255 // raise the priority to the maximum so the hub becomes the DR
[AR4]int Tunnel 0/0/0
[AR4-Tunnel0/0/0]tunnel-protocol gre p2mp
[AR4-Tunnel0/0/0]ip add 172.1.1.3 24
[AR4-Tunnel0/0/0]source GigabitEthernet 0/0/0
[AR4-Tunnel0/0/0]nhrp entry 172.1.1.1 20.1.1.4 register
[AR4-Tunnel0/0/0]ospf network-type broadcast
[AR4-Tunnel0/0/0]ospf dr-priority 0
[AR5]int Tunnel 0/0/0
[AR5-Tunnel0/0/0]tunnel-protocol gre p2mp
[AR5-Tunnel0/0/0]ip add 172.1.1.2 24
[AR5-Tunnel0/0/0]source GigabitEthernet 0/0/0
[AR5-Tunnel0/0/0]nhrp entry 172.1.1.1 20.1.1.4 register
[AR5-Tunnel0/0/0]ospf network-type broadcast
[AR5-Tunnel0/0/0]ospf dr-priority 0
[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255
[AR4]ospf 1
[AR4-ospf-1]area 0
[AR4-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255
[AR5]ospf 1
[AR5-ospf-1]area 0
[AR5-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255