Answer Analysis for the 2023 National Competition in Network Construction and Operations

Answer analysis for the official questions of the 2023 Network Construction and Operations National Competition

Network topology diagram (image not included)

(II) Switch configuration

Service port allocation table (1) (image not included)
Service port allocation table (2) (image not included)

SW1

port-group 1
!
Interface Ethernet1/0/22
 switchport mode trunk
 switchport trunk allowed vlan 11-15 
 port-group 1 mode active
!

SW2

port-group 1
!
Interface Ethernet1/0/22
 switchport mode trunk
 switchport trunk allowed vlan 21-25 
 port-group 1 mode passive
!

2. SW1 and SW2 are interconnected over three bare optical fibre links: one carries Layer 3 IP service, one carries VPN service, and one carries Layer 2 service.

Use the appropriate technology to isolate the Finance segment 1 and Finance segment 2 routing tables from the other service routing tables; the finance VPN instance is named Finance with RD 1:1. Only one bare-fibre channel carries Layer 2 service; configure the relevant technology so that the link can later be expanded and backed up redundantly, numbered 1, using LACP, with SW1 active and SW2 passive; use destination and source IP for traffic load sharing.
SW1

load-balance dst-src-ip  // load sharing by destination and source IP
!
Interface Ethernet1/0/23
 switchport access vlan 1023
!
Interface Ethernet1/0/24
 switchport access vlan 1024
!        
ip vrf Finance
 rd 1:1
!
interface Vlan1023  // Layer 3 service
 ip address 10.4.255.1 255.255.255.252
!
interface Vlan1024  // carries the VPN service
 ip vrf forwarding Finance
 ip address 10.4.255.1 255.255.255.252  // note: an IPv4 address configured before the VRF binding is removed when the interface is bound
!
interface Vlan14  // finance VPN service
 ip vrf forwarding Finance
 ipv6 address 2001:10:4:14::1/64
 ip address 10.4.14.1 255.255.255.0  
!

port-group 1
!
Interface Ethernet1/0/22
 switchport mode trunk
 switchport trunk allowed vlan 11-15 
 port-group 1 mode active  // active mode
!

SW2

load-balance dst-src-ip
!
Interface Ethernet1/0/23
 switchport access vlan 1023
!
Interface Ethernet1/0/24
 switchport access vlan 1024
!
ip vrf Finance
 rd 1:1
!
interface Vlan1023
 ip address 10.4.255.2 255.255.255.252
!
interface Vlan1024
 ip vrf forwarding Finance
 ip address 10.4.255.2 255.255.255.252
!
interface Vlan24
 ip vrf forwarding Finance
 ipv6 address 2001:10:4:24::1/64
 ip address 10.4.24.1 255.255.255.0
!

port-group 1
!
Interface Ethernet1/0/22
 switchport mode trunk
 switchport trunk allowed vlan 21-25 
 port-group 1 mode passive  // passive mode
!

3. To simplify later verification and testing, SW3's E1/0/22 connects to a suitable interface on another device; configure it as trunk, allowing Vlan 31-34, 110 and 120.

This port can be connected to SW1's E1/0/1 to test ip dhcp snooping.

4. SW3 simulates the branch office switch, isolated from the group's other service routing tables; the office VPN instance is named Office with RD 1:1. SW3 also simulates the Internet switch, isolated from the group's other service routing tables; the Internet VPN instance is named Internet with RD 2:2.

SW3

ip vrf Office
 rd 1:1
!
ip vrf Internet
 rd 2:2
!  

interface Vlan110  // group office product segment 1
 ip vrf forwarding Office
 ipv6 address 2001:10:4:110::1/64
 ip address 10.4.110.1 255.255.255.0
!
interface Vlan120  // group office marketing segment 1
 ip vrf forwarding Office
 ipv6 address 2001:10:4:120::1/64
 ip address 10.4.120.1 255.255.255.0
!
interface Vlan1015 
 ip vrf forwarding Office
 ip address 10.4.255.30 255.255.255.252
!
interface Vlan1017
 ip vrf forwarding Internet
 ip address 200.200.200.1 255.255.255.252
!
interface Vlan1018
 ip vrf forwarding Internet
 ip address 200.200.200.5 255.255.255.252
!
interface Loopback2
 ip vrf forwarding Office
 ipv6 address 2001:10:4:3::2/128
 ip address 10.4.3.2 255.255.255.255
!

5. Configure SNMP on SW1 with engine id 1000; create group GroupSkills with the highest security level, with read and write views Skills_R and Skills_W; create authenticated user UserSkills using the AES algorithm for encryption with key Key-1122 and SHA as the hash algorithm with key Key-1122; when the device has a fault, send v3 Trap messages from the local loopback address Loopback1 to the group NMS servers 10.4.15.120 and 2001:10:4:15::120 with the highest security level; when updown events occur on the legal department's user ports, do not send traps to those NMS servers.

SW1

snmp-server enable
snmp-server trap-source 10.4.1.1
snmp-server trap-source 2001:10:4:1::1
snmp-server engineid 1000
snmp-server user UserSkills GroupSkills authPriv aes b693dfa497e63a03e2b4a1d3709b0723 auth sha b693dfa497e63a03e2b4a1d3709b0723f62da73a
snmp-server group GroupSkills authpriv read Skills_R write Skills_W
snmp-server host 2001:10:4:15::120 v3 authpriv UserSkills
snmp-server host 10.4.15.120 v3 authpriv UserSkills
!
Interface Ethernet1/0/3
 no switchport updown notification enable
 switchport access vlan 13
!
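The hex strings the switch echoes back in `snmp-server user ...` are not the password Key-1122 but USM keys localized to the engine ID (RFC 3414); on the page the 32-hex priv key is exactly the first half of the 40-hex SHA auth key, which is what the AES-128 rule of taking the first 16 bytes predicts. The following added example (not the page's or the vendor's code) derives keys this way; the byte encoding the switch uses for `engineid 1000` is not given on the page, so `b"1000"` is an assumption and the result will not match the page's values exactly.

```python
import hashlib

KEY_EXPANSION_BYTES = 1048576  # RFC 3414 A.2: hash exactly 1 MiB of the repeated password


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """Ku = H(password repeated up to 1,048,576 bytes)."""
    if not password:
        raise ValueError("empty password")
    reps = KEY_EXPANSION_BYTES // len(password) + 1
    stream = (password * reps)[:KEY_EXPANSION_BYTES]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the value a device stores and prints.

    Because the engine ID is mixed in, the stored key is bound to this engine
    and cannot be reused against another SNMP engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, algo: str = "sha1") -> dict:
    """Localized auth key plus the AES-128 priv key (first 16 bytes of Kul, RFC 3826).

    SW1 uses the same password Key-1122 for auth and priv, so both come from one Ku."""
    kul = localize_key(password_to_key(password.encode(), algo), engine_id, algo)
    return {"auth": kul.hex(), "priv": kul[:16].hex()}


# Assumption: the page gives 'snmp-server engineid 1000' but not the byte encoding the
# switch applies to it, so the raw ASCII bytes are used here purely for illustration.
PAGE_ENGINE_ID = b"1000"


def sw1_keys() -> dict:
    """Keys for UserSkills on SW1 under the engine-ID assumption above."""
    return usm_keys("Key-1122", PAGE_ENGINE_ID)
```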

6. Mirror the traffic between SW1 and FW1 to SW1 E1/0/1, with session number 1.

SW1

monitor session 1 source interface Ethernet1/0/19 tx
monitor session 1 source interface Ethernet1/0/19 rx
monitor session 1 destination interface Ethernet1/0/1
!

7. Enable unidirectional link detection on SW1 and SW2 E1/0/21-28; when such a fault occurs, the port is marked errdisable and shut down automatically, then re-enabled automatically after 1 minute; the Hello interval is 15 s.

SW1

uldp enable
uldp recovery-time 60
uldp hello-interval 15
uldp manual-shutdown
uldp aggressive-mode
!

SW2

uldp enable
uldp recovery-time 60
uldp hello-interval 15
uldp manual-shutdown
uldp aggressive-mode
!

8. Enable the Link Layer Discovery Protocol on all ports of SW1 and SW2, with an update interval of 20 s, an aging-time multiplier of 5 and a trap interval of 10 s; enable the trap function on the three bare-fibre ports.

SW1

lldp enable
lldp msgTxHold 5
lldp tx-interval 20
lldp notification interval 10
!     
Interface Ethernet1/0/22
 lldp trap enable
!
Interface Ethernet1/0/23
 lldp trap enable
!
Interface Ethernet1/0/24
 lldp trap enable
!        

SW2

lldp enable
lldp msgTxHold 5
lldp tx-interval 20
lldp notification interval 10
!     
Interface Ethernet1/0/22
 lldp trap enable
!
Interface Ethernet1/0/23
 lldp trap enable
!
Interface Ethernet1/0/24
 lldp trap enable
!        

(III) Routing configuration

1. Configure the hostname of every device as shown in the network topology. Enable the SSH service on all devices, with username and plaintext password both admin; set the SSH connection timeout to 9 minutes and the console timeout to 30 minutes on all devices.

SW

exec-timeout 30 0
!
ssh-server enable
ssh-server timeout 540

RT

line console 0
 exec-timeout 1800
!
!
ip sshd timeout 540
ip sshd enable
!  

FW

ssh timeout 9
console timeout 30

2. Set the time zone of all devices to GMT+08:00. Set SW1's clock to the actual time; SW1 is the NTP server and the other devices are NTP clients with a request interval of 1 minute, using SW1's Loopback1 IPv6 address as the NTP server address.

SW1

clock timezone GMT add 8 0
!
ntp enable
ntp-service refclock-master 1 
!     

SW2, SW3, AC1

clock timezone GMT add 8 0
!
ntp enable
ntp syn-interval 60
ntp server 2001:10:4:1::1
!

RT1

time-zone GMT 8 0
ntp query-interval 60
ntp server 2001:10:4:1::1
!

FW

clock zone GMT 8 0
ntp query-interval 60
ntp server 2001:10:4:1::1

3. Configure interface IPv4 and IPv6 addresses; interconnect interfaces use link-local IPv6 addresses. On FW1 and FW2 interfaces enable only the ping function, plus SSH on Loopback1.

RT

ipv6 unicast-routing  // enable IPv6 link-local addresses

On each interface:
 ipv6 enable

FW

ipv6 enable

On each interface:
  manage ping
  manage ssh

4. SW2 provides DHCPv4 and DHCPv6, allocating addresses for Vlan11, Vlan21, Vlan130, Vlan140 and Vlan150. The DHCPv4 pools are named PC1, PC2, AP1, POOLv4-VLAN11, POOLv4-VLAN21, POOLv4-VLAN130, POOLv4-VLAN140 and POOLv4-VLAN150; exclude the gateway; DNS is 10.4.210.101 and 10.4.220.101. The DHCPv6 pools are named POOLv6-VLAN11, POOLv6-VLAN21, POOLv6-VLAN130, POOLv6-VLAN140 and POOLv6-VLAN150; DHCPv6 pools are expressed as network prefixes; exclude the gateway; DNS is 2400:3200::1. PC1 has the reserved addresses 10.4.11.9 (DHCPv4 pool PC1) and 2001:10:4:11::9, PC2 has 10.4.21.9 (DHCPv4 pool PC2) and 2001:10:4:21::9, and AP1 has 10.4.130.9 (DHCPv4 pool AP1) and 2001:10:4:130::9. The relay address on SW1 and AC1 is SW2's Loopback1 address. SW1 enables DHCPv4 and DHCPv6 snooping; if a DHCPv4 server is connected on E1/0/1, the port is shut down, with a recovery time of 10 minutes.

SW1

service dhcp
!
ip forward-protocol udp bootps
!
ip dhcp snooping enable
!
service dhcpv6
!
savi enable
 savi ipv6 dhcp-only enable
!
Interface Ethernet1/0/1
 ip dhcp snooping action shutdown recovery 600
!
interface Vlan11
 no ipv6 nd suppress-ra
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ip helper-address 10.4.2.1
 ipv6 dhcp relay destination 2001:10:4:2::1
!

SW2

service dhcp
!
ip forward-protocol udp bootps
!
ip dhcp pool POOLv4-VLAN11
 network-address 10.4.11.0 255.255.255.0
 default-router 10.4.11.1
 dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool POOLv4-VLAN21
 network-address 10.4.21.0 255.255.255.0
 default-router 10.4.21.1
 dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool POOLv4-VLAN130
 network-address 10.4.130.0 255.255.255.0
 default-router 10.4.130.1
 dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool POOLv4-VLAN140
 network-address 10.4.140.0 255.255.255.0
 default-router 10.4.140.1
 dns-server 10.4.210.101 10.4.220.101
!         
ip dhcp pool POOLv4-VLAN150
 network-address 10.4.150.0 255.255.255.0
 default-router 10.4.150.1
 dns-server 10.4.210.101 10.4.220.101
!
ip dhcp pool AP1
 host 10.4.130.9 255.255.255.0
 hardware-address 00-03-0F-D9-CD-C0
!
ip dhcp pool PC1
 host 10.4.11.9 255.255.255.0
 hardware-address C0-18-03-BB-9F-94
!
ip dhcp pool PC2
 host 10.4.21.9 255.255.255.0
 hardware-address 98-0E-24-AB-83-F1
!

service dhcpv6
!
ipv6 dhcp pool POOLv6-VLAN11
 network-address 2001:10:4:11::1 64
 static-binding 2001:10:4:11::9 c0-18-03-bb-9f-94
 excluded-address 2001:10:4:11::1
 dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-VLAN21
 network-address 2001:10:4:21::1 64
 static-binding 2001:10:4:21::9 98-0e-24-ab-83-f1
 excluded-address 2001:10:4:21::1
 dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-VLAN130
 network-address 2001:10:4:130::1 64
 static-binding 2001:10:4:130::9 00-03-0f-d9-cd-c0
 excluded-address 2001:10:4:130::1
 dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-VLAN140
 network-address 2001:10:4:140::1 64
 excluded-address 2001:10:4:140::1
 dns-server 2400:3200::1
!
ipv6 dhcp pool POOLv6-VLAN150
 network-address 2001:10:4:150::1 64
 excluded-address 2001:10:4:150::1
 dns-server 2400:3200::1
!

5. Run OSPFv2 and OSPFv3 among SW1, SW2, SW3, the RT1 Ethernet links, the RT2 Ethernet links, FW1, FW2 and AC1 (in router mode advertise networks by network address, in ascending IP order. Each prefix-list starts at sequence 5 and increments by 5 in ascending IP order; route-map sequences start at 10 and increment by 10, and each route-map has the same name as its prefix-list. Each ACL starts at sequence 10 and increments by 10 in ascending IP order).
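The numbering rules above are easy to get wrong by hand across a dozen lists, so here is an added example (not part of the original page) that emits prefix-list, route-map and standard ACL entries in the switch syntax used on this page and checks an existing list against the rules; the sample names and prefixes are taken from the task, and the CLI format of the route-map entries follows the page's SW3 configuration.

```python
import ipaddress
import re

PREFIX_SEQ_START, PREFIX_SEQ_STEP = 5, 5
ROUTEMAP_SEQ_START, ROUTEMAP_SEQ_STEP = 10, 10
ACL_SEQ_START, ACL_SEQ_STEP = 10, 10

_PREFIX_LINE = re.compile(r"^(ip|ipv6) prefix-list (\S+) seq (\d+) permit (\S+)$")


def sort_prefixes(prefixes):
    """Ascending by network address; host bits in the input are normalised away."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return sorted(nets, key=lambda n: (n.version, n.network_address, n.prefixlen))


def prefix_list_lines(name, prefixes):
    """'ip|ipv6 prefix-list NAME seq N permit P' with N = 5, 10, 15, ... in IP order."""
    nets = sort_prefixes(prefixes)
    if len({n.version for n in nets}) != 1:
        raise ValueError("a prefix-list holds exactly one address family")
    kw = "ip" if nets[0].version == 4 else "ipv6"
    return [
        f"{kw} prefix-list {name} seq {PREFIX_SEQ_START + i * PREFIX_SEQ_STEP} permit {n}"
        for i, n in enumerate(nets)
    ]


def route_map_lines(name, family=4):
    """Entry 10 matches the prefix-list of the same name; a bare entry 20 permits the rest."""
    kw = "ip" if family == 4 else "ipv6"
    return [
        f"route-map {name} permit {ROUTEMAP_SEQ_START}",
        f" match {kw} address prefix-list {name}",
        "!",
        f"route-map {name} permit {ROUTEMAP_SEQ_START + ROUTEMAP_SEQ_STEP}",
    ]


def acl_lines(name, addresses):
    """Standard ACL with host entries numbered 10, 20, ... in ascending address order."""
    hosts = sorted(ipaddress.ip_address(a) for a in addresses)
    return [f"ip access-list standard {name}"] + [
        f" permit {h} 255.255.255.255 sequence {ACL_SEQ_START + i * ACL_SEQ_STEP}"
        for i, h in enumerate(hosts)
    ]


def check_prefix_lists(config_lines):
    """Report prefix-lists in existing config that break the sequence or ordering rule."""
    lists = {}
    for line in config_lines:
        m = _PREFIX_LINE.match(line.strip())
        if m:
            lists.setdefault(m.group(2), []).append((int(m.group(3)), m.group(4)))
    problems = []
    for name, entries in lists.items():
        entries.sort(key=lambda e: e[0])  # in configured sequence order
        seqs = [s for s, _ in entries]
        want = [PREFIX_SEQ_START + i * PREFIX_SEQ_STEP for i in range(len(entries))]
        if seqs != want:
            problems.append(f"{name}: sequence numbers {seqs}, expected {want}")
        nets = [ipaddress.ip_network(p, strict=False) for _, p in entries]
        if nets != sort_prefixes(str(n) for n in nets):
            problems.append(f"{name}: entries are not in ascending IP order")
    return problems
```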

Among SW1, SW2, SW3, RT1, RT2 and FW1 run OSPFv2 and OSPFv3, process 1, area 0, each advertising its Loopback1 route and the product routes; FW1 originates a type 1 default route.
SW1

router ospf 1
 ospf router-id 10.4.1.1
 network 10.4.1.1/32 area 0
 network 10.4.11.0/24 area 0
 network 10.4.255.0/30 area 0
 network 10.4.255.4/30 area 0
 network 10.4.255.12/30 area 0
!
router ipv6 ospf 1
 router-id 10.4.1.1
!
interface Loopback1
 ipv6 router ospf area 0 tag 1
!
interface Vlan1019
 ipv6 router ospf area 0 tag 1
!
interface Vlan1020
 ipv6 router ospf area 0 tag 1
!
interface Vlan1023
 ipv6 router ospf area 0 tag 1
!
interface Vlan11
 ipv6 router ospf area 0 tag 1
!

SW2

router ospf 1
 ospf router-id 10.4.2.1
 network 10.4.2.1/32 area 0
 network 10.4.21.0/24 area 0
 network 10.4.255.0/30 area 0
 network 10.4.255.8/30 area 0
 network 10.4.255.20/30 area 0
!
router ipv6 ospf 1
 router-id 10.4.2.1
!
interface Loopback1
 ipv6 router ospf area 0 tag 1
!
interface Vlan1019
 ipv6 router ospf area 0 tag 1
!         
interface Vlan1020
 ipv6 router ospf area 0 tag 1
!
interface Vlan1023
 ipv6 router ospf area 0 tag 1
!
interface Vlan21
 ipv6 router ospf area 0 tag 1
!

SW3

router ospf 1
 ospf router-id 10.4.3.1
 network 10.4.3.1/32 area 0
 network 10.4.31.0/24 area 0
 network 10.4.255.4/30 area 0
 network 10.4.255.8/30 area 0
!
router ipv6 ospf 1
 router-id 10.4.3.1
!
interface Loopback1
 ipv6 router ospf area 0 tag 1
!
interface Vlan1019
 ipv6 router ospf area 0 tag 1
!
interface Vlan1020
 ipv6 router ospf area 0 tag 1
!
interface Vlan31
 ipv6 router ospf area 0 tag 1
!

RT1

router ospf 1
 router-id 10.4.5.1
 network 10.4.5.1 255.255.255.255 area 0
 network 10.4.255.32 255.255.255.252 area 0
 network 10.4.255.16 255.255.255.252 area 0
 network 10.4.255.20 255.255.255.252 area 0
!
router ospfv3 1
 router-id 10.4.5.1
!
interface Loopback1
 ipv6 enable
 ipv6 ospf 1 area 0 
!
interface GigaEthernet0/0
 ipv6 enable
 ipv6 ospf 1 area 0 
!
interface GigaEthernet0/1
 ipv6 enable
 ipv6 ospf 1 area 0 
!
interface GigaEthernet0/2
 ipv6 enable
 ipv6 ospf 1 area 0 
!

RT2

router ospf 1
 router-id 10.4.6.1
 network 10.4.6.1 255.255.255.255 area 0
 network 10.4.255.32 255.255.255.252 area 0
!
router ospfv3 1
 router-id 10.4.6.1
!
interface Loopback1
 ipv6 enable
 ipv6 ospf 1 area 0 
!
interface GigaEthernet0/0
 ipv6 enable
 ipv6 ospf 1 area 0 
!

FW1

ip vrouter "trust-vr"
  router ospf 1
    router-id 10.4.7.1
    default-information originate type 1
    network 10.4.7.1/32 area 0
    network 10.4.255.12/30 area 0
    network 10.4.255.16/30 area 0
  exit
  ipv6 router ospf 1
    router-id 10.4.7.1
  exit
exit
interface loopback1
  ipv6 enable
  ipv6 ospf 1 area 0
exit
interface ethernet0/1
  ipv6 enable
  ipv6 ospf 1 area 0
exit
interface ethernet0/2
  ipv6 enable
  ipv6 ospf 1 area 0
exit
Between RT2 and AC1 run OSPFv2, process 1, area 1 nssa no-summary; AC1 advertises its Loopback1 route and the management, product and marketing routes, and redistributes Loopback3 through a prefix-list named AC1-Loopback3-IPv4.
Between RT2 and AC1 run OSPFv3, process 1, area 1 stub no-summary; AC1 advertises its Loopback1 route and the management, product and marketing routes.
RT2

router ospf 1
 network 10.4.255.44 255.255.255.252 area 1
 area 1 nssa no-summary
!
router ospfv3 1
 area 1 stub no-summary
!
interface GigaEthernet0/1
 ipv6 enable
 ipv6 ospf 1 area 1 
!

AC1

ip prefix-list AC1-Loopback3-IPv4 seq 5 permit 10.4.4.3/32
!
route-map AC1-Loopback3-IPv4 permit 10
 match ip address prefix-list AC1-Loopback3-IPv4
!
router ospf 1
 ospf router-id 10.4.4.1
 area 1 nssa no-summary
 network 10.4.4.1/32 area 1
 network 10.4.130.0/24 area 1
 network 10.4.140.0/24 area 1
 network 10.4.150.0/24 area 1
 network 10.4.255.44/30 area 1
 redistribute connected route-map AC1-Loopback3-IPv4
!
router ipv6 ospf 1
 router-id 10.4.4.1
 area 1 stub no-summary
!
interface Loopback1
 ipv6 router ospf area 1 tag 1
!
interface Vlan1001
 ipv6 router ospf area 1 tag 1
!
interface Vlan130
 ipv6 router ospf area 1 tag 1
!
interface Vlan140
 ipv6 router ospf area 1 tag 1
!
interface Vlan150
 ipv6 router ospf area 1 tag 1
!

Among RT1, FW2 and the SW3 simulated office run OSPFv2 and OSPFv3, process 2, area 2. The SW3 simulated office advertises Loopback2 and the product and marketing routes. FW2 advertises its Loopback1 route. RT1 advertises its Loopback4 route and originates a type 1 default route into this area; RT1 uses prefix-lists to match the SW3 office Loopback2 and product routes and the FW2 Loopback1 route (prefix-lists SW3-FW2-IPv4 and SW3-FW2-IPv6) and the directly connected RT1-FW2 IPv4 route (prefix-list RT1-FW2-IPv4), and redistributes these routes into process 1.

SW3 (Office instance)

router ospf 2 vrf Office
 ospf router-id 10.4.3.2
 network 10.4.3.2/32 area 2
 network 10.4.110.0/24 area 2
 network 10.4.120.0/24 area 2
 network 10.4.255.28/30 area 2
!
router ipv6 ospf 2 vrf Office
 router-id 10.4.3.2
!
interface Loopback2
 ip vrf forwarding Office
 ipv6 address 2001:10:4:3::2/128
 ipv6 router ospf area 2 tag 2
 ip address 10.4.3.2 255.255.255.255
!
interface Vlan1015
 ip vrf forwarding Office
 ipv6 router ospf area 2 tag 2
 ip address 10.4.255.30 255.255.255.252
!
interface Vlan110
 ip vrf forwarding Office
 ipv6 address 2001:10:4:110::1/64
 ipv6 router ospf area 2 tag 2
 ip address 10.4.110.1 255.255.255.0
!
interface Vlan120
 ip vrf forwarding Office
 ipv6 address 2001:10:4:120::1/64
 ipv6 router ospf area 2 tag 2
 ip address 10.4.120.1 255.255.255.0
!

FW2

ip vrouter "trust-vr"
  router ospf 2
    router-id 10.4.8.1
    network 10.4.8.1/32 area 2
    network 10.4.255.24/30 area 2
    network 10.4.255.28/30 area 2
  exit
  ipv6 router ospf 2
    router-id 10.4.8.1
  exit
exit
interface loopback1
  zone  "trust"
  ipv6 enable
  ipv6 ospf 2 area 2
exit
interface ethernet0/1
  zone  "dmz"
  ipv6 enable
  ipv6 ospf 2 area 2
exit
interface ethernet0/2
  zone  "trust"
  ipv6 enable
  ipv6 ospf 2 area 2
exit

RT1

ip route default Null0  // a blackhole default route is required here, otherwise no OSPF default route is generated

route-map SW3-FW2-IPv6 10 permit
 match ipv6 address prefix-list SW3-FW2-IPv6
!
route-map SW3-FW2-IPv4 10 permit
 match ip address prefix-list SW3-FW2-IPv4
!
ip prefix-list SW3-FW2-IPv4 seq 5 permit 10.4.3.2/32
ip prefix-list SW3-FW2-IPv4 seq 10 permit 10.4.255.24/30
!
ipv6 prefix-list SW3-FW2-IPv6 seq 5 permit 2001:10:4:3::2/128
ipv6 prefix-list SW3-FW2-IPv6 seq 10 permit 2001:10:4:110::/64
!
router ospf 2
 router-id 10.4.5.4
 network 10.4.5.4 255.255.255.255 area 2
 network 10.4.255.24 255.255.255.252 area 2
 redistribute ospf 1
 default-information originate metric-type 1
!
router ospfv3 2
 router-id 10.4.5.4
 redistribute ospf 1
 default-information originate metric-type 1
!
router ospf 1
 redistribute ospf 2 route-map SW3-FW2-IPv4
!
router ospfv3 1
 redistribute ospf 2 route-map SW3-FW2-IPv6
!

6. Run RIP and RIPng among the RT1 serial links, the RT2 serial links, FW1 and AC1, each advertising its Loopback2 route (FW1's RIPng advertises by interface name). RT1 applies a routing policy with an offset value of 3 so that RT1/S1/0-RT2/S1/1 is the primary link and RT1/S1/1-RT2/S1/0 the backup link; the IPv4 ACL is named ACL-RIP-IPv4 and the IPv6 ACL ACL-RIP-IPv6. RT1 S1/0 and RT2 S1/1 use two-way CHAP authentication, with the username being the peer device's name and the password Key-1122.

Bring up the serial links

RT1

aaa authentication login default none
aaa authentication enable default none  // no login authentication
aaa authentication ppp default local  // PPP authenticates against the local user database
!
username RT2 password 0 Key-1122
!
interface Serial1/0
 ip address 10.4.255.37 255.255.255.252
 encapsulation ppp
 ppp authentication chap 
 ppp chap hostname RT1
 ppp chap password 0 Key-1122
 physical-layer speed 2048000
 ipv6 enable
!
interface Serial1/1
 ip address 10.4.255.41 255.255.255.252
 encapsulation ppp
 ipv6 enable
!

RT2

aaa authentication login default none
aaa authentication enable default none
aaa authentication ppp default local
!
username RT1 password 0 Key-1122
!
interface Serial1/0
 ip address 10.4.255.42 255.255.255.252
 encapsulation ppp
 ppp authentication chap 
 ppp chap hostname RT2
 ppp chap password 0 Key-1122
 physical-layer speed 2048000
 ipv6 enable
!
interface Serial1/1
 ip address 10.4.255.38 255.255.255.252
 encapsulation ppp
 ipv6 enable
!
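Why each router holds a `username` entry named after its peer becomes clear when both directions of the CHAP exchange are written out. The following added example (not code from the page or the vendor) models the S1/0-to-S1/1 link: each side challenges, the peer answers with MD5(Identifier || secret || challenge) and its own `ppp chap hostname` in the Name field, and the challenger looks that name up in its local user table; challenge values are constructed with os.urandom rather than captured from a real link.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

SECRET = "Key-1122"  # 'ppp chap password 0 Key-1122' on both routers


def chap_digest(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5 over Identifier, shared secret and Challenge Value."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


@dataclass
class Router:
    hostname: str                                  # 'ppp chap hostname', sent as the Name field
    users: dict = field(default_factory=dict)      # 'username <peer> password ...' entries
    chap_secret: str = SECRET                      # password used when this router is challenged
    next_id: int = 1

    def make_challenge(self) -> tuple:
        ident, self.next_id = self.next_id, (self.next_id + 1) & 0xFF
        return ident, os.urandom(16)               # constructed challenge, 16 random bytes

    def respond(self, ident: int, challenge: bytes) -> tuple:
        """Answer a Challenge with our hostname and the digest of our own secret."""
        return self.hostname, chap_digest(ident, self.chap_secret, challenge)

    def verify(self, ident: int, challenge: bytes, name: str, digest: bytes) -> bool:
        """Success only if the peer's Name is a local user and its digest matches."""
        secret = self.users.get(name)
        if secret is None:                         # unknown peer name: Failure
            return False
        return hmac.compare_digest(chap_digest(ident, secret, challenge), digest)


def authenticate(challenger: Router, peer: Router) -> bool:
    """One direction of CHAP: Challenge -> Response -> Success/Failure."""
    ident, challenge = challenger.make_challenge()
    name, digest = peer.respond(ident, challenge)
    return challenger.verify(ident, challenge, name, digest)


def mutual_authenticate(a: Router, b: Router) -> bool:
    """'ppp authentication chap' on both ends: the link is up only if each side accepts the other."""
    return authenticate(a, b) and authenticate(b, a)


def page_routers() -> tuple:
    """RT1 and RT2 as configured on the page: each knows the other's name with the shared password."""
    rt1 = Router("RT1", users={"RT2": SECRET})
    rt2 = Router("RT2", users={"RT1": SECRET})
    return rt1, rt2
```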

RIP

RT1

ip access-list standard ACL-RIP-IPv4
 permit any  sequence 10
!
ipv6 access-list ACL-RIP-IPv6
 permit ipv6 any any sequence 10
!
router rip 1 
 offset Serial1/1 in ACL-RIP-IPv4 3 
 offset Serial1/1 out ACL-RIP-IPv4 3 
!
router ripng 1
 offset Serial1/1 in ACL-RIP-IPv6 3 
 offset Serial1/1 out ACL-RIP-IPv6 3 
!
interface Loopback2
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!
interface GigaEthernet0/1
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!
interface Serial1/0
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!
interface Serial1/1
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable
!

RT2

router rip 1 
!
router ripng 1
!
interface Loopback2
 ip address 10.4.6.2 255.255.255.255
 ipv6 enable
 ipv6 address 2001:10:4:6::2/128
 ip rip 1 enable
 ipv6 rip 1 enable
!
interface GigaEthernet0/1
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!
interface Serial1/0
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!
interface Serial1/1
 ipv6 enable
 ip rip 1 enable
 ipv6 rip 1 enable 
!

AC1

router rip
 network 10.4.4.2/32
 network 10.4.255.44/30
!
router ipv6 rip
!    
interface Loopback2
 ipv6 router rip 
!         
interface Vlan1001
 ipv6 router rip 
!

7. Run IS-IS among the RT1 Ethernet link (physical rate 2048000), the RT2 Ethernet link and FW1, instance 1, providing IPv4 and IPv6 reachability between the Loopback3 addresses. The NETs of RT1, RT2 and FW1 are 10.0000.0000.0005.00, 10.0000.0000.0006.00 and 10.0000.0000.0007.00; the router type is Level-2 and the network type of the interconnect interfaces is point-to-point.

RT1

router isis 1
 is-type level-2
 net 10.0000.0000.0005.00
!
interface Loopback3
 ipv6 enable
 ip router isis 1 
 ipv6 router isis 1
!
interface GigaEthernet0/0
 ipv6 enable
 ip router isis 1 
 ipv6 router isis 1
 isis network point-to-point
 isis circuit-type level-2
!
interface GigaEthernet0/1
 ipv6 enable
 ip router isis 1 
 ipv6 router isis 1
 isis network point-to-point
 isis circuit-type level-2
!

FW1

ip vrouter "trust-vr"
  router isis
    net 10.0000.0000.0007.00
    is-type level-2-only
  exit
exit
interface loopback3
  ipv6 enable
  isis enable
  isis ipv6 enable
exit
interface ethernet0/2
  ipv6 enable
  isis enable
  isis circuit-type level-2-only
  isis network point-to-point
  isis ipv6 enable
exit

RT2

router isis 1
 is-type level-2
 net 10.0000.0000.0006.00
!
interface Loopback3
 ipv6 enable
 ip router isis 1 
 ipv6 router isis 1
!
interface GigaEthernet0/0
 ipv6 enable
 ip router isis 1 
 ipv6 router isis 1
 isis network point-to-point
 isis circuit-type level-2
!

8. Run BGP among SW1, SW2, SW3, RT1 and RT2: SW1, SW2 and RT1 are in AS 65001, RT2 in AS 65002 and SW3 in AS 65003.

SW1, SW2, SW3, RT1 and RT2 establish IPv4 and IPv6 BGP neighbours via Loopback1.
The finance instances on SW1 and SW2 establish IPv4 and IPv6 BGP neighbours via Loopback2. Loopback2 IPv4 reachability between SW1 and SW2 uses static routes; IPv6 reachability uses OSPFv3, process 2, area 2.
SW1, SW2 and SW3 each advertise only the marketing, legal, HR and finance IPv4 and IPv6 routes; RT1 advertises the office marketing IPv4 and IPv6 routes into BGP; RT2 advertises the branch marketing IPv4 and IPv6 routes into BGP.
SW1

router bgp 65001

 network 10.4.12.0/24
 network 10.4.13.0/24
 network 10.4.15.0/24
 
 neighbor 10.4.2.1 remote-as 65001
 neighbor 10.4.2.1 update-source Loopback1
 neighbor 10.4.2.1 next-hop-self
 
 neighbor 10.4.3.1 remote-as 65003
 neighbor 10.4.3.1 ebgp-multihop 255
 neighbor 10.4.3.1 update-source Loopback1
 
 neighbor 2001:10:4:2::1 remote-as 65001
 neighbor 2001:10:4:2::1 update-source Loopback1
 no neighbor 2001:10:4:2::1 activate
 
 neighbor 2001:10:4:3::1 remote-as 65003
 neighbor 2001:10:4:3::1 ebgp-multihop 255
 neighbor 2001:10:4:3::1 update-source Loopback1
 no neighbor 2001:10:4:3::1 activate
 
 address-family ipv6 unicast
 
 network 2001:10:4:12::/64
 network 2001:10:4:13::/64
 network 2001:10:4:15::/64
 
 neighbor 2001:10:4:2::1 activate
 neighbor 2001:10:4:3::1 activate
 
 exit-address-family
 
 address-family ipv4 vrf Finance
 network 10.4.14.0/24
 neighbor 10.4.2.2 remote-as 65001
 exit-address-family
!
ip route vrf Finance 10.4.2.2/32 10.4.255.2
!

router ipv6 ospf 2 vrf Finance
 router-id 10.4.1.2
!
interface Loopback2
 ip vrf forwarding Finance
 ipv6 router ospf area 2 tag 2
! 
interface Vlan1024
 ip vrf forwarding Finance
 ipv6 router ospf area 2 tag 2
!

SW2

router bgp 65001

 network 10.4.22.0/24
 network 10.4.23.0/24
 network 10.4.25.0/24
 
 neighbor 10.4.1.1 remote-as 65001
 neighbor 10.4.1.1 update-source Loopback1
 neighbor 10.4.1.1 next-hop-self
 
 neighbor 10.4.3.1 remote-as 65003
 neighbor 10.4.3.1 ebgp-multihop 255
 neighbor 10.4.3.1 update-source Loopback1
 
 neighbor 10.4.5.1 remote-as 65001
 neighbor 10.4.5.1 update-source Loopback1
 neighbor 10.4.5.1 next-hop-self
 
 neighbor 2001:10:4:1::1 remote-as 65001
 neighbor 2001:10:4:1::1 update-source Loopback1
 no neighbor 2001:10:4:1::1 activate
 
 neighbor 2001:10:4:3::1 remote-as 65003
 neighbor 2001:10:4:3::1 ebgp-multihop 255
 neighbor 2001:10:4:3::1 update-source Loopback1
 no neighbor 2001:10:4:3::1 activate
 
 neighbor 2001:10:4:5::1 remote-as 65001
 neighbor 2001:10:4:5::1 update-source Loopback1
 no neighbor 2001:10:4:5::1 activate
 
 address-family ipv6 unicast
 
 network 2001:10:4:22::/64
 network 2001:10:4:23::/64
 network 2001:10:4:25::/64
 
 neighbor 2001:10:4:1::1 activate
 neighbor 2001:10:4:3::1 activate
 neighbor 2001:10:4:5::1 activate
 
 exit-address-family
 
 address-family ipv4 vrf Finance
 network 10.4.24.0/24
 neighbor 10.4.1.2 remote-as 65001
 exit-address-family
!
ip route vrf Finance 10.4.1.2/32 10.4.255.1
!

router ipv6 ospf 2 vrf Finance
 router-id 10.4.2.2
!
interface Loopback2
 ip vrf forwarding Finance
 ipv6 router ospf area 2 tag 2
! 
interface Vlan1024
 ip vrf forwarding Finance
 ipv6 router ospf area 2 tag 2
!

SW3

router bgp 65003
 network 10.4.32.0/24
 network 10.4.33.0/24
 network 10.4.35.0/24
 
 neighbor 10.4.1.1 remote-as 65001
 neighbor 10.4.1.1 ebgp-multihop 255
 neighbor 10.4.1.1 update-source Loopback1
 
 neighbor 10.4.2.1 remote-as 65001
 neighbor 10.4.2.1 ebgp-multihop 255
 neighbor 10.4.2.1 update-source Loopback1
 
 neighbor 2001:10:4:1::1 remote-as 65001
 neighbor 2001:10:4:1::1 ebgp-multihop 255
 neighbor 2001:10:4:1::1 update-source Loopback1
 no neighbor 2001:10:4:1::1 activate
 
 neighbor 2001:10:4:2::1 remote-as 65001
 neighbor 2001:10:4:2::1 ebgp-multihop 255
 neighbor 2001:10:4:2::1 update-source Loopback1
 no neighbor 2001:10:4:2::1 activate
 
 address-family ipv6 unicast
 
 network 2001:10:4:32::/64
 network 2001:10:4:33::/64
 network 2001:10:4:35::/64
 
 neighbor 2001:10:4:1::1 activate
 neighbor 2001:10:4:2::1 activate
 
 exit-address-family
!

RT1

router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 
 network 10.4.110.0/24
 
 neighbor 10.4.2.1 remote-as 65001 
 neighbor 10.4.2.1 update-source Loopback1
 neighbor 10.4.2.1 next-hop-self
 
 neighbor 10.4.6.1 remote-as 65002 
 neighbor 10.4.6.1 ebgp-multihop 255
 neighbor 10.4.6.1 update-source Loopback1
 
 neighbor 2001:10:4:2::1 remote-as 65001 
 neighbor 2001:10:4:2::1 update-source Loopback1
 no neighbor 2001:10:4:2::1 activate
 
 neighbor 2001:10:4:6::1 remote-as 65002 
 neighbor 2001:10:4:6::1 ebgp-multihop 255
 neighbor 2001:10:4:6::1 update-source Loopback1
 no neighbor 2001:10:4:6::1 activate

 address-family ipv6
 no synchronization
 
 network 2001:10:4:110::/64
 
 neighbor 2001:10:4:2::1 activate
 neighbor 2001:10:4:6::1 activate
 
 exit-address-family

!

RT2

router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 
 neighbor 10.4.5.1 remote-as 65001 
 neighbor 10.4.5.1 ebgp-multihop 255
 neighbor 10.4.5.1 update-source Loopback1
 
 neighbor 2001:10:4:5::1 remote-as 65001 
 neighbor 2001:10:4:5::1 ebgp-multihop 255
 neighbor 2001:10:4:5::1 update-source Loopback1
 no neighbor 2001:10:4:5::1 activate

 address-family ipv6
 no synchronization
 neighbor 2001:10:4:5::1 activate
 exit-address-family

!

Traffic between SW3 marketing and SW1/SW2 marketing (IPv4 and IPv6) is preferably forwarded over the SW1-SW3 link; traffic between SW3 legal and HR and SW1/SW2 legal and HR (IPv4 and IPv6) is preferably forwarded over the SW2-SW3 link, with the primary and backup links backing each other up. On SW3, use prefix-lists, route-maps and BGP path attributes for path selection, adding AS 65000. (The prefix-lists for the SW1 and SW2 marketing routes are named SW1-SW2-YX-IPv4 and SW1-SW2-YX-IPv6, and for the legal and HR routes SW1-SW2-FWRL-IPv4 and SW1-SW2-FWRL-IPv6; the prefix-lists for the SW3 marketing routes are named SW3-YX-IPv4 and SW3-YX-IPv6, and for the legal and HR routes SW3-FWRL-IPv4 and SW3-FWRL-IPv6.)

SW3

ip prefix-list SW1-SW2-FWRL-IPv4 seq 5 permit 10.4.13.0/24
ip prefix-list SW1-SW2-FWRL-IPv4 seq 10 permit 10.4.15.0/24
ip prefix-list SW1-SW2-FWRL-IPv4 seq 15 permit 10.4.23.0/24
ip prefix-list SW1-SW2-FWRL-IPv4 seq 20 permit 10.4.25.0/24
ip prefix-list SW1-SW2-YX-IPv4 seq 5 permit 10.4.12.0/24
ip prefix-list SW1-SW2-YX-IPv4 seq 10 permit 10.4.22.0/24
ip prefix-list SW3-FWRL-IPv4 seq 5 permit 10.4.33.0/24
ip prefix-list SW3-FWRL-IPv4 seq 10 permit 10.4.35.0/24
ip prefix-list SW3-YX-IPv4 seq 5 permit 10.4.32.0/24
!
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 5 permit 2001:10:4:13::/64
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 10 permit 2001:10:4:15::/64
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 15 permit 2001:10:4:23::/64
ipv6 prefix-list SW1-SW2-FWRL-IPv6 seq 20 permit 2001:10:4:25::/64
ipv6 prefix-list SW1-SW2-YX-IPv6 seq 5 permit 2001:10:4:12::/64
ipv6 prefix-list SW1-SW2-YX-IPv6 seq 10 permit 2001:10:4:22::/64
ipv6 prefix-list SW3-FWRL-IPv6 seq 5 permit 2001:10:4:33::/64
ipv6 prefix-list SW3-FWRL-IPv6 seq 10 permit 2001:10:4:35::/64
ipv6 prefix-list SW3-YX-IPv6 seq 5 permit 2001:10:4:32::/64
!

route-map SW1-SW2-YX-IPv4 permit 10
 match ip address prefix-list SW1-SW2-YX-IPv4
 set as-path prepend 65000
 set ip next-hop 10.4.1.1
!
route-map SW1-SW2-YX-IPv4 permit 20
!
route-map SW1-SW2-FWRL-IPv4 permit 10
 match ip address prefix-list SW1-SW2-FWRL-IPv4
 set as-path prepend 65000
 set ip next-hop 10.4.2.1
!
route-map SW1-SW2-FWRL-IPv4 permit 20
!
route-map SW3-FWRL-IPv4 permit 10
 match ip address prefix-list SW3-FWRL-IPv4
 set as-path prepend 65000
 set ip next-hop 10.4.2.1
!
route-map SW3-FWRL-IPv4 permit 20
!
route-map SW3-YX-IPv4 permit 10
 match ip address prefix-list SW3-YX-IPv4
 set as-path prepend 65000
 set ip next-hop 10.4.1.1
!
route-map SW3-YX-IPv4 permit 20
!
route-map SW1-SW2-YX-IPv6 permit 10
 match ipv6 address prefix-list SW1-SW2-YX-IPv6
 set as-path prepend 65000
 set ipv6 next-hop 2001:10:4:1::1
!
route-map SW1-SW2-YX-IPv6 permit 20
!
route-map SW1-SW2-FWRL-IPv6 permit 10
 match ipv6 address prefix-list SW1-SW2-FWRL-IPv6
 set as-path prepend 65000
 set ipv6 next-hop 2001:10:4:2::1
!
route-map SW1-SW2-FWRL-IPv6 permit 20
!
route-map SW3-FWRL-IPv6 permit 10
 match ipv6 address prefix-list SW3-FWRL-IPv6
 set as-path prepend 65000
 set ipv6 next-hop 2001:10:4:2::1
!
route-map SW3-FWRL-IPv6 permit 20
!
route-map SW3-YX-IPv6 permit 10
 match ipv6 address prefix-list SW3-YX-IPv6
 set as-path prepend 65000
 set ipv6 next-hop 2001:10:4:1::1
!         
route-map SW3-YX-IPv6 permit 20
!

router bgp 65003

 neighbor 10.4.1.1 route-map SW1-SW2-FWRL-IPv4 in
 neighbor 10.4.1.1 route-map SW3-FWRL-IPv4 out

 neighbor 10.4.2.1 route-map SW1-SW2-YX-IPv4 in
 neighbor 10.4.2.1 route-map SW3-YX-IPv4 out

 address-family ipv6 unicast
 
 neighbor 2001:10:4:1::1 route-map SW1-SW2-FWRL-IPv6 in
 neighbor 2001:10:4:1::1 route-map SW3-FWRL-IPv6 out
 
 neighbor 2001:10:4:2::1 route-map SW1-SW2-YX-IPv6 in
 neighbor 2001:10:4:2::1 route-map SW3-YX-IPv6 out
 exit-address-family
!
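SW3 learns every SW1/SW2 prefix twice, from SW1 (10.4.1.1) and from SW2 (10.4.2.1), both with AS path 65001, so without the route-maps the tie would fall to the lowest neighbour address for everything. The following added example (not code from the page) applies the inbound prefix-lists and the AS 65000 prepend from the SW3 configuration above and runs a reduced BGP decision (local-pref, AS-path length, lowest neighbour address) to show which link each prefix ends up on; the `set ip next-hop` lines are not modelled.

```python
import ipaddress
from dataclasses import dataclass

SW1, SW2 = "10.4.1.1", "10.4.2.1"
PREPEND_AS = 65000

# IPv4 prefix-lists from the SW3 configuration; entries are compared as networks.
PREFIX_LISTS = {
    "SW1-SW2-YX-IPv4": ["10.4.12.0/24", "10.4.22.0/24"],
    "SW1-SW2-FWRL-IPv4": ["10.4.13.0/24", "10.4.15.0/24", "10.4.23.0/24", "10.4.25.0/24"],
}
# Inbound route-map per neighbour: entry 10 matches the list and prepends, entry 20 permits the rest.
INBOUND_ROUTE_MAP = {SW1: "SW1-SW2-FWRL-IPv4", SW2: "SW1-SW2-YX-IPv4"}


@dataclass(frozen=True)
class Path:
    prefix: str
    neighbor: str
    as_path: tuple
    local_pref: int = 100


def prefix_list_matches(name: str, prefix: str) -> bool:
    net = ipaddress.ip_network(prefix, strict=False)
    return any(ipaddress.ip_network(p, strict=False) == net for p in PREFIX_LISTS[name])


def apply_inbound(path: Path) -> Path:
    """'set as-path prepend 65000' on the copies that should lose the comparison."""
    if prefix_list_matches(INBOUND_ROUTE_MAP[path.neighbor], path.prefix):
        return Path(path.prefix, path.neighbor, (PREPEND_AS,) + path.as_path, path.local_pref)
    return path


def best_path(paths):
    """Reduced decision process: highest local-pref, shortest AS path, then lowest neighbour address."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), ipaddress.ip_address(p.neighbor)))


def _received(prefix: str):
    # Both SW1 and SW2 are in AS 65001 and advertise the same prefix (constructed input).
    return [Path(prefix, SW1, (65001,)), Path(prefix, SW2, (65001,))]


def chosen_neighbor(prefix: str) -> str:
    """Which neighbour SW3 installs as best for a prefix advertised by both SW1 and SW2."""
    return best_path([apply_inbound(p) for p in _received(prefix)]).neighbor


def chosen_as_path(prefix: str) -> tuple:
    """AS path of the winning copy (the loser carries the 65000 prepend)."""
    return best_path([apply_inbound(p) for p in _received(prefix)]).as_path
```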

9. Using BGP MPLS VPN, run Multiprotocol Label Switching and the Label Distribution Protocol on the Ethernet link between RT1 and RT2. Create a finance VPN instance named Finance on RT1 and RT2; RT1 has RD 1:1, export RT 1:2 and import RT 2:1, and RT2 has RD 2:2. Establish the VPN neighbour via the Loopback1 addresses at both ends, and provide IPv4 and IPv6 reachability between the two Loopback5 addresses.

RT1

ipv6 unicast-routing
ipv6 vrf Finance
 rd 1:1
 route-target import 2:1
 route-target export 1:2
!
!
!
mpls ip
mpls ldp router-id 10.4.5.1
!
!
ip vrf Finance
 rd 1:1
 route-target export 1:2
 route-target import 2:1
!
interface Loopback1
 ipv6 enable
 mpls ip encapsulate 
!
interface Loopback5
 ip vrf forwarding Finance
 ip address 10.4.5.5 255.255.255.255
 ipv6 enable
 ipv6 address 2001:10:4:5::5/128
 ipv6 vrf forwarding Finance
 mpls ip encapsulate 
!
interface GigaEthernet0/0
 ipv6 enable
 mpls ip
 mpls ip encapsulate 
 mpls ldp enable
!

router bgp 65001

 address-family vpnv4
 neighbor 10.4.6.1 activate
 neighbor 10.4.6.1 send-community extended
 exit-address-family

 address-family vpnv6
 neighbor 2001:10:4:6::1 activate
 neighbor 2001:10:4:6::1 send-community extended
 exit-address-family
 
 address-family ipv4 vrf Finance
 no synchronization
 network 10.4.5.5/32
 exit-address-family
 
 address-family ipv6 vrf Finance
 no synchronization
 network 2001:10:4:5::5/128
 exit-address-family
!

RT2

ipv6 unicast-routing
ipv6 vrf Finance
 rd 2:2
 route-target import 1:2
 route-target export 2:1
!
!
!
mpls ip
mpls ldp router-id 10.4.6.1
!
!
ip vrf Finance
 rd 2:2
 route-target export 2:1
 route-target import 1:2
!
interface Loopback1
 ipv6 enable
 mpls ip encapsulate 
!
interface Loopback5
 ip vrf forwarding Finance
 ip address 10.4.6.5 255.255.255.255
 ipv6 enable
 ipv6 address 2001:10:4:6::5/128
 ipv6 vrf forwarding Finance
 mpls ip encapsulate 
!       
interface GigaEthernet0/0
 ipv6 enable
 mpls ip
 mpls ip encapsulate 
 mpls ldp enable
!
router bgp 65002
 
 address-family vpnv4
 neighbor 10.4.5.1 activate
 neighbor 10.4.5.1 send-community extended
 exit-address-family

 address-family vpnv6
 neighbor 2001:10:4:5::1 activate
 neighbor 2001:10:4:5::1 send-community extended
 exit-address-family
 
 address-family ipv4 vrf Finance
 no synchronization
 network 10.4.6.5/32
 exit-address-family
 
 address-family ipv6 vrf Finance
 no synchronization
 network 2001:10:4:6::5/128
 exit-address-family
!

10. Configure IPv4 NAT on RT2 with ACL name ACL-NAT so that AC1's IPv4 product segment reaches the Internet using the IPv4 address of RT2's external interface. Configure NAT64 on RT2 with ACL name ACL-NAT64 so that AC1's IPv6 product segment reaches the Internet using the IPv4 address of RT2's external interface; the IPv4-to-IPv6 address prefix is 64:ff9b::/96.

RT2

interface GigaEthernet0/1
 ip nat inside
!
interface GigaEthernet0/2
 ip nat outside
!
ip access-list standard ACL-NAT
 permit 10.4.140.1 255.255.255.255 sequence 10
!
ipv6 access-list ACL-NAT64
 permit ipv6 2001:10:4:140::/64 any sequence 10
!
ip nat inside source list ACL-NAT interface GigaEthernet0/2
!
ipv6 nat v6v4 source list ACL-NAT64 interface GigaEthernet0/2
ipv6 nat prefix 64:FF9B::/96 v4-mapped ACL-NAT64
!

(IV) Wireless deployment

1. The AC1 interface connected to AP1 allows only Vlan140 and Vlan150. AC1's Loopback1 IPv4 and IPv6 addresses serve as AC1's IPv4 and IPv6 management addresses. APs register automatically at Layer 2 and are authenticated by MAC address. Configure two SSIDs, SKILLS-2.4G and SKILLS-5G. SKILLS-2.4G maps to Vlan140, using Network 140 and radio1 (profile 1, mode n-only-g); users joining the wireless network must use WPA-personal encryption with password Key-1122, and the 2.4G signal is sent on the first available VAP. SKILLS-5G maps to Vlan150, using Network 150 and radio2 (profile 1, mode n-only-a), requires no authentication, hides the SSID, and sends the 5G signal on the last available VAP.

AC1

service dhcp
!
ip forward-protocol udp bootps
!
!         
!
!
!
service dhcpv6
!
interface Vlan130
 no ipv6 nd suppress-ra
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ip helper-address 10.4.2.1
 ipv6 dhcp relay destination 2001:10:4:2::1
!
interface Vlan140
 no ipv6 nd suppress-ra
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ip helper-address 10.4.2.1
 ipv6 dhcp relay destination 2001:10:4:2::1
!
interface Vlan150
 no ipv6 nd suppress-ra
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ip helper-address 10.4.2.1
 ipv6 dhcp relay destination 2001:10:4:2::1
!
no login
wireless
 ap authentication mac
 discovery ip-list 10.4.130.1
 discovery ipv6-list 2001:10:4:130::1
 discovery vlan-list 130
 static-ip  10.4.4.1
 static-ipv6  2001:10:4:4::1
 network 1
  device-finger enable
!
 network 2
!
 network 3
!
 network 4
!
 network 5
!
 network 6
!
 network 7
!
 network 8
!
 network 9
!
 network 10
!
 network 11
!
 network 12
!
 network 13
!
 network 14
!
 network 15
!
 network 16
!
 network 140
  security mode wpa-personal
  ssid SKILLS-2.4G
  wpa key encrypted 02ee7ad3f247f1845d18a798ec17abd797a22f75a0f6cb5e2c2804706125ef61c2140fd7205150769d49a0b7b9f374be1975498ce48aa688ad20960fef0af8ba  // the key is displayed in its encrypted form
!
 network 150
  hide-ssid
  ssid SKILLS-5G
!
 ap load-balance template 1
!
 ap air-match template 1
  air-match load-balance session
  air-match load-balance session 2
!
 ap profile 1
  channel-plan an time 05:00
  channel-plan bgn time 05:00
  air-match template 1
  radio 1
   mode n-only-g
   vap 0
    network 140
!
!
  radio 2
   mode n-only-a
   vap 0
!
   vap 15
    enable
    network 150
!
!
  radio 3
   vap 0
!
!
!
 ap database 00-03-0f-d9-cd-c0
!

(V) Security maintenance

1. Configure IPv4 NAT on FW1 with id 1, so that the group's product segment 1 IPv4 can access the Internet IPv4, translating to ip/mask 200.200.200.16/28 and ensuring that all sessions from one source IP are mapped to the same fixed IP address.

2. Configure NAT64 on FW1 with id 2, so that the group's product segment 1 IPv6 can access the Internet IPv4, translating to the outgoing interface IP, with IPv4-to-IPv6 address prefix 64:ff9b::/96.

3. The default policy action on FW1 and FW2 is deny; FW1 allows the group's product segment 1 IPv4 and IPv6 to access any Internet service. (The firewall's default action is deny.)

[Screenshots of the firewall configuration are not included.]

4. FW2 allows the office product IPv4 segment to access the HTTPS service of the group's product segment 1, and allows the group's product segments 1 and 2 to access the SW3 simulated office Loopback2 IPv4, FW2 Loopback1 IPv4 and the office product IPv4 segment.

[Screenshots of the firewall configuration are not included.]

5. FW1 and RT2 establish a GRE over IPsec VPN using their Internet interconnect addresses, providing encrypted access between the Loopback4 addresses. On RT2 the ACL is named ACL-VPN, the transform-set SET-1 and the crypto map MAP-1. On FW1 the isakmp proposal is named P-1, the isakmp peer PEER-1, the ipsec proposal P-2, the tunnel ipsec IPSEC-1 and the tunnel gre GRE-1.

SW3 (Internet instance)

ip route vrf Internet 0.0.0.0/0 200.200.200.2
ip route vrf Internet 0.0.0.0/0 200.200.200.6
!

RT2

ip route default 200.200.200.5 
!
ip access-list extended ACL-VPN
 permit gre 200.200.200.6 255.255.255.252 200.200.200.2 255.255.255.252 sequence 10
!
interface Tunnel4
 ip address 10.4.255.50 255.255.255.252
 tunnel source 200.200.200.6
 tunnel destination 200.200.200.2
!
crypto isakmp key 0 Key-1122 address 200.200.200.2 255.255.255.252 
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 lifetime 4000
!
crypto ipsec transform-set SET-1 esp-3des esp-md5-hmac
 mode transport
!
crypto map MAP-1 10 ipsec-isakmp
 match address ACL-VPN
 set peer 200.200.200.2
 set transform-set SET-1
!
interface GigaEthernet0/2
 ipv6 enable
 crypto map MAP-1
!
ip route 10.4.7.4 255.255.255.255 Tunnel4 
!

FW2

[Screenshots of the FW2 configuration are not included.]

FW1

tunnel gre "GRE-1"
  source 200.200.200.2
  destination 200.200.200.6
  interface ethernet0/3
  next-tunnel ipsec IPSEC-1
exit
interface tunnel4
  zone  "VPNHub"
  ip address 10.4.255.49 255.255.255.252
  manage ping
  tunnel gre "GRE-1" gw 10.4.255.50
exit
ip vrouter "trust-vr"
  ip route 0.0.0.0/0 200.200.200.1
  ip route 10.4.6.4/32 10.4.255.50
exit
Reposted from: https://blog.csdn.net/Iustinianu/article/details/141935234
Copyright belongs to the original author 浅见·莉莉丝. If this infringes your rights, please contact us for removal.