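The Road to HCIE
- 📻Lab Topology
- 📠Lab Tasks
- 📢Lab Walkthrough

📻Lab Topology

📠Lab Tasks
Exam requirements
Do not delete or add ports; complete the tasks strictly according to the topology.
Exam tasks
1. Layer 2 (16 points)
1.1 Link aggregation (2 points)
1. Configure link aggregation between S1 and S2 in manual load-balancing mode, load balancing on source and destination MAC addresses. (2 points)
📢Lab Walkthrough
Solution: configure an Eth-Trunk on S1 and on S2.
S1 configuration: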
interface Eth-Trunk12
mode manual load-balance
load-balance src-dst-mac
trunkport GigabitEthernet 0/0/23 0/0/24
S2 configuration:
int Eth-Trunk 12
mode manual load-balance
load-balance src-dst-mac
trunkport GigabitEthernet 0/0/23 0/0/24
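1.2 Link-type (7 points)
1. The links between S1, S2, S3 and S4 are of type Trunk and allow all VLANs except VLAN 1. (3 points)
Solution: create VLAN 10 and VLAN 20 on S1, S2, S3 and S4, configure the inter-switch links as Trunk, and allow all VLANs except VLAN 1.
S1 configuration: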
vlan batch 10 20
interface GigabitEthernet 0/0/1
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
interface Gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
interface GigabitEthernet 0/0/12
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
interface eth-trunk 12
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
S2 configuration:
vlan batch 10 20
interface GigabitEthernet 0/0/1
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
interface GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
interface GigabitEthernet 0/0/12
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
interface eth-trunk 12
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
S3 configuration:
vlan batch 10 20
interface GigabitEthernet 0/0/1
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
interface GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
interface Ethernet 0/0/1
port link-type access
port default vlan 10
S4 configuration:
vlan batch 10 20
interface GigabitEthernet 0/0/1
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
interface GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan all
undo port trunk allow-pass vlan 1
interface Ethernet 0/0/1
port link-type access
port default vlan 20
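2. The VRRP virtual IP address of CE1 and CE2, 10.3.1.254, is the gateway of PC1. CE1 periodically sends gratuitous ARP with sender IP 10.3.1.254 and source MAC 00-00-5E-00-01-01. Packets between PC1 and the gateway are encapsulated in VLAN 10 (PC1 sends and receives untagged frames).
3. The VRRP virtual IP address of CE1 and CE2, 10.3.2.254, is the gateway of Server1. CE2 periodically sends gratuitous ARP with sender IP 10.3.2.254 and source MAC 00-00-5E-00-01-02. Packets between Server1 and the gateway are encapsulated in VLAN 20 (Server1 sends and receives untagged frames).
4. When the VRRP master restarts, it may become master again only 1 minute after G0/0/2 comes up. (4 points)
Solution: configure VRRP on G0/0/2.10 and G0/0/2.20 of CE1. The interface addresses are preconfigured.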
interface GigabitEthernet0/0/2.10
vrrp vrid 1 virtual-ip 10.3.1.254
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 60
arp broadcast enable
interface GigabitEthernet0/0/2.20
vrrp vrid 2 virtual-ip 10.3.2.254
arp broadcast enable
Configure VRRP on G0/0/2.10 and G0/0/2.20 of CE2. The interface addresses are preconfigured.
interface GigabitEthernet0/0/2.10
vrrp vrid 1 virtual-ip 10.3.1.254
arp broadcast enable
interface GigabitEthernet0/0/2.20
vrrp vrid 2 virtual-ip 10.3.2.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 60
arp broadcast enable
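Use dis vrrp to check the state of the VRRP backup groups on CE1 and CE2: CE1 is Master for vrid 1 and Backup for vrid 2; CE2 is Master for vrid 2 and Backup for vrid 1. If not, finish the MSTP configuration and check again; if it is still wrong, check whether the Trunk interfaces are misconfigured.
1.3 MSTP (5 points)
1. S1, S2, S3 and S4 all run MSTP. VLAN 10 is in Instance 10, with S1 as Primary Root and S2 as Secondary Root; VLAN 20 is in Instance 20, with S2 as Primary Root and S1 as Secondary Root. The MSTP region name is HUAWEI and the revision level is 12. (3 points)
2. Apart from the inter-switch interfaces, all other interfaces must not take part in MSTP calculation and go directly from Disabled to Forwarding. (2 points)
Solution: configure MSTP on S1, S2, S3 and S4 as follows: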
stp region-configuration
region-name HUAWEI
revision-level 12
instance 10 vlan 10
instance 20 vlan 20
active region-configuration
On S1, configure the root bridge and backup root bridge for Instance 10 and Instance 20:
stp instance 10 root primary
stp instance 20 root secondary
On S2, configure the root bridge and backup root bridge for Instance 10 and Instance 20:
stp instance 10 root secondary
stp instance 20 root primary
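On S3 and S4, use the following commands to check that the MSTP instance port roles are correct. On S3, G0/0/1 is the RP for Instance 10 and the AP for Instance 20, and G0/0/2 is the AP for Instance 10 and the RP for Instance 20. On S4, G0/0/1 is the AP for Instance 10 and the RP for Instance 20, and G0/0/2 is the RP for Instance 10 and the AP for Instance 20.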
[S3]dis stp instance 10 brief
MSTID Port Role STP State Protection
10 GigabitEthernet0/0/1 ROOT FORWARDING NONE
10 GigabitEthernet0/0/2 ALTE DISCARDING NONE
[S3]dis stp instance 20 brief
MSTID Port Role STP State Protection
20 GigabitEthernet0/0/1 ALTE DISCARDING NONE
20 GigabitEthernet0/0/2 ROOT FORWARDING NONE
[S4]dis stp instance 10 brief
MSTID Port Role STP State Protection
10 GigabitEthernet0/0/1 ALTE DISCARDING NONE
10 GigabitEthernet0/0/2 ROOT FORWARDING NONE
[S4]dis stp instance 20 brief
MSTID Port Role STP State Protection
20 GigabitEthernet0/0/1 ROOT FORWARDING NONE
20 GigabitEthernet0/0/2 ALTE DISCARDING NONE
Configure edge ports on S1, S2, S3 and S4:
[S1]stp edged-port default
[S2]stp edged-port default
[S3]stp edged-port default
[S4]stp edged-port default
Configure the trunk interfaces of S1 and S2 as non-edge ports:
interface Eth-Trunk12
stp edged-port disable
interface GigabitEthernet0/0/1
stp edged-port disable
interface GigabitEthernet0/0/12
stp edged-port disable
Configure the Trunk interfaces of S3 and S4 as non-edge ports:
interface GigabitEthernet0/0/1
stp edged-port disable
interface GigabitEthernet0/0/2
stp edged-port disable
4. WAN
- The Serial interfaces between PE1 and RR1 are bundled into one logical interface whose member links use HDLC; the logical interface has an IPv4 address and an IPv6 address (note: the IPv6 address is configured later, under the IPv6 requirements).
[PE1-Serial0/0/0]link-protocol hdlc
[PE1-Serial0/0/1]link-protocol hdlc
[RR1-Serial0/0/0]link-protocol hdlc
[RR1-Serial0/0/1]link-protocol hdlc
[PE1]interface Ip-Trunk 8
[PE1-Ip-Trunk8]trunkport Serial 0/0/0
[PE1-Ip-Trunk8]trunkport Serial 0/0/1
[PE1-Ip-Trunk8]ip address 10.1.13.1 30
[RR1]interface Ip-Trunk 8
[RR1-Ip-Trunk8]trunkport Serial 0/0/0
[RR1-Ip-Trunk8]trunkport Serial 0/0/1
[RR1-Ip-Trunk8]ip address 10.1.13.2 30
- The POS interfaces between PE3 and CE3 are bundled into one logical interface whose member links use PPP; the logical interface has an IPv4 address.
[PE3]interface Mp-group 0/0/0
[PE3-Mp-group0/0/0]ip address 10.2.33.2 30
[PE3-Pos4/0/0]ppp mp Mp-group 0/0/0
[PE3-Pos6/0/0]ppp mp Mp-group 0/0/0
[CE3-Mp-group0/0/0]ip address 10.2.33.1 30
[CE3-Pos4/0/0]ppp mp Mp-group 0/0/0
[CE3-Pos6/0/0]ppp mp Mp-group 0/0/0
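- IPv4 IGP
1. Basic configuration
- IPv4 addresses of all device interfaces are preconfigured (except the PE1-RR1 logical interface).
- The Router-id is the same as the Loopback0 IPv4 address. Loopback0 of each device in the MPLS domain takes an available host address from 172.16.0.0/16; for example, 172.16.1.21/32 may be located in AS100 or in AS200.
2. OSPF
- The link between CE1 and CE2 and the Loopback0 of both devices are advertised into OSPF area 0 (preconfigured).
- GE0/0/2.10 and GE0/0/2.20 of CE1 and GE0/0/2.10 and GE0/0/2.20 of CE2: the directly connected subnets are advertised into OSPF area 0, but these interfaces must not send or receive OSPF packets.
[CE1-ospf-1-area-0.0.0.0]network 10.3.1.1 0.0.0.0
[CE1-ospf-1-area-0.0.0.0]network 10.3.2.1 0.0.0.0
[CE2-ospf-1-area-0.0.0.0]network 10.3.1.2 0.0.0.0
[CE2-ospf-1-area-0.0.0.0]network 10.3.2.2 0.0.0.0
[CE1-ospf-1]silent-interface g0/0/2.10
[CE1-ospf-1]silent-interface g0/0/2.20
[CE2-ospf-1]silent-interface g0/0/2.10
[CE2-ospf-1]silent-interface g0/0/2.20
- RR2, P2, PE3 and PE4 are in OSPF area 0, with costs as shown in the figure (all preconfigured).
- The OSPF network type of the PE3-PE4 link is p2p.
[PE3-GigabitEthernet0/0/0]ospf network-type p2p
[PE4-GigabitEthernet0/0/0]ospf network-type p2p
- Import the Loopback0 address of PE4 into OSPF. In AS200, the route from every OSPF router to PE4's Loopback0 must include the internal cost.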
[PE4]ip ip-prefix Loopback permit 172.16.1.2 32
[PE4]route-policy Loopback permit node 10
[PE4-route-policy]if-match ip-prefix Loopback
[PE4-ospf-1]import-route direct route-policy Loopback type 1
3. ISIS
- In AS100, enable ISIS on Loopback0 and on all interconnecting interfaces. PE1 and PE2 are L1 routers in area 49.0001; RR1 and P1 are L1/2 routers in area 49.0001; ASBR1 and ASBR2 are L2 routers in area 49.0002. Each ISIS System-ID is unique, cost-style is wide, and cost values are configured as shown in the figure.
[PE1-Ip-Trunk8]isis enable
[PE1-Ip-Trunk8]isis cost 1500
[RR1-Ip-Trunk8]isis enable
[RR1-Ip-Trunk8]isis cost 1500
The ISIS circuit type of the RR2-P2 link is P2P.
[RR2-GigabitEthernet0/0/0]isis circuit-type p2p
[P2-GigabitEthernet0/0/0]isis circuit-type p2p
To keep the AS100 public-network LDP reachable for the MPLS VPN configured later, leak the 172.16.0.0/16 host routes from level-2 into level-1 on RR1 and P1.
Route leaking on RR1:
[RR1]ip ip-prefix Tigerlab permit 172.16.0.0 16 greater-equal 32 less-equal 32
[RR1-isis-1]import-route isis level-2 into level-1 filter-policy ip-prefix Tigerlab
Route leaking on P1:
[P1]ip ip-prefix Tigerlab permit 172.16.0.0 16 greater-equal 32 less-equal 32
[P1-isis-1]import-route isis level-2 into level-1 filter-policy ip-prefix Tigerlab
- On RR2 and P2, redistribute host routes in 172.16.0.0/16 in both directions between ISIS and OSPF. The cost in the source protocol must be inherited in the destination protocol. Traffic between the Loopback0 of P2 and of PE4 must take the optimal path, and the configuration must scale as well as possible.
[RR2-ospf-1]default cost inherit-metric
[P2-ospf-1]default cost inherit-metric
Solution 2 for making traffic between the Loopback0 of P2 and of PE4 take the optimal path:
[RR2-ospf-1]default cost inherit-metric
[P2-ospf-1]default cost inherit-metric
Next, on RR2 and P2, redistribute the host routes in 172.16.0.0/16 in both directions:
[RR2]ip ip-prefix Tigerlab permit 172.16.0.0 16 greater-equal 32 less-equal 32
[RR2]route-policy Tigerlab permit node 10
[RR2-route-policy]if-match ip-prefix Tigerlab
[RR2-ospf-1]import-route isis route-policy Tigerlab
[RR2-isis-1]import-route ospf inherit-cost route-policy Tigerlab
[P2]ip ip-prefix Tigerlab permit 172.16.0.0 16 greater-equal 32 less-equal 32
[P2]route-policy Tigerlab permit node 10
[P2-route-policy]if-match ip-prefix Tigerlab
[P2-isis-1]import-route ospf inherit-cost route-policy Tigerlab
[P2-ospf-1]import-route isis route-policy Tigerlab
1. On RR2, import OSPF routes into ISIS, add tag 100, and reject OSPF routes with tag 200 (that is, routes that P2 imported from ISIS into OSPF).
[RR2]route-policy ospftoisis deny node 10
[RR2-route-policy]if-match tag 200
[RR2]route-policy ospftoisis permit node 20
[RR2-route-policy]if-match ip-prefix Tigerlab
[RR2-route-policy]apply tag 100
[RR2-isis-1]import-route ospf inherit-cost route-policy ospftoisis
2. On P2, import ISIS routes into OSPF, add tag 200, and reject ISIS routes with tag 100 (that is, routes that RR2 imported from OSPF into ISIS).
[P2]route-policy isistoospf deny node 10
[P2-route-policy]if-match tag 100
[P2]route-policy isistoospf permit node 20
[P2-route-policy]if-match ip-prefix Tigerlab
[P2-route-policy]apply tag 200
[P2-ospf-1]import-route isis route-policy isistoospf
3. On RR2, set the preference of routes with tag 200 to 150 (that is, the ISIS routes that P2 imported into OSPF).
[RR2]route-policy preference permit node 10
[RR2-route-policy]if-match tag 200
[RR2-route-policy]apply preference 150
[RR2-ospf-1]preference ase route-policy preference 10
4. On P2, import OSPF routes into ISIS, add tag 300, and reject OSPF routes with tag 400 (that is, routes that RR2 imported into OSPF).
[P2]route-policy ospftoisis deny node 10
[P2-route-policy]if-match tag 400
[P2]route-policy ospftoisis permit node 20
[P2-route-policy]if-match ip-prefix Tigerlab
[P2-route-policy]apply tag 300
[P2-isis-1]import-route ospf inherit-cost route-policy ospftoisis
5. On RR2, import ISIS routes into OSPF, add tag 400, and reject ISIS routes with tag 300 (that is, the routes imported into ISIS on RR2).
[RR2]route-policy isistoospf deny node 10
[RR2-route-policy]if-match tag 300
[RR2]route-policy isistoospf permit node 20
[RR2-route-policy]if-match ip-prefix Tigerlab
[RR2-route-policy]apply tag 400
[RR2-ospf-1]import-route isis route-policy isistoospf
6. On P2, set the preference of routes with tag 400 to 200 (that is, the ISIS routes imported into OSPF on P2).
[P2]route-policy preference permit node 10
[P2-route-policy]if-match tag 400
[P2-route-policy]apply preference 150
[P2-ospf-1]preference ase route-policy preference 10
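The effect of the deny-by-tag nodes in steps 1, 2, 4 and 5 can be checked with a small model. This is an added example, not part of the original lab answer: it tracks route copies per protocol database rather than a full RIB, takes 172.16.1.2/32 (PE4 Loopback0) and 172.16.1.9/32 (RR2) from the configuration on this page, and uses 10.2.34.0/30 as a constructed non-host prefix.

```python
import ipaddress

HOST_RANGE = ipaddress.ip_network("172.16.0.0/16")

# (router, source protocol, target protocol) -> (tag denied by node 10, tag applied by node 20),
# copied from the four import route-policies in steps 1, 2, 4 and 5 above.
POLICIES = {
    ("RR2", "ospf", "isis"): (200, 100),
    ("P2", "isis", "ospf"): (100, 200),
    ("P2", "ospf", "isis"): (400, 300),
    ("RR2", "isis", "ospf"): (300, 400),
}

# Constructed sample: prefixes native to each protocol before any redistribution.
NATIVE = {
    "ospf": ["172.16.1.2/32", "10.2.34.0/30"],  # the /30 is a constructed link subnet
    "isis": ["172.16.1.9/32"],
}


def prefix_list_match(prefix):
    """ip ip-prefix Tigerlab permit 172.16.0.0 16 greater-equal 32 less-equal 32"""
    net = ipaddress.ip_network(prefix)
    return net.prefixlen == 32 and net.subnet_of(HOST_RANGE)


def evaluate(policy, prefix, tag, deny_nodes=True):
    """Return the tag applied on import, or None when the route is rejected."""
    deny_tag, apply_tag = policy
    if deny_nodes and tag == deny_tag:   # node 10: deny, if-match tag
        return None
    if prefix_list_match(prefix):        # node 20: permit, if-match ip-prefix
        return apply_tag
    return None                          # no node matched: implicit deny


def redistribute(native, deny_nodes=True, max_rounds=10):
    """Run the four imports to a fixed point.

    Each database entry is (prefix, tag, injected_by); native routes carry
    tag 0 and injected_by None. Simplification: a border router never
    re-imports a copy it injected itself.
    """
    db = {proto: {(p, 0, None) for p in prefixes} for proto, prefixes in native.items()}
    for _ in range(max_rounds):
        changed = False
        for (router, src, dst), policy in POLICIES.items():
            for prefix, tag, injected_by in list(db[src]):
                if injected_by == router:
                    continue
                new_tag = evaluate(policy, prefix, tag, deny_nodes)
                if new_tag is None:
                    continue
                entry = (prefix, new_tag, router)
                if entry not in db[dst]:
                    db[dst].add(entry)
                    changed = True
        if not changed:
            break
    return db


def fed_back(native, db):
    """Copies of a prefix that were re-injected into the protocol it is native to."""
    return sorted(
        entry
        for proto, prefixes in native.items()
        for entry in db[proto]
        if entry[0] in prefixes and entry[2] is not None
    )


if __name__ == "__main__":
    print("with deny nodes:   ", fed_back(NATIVE, redistribute(NATIVE)))
    print("without deny nodes:", fed_back(NATIVE, redistribute(NATIVE, deny_nodes=False)))
```

With the deny nodes in place no prefix returns to its protocol of origin; with them removed, PE4's Loopback0 comes back into OSPF as an external copy injected by P2.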
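- ISIS process on P1: the maximum delay for LSP generation is 1 s, the initial delay 50 ms and the incremental delay 50 ms; enable LSP fast flooding; the maximum delay for SPF calculation is 1 s, the initial delay 100 ms and the incremental delay 100 ms.
[P1-isis-1]timer lsp-generation 1 50 50
[P1-isis-1]flash-flood
[P1-isis-1]timer spf 1 100 100
Configure the Trunk interfaces of S3 and S4 as non-edge ports:
interface GigabitEthernet0/0/1
stp edged-port disable
interface GigabitEthernet0/0/2
stp edged-port disable
Lab Part 2/3
ospf 1
import-route isis 1 type 1 route-policy ito
On RR2, set the preference of OSPF routes with tag 300 to 150, that is, the ISIS routes that P2 imported into OSPF.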
route-policy pre permit node 10
if-match tag 300
apply preference 150
ospf 1
preference ase route-policy pre 10
On P2, import OSPF routes into ISIS, add tag 200, and reject OSPF routes with tag 400, that is, routes that RR2 imported into OSPF.
route-policy oti deny node 10
if-match tag 400
route-policy oti permit node 20
if-match ip-prefix 32
apply tag 200
isis 1
import-route ospf 1 inherit-cost route-policy oti
On RR2, import ISIS routes into OSPF, add tag 400, and reject ISIS routes with tag 200, that is, routes that P2 imported into ISIS.
route-policy ito deny node 10
if-match tag 200
route-policy ito permit node 20
if-match ip-prefix 32
apply tag 400
ospf 1
import-route isis 1 type 1 route-policy ito
On P2, set the preference of OSPF routes with tag 400 to 150, that is, the ISIS routes that RR2 imported into OSPF.
route-policy pre permit node 10
if-match tag 400
apply preference 150
ospf 1
preference ase route-policy pre 10
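4. ISIS process on P1: the maximum delay for LSP generation is 1 s, the initial delay 50 ms and the incremental delay 50 ms; enable LSP fast flooding; the maximum delay for SPF calculation is 1 s, the initial delay 100 ms and the incremental delay 100 ms. (2 points)
Solution: tune LSP handling on P1: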
isis 1
timer lsp-generation 1 50 50
timer spf 1 100 100
flash-flood
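3) MPLS VPN (35 points)
1. CE1 and CE2 are the Hub-CEs of VPN1, and PE1 and PE2 are the Hub-PEs; CE3 and CE4 are Spoke sites of VPN1, and PE3 and PE4 are the Spoke-PEs.
2. CE4 is a Multi-VPN-instance CE. The VPN instance VPN1 on CE4 connects to PE4 through GE0/0/1.
Solution: create VPN instance VPN1 on CE4 with RD 100:14 and bind all directly connected interfaces to it.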
ip vpn-instance VPN1
route-distinguisher 100:14
interface GigabitEthernet0/0/1
ip binding vpn-instance VPN1
ip address 10.2.41.1 255.255.255.252
interface LoopBack0
ip binding vpn-instance VPN1
ip address 172.17.1.4 255.255.255.255
interface LoopBack1
ip binding vpn-instance VPN1
ip address 10.3.3.4 255.255.255.255
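3. Set the VPN1 parameters so that traffic between Spoke sites must pass through the Hub-CE devices, and so that PE1 can still learn CE1's service routes when the CE1-PE1 link is down. (On PE3, VPN1 has RD 100:13, Export RT 100:1 and Import RT 200:1.) (2 points)
Solution: create two VPN instances on PE1 and on PE2: VPN1_IN receives routes from the Spoke sites, and VPN1_OUT sends routes.
VPN1_IN is bound to interface G0/0/0.1, with RD 100:10 and Import RT 100:1; VPN1_OUT is bound to interface G0/0/1.2, with RD 100:12 and Export RT 200:1.
PE1 configuration: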
ip vpn-instance VPN1_IN
route-distinguisher 100:10
vpn-target 100:1 import-extcommunity
vpn-target 400:1 import-extcommunity
ip vpn-instance VPN1_OUT
route-distinguisher 100:12
vpn-target 200:1 export-extcommunity
vpn-target 300:1 import-extcommunity
interface GigabitEthernet0/0/1.1
ip binding vpn-instance VPN1_IN
ip address 10.2.11.2 255.255.255.252
arp broadcast enable
interface GigabitEthernet0/0/1.2
ip binding vpn-instance VPN1_OUT
ip address 10.2.11.6 255.255.255.252
arp broadcast enable
Configure the EBGP peer relationship with CE1 on PE1:
bgp 100
ipv4-family vpn-instance VPN1_IN
peer 10.2.11.1 as-number 65000
ipv4-family vpn-instance VPN1_OUT
peer 10.2.11.5 as-number 65000
Configure the EBGP peer relationship with PE1 on CE1, and enable ARP broadcast on CE1's subinterfaces:
interface GigabitEthernet0/0/1.1
arp broadcast enable
interface GigabitEthernet0/0/1.2
arp broadcast enable
bgp 65000
peer 10.2.11.2 as-number 100
peer 10.2.11.6 as-number 100
PE2 configuration:
ip vpn-instance VPN1_IN
route-distinguisher 100:11
vpn-target 100:1 import-extcommunity
vpn-target 400:1 export-extcommunity
ip vpn-instance VPN1_OUT
route-distinguisher 100:15
vpn-target 200:1 export-extcommunity
vpn-target 300:1 export-extcommunity
interface GigabitEthernet0/0/1.1
ip binding vpn-instance VPN1_IN
ip address 10.2.22.2 255.255.255.252
arp broadcast enable
interface GigabitEthernet0/0/1.2
ip binding vpn-instance VPN1_OUT
ip address 10.2.22.6 255.255.255.252
arp broadcast enable
Configure the EBGP peer relationship with CE2 on PE2:
bgp 100
ipv4-family vpn-instance VPN1_IN
peer 10.2.22.1 as-number 65000
ipv4-family vpn-instance VPN1_OUT
peer 10.2.22.5 as-number 65000
Configure the EBGP peer relationship with PE2 on CE2:
interface GigabitEthernet0/0/1.1
arp broadcast enable
interface GigabitEthernet0/0/1.2
arp broadcast enable
bgp 65000
peer 10.2.22.2 as-number 100
peer 10.2.22.6 as-number 100
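The route-target plan above can be checked mechanically: a VPN instance learns another instance's routes only when one of its import RTs equals one of the other's export RTs. The following is an added example, not part of the original lab answer. It parses vpn-instance stanzas and reports any Spoke-PE instance that imports directly from another Spoke-PE; the PE1 and PE2 stanzas repeat the vpn-target lines on this page, the PE3 stanza follows the task text, and the PE4 stanza is an assumption that mirrors PE3.

```python
import re

# Constructed sample input (see the lead-in for where each stanza comes from).
CONFIGS = {
    "PE1": """
ip vpn-instance VPN1_IN
route-distinguisher 100:10
vpn-target 100:1 import-extcommunity
vpn-target 400:1 import-extcommunity
ip vpn-instance VPN1_OUT
route-distinguisher 100:12
vpn-target 200:1 export-extcommunity
vpn-target 300:1 import-extcommunity
""",
    "PE2": """
ip vpn-instance VPN1_IN
route-distinguisher 100:11
vpn-target 100:1 import-extcommunity
vpn-target 400:1 export-extcommunity
ip vpn-instance VPN1_OUT
route-distinguisher 100:15
vpn-target 200:1 export-extcommunity
vpn-target 300:1 export-extcommunity
""",
    "PE3": """
ip vpn-instance VPN1
route-distinguisher 100:13
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
""",
    # Assumption: PE4 mirrors PE3; its RD is not given on the page and is left out.
    "PE4": """
ip vpn-instance VPN1
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
""",
}
SPOKE_PES = {"PE3", "PE4"}
RT_RE = re.compile(r"^\d+:\d+$")


def parse_vrfs(device, text):
    """Return {"<device>/<instance>": {"import": set, "export": set}}."""
    vrfs, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) == 3 and words[:2] == ["ip", "vpn-instance"]:
            current = vrfs.setdefault(
                f"{device}/{words[2]}", {"import": set(), "export": set()}
            )
        elif words[:1] == ["vpn-target"] and current is not None:
            rts = {w for w in words[1:] if RT_RE.match(w)}
            # No direction keyword after the RT list means "both".
            keyword = "both" if RT_RE.match(words[-1]) else words[-1]
            if keyword in ("both", "import-extcommunity"):
                current["import"] |= rts
            if keyword in ("both", "export-extcommunity"):
                current["export"] |= rts
    return vrfs


def load(configs):
    vrfs = {}
    for device, text in configs.items():
        vrfs.update(parse_vrfs(device, text))
    return vrfs


def import_edges(vrfs):
    """(exporter, importer) pairs whose export and import RT sets intersect."""
    return {
        (src, dst)
        for src, s in vrfs.items()
        for dst, d in vrfs.items()
        if src != dst and s["export"] & d["import"]
    }


def spoke_leaks(edges, spoke_pes=SPOKE_PES):
    """Edges where one Spoke-PE instance imports straight from another."""
    return sorted(
        (src, dst)
        for src, dst in edges
        if src.split("/")[0] in spoke_pes and dst.split("/")[0] in spoke_pes
    )


if __name__ == "__main__":
    edges = import_edges(load(CONFIGS))
    for src, dst in sorted(edges):
        print(f"{dst} imports from {src}")
    print("spoke-to-spoke leaks:", spoke_leaks(edges))
```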
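4. As in Figure 4, CE1 establishes directly connected EBGP peers through GE0/0/1.1 and GE0/0/1.2 to connect to PE1. In the BGP updates that CE1 advertises to PE1 through GE0/0/0.2, some routes have 200 in the AS-Path. On CE1, import OSPF routes into BGP. (2 points)
Solution: import OSPF routes into BGP on CE1. To keep PE1's route to CE2's Loopback0 from going through the MPLS VPN network, set the MED to 0 on import.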
bgp 65000
import-route ospf 1 med 0
On PE1, so that routes from CE1 are accepted, disable EBGP AS-PATH loop detection for routes received from CE1:
bgp 100
ipv4-family vpn-instance VPN1_OUT
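peer 10.2.11.5 allow-as-loop
5. CE2 establishes directly connected EBGP peers through GE0/0/1.1 and GE0/0/1.2 to connect to PE2. In the BGP updates that CE2 advertises to PE2 through GE0/0/0.2, some routes have 200 in the AS-Path. On CE2, import OSPF routes into BGP. (2 points)
Solution: import OSPF routes into BGP on CE2. To keep PE2's route to CE1's Loopback0 from going through the MPLS VPN network, set the MED to 0 on import.
bgp 65000
import-route ospf 1 med 0
On PE2, so that routes from CE2 are accepted, disable EBGP AS-PATH loop detection for routes received from CE2: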
bgp 100
ipv4-family vpn-instance VPN1_OUT
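peer 10.2.22.5 allow-as-loop
6. CE3 connects to PE3 through OSPF area 1, over the PE3-CE3 logical interface, and advertises all of CE3's loopback interfaces; CE4 connects to PE4 through OSPF area 0, over GE0/0/1 between PE4 and CE4, and advertises all of CE4's loopback interfaces. (2 points)
Solution: create VPN instance VPN1 on PE3, bound to Mp-group0/0/1, with RD 100:13, Export RT 100:1 and Import RT 200:1.
ip vpn-instance VPN1
route-distinguisher 100:13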
mpls ldp
10. As in Figure 4, the sites learn each other's routes through inter-AS MPLS BGP VPN Option C, solution 1. No suboptimal path may appear in the MPLS domain. (15 points)
Solution: establish MP-IBGP IPv4 peer relationships within AS100 and AS200. RR1 is the route reflector for PE1, PE2, P1, ASBR1 and ASBR2. On RR1, enable the capability to exchange labeled IPv4 routes with the clients; RR1 activates the VPNv4 peer relationship with PE1, PE2, P1, ASBR1 and ASBR2 as clients, and keeps the next hop unchanged when advertising VPNv4 routes (this is required).
bgp 100
peer 172.16.1.1 label-route-capability
peer 172.16.1.4 label-route-capability
peer 172.16.1.5 label-route-capability
peer 172.16.1.6 label-route-capability
peer 172.16.1.20 label-route-capability
ipv4-family vpnv4
undo policy vpn-target
peer 172.16.1.1 enable
peer 172.16.1.1 reflect-client
peer 172.16.1.1 next-hop-invariable
peer 172.16.1.4 enable
peer 172.16.1.4 reflect-client
peer 172.16.1.4 next-hop-invariable
peer 172.16.1.6 enable
peer 172.16.1.6 reflect-client
peer 172.16.1.6 next-hop-invariable
peer 172.16.1.20 enable
peer 172.16.1.20 reflect-client
peer 172.16.1.20 next-hop-invariable
On PE1, PE2, P1, ASBR1 and ASBR2, enable the capability to exchange labeled IPv4 routes and VPNv4 routes with RR1, as follows:
bgp 100
peer 172.16.1.3 label-route-capability
ipv4-family vpnv4
peer 172.16.1.3 enable
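On RR2, enable the capability to exchange labeled IPv4 routes with the clients. RR2 activates the VPNv4 peer relationship with ASBR3, ASBR4, P2, PE3 and PE4 as clients, and keeps the next hop unchanged when advertising VPNv4 routes.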
bgp 200
peer 172.16.1.2 label-route-capability
peer 172.16.1.7 label-route-capability
peer 172.16.1.8 label-route-capability
peer 172.16.1.10 label-route-capability
peer 172.16.1.11 label-route-capability
ipv4-family vpnv4
undo policy vpn-target
peer 172.16.1.2 enable
peer 172.16.1.2 reflect-client
peer 172.16.1.2 next-hop-invariable
peer 172.16.1.7 enable
peer 172.16.1.7 reflect-client
peer 172.16.1.7 next-hop-invariable
peer 172.16.1.8 enable
peer 172.16.1.8 reflect-client
peer 172.16.1.8 next-hop-invariable
peer 172.16.1.10 enable
peer 172.16.1.10 reflect-client
peer 172.16.1.10 next-hop-invariable
peer 172.16.1.11 enable
peer 172.16.1.11 reflect-client
peer 172.16.1.11 next-hop-invariable
On PE3, PE4, P2, ASBR3 and ASBR4, enable the capability to exchange labeled IPv4 routes and VPNv4 routes with RR2, as follows:
bgp 200
peer 172.16.1.9 label-route-capability
ipv4-family vpnv4
peer 172.16.1.9 enable
On ASBR1, enable the exchange of labeled IPv4 routes with ASBR3 and enable MPLS on the interconnecting interface, as follows:
bgp 100
peer 10.1.57.2 label-route-capability
interface GigabitEthernet0/0/2
mpls
On ASBR3, enable the exchange of labeled IPv4 routes with ASBR1 and enable MPLS on the interconnecting interface, as follows:
bgp 200
peer 10.1.57.1 label-route-capability
interface GigabitEthernet0/0/2
mpls
On ASBR2, enable the exchange of labeled IPv4 routes with ASBR4 and enable MPLS on the interconnecting interface, as follows:
bgp 100
peer 10.1.68.2 label-route-capability
interface GigabitEthernet0/0/2
mpls
On ASBR4, enable the exchange of labeled IPv4 routes with ASBR2 and enable MPLS on the interconnecting interface, as follows:
bgp 200
peer 10.1.68.1 label-route-capability
interface GigabitEthernet0/0/2
mpls
On RR1, configure the MP-EBGP peer relationship with RR2, activate the VPNv4 peer with the next hop kept unchanged, and disable the IPv4 EBGP peer for RR2:
bgp 100
peer 172.16.1.9 as-number 200
peer 172.16.1.9 ebgp-max-hop 10
peer 172.16.1.9 connect-interface LoopBack0
undo peer 172.16.1.9 enable
ipv4-family vpnv4
peer 172.16.1.9 enable
peer 172.16.1.9 next-hop-invariable
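On RR2, configure the MP-EBGP peer relationship with RR1, activate the VPNv4 peer with the next hop kept unchanged, disable the IPv4 EBGP peer for RR1, and disable AS-PATH loop detection toward RR1: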
bgp 200
peer 172.16.1.3 as-number 100
peer 172.16.1.3 ebgp-max-hop 10
peer 172.16.1.3 connect-interface LoopBack0
undo peer 172.16.1.3 enable
ipv4-family vpnv4
peer 172.16.1.3 enable
peer 172.16.1.3 next-hop-invariable
peer 172.16.1.3 allow-as-loop
On ASBR1, configure route-policies toward RR1 and ASBR3 to control label allocation:
route-policy RR permit node 10
if-match mpls-label
apply mpls-label
route-policy ASBR permit node 10
apply mpls-label
bgp 100
peer 10.1.57.2 route-policy ASBR export
peer 172.16.1.3 route-policy RR export
On ASBR2, configure route-policies toward RR1 and ASBR4 to control label allocation:
route-policy RR permit node 10
if-match mpls-label
apply mpls-label
route-policy ASBR permit node 10
apply mpls-label
bgp 100
peer 10.1.68.2 route-policy ASBR export
peer 172.16.1.3 route-policy RR export
On ASBR3, configure route-policies toward RR2 and ASBR1 to control label allocation:
route-policy RR permit node 10
if-match mpls-label
apply mpls-label
route-policy ASBR permit node 10
apply mpls-label
bgp 200
peer 10.1.57.1 route-policy ASBR export
peer 172.16.1.9 route-policy RR export
On ASBR4, configure route-policies toward RR2 and ASBR2 to control label allocation:
route-policy RR permit node 10
if-match mpls-label
apply mpls-label
route-policy ASBR permit node 10
apply mpls-label
bgp 200
peer 10.1.68.1 route-policy ASBR export
peer 172.16.1.9 route-policy RR export
On PE3, import VPNv4 routes into OSPF, and import OSPF routes into MP-BGP as VPNv4 routes:
ospf 2 vpn-instance VPN1
import-route bgp
bgp 200
ipv4-family vpn-instance VPN1
import-route ospf 2
On PE4, import VPNv4 routes into OSPF, and import OSPF routes into MP-BGP as VPNv4 routes:
ospf 2 vpn-instance VPN1
import-route bgp
bgp 200
ipv4-family vpn-instance VPN1
import-route ospf 2
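11. When the CE1-PE1 link is down, CE1 can still learn the Spoke service subnets; when the CE2-PE2 link is down, CE2 can still learn the Spoke service subnets. The configuration must scale as well as possible. (6 points)
Solution: on CE1, import BGP routes into CE1's OSPF process with tag 100, and reject OSPF routes with tag 200 from being imported back into BGP: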
route-policy tag permit node 10
apply tag 100
ospf 1
import-route bgp route-policy tag
route-policy import_bgp deny node 10
if-match tag 200
route-policy import_bgp permit node 20
bgp 65000
import-route ospf 1 med 0 route-policy import_bgp
On CE2, import BGP routes into CE2's OSPF process with tag 200, and reject OSPF routes with tag 100 from being imported back into BGP:
route-policy tag permit node 10
apply tag 200
ospf 1
import-route bgp route-policy tag
route-policy import_bgp deny node 10
if-match tag 100
route-policy import_bgp permit node 20
bgp 65000
import-route ospf 1 med 0 route-policy import_bgp
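12. When the topology is normal, CE1 and CE2 must not detour through their own AS to reach the Spoke service subnets. (1 point)
Solution: change the preference of EBGP routes to 120 on CE1 and CE2:
bgp 65000
preference 120 255 255
13. On PE3/PE4, modify the BGP Local-preference attribute so that when CE3/CE4 access a non-directly-connected 10.3.X.0/24 subnet, PE3/PE4 prefer PE1 as the next hop if X is odd and PE2 if X is even. Return-path symmetry need not be considered. (3 points)
Solution: configure the following commands on PE3/PE4:
Part 4
4. When the VRRP master restarts, it may become master again only 1 minute after G0/0/2 comes up. (4 points)
Solution: configure VRRP on G0/0/2.10 and G0/0/2.20 of CE1. The interface addresses are preconfigured.
interface GigabitEthernet0/0/2.10
vrrp vrid 1 virtual-ip 10.3.1.254
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 60
arp broadcast enable
interface GigabitEthernet0/0/2.20
vrrp vrid 2 virtual-ip 10.3.2.254
arp broadcast enable
Configure VRRP on G0/0/2.10 and G0/0/2.20 of CE2. The interface addresses are preconfigured.
interface GigabitEthernet0/0/2.10
vrrp vrid 1 virtual-ip 10.3.1.254
arp broadcast enable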
interface GigabitEthernet0/0/2.20
5. CE2 establishes directly connected EBGP peers through GE0/0/1.1 and GE0/0/1.2 to connect to PE2. In the BGP updates that CE2 advertises to PE2 through GE0/0/0.2, some routes have 200 in the AS-Path. On CE2, import OSPF routes into BGP. (2 points)
Solution: import OSPF routes into BGP on CE2. To keep PE2's route to CE1's Loopback0 from going through the MPLS VPN network, set the MED to 0 on import.
bgp 65000
import-route ospf 1 med 0
On PE2, so that routes from CE2 are accepted, disable EBGP AS-PATH loop detection for routes received from CE2:
bgp 100
ipv4-family vpn-instance VPN1_OUT
peer 10.2.22.5 allow-as-loop
6. CE3 connects to PE3 through OSPF area 1, over the PE3-CE3 logical interface, and advertises all of CE3's loopback interfaces; CE4 connects to PE4 through OSPF area 0, over GE0/0/1 between PE4 and CE4, and advertises all of CE4's loopback interfaces. (2 points)
Solution: create VPN instance VPN1 on PE3, bound to Mp-group0/0/1, with RD 100:13, Export RT 100:1 and Import RT 200:1.
ip vpn-instance VPN1
route-distinguisher 100:13
Configure OSPF on CE4:
ospf 2 vpn-instance VPN1
vpn-instance-capability simple
area 0.0.0.0
network 10.2.41.1 0.0.0.0
network 10.3.3.4 0.0.0.0
network 172.17.1.4 0.0.0.0
CE4 is a Multi-VPN-instance CE. The VPN instance VPN1 on CE4 connects to PE4 through GE0/0/1.
Solution: create VPN instance VPN1 on CE4 with RD 100:14 and bind all directly connected interfaces to it.
ip vpn-instance VPN1
route-distinguisher 100:14
interface GigabitEthernet0/0/1
ip binding vpn-instance VPN1
ip address 10.2.41.1 255.255.255.252
interface LoopBack0
ip binding vpn-instance VPN1
ip address 172.17.1.4 255.255.255.255
interface LoopBack1
ip binding vpn-instance VPN1
ip address 10.3.3.4 255.255.255.255
3. Set the VPN1 parameters so that traffic between Spoke sites must pass through the Hub-CE devices, and so that PE1 can still learn CE1's service routes when the CE1-PE1 link is down. (On PE3, VPN1 has RD 100:13, Export RT 100:1 and Import RT 200:1.) (2 points)
Solution: create two VPN instances on PE1 and on PE2: VPN1_IN receives routes from the Spoke sites, and VPN1_OUT sends routes.
VPN1_IN is bound to interface G0/0/0.1, with RD 100:10 and Import RT 100:1; VPN1_OUT is bound to interface G0/0/1.2, with RD 100:12 and Export RT 200:1.
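vpn-instance-capability simple (OSPF)
Function
The vpn-instance-capability simple command disables routing loop detection so that routes are calculated directly.
The undo vpn-instance-capability command enables DN-bit checking to prevent routing loops.
By default, routing loop detection is enabled.
Format
vpn-instance-capability simple
undo vpn-instance-capability
Usage scenario
When OSPF VPN multi-instance is deployed on an MCE (Multi-VPN-Instance CE) device, Type 3, Type 5 or Type 7 LSAs that have the DN bit set cannot be used in route calculation, because OSPF performs loop detection during route calculation. In this case, the vpn-instance-capability simple command removes OSPF routing loop detection: all OSPF routes are calculated directly without checking the DN bit or the Route-tag, and the Route-tag is restored to the default value 1.
Prerequisites
OSPF VPN multi-instance has been deployed on the MCE with the ospf process-id vpn-instance vpn-instance-name command.
Configuration impact
After vpn-instance-capability simple is configured on the MCE, the MCE does not become an ABR if OSPF has no backbone area 0 configured.
After vpn-instance-capability simple is configured, the OSPF process cannot import IBGP routes.
After vpn-instance-capability simple is configured, OSPF routes imported by BGP do not carry the OSPF Domain ID, OSPF Route-tag or OSPF Router ID.
By default, when BGP imports an OSPF route, the MED (the MED attribute is the equivalent of the metric used by an IGP) is the OSPF cost plus 1. After vpn-instance-capability simple is configured, the cost is not incremented, so the MED equals the OSPF cost. This changes the MED of OSPF routes imported by BGP and affects BGP route selection.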
Part 5
4.3 QoS (7 points)
1. In the outbound direction of GE2/0/1 on CE1 and GE2/0/2 on CE2, Monday to Friday from 8:00 to 18:00, apply a committed average rate of 1 Mbps to traffic with TCP destination ports 6881-6999. (3 points)
Solution: configure traffic policing on GE2/0/1 of CE1:
time-range work 08:00 to 18:00 working-day
acl number 3000
rule 5 permit tcp destination-port range 6881 6999 time-range work
interface GigabitEthernet2/0/1
qos car outbound acl 3000 cir 1024
Configure traffic policing on GE2/0/2 of CE2:
time-range worktime 08:00 to 18:00 working-day
acl number 3000
rule 5 permit tcp destination-port range 6881 6999 time-range worktime
interface GigabitEthernet2/0/2
qos car outbound acl 3000 cir 1024
2. The QoS plan for CE4-PE4 is shown in the table below:
In the outbound direction of G0/0/1 on CE4, mark traffic with 802.1p; in the inbound direction of G0/0/1 on PE4, trust CE4's 802.1p value and map it to DSCP. (2 points)
Solution: mark traffic with 802.1p in the outbound direction of G0/0/1 on CE4:
acl name office 3996
rule 5 permit ip destination 10.3.4.0 0.0.0.255
acl name monitor 3997
rule 5 permit ip destination 10.3.3.0 0.0.0.255
acl name signal 3998
rule 5 permit ip destination 10.3.2.0 0.0.0.255
acl name realtime 3999
rule 5 permit ip destination 10.3.1.0 0.0.0.255
traffic classifier Signal
if-match acl signal
traffic classifier Office
if-match acl office
traffic classifier Monitor
if-match acl monitor
traffic classifier RealTime
if-match acl realtime
traffic behavior Signal
remark 8021p 4
traffic behavior Office
remark 8021p 2
traffic behavior Monitor
remark 8021p 3
traffic behavior RealTime
remark 8021p 5
traffic behavior Other
remark 8021p 0
traffic policy remark
classifier RealTime behavior RealTime
classifier Signal behavior Signal
classifier Monitor behavior Monitor
classifier Office behavior Office
classifier default-class behavior Other
interface GigabitEthernet0/0/1
traffic-policy remark outbound
On GE0/0/1 of PE4, in the inbound direction, trust CE4's 802.1p value and map 802.1p to DSCP:
qos map-table dot1p-dscp
input 5 output 46
input 4 output 32
input 3 output 24
input 2 output 16
input 0 output 0
interface GigabitEthernet0/0/1
trust 8021p override
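3. GE0/0/0 and GE0/0/2 of PE4 match on the DSCP value; configure congestion management and congestion avoidance according to Table 1. (2 points)
Solution: configure WRED drop profiles on PE4:
drop-profile cs4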
wred dscp
dscp cs4 low-limit 70 high-limit 100 discard-percentage 50
drop-profile cs3
wred dscp
dscp cs3 low-limit 50 high-limit 90 discard-percentage 50
drop-profile cs2
wred dscp
dscp cs2 low-limit 50 high-limit 80 discard-percentage 50
drop-profile default
wred dscp
dscp default low-limit 50 high-limit 80 discard-percentage 50
Configure queue weights and apply the WRED profiles:
qos queue-profile test
queue 0 weight 1
queue 2 weight 9
queue 3 weight 21
queue 4 weight 63
queue 0 drop-profile default
schedule wfq 0 to 4 pq 5
queue 2 drop-profile cs2
queue 3 drop-profile cs3
queue 4 drop-profile cs4
interface GigabitEthernet0/0/0
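qos queue-profile test
interface GigabitEthernet0/0/2
qos queue-profile test
Supplement: how QoS packets are placed into queues on Huawei devices
A packet that enters the interface with DSCP 46 is mapped to LP value 1 and so enters queue 1:
qos map-table dscp-lp
input 46 output 1
After the packet enters queue 1, its DSCP value is rewritten to 10 before it is sent out:
qos map-table dscp-dscp
input 46 output 10
#
interface GigabitEthernet0/0/0
ip address 10.1.12.2 255.255.255.0
trust dscp override
Use the command dis qos queue statistics interface to see which queue the packets enter.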
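Part 6
1. Layer 2 (16 points)
1.1 Link aggregation (2 points)
1. Configure link aggregation between S1 and S2 in manual load-balancing mode, load balancing on source and destination MAC addresses. (2 points)
Solution: configure an Eth-Trunk on S1 and on S2.
S1 configuration:
Interface Eth-Trunk 12
Mode manual load-balance
Load-balance src-dst-mac
Trunkport GigabitEthernet 0/0/23 0/0/24
S2 configuration:
Interface Eth-Trunk 12
Mode manual load-balance
Load-balance src-dst-mac
Trunkport GigabitEthernet 0/0/23 0/0/24
1.2 Link-Type (7 points)
1. The links between S1, S2, S3 and S4 are of type Trunk and allow all VLANs except VLAN 1. (3 points)
Solution: create VLAN 10 and VLAN 20 on S1, S2, S3 and S4, configure the inter-switch links as Trunk, and allow all VLANs except VLAN 1.
S1 configuration: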
VLAN batch 10 20
Interface GigabitEthernet 0/0/1
Port link-type trunk
Port trunk allow-pass vlan all
Undo port trunk allow-pass vlan 1
Interface GigabitEthernet 0/0/2
Port link-type trunk
Port trunk allow-pass vlan all
Undo port trunk allow-pass vlan 1
Interface GigabitEthernet 0/0/12
Port link-type trunk
Port trunk allow-pass vlan all
Undo port trunk allow-pass vlan 1
Interface eth-trunk 12
Port link-type trunk
Port trunk allow-pass vlan all
Undo port trunk allow-pass vlan 1
S2 configuration:
VLAN batch 10 20
Interface GigabitEthernet 0/0/1
Port link-type trunk
Port trunk allow-pass vlan all
Undo port trunk allow-pass vlan 1
Interface GigabitEthernet 0/0/2
Port link-type trunk
Port trunk allow-pass vlan all
Undo port trunk allow-pass vlan 1
Interface GigabitEthernet 0/0/12
Port link-type trunk
Port trunk allow-pass vlan all
Undo port trunk allow-pass vlan 1
Interface eth-trunk 12
Port link-type trunk
Port trunk allow-pass vlan all
Undo port trunk allow-pass vlan 1
S3 configuration:
VLAN batch 10 20
Interface GigabitEthernet 0/0/1
Port link-type trunk
Port trunk allow-pass vlan all
Undo port trunk allow-pass vlan 1
Interface GigabitEthernet 0/0/2
Port link-type trunk
Port trunk allow-pass vlan all
Undo port trunk allow-pass vlan 1
Interface Ethernet 0/0/1
Port link-type access
Port default vlan 10
S4 configuration:
VLAN batch 10 20
Interface GigabitEthernet 0/0/1
Port link-type trunk
Port trunk allow-pass vlan all
Undo port trunk allow-pass vlan 1
Interface GigabitEthernet 0/0/2
Port link-type trunk
Port trunk allow-pass vlan all
Undo port trunk allow-pass vlan 1
Interface Ethernet 0/0/1
Port link-type access
Port default vlan 20
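2. The VRRP virtual IP address of CE1 and CE2, 10.3.1.254, is the gateway of PC1. CE1 periodically sends gratuitous ARP with sender IP 10.3.1.254 and source MAC 00-00-5E-00-01-01. Packets between PC1 and the gateway are encapsulated in VLAN 10 (PC1 sends and receives untagged frames).
3. The VRRP virtual IP address of CE1 and CE2, 10.3.2.254, is the gateway of Server1. CE2 periodically sends gratuitous ARP with sender IP 10.3.2.254 and source MAC 00-00-5E-00-01-02. Packets between Server1 and the gateway are encapsulated in VLAN 20 (Server1 sends and receives untagged frames).
4. When the VRRP master restarts, it may become master again only 1 minute after G0/0/2 comes up. (4 points)
Solution: configure VRRP on G0/0/2.10 and G0/0/2.20 of CE1. The interface addresses are preconfigured.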
Interface GigabitEthernet 0/0/2.10
Vrrp vrid 1 virtual-ip 10.3.1.254
Vrrp vrid 1 priority 120
Vrrp vrid 1 preempt-mode timer delay 60
Arp broadcast enable
Interface GigabitEthernet 0/0/2.20
Vrrp vrid 2 virtual-ip 10.3.2.254
Arp broadcast enable
Configure VRRP on G0/0/2.10 and G0/0/2.20 of CE2. The interface addresses are preconfigured.
Interface GigabitEthernet 0/0/2.10
Vrrp vrid 1 virtual-ip 10.3.1.254
Arp broadcast enable
Interface GigabitEthernet 0/0/2.20
Vrrp vrid 2 virtual-ip 10.3.2.254
Vrrp vrid 2 priority 120
Vrrp vrid 2 preempt-mode timer delay 60
Arp broadcast enable
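Use dis vrrp to check the state of the VRRP backup groups on CE1 and CE2: CE1 is Master for vrid 1 and Backup for vrid 2; CE2 is Master for vrid 2 and Backup for vrid 1. If not, finish the MSTP configuration and check again; if it is still wrong, check whether the Trunk interfaces are misconfigured.
1.3 MSTP (5 points)
1. S1, S2, S3 and S4 all run MSTP. VLAN 10 is in Instance 10, with S1 as Primary Root and S2 as Secondary Root; VLAN 20 is in Instance 20, with S2 as Primary Root and S1 as Secondary Root. The MSTP region name is HUAWEI and the revision level is 12. (3 points)
2. Apart from the inter-switch interfaces, all other interfaces must not take part in MSTP calculation and go directly from Disabled to Forwarding. (2 points)
Solution: configure MSTP on S1, S2, S3 and S4 as follows: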
Stp region-configuration
Region-name HUAWEI
Revision-level 12
Instance 10 vlan 10
Instance 20 vlan 20
Active region-configuration
On S1, configure the root bridge and backup root bridge for instance 10 and instance 20:
Stp instance 10 root primary
Stp instance 20 root secondary
On S2, configure the root bridge and backup root bridge for instance 10 and instance 20:
Stp instance 10 root secondary
Stp instance 20 root primary
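On S3 and S4, use the following commands to check that the MSTP instance port roles are correct. On S3, G0/0/1 is the RP for instance 10 and the AP for instance 20, and G0/0/2 is the AP for instance 10 and the RP for instance 20. On S4, G0/0/1 is the AP for instance 10 and the RP for instance 20, and G0/0/2 is the RP for instance 10 and the AP for instance 20.
Configure edge ports on S1, S2, S3 and S4: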
[S1]:stp edged-port default
[S2]: stp edged-port default
[S3]: stp edged-port default
[S4]: stp edged-port default
Configure the Trunk interfaces of S1 and S2 as non-edge ports:
Interface Eth-trunk 12
Stp edged-port disable
Interface GigabitEthernet0/0/1
Stp edged-port disable
Interface GigabitEthernet0/0/12
Stp edged-port disable
Configure the Trunk interfaces of S3 and S4 as non-edge ports:
Interface GigabitEthernet0/0/1
Stp edged-port disable
Interface GigabitEthernet0/0/2
Stp edged-port disable
1.4 WAN (2 points)
1. The Serial interfaces between PE1 and RR1 are bundled into one logical interface whose member links use HDLC. Configure the IPv4 and IPv6 addresses of the logical interface according to Figure 1 and Figure 5. (1 point)
Solution: configure an IP-Trunk on PE1 with IPv4 and IPv6 addresses:
Int s0/0/0
Link-protocol hdlc
Y
Int s0/0/1
Link-protocol hdlc
Y
Int IP-Trunk1
Trunkport Serial 0/0/0 0/0/1
Ip address 10.1.13.1 30
IPv6 enable
Ipv6 address 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:1300 127
Configure an IP-Trunk on RR1 with IPv4 and IPv6 addresses:
Int s0/0/0
Link-protocol hdlc
Y
Int s0/0/1
Link-protocol hdlc
Y
Int IP-Trunk1
Trunkport Serial 0/0/0 0/0/1
Ip address 10.1.13.2 30
IPv6 enable
Ipv6 address 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:1301 127
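2. The POS interfaces between PE3 and CE3 are bundled into one logical interface whose member links use PPP. Configure the IPv4 address of the logical interface according to Figure 1. (1 point)
Solution: configure an MP-Group interface on PE3 with an IPv4 address: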
Interface MP-Group 0/0/1
Ip address 10.2.33.2 30
Int pos 4/0/0
Ppp mp Mp-group 0/0/1
Int pos 6/0/0
Ppp mp Mp-group 0/0/1
Configure the MP-Group interface on CE3 and assign the IPv4 address:
Interface MP-Group 0/0/1
Ip address 10.2.33.1 30
Int pos 4/0/0
Ppp mp Mp-group 0/0/1
Int pos 6/0/0
Ppp mp Mp-group 0/0/1
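2. IPv4 IGP (18 points)
2.1 Basic configuration:
1. Configure the interface IPv4 addresses of all devices according to Figure 1. (Preconfigured, except for the PE1-RR1 logical interface.)
2. The Router-id is the same as the Loopback0 IPv4 address. Loopback0 of each device in the MPLS domain is a 32-bit host address from 172.16.0.0/16 (preconfigured). Loopback0 of devices added to the MPLS domain in future takes an available host address from 172.16.0.0/16; for example, 172.16.1.21/32 may be located in AS100 or in AS200.
2.2 OSPF (6 points)
1. The link between CE1 and CE2, and Loopback0 of both devices, are advertised into OSPF area 0. (Preconfigured)
2. Advertise the directly connected segments of G0/0/2.10 and G0/0/2.20 on CE1 and of G0/0/2.10 and G0/0/2.20 on CE2 into OSPF area 0, but these interfaces must not send or receive OSPF packets. (2 points)
Solution: on CE1, add the interfaces to OSPF: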
Ospf 1 router-id 172.17.1.1
Silent-interface GigabitEthernet 0/0/2.10
Silent-interface GigabitEthernet 0/0/2.20
Area 0.0.0.0
Network 10.3.1.1 0.0.0.0
Network 10.3.2.1 0.0.0.0
On CE2, add the interfaces to OSPF:
Ospf 1 router-id 172.17.1.2
Silent-interface GigabitEthernet 0/0/2.10
Silent-interface GigabitEthernet 0/0/2.20
Area 0.0.0.0
Network 10.3.1.2 0.0.0.0
Network 10.3.2.2 0.0.0.0
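RR2, P2, PE3 and PE4 are in OSPF area 0; costs are configured as in Figure 2. (Preconfigured)
3. The OSPF link type of PE3-PE4 is P-2-P. (1 point)
Solution: on interface G0/0/0 of PE3 and PE4, set the OSPF link type to P2P: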
Interface GigabitEthernet 0/0/0
Ospf network-type P2P
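4. On PE4, import the Loopback0 address into OSPF. In AS200, the route of each OSPF node to PE4's Loopback must include the internal cost. (3 points)
Solution: on PE4, import the direct route of the Loopback0 interface. Because route-policy does not support matching a Loopback interface, use a prefix list to match the Loopback0 route: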
Ip ip-prefix 1 index 10 permit 172.16.1.2 32 greater-equal 32 less-equal 32
Route-policy import permit node 10
If-match ip-prefix 1
Ospf 1
Import-route direct type 1 route-policy import
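Note: P2 and PE4 use their Loopback0 interfaces to establish the LDP session. Because P2's Loopback0 belongs to the IS-IS network, the LDP session between P2 and PE4 cannot come up until the two-point mutual redistribution has been configured.
2.3 IS-IS (12 points)
1. In AS100, enable ISIS on Loopback0 and on all interconnecting interfaces. PE1 and PE2 are L1 routers in area 49.0001; RR1 and P1 are L1/2 routers in area 49.0001; ASBR1 and ASBR2 are L2 routers in area 49.0002. Each node's System-ID is unique, cost-style is wide, and cost values are configured as in Figure 2. (Preconfigured, except for the logical interface between PE1 and RR1.) (1 point)
Solution: on the logical interface between PE1 and RR1, enable ISIS on both devices and set the link cost: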
Interface IP-Trunk1
Isis enable 1
Isis cost 1500
2. The ISIS link type of RR2-P2 is P2P. (1 point)
Solution: on interface G0/0/0 of RR2 and P2, set the link type to P2P:
Interface GigabitEthernet 0/0/0
Isis circuit-type p2p
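To keep the AS100 public-network LSPs reachable for the MPLS VPN configured later, leak the 172.16.0.0/16 host routes from L2 into L1 on RR1 and P1.
Configure route leaking on RR1:
Ip ip-prefix 1 index 10 permit 172.16.0.0 16 greater-equal 32 less-equal 32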
Isis 1
Import-route isis level-2 into level-1 filter-policy ip-prefix 1
Configure route leaking on P1:
Ip ip-prefix 1 index 10 permit 172.16.0.0 16 greater-equal 32 less-equal 32
Isis 1
Import-route isis level-2 into level-1 filter-policy ip-prefix 1
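3. On RR2 and P2, mutually redistribute between ISIS and OSPF the host routes with prefix 172.16.0.0/16. The cost of the source protocol must be inherited by the destination protocol. Traffic between the Loopback0 addresses of P2 and PE4 takes the optimal path, and the configuration must scale as well as possible. (8 points)
Solution: so that the cost is inherited when ISIS is imported into OSPF, first run the following in the OSPF process on RR2 and P2: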
Ospf 1
Default cost inherit-metric
On RR2, import OSPF routes into ISIS, adding TAG 100, and refuse OSPF routes with TAG 300, i.e. the routes that P2 imported into OSPF:
Ip ip-prefix 32 index 10 permit 172.16.0.0 16 greater-equal 32 less-equal 32
Route-policy oti deny node 10
If-match tag 300
Route-policy oti permit node 20
If-match ip-prefix 32
Apply tag 100
Isis 1
Import-route ospf 1 inherit-cost route-policy oti
On P2, import ISIS routes into OSPF, adding TAG 300, and refuse ISIS routes with TAG 100, i.e. the routes that RR2 imported into ISIS:
Ip ip-prefix 32 index 10 permit 172.16.0.0 16 greater-equal 32 less-equal 32
Route-policy ito deny node 10
If-match tag 100
Route-policy ito permit node 20
If-match ip-prefix 32
Apply tag 300
Ospf 1
Import-route isis 1 type 1 route-policy ito
On RR2, set the preference of OSPF routes with TAG 300 to 150, i.e. the ISIS routes that P2 imported into OSPF:
Route-policy pre permit node 10
If-match tag 300
Apply preference 150
Ospf 1
Preference ase route-policy pre 10
On P2, import OSPF routes into ISIS, adding TAG 200, and refuse OSPF routes with TAG 400, i.e. the routes that RR2 imported into OSPF:
Route-policy oti deny node 10
If-match tag 400
Route-policy oti permit node 20
If-match ip-prefix 32
Apply tag 200
Isis 1
Import-route ospf 1 inherit-cost route-policy oti
On RR2, import ISIS routes into OSPF, adding TAG 400, and refuse ISIS routes with TAG 200, i.e. the routes that P2 imported into ISIS:
Route-policy ito deny node 10
If-match tag 200
Route-policy ito permit node 20
If-match ip-prefix 32
Apply tag 400
Ospf 1
Import-route isis 1 type 1 route-policy ito
On P2, set the preference of OSPF routes with TAG 400 to 150, i.e. the ISIS routes that RR2 imported into OSPF:
Route-policy pre permit node 10
If-match tag 400
Apply preference 150
Ospf 1
Preference ase route-policy pre 10
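The tag scheme of step 3 above, modelled as an added example (not part of the original write-up): it evaluates the four oti/ito route-policies node by node and shows that a route imported at one border router is refused when the other border router tries to send it back. The function names, the sample prefixes and the assumption that a native route carries tag 0 are constructed for illustration.

```python
import ipaddress

# Route-policy nodes as (mode, match_tag, apply_tag); match_tag None means
# "if-match ip-prefix 32". Keys are (router, source protocol, target protocol).
POLICIES = {
    ("RR2", "ospf", "isis"): [("deny", 300, None), ("permit", None, 100)],
    ("P2", "isis", "ospf"): [("deny", 100, None), ("permit", None, 300)],
    ("P2", "ospf", "isis"): [("deny", 400, None), ("permit", None, 200)],
    ("RR2", "isis", "ospf"): [("deny", 200, None), ("permit", None, 400)],
}
SCOPE = ipaddress.ip_network("172.16.0.0/16")

def in_prefix_32(prefix):
    """ip-prefix 32: 172.16.0.0 16 greater-equal 32 less-equal 32."""
    net = ipaddress.ip_network(prefix)
    return net.prefixlen == 32 and net.subnet_of(SCOPE)

def redistribute(router, src, dst, prefix, tag):
    """Tag the route carries in dst, or None when the policy rejects it."""
    for mode, match_tag, apply_tag in POLICIES[(router, src, dst)]:
        matched = (tag == match_tag) if match_tag is not None else in_prefix_32(prefix)
        if matched:
            return apply_tag if mode == "permit" else None
    return None  # no node matched: implicit deny

def round_trip(prefix, origin, first, second):
    """Import at `first`, then try to re-import into `origin` at `second`."""
    other = "isis" if origin == "ospf" else "ospf"
    tag = redistribute(first, origin, other, prefix, tag=0)  # assumed native tag 0
    if tag is None:
        return (None, None)
    return (tag, redistribute(second, other, origin, prefix, tag))

if __name__ == "__main__":
    # Constructed sample: PE4 Loopback0 (OSPF side) and an ISIS-side loopback.
    print(round_trip("172.16.1.2/32", "ospf", "RR2", "P2"))   # (100, None)
    print(round_trip("172.16.1.9/32", "isis", "P2", "RR2"))   # (300, None)
```
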
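4. ISIS process on P1: the maximum delay for LSP generation is 1 s, the initial delay 50 ms and the increment 50 ms; enable LSP fast flooding; the maximum SPF calculation delay is 1 s, the initial delay 100 ms and the increment 100 ms. (2 points)
Solution: configure LSP optimisation on P1: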
Isis 1
Timer lsp-generation 1 50 50
Timer spf 1 100 100
Flash-flood
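3. MPLS VPN (35 points)
1. CE1 and CE2 are the Hub-CEs of VPN1 and PE1 and PE2 are the Hub-PEs; CE3 and CE4 are the Spoke sites of VPN1 and PE3 and PE4 are the Spoke-PEs.
2. CE4 is a Multi-VPN-instance CE; CE4's VPN instance VPN1 connects to PE4 through G0/0/1.
Solution: on CE4, create VPN instance VPN1 with RD 100:14 and bind all directly connected routes to that instance: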
Ip vpn-instance VPN1
Route-distinguisher 100:14
Interface GigabitEthernet 0/0/1
Ip binding vpn-instance VPN1
Ip address 10.2.41.1 255.255.255.252
Interface loopback 0
Ip binding vpn-instance VPN1
Ip address 172.17.1.4 255.255.255.255
Interface loopback 1
Ip binding vpn-instance VPN1
Ip address 10.3.3.4 255.255.255.255
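3. Set the VPN1 parameters so that traffic between Spoke sites must pass through the Hub-CE devices, and so that PE1 can still learn CE1's service routes when the CE1-PE1 link is down. (On PE3, VPN1 has RD 100:13, Export RT 100:1 and Import RT 200:1.) (2 points)
Solution: create two VPN instances on each of PE1 and PE2: VPN1_IN receives the Spoke site routes and VPN1_OUT sends routes.
VPN1_IN is bound to interface G0/0/0.1 with RD 100:10 and Import RT 100:1; VPN1_OUT is bound to interface G0/0/1.2 with RD 100:12 and Export RT 200:1.
PE1 configuration: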
Ip vpn-instance VPN1_IN
Route-distinguisher 100:10
Vpn-target 100:1 import-extcommunity
Vpn-target 400:1 import-extcommunity
Ip vpn-instance VPN1_OUT
Route-distinguisher 100:12
Vpn-target 200:1 export-extcommunity
Vpn-target 300:1 import-extcommunity
Interface GigabitEthernet 0/0/1.1
Ip binding vpn-instance VPN1_IN
Ip address 10.2.11.2 255.255.255.252
Arp broadcast enable
Interface GigabitEthernet 0/0/1.2
Ip binding vpn-instance VPN1_OUT
Ip address 10.2.11.6 255.255.255.252
Arp broadcast enable
On PE1, configure the EBGP peerings with CE1:
Bgp 100
Ipv4-family vpn-instance VPN1_IN
Peer 10.2.11.1 as-number 65000
Ipv4-family vpn-instance VPN1_OUT
Peer 10.2.11.5 as-number 65000
On CE1, configure the EBGP peerings with PE1 and enable ARP broadcast on CE1's sub-interfaces:
Interface GigabitEthernet 0/0/1.1
Arp broadcast enable
Interface GigabitEthernet 0/0/1.2
Arp broadcast enable
Bgp 65000
Peer 10.2.11.2 as-number 100
Peer 10.2.11.6 as-number 100
PE2 configuration:
Ip vpn-instance VPN1_IN
Route-distinguisher 100:11
Vpn-target 100:1 import-extcommunity
Vpn-target 400:1 export-extcommunity
Ip vpn-instance VPN1_OUT
Route-distinguisher 100:15
Vpn-target 200:1 export-extcommunity
Vpn-target 300:1 export-extcommunity
Interface GigabitEthernet 0/0/1.1
Ip binding vpn-instance VPN1_IN
Ip address 10.2.22.2 255.255.255.252
Arp broadcast enable
Interface GigabitEthernet 0/0/1.2
Ip binding vpn-instance VPN1_OUT
Ip address 10.2.22.6 255.255.255.252
Arp broadcast enable
On PE2, configure the EBGP peerings with CE2:
Bgp 100
Ipv4-family vpn-instance VPN1_IN
Peer 10.2.22.1 as-number 65000
Ipv4-family vpn-instance VPN1_OUT
Peer 10.2.22.5 as-number 65000
On CE2, configure the EBGP peerings with PE2:
Interface GigabitEthernet 0/0/1.1
Arp broadcast enable
Interface GigabitEthernet 0/0/1.2
Arp broadcast enable
Bgp 65000
Peer 10.2.22.2 as-number 100
Peer 10.2.22.6 as-number 100
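4. As in Figure 4, CE1 establishes directly connected EBGP peerings through G0/0/1.1 and G0/0/1.2 to attach to PE1. In the BGP updates that CE1 advertises to PE1 through G0/0/0.2, some routes have 200 in the AS-Path. On CE1, import OSPF routes into BGP. (2 points)
Solution: on CE1, import OSPF routes into BGP. To prevent PE1's route to CE2's Loopback0 from going over the MPLS VPN network, set the MED to 0 on import: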
Bgp 65000
Import-route ospf 1 med 0
On PE1, so that the routes advertised by CE1 are accepted, disable the EBGP AS-PATH loop-detection check for the routes received from CE1:
Bgp 100
Ipv4-family vpn-instance VPN1_OUT
Peer 10.2.11.5 allow-as-loop
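5. CE2 establishes directly connected EBGP peerings through G0/0/1.1 and G0/0/1.2 to attach to PE2. In the BGP updates that CE2 advertises to PE2 through G0/0/0.2, some routes have 200 in the AS-PATH. On CE2, import OSPF routes into BGP. (2 points)
Solution: on CE2, import OSPF routes into BGP. To prevent PE2's route to CE1's Loopback0 from going over the MPLS VPN network, set the MED to 0 on import: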
Bgp 65000
Import-route ospf 1 med 0
On PE2, so that the routes advertised by CE2 are accepted, disable the EBGP AS-PATH loop-detection check for the routes received from CE2:
Bgp 100
Ipv4-family vpn-instance VPN1_OUT
Peer 10.2.22.5 allow-as-loop
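6. CE3 attaches to PE3 through OSPF area 1 over the PE3-CE3 logical interface and advertises CE3's loopback interfaces. CE4 attaches to PE4 through OSPF area 0 over the PE4-CE4 G0/0/1 interface and advertises CE4's loopback interfaces. (2 points)
Solution: on PE3, create VPN instance VPN1 and bind interface Mp-Group0/0/1, with RD 100:13, Export-RT 100:1 and Import-RT 200:1: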
Ip vpn-instance VPN1
Route-distinguisher 100:13
Vpn-target 100:1 export-extcommunity
Vpn-target 200:1 import-extcommunity
Interface Mp-Group 0/0/1
Ip binding vpn-instance VPN1
Ip address 10.2.33.2 255.255.255.252
Configure OSPF for VPN1 on PE3:
Ospf 2 vpn-instance VPN1
Area 0.0.0.1
Network 10.2.33.2 0.0.0.0
Configure OSPF on CE3:
Ospf 2
Area 0.0.0.1
Network 10.2.33.1 0.0.0.0
Network 10.3.3.3 0.0.0.0
Network 172.17.1.3 0.0.0.0
On PE4, configure VPN instance VPN1 with RD 100:14, Export RT 100:1 and Import RT 200:1, bind interface G0/0/1, and configure OSPF:
Ip vpn-instance VPN1
Route-distinguisher 100:14
Vpn-target 100:1 export-extcommunity
Vpn-target 200:1 import-extcommunity
Interface GigabitEthernet 0/0/1
Ip binding vpn-instance VPN1
Ip address 10.2.41.2 255.255.255.252
Ospf 2 vpn-instance VPN1
Area 0.0.0.0
Network 10.2.41.2 0.0.0.0
Configure OSPF on CE4:
Ospf 2 vpn-instance VPN1
Vpn-instance-capability simple
Area 0.0.0.0
Network 10.2.41.1 0.0.0.0
Network 10.3.3.4 0.0.0.0
Network 172.17.1.4 0.0.0.0
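The RT settings from steps 3 and 6 above, checked as an added example (not part of the original write-up): it computes which VPN instances install each other's VPNv4 routes and confirms that the Spoke instances never import one another directly, so Spoke-to-Spoke traffic has to go through the Hub. The function names and the misconfiguration probe are constructed for illustration; the RT values are the ones configured on this page.

```python
# VPN instances on the Hub-PEs and Spoke-PEs: name -> (import RTs, export RTs).
VRFS = {
    "PE1/VPN1_IN":  ({"100:1", "400:1"}, set()),
    "PE1/VPN1_OUT": ({"300:1"}, {"200:1"}),
    "PE2/VPN1_IN":  ({"100:1"}, {"400:1"}),
    "PE2/VPN1_OUT": (set(), {"200:1", "300:1"}),
    "PE3/VPN1":     ({"200:1"}, {"100:1"}),
    "PE4/VPN1":     ({"200:1"}, {"100:1"}),
}
SPOKES = ["PE3/VPN1", "PE4/VPN1"]

def importers(vrfs, src):
    """VRFs that install routes exported by src (at least one shared RT)."""
    exported = vrfs[src][1]
    return sorted(n for n, (imp, _) in vrfs.items() if n != src and imp & exported)

def spokes_isolated(vrfs, spokes=SPOKES):
    """True when no Spoke VRF imports another Spoke's routes directly."""
    return not any(b in importers(vrfs, a)
                   for a in spokes for b in spokes if a != b)

def with_extra_import(vrfs, name, rt):
    """Copy of vrfs in which `name` also imports `rt` (misconfiguration probe)."""
    changed = dict(vrfs)
    imp, exp = vrfs[name]
    changed[name] = (imp | {rt}, exp)
    return changed

if __name__ == "__main__":
    for vrf in VRFS:
        print(f"{vrf:13} exports to {importers(VRFS, vrf)}")
    print("spokes isolated:", spokes_isolated(VRFS))
    # A Spoke that also imports 100:1 would learn the other Spoke directly.
    broken = with_extra_import(VRFS, "PE4/VPN1", "100:1")
    print("after bad import:", spokes_isolated(broken))
```
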
7. On the ASBRs, import the ISIS Loopback0 routes into BGP. (2 points)
Solution: on ASBR1 and ASBR2, import the ISIS Loopback0 routes into BGP with the following commands:
Ip ip-prefix isis index 10 permit 172.16.1.1 32
Ip ip-prefix isis index 20 permit 172.16.1.3 32
Ip ip-prefix isis index 30 permit 172.16.1.4 32
Ip ip-prefix isis index 40 permit 172.16.1.5 32
Ip ip-prefix isis index 50 permit 172.16.1.6 32
Ip ip-prefix isis index 60 permit 172.16.1.20 32
Route-policy import bgp permit node 10
If-match ip-prefix isis
Bgp 100
Import-route isis 1 route-policy import bgp
On ASBR3 and ASBR4, import the ISIS Loopback0 routes into BGP with the following commands:
Ip ip-prefix isis index 10 permit 172.16.1.7 32
Ip ip-prefix isis index 20 permit 172.16.1.8 32
Ip ip-prefix isis index 30 permit 172.16.1.9 32
Ip ip-prefix isis index 40 permit 172.16.1.10 32
Ip ip-prefix isis index 50 permit 172.16.1.11 32
Ip ip-prefix isis index 60 permit 172.16.1.2 32
Route-policy import bgp permit node 10
If-match ip-prefix isis
Bgp 200
Import-route isis 1 route-policy import bgp
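It is best to enable MPLS on the interconnecting interfaces of the four ASBRs; the preconfiguration may not include it, so add it in advance: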
Interface GigabitEthernet 0/0/2
mpls
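8. As in Figure 3, every node in AS100 and AS200 is configured with an MPLS LSR-ID, with MPLS and MPLS LDP enabled globally (preconfigured). Every directly connected link in AS100 and AS200 establishes an LDP adjacency (configured, except for the logical link between PE1 and RR1). (1 point)
Solution: on the logical interface interconnecting PE1 and RR1, enable MPLS and LDP on both devices: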
Interface IP-Trunk1
Mpls
Mpls ldp
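9. As in Figure 4, the sites learn each other's routes through MPLS BGP VPN inter-AS Option C solution 2; no suboptimal path may appear in the MPLS domain. (15 points)
Solution: on RR1, configure it as the route reflector for the IPv4 and VPNv4 routes of PE1 and PE2, and keep the next hop unchanged when passing on VPNv4 routes: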
Bgp 100
Peer 172.16.1.1 as-number 100
Peer 172.16.1.1 connect-interface Loopback0
Peer 172.16.1.20 as-number 100
Peer 172.16.1.20 connect-interface Loopback0
Ipv4-family unicast
Peer 172.16.1.1 reflect-client
Peer 172.16.1.20 reflect-client
Ipv4-family vpnv4
Undo policy vpn-target
Peer 172.16.1.1 enable
Peer 172.16.1.1 reflect-client
Peer 172.16.1.1 next-hop-invariable
Peer 172.16.1.20 enable
Peer 172.16.1.20 reflect-client
Peer 172.16.1.20 next-hop-invariable
