2022 National Vocational College Skills Competition, Network System Management event, Module A: solution

(I) Basic configuration

1. Following the topology in Appendix 1, the address plan in Appendix 2 and the device list in Appendix 3, complete the device cabling and the device interface configuration;

Omitted…

2. All devices use SSH authentication; set the username to admin, the password to 987321Aa and the enable password to Admin123!; passwords must be shown encrypted;

S5

service password-encryption
username admin password 987321Aa
username admin privilege 15
crypto key generate rsa

ip ssh version 2

enable service ssh-server
enable password Admin123!

line vty 0 4
 transport input ssh
 login local

3. Enable SNMPv3 on S5: user Admin!@# (in group test), authentication sha2-256 with password Test!@#, encryption aes128 with password Test$#@!; security level authentication plus encryption (priv); user admin has read/write access to the MIB; the switch actively sends authenticated and encrypted messages to the SNMP server 172.16.0.254.

S5

enable service snmp-agent
snmp-server group test v3 priv read default write default
snmp-server user Admin!@# test v3 auth sha Test!@# priv des56 Test$#@!
# The task asks for sha2-256 / aes128; sha and des56 above are the original answer's keywords. Trap target the task requires (assumed Ruijie syntax):
snmp-server enable traps
snmp-server host 172.16.0.254 traps version 3 priv Admin!@#

(II) Wired network configuration

1. Deploy RSTP as the loop-prevention protocol in the LAN layer-2 network;

S1

spanning-tree mode rstp
spanning-tree mst 0 priority 0
spanning-tree

S2

spanning-tree mode rstp
spanning-tree mst 0 priority 4096
spanning-tree

AC1\AC2\S3\S4

spanning-tree mode rstp
spanning-tree

2. Enable loop-protection optimization on the LAN access devices to guard against loops between different devices, between ports of the same device, and under a single port of the same device; when a loop is detected, the action is Shutdown-Port;

S3/S4

rldp enable 

int range gigabitEthernet 0/3-4
 errdisable recovery interval 300
 rldp port loop-detect shutdown-port

3. Enable security optimization on the LAN access devices to limit how far layer-2 broadcasts propagate and to restrict broadcast exchange between access-layer terminals;

S3

interface GigabitEthernet 0/1
 arp-check

4. Enable VRRP at the Beijing headquarters for gateway redundancy, with S1 as the master at priority 255 and S2 as the backup at priority 100;

S1

# S1's interface address is also the virtual address, so S1 is the VRRP IP owner and runs at priority 255 automatically; 254 is the highest value that can be configured.
interface VLAN 10
 ip address 172.16.1.1 255.255.255.128
 vrrp 10 ip 172.16.1.1
 vrrp 10 priority 254

interface VLAN 20
 ip address 172.16.1.254 255.255.255.128
 vrrp 20 ip 172.16.1.254
 vrrp 20 priority 254

interface VLAN 100
 ip address 172.16.100.254 255.255.255.0
 vrrp 100 ip 172.16.100.254
 vrrp 100 priority 254

S2

interface VLAN 10
 ip address 172.16.1.2 255.255.255.128
 vrrp 10 ip 172.16.1.1

interface VLAN 20
 ip address 172.16.1.253 255.255.255.128
 vrrp 20 ip 172.16.1.254

interface VLAN 100
 ip address 172.16.100.253 255.255.255.0
 vrrp 100 ip 172.16.100.254

5. On the two S1-S2 interconnect links (Gi0/7, Gi0/8), enable layer-2 link aggregation in LACP dynamic mode;

S1/S2

interface GigabitEthernet 0/7
 port-group 1 mode active

interface GigabitEthernet 0/8
 port-group 1 mode active
 
interface AggregatePort 1
 switchport mode trunk
 switchport trunk allowed vlan only 10,20,100

6. Enable DHCP on headquarters R1 and on branch R2/R3 to assign addresses automatically to terminals in LAN VLAN10 and VLAN20;

R1

service dhcp
ip dhcp pool VLAN10
 network 172.16.1.0 255.255.255.128
 default-router 172.16.1.1 

ip dhcp pool VLAN20
 network 172.16.1.128 255.255.255.128
 default-router 172.16.1.254 

R2

service dhcp
ip dhcp pool VLAN10
 network 172.16.2.0 255.255.255.128
 default-router 172.16.2.1 

ip dhcp pool VLAN20
 network 172.16.2.128 255.255.255.128
 default-router 172.16.2.254 

R3

service dhcp
ip dhcp pool VLAN10
 network 172.16.3.0 255.255.255.128
 default-router 172.16.3.1 

ip dhcp pool VLAN20
 network 172.16.3.128 255.255.255.128
 default-router 172.16.3.254 

S1/S2

service dhcp
ip helper-address 10.10.10.10

7. In the headquarters LAN, enable DHCP security protection that filters and matches traffic against hardware IP/MAC entries, protecting the gateway and the terminal hosts in a dynamic environment;

8. In the branch LANs, enable DHCP security protection to prevent users from setting their own IP addresses in a dynamic environment;

S4

# Without this, IPv6 terminals cannot communicate
ipv6 access-list v6
 10 permit ipv6 any any 
 
security global access-group v6
ip dhcp snooping
interface GigabitEthernet 0/1
 switchport protected
 ip verify source port-security
 ipv6 verify source port-security
 
interface range gigabitEthernet 0/23-24
 ip dhcp snooping trust

R2

ip dhcp snooping

interface GigabitEthernet 1/1
 ip verify source port-security

9. Enable OSPF between the China Unicom backbone devices S5/S6/S7, process ID 10, area 0;

10. The carrier maintains only the broadband service and leased-line service segments and does not forward customer private segments;

S5

router ospf 10
 redistribute connected metric-type 1 subnets
 network 56.1.1.1 0.0.0.0 area 0

S6

router ospf 10
 redistribute connected metric-type 1 subnets
 network 56.1.1.2 0.0.0.0 area 0
 network 67.1.1.2 0.0.0.0 area 0

S7

router ospf 10
 redistribute connected metric-type 1 subnets
 network 67.1.1.1 0.0.0.0 area 0

Note: the exam does not give addresses for the S5/S6/S7 interfaces facing the customers; configure them yourself from the peer's address. They are not shown here.

11. Enable point-to-multipoint GRE tunnels on headquarters R1 and on branches R2 and R3, using the tunnel address range 10.5.1.0/24;

13. Adjust the OSPF network type on the Tunnel 0 interface so that the branches can exchange routes with each other while the next hop is optimized automatically;

14. Enable IPsec VPN to encrypt the GRE tunnel traffic, protecting business data between headquarters and branches and between branches; to avoid the device performance cost of packet fragmentation, adjust the IPsec encapsulation mode to reduce the packet length;

R1/R2/R3

# The task fixes no algorithms; 3DES/MD5 and a pre-shared key accepted from any peer (address 0.0.0.0 0.0.0.0) are the original answer's choices and are weak ones.
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2

crypto isakmp key 0 ruijie address 0.0.0.0 0.0.0.0

crypto ipsec transform-set trans esp-3des esp-md5-hmac
 mode transport

crypto ipsec profile prof
 set security-association lifetime seconds 900
 set transform-set trans

R1

ip route 25.1.1.0 255.255.255.252 17.1.1.1
ip route 37.1.1.0 255.255.255.252 17.1.1.1

interface Tunnel 0
 tunnel mode gre multipoint
 tunnel source GigabitEthernet 0/2
 tunnel protection ipsec profile prof
 ip nhrp redirect
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 ip ospf network broadcast
 ip address 10.5.1.1 255.255.255.0

R2

ip route 17.1.1.0 255.255.255.252 25.1.1.1
ip route 37.1.1.0 255.255.255.252 25.1.1.1

interface Tunnel 0
 tunnel mode gre multipoint
 tunnel source GigabitEthernet 0/2
 tunnel protection ipsec profile prof
 ip nhrp shortcut
 ip nhrp nhs 10.5.1.1
 ip nhrp network-id 100
 ip nhrp map 10.5.1.1 17.1.1.2
 ip nhrp map multicast 17.1.1.2
 ip ospf network broadcast
 ip ospf priority 0
 ip address 10.5.1.2 255.255.255.0

R3

ip route 17.1.1.0 255.255.255.252 37.1.1.1
ip route 25.1.1.0 255.255.255.252 37.1.1.1

interface Tunnel 0
 tunnel mode gre multipoint
 tunnel source GigabitEthernet 0/2
 tunnel protection ipsec profile prof
 ip nhrp shortcut
 ip nhrp nhs 10.5.1.1
 ip nhrp network-id 100
 ip nhrp map 10.5.1.1 17.1.1.2
 ip nhrp map multicast 17.1.1.2
 ip ospf network broadcast
 ip ospf priority 0
 ip address 10.5.1.3 255.255.255.0

12. Run OSPF inside the GRE tunnels so that the headquarters and branch LANs, and the branch LANs among themselves, can reach each other. In the headquarters LAN enable OSPF on S1/S2/EG1/EG2/R1 with process ID 11, area 0; in the Guangzhou branch enable OSPF on R2 with process ID 12, area 0; in the Shanghai branch enable OSPF on R3 with process ID 13, area 0;

15. The China Unicom carrier, the company headquarters and each branch inject routes as OSPF LSA type 5 OE1, and each summarizes and advertises class C routes for its own service segments (including VLAN10, VLAN20, the broadband service segment and the leased-line service segment);

R1

interface range gigabitEthernet 0/0-1
 ip ospf network point-to-point
 
router ospf 11
 redistribute connected metric-type 1 subnets
 network 10.3.1.1 0.0.0.0 area 0
 network 10.4.1.1 0.0.0.0 area 0
 network 10.5.1.1 0.0.0.0 area 0

R2

router ospf 12
 redistribute connected metric-type 1 subnets
 network 10.5.1.2 0.0.0.0 area 0
 summary-address 172.16.2.0 255.255.255.0

R3

router ospf 13
 redistribute connected metric-type 1 subnets
 network 10.5.1.3 0.0.0.0 area 0
 summary-address 172.16.3.0 255.255.255.0

S1

int range gigabitEthernet 0/5-6
 ip ospf network point-to-point

router ospf 11
 redistribute connected metric-type 1 subnets
 network 10.1.1.2 0.0.0.0 area 0
 network 10.3.1.2 0.0.0.0 area 0
 network 172.16.100.254 0.0.0.0 area 0

S2

int range gigabitEthernet 0/5-6
 ip ospf network point-to-point

router ospf 11
 redistribute connected metric-type 1 subnets
 network 10.2.1.2 0.0.0.0 area 0
 network 10.4.1.2 0.0.0.0 area 0
 network 172.16.100.253 0.0.0.0 area 0

EG1

router ospf 11
 redistribute connected metric-type 1 subnets
 network 10.1.1.1 0.0.0.0 area 0

EG2

router ospf 11
 redistribute connected metric-type 1 subnets
 network 10.2.1.1 0.0.0.0 area 0

16. If unnecessary routes are filtered as part of the routing policy, name the policy filter;

R2/R3

ip prefix-list filter seq 5 permit 172.16.0.0/22 le 24
ip prefix-list filter seq 10 permit 20.10.10.0/24

R2

router ospf 12
 distribute-list prefix filter in

R3

router ospf 13
 distribute-list prefix filter in
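As an added example that is not part of the original solution, the following Python models how the prefix-list named filter in task 16 decides which OSPF routes R2/R3 accept through `distribute-list prefix filter in`: an entry with `le 24` matches any prefix inside 172.16.0.0/22 whose length is at most 24, an entry with neither `ge` nor `le` matches the exact length only, and a route that matches no entry hits the implicit deny. The candidate routes are constructed from the prefixes on this page (the summaries, the headquarters VLAN100 segment, the tunnel network); the route-evaluation logic is generic prefix-list semantics, not a Ruijie-specific behaviour.

```python
import ipaddress

# Constructed model of the two entries of "ip prefix-list filter" from task 16.
# ge/le are None when the entry does not specify them.
PREFIX_LIST_FILTER = [
    {"seq": 5,  "action": "permit", "prefix": "172.16.0.0/22", "ge": None, "le": 24},
    {"seq": 10, "action": "permit", "prefix": "20.10.10.0/24", "ge": None, "le": None},
]


def entry_matches(route: str, entry: dict) -> bool:
    """Prefix-list entry semantics: the route must lie inside the listed prefix and
    its length must fall inside the window derived from ge/le. With neither ge nor
    le, only the exact listed length matches."""
    net = ipaddress.ip_network(entry["prefix"])
    rt = ipaddress.ip_network(route)
    if rt.version != net.version or not rt.subnet_of(net):
        return False
    lo = entry["ge"] if entry["ge"] is not None else net.prefixlen
    if entry["le"] is not None:
        hi = entry["le"]
    elif entry["ge"] is not None:
        hi = net.max_prefixlen
    else:
        hi = net.prefixlen
    return lo <= rt.prefixlen <= hi


def evaluate(route: str, prefix_list: list) -> str:
    """Return 'permit' or 'deny' for one route: entries are tried in sequence order
    and every prefix-list ends with an implicit deny."""
    for entry in sorted(prefix_list, key=lambda e: e["seq"]):
        if entry_matches(route, entry):
            return entry["action"]
    return "deny"


def filter_routes(routes, prefix_list=PREFIX_LIST_FILTER) -> dict:
    """Map each candidate route to the action the inbound distribute-list applies."""
    return {r: evaluate(r, prefix_list) for r in routes}


# Constructed candidates: the summaries the neighbours advertise, plus routes the
# branches should not learn (HQ VLAN100, the tunnel network).
CANDIDATE_ROUTES = [
    "172.16.1.0/24",    # HQ summary (summary-address on S2)
    "172.16.2.0/24",    # Guangzhou summary
    "172.16.3.0/24",    # Shanghai summary
    "172.16.1.0/25",    # unsummarized HQ VLAN10: longer than le 24
    "172.16.100.0/24",  # HQ VLAN100: outside 172.16.0.0/22
    "20.10.10.0/24",    # Internet service segment
    "10.5.1.0/24",      # tunnel network
]

if __name__ == "__main__":
    for route, action in filter_routes(CANDIDATE_ROUTES).items():
        print(f"{route:<18} {action}")
```

Running the block lists permit for the three /24 summaries and 20.10.10.0/24 and deny for everything else, which is the behaviour the later note about not advertising VLAN100 to the branches depends on.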

17. Do not change the OSPF cost on physical interfaces, on SVI interfaces, or in redistribution;

18. Traffic path requirements when the network is healthy: the primary path from headquarters to the Internet is S1-EG1-S5-S6; the primary path from headquarters to the branches is S1-R1-(R2/R3); the primary path from the branches to the Internet is (R2/R3)-R1-S1-EG1-S5-S6; forward and return traffic must follow the same path;

19. Traffic path requirements under failure: if EG1 goes down, the headquarters-to-Internet path switches to S1-S2-EG2-S6-S5; if the S1/R1 link fails, the headquarters-to-branch path switches to S1-S2-R1-(R2/R3).

S2

router ospf 11
 summary-address 172.16.1.0 255.255.255.0

EG1

ip route 20.10.10.5 255.255.255.255 15.1.1.1
ip route 20.10.10.6 255.255.255.255 15.1.1.1

router ospf 11
 redistribute static metric-type 1 subnets

EG2

ip route 20.10.10.0 255.255.255.0 26.1.1.1

router ospf 11
 redistribute static metric-type 1 subnets

20. IPv6 network requirements: headquarters and each branch establish an IPv6 point-to-multipoint tunnel through tunnel interface Tunnel 1, giving VLAN20 IPv6 connectivity between headquarters and the branches; plan and compute the VLAN20 IPv6 addresses of headquarters and the branches yourself. Static routing runs inside the tunnel; OSPFv3 runs between S1/S2/R1 in the Beijing headquarters LAN; the headquarters VLAN20 segment is injected as an O (intra-area) route, and cost changes (5 or 10) make S1 the primary forwarder for IPv6 terminal traffic; redistributed routes use OE1; VLAN20 terminals at headquarters and the branches obtain their IPv6 prefix from the gateway by stateless address autoconfiguration.

S1

ipv6 unicast-routing
interface VLAN 20
 ipv6 enable
 ipv6 address 2002:1101:102::254/64
 vrrp 20 ipv6 FE80::
 vrrp 20 ipv6 2002:1101:102::254
 no ipv6 nd suppress-ra
 vrrp ipv6 20 priority 254
 vrrp ipv6 20 accept_mode
 ipv6 ospf 11 area 0

ipv6 router ospf 11

S2

ipv6 unicast-routing
interface VLAN 20
 ipv6 enable
 ipv6 address 2002:1101:102::253/64
 vrrp 20 ipv6 FE80::
 vrrp 20 ipv6 2002:1101:102::254
 no ipv6 nd suppress-ra
 vrrp ipv6 20 accept_mode
 ipv6 ospf 11 area 0

ipv6 router ospf 11

R1

ipv6 unicast-routing
interface GigabitEthernet 0/0
 ipv6 enable
 ipv6 ospf cost 5
 ipv6 ospf 11 area 0
 
interface GigabitEthernet 0/1
 ipv6 enable
 ipv6 ospf cost 10
 ipv6 ospf 11 area 0
  
interface Tunnel 1
 ipv6 enable
 tunnel mode ipv6ip 6to4
 tunnel source GigabitEthernet 0/2
 
ipv6 route 2002:1901:102::/64 Tunnel 1
ipv6 route 2002:2501:102::/64 Tunnel 1

ipv6 router ospf 11
 redistribute static metric-type 1

R2

ipv6 unicast-routing
interface VLAN 20
 ipv6 enable
 ipv6 address 2002:1901:102::254/64
 no ipv6 nd suppress-ra
 
interface Tunnel 1
 ipv6 enable
 tunnel mode ipv6ip 6to4
 tunnel source GigabitEthernet 0/2

ipv6 route 2002:1101:102::/64 Tunnel 1
ipv6 route 2002:2501:102::/64 Tunnel 1

R3

ipv6 unicast-routing
interface VLAN 20
 ipv6 enable
 ipv6 address 2002:2501:102::254/64
 no ipv6 nd suppress-ra
 
interface Tunnel 1
 ipv6 enable
 tunnel mode ipv6ip 6to4
 tunnel source GigabitEthernet 0/2

ipv6 route 2002:1101:102::/64 Tunnel 1
ipv6 route 2002:1901:102::/64 Tunnel 1
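Task 20 leaves the VLAN20 IPv6 addresses to be computed, and the 6to4 tunnel mode used above ties them to the tunnel source: the site prefix is 2002::/16 followed by the 32-bit IPv4 address of the tunnel source (RFC 3056), and the remote router derives the IPv4 tunnel destination from the address embedded in the destination prefix, which is why the plain static routes pointing at Tunnel 1 are enough. The Python below is an added example, not code from the original solution: it derives the /64s from the tunnel source addresses and recovers the IPv4 endpoint from each prefix. The tunnel sources are assumptions, inferred from the page: 17.1.1.2 for R1 from the NHRP mapping, 25.1.1.2 for R2 and 37.1.1.2 for R3 from the 2002: prefixes in the configuration.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")

# Tunnel source addresses assumed for this example (inferred from the page):
# R1's Gi0/2 is 17.1.1.2 (NHRP map on R2/R3); 25.1.1.2 and 37.1.1.2 are implied
# by the prefixes 2002:1901:102:: and 2002:2501:102:: in the configuration.
TUNNEL_SOURCES = {"R1": "17.1.1.2", "R2": "25.1.1.2", "R3": "37.1.1.2"}


def sixto4_site_prefix(tunnel_source_v4: str) -> ipaddress.IPv6Network:
    """RFC 3056: 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the IPv4 address in hex."""
    v4 = int(ipaddress.IPv4Address(tunnel_source_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def sixto4_subnet(tunnel_source_v4: str, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """Carve a /64 out of the site's /48; the page uses subnet ID 0 for VLAN20."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    site = sixto4_site_prefix(tunnel_source_v4)
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def embedded_ipv4(prefix: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 endpoint a 6to4 router uses as the tunnel destination."""
    net = ipaddress.IPv6Network(prefix)
    if not net.subnet_of(SIXTO4) or net.prefixlen < 48:
        raise ValueError(f"{prefix} is not a 6to4 site prefix")
    return ipaddress.IPv4Address((int(net.network_address) >> 80) & 0xFFFFFFFF)


def plan_vlan20(sources: dict = TUNNEL_SOURCES) -> dict:
    """Router name -> VLAN20 /64 as a string, i.e. the address plan task 20 asks for."""
    return {name: str(sixto4_subnet(src)) for name, src in sources.items()}


def check_static_routes(routes, sources=TUNNEL_SOURCES) -> dict:
    """For each 'ipv6 route <prefix> Tunnel 1' prefix, name the router it reaches,
    so a typo in a prefix (pointing at an endpoint nobody owns) is caught."""
    by_ip = {ipaddress.IPv4Address(s): n for n, s in sources.items()}
    return {r: by_ip.get(embedded_ipv4(r), "unknown endpoint") for r in routes}


if __name__ == "__main__":
    for name, subnet in plan_vlan20().items():
        print(f"{name}: VLAN20 {subnet}  (endpoint {embedded_ipv4(subnet)})")
```

The gateway address then sits at ::254 inside each /64, as on the page; changing the subnet ID argument gives further /64s for other VLANs within the same site /48 without touching the tunnel.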

Wireless section

AC1:

ip route 0.0.0.0 0.0.0.0 172.16.1.1

vlan 10

interface VLAN 10
 ip address 172.16.1.100 255.255.255.128

interface GigabitEthernet 0/7
 switchport mode trunk
 switchport trunk allowed vlan only 10,100

interface GigabitEthernet 0/8
 switchport mode trunk
 switchport trunk allowed vlan only 10,100
 
ac-controller
 capwap ctrl-ip 172.16.1.100

AC2:

ip route 0.0.0.0 0.0.0.0 172.16.1.1

vlan 10

interface VLAN 10
 ip address 172.16.1.101 255.255.255.128

interface GigabitEthernet 0/7
 switchport mode trunk
 switchport trunk allowed vlan only 10,100

interface GigabitEthernet 0/8
 switchport mode trunk
 switchport trunk allowed vlan only 10,100
 
ac-controller
 capwap ctrl-ip 172.16.1.101

Note: because the task states that the Beijing headquarters must not advertise the VLAN100 segment to the branches, the VLAN10 segment is used here for the AC tunnel address.

Configure DHCP option 138

R1/R2/R3

ip dhcp pool VLAN10
 option 138 ip 172.16.1.100 172.16.1.101 
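The `option 138` line makes the DHCP server hand each AP the CAPWAP access-controller addresses (RFC 5417 defines option 138 as a list of IPv4 addresses). As an added example that is not part of the original solution, the Python below builds the option as it appears on the wire for the two AC addresses used here, then finds and parses it back out of a constructed DHCP options field, rejecting a malformed length, which is what an AP has to do with the offer it receives.

```python
import ipaddress

OPTION_CAPWAP_AC_V4 = 138  # RFC 5417: list of CAPWAP AC IPv4 addresses
OPTION_ROUTER = 3
OPTION_PAD, OPTION_END = 0, 255


def encode_option138(ac_addresses) -> bytes:
    """Code, length, then 4 bytes per AC address, in the order the AP should try them."""
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in ac_addresses)
    if not payload or len(payload) > 255:
        raise ValueError("option 138 carries 1..63 addresses")
    return bytes([OPTION_CAPWAP_AC_V4, len(payload)]) + payload


def find_option(options: bytes, wanted: int):
    """Walk the TLV list of a DHCP options field and return the first copy of
    `wanted` (code + length + value), or None. Refuses truncated options."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if i + 2 + length > len(options):
            raise ValueError("option runs past the end of the field")
        if code == wanted:
            return options[i:i + 2 + length]
        i += 2 + length
    return None


def decode_option138(option: bytes) -> list:
    """Turn a raw option 138 back into dotted addresses; the length must be a
    non-zero multiple of 4."""
    if len(option) < 2 or option[0] != OPTION_CAPWAP_AC_V4:
        raise ValueError("not option 138")
    length, body = option[1], option[2:]
    if len(body) != length or length == 0 or length % 4:
        raise ValueError("option 138 length must be a non-zero multiple of 4")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def is_valid_option138(option: bytes) -> bool:
    """True when decode_option138 accepts the bytes."""
    try:
        decode_option138(option)
        return True
    except ValueError:
        return False


# Constructed DHCP options field resembling what the VLAN10 pool above would send:
# router (option 3) = 172.16.1.1, option 138 = AC1, AC2, then the end marker.
SAMPLE_OPTIONS = (
    bytes([OPTION_ROUTER, 4]) + ipaddress.IPv4Address("172.16.1.1").packed
    + encode_option138(["172.16.1.100", "172.16.1.101"])
    + bytes([OPTION_END])
)


def ac_addresses_from_offer(options: bytes = SAMPLE_OPTIONS) -> list:
    """What an AP extracts from the offer: the controller list, or [] if absent."""
    raw = find_option(options, OPTION_CAPWAP_AC_V4)
    return decode_option138(raw) if raw else []


if __name__ == "__main__":
    print(encode_option138(["172.16.1.100", "172.16.1.101"]).hex())
    print(ac_addresses_from_offer())
```

The first address in the list is AC1, matching the hot-backup design further down where AC1 is primary and AC2 standby; the order of the `option 138 ip` arguments is therefore not cosmetic.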

4. Create the Guangzhou branch internal SSID Test-GZ_XX (XX provided on site), WLAN ID 1, AP-Group GZ. Create the Shanghai branch internal SSID Test-SH_XX (XX provided on site), WLAN ID 2, AP-Group SH; create the Beijing headquarters internal SSID Test-BJ_XX (XX provided on site), WLAN ID 3, AP-Group BJ;

6. All wireless networks must use local forwarding mode;

7. Wireless users must connect with WPA2 encryption; the passphrase is provided on site;

Create the AP group

[screenshot omitted]

Create the GZ and SH AP groups in the same way

[screenshot omitted]

Add a Wi-Fi network

[screenshot omitted]

Add the Wi-Fi networks, with WPA2 as the encryption mode and centralized forwarding as the packet forwarding mode

[screenshot omitted]

Select the AP group and the wireless-user VLAN ID

[screenshot omitted]

Create the SH and BJ Wi-Fi networks in the same way

[screenshot omitted]

5. The APs establish tunnels to both AC1 and AC2; when an AP loses its connection to the primary AC1 it must fail over seamlessly to the standby AC2 and keep providing service.

Add hot backup on AC1

wlan hot-backup 172.16.100.2
 description AC2
 local-ip 172.16.100.1
 work-mode quick-switch
 !
 context 1
  priority level 7
  ap-group BJ
  ap-group GZ
  ap-group SH
  ap-group default
 !
 wlan hot-backup enable
!

Add hot backup on AC2

wlan hot-backup 172.16.100.1
 description AC1
 local-ip 172.16.100.2
 work-mode quick-switch
 !
 context 1
  ap-group BJ
  ap-group GZ
  ap-group SH
  ap-group default
 !
 wlan hot-backup enable
!

Associate the APs with their AP groups

[screenshot omitted]

Note: if users cannot connect to Wi-Fi, first check that the AP configuration on AC1 and AC2 is identical; once it matches, reboot the AP and it will connect normally.

Note: all of the steps above must be repeated on AC2!!!

8. Each wireless terminal in the Shanghai branch gets an average downstream rate of 800 KB/s and a burst rate of 1600 KB/s;

AC1/AC2:

wlan-config 2 Test-SH_25 # Test-SH_25 is the Shanghai SSID (WLAN ID 2); substitute the XX value provided on site
 wlan-based per-user-limit down-streams average-data-rate 800 burst-data-rate 1600

9. Disable low-rate client access (11b/g 1M, 2M, 5M; 11a 6M, 9M).

AC1/AC2:

ac-controller
 802.11b network rate 1 disabled
 802.11b network rate 2 disabled
 802.11b network rate 5 disabled
 802.11g network rate 1 disabled
 802.11g network rate 2 disabled
 802.11g network rate 5 disabled
 802.11a network rate 6 disabled
 802.11a network rate 9 disabled

EG section

1. Configure NAT on the egress gateways so that all terminals at headquarters and the branches can access the Internet, translating internal user IP addresses to the Internet-facing interface with NAPT.

EG1/EG2:

ip access-list standard 10
 10 permit 172.16.0.0 0.0.255.255 

ip nat inside source list 10 interface GigabitEthernet 0/2 overload

interface GigabitEthernet 0/1
 ip nat inside

interface GigabitEthernet 0/2
 ip nat outside

Note: NAT may be preconfigured on the EG; delete the preconfigured NAT, otherwise the NAT you configure may not take effect.

2. Rate-limit web traffic to 500 Kbps per IP, with total web traffic not exceeding 50 Mbps (channel name web);

All of the following configuration is done on EG2!

[screenshots of the EG2 web console omitted]

3. Enable auditing for multiple applications: website access, e-mail, IM chat, forum posting and search engines;

[screenshot omitted]

4. During working hours Monday to Friday 09:00-17:00 (named work), block and audit P2P application use;

[screenshots omitted]

5. Block LAN users from accessing http://15.1.1.2 through a browser.

[screenshots omitted]


Reposted from blog.csdn.net/qq_45462923/article/details/129476989