eNSP综合拓扑

致谢刘同学和林同学的帮助

L2S1

• 创建vlan

vlan batch 11 to 14

• 配置生成树,创建实例

stp mode mstp
stp en
stp region-config
region-name instance1
revision-level 1
instance 1 vlan 11 12
instance 2 vlan 13 14
active region-config

• 配置LSW1各端口类型

interface Ethernet0/0/1
 port link-type access
 port default vlan 11
 
interface Ethernet0/0/2
 port link-type access
 port default vlan 12
 
interface Ethernet0/0/3
 port link-type access
 port default vlan 13
 
interface Ethernet0/0/4
 port link-type access
 port default vlan 14

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan all

interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan all

• 配置内网主机访问权限

source any / destination any 可以不写

 time-range worktime 09:00 to 17:00 working-day

acl number 3000
 rule permit tcp (source any) destination 192.168.15.100 0 destination-port eq ftp time-ran
ge worktime
 rule permit tcp (source any) destination 192.168.15.100 0 destination-port eq www time-ra
nge worktime
 rule deny tcp (source any destination any) destination-port eq ftp time-range worktime
 rule deny tcp (source any destination any) destination-port eq www time-range worktime
 rule permit ip (source any destination any)

• 不允许vlan11与vlan12互相访问，创建acl3001

acl number 3001
 rule 5 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.12.0 0.0.0.255

• 加入对应访问控制列表

interface GigabitEthernet0/0/1
 traffic-filter outbound acl 3000

interface GigabitEthernet0/0/2
 traffic-filter outbound acl 3000

interface Ethernet0/0/1
 traffic-filter inbound acl 3001

L3S1

• 创建vlan，并配置相应端口（23和24端口不用配置，一会要链路聚合）

vlan batch 11 to 15 21

interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 21

interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan all

interface GigabitEthernet0/0/10
 port link-type access
 port default vlan 15

• 配置链路聚合，模式为手动，负载均衡源目地

interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan all
mode manual load-balance 
load-balance src-dst-ip
interface GigabitEthernet0/0/23
 eth-trunk 1
interface GigabitEthernet0/0/24
 eth-trunk 1

• 配置DHCP

dhcp enable

ip pool lan11
 gateway-list 192.168.11.254
 network 192.168.11.0 24
 excluded-ip-address 192.168.11.1 192.168.11.2
 lease day 7 hour 
 dns-list 125.216.112.19
 
ip pool lan12
 gateway-list 192.168.12.254
 network 192.168.12.0 24
 excluded-ip-address 192.168.12.1 192.168.12.2
 lease day 7 
 dns-list 125.216.112.19

• 配置vrrp并追踪上行接口

VRRP (Virtual Router RedundancyProtocol-虚拟路由冗余协议)，首先我们要知道VRRP是一种容错性协议，它是通过将多台设备虚拟化成一台设备，如果其中一台设备出现故障，那么另一台设备可以迅速接替其工作，已保证通讯的可靠性和连续性。

interface Vlanif21
 ip address 192.168.21.254 24

interface Vlanif11
 ip address 192.168.11.1 24
 vrrp vrid 11 virtual-ip 192.168.11.254
 vrrp vrid 11 priority 200
 vrrp vrid 11 track interface Vlanif21 reduced 150
 dhcp select global

interface Vlanif12
 ip address 192.168.12.1 24
 vrrp vrid 12 virtual-ip 192.168.12.254
 vrrp vrid 12 priority 200
 vrrp vrid 12 track interface Vlanif21 reduced 150
 dhcp select global

interface Vlanif13
 ip address 192.168.13.1 24
 vrrp vrid 13 virtual-ip 192.168.13.254

interface Vlanif14
 ip address 192.168.14.1 24
 vrrp vrid 14 virtual-ip 192.168.14.254

interface Vlanif15
 ip address 192.168.15.1 24
 vrrp vrid 15 virtual-ip 192.168.15.254

• 配置多生成树（mstp），创建2个实例

stp mode mstp
stp enable
stp region-configuration
 region-name instance1
 revision-level 1
 instance 1 vlan 11 12
 instance 2 vlan 13 14
 active region-configuration

• 配置主根桥

stp instance 1 root pri
stp instance 2 root sec

• 配置OSPF

ospf 1 router-id 1.1.1.1
 area 0
  network 192.168.11.0 0.0.0.255
  network 192.168.12.0 0.0.0.255
  network 192.168.13.0 0.0.0.255
  network 192.168.14.0 0.0.0.255
  network 192.168.15.0 0.0.0.255
  network 192.168.21.0 0.0.0.255

L3S2

• 创建vlan，并配置相应端口（23和24不配，一会链路聚合）

vlan batch 11 to 14 22

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan all
 
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 22

• 配置链路聚合，手动模式,负载均衡源目地

interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan all
 mode manual load-balance
 load-balance src-dst-ip
 
 interface GigabitEthernet0/0/23
 eth-trunk 1
 
interface GigabitEthernet0/0/24
 eth-trunk 1

• 配置DHCP(关宣排租dns）

dhcp enable

ip pool lan13
 gateway-list 192.168.13.254
 network 192.168.13.0 24
 excluded-ip-address 192.168.13.1 192.168.13.2
 lease day 7 
 dns-list 125.216.112.19

ip pool lan14
 gateway-list 192.168.14.254
 network 192.168.14.0 24
 excluded-ip-address 192.168.14.1 192.168.14.2
 lease day 7 
 dns-list 125.216.112.19

配置vrrp，并追踪上行接口

interface Vlanif22
 ip address 192.168.22.254 255.255.255.0
 
interface Vlanif11
 ip address 192.168.11.2 24
 vrrp vrid 11 virtual-ip 192.168.11.254

interface Vlanif12
 ip address 192.168.12.2 24
 vrrp vrid 12 virtual-ip 192.168.12.254

interface Vlanif13
 ip address 192.168.13.2 24
 vrrp vrid 13 virtual-ip 192.168.13.254
 vrrp vrid 13 priority 200
 vrrp vrid 13 track interface Vlanif22 reduced 150
 dhcp select global

interface Vlanif14
 ip address 192.168.14.2 24
 vrrp vrid 14 virtual-ip 192.168.14.254
 vrrp vrid 14 priority 200
 vrrp vrid 14 track interface Vlanif22 reduced 150
  dhcp select global

配置生成树为mstp，创建两个实例

stp enable
stp mode mstp
stp region-configuration
 region-name instance1
 revision-level 1
 instance 1 vlan 11 to 12
 instance 2 vlan 13 to 14
 active region-configuration

• 配置主根桥

stp instance 1 root sec
stp instance 2 root pri

• OSPF

ospf 1 router-id 2.2.2.2
 area 0
  network 192.168.11.0 0.0.0.255
  network 192.168.12.0 0.0.0.255
  network 192.168.13.0 0.0.0.255
  network 192.168.14.0 0.0.0.255
  network 192.168.22.0 0.0.0.255

R1

配置各个端口,s1为ppp,s0为chap：

interface GigabitEthernet0/0/1
 ip address 192.168.21.1 24

interface GigabitEthernet0/0/2
 ip address 192.168.22.1 24
 
interface Serial0/0/0
 link-protocol ppp
 ppp authentication-mode chap
 ip address 192.168.1.1 30

interface Serial0/0/1
 link-protocol ppp
 ip address 20.22.1.1 28

• 配置3a

aaa
 local-user huawei password cipher wei privilege level 3
 local-user huawei service-type ppp

• 配置默认路由

ip route-static 0.0.0.0 0.0.0.0 20.22.1.2

• 配置rip，先默认ospf再配置rip

ospf 1 router-id 3.3.3.3
 default-route-advertise always
 
rip 1
 undo summary
 default-route originate
 version 2
 network 192.168.1.0
 import-route ospf 1

• 配置OSPF：

ospf 1 router-id 3.3.3.3
 import-route rip 1
 area 0.0.0.0
  network 192.168.21.0 0.0.0.255
  network 192.168.22.0 0.0.0.255

• nat：

NAT（Network Address Translation），是指网络地址转换，1994年提出的。当在专用网内部的一些主机本来已经分配到了本地IP地址（即仅在本专用网内使用的专用地址），但又想和因特网上的主机通信（并不需要加密）时，可使用NAT方法。

 nat address-group 1 20.22.1.3 20.22.1.13

acl number 2000
 rule 5 permit source 192.168.11.0 0.0.0.255
 rule 10 permit source 192.168.12.0 0.0.0.255
 rule 15 permit source 192.168.13.0 0.0.0.255
 rule 20 permit source 192.168.14.0 0.0.0.255
 rule 25 permit source 192.168.15.0 0.0.0.255
interface Serial0/0/1
 nat server protocol tcp global 20.22.1.14 www inside 192.168.15.100 www
 nat server protocol tcp global 20.22.1.14 443 inside 192.168.1.14 443
 nat server protocol tcp global 20.22.1.14 21（ftp） inside 192.168.1.14 21
 nat server protocol tcp global 20.22.1.14 20（ftp-data） inside 192.168.1.14 20
 nat server protocol udp global 20.22.1.14 53（dns） inside 192.168.1.14 53 
 nat server protocol tcp global 20.22.1.14 53（domain） inside 192.168.1.14 53
 nat outbound 2000 address-group 1
 
[]  
nat alg dns enable
nat alg ftp enable

R2

• 配置端口

interface GigabitEthernet0/0/1
 ip address 10.1.1.254 24

• 配置ppp认证，模式为chap

interface Serial0/0/0
 link-protocol ppp
 ppp authentication-mode chap
 ppp chap user huawei
 ppp chap password cipher wei
 ip address 192.168.1.2 30

• 配置RIP

rip 1
 undo summary
 version 2
 network 10.0.0.0
 network 192.168.1.0

ISP

interface Serial0/0/1
 link-protocol ppp
 ip address 20.22.1.2 28