2020 Huawei ICT Competition National Finals Network Track Experiment Analysis and Verification

Author information: Miao Hao 15515026488 WeChat account

This article is excerpted from "Huawei ICT Competition-Network Track Learning Space (China)". If there is any infringement, please contact the author in time to delete the article.

Original link: https://talent.shixizhi.huawei.com/course/1365189427395223554/application-learn?status=published&courseId=1680760185478529026&id=554759065239212032&appId=554759065222434816&classId=554759065222434817&courseType=1&sxz-lang=zh_CN&headershow=false

1. Project background

        A large company established a provincial company private network in 2008, and relied on this network to achieve unified networking for multiple branches across the province.

        At present, due to problems such as insufficient basic network bandwidth, old equipment, chaotic network planning, and low overall network performance, office efficiency is low, and support for new technologies and new terminals is poor, which affects the company's business development. In order to improve the company's overall performance, stability and scalability, the company decided to replace old equipment and upgrade the overall network in stages at the headquarters and branches.

        The first phase of the network solution needs to meet the interconnection between the company's headquarters and branches.

        In order to increase the reliability and security of the system, it is planned to deploy redundant backup for the core switches and the ACs. Separate gateways will be set up for wired and wireless services, and the core switches will share the load, which also improves network reliability. Communication between the headquarters and branches is implemented with MPLS VPN technology: all terminals in the branches can access the server resources of the headquarters network, consolidating resources and reducing management and O&M costs.

        At the same time, in order to meet the mobile office needs of headquarters employees, in the first phase, a WLAN network was deployed at the company headquarters to cover the entire headquarters network and improve office efficiency.

2. Exam description

2.1 Total score of the test paper

        The exam is divided into three parts: routing and switching, security and wireless, with a total score of 1,000 points.

2.2 Equipment introduction

2.2.1 Equipment list

        <1>Two USG6000 firewalls (FW1-FW2)

        <2>Five AR2220 routers (AR1-AR5)

        <3>Five S5700 switches (SW1-SW5)

        <4>Two AC6605 controllers (AC1-AC2)

        <5>One AP7050 (AP1)

        <6>Two PCs (PC1 and PC2)

        <7>A laptop (STA1)

        <8>Two FTP terminals (FTP terminal 1-FTP terminal 2)

        <9>An FTP Server

        <10>A DHCP Server

2.2.2 Exam Tools

        <1>Three exam PCs, the PCs already have relevant software required for the exam, as well as product documentation for all products involved.

3. Exam text

3.1 Network planning

3.2 Device naming

        Please configure or confirm the name of the corresponding network device according to Figure 3-1 network topology.

Configuration process:

#AR1
<Huawei>system-view 
[Huawei]sysname AR1
[AR1]

#AR2
<Huawei>system-view 
[Huawei]sysname AR2
[AR2]

#AR3
<Huawei>system-view 
[Huawei]sysname AR3
[AR3]

#AR4
<Huawei>system-view 
[Huawei]sysname AR4
[AR4]

#AR5
<Huawei>system-view 
[Huawei]sysname AR5
[AR5]

#SW1
<Huawei>system-view 
[Huawei]sysname SW1
[SW1]

#SW2
<Huawei>system-view 
[Huawei]sysname SW2
[SW2]

#SW3
<Huawei>system-view 
[Huawei]sysname SW3
[SW3]

#SW4
<Huawei>system-view 
[Huawei]sysname SW4
[SW4]

#SW5
<Huawei>system-view 
[Huawei]sysname SW5
[SW5]

#AC1
<AC6605>system-view 
[AC6605]sysname AC1
[AC1]

#AC2
<AC6605>system-view 
[AC6605]sysname AC2
[AC2]

#FW1
<USG6000V>system-view 
[USG6000V]sysname FW1
[FW1]

#FW2
<USG6000V>system-view 
[USG6000V]sysname FW2
[FW2]

#DHCP Server
<Huawei>system-view 
[Huawei]sysname DHCP Server
[DHCP Server]

3.3 Headquarters network deployment

3.3.1 Device link deployment

3.3.1.1 Link aggregation deployment
  1. Deploy link aggregation technology between core switches SW1 and SW2, and create an aggregation interface numbered 12 to double the bandwidth and improve link redundancy.
  2. The link aggregation mode is LACP static mode, and SW1 serves as the active device.

 Configuration process:

#SW1
[SW1]interface Eth-Trunk 12
[SW1-Eth-Trunk12]mode lacp-static 
[SW1-Eth-Trunk12]trunkport GigabitEthernet 0/0/1 0/0/2 0/0/8
[SW1]lacp priority 100

#SW2
[SW2]interface Eth-Trunk 12
[SW2-Eth-Trunk12]mode lacp-static 
[SW2-Eth-Trunk12]trunkport GigabitEthernet 0/0/1 0/0/2 0/0/8

verify:

3.3.2 Layer 2 network deployment

3.3.2.1 VLAN planning and deployment 

The VLAN planning of the headquarters network is shown in Table 3-3.

Note: In order to ensure network connectivity and avoid layer 2 loop hazards, the switch port only allows specified VLANs to pass. Excessive VLANs will affect the overall network stability assessment.

Configuration process:

#SW1
[SW1]vlan batch 12 100 200 201 202 203
[SW1]interface Eth-Trunk 12
[SW1-Eth-Trunk12]port link-type trunk 
[SW1-Eth-Trunk12]port trunk allow-pass vlan 12 100 200 201 202 203
[SW1-Eth-Trunk12]undo port trunk allow-pass vlan 1
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk 
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 100 200 201
[SW1-GigabitEthernet0/0/3]undo port trunk allow-pass vlan 1
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port link-type trunk 
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 200 201 
[SW1-GigabitEthernet0/0/4]undo port trunk allow-pass vlan 1
[SW1]interface GigabitEthernet 0/0/5
[SW1-GigabitEthernet0/0/5]port link-type access
[SW1-GigabitEthernet0/0/5]port default vlan 203
[SW1]interface GigabitEthernet 0/0/6
[SW1-GigabitEthernet0/0/6]port link-type trunk 
[SW1-GigabitEthernet0/0/6]port trunk allow-pass vlan 200 201 202
[SW1-GigabitEthernet0/0/6]undo port trunk allow-pass vlan 1

#SW2
[SW2]vlan batch 10 12 100 200 201 202 203
[SW2]interface Eth-Trunk 12
[SW2-Eth-Trunk12]port link-type trunk 
[SW2-Eth-Trunk12]port trunk allow-pass vlan 12 100 200 201 202
[SW2-Eth-Trunk12]undo port trunk allow-pass vlan 1
[SW2]interface GigabitEthernet 0/0/3
[SW2-GigabitEthernet0/0/3]port link-type trunk 
[SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 100 200 201
[SW2-GigabitEthernet0/0/3]undo port trunk allow-pass vlan 1
[SW2]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port link-type trunk 
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 100 200 201
[SW2-GigabitEthernet0/0/4]undo port trunk allow-pass vlan 1
[SW2]interface GigabitEthernet 0/0/5
[SW2-GigabitEthernet0/0/5]port link-type access
[SW2-GigabitEthernet0/0/5]port default vlan 203
[SW2]interface GigabitEthernet 0/0/6
[SW2-GigabitEthernet0/0/6]port link-type trunk 
[SW2-GigabitEthernet0/0/6]port trunk allow-pass vlan 200 201 202
[SW2-GigabitEthernet0/0/6]undo port trunk allow-pass vlan 1
[SW2]interface GigabitEthernet 0/0/7
[SW2-GigabitEthernet0/0/7]port link-type access
[SW2-GigabitEthernet0/0/7]port default vlan 10

#SW3
[SW3]vlan 100
[SW3]interface GigabitEthernet 0/0/1
[SW3-GigabitEthernet0/0/1]port link-type trunk 
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[SW3-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
[SW3]interface GigabitEthernet 0/0/2
[SW3-GigabitEthernet0/0/2]port link-type trunk 
[SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 100
[SW3-GigabitEthernet0/0/2]undo port trunk allow-pass vlan 1
[SW3]port-group group-member GigabitEthernet 0/0/3 GigabitEthernet 0/0/4
[SW3-port-group]port link-type access
[SW3-port-group]port default vlan 100

#SW4
[SW4]vlan batch 200 201
[SW4]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/3
[SW4-port-group]port link-type trunk 
[SW4-port-group]port trunk allow-pass vlan 200 201
[SW4]interface GigabitEthernet 0/0/3
[SW4-GigabitEthernet0/0/3]port trunk pvid vlan 200
#AC1
[AC1]vlan batch 200 202
[AC1]interface GigabitEthernet 0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk 
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 200 202
[AC1-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1

#AC2
[AC2]vlan batch 200 202
[AC2]interface GigabitEthernet 0/0/1
[AC2-GigabitEthernet0/0/1]port link-type trunk 
[AC2-GigabitEthernet0/0/1]port trunk allow-pass vlan 200 202
[AC2-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1

#FW1
[FW1]vlan 203
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]portswitch 
[FW1-GigabitEthernet1/0/0]port link-type access
[FW1-GigabitEthernet1/0/0]port default vlan 203
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]portswitch 
[FW1-GigabitEthernet1/0/1]port link-type access
[FW1-GigabitEthernet1/0/1]port default vlan 203

verify:
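
The exam text warns that trunk ports must carry only the planned VLANs. The script below is an added example (not part of the original write-up) that parses Huawei VRP lines of the form `[DEV-IFACE]command` and reports VLANs allowed on only one end of each inter-switch link. The link pairs in `LINKS` are an assumption reconstructed from the configs, since the topology figure is not in the text, and `SAMPLE_CONFIG` is a constructed excerpt of the commands above.

```python
"""Trunk allow-pass consistency check across the headquarters switches.

Added example, not part of the original write-up. LINKS is an assumed
reconstruction of the inter-switch links; SAMPLE_CONFIG is a constructed
excerpt of the page's trunk commands.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Port = Tuple[str, str]                     # (device, interface)
# "[SW1-GigabitEthernet0/0/3]port trunk ..." -> device, interface, command
PROMPT = re.compile(r"^\[([A-Za-z0-9]+)-([A-Za-z0-9/.-]+)\](.*)$")


def parse_vlan_list(tokens: List[str]) -> Set[int]:
    """Expand '12 100 200 to 203' style tokens into a set of VLAN ids."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans: Set[int] = set()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_trunks(config_text: str) -> Dict[Port, Set[int]]:
    """Return {(device, interface): allowed VLAN set} for every trunk port seen."""
    trunks: Dict[Port, Set[int]] = {}
    for raw in config_text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue                        # system-view lines such as "[SW1]vlan batch ..."
        key: Port = (m.group(1), m.group(2))
        cmd = m.group(3).strip()
        if cmd == "port link-type trunk":
            trunks[key] = {1}               # a new trunk port allows VLAN 1 by default
        elif key in trunks and cmd.startswith("port trunk allow-pass vlan "):
            trunks[key] |= parse_vlan_list(cmd.split()[4:])
        elif key in trunks and cmd.startswith("undo port trunk allow-pass vlan "):
            trunks[key] -= parse_vlan_list(cmd.split()[5:])
    return trunks


def compare_links(trunks: Dict[Port, Set[int]],
                  links: List[Tuple[Port, Port]]) -> Dict[Tuple[Port, Port], Optional[Tuple[Set[int], Set[int]]]]:
    """Per link: (VLANs only on end A, VLANs only on end B); None if an end is not a trunk."""
    report = {}
    for a, b in links:
        va, vb = trunks.get(a), trunks.get(b)
        report[(a, b)] = None if va is None or vb is None else (va - vb, vb - va)
    return report


# Constructed excerpt of the page's trunk configuration.
SAMPLE_CONFIG = """\
[SW1-Eth-Trunk12]port link-type trunk
[SW1-Eth-Trunk12]port trunk allow-pass vlan 12 100 200 201 202 203
[SW1-Eth-Trunk12]undo port trunk allow-pass vlan 1
[SW1-GigabitEthernet0/0/3]port link-type trunk
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 100 200 201
[SW1-GigabitEthernet0/0/3]undo port trunk allow-pass vlan 1
[SW2-Eth-Trunk12]port link-type trunk
[SW2-Eth-Trunk12]port trunk allow-pass vlan 12 100 200 201 202
[SW2-Eth-Trunk12]undo port trunk allow-pass vlan 1
[SW2-GigabitEthernet0/0/3]port link-type trunk
[SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 100 200 201
[SW2-GigabitEthernet0/0/3]undo port trunk allow-pass vlan 1
[SW3-GigabitEthernet0/0/1]port link-type trunk
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[SW3-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
[SW3-GigabitEthernet0/0/2]port link-type trunk
[SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 100
[SW3-GigabitEthernet0/0/2]undo port trunk allow-pass vlan 1
"""

# Assumed link pairs (topology figure not available in the text).
LINKS: List[Tuple[Port, Port]] = [
    (("SW1", "Eth-Trunk12"), ("SW2", "Eth-Trunk12")),
    (("SW1", "GigabitEthernet0/0/3"), ("SW3", "GigabitEthernet0/0/1")),
    (("SW2", "GigabitEthernet0/0/3"), ("SW3", "GigabitEthernet0/0/2")),
]


def check_headquarters():
    return compare_links(parse_trunks(SAMPLE_CONFIG), LINKS)


if __name__ == "__main__":
    for (a, b), diff in check_headquarters().items():
        if diff is None:
            print(f"{a} <-> {b}: one end is not configured as a trunk")
        elif diff[0] or diff[1]:
            print(f"{a} <-> {b}: only on {a[0]}: {sorted(diff[0])}, only on {b[0]}: {sorted(diff[1])}")
        else:
            print(f"{a} <-> {b}: consistent")
```

Run as written it shows VLAN 203 allowed on the SW1 side of Eth-Trunk 12 only, and VLANs 200 and 201 allowed towards SW3 although SW3 carries only VLAN 100.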

3.3.2.2 MSTP deployment 
  1. SW1, SW2, SW3, and SW4 all run MSTP. 
  2. VLAN100 is in Instance 1. Without using any command to modify the bridge priority, ensure that SW1 serves as the root bridge of Instance 1 and SW2 serves as the backup root bridge.
  3. VLAN200 and VLAN201 are in Instance 2. Without using commands to modify the bridge priority, ensure that SW2 serves as the root bridge of Instance 2 and SW1 serves as the backup root bridge.
  4. The region name of MSTP is huawei, and the revision level is 12.

Configuration process:

#SW1
[SW1]stp mode mstp 
[SW1]stp region-configuration 
[SW1-mst-region]region-name huawei
[SW1-mst-region]revision-level 12
[SW1-mst-region]instance 1 vlan 100
[SW1-mst-region]instance 2 vlan 200 201
[SW1-mst-region]active region-configuration
[SW1]stp instance 0 root primary 
[SW1]stp instance 1 root primary 
[SW1]stp instance 2 root secondary 

#SW2
[SW2]stp mode mstp 
[SW2]stp region-configuration 
[SW2-mst-region]region-name huawei
[SW2-mst-region]revision-level 12
[SW2-mst-region]instance 1 vlan 100
[SW2-mst-region]instance 2 vlan 200 201
[SW2-mst-region]active region-configuration
[SW2]stp instance 0 root secondary 
[SW2]stp instance 1 root secondary 
[SW2]stp instance 2 root primary 

#SW3
[SW3]stp mode mstp 
[SW3]stp region-configuration 
[SW3-mst-region]region-name huawei
[SW3-mst-region]revision-level 12
[SW3-mst-region]instance 1 vlan 100
[SW3-mst-region]instance 2 vlan 200 201
[SW3-mst-region]active region-configuration

#SW4
[SW4]stp mode mstp 
[SW4]stp region-configuration 
[SW4-mst-region]region-name huawei
[SW4-mst-region]revision-level 12
[SW4-mst-region]instance 1 vlan 100
[SW4-mst-region]instance 2 vlan 200 201
[SW4-mst-region]active region-configuration

verify:

3.3.3 Layer 3 network deployment

3.3.3.1 IP address planning and configuration

 IP address planning is shown in Table 3-1 IP address planning table. Please configure the IP address correctly according to the plan.

Configuration process:

#SW1
[SW1]interface LoopBack 0
[SW1-LoopBack0]ip address 11.11.11.11 32
[SW1]interface Vlanif 12
[SW1-Vlanif12]ip address 192.168.12.1 24
[SW1]interface Vlanif 100
[SW1-Vlanif100]ip address 192.168.100.1 24
[SW1]interface Vlanif 200
[SW1-Vlanif200]ip address 192.168.200.1 24
[SW1]interface Vlanif 201
[SW1-Vlanif201]ip address 192.168.201.1 24
[SW1]interface Vlanif 203
[SW1-Vlanif203]ip address 192.168.203.1 24

#SW2
[SW2]interface LoopBack 0
[SW2-LoopBack0]ip address 12.12.12.12 32
[SW2]interface Vlanif 10
[SW2-Vlanif10]ip address 192.168.10.1 24
[SW2]interface Vlanif 12
[SW2-Vlanif12]ip address 192.168.12.2 24
[SW2]interface Vlanif 100
[SW2-Vlanif100]ip address 192.168.100.2 24
[SW2]interface Vlanif 200
[SW2-Vlanif200]ip address 192.168.200.2 24
[SW2]interface Vlanif 201
[SW2-Vlanif201]ip address 192.168.201.2 24
[SW2]interface Vlanif 203
[SW2-Vlanif203]ip address 192.168.203.2 24

#AC1
[AC1]interface LoopBack 0
[AC1-LoopBack0]ip address 21.21.21.21 32
[AC1]interface Vlanif 200
[AC1-Vlanif200]ip address 192.168.200.11 24
[AC1]interface Vlanif 202
[AC1-Vlanif202]ip address 192.168.202.1 24

#AC2
[AC2]interface LoopBack 0
[AC2-LoopBack0]ip address 22.22.22.22 32
[AC2]interface Vlanif 200
[AC2-Vlanif200]ip address 192.168.200.12 24
[AC2]interface Vlanif 202
[AC2-Vlanif202]ip address 192.168.202.2 24

#DHCP Server
[DHCP Server]interface GigabitEthernet 0/0/0
[DHCP Server-GigabitEthernet0/0/0]ip address 192.168.10.254 24

#FW1
[FW1]interface LoopBack 0
[FW1-LoopBack0]ip address 10.10.10.10 32
[FW1]interface Vlanif 203
[FW1-Vlanif203]ip address 192.168.203.3 24
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 200.1.11.2 30
[FW1]interface GigabitEthernet 1/0/3
[FW1-GigabitEthernet1/0/3]ip address 192.168.20.1 24

verify:

3.3.3.2 Core switching high reliability planning and configuration
  1. Create VRRP backup group 1 on SW1 and SW2 with virtual IP address 192.168.12.254/24. Configure SW1 with priority 200 and a preemption delay of 15 seconds so that it serves as the Master device; SW2 keeps the default priority and serves as the Backup device.
  2. Enable MD5 authentication in VRRP backup group 1 and set the password to Huawei.
  3. Create VRRP backup group 2 on SW1 and SW2 with virtual IP address 192.168.100.254/24. Configure SW1 with priority 200 and a preemption delay of 15 seconds so that it serves as the Master device; SW2 keeps the default priority and serves as the Backup device.
  4. Create VRRP backup group 3 on SW1 and SW2 with virtual IP address 192.168.200.254/24. Configure SW2 with priority 200 and a preemption delay of 15 seconds so that it serves as the Master device; SW1 keeps the default priority and serves as the Backup device.
  5. Create VRRP backup group 4 on SW1 and SW2 with virtual IP address 192.168.201.254/24. Configure SW2 with priority 200 and a preemption delay of 15 seconds so that it serves as the Master device; SW1 keeps the default priority and serves as the Backup device.
  6. In VRRP backup group 1 and backup group 2, backup group 1 is the management group; in VRRP backup group 3 and backup group 4, backup group 3 is the management group.
  7. To speed up the active/standby switchover, create BFD sessions on backup group 1 and backup group 3 of SW1 and SW2 respectively, and bind them to the corresponding management groups.

 Configuration process:

#SW1
[SW1]bfd
[SW1]bfd vlanif12 bind peer-ip 192.168.12.2 source-ip 192.168.12.1 auto 
[SW1-bfd-session-vlanif12]commit 
[SW1]bfd vlanif200 bind peer-ip 192.168.200.2 source-ip 192.168.200.1 auto 
[SW1-bfd-session-vlanif200]commit 
[SW1]interface Vlanif 12
[SW1-Vlanif12]vrrp vrid 1 virtual-ip 192.168.12.254
[SW1-Vlanif12]vrrp vrid 1 priority 200
[SW1-Vlanif12]vrrp vrid 1 preempt-mode timer delay 15
[SW1-Vlanif12]vrrp vrid 1 authentication-mode md5 Huawei
[SW1-Vlanif12]admin-vrrp vrid 1 
[SW1-Vlanif12]vrrp vrid 1 track bfd-session session-name vlanif12 reduced 110
[SW1]interface Vlanif 100
[SW1-Vlanif100]vrrp vrid 2 virtual-ip 192.168.100.254
[SW1-Vlanif100]vrrp vrid 2 priority 200
[SW1-Vlanif100]vrrp vrid 2 preempt-mode timer delay 15
[SW1-Vlanif100]vrrp vrid 2 track admin-vrrp interface Vlanif 12 vrid 1 unflowdown 
[SW1]interface Vlanif 200
[SW1-Vlanif200]vrrp vrid 3 virtual-ip 192.168.200.254
[SW1-Vlanif200]admin-vrrp vrid 3
[SW1]interface Vlanif 201
[SW1-Vlanif201]vrrp vrid 4 virtual-ip 192.168.201.254
[SW1-Vlanif201]vrrp vrid 4 track admin-vrrp interface Vlanif 200 vrid 3 unflowdown 

#SW2
[SW2]bfd
[SW2]bfd vlanif12 bind peer-ip 192.168.12.1 source-ip 192.168.12.2 auto 
[SW2-bfd-session-vlanif12]commit 
[SW2]bfd vlanif200 bind peer-ip 192.168.200.1 source-ip 192.168.200.2 auto
[SW2-bfd-session-vlanif200]commit 
[SW2]interface Vlanif 12
[SW2-Vlanif12]vrrp vrid 1 virtual-ip 192.168.12.254
[SW2-Vlanif12]vrrp vrid 1 authentication-mode md5 Huawei
[SW2-Vlanif12]admin-vrrp vrid 1 
[SW2]interface Vlanif 100
[SW2-Vlanif100]vrrp vrid 2 virtual-ip 192.168.100.254
[SW2-Vlanif100]vrrp vrid 2 track admin-vrrp interface Vlanif 12 vrid 1 unflowdown 
[SW2]interface Vlanif 200
[SW2-Vlanif200]vrrp vrid 3 virtual-ip 192.168.200.254
[SW2-Vlanif200]vrrp vrid 3 priority 200
[SW2-Vlanif200]vrrp vrid 3 preempt-mode timer delay 15
[SW2-Vlanif200]admin-vrrp vrid 3
[SW2-Vlanif200]vrrp vrid 3 track bfd-session session-name vlanif200 reduced 110
[SW2]interface Vlanif 201
[SW2-Vlanif201]vrrp vrid 4 virtual-ip 192.168.201.254
[SW2-Vlanif201]vrrp vrid 4 priority 200
[SW2-Vlanif201]vrrp vrid 4 preempt-mode timer delay 15
[SW2-Vlanif201]vrrp vrid 4 track admin-vrrp interface Vlanif 200 vrid 3 unflowdown 

verify:
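
Why `reduced 110` and not a smaller value: the Master only loses the election when its reduced priority drops below the Backup's. The model below is an added example (not part of the original write-up) of backup group 1 and its member group 2 as configured above, using the standard VRRP election rule (highest priority wins, ties go to the higher interface address); the helper names are this example's own.

```python
"""VRRP master election with BFD tracking and admin-vrrp binding.

Added example, not part of the original write-up. Models backup groups 1
and 2 of SW1/SW2 as configured on the page: SW1 priority 200 tracking BFD
session vlanif12 with 'reduced 110', SW2 at the VRRP default of 100, and
group 2 bound to admin-vrrp group 1 with 'unflowdown'.
"""
from dataclasses import dataclass
from typing import List, Tuple

VRRP_DEFAULT_PRIORITY = 100


@dataclass
class VrrpMember:
    name: str
    interface_ip: str
    priority: int = VRRP_DEFAULT_PRIORITY
    bfd_reduce: int = 0          # 'vrrp vrid N track bfd-session ... reduced X'
    bfd_up: bool = True

    def effective_priority(self) -> int:
        """Priority after the tracked BFD session is taken into account.
        VRRP priorities stay within 1..254, so the reduction bottoms out at 1."""
        if self.bfd_up or self.bfd_reduce == 0:
            return self.priority
        return max(1, self.priority - self.bfd_reduce)


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in ip.split("."))


def elect_master(members: List[VrrpMember]) -> str:
    """Highest effective priority wins; a tie is broken by the higher address."""
    winner = max(members, key=lambda m: (m.effective_priority(), _ip_key(m.interface_ip)))
    return winner.name


def group1_master(sw1_bfd_up: bool, reduced: int = 110) -> str:
    """Backup group 1 on Vlanif12 exactly as configured on the page."""
    sw1 = VrrpMember("SW1", "192.168.12.1", priority=200,
                     bfd_reduce=reduced, bfd_up=sw1_bfd_up)
    sw2 = VrrpMember("SW2", "192.168.12.2")          # default priority 100
    return elect_master([sw1, sw2])


def minimum_reduce(master_priority: int, backup_priority: int) -> int:
    """Smallest 'reduced' value that lets the Backup win once BFD reports a fault."""
    return master_priority - backup_priority + 1


def group2_master(sw1_bfd_up: bool) -> str:
    """Group 2 (Vlanif100) is bound to admin-vrrp group 1 with 'unflowdown':
    it follows the admin group's state instead of running its own election."""
    return group1_master(sw1_bfd_up)


if __name__ == "__main__":
    for up in (True, False):
        print(f"BFD up={up}: group 1 master {group1_master(up)}, group 2 master {group2_master(up)}")
    print("'reduced' must be at least", minimum_reduce(200, VRRP_DEFAULT_PRIORITY))
    print("with 'reduced 50' and BFD down the master is still", group1_master(False, reduced=50))
```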

3.3.3.3 IGP protocol deployment
  1. In order to ensure interoperability between the headquarters wireless network and the wired network, the OSPF protocol is deployed between SW1, SW2, AC1, AC2, and FW1.
  2. The OSPF process number is 64512. The interfaces of all devices are in the backbone area. The Loopback 0 address is used as the router ID. Each network segment needs to be announced precisely.
  3. Use the import command to import the directly connected network segment of the DHCP server into OSPF (routes of other network segments must not be imported).

Configuration process:

#SW1
[SW1]ospf 64512 router-id 11.11.11.11
[SW1-ospf-64512]area 0
[SW1-ospf-64512-area-0.0.0.0]network 11.11.11.11 0.0.0.0
[SW1-ospf-64512-area-0.0.0.0]network 192.168.12.1 0.0.0.0 
[SW1-ospf-64512-area-0.0.0.0]network 192.168.100.1 0.0.0.0
[SW1-ospf-64512-area-0.0.0.0]network 192.168.200.1 0.0.0.0
[SW1-ospf-64512-area-0.0.0.0]network 192.168.201.1 0.0.0.0
[SW1-ospf-64512-area-0.0.0.0]network 192.168.203.1 0.0.0.0
[SW1]ip route-static 0.0.0.0 0.0.0.0 192.168.203.3

#SW2
[SW2]ip ip-prefix dhcp_direct permit 192.168.10.0 24
[SW2]route-policy dhcp_direct permit node 10
[SW2-route-policy]if-match ip-prefix dhcp_direct
[SW2]ospf 64512 router-id 12.12.12.12
[SW2-ospf-64512]import-route direct route-policy dhcp_direct type 1
[SW2-ospf-64512]area 0
[SW2-ospf-64512-area-0.0.0.0]network 12.12.12.12 0.0.0.0
[SW2-ospf-64512-area-0.0.0.0]network 192.168.12.2 0.0.0.0
[SW2-ospf-64512-area-0.0.0.0]network 192.168.100.2 0.0.0.0
[SW2-ospf-64512-area-0.0.0.0]network 192.168.200.2 0.0.0.0
[SW2-ospf-64512-area-0.0.0.0]network 192.168.201.2 0.0.0.0
[SW2-ospf-64512-area-0.0.0.0]network 192.168.203.2 0.0.0.0
[SW2]ip route-static 0.0.0.0 0.0.0.0 192.168.203.3

#AC1
[AC1]ospf 64512 router-id 21.21.21.21
[AC1-ospf-64512]area 0
[AC1-ospf-64512-area-0.0.0.0]network 21.21.21.21 0.0.0.0
[AC1-ospf-64512-area-0.0.0.0]network 192.168.200.11 0.0.0.0
[AC1-ospf-64512-area-0.0.0.0]network 192.168.202.1 0.0.0.0
[AC1]interface Vlanif 200
[AC1-Vlanif200]ospf dr-priority 0

#AC2
[AC2]ospf 64512 router-id 22.22.22.22
[AC2-ospf-64512]area 0
[AC2-ospf-64512-area-0.0.0.0]network 22.22.22.22 0.0.0.0
[AC2-ospf-64512-area-0.0.0.0]network 192.168.200.12 0.0.0.0
[AC2-ospf-64512-area-0.0.0.0]network 192.168.202.2 0.0.0.0
[AC2]interface Vlanif 200
[AC2-Vlanif200]ospf dr-priority 0

#FW1
[FW1]ip route-static 0.0.0.0 0.0.0.0 200.1.11.1
[FW1]ospf 64512 router-id 10.10.10.10
[FW1-ospf-64512]default-route-advertise type 1
[FW1-ospf-64512]area 0
[FW1-ospf-64512-area-0.0.0.0]network 10.10.10.10 0.0.0.0
[FW1-ospf-64512-area-0.0.0.0]network 192.168.20.1 0.0.0.0
[FW1-ospf-64512-area-0.0.0.0]network 192.168.203.3 0.0.0.0 

 Verification: When the firewall security zone is not configured, the OSPF neighbor will be stuck in the Exstart state.

3.3.4 Server deployment

3.3.4.1 DHCP server deployment
  1. Create a global DHCP address pool on the DHCP Server to allocate addresses to wired and wireless terminals and APs. The gateways are deployed on SW1 and SW2. Since the core switches and the DHCP server are not in the same network segment, a way must be found for the APs, PCs and STAs to obtain IP addresses. The specific address pool information is as follows:
  2. The address pool needs to exclude IP addresses that have been used.
  3. PC1 is required to obtain a fixed IP address, which is 192.168.100.199.

Configuration process:

#DHCP Server
[DHCP Server]ip route-static 0.0.0.0 0.0.0.0 192.168.10.1
[DHCP Server]dhcp enable 
[DHCP Server]ip pool Wired
[DHCP Server-ip-pool-Wired]network 192.168.100.0 mask 255.255.255.0
[DHCP Server-ip-pool-Wired]gateway-list 192.168.100.254
[DHCP Server-ip-pool-Wired]dns-list 114.114.114.114
[DHCP Server-ip-pool-Wired]static-bind ip-address 192.168.100.199 mac-address 5489-985A-089A
[DHCP Server]ip pool AP
[DHCP Server-ip-pool-AP]network 192.168.200.0 mask 24
[DHCP Server-ip-pool-AP]gateway-list 192.168.200.254
[DHCP Server-ip-pool-AP]dns-list 202.96.128.66
[DHCP Server-ip-pool-AP]lease day 0 hour 12
[DHCP Server-ip-pool-AP]option 43 ip-address 21.21.21.21 22.22.22.22
[DHCP Server]ip pool Wireless
[DHCP Server-ip-pool-Wireless]network 192.168.201.0 mask 24
[DHCP Server-ip-pool-Wireless]gateway-list 192.168.201.254
[DHCP Server-ip-pool-Wireless]dns-list 8.8.8.8
[DHCP Server-ip-pool-Wireless]lease day 0 hour 8
[DHCP Server]interface GigabitEthernet 0/0/0
[DHCP Server-GigabitEthernet0/0/0]dhcp select global 

#SW1
[SW1]dhcp enable 
[SW1]interface Vlanif 100
[SW1-Vlanif100]dhcp select relay 
[SW1-Vlanif100]dhcp relay server-ip 192.168.10.254
[SW1]interface Vlanif 200
[SW1-Vlanif200]dhcp select relay 
[SW1-Vlanif200]dhcp relay server-ip 192.168.10.254
[SW1]interface Vlanif 201
[SW1-Vlanif201]dhcp select relay 
[SW1-Vlanif201]dhcp relay server-ip 192.168.10.254

#SW2
[SW2]dhcp enable 
[SW2]interface Vlanif 100
[SW2-Vlanif100]dhcp select relay 
[SW2-Vlanif100]dhcp relay server-ip 192.168.10.254
[SW2]interface Vlanif 200
[SW2-Vlanif200]dhcp select relay 
[SW2-Vlanif200]dhcp relay server-ip 192.168.10.254
[SW2]interface Vlanif 201
[SW2-Vlanif201]dhcp select relay 
[SW2-Vlanif201]dhcp relay server-ip 192.168.10.254

Command to exclude addresses already in use (run it in each pool):
[DHCP Server-ip-pool-AP]excluded-ip-address xx.xx.xx.xx

verify:

3.3.4.2 FTP server deployment

Just find a directory and start it

3.3.5 WLAN network deployment 

3.3.5.1 WLAN basic parameter planning

Configuration process:

#AC1
[AC1]capwap source interface LoopBack 0
[AC1]wlan
[AC1-wlan-view]ap-group name huawei
[AC1-wlan-ap-group-huawei]quit 
[AC1-wlan-view]ap auth-mode mac-auth 
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc52-7250
[AC1-wlan-ap-1]ap-name AP1
[AC1-wlan-ap-1]ap-group huawei
[AC1-wlan-view]regulatory-domain-profile name huawei
[AC1-wlan-regulate-domain-huawei]country-code CN
[AC1-wlan-view]ssid-profile name huawei
[AC1-wlan-ssid-prof-huawei]ssid Huawei-ICT2020
[AC1-wlan-view]security-profile name huawei
[AC1-wlan-sec-prof-huawei]security wpa-wpa2 psk pass-phrase Huawei-ICT2020 aes-tkip
[AC1-wlan-view]vap-profile name huawei
[AC1-wlan-vap-prof-huawei]service-vlan vlan 201
[AC1-wlan-vap-prof-huawei]ssid-profile huawei
[AC1-wlan-vap-prof-huawei]security-profile huawei
[AC1-wlan-view]ap-group name huawei
[AC1-wlan-ap-group-huawei]regulatory-domain-profile huawei
[AC1-wlan-ap-group-huawei]vap-profile huawei wlan 1 radio all 

#AC2
[AC2]capwap source interface LoopBack 0
[AC2]wlan
[AC2-wlan-view]ap-group name huawei
[AC2-wlan-ap-group-huawei]quit 
[AC2-wlan-view]ap auth-mode mac-auth 
[AC2-wlan-view]ap-id 1 ap-mac 00e0-fc52-7250
[AC2-wlan-ap-1]ap-name AP1
[AC2-wlan-ap-1]ap-group huawei
[AC2-wlan-view]regulatory-domain-profile name huawei
[AC2-wlan-regulate-domain-huawei]country-code CN
[AC2-wlan-view]ssid-profile name huawei
[AC2-wlan-ssid-prof-huawei]ssid Huawei-ICT2020
[AC2-wlan-view]security-profile name huawei
[AC2-wlan-sec-prof-huawei]security wpa-wpa2 psk pass-phrase Huawei-ICT2020 aes-tkip
[AC2-wlan-view]vap-profile name huawei
[AC2-wlan-vap-prof-huawei]service-vlan vlan 201
[AC2-wlan-vap-prof-huawei]ssid-profile huawei
[AC2-wlan-vap-prof-huawei]security-profile huawei
[AC2-wlan-view]ap-group name huawei
[AC2-wlan-ap-group-huawei]regulatory-domain-profile huawei
[AC2-wlan-ap-group-huawei]vap-profile huawei wlan 1 radio all 

verify:

3.3.5.2 Wireless radio frequency planning ( this is not perfect, students who know more can share it )
  1. Carry out unified planning for radio frequency resources under the AP group.
  2. Set the 2.4GHz channel bandwidth to 40MHz, and use channels 1 and 5 for channel bonding.
  3. Set the channel bandwidth of the first 5GHz RF port to 80MHz, and use channels 36~48 for channel bonding.
  4. Set the channel bandwidth of the second 5GHz RF port to 80MHz, and use channels 149~161 for channel bonding. 

Configuration process:

#AC2
[AC2]wlan 
[AC2-wlan-view]rrm-profile name huawei
[AC2-wlan-rrm-prof-huawei]calibrate auto-channel-select disable
[AC2-wlan-rrm-prof-huawei]calibrate auto-txpower-select disable 
[AC2-wlan-view]air-scan-profile name huawei
[AC2-wlan-air-scan-prof-huawei]scan-channel-set country-channel 
[AC2-wlan-air-scan-prof-huawei]scan-period 80
[AC2-wlan-air-scan-prof-huawei]scan-interval 80000
[AC2-wlan-view]radio-2g-profile name huawei
[AC2-wlan-radio-2g-prof-huawei]rrm-profile huawei
[AC2-wlan-radio-2g-prof-huawei]air-scan-profile huawei
[AC2-wlan-view]radio-5g-profile name huawei
[AC2-wlan-radio-5g-prof-huawei]rrm-profile huawei
[AC2-wlan-radio-5g-prof-huawei]air-scan-profile huawei
[AC2-wlan-view]ap-group name huawei
[AC2-wlan-ap-group-huawei]radio-2g-profile huawei radio 0
[AC2-wlan-ap-group-huawei]radio-5g-profile huawei radio 1
[AC2-wlan-ap-group-huawei]radio-5g-profile huawei radio 2

3.3.5.3 AC dual-machine hot standby 
  1. Deploy dual-link backup, making AC1 the active AC and AC2 the backup AC.
  2. Deploy dual-machine hot backup, and the active and standby ACs can synchronize AP information and STA information. 

Configuration process: When configuring active and standby here, follow the addresses required by the question. I finished it and was too lazy to change it.

#AC1
[AC1]wlan
[AC1-wlan-view]ac protect enable 
[AC1-wlan-view]ac protect protect-ac 22.22.22.22 priority 0
[AC1-wlan-view]ap-reset all
[AC1]hsb-service 0
[AC1-hsb-service-0]service-ip-port local-ip 21.21.21.21 peer-ip 22.22.22.22 local-data-port 10241 peer-data-port 10241
[AC1]hsb-service-type ap hsb-service 0
[AC1]hsb-service-type access-user hsb-service 0

#AC2
[AC2]wlan
[AC2-wlan-view]ac protect enable 
[AC2-wlan-view]ac protect protect-ac 21.21.21.21 priority 1
[AC2-wlan-view]ap-reset all
[AC2]hsb-service 0
[AC2-hsb-service-0]service-ip-port local-ip 22.22.22.22 peer-ip 21.21.21.21 local-data-port 10241 peer-data-port 10241
[AC2]hsb-service-type ap hsb-service 0
[AC2]hsb-service-type access-user hsb-service 0

verify:


3.3.6 Security policy deployment

3.3.6.1 Security policy deployment for mutual visits within the headquarters
  1. Divide the security zones: assign the VLANIF 203 interface to the Trust zone, the GE1/0/2 interface to the Untrust zone, and the GE1/0/3 interface to the DMZ zone.
  2. In order to allow the FTP server to be accessed by internal PCs, create a security policy named FTP on the firewall that only allows the internal FTP terminals to access the FTP server.

Configuration process:

#FW1
[FW1]firewall zone trust 
[FW1-zone-trust]add interface Vlanif 203
[FW1]firewall zone untrust 
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2
[FW1]firewall zone dmz 
[FW1-zone-dmz]add interface GigabitEthernet 1/0/3
[FW1]security-policy 
[FW1-policy-security]rule name FTP
[FW1-policy-security-rule-FTP]source-zone trust 
[FW1-policy-security-rule-FTP]source-zone untrust 
[FW1-policy-security-rule-FTP]destination-zone dmz
[FW1-policy-security-rule-FTP]source-address 192.168.100.0 mask 255.255.255.0
[FW1-policy-security-rule-FTP]source-address 10.1.37.2 mask 255.255.255.255
[FW1-policy-security-rule-FTP]destination-address 192.168.20.254 mask 255.255.255.255
[FW1-policy-security-rule-FTP]action permit
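
The FTP rule is meant to reach one server only, so the destination mask decides how much of the DMZ the rule actually opens. The script below is an added example (not part of the original write-up) that models how a zone-based security-policy rule is matched (source zone, destination zone, source and destination address, first match wins, default deny) and contrasts a /24 mask on the single server address, which matches every host in 192.168.20.0/24, with the /32 host mask. Zone names and addresses are the page's; the client and DMZ hosts used as test traffic are constructed.

```python
"""Zone-based security-policy matching for the FW1 FTP rule.

Added example, not part of the original write-up. Zones and addresses are
the page's; the hosts used as sample traffic are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set


def net(address: str, mask: str) -> ipaddress.IPv4Network:
    """Huawei 'address mask' form -> network; strict=False tolerates host bits
    (192.168.20.254 mask 255.255.255.0 becomes 192.168.20.0/24)."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


@dataclass
class Rule:
    name: str
    source_zones: Set[str]
    destination_zones: Set[str]
    source_addresses: List[ipaddress.IPv4Network]
    destination_addresses: List[ipaddress.IPv4Network]
    action: str = "permit"

    def matches(self, src_zone: str, dst_zone: str, src_ip: str, dst_ip: str) -> bool:
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return (src_zone in self.source_zones
                and dst_zone in self.destination_zones
                and any(src in n for n in self.source_addresses)
                and any(dst in n for n in self.destination_addresses))


def lookup(rules: List[Rule], src_zone: str, dst_zone: str, src_ip: str, dst_ip: str) -> str:
    """Rules are evaluated top-down; the first match decides, otherwise the
    firewall's default policy (deny) applies."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src_ip, dst_ip):
            return rule.action
    return "deny"


def ftp_rule(destination_mask: str) -> Rule:
    """The page's FTP rule with the destination mask left as a parameter."""
    return Rule(
        name="FTP",
        source_zones={"trust", "untrust"},
        destination_zones={"dmz"},
        source_addresses=[net("192.168.100.0", "255.255.255.0"),
                          net("10.1.37.2", "255.255.255.255")],
        destination_addresses=[net("192.168.20.254", destination_mask)],
    )


def ftp_decision(destination_mask: str, src_ip: str, dst_ip: str, src_zone: str = "trust") -> str:
    return lookup([ftp_rule(destination_mask)], src_zone, "dmz", src_ip, dst_ip)


if __name__ == "__main__":
    # 192.168.100.10 stands in for a headquarters PC, 192.168.20.7 for some other DMZ host.
    for mask in ("255.255.255.0", "255.255.255.255"):
        print(f"mask {mask}: FTP server -> {ftp_decision(mask, '192.168.100.10', '192.168.20.254')},"
              f" other DMZ host -> {ftp_decision(mask, '192.168.100.10', '192.168.20.7')}")
```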

3.3.6.2 Deployment of security policies for communication between the headquarters and branches
  1. In order to realize the intercommunication between the headquarters and branch networks, create security policy Branch_1 on the firewall to allow the headquarters PC to communicate with the PC of branch 1. At the same time, the FTP terminal of branch 1 can also access the FTP server of the headquarters. 

Configuration process:

#FW1
[FW1]security-policy 
[FW1-policy-security]rule name Branch_1
[FW1-policy-security-rule-Branch_1]source-zone local 
[FW1-policy-security-rule-Branch_1]source-zone trust 
[FW1-policy-security-rule-Branch_1]source-zone untrust
[FW1-policy-security-rule-Branch_1]destination-zone local 
[FW1-policy-security-rule-Branch_1]destination-zone trust
[FW1-policy-security-rule-Branch_1]destination-zone untrust
[FW1-policy-security-rule-Branch_1]source-address 192.168.100.0 mask 255.255.255.0
[FW1-policy-security-rule-Branch_1]source-address 200.1.11.2 mask 255.255.255.255
[FW1-policy-security-rule-Branch_1]source-address 10.1.37.0 mask 255.255.255.0
[FW1-policy-security-rule-Branch_1]destination-address 192.168.100.0 mask 255.255.255.0
[FW1-policy-security-rule-Branch_1]destination-address 200.1.11.1 mask 255.255.255.255
[FW1-policy-security-rule-Branch_1]destination-address 10.1.37.0 mask 255.255.255.0
[FW1-policy-security-rule-Branch_1]action permit 
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]service-manage ping permit 

Verification: Come back to verify after configuring MPLS VPN 

 3.4 ISP network deployment

3.4.1 VLAN planning and deployment

        The VLAN planning of the ISP network is shown in Table 3-3.

        Note: In order to ensure network connectivity and avoid layer 2 loop hazards, the switch port only allows specified VLANs to pass. Excess VLANs will affect the overall network stability evaluation.

3.4.2 IP address planning and configuration

        IP address planning is shown in Table 3-1 IP address planning table. Please configure the IP address correctly according to the plan.

Configuration process:

#AR1
[AR1]interface LoopBack 0
[AR1-LoopBack0]ip address 1.1.1.1 32
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 200.1.11.1 30
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 200.1.12.1 30

#AR2
[AR2]interface LoopBack 0
[AR2-LoopBack0]ip address 2.2.2.2 32
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]ip address 200.1.12.2 30
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]ip address 200.1.23.1 30

#AR3
[AR3]interface LoopBack 0
[AR3-LoopBack0]ip address 3.3.3.3 32
[AR3]interface GigabitEthernet 0/0/0
[AR3-GigabitEthernet0/0/0]ip address 200.1.23.2 30
[AR3]interface GigabitEthernet 0/0/1
[AR3-GigabitEthernet0/0/1]ip address 200.1.34.1 30

#AR4
[AR4]interface LoopBack 0
[AR4-LoopBack0]ip address 4.4.4.4 32
[AR4]interface GigabitEthernet 0/0/0
[AR4-GigabitEthernet0/0/0]ip address 200.1.34.2 30
[AR4]interface GigabitEthernet 0/0/1
[AR4-GigabitEthernet0/0/1]ip address 200.1.45.1 30

#AR5
[AR5]interface LoopBack 0
[AR5-LoopBack0]ip address 5.5.5.5 32
[AR5]interface GigabitEthernet 0/0/0
[AR5-GigabitEthernet0/0/0]ip address 200.1.45.2 30
[AR5]interface GigabitEthernet 0/0/1
[AR5-GigabitEthernet0/0/1]ip address 200.1.25.1 30

3.4.3 ISP1 network IS-IS deployment

  1. Enable the protocol on the interconnection interfaces between the AR routers in the same ISP area and on their Loopback 0 interfaces.
  2. The IS-IS process number between AR1, AR2, and AR3 in the ISP1 area is 10, and the area is 49.0001. The device System-ID is 0000.0000.000X (X is the router number); for example, the System-ID of AR1 is 0000.0000.0001. All routers are Level-2 routers.
  3. In order to achieve rapid network convergence, so that the routers detect neighbor state changes faster, the dynamic BFD feature is adopted: the minimum sending and receiving intervals are 100 ms and the local detection multiplier is 4.

Configuration process:

#AR1
[AR1]bfd
[AR1]isis 10
[AR1-isis-10]network-entity 49.0001.0000.0000.0001.00
[AR1-isis-10]is-level level-2
[AR1-isis-10]bfd all-interfaces enable 
[AR1]interface LoopBack 0
[AR1-LoopBack0]isis enable 10
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]isis enable 10
[AR1-GigabitEthernet0/0/1]isis bfd enable 
[AR1-GigabitEthernet0/0/1]isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4

#AR2
[AR2]bfd
[AR2]isis 10
[AR2-isis-10]network-entity 49.0001.0000.0000.0002.00
[AR2-isis-10]is-level level-2
[AR2-isis-10]bfd all-interfaces enable 
[AR2]interface LoopBack 0
[AR2-LoopBack0]isis enable 10
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]isis enable 10
[AR2-GigabitEthernet0/0/0]isis bfd enable 
[AR2-GigabitEthernet0/0/0]isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]isis enable 10
[AR2-GigabitEthernet0/0/1]isis bfd enable 
[AR2-GigabitEthernet0/0/1]isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4

#AR3
[AR3]bfd
[AR3]isis 10
[AR3-isis-10]network-entity 49.0001.0000.0000.0003.00
[AR3-isis-10]is-level level-2
[AR3-isis-10]bfd all-interfaces enable 
[AR3]interface LoopBack 0
[AR3-LoopBack0]isis enable 10
[AR3]interface GigabitEthernet 0/0/0
[AR3-GigabitEthernet0/0/0]isis enable 10
[AR3-GigabitEthernet0/0/0]isis bfd enable
[AR3-GigabitEthernet0/0/0]isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4

Verification:

3.4.4 ISP2 network IS-IS deployment

  1. IS-IS is enabled on the interconnection interfaces and on Loopback 0 of the AR routers within the same ISP area.
  2. In the ISP2 area this means the AR4-AR5 interconnection interfaces and the Loopback 0 of both routers.
  3. The IS-IS process ID shared by AR4 and AR5 in the ISP2 area is 20 and the area is 49.0002. The System-ID of each device is 0000.0000.000X (X is the router number); for example, the System-ID of AR4 is 0000.0000.0004. All routers are Level-2 routers.
  4. To speed up convergence, the routers use dynamic BFD to detect neighbour state changes faster. The minimum send and receive intervals are 100 ms and the local detection multiplier is 4.

Configuration process:

#AR4
[AR4]bfd
[AR4]isis 20
[AR4-isis-20]network-entity 49.0002.0000.0000.0004.00
[AR4-isis-20]is-level level-2
[AR4-isis-20]bfd all-interfaces enable 
[AR4]interface LoopBack 0
[AR4-LoopBack0]isis enable 20
[AR4]interface GigabitEthernet 0/0/1
[AR4-GigabitEthernet0/0/1]isis enable 20
[AR4-GigabitEthernet0/0/1]isis bfd enable	
[AR4-GigabitEthernet0/0/1]isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4

#AR5
[AR5]bfd 
[AR5]isis 20
[AR5-isis-20]network-entity 49.0002.0000.0000.0005.00
[AR5-isis-20]is-level level-2
[AR5-isis-20]bfd all-interfaces enable 
[AR5]interface LoopBack 0	
[AR5-LoopBack0]isis enable 20
[AR5]interface GigabitEthernet 0/0/0
[AR5-GigabitEthernet0/0/0]isis enable 20
[AR5-GigabitEthernet0/0/0]isis bfd enable 
[AR5-GigabitEthernet0/0/0]isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4
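A configuration check for the two IS-IS/BFD sections above (3.4.3 and 3.4.4), added here as a Python example; it is not code from the page or from Huawei. It parses prompt-style VRP lines exactly as they are written in this article and checks each router against the stated requirements: NET of the form 49.&lt;area&gt;.0000.0000.000X.00, Level-2 only, global BFD, and 100/100/4 BFD timers on every IS-IS-enabled physical interface. The AR1 sample is transcribed from this page; the AR4 sample is a deliberately wrong variant (ISP1 area, timers missing) constructed to show what a failed check looks like.

```python
import re

# Transcribed from this page (AR1, ISP1).
AR1_CFG = """
[AR1]bfd
[AR1]isis 10
[AR1-isis-10]network-entity 49.0001.0000.0000.0001.00
[AR1-isis-10]is-level level-2
[AR1-isis-10]bfd all-interfaces enable
[AR1]interface LoopBack 0
[AR1-LoopBack0]isis enable 10
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]isis enable 10
[AR1-GigabitEthernet0/0/1]isis bfd enable
[AR1-GigabitEthernet0/0/1]isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4
"""

# Constructed, intentionally wrong: AR4 is in ISP2 (area 49.0002) and the
# BFD timer line on G0/0/1 has been left out.
BAD_AR4_CFG = """
[AR4]bfd
[AR4]isis 20
[AR4-isis-20]network-entity 49.0001.0000.0000.0004.00
[AR4-isis-20]is-level level-2
[AR4-isis-20]bfd all-interfaces enable
[AR4]interface LoopBack 0
[AR4-LoopBack0]isis enable 20
[AR4]interface GigabitEthernet 0/0/1
[AR4-GigabitEthernet0/0/1]isis enable 20
[AR4-GigabitEthernet0/0/1]isis bfd enable
"""

BFD_TIMERS = "isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4"


def parse(cfg):
    """Split prompt-style VRP lines into a 'global' section and one section per interface.

    A prompt without a dash ("[AR1]") means we are back in system view; a line that
    starts with "interface " opens a new interface section. Lines typed in protocol
    views ("[AR1-isis-10]...") are kept with the global section.
    """
    sections = {"global": []}
    current = "global"
    for raw in cfg.strip().splitlines():
        m = re.match(r"\[([^\]]*)\](.*)", raw.strip())
        if not m:
            continue
        prompt, line = m.group(1), m.group(2).strip()
        if "-" not in prompt:
            current = "global"
        if line.startswith("interface "):
            current = line[len("interface "):]
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def check_isis_bfd(cfg, router_num, process_id, area):
    """Return a list of findings; an empty list means the router meets the requirements."""
    s = parse(cfg)
    g = s["global"]
    findings = []
    if "bfd" not in g:
        findings.append("global: bfd not enabled")
    if f"isis {process_id}" not in g:
        findings.append(f"global: isis process {process_id} missing")
    want_net = f"49.{area}.0000.0000.{router_num:04d}.00"
    nets = [l.split()[1] for l in g if l.startswith("network-entity ")]
    if nets != [want_net]:
        findings.append(f"global: network-entity {nets} != {want_net}")
    if "is-level level-2" not in g:
        findings.append("global: is-level level-2 missing")
    if "bfd all-interfaces enable" not in g:
        findings.append("global: bfd all-interfaces enable missing")
    for name, lines in s.items():
        if name == "global":
            continue
        if f"isis enable {process_id}" not in lines:
            findings.append(f"{name}: isis enable {process_id} missing")
            continue
        if name.startswith("LoopBack"):
            continue  # no neighbour on a loopback, so no BFD session to configure
        if "isis bfd enable" not in lines:
            findings.append(f"{name}: isis bfd enable missing")
        if BFD_TIMERS not in lines:
            findings.append(f"{name}: BFD timers are not 100/100/4")
    return findings


if __name__ == "__main__":
    print("AR1:", check_isis_bfd(AR1_CFG, 1, 10, "0001") or "OK")
    print("AR4:", check_isis_bfd(BAD_AR4_CFG, 4, 20, "0002") or "OK")
```

On the device itself the same facts are read from `display isis peer` (neighbours in Up state) and `display bfd session all` (one session per IS-IS interface); the script only confirms that what was typed matches the task statement before those sessions are expected to come up.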

Verification:

3.4.5 Headquarters ISP1/ISP2 BGP deployment

  1. All routers in the ISPs run BGP. AR1, AR2 and AR3 establish full-mesh IBGP neighbour relationships using Loopback 0; their AS number is 100.
  2. AR4 and AR5 are IBGP neighbours, also peering between Loopback 0 addresses; their AS number is 200.
  3. AR3 and AR4 establish an EBGP neighbour relationship over their directly connected interfaces.
  4. AR1 and FW1, and AR5 and FW2, are EBGP neighbours peering over directly connected interfaces. The AS number of FW1 is 64512 and the AS number of FW2 is 64513.

Configuration process:

#AR1
[AR1]bgp 100
[AR1-bgp]peer 2.2.2.2 as-number 100
[AR1-bgp]peer 3.3.3.3 as-number 100
[AR1-bgp]peer 200.1.11.2 as-number 64512
[AR1-bgp]peer 2.2.2.2 connect-interface LoopBack 0
[AR1-bgp]peer 3.3.3.3 connect-interface LoopBack 0

#AR2
[AR2]bgp 100
[AR2-bgp]peer 1.1.1.1 as-number 100
[AR2-bgp]peer 3.3.3.3 as-number 100
[AR2-bgp]peer 1.1.1.1 connect-interface LoopBack 0
[AR2-bgp]peer 3.3.3.3 connect-interface LoopBack 0

#AR3
[AR3]bgp 100
[AR3-bgp]peer 1.1.1.1 as-number 100
[AR3-bgp]peer 2.2.2.2 as-number 100
[AR3-bgp]peer 200.1.34.2 as-number 200
[AR3-bgp]peer 1.1.1.1 connect-interface LoopBack 0
[AR3-bgp]peer 2.2.2.2 connect-interface LoopBack 0

#AR4
[AR4]bgp 200
[AR4-bgp]peer 5.5.5.5 as-number 200
[AR4-bgp]peer 5.5.5.5 connect-interface LoopBack 0
[AR4-bgp]peer 200.1.34.1 as-number 100

#AR5
[AR5]bgp 200
[AR5-bgp]peer 4.4.4.4 as-number 200
[AR5-bgp]peer 4.4.4.4 connect-interface LoopBack 0
[AR5-bgp]peer 200.1.25.2 as-number 64513

#FW1
[FW1]bgp 64512
[FW1-bgp]peer 200.1.11.1 as-number 100

#FW2
[FW2]bgp 64513	
[FW2-bgp]peer 200.1.25.1 as-number 200

Verification:

3.4.6 ISP1/ISP2 MPLS BGP VPN deployment

  1. The BGP MPLS VPN Option B (inter-AS) solution is used between ISP1 and ISP2 to exchange VPN routes.
  2. Label distribution inside each ISP uses LDP; the LSR-ID of every device is its Loopback 0 address.
  3. Headquarters and branches belong to the same VPN instance, named ict2020. The RD value at headquarters and branches is 100:1, and both the import and export RT are 100:1.
  4. On all CE devices, import only the routes that are needed into BGP, so that the FTP terminals at each site can reach the headquarters FTP server.

Configuration process:

MPLS configuration
#AR1
[AR1]mpls lsr-id 1.1.1.1
[AR1]mpls 
[AR1]mpls ldp
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]mpls
[AR1-GigabitEthernet0/0/1]mpls ldp

#AR2
[AR2]mpls lsr-id 2.2.2.2
[AR2]mpls
[AR2]mpls ldp
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]mpls
[AR2-GigabitEthernet0/0/0]mpls ldp
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]mpls
[AR2-GigabitEthernet0/0/1]mpls ldp

#AR3
[AR3]mpls lsr-id 3.3.3.3
[AR3]mpls
[AR3]mpls ldp
[AR3]interface GigabitEthernet 0/0/0
[AR3-GigabitEthernet0/0/0]mpls 
[AR3-GigabitEthernet0/0/0]mpls ldp
[AR3]interface GigabitEthernet 0/0/1
[AR3-GigabitEthernet0/0/1]mpls

#AR4
[AR4]mpls lsr-id 4.4.4.4
[AR4]mpls
[AR4]mpls ldp
[AR4]interface GigabitEthernet 0/0/1
[AR4-GigabitEthernet0/0/1]mpls
[AR4-GigabitEthernet0/0/1]mpls ldp
[AR4]interface GigabitEthernet 0/0/0
[AR4-GigabitEthernet0/0/0]mpls

#AR5
[AR5]mpls lsr-id 5.5.5.5
[AR5]mpls
[AR5]mpls ldp
[AR5]interface GigabitEthernet 0/0/0
[AR5-GigabitEthernet0/0/0]mpls
[AR5-GigabitEthernet0/0/0]mpls ldp

Option B configuration
#AR1
[AR1]ip vpn-instance ict2020
[AR1-vpn-instance-ict2020]route-distinguisher 100:1
[AR1-vpn-instance-ict2020-af-ipv4]vpn-target 100:1 both 
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip binding vpn-instance ict2020
[AR1-GigabitEthernet0/0/0]ip address 200.1.11.1 30
[AR1]bgp 100
[AR1-bgp]ipv4-family vpn-instance ict2020
[AR1-bgp-ict2020]peer 200.1.11.2 as-number 64512
[AR1-bgp]ipv4-family vpnv4
[AR1-bgp-af-vpnv4]peer 3.3.3.3 enable 
[AR1-bgp-af-vpnv4]peer 3.3.3.3 next-hop-local

#AR3
[AR3]bgp 100
[AR3-bgp]ipv4-family vpnv4
[AR3-bgp-af-vpnv4]undo policy vpn-target 
[AR3-bgp-af-vpnv4]peer 1.1.1.1 enable 
[AR3-bgp-af-vpnv4]peer 1.1.1.1 next-hop-local
[AR3-bgp-af-vpnv4]peer 200.1.34.2 enable 

#AR4
[AR4]bgp 200
[AR4-bgp]ipv4-family vpnv4 
[AR4-bgp-af-vpnv4]undo policy vpn-target 
[AR4-bgp-af-vpnv4]peer 5.5.5.5 enable 
[AR4-bgp-af-vpnv4]peer 5.5.5.5 next-hop-local
[AR4-bgp-af-vpnv4]peer 200.1.34.1 enable 

#AR5
[AR5]ip vpn-instance ict2020
[AR5-vpn-instance-ict2020]route-distinguisher 100:1
[AR5-vpn-instance-ict2020-af-ipv4]vpn-target 100:1 both 
[AR5]interface GigabitEthernet 0/0/1
[AR5-GigabitEthernet0/0/1]ip binding vpn-instance ict2020
[AR5-GigabitEthernet0/0/1]ip address 200.1.25.1 30
[AR5]bgp 200
[AR5-bgp]ipv4-family vpn-instance ict2020
[AR5-bgp-ict2020]peer 200.1.25.2 as-number 64513
[AR5-bgp]ipv4-family vpnv4
[AR5-bgp-af-vpnv4]peer 4.4.4.4 enable 
[AR5-bgp-af-vpnv4]peer 4.4.4.4 next-hop-local

CE route import
#FW1
[FW1]bgp 64512
[FW1-bgp]network 192.168.100.0 24
[FW1-bgp]network 192.168.20.0 24

#FW2
[FW2]bgp 64513
[FW2-bgp]network 10.1.37.0 24
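Two things in the Option B configuration above deserve a closer look. First, once G0/0/0 on AR1 and G0/0/1 on AR5 are bound to vpn-instance ict2020, the EBGP peers to FW1 and FW2 only work under `ipv4-family vpn-instance ict2020`; the same peers defined in the plain BGP view in 3.4.5 belong to the public instance, have no route to the CE, and stay Idle, so they can be removed. Second, AR3 and AR4 hold VPNv4 routes without owning any VPN instance, which is why they need `undo policy vpn-target`: with the default RT filter an ASBR drops every VPNv4 route whose RT matches no local VPN instance. The model below walks the headquarters prefix from AR1 to AR5 and shows that drop. It is an added Python illustration, not code from the page or from Huawei; the prefix, RD/RT and addresses are the page's, while the label values and the simplified receive/advertise rules are assumptions made for the model, not captured device output.

```python
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: frozenset   # extended-community route targets carried with the route
    next_hop: str
    label: int       # VPN label the next hop expects on incoming packets


@dataclass
class Router:
    name: str
    loopback: str
    vrf_rts: set                     # import RTs of local VPN instances (empty on an ASBR)
    policy_vpn_target: bool = True   # VRP default; "undo policy vpn-target" sets False
    label_counter: int = 1000        # assumed label base, one per router
    table: dict = field(default_factory=dict)

    def receive(self, route):
        """Ingress rule: keep the route only if an RT matches a local VPN instance,
        or if RT filtering was disabled with "undo policy vpn-target"."""
        if self.policy_vpn_target and not (route.rts & self.vrf_rts):
            return False
        self.table[(route.rd, route.prefix)] = route
        return True

    def advertise(self, route, new_next_hop):
        """Option B ASBR behaviour when it sets itself as next hop (EBGP, or IBGP with
        next-hop-local): allocate a new label so it can swap on the data path."""
        self.label_counter += 1
        return replace(route, next_hop=new_next_hop, label=self.label_counter)


def propagate(undo_policy_vpn_target):
    """Carry 192.168.100.0/24 (FW1 behind AR1) to AR5; returns (hops, reached_pe2)."""
    pe1 = Router("AR1", "1.1.1.1", {"100:1"})
    asbr1 = Router("AR3", "3.3.3.3", set(), policy_vpn_target=not undo_policy_vpn_target,
                   label_counter=3000)
    asbr2 = Router("AR4", "4.4.4.4", set(), policy_vpn_target=not undo_policy_vpn_target,
                   label_counter=4000)
    pe2 = Router("AR5", "5.5.5.5", {"100:1"})

    # PE AR1 originates the route with RD/RT 100:1, next hop its loopback, label 1024 (assumed).
    route = Vpnv4Route("100:1", "192.168.100.0/24", frozenset({"100:1"}), pe1.loopback, 1024)
    hops = [route]

    if not asbr1.receive(route):            # AR1 -> AR3 over IBGP VPNv4
        return hops, False
    route = asbr1.advertise(route, "200.1.34.1")   # AR3 -> AR4 over the EBGP link
    hops.append(route)

    if not asbr2.receive(route):
        return hops, False
    route = asbr2.advertise(route, asbr2.loopback)  # AR4 -> AR5, "peer 5.5.5.5 next-hop-local"
    hops.append(route)

    return hops, pe2.receive(route)          # AR5 imports because RT 100:1 matches ict2020


if __name__ == "__main__":
    for flag in (False, True):
        hops, ok = propagate(flag)
        print("undo policy vpn-target" if flag else "default RT filter",
              "->", "reached AR5" if ok else f"dropped at hop {len(hops)}",
              [(r.next_hop, r.label) for r in hops])
```

With the default filter the route dies at AR3 and `display bgp vpnv4 all routing-table` on the ASBRs shows nothing for 192.168.100.0/24; with `undo policy vpn-target` it arrives at AR5 with next hop 4.4.4.4 and a label AR4 allocated. The flip side is that an ASBR with RT filtering disabled accepts every VPNv4 route its peer ASBR sends, so in a real inter-provider deployment the AR3-AR4 session should be authenticated and given an RT-based import policy rather than left open as it is in this exercise.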

Verification:

3.5 Branch 1 network deployment

3.5.1 VLAN planning and deployment

        The VLAN planning of the Branch 1 network is shown in Table 3-3.

        Note: To guarantee connectivity and avoid Layer 2 loop hazards, switch ports allow only the specified VLANs to pass. Extra VLANs will count against the overall network stability assessment.

Configuration process:

#SW5
[SW5]vlan batch 27 37
[SW5]interface GigabitEthernet 0/0/1
[SW5-GigabitEthernet0/0/1]port link-type access
[SW5-GigabitEthernet0/0/1]port default vlan 27
[SW5]port-group group-member GigabitEthernet 0/0/2 GigabitEthernet 0/0/3
[SW5-port-group]port link-type access
[SW5-port-group]port default vlan 37

3.5.2 IP address planning and configuration

        IP address planning is shown in Table 3-1 IP address planning table. Please configure the IP address correctly according to the plan.

Configuration process:

#FW2
[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]ip address 200.1.25.2 30
[FW2]interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]ip address 10.1.27.1 30

#SW5
[SW5]interface Vlanif 27
[SW5-Vlanif27]ip address 10.1.27.2 30
[SW5]interface vlanif 37
[SW5-Vlanif37]ip address 10.1.37.1 24

3.5.3 DHCP address pool deployment

  1. Deploy a DHCP address pool in interface mode on SW5 to serve the PCs in Branch 1.
  2. The DHCP pool uses the 10.1.37.0/24 segment, the gateway address is 10.1.37.1, and 10.1.37.2 is excluded from the pool.

Configuration process:

#SW5
[SW5]dhcp enable 
[SW5]interface Vlanif 37
[SW5-Vlanif37]dhcp select interface 
[SW5-Vlanif37]dhcp server excluded-ip-address 10.1.37.2

Verification:

3.5.4 Static route deployment

  1. Configure static routes inside Branch 1 so that its PCs and FTP terminals can reach the headquarters network.

Configuration process:

#FW2
[FW2]ip route-static 0.0.0.0 0 200.1.25.1
[FW2]ip route-static 10.1.37.0 24 10.1.27.2

#SW5
[SW5]ip route-static 0.0.0.0 0 10.1.27.1

3.5.5 Security policy deployment

3.5.5.1 Security policy for interconnection between the branch and headquarters

Configuration process:

#FW2
[FW2]security-policy 
[FW2-policy-security]rule name Branch_1
[FW2-policy-security-rule-Branch_1]source-zone local 
[FW2-policy-security-rule-Branch_1]source-zone trust 
[FW2-policy-security-rule-Branch_1]source-zone untrust
[FW2-policy-security-rule-Branch_1]destination-zone local 
[FW2-policy-security-rule-Branch_1]destination-zone trust
[FW2-policy-security-rule-Branch_1]destination-zone untrust
[FW2-policy-security-rule-Branch_1]source-address 192.168.100.0 mask 255.255.255.0
[FW2-policy-security-rule-Branch_1]source-address 200.1.25.2 mask 255.255.255.255
[FW2-policy-security-rule-Branch_1]source-address 10.1.27.0 mask 255.255.255.0
[FW2-policy-security-rule-Branch_1]source-address 10.1.37.0 mask 255.255.255.0
[FW2-policy-security-rule-Branch_1]destination-address 192.168.100.0 mask 255.255.255.0
[FW2-policy-security-rule-Branch_1]destination-address 200.1.25.1 mask 255.255.255.255
[FW2-policy-security-rule-Branch_1]destination-address 10.1.27.0 mask 255.255.255.0
[FW2-policy-security-rule-Branch_1]destination-address 10.1.37.0 mask 255.255.255.0
[FW2-policy-security-rule-Branch_1]action permit 
[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]service-manage ping permit 
[FW2]interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]service-manage ping permit 
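What the Branch_1 rule above actually permits is easier to see when the rule is evaluated against concrete flows. The Python model below is an added example, not the page's configuration or USG code; it transcribes the rule's zones and address sets, applies the USG lookup order (first matching rule wins, otherwise the default deny), and assumes a zone layout the page does not show: FW2's own interface addresses are the local zone, G1/0/1 towards SW5 is trust, and everything reached through the default route via AR5 is untrust. The test flows are constructed.

```python
import ipaddress

# Assumed zone layout (the page does not list the zone assignments).
FW2_LOCAL = {"200.1.25.2", "10.1.27.1"}           # FW2's own interface addresses
TRUST_NETS = [ipaddress.ip_network(n) for n in ("10.1.27.0/30", "10.1.37.0/24")]


def zone_for(ip):
    """local for the firewall's own addresses, trust for branch-side networks,
    untrust for anything that leaves via AR5 (default route)."""
    if ip in FW2_LOCAL:
        return "local"
    addr = ipaddress.ip_address(ip)
    return "trust" if any(addr in n for n in TRUST_NETS) else "untrust"


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


# rule name Branch_1, transcribed from the FW2 security-policy above.
RULE_BRANCH_1 = {
    "name": "Branch_1",
    "source_zones": {"local", "trust", "untrust"},
    "dest_zones": {"local", "trust", "untrust"},
    "source_addrs": ["192.168.100.0/24", "200.1.25.2/32", "10.1.27.0/24", "10.1.37.0/24"],
    "dest_addrs": ["192.168.100.0/24", "200.1.25.1/32", "10.1.27.0/24", "10.1.37.0/24"],
    "action": "permit",
}


def first_packet_permitted(src, dst, rules=(RULE_BRANCH_1,)):
    """Policy lookup for the first packet of a flow: first matching rule decides;
    no match falls through to the default action, which is deny."""
    sz, dz = zone_for(src), zone_for(dst)
    for r in rules:
        if (sz in r["source_zones"] and dz in r["dest_zones"]
                and _in_any(src, r["source_addrs"]) and _in_any(dst, r["dest_addrs"])):
            return r["action"] == "permit"
    return False


def session_allowed(initiator, responder):
    """Stateful view: only the initiator's first packet is policy-checked; the
    reply direction is matched by the session table, so who opens the
    connection decides whether the conversation exists at all."""
    return first_packet_permitted(initiator, responder)


# Constructed flows: FW2<->AR5 BGP, branch PC to HQ FTP server, branch PC to the internet.
CASES = [
    ("200.1.25.2", "200.1.25.1"),        # FW2 opens TCP/179 to AR5
    ("200.1.25.1", "200.1.25.2"),        # AR5 opens TCP/179 to FW2
    ("10.1.37.10", "192.168.100.100"),   # branch PC -> HQ FTP server
    ("192.168.100.100", "10.1.37.10"),   # HQ host -> branch PC
    ("10.1.37.10", "8.8.8.8"),           # branch PC -> internet
]


def evaluate(cases=CASES):
    """Map each initiator->responder pair to whether FW2 lets the session start."""
    return {f"{a}->{b}": session_allowed(a, b) for a, b in cases}


if __name__ == "__main__":
    for flow, allowed in evaluate().items():
        print(f"{flow:36} {'permit' if allowed else 'deny'}")
```

Two points follow from the output. The BGP session to AR5 comes up only when FW2 initiates it, because 200.1.25.1 appears in the rule as a destination but not as a source; it works in the exercise since FW2 keeps retrying, but a rule that names the peer on both sides is less surprising. More generally the rule lists every zone on both sides and no service, so it is effectively "these addresses may talk to each other on any port in any direction"; for a production branch firewall you would split it into per-zone-pair rules that permit only BGP to the peer and FTP to the headquarters server. `service-manage ping permit` on the two interfaces separately allows ICMP to the interface addresses themselves for connectivity checks.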

Source: blog.csdn.net/qq_45744971/article/details/133420762