HCL basic lab (VRRP + MSTP + OSPF + IPsec VPN + link aggregation)

SW1

system-view
 sysname SW1
 vlan 10
 vlan 20
 vlan 30
 vlan 40
 vlan 100 // added: VLAN 100 is used by Vlan-interface100 and g1/0/4 below but was never created in the original
 quit
 stp region-configuration
  region-name mstp
  instance 1 vlan 10 30
  instance 2 vlan 20 40
  active region-configuration
 stp instance 1 root primary
 stp instance 2 root secondary
 stp global enable
 interface Bridge-Aggregation1
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface Vlan-interface10
  ip address 192.168.10.1 255.255.255.0
  vrrp vrid 10 virtual-ip 192.168.10.254
  vrrp vrid 10 priority 254
  vrrp vrid 10 preempt-mode delay 5
 interface Vlan-interface20
  ip address 192.168.20.1 255.255.255.0
  vrrp vrid 20 virtual-ip 192.168.20.254
  vrrp vrid 20 preempt-mode delay 5
 interface Vlan-interface30
  ip address 192.168.30.1 255.255.255.0
  vrrp vrid 30 virtual-ip 192.168.30.254
  vrrp vrid 30 priority 254
  vrrp vrid 30 preempt-mode delay 5
 interface Vlan-interface40
  ip address 192.168.40.1 255.255.255.0
  vrrp vrid 40 virtual-ip 192.168.40.254
  vrrp vrid 40 preempt-mode delay 5
 interface Vlan-interface100
  ip address 100.1.1.1 255.255.255.0
 interface GigabitEthernet1/0/1
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/2
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/3
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/4
  port access vlan 100
 interface GigabitEthernet1/0/47
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
  port link-aggregation group 1
 interface GigabitEthernet1/0/48
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
  port link-aggregation group 1
 ospf 1
  area 0.0.0.0
   network 100.1.1.0 0.0.0.255
   network 192.168.10.0 0.0.0.255
   network 192.168.20.0 0.0.0.255
   network 192.168.30.0 0.0.0.255
   network 192.168.40.0 0.0.0.255

SW2

system-view
 sysname SW2
 vlan 10
 vlan 20
 vlan 30
 vlan 40
 vlan 101
 stp region-configuration
  region-name mstp
  instance 1 vlan 10 30
  instance 2 vlan 20 40
  active region-configuration
 stp instance 1 root secondary
 stp instance 2 root primary
 stp global enable
 interface Bridge-Aggregation1
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface Vlan-interface10
  ip address 192.168.10.2 255.255.255.0
  vrrp vrid 10 virtual-ip 192.168.10.254
  vrrp vrid 10 preempt-mode delay 5
 interface Vlan-interface20
  ip address 192.168.20.2 255.255.255.0
  vrrp vrid 20 virtual-ip 192.168.20.254
  vrrp vrid 20 priority 254
  vrrp vrid 20 preempt-mode delay 5
 interface Vlan-interface30
  ip address 192.168.30.2 255.255.255.0
  vrrp vrid 30 virtual-ip 192.168.30.254
  vrrp vrid 30 preempt-mode delay 5
 interface Vlan-interface40
  ip address 192.168.40.2 255.255.255.0
  vrrp vrid 40 virtual-ip 192.168.40.254
  vrrp vrid 40 priority 254
  vrrp vrid 40 preempt-mode delay 5
 interface Vlan-interface101
  ip address 101.1.1.1 255.255.255.0
 interface GigabitEthernet1/0/1
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/2
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/3
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/4
  port access vlan 101
 interface GigabitEthernet1/0/47
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
  port link-aggregation group 1
 interface GigabitEthernet1/0/48
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
  port link-aggregation group 1
 ospf 1
  area 0.0.0.0
   network 101.1.1.0 0.0.0.255
   network 192.168.10.0 0.0.0.255 // added: the original omitted VLAN 10, so 192.168.10.0/24 (the VPN subnet) would vanish from OSPF as soon as SW1 failed, even though SW2 takes over the gateway via VRRP
   network 192.168.20.0 0.0.0.255
   network 192.168.30.0 0.0.0.255
   network 192.168.40.0 0.0.0.255

SW3

system-view
 sysname SW3
 vlan 10
 vlan 20
 vlan 30
 vlan 40
 stp region-configuration
  region-name mstp
  instance 1 vlan 10 30
  instance 2 vlan 20 40
  active region-configuration
 stp global enable // added: the region mapping only takes effect with STP running; the original enabled it explicitly on SW1/SW2 only, and SW3 sits on a redundant path between them
 interface GigabitEthernet1/0/1
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/2
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/3
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40

SW4

system-view
 sysname SW4
 vlan 10
 vlan 20
 vlan 30
 vlan 40
 stp region-configuration
  region-name mstp
  instance 1 vlan 10 30
  instance 2 vlan 20 40
  active region-configuration
 stp global enable // added, same reason as on SW3
 interface GigabitEthernet1/0/1
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/2
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/3
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40

SW5

system-view
 sysname SW5
 vlan 10
 vlan 20
 vlan 30
 vlan 40
 stp region-configuration
  region-name mstp
  instance 1 vlan 10 30
  instance 2 vlan 20 40
  active region-configuration
 stp global enable // added, same reason as on SW3
 interface GigabitEthernet1/0/1
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/2
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/3
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40

SW6

system-view
 sysname SW6
 vlan 10
 vlan 20
 vlan 30
 vlan 40
 interface GigabitEthernet1/0/1
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/2
  port access vlan 10

SW7

system-view
 sysname SW7
 vlan 10
 vlan 20
 vlan 30
 vlan 40
 interface GigabitEthernet1/0/1
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/2
  port access vlan 20

SW8

system-view
 sysname SW8
 vlan 10
 vlan 20
 vlan 30
 vlan 40
 interface GigabitEthernet1/0/1
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/2
  port access vlan 30

SW9

system-view
 sysname SW9
 vlan 10
 vlan 20
 vlan 30
 vlan 40
 interface GigabitEthernet1/0/1
  port link-type trunk
  port trunk permit vlan 1 10 20 30 40
 interface GigabitEthernet1/0/2
  port access vlan 40

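The VRRP/MSTP design above gives no protection against a host on an access VLAN becoming the gateway or the spanning-tree root, and a core switch keeps its VRRP master role even when its own uplink to R1 is down. The following hardening is an added example written for this page, not part of the original lab. It assumes the Comware 7 syntax used throughout, that both core switches run VRRPv2 (authentication is a VRRPv2 feature, so `vrrp version 2` is set on both), and uses `K3yVl10` as a placeholder key that must be identical on SW1 and SW2: a switch with a different key ignores the other's advertisements and both become master. SW6 stands in for the four access switches SW6-SW9.

```text
// SW1 (core, VRRP master for VLAN 10/30, MSTP root for instance 1)
system-view
 vrrp version 2
// VRRP in the lab is unauthenticated: any host on VLAN 10 could send a
// priority-255 advertisement and take over the gateway 192.168.10.254.
 interface Vlan-interface10
  vrrp vrid 10 authentication-mode md5 K3yVl10
// If SW1's uplink to R1 (g1/0/4) fails, SW1 still wins VRRP (254 vs 100)
// and blackholes VLAN 10/30. Track the uplink and drop below SW2's priority.
 track 1 interface GigabitEthernet1/0/4
 interface Vlan-interface10
  vrrp vrid 10 track 1 priority reduced 200
 interface Vlan-interface30
  vrrp vrid 30 track 1 priority reduced 200
// VLAN 1 is permitted on every trunk in the lab but carries no user subnet.
 interface Bridge-Aggregation1
  undo port trunk permit vlan 1

// SW2 (core, VRRP master for VLAN 20/40): mirror image, uplink g1/0/4 to R1
system-view
 vrrp version 2
 interface Vlan-interface10
  vrrp vrid 10 authentication-mode md5 K3yVl10
 track 1 interface GigabitEthernet1/0/4
 interface Vlan-interface20
  vrrp vrid 20 track 1 priority reduced 200
 interface Vlan-interface40
  vrrp vrid 40 track 1 priority reduced 200
 interface Bridge-Aggregation1
  undo port trunk permit vlan 1

// SW6 (access, host port g1/0/2 in VLAN 10); repeat on SW7-SW9
system-view
 stp global enable
// A host port never legitimately sends BPDUs: mark it edge and shut it down
// if a BPDU arrives, so a rogue bridge cannot pull the root away.
 stp bpdu-protection
 interface GigabitEthernet1/0/2
  stp edged-port
 interface GigabitEthernet1/0/1
  undo port trunk permit vlan 1
```

Checks: `display vrrp verbose` shows the authentication type and the tracked entry; shutting g1/0/4 on SW1 should make `display vrrp` on SW2 report Master for VRIDs 10 and 30 within the 5 second preempt delay; on SW6, connecting a BPDU-sending device to g1/0/2 shuts the port, which `undo shutdown` re-enables. VRRPv2 MD5 authentication uses an 8-character key and is a guard against accidents rather than a strong control; the real boundary is who is allowed onto the gateway VLANs.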
R1

system-view
 sysname R1
 interface GigabitEthernet0/0
  ip address 200.1.1.1 255.255.255.0
 interface GigabitEthernet0/1
  ip address 100.1.1.2 255.255.255.0
 interface GigabitEthernet0/2
  ip address 101.1.1.2 255.255.255.0
 ospf 1
  area 0.0.0.0
   network 100.1.1.0 0.0.0.255
   network 101.1.1.0 0.0.0.255
   network 200.1.1.0 0.0.0.255

R2

system-view
 sysname R2
 interface GigabitEthernet0/0
  ip address 200.1.1.2 255.255.255.0
 interface GigabitEthernet0/1
  ip address 201.1.1.2 255.255.255.0
 ospf 1
  area 0.0.0.0
   network 200.1.1.0 0.0.0.255
   network 201.1.1.0 0.0.0.255
// The original also listed network 172.16.1.0 0.0.0.255 here; R2 has no interface in that subnet (it belongs to R3), so the line was dead and has been dropped

R3

system-view
 sysname R3
 interface GigabitEthernet0/0
  ip address 201.1.1.3 255.255.255.0
 interface GigabitEthernet0/1
  ip address 172.16.1.254 255.255.255.0
 ospf 1
  area 0.0.0.0
   network 172.16.1.0 0.0.0.255
   network 201.1.1.0 0.0.0.255

IPsec VPN configuration

R1 configuration:
// Interesting traffic: the flows IPsec must protect (VLAN 10 to the R3 LAN)
acl advanced 3000
 rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
quit
// NAT ACL for Internet-bound traffic. The deny rule excludes the VPN flows from NAT: on egress NAT runs before IPsec, so without it the source would already be 200.1.1.1 when the IPsec policy evaluates the packet, ACL 3000 would not match, and the traffic would leave in cleartext (and, because R2 shares the OSPF domain in this lab, would still arrive, so a successful ping alone proves nothing about encryption)
acl advanced 3005
 rule 0 deny ip source 192.168.10.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
 rule 5 permit ip source 192.168.10.0 0.0.0.255
 quit
// Default route from the site gateway towards the public router
ip route-static 0.0.0.0 0 200.1.1.2
// IKE proposal. Every parameter has a default and this lab keeps them, so the proposal view is entered and left immediately. Caveat: the non-FIPS Comware 7 defaults are DES-CBC, HMAC-SHA1 and DH group 1, which are not acceptable outside a lab
ike proposal 1
quit
// Pre-shared key for the peer 201.1.1.3. "123" is a lab value; a real PSK should be long and random
ike keychain r3
 pre-shared-key address 201.1.1.3 key simple 123
quit
// IKE profile: local identity, the proposal, the keychain, and the remote identity it applies to
ike profile r3
 proposal 1
 keychain r3
 local-identity address 200.1.1.1
 match remote identity address 201.1.1.3
quit
// IPsec transform set: security protocol and its authentication and encryption algorithms. HMAC-MD5 and single DES are obsolete and appear here only because the lab uses them
ipsec transform-set r3
 encapsulation-mode tunnel // optional, tunnel mode is the default
 protocol esp // optional, ESP is the default protocol
 esp authentication-algorithm md5
 esp encryption-algorithm des-cbc
quit
// IPsec policy tying the ACL, IKE profile, transform set and peer together
ipsec policy r3 1 isakmp
 security acl 3000
 ike-profile r3
 transform-set r3
 remote-address 201.1.1.3
quit
// Apply the IPsec policy on the public-facing interface g0/0 (200.1.1.1); the original note said g0/1, but g0/1 is the 100.1.1.0/24 link to SW1
interface GigabitEthernet0/0
 ipsec apply policy r3
// Easy IP on g0/0: Internet-bound traffic is translated to the interface address
 nat outbound 3005
R3 configuration:
// R3's IPsec configuration mirrors R1's with the addresses swapped, so it is not commented again
ip route-static 0.0.0.0 0 201.1.1.2
acl advanced 3000
 rule 0 permit ip source 172.16.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
quit
acl advanced 3005
 rule 0 deny ip source 172.16.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 5 permit ip source 172.16.1.0 0.0.0.255
 quit
ike proposal 1
quit
ike keychain r1
 pre-shared-key address 200.1.1.1 key simple 123
quit
ike profile r1
 proposal 1
 keychain r1
 local-identity address 201.1.1.3
 match remote identity address 200.1.1.1
quit
ipsec transform-set r1
 encapsulation-mode tunnel
 protocol esp
 esp authentication-algorithm md5
 esp encryption-algorithm des-cbc
quit
ipsec policy r1 1 isakmp
 security acl 3000
 transform-set r1
 ike-profile r1
 remote-address 200.1.1.1
quit
interface GigabitEthernet0/0
 ipsec apply policy r1
 nat outbound 3005
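The default IKE proposal and the MD5/DES transform set are lab-grade only. Below is an added hardening variant for R1, written for this page rather than taken from the lab; it keeps the page's object names (proposal 1, keychain r3, transform-set r3, policy r3) and assumes the Comware 7 IKEv1 command set used above. `<long-random-psk>` is a placeholder to be replaced by a random secret of at least 20 characters; R3 receives the same changes with the addresses swapped (keychain r1, transform-set r1, policy r1, peer 200.1.1.1).

```text
// R1: replace the default IKE proposal and the MD5/DES transform set
system-view
// Phase 1: AES-256, SHA-256, 2048-bit DH instead of DES / SHA-1 / group 1,
// and an 8 hour IKE SA lifetime instead of the 24 hour default.
 ike proposal 1
  encryption-algorithm aes-cbc-256
  authentication-algorithm sha256
  dh group14
  authentication-method pre-share
  sa duration 28800
 quit
// The PSK "123" from the lab is guessable; the placeholder below must be
// replaced and the identical value configured in R3's keychain r1.
 ike keychain r3
  pre-shared-key address 201.1.1.3 255.255.255.255 key simple <long-random-psk>
 quit
// Phase 2: ESP with AES-256 and SHA-256, plus PFS so a compromised IKE
// key does not expose every IPsec SA derived from it.
 ipsec transform-set r3
  protocol esp
  encapsulation-mode tunnel
  esp encryption-algorithm aes-cbc-256
  esp authentication-algorithm sha256
  pfs dh-group14
 quit
// Shorter IPsec SA lifetime (1 hour); ACL, profile, transform set and
// remote-address stay as configured on the page.
 ipsec policy r3 1 isakmp
  sa duration time-based 3600
 quit
```

Verify with `display ike proposal` (the configured algorithms), `display ike sa verbose` (what was actually negotiated with 201.1.1.3, which must match on both ends or phase 1 fails) and `display ipsec sa` (the transform in use and the ESP packet counters). Because R2 participates in the lab's OSPF, traffic that escapes the tunnel still reaches 172.16.1.0/24, so the ESP counters in `display ipsec sa`, or a capture on the R1-R2 link in HCL, are the only evidence that VLAN 10 traffic is actually encrypted.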