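Shandong Province Vocational College Skills Competition, Higher Vocational Group, "Network System Management" Event: Sample Task Module A Answers (Unofficial)

Date: 2022-02-22 01:08:01

Address plan table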

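(I) Basic network information configuration

1. Configure the device interface information according to the topology diagram in Appendix 1 and the address plan table in Appendix 2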

S1:
vlan 20
name Xiaoshou
int vlan 20
ip address 192.1.20.254 255.255.255.0
description 销售部

vlan 30
name Caiwu
int vlan 30
ip address 192.1.30.254 255.255.255.0
description 财务部

vlan 100
name Manage 
int vlan 100
ip address 192.1.100.254 255.255.255.0
description 管理与互联VLAN

interface gi 1/0/1
no switchport
ip address 10.1.0.9 255.255.255.252
description AG1

interface gi 2/0/1
no switchport 
ip address 10.1.0.9 255.255.255.252
description AG1

interface gi 1/0/2
switchport mode trunk 
description AG2

interface gi 2/0/2
switchport mode trunk 
description AG2

interface gi 1/0/3
switchport mode trunk 
description AG3

interface gi 2/0/3
switchport mode trunk 
description AG3

interface gi 1/0/4
switchport mode trunk 
description AG3

interface gi 2/0/4
switchport mode trunk 
description AG3

interface loopback 0
ip address 11.1.0.31 255.255.255.255
S7:
vlan 20
name Xiaoshou
add interface gi 0/13
add interface gi 0/14
add interface gi 0/15
add interface gi 0/16
interface vlan 20
description 销售部

vlan 30
name Caiwu
add interface gi 0/17
add interface gi 0/18
add interface gi 0/19
add interface gi 0/20
interface vlan 30
description 财务部

vlan 100
name Manage
interface vlan 100
ip address 192.1.100.1 255.255.255.0
interface vlan 100
description 管理与互联VLAN

interface gi 0/1
switchport mode trunk
description AG1

interface gi 0/2
switchport mode trunk
description AG1
AC1:
interface loopback 0
ip address 11.1.0.21 255.255.255.255

vlan 100
name Manage
interface vlan 100
ip address 192.1.100.2 255.255.255.0
description 管理与互联VLAN

interface gi 0/1
switchport mode trunk
description AG1

interface gi 0/2
switchport mode trunk
description AG1
AC2:
interface loopback 0
ip address 11.1.0.21 255.255.255.0
description 管理与互联VLAN

interface gi 0/1
switchport mode trunk
description AG1

interface gi 0/2
switchport mode trunk
description AG1
S6:
vlan 10
name AP
add interface gi 0/1
add interface gi 0/2
add interface gi 0/3
add interface gi 0/4
interface vlan 10
description Native vlan

vlan 20
name Xiaoshou
add interface gi 0/5
add interface gi 0/6
add interface gi 0/7
add interface gi 0/8
interface vlan 20
description 销售部

vlan 30
name Caiwu
add interface gi 0/9
add interface gi 0/10
add interface gi 0/11
add interface gi 0/12
interface vlan 30
description 财务部

vlan 40
name Shichang
add interface gi 0/13
add interface gi 0/14
add interface gi 0/15
add interface gi 0/16
interface vlan 40
description 市场部

vlan 100
name Manage
interface vlan 100
ip address 193.1.100.1 255.255.255.0
description 设备管理VLAN
S3:
vlan 10
name AP
interface vlan 10
ip address 193.1.10.252 255.255.255.0
description AP

vlan 20
name Xiaoshou
interface vlan 20
ip address 193.1.20.252 255.255.255.0
description 销售部无线用户

vlan 30
name Caiwu
interface vlan 30
ip address 193.1.30.252 255.255.255.0
description 财务部

vlan 40
name Shichang
interface vlan 40
ip address 193.1.40.252 255.255.255.0
description 市场部

vlan 100
name Manage
interface vlan 100
ip address 193.1.100.252 255.255.255.0

interface gi 0/1
switchport mode trunk

interface gi 0/13
switchport mode trunk
description AG1成员口

interface gi 0/14
switchport mode trunk
description AG1成员口

interface gi 0/24
no switchport
ip address 10.1.0.1 255.255.255.252

interface loopback 0
ip address 11.1.0.33 255.255.255.255
S4:
vlan 10
name AP
interface vlan 10
ip address 193.1.10.253 255.255.255.0
description AP

vlan 20
name Xiaoshou
interface vlan 20
ip address 193.1.20.253 255.255.255.0
description 销售部无线用户

vlan 30
name Caiwu
interface vlan 30
ip address 193.1.30.253 255.255.255.0
description 财务部

vlan 40
name Shichang
interface vlan 40
ip address 193.1.40.253 255.255.255.0
description 市场部

vlan 100
name Manage
interface vlan 100
ip address 193.1.100.253 255.255.255.0
description 设备管理VLAN

interface gi 0/1
switchport mode trunk

interface gi 0/13
switchport mode trunk
description AG1成员口

interface gi 0/14
switchport mode trunk
description AG1成员口

interface gi 0/24
no switchport
ip address 10.1.0.5 255.255.255.252

interface loopback 0
ip address 11.1.0.11 255.255.255.255
EG1:
interface gi 0/1
ip address 10.1.0.2 255.255.255.252

interface gi 0/2
ip address 10.1.0.6 255.255.255.252

interface gi 0/3
ip address 10.1.1.17 255.255.255.252

interface loopback 0
ip address 11.1.0.35 255.255.255.255
S5:
vlan 10
name AP
add interface gi 0/1
add interface gi 0/2
add interface gi 0/3
add interface gi 0/4
interface vlan 10
ip address 194.1.20.254 255.255.255.0
description 无线用户

interface gi 0/24
ip address 10.1.0.13 255.255.255.252

interface loopback 0
ip address 11.1.0.35 255.255.255.255
EG2:
interface gi 0/1
ip address 10.1.0.14 255.255.255.252

interface gi 0/3
ip address 10.1.0.21 255.255.255.252

interface loopback 0
ip address 11.1.0.12 255.255.255.255
R1:
interface gi 1/0
ip address 10.1.0.14 255.255.255.0
switchport access vlan 20

interface gi 0/3
ip address 13.1.0.1 255.255.255.0
switchport access vlan 30

interface vlan 10
ip address 10.1.0.10 255.255.255.252

interface loopback 0
ip address 11.1.0.1 255.255.255.255
R2:
interface fa 1/0
ip address 12.1.0.2 255.255.255.0
R3:
interface fa1/1
switchport access vlan 40
vlan 40
interface vlan 40
ip address 14.1.0.3 255.255.255.0

interface fa 1/0
switchport access vlan 30
vlan 30
interface vlan 30
ip address 13.1.0.3 255.255.255.0
interface gi 0/0(fa 1/x)
(switch access vlan x
vlan x
interface vlan x)
ip address 10.1.0.22 255.255.255.252

interface loopback 0
ip address 11.1.0.3 255.255.255.255
PC:
Obtained automatically
Switch descriptions:
Ruijie(config-if-GigabitEthernet 2/0/1)#description Trunk
Ruijie(config-vlan)#name xiaoshou

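2. Enable the SSH service on all switches and wireless controllers, with username admin and password admin1234. The password is of plaintext type, and the privileged (enable) password is admin

Logging in via SSH:

1. The SSH function must be enabled
2. A key must be generated manually
3. If the PC and the switch are not on the same network segment, the switch's default gateway must be configured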
S1:
enable service ssh-server
crypto key generate dsa
interface vlan 100 
ip address 192.1.100.254 255.255.255.0

line vty 0 4
login local
exit
username admin password admin1234
enable password admin
end
write

show service
S2:
enable service ssh-server
crypto key generate dsa
interface vlan 100
ip address 192.1.100.254 255.255.255.0

line vty 0 4
login local
exit
username admin password admin1234
enable password admin
end
write

show service
S3:
enable service ssh-server
crypto key generate dsa
interface vlan 100
ip address 192.1.100.252 255.255.255.0

line vty 0 4
login local
exit
username admin password admin1234
enable password admin
end
write

show service
S4:
enable service ssh-server
crypto key generate dsa
interface vlan 192.168.1.1 255.255.255.0

line vty 0 4
login local
exit
username admin password admin1234
enable password admin
end
write

show service
S5:
S6:
enable service ssh-server
crypto key generate dsa
interface vlan 100
ip address 193.1.100.1 255.255.255.0

line vty 0 4
login local
exit
username admin password admin1234
enable password admin
end
write

show service
S7:
enable service ssh-server
crypto key generate dsa
interface vlan 100
ip address 192.1.100.1 255.255.255.0

line vty 0 4
login local
exit
username admin password admin1234
enable password admin
end
write

show service

3. Configure SNMP on device S7 to send Trap messages to host 172.16.0.254 using version V2C; the read-write Community is "Test" and the read-only Community is "public"; enable Trap messages

S7:
ip access-list standard abc
permit host 172.16.0.254 
exit

snmp-server community test rw abc
snmp-server community public ro abc

snmp-server host 172.16.0.254 version 2c test

snmp-server enable traps

(interface vlan 100
ip address 192.1.100.1 255.255.255.0)
show service
show snmp host
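
The S7 answers for tasks 2 and 3 above, run through a small management-plane audit. This is an added example, not part of the original answer key or any Ruijie tooling; the rule names, the `GUESSABLE` list and the 12-character threshold are assumptions chosen for illustration.

```python
import re

# Excerpt of this page's S7 answers for tasks 2 and 3, joined into one config.
S7_CONFIG = """\
enable service ssh-server
crypto key generate dsa
line vty 0 4
login local
exit
username admin password admin1234
enable password admin
ip access-list standard abc
permit host 172.16.0.254
exit
snmp-server community test rw abc
snmp-server community public ro abc
snmp-server host 172.16.0.254 version 2c test
snmp-server enable traps
"""

# Assumption: a short constructed list of community strings that get guessed first.
GUESSABLE = {"public", "private", "test", "admin"}
MIN_SECRET_LEN = 12  # assumption: illustrative threshold, not a vendor default


def audit_management_plane(config):
    """Return (severity, rule, detail) findings for one device configuration."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    def add(severity, rule, detail):
        findings.append((severity, rule, detail))

    # Names of every ACL the config defines, to validate SNMP community bindings.
    acls = {m.group(1) for ln in lines
            if (m := re.match(r"ip access-list (?:standard|extended) (\S+)$", ln))}
    communities, trap_hosts = {}, []

    for ln in lines:
        if m := re.match(r"crypto key generate (\S+)", ln):
            if m.group(1).lower() == "dsa":
                add("high", "SSH-KEY-DSA",
                    "DSA host key; ssh-dss is disabled by default in OpenSSH since 7.0")
        elif m := re.match(r"(username \S+|enable) password (?:(\d+) )?(\S+)$", ln):
            who, ptype, secret = m.groups()
            if ptype in (None, "0"):
                add("medium", "PW-PLAINTEXT", f"{who}: password stored in clear text")
            if len(secret) < MIN_SECRET_LEN or secret.lower().startswith("admin"):
                add("high", "PW-WEAK", f"{who}: short or account-name-derived password")
        elif m := re.match(r"snmp-server community (\S+) (ro|rw)(?: (\S+))?$", ln):
            communities[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"snmp-server host (\S+) version (\S+) (\S+)$", ln):
            trap_hosts.append(m.groups())

    rw = {name for name, (mode, _) in communities.items() if mode == "rw"}
    for name, (mode, acl) in communities.items():
        if name.lower() in GUESSABLE:
            add("high", "SNMP-GUESSABLE", f"community {name!r} ({mode}) is a common default")
        if acl not in acls:
            add("high", "SNMP-NO-ACL", f"community {name!r} is not bound to a defined ACL")
    if rw:
        add("medium", "SNMP-RW-CLEARTEXT",
            "SNMP v1/v2c sends the write community unencrypted in every request")
    for host, _version, community in trap_hosts:
        if community in rw:
            add("high", "TRAP-REUSES-RW",
                f"traps to {host} carry the read-write community {community!r}")
    if "enable service ssh-server" not in lines:
        add("high", "SSH-DISABLED", "SSH server is not enabled")
    return findings


def rule_ids(config):
    """Set of rule names raised for a config, convenient for comparisons."""
    return {rule for _, rule, _ in audit_management_plane(config)}


if __name__ == "__main__":
    for severity, rule, detail in audit_management_plane(S7_CONFIG):
        print(f"[{severity:6}] {rule:18} {detail}")
```

The ACL `abc` on both communities is the one control in the answer that the audit accepts; the trap line is flagged because it sends the read-write community `test` to the trap receiver on every notification.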

(II) Configure the wired network

1. Perform VLAN pruning on Trunk links across the whole network

S1:
interface gi 1/0/2
switchport mode trunk
switchport trunk allowed vlan remove 1-19,21-29,31-99,101-4094
interface gi 2/0/2
switchport mode trunk

interface gi 1/0/3
switchport mode trunk

interface gi 2/0/3
switchport mode trunk

interface gi 1/0/4
switchport mode trunk

interface gi 2/0/4
switchport mode trunk
S2:
S3:
S4:
S5:
S6:
S7:
https://blog.csdn.net/weixin_44906508/article/details/123646397

2. Enable port protection on ports Gi0/10-Gi0/15 of S5 and S6

S5:
interface gi 0/10
switchport protected

interface gi 0/11
switchport protected

interface gi 0/12
switchport protected

interface gi 0/13
switchport protected

interface gi 0/14
switchport protected

interface gi 0/15
switchport protected
S6:
interface gi 0/10
switchport protected

interface gi 0/11
switchport protected

interface gi 0/12
switchport protected

interface gi 0/13
switchport protected

interface gi 0/14
switchport protected

interface gi 0/15
switchport protected

3. Enable Portfast and BPDU guard protection on the ports of S5 and S6 that connect to PCs

S5:
spanning-tree
interface range g0/1-16
spanning-tree bpduguard enable 
spanning-tree portfast 
interface gigabitEthernet 0/24
spanning-tree bpdufilter enable 
exit
errdisable recovery interval 300
end
wr

show rldp
S6:
spanning-tree
interface range g0/1-16
spanning-tree bpduguard enable 
spanning-tree portfast 
interface gigabitEthernet 0/24
spanning-tree bpdufilter enable 
exit
errdisable recovery interval 300
end
wr

show rldp

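4. On S6, enable BPDU loop prevention on the interfaces connected to PCs, with Shutdown-Port as the action when a loop is detected, and set the interfaces as edge ports

rldp enable   ------>Enable RLDP globally
interface gi 0/3
rldp port loop-detect shutdown-port ---->Enable RLDP on the interface; if a loop is detected, shut down the port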
exit
spanning-tree
spanning-tree mode rstp
spanning-tree port
spanning-tree portfast
spanning-tree bpduguard enable
SW3(config-if-FastEthernet 0/1)#exit

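5. If a port is put into the Err-Disabled state by BPDU Guard, it recovers automatically after 300 seconds (policy deployed per interface) and checks again for a loop

errdisable recovery interval 300    ---->If a port is detected by RLDP and shut down, it recovers automatically after 300 seconds and checks again for a loop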
end
wr

6. Deploy DHCP Snooping on switch S6

S3 core switch configuration:
service dhcp 
interface vlan 1
ip address 192.168.1.254 255.255.255.0
exit

ip dhcp pool vlan1
network 192.168.1.0 255.255.255.0
dns-server 218.85.157.99   
default-router 192.168.1.254
end
wr

S6 access switch configuration:
ip dhcp snooping
Ruijie(config)#interface gigabitEthernet 0/49
ip dhcp snooping trust
end
write
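
What the two S6 commands above change for DHCP traffic, as a small model of generic DHCP snooping behaviour. This is an added example, not code from the original page and not Ruijie's implementation; the client MAC, the lease address, the rogue-server address and the access port numbers are constructed, while the trusted uplink Gi0/49 and the 192.168.1.0/24 pool come from the configuration above.

```python
from dataclasses import dataclass, field

# DHCP message types (option 53)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_TYPES = {OFFER, ACK, NAK}  # only a DHCP server should ever send these


@dataclass
class DhcpMsg:
    port: str                 # switch port the frame arrived on
    vlan: int
    msg_type: int
    chaddr: str               # client hardware address inside the DHCP payload
    yiaddr: str = "0.0.0.0"   # address being offered or acknowledged


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    pending: dict = field(default_factory=dict)    # (mac, vlan) -> client port
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> (ip, port)
    dropped: list = field(default_factory=list)

    def receive(self, msg):
        """Return 'forward' or 'drop' and update the binding table."""
        key = (msg.chaddr, msg.vlan)
        untrusted = msg.port not in self.trusted_ports
        if msg.msg_type in SERVER_TYPES:
            if untrusted:
                return self._drop(msg, "server reply on untrusted port")
            # A lease is recorded only from an ACK that arrived on a trusted port.
            if msg.msg_type == ACK and key in self.pending:
                self.bindings[key] = (msg.yiaddr, self.pending.pop(key))
            return "forward"
        if untrusted:
            if msg.msg_type in (RELEASE, DECLINE):
                bound = self.bindings.get(key)
                if bound and bound[1] != msg.port:
                    return self._drop(msg, "release from a port that does not own the lease")
                self.bindings.pop(key, None)
            else:
                self.pending[key] = msg.port  # remember where the client lives
        return "forward"

    def _drop(self, msg, reason):
        self.dropped.append((msg.port, msg.msg_type, reason))
        return "drop"


def run_scenario():
    """Replay a constructed exchange through S6 with Gi0/49 as the only trusted port."""
    s6 = SnoopingSwitch(trusted_ports={"Gi0/49"})
    client, lease = "0000.5e00.5301", "192.168.1.10"   # constructed values
    frames = [
        DhcpMsg("Gi0/13", 1, DISCOVER, client),
        DhcpMsg("Gi0/14", 1, OFFER, client, "10.66.66.10"),  # unauthorised server
        DhcpMsg("Gi0/49", 1, OFFER, client, lease),          # S3 via the uplink
        DhcpMsg("Gi0/13", 1, REQUEST, client),
        DhcpMsg("Gi0/14", 1, ACK, client, "10.66.66.10"),
        DhcpMsg("Gi0/49", 1, ACK, client, lease),
        DhcpMsg("Gi0/14", 1, RELEASE, client),               # wrong port for this lease
    ]
    verdicts = [s6.receive(f) for f in frames]
    return verdicts, s6


if __name__ == "__main__":
    verdicts, s6 = run_scenario()
    print(verdicts)
    print(s6.bindings)
    for entry in s6.dropped:
        print("dropped:", entry)
```

Without the `ip dhcp snooping trust` line on the uplink, the legitimate OFFER and ACK from S3 would be dropped as well and no client behind S6 would get a lease.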

7. Deploy port security on switch S6; interface Gi0/13 allows only PC2 through

interface GigabitEthernet 0/2
switchport port-security binding 0021.CCCF.6F70 vlan 10 192.168.1.1
switchport port-security
Ruijie(config-if-GigabitEthernet 0/2)#exit

interface GigabitEthernet 0/3
switchport port-security binding 192.168.1.2
switchport port-security

8. Configure MSTP on S3, S4 and S6 to prevent Layer 2 loops. All data flows must be forwarded through S4, and through S3 when S4 fails. The region-name is test. The revision is 1. S3 is the secondary root in the instance and S4 is the primary root. The primary root priority is 4096 and the secondary root priority is 8192

RG-NBS5526XG:15#enable stp------>Enable STP globally
RG-NBS5526XG:15#config stp version mstp------>Set the STP version to MSTP
RG-NBS5526XG:15#config stp mst_config_id name ruijie revision_level 1------>Set the MSTP region name to ruijie and the revision level to 1
RG-NBS5526XG:15#create stp instance_id 1------>Create MSTP instance 1
RG-NBS5526XG:15#create stp instance_id 2------>Create MSTP instance 2
RG-NBS5526XG:15#config stp instance_id 1 add_vlan 10,20------>Map VLANs 10 and 20 to MSTP instance 1
RG-NBS5526XG:15#config stp instance_id 2 add_vlan 30,40------>Map VLANs 30 and 40 to MSTP instance 2
RG-NBS5526XG:15#config stp priority 0 instance_id 1------>Set the priority of MSTP instance 1 to 0
RG-NBS5526XG:15#config stp priority 4096 instance_id 2------>Set the priority of MSTP instance 2 to 4096
RG-NBS5526XG:15#config stp priority 0 instance_id 2------>Set the priority of MSTP instance 2 to 0
RG-NBS5526XG:15#config stp priority 4096 instance_id 1------>Set the priority of MSTP instance 1 to 4096

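9. Configure VRRP on S3 and S4 to provide gateway redundancy for hosts; the required parameters are listed in Table 1. In each VRRP group on S3 and S4, the high priority is set to 150 and the low priority to 120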

SW1:
SW1(config)#vlan range 10,20,30,40,50,100
SW1(config-vlan-range)#exit 
SW1(config)#interface VLAN 10
SW1(config-if-VLAN 10)#ip address 192.1.10.252 24
SW1(config-if-VLAN 10)# interface VLAN 20
SW1(config-if-VLAN 20)#ip address 192.1.20.252 24
SW1(config-if-VLAN 20)# interface VLAN 30
SW1(config-if-VLAN 30)#ip address 192.1.30.252 24
SW1(config-if-VLAN 30)# interface VLAN 40
SW1(config-if-VLAN 40)#ip address 192.1.40.252 24
SW1(config-if-VLAN 40)# interface VLAN 50
SW1(config-if-VLAN 50)#ip address 192.1.50.252 24
SW1(config-if-VLAN 50)# interface VLAN 100
SW1(config-if-VLAN 100)#ip address 192.1.100.252 24
SW1(config-if-VLAN 100)#exit
SW1(config)#interface range gigabitEthernet 0/23-24
SW1(config-if-range)#switchport mode trunk 
SW1(config-if-range)#exit 

SW1(config)#spanning-tree mode mstp 
SW1(config)#spanning-tree mst configuration 
SW1(config-mst)#instance 1 vlan 10,20,30
SW1(config-mst)#instance 2 vlan 40,50,100
SW1(config-mst)#revision 1
SW1(config-mst)#name test
SW1(config-mst)#exit 
SW1(config)#spanning-tree mst 1 priority 4096
SW1(config)#spanning-tree mst 2 priority 8192
SW1(config)#spanning-tree 
 
SW1(config)#interface VLAN 10
SW1(config-if-VLAN 10)#vrrp 10 ip 192.1.10.254
SW1(config-if-VLAN 10)#vrrp 10 priority 150
SW1(config-if-VLAN 10)# interface VLAN 20
SW1(config-if-VLAN 20)#vrrp 20 ip 192.1.20.254
SW1(config-if-VLAN 20)#vrrp 20 priority 150
SW1(config-if-VLAN 20)# interface VLAN 30
SW1(config-if-VLAN 30)#vrrp 30 ip 192.1.30.254
SW1(config-if-VLAN 30)#vrrp 30 priority 150
SW1(config-if-VLAN 30)# interface VLAN 40
SW1(config-if-VLAN 40)#vrrp 40 ip 192.1.40.254
SW1(config-if-VLAN 40)#vrrp 40 priority 120
SW1(config-if-VLAN 40)# interface VLAN 50
SW1(config-if-VLAN 50)#vrrp 50 ip 192.1.50.254
SW1(config-if-VLAN 50)#vrrp 50 priority 120
SW1(config-if-VLAN 50)# interface VLAN 100
SW1(config-if-VLAN 100)#vrrp 100 ip 192.1.100.254
SW1(config-if-VLAN 100)#vrrp 100 priority 120
SW2:
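Configuration is similar

10. Virtualize S1 and S2, with ports Te0/51-52 between S1 and S2 as the VSL links, S2 as the master and S1 as the standby. Plan port Gi0/48 between S1 and S2 as the dual-active detection link. Master device: Domain id: 1, switch id: 2, priority 150, description: S6000-2; standby device: Domain id: 1, switch id: 1, priority 120, description: S6000-1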

1. Enable the virtualization function
Ruijie(config)#virt vm-support enable
2. Enable recognition of the KVM virtual machine OUI
Ruijie(config)#virt vm-oui 5254.0000.0000
3. Enable virtualization support and the virtualization reflect-port function on the interface
Ruijie(config)#int te 0/1
Ruijie(config-if-TenGigabitEthernet 0/1)#virt vm-server-port
Ruijie(config-if-TenGigabitEthernet 0/1)#virt vm-reflect-port
4. Configure the server rate-limit policy on the switch
Ruijie(config)#virt vm-profile vmtest
Ruijie(config-vm-profile)#rate-limit input 1024 1024
Ruijie(config)#virt vm-group 1
Ruijie(config-vm-group)#profile vmtest
1. Configure the VSU domain ID, device number and priority on S2910-24GT4XS-E-1, S2910-24GT4XS-E-2 and S2910-24GT4XS-E-3
S2910-24GT4XS-E-1 switch configuration
S2910-24GT4XS-E-1# configure terminal
S2910-24GT4XS-E-1(config)# switch virtual domain 1     ------>Create the VSU domain id
S2910-24GT4XS-E-1(config-vs-domain)# switch 1          ------>Create the switch id
S2910-24GT4XS-E-1(config-vs-domain)# switch 1 priority 200  ------>Set the priority of the switch id
S2910-24GT4XS-E-1(config-vs-domain)# switch 1 description S2910-24GT4XS-E-1   ------>Set the description of the switch id
S2910-24GT4XS-E-1(config-vs-domain)# exit
S2910-24GT4XS-E-1(config)# vsl-port------>Enter VSL configuration mode; at least 2 VSL links are recommended to improve VSU reliability, but a single VSL link also works if conditions are limited
S2910-24GT4XS-E-1(config-vsl-port)# port-member interface Tengigabitethernet 0/25  ------>Add Tengigabitethernet 1/0/25 to the VSL
S2910-24GT4XS-E-1(config-vsl-port)# port-member interface Tengigabitethernet 0/26  ------>Add Tengigabitethernet 1/0/26 to the VSL
S2910-24GT4XS-E-1(config-vsl-port)# port-member interface Tengigabitethernet 0/27  ------>Add Tengigabitethernet 1/0/27 to the VSL
S2910-24GT4XS-E-1(config-vsl-port)# port-member interface Tengigabitethernet 0/28  ------>Add Tengigabitethernet 1/0/28 to the VSL
S2910-24GT4XS-E-1(config-vsl-port)# exit
S2910-24GT4XS-E-1(config)# exit
S2910-24GT4XS-E-2 switch configuration
S2910-24GT4XS-E-2# configure terminal
S2910-24GT4XS-E-2(config)# switch virtual domain 1   ------>Create the VSU domain id
S2910-24GT4XS-E-2(config-vs-domain)# switch 2     ------>Create the switch id
S2910-24GT4XS-E-2(config-vs-domain)# switch 2 priority 150   ------>Set the priority of the switch id
S2910-24GT4XS-E-2(config-vs-domain)# switch 2 description  S2910-24GT4XS-E-2------>Set the description of the switch id
S2910-24GT4XS-E-2(config-vs-domain)# exit
S2910-24GT4XS-E-1(config)# vsl-port------>Enter VSL configuration mode; at least 2 VSL links are recommended to improve VSU reliability, but a single VSL link also works if conditions are limited
S2910-24GT4XS-E-1(config-vsl-port)# port-member interface Tengigabitethernet 0/25  ------>Add Tengigabitethernet 1/0/25 to the VSL
S2910-24GT4XS-E-1(config-vsl-port)# port-member interface Tengigabitethernet 0/26  ------>Add Tengigabitethernet 1/0/26 to the VSL
S2910-24GT4XS-E-1(config-vsl-port)# port-member interface Tengigabitethernet 0/27  ------>Add Tengigabitethernet 1/0/27 to the VSL
S2910-24GT4XS-E-1(config-vsl-port)# port-member interface Tengigabitethernet 0/28  ------>Add Tengigabitethernet 1/0/28 to the VSL
S2910-24GT4XS-E-2(config-vsl-port)# exit
S2910-24GT4XS-E-2(config)# exit
S2910-24GT4XS-E-3 switch configuration
S2910-24GT4XS-E-3# configure terminal
S2910-24GT4XS-E-3(config)# switch virtual domain 1   ------>Create the VSU domain id
S2910-24GT4XS-E-3(config-vs-domain)# switch 3     ------>Create the switch id
S2910-24GT4XS-E-3(config-vs-domain)# switch 3 priority 150   ------>Set the priority of the switch id
S2910-24GT4XS-E-3(config-vs-domain)# switch 3 description S2910-24GT4XS-E-3    ------>Set the description of the switch id
S2910-24GT4XS-E-3(config-vs-domain)# exit
S2910-24GT4XS-E-1(config)# vsl-port------>Enter VSL configuration mode; at least 2 VSL links are recommended to improve VSU reliability, but a single VSL link also works if conditions are limited
S2910-24GT4XS-E-1(config-vsl-port)# port-member interface Tengigabitethernet 0/25  ------>Add Tengigabitethernet 1/0/25 to the VSL
S2910-24GT4XS-E-1(config-vsl-port)# port-member interface Tengigabitethernet 0/26  ------>Add Tengigabitethernet 1/0/26 to the VSL
S2910-24GT4XS-E-1(config-vsl-port)# port-member interface Tengigabitethernet 0/27  ------>Add Tengigabitethernet 1/0/27 to the VSL
S2910-24GT4XS-E-1(config-vsl-port)# port-member interface Tengigabitethernet 0/28  ------>Add Tengigabitethernet 1/0/28 to the VSL
S2910-24GT4XS-E-3(config-vsu-ap)# exit
S2910-24GT4XS-E-3(config)# exit
S2910-24GT4XS-E-3(config)# exit
2. Convert S2910-24GT4XS-E-1, S2910-24GT4XS-E-2 and S2910-24GT4XS-E-3 to VSU mode
S2910-24GT4XS-E-1#switch convert mode virtual   ------>Convert the switch to VSU mode
Convert switch mode will automatically backup the "config.text" file and then delete it, and reload the switch. Do you want to convert switch to virtual mode? [no/yes]y------>Enter y
S2910-24GT4XS-E-2#switch convert mode virtual   ------>Convert the switch to VSU mode
Convert switch mode will automatically backup the "config.text" file and then delete it, and reload the switch. Do you want to convert switch to virtual mode? [no/yes]y------>Enter y
S2910-24GT4XS-E-3#switch convert mode virtual   ------>Convert the switch to VSU mode
Convert switch mode will automatically backup the "config.text" file and then delete it, and reload the switch. Do you want to convert switch to virtual mode? [no/yes]y------>Enter y
The switches then reboot and hold the VSU election; this may take quite a while, so please wait patiently
3. After the VSU has been established successfully, configure BFD
Ruijie#configure terminal
Ruijie(config)#interface GigabitEthernet 1/0/24  ------>Port 24 of the first VSU device
Ruijie(config-if-GigabitEthernet 1/0/24)#no switchport   ------>Only "no sw" needs to be entered on the BFD interface; no other configuration is required
Ruijie(config-if-GigabitEthernet 1/0/24)#exit
Ruijie(config)#interface GigabitEthernet 2/0/24  ------>Port 24 of the second VSU device
Ruijie(config-if-GigabitEthernet 1/0/24)#no switchport  ------>Only "no sw" needs to be entered on the BFD interface; no other configuration is required
Ruijie(config-if-GigabitEthernet 2/0/24)#exit
Ruijie(config)#switch virtual domain 1
Ruijie(config-vs-domain)#dual-active detection bfd
Ruijie(config-vs-domain)#dual-active bfd interface GigabitEthernet 1/0/24
Ruijie(config-vs-domain)#dual-active bfd interface GigabitEthernet 2/0/24
4. In VSU mode, settings for when a VSL link needs to be added
In VSU mode, a VSL link can be added or removed by configuration; on the 11.X software platform the change takes effect immediately without rebooting the device.
Example:
1) Remove Te1/0/25 from VSL port 1/1 of device S2910-24GT4XS-E-1
Ruijie(config)#vsl-port
Ruijie(config-vsl-port)#port-member interface tenGigabitEthernet 1/0/25
The configuration of port TenGigabitEthernet 1/0/25 will be removed, confirm to continue?[yes/no]:y  --->The configuration under port 1/0/25 will be cleared; confirm to add it to the VSL link
2) Add Te1/0/25 back to VSL port 1/1 of device S2910-24GT4XS-E-1
Ruijie(config-vsl-port)#no port-member interface tenGigabitEthernet 1/0/25
% The port TenGigabitEthernet 1/0/25 will be in shutdown status after the port type is converted.  --->After port 1/0/25 is removed from the VSL link, port 1/0/25 will be shut down

11. Run OSPF among R1, S1/S2, AC1 and AC2 with process ID 10. Run OSPF among EG1, S3 and S4 with process ID 10. S5 and EG2 use static routes

R1(config)#interface gigabitEthernet 0/0
R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0
R1(config-GigabitEthernet 0/0)#exit
R1(config)#interface gigabitEthernet 0/1
R1(config-GigabitEthernet 0/1)#ip address 10.1.1.1 255.255.255.0
R1(config-GigabitEthernet 0/1)#exit
R1(config)#interface loopback 0        ----->Configure the loopback 0 address to serve as the OSPF router-id
R1(config-if-Loopback 0)#ip address 1.1.1.1 255.255.255.255
R1(config-if-Loopback 0)#exit
R1(config)#router ospf 1      ----->Enable OSPF with process ID 1
R1(config-router)#network 192.168.1.1 0.0.0.0 area 1     ----->Enable OSPF on the interface with address 192.168.1.1, in area 1
R1(config-router)#network 10.1.1.1 0.0.0.0 area 1
R1(config-router)#exit
1. Configure the interface IPs of router R1
Ruijie>enable     // Enter privileged mode
Ruijie#configure terminal     // Enter global configuration mode
Ruijie(config)#interface fastethernet 0/1
Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.1.254 255.255.255.0
Ruijie(config-if-FastEthernet 0/1)#interface fastethernet 0/0
Ruijie(config-if-FastEthernet 0/0)#ip address 192.168.3.1 255.255.255.0
Ruijie(config-if-FastEthernet 0/0)#exit
2. Configure the interface IPs of router R2
Ruijie>enable
 Ruijie#configure terminal     
Ruijie(config)#interface fastethernet 0/1
Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.2.254 255.255.255.0
Ruijie(config-if-FastEthernet 0/1)#interface fastethernet 0/0
Ruijie(config-if-FastEthernet 0/0)#ip address 192.168.3.2 255.255.255.0
 Ruijie(config-if-FastEthernet 0/0)#exit
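3. Configure static routes on router R1
Note:
1) The next hop of a static route can take two forms (next-hop IP address and local outgoing interface); the recommended configuration for the two cases is as follows:
2) On Ethernet links, configure static routes in the form outgoing interface + next-hop IP address.
3) On PPP and HDLC WAN links, configuring the static route with the local outgoing interface is recommended.
Ruijie(config)#ip route 192.168.2.0 255.255.255.0 fastethernet 0/0 192.168.3.2   // Packets destined for 192.168.2.0/24 are forwarded to 192.168.3.2
3. Configure static routes on router R2
Ruijie(config)#ip route 192.168.1.0 255.255.255.0 fastethernet 0/0 192.168.3.1   // Packets destined for 192.168.1.0/24 are forwarded to 192.168.3.1
4. Save the configuration
Ruijie(config)#end     // Exit to privileged mode
Ruijie#write        // Confirm the configuration is correct and save it
1. IP addresses of all routers and basic OSPF configuration
For the configuration, refer to the "OSPF basic configuration" chapter (Typical Configuration ---> IP Routing ---> OSPF ---> Basic Configuration)
2. Configure a static route to network 10.1.2.0/24 on R1
R1(config)#ip route 10.1.2.0 255.255.255.0 192.168.11.2
3. Redistribute the static route into OSPF
Note:
1) The command for OSPF to redistribute routes learned from other routing protocols is as follows: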
R1(config)#router ospf 1
R1(config-router)#redistribute ? 
  bgp        Border Gateway Protocol (BGP)
  connected  Connected
  ospf       Open Shortest Path First (OSPF)
  rip        Routing Information Protocol (RIP)
  static     Static routes
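2) When OSPF imports external routes, the imported routes have two metric types, type 1 and type 2
a. Type 1: the internal cost is added as the route propagates within the OSPF domain; if the internal network needs to perform path selection on the external route, type 1 is recommended (imported external routes default to type 2)
b. Type 2: the internal cost is not added as the route propagates within the OSPF domain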
R1(config)#router ospf 1
R1(config-router)#redistribute static metric-type ?
1  Set OSPF External Type 1 metrics      
2  Set OSPF External Type 2 metrics
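3) The external routes OSPF imports are this router's valid routes; they must be routes visible in show ip route on this router
4) When redistributing routes into OSPF, subnets must be added; otherwise only classful network routes are redistributed
The following uses OSPF importing static routes as the example; other routing protocols work the same way.
R1(config)#router ospf 1
R1(config-router)#redistribute static subnets   // Redistribute static routes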
R1(config-router)#exit

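12. Protocol packets must not appear in service network segments. All routing protocols advertise specific network segments. Loopback addresses must be advertised;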

R1(config)#rou ospf 10
R1(config-router)#passive-interface vlan 20         
R1(config-router)#passive-interface vlan 30          
R1(config-router)#passive-interface vlan 10   

R2(config)#rou ospf 10
R2(config-router)#passive-interface vlan 20
R2(config-router)#passive-interface vlan 40
R2(config-router)#passive-interface gi 0/0

R3(config)#route ospf 10
R3(config-router)#passive-interface vlan 40
R3(config-router)#passive-interface vlan 30
R3(config-router)#passive-interface gi 0/0 

S1(config)#rou ospf 10
S1(config-router)#passive-interface vlan 20
S1(config-router)#passive-interface vlan 30
S1(config-router)#passive-interface vlan 100
S1(config-router)#passive-interface gi 1/0/1

S2(config)#rou ospf 10
S2(config-router)#passive-interface vlan 20
S2(config-router)#passive-interface vlan 30
S2(config-router)#passive-interface vlan 100
S2(config-router)#passive-interface gi 2/0/1

S3(config)#rou ospf 10
S3(config-router)#passive-interface vlan 10
S3(config-router)#passive-interface vlan 20
S3(config-router)#passive-interface vlan 30
S3(config-router)#passive-interface vlan 40
S3(config-router)#passive-interface vlan 100
S3(config-router)#passive-interface gi 0/24 

S4(config)#rou ospf 10
S4(config-router)#passive-interface vlan 10
S4(config-router)#passive-interface vlan 20
S4(config-router)#passive-interface vlan 30
S4(config-router)#passive-interface vlan 40
S4(config-router)#passive-interface vlan 100
S4(config-router)#passive-interface gi 0/24 

S5(config)#rou ospf 10
S5(config-router)#passive-interface vlan 10
S5(config-router)#passive-interface vlan 20
S5(config-router)#passive-interface gi 0/24

AC1(config)#rou ospf 10
AC1(config-router)#passive-interface vlan 100

AC2(config)#rou ospf 10 
AC2(config-router)#passive-interface vlan 100

EG1(config)#rou ospf 10
EG1(config-router)#passive-interface gi 0/1
EG1(config-router)#passive-interface gi 0/2
EG1(config-router)#passive-interface gi 0/3
EG1(config-router)#

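13. Optimize the OSPF configuration to speed up OSPF convergence as much as possible. The Guangzhou branch needs to redistribute a default route into OSPF. No default route may be configured on the headquarters egress router R1, but all headquarters devices must learn a default route pointing to R1. Routes redistributed into OSPF use type 1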

R1(config)#rou ospf 10
R1(config-router)#redistribute static subnets 
R1(config-router)#redistribute connected subnets 

S1(config)#rou ospf 10
S1(config-router)#redistribute connected subnets 
S1(config-router)#redistribute static subnets 

S2(config)#rou ospf 10
S2(config-router)#redistribute static subnets 
S2(config-router)#redistribute connected subnets 
S2(config-router)#

AC1(config)#rou ospf 10
AC1(config-router)#redistribute static subnets 
AC1(config-router)#redistribute connected subnets 


AC2(config)#rou ospf 10 
AC2(config-router)#redistribute static subnets 
AC2(config-router)#redistribute connected subnets 

EG1(config)#rou ospf 10
EG1(config-router)#redistribute static subnets 
EG1(config-router)#redistribute connected subnets 

S3(config)#rou ospf 10
S3(config-router)#redistribute static subnets 
S3(config-router)#redistribute connected subnets 


S4(config)#rou ospf 10
S4(config-router)#redistribute static subnets           
S4(config-router)#redistribute connected subnets 

R1(config-router)#redistribute static subnets metric 1
R1(config-router)#

14. Deploy IBGP among R1, R2 and R3 with AS number 100, use Loopback interfaces to establish Peers, and build full-mesh IBGP neighbors;

R1(config)#rou ospf 10
R1(config-router)#redistribute static metric 1
% Only classful networks will be redistributed
R1(config-router)#redistribute static metric 1 ?
  metric-type  OSPF exterior metric type for 
R1(config-router)#redistribute static subnets metric 1
R1(config-router)#neighbor 11.1.0.2 remote-as 100
R1(config-router)#neighbor 11.1.0.2 update-source lo
R1(config-router)#neighbor 11.1.0.2 update-source loopback 0
R1(config-router)#redistribute ospf 10 metric 1 
R1(config-router)#neighbor 12.1.0.2 remote-as 100
R1(config-router)#neighbor 12.1.0.2 update-source fa 1/0
R1(config-router)#neighbor 11.1.0.3 remote-as 100
R1(config-router)#neighbor 11.1.0.3 update-source lo
R1(config-router)#neighbor 11.1.0.3 update-source loopback 0
R1(config-router)#neighbor 13.1.0.3 remote-as 100 
R1(config-router)#neighbor 13.1.0.3 update-source fa 1/0

R2(config)#rou bgp 100
R2(config-router)#neighbor 11.1.0.1 remote-as 100
R2(config-router)#neighbor 11.1.0.1 update-source loopback 0
R2(config-router)#neighbor 13.1.0.1 remote-as 100      
R2(config-router)#neighbor 13.1.0.1 update-source fa 1/1
R2(config-router)#redistribute ospf 10        
R2(config-router)#neighbor 11.1.0.3 remote-as 100       
R2(config-router)#neighbor 11.1.0.3 update-source fa 1/1
R2(config-router)#neighbor 11.1.0.3 update-source loopback 0
R2(config-router)#neighbor 14.1.0.3 remote-as 100
R2(config-router)#neighbor 14.1.0.3 update-source fa 1/1

R3(config)#rou bgp 100
R3(config-router)#neighbor 11.1.0.1 remote-as 100
R3(config-router)#neighbor 11.1.0.1 update-source loopback 0
R3(config-router)#neighbor 11.1.0.2 remote-as 100
R3(config-router)#neighbor 11.1.0.2 update-source loopback 0
R3(config-router)#redistribute ospf 10 
R3(config-router)#
1. Basic IP address configuration for the whole network
Ruijie(config)#hostname SW1
SW1(config)#interface gigabitEthernet 0/2
SW1(config-if-GigabitEthernet 0/2)#no switchport
SW1(config-if-GigabitEthernet 0/2)#ip address 192.168.1.1 255.255.255.0
SW1(config-if-GigabitEthernet 0/2)#exit
SW1(config)#interface gigabitEthernet 0/1
SW1(config-if-GigabitEthernet 0/1)#no switchport
SW1(config-if-GigabitEthernet 0/1)#ip address 10.1.1.1 255.255.255.0
SW1(config-if-GigabitEthernet 0/1)#exit
SW1(config)#interface loopback 0        ----->Configure the loopback 0 address to serve as the BGP update-source address
SW1(config-if-Loopback 0)#ip address 1.1.1.1 255.255.255.255
SW1(config-if-Loopback 0)#exit
Ruijie(config)#hostname R2
R2(config)#interface gigabitEthernet 0/2
R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0
R2(config-if-FastEthernet 0/0)#exit
R2(config)#interface fastEthernet 0/1
R2(config-if-FastEthernet 0/1)#ip address 192.168.2.1 255.255.255.0
R2(config-if-FastEthernet 0/1)#exit
R2(config)#interface loopback 0
R2(config-if-Loopback 0)#ip address 2.2.2.2 255.255.255.255
R2(config-if-Loopback 0)#exit
Ruijie(config)#hostname SW3
SW3(config)#interface gigabitEthernet 0/1
SW3(config-if-GigabitEthernet 0/1)#no switchport
SW3(config-if-GigabitEthernet 0/1)#ip address 10.4.1.1 255.255.255.0
SW3(config-if-GigabitEthernet 0/1)#exit
SW3(config)#interface gigabitEthernet 0/2
SW3(config-if-GigabitEthernet 0/2)#no switchport
SW3(config-if-GigabitEthernet 0/2)#ip address 192.168.2.2 255.255.255.0
SW3(config-if-GigabitEthernet 0/2)#exit
SW3(config)#interface loopback 0
SW3(config-if-Loopback 0)#ip address 3.3.3.3 255.255.255.255
SW3(config-if-Loopback 0)#exit
2. Enable OSPF on all routers and advertise the corresponding interfaces into the OSPF process so that all loopback interfaces are reachable
SW1(config)#router ospf 1
SW1(config-router)#network 192.168.1.1 0.0.0.0 area 0
SW1(config-router)#network 1.1.1.1 0.0.0.0 area 0
SW1(config-router)#exit
R2(config)#router ospf 1
R2(config-router)#network 192.168.1.2 0.0.0.0 area 0
R2(config-router)#network 192.168.2.1 0.0.0.0 area 0
R2(config-router)#network 2.2.2.2 0.0.0.0 area 0
R2(config-router)#exit
SW3(config)#router ospf 1
SW3(config-router)#network 192.168.2.2 0.0.0.0 area 0
SW3(config-router)#network 3.3.3.3 0.0.0.0 area 0
SW3(config-router)#exit
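3. Configure IBGP neighbors
Note:
1) If the BGP neighbor's AS number is the same as the local AS number, an IBGP neighbor relationship is established; if the BGP neighbor's AS number differs from the local AS number, an EBGP neighbor relationship is established.
SW1(config)#router bgp 123       ----->Enable the BGP process with AS number 123
SW1(config-router)#neighbor 2.2.2.2 remote-as 123     ----->Specify the BGP neighbor address and the neighbor's AS number
SW1(config-router)#neighbor 2.2.2.2 update-source loopback 0       ----->Configure the BGP update-source address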
SW1(config-router)#exit
R2(config)#router bgp 123
R2(config-router)#neighbor 1.1.1.1 remote-as 123
R2(config-router)#neighbor 1.1.1.1 update-source loopback 0
R2(config-router)#neighbor 3.3.3.3 remote-as 123
R2(config-router)#neighbor 3.3.3.3 update-source loopback 0
R2(config-router)#exit
SW3(config)#router bgp 123
SW3(config-router)#neighbor 2.2.2.2 remote-as 123
SW3(config-router)#neighbor 2.2.2.2 update-source loopback 0
SW3(config-router)#exit
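4. Advertise routes into BGP
Note:
1) In BGP, the network command specifies which routes are advertised into the BGP process; it does not enable BGP on interfaces (unlike its meaning in RIP and OSPF). A route advertised with the network command must exist in the local show ip route output, with a mask matching the mask parameter, before it can be advertised into the BGP process.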
SW1(config)#router bgp 123
SW1(config-router)#network 10.1.1.0 mask 255.255.255.0
SW1(config-router)#exit
SW3(config)#router bgp 123
SW3(config-router)#network 10.4.1.0 mask 255.255.255.0 
SW3(config-router)#exit

15. The second-tier carrier advertises the directly connected network segments of EG1 and EG2 into BGP so that R1 can reach the external interfaces of EG1 and EG2

1.Ruijie(config)#ip access-list extended 10  -->Create extended IP access control rule 10
Ruijie(config-ext-ip-nacl)#0 deny ip host 192.168.100.102 host 192.168.100.101 -->Deny packets with source IP 192.168.100.102 and destination IP 192.168.100.101
Ruijie(config-ext-ip-nacl)#1 permit ip any any  -->Permit all IP packets
Ruijie(config-ext-ip-nacl)#2 permit igmp any any  -->Permit all IGMP packets
Ruijie(config-ext-ip-nacl)#3 permit tcp any any   -->Permit all TCP packets
Ruijie(config-ext-ip-nacl)#4 permit udp any any  -->Permit all UDP packets
Ruijie(config-ext-ip-nacl)#exit  -->Exit to the previous mode
Ruijie(config)#interface gigabitEthernet 0/2  -->Enter port mode
Ruijie(config-if-gigabitEthernet-0/2)#ip access-list 10 commit   -->Apply extended IP access control list 10 to port 2; commit submits it
2.Ruijie(config)#mac access-list extended 20   -->Create a MAC access control rule
Ruijie(config-ext-mac-nacl)#0 deny host 0011.111.1114 host 0011.111.1113   -->Deny packets with source MAC 0011.111.1114 and destination MAC 0011.111.1113
Ruijie(config-ext-mac-nacl)#1 permit any any   -->Permit all packets
Ruijie(config-ext-mac-nacl)#exit  -->Exit to the previous mode
Ruijie(config)#interface gigabitEthernet 0/4 -->Enter port mode
Ruijie(config-if-gigabitEthernet-0/4)#mac access-list 20 commit -->Apply MAC access control list 20 to port 4; commit submits it

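16. Traffic can be split by modifying the OSPF route COST, whose value must be 5 or 10. The primary path planned for the Guangzhou branch's wired IPv4 users to reach the Internet is S6-S4-EG1; when the primary link fails, traffic can switch seamlessly to the backup link

17. Configure inbound interface rate limiting on interfaces Gi0/5 to Gi0/16 of S6, with a limit of 10Mbps and burst traffic of 1024 kbytes. The R3 service node performs traffic shaping on interface S3/0, which has a bandwidth of 2Mbps

18. The R3 service node performs traffic policing on interface G0/0: upstream packet traffic must not exceed 10Mbps, Burst-normal is 1M bytes and Burst-max is 2M bytes; if the traffic limit is exceeded, the violating packets are dropped

RG-S1908+:15#create access_profile profile_id 3 profile_name test ip source_ip_mask 255.255.255.0------>Create an access control profile named test with profile ID 3, of type IP, with source IP mask 255.255.255.0.
RG-S1908+:15#config access_profile profile_id 3 add access_id 1 ip source_ip 192.168.1.0 port 1 permit------>Configure an ACL rule for the IPv4 ACL profile created above: access rule ID 1, source IP address 192.168.1.0, port number 1, rule action "permit"
RG-S1908+:15#config flow_meter profile_id 3 access_id 1 rate 10000 burst_size 1024 rate_exceed drop_packet------>Configure ACL traffic policing: ACL profile ID 3, access rule ID 1, bandwidth 10000Kbs, burst size 1024Kbs, and packets exceeding the committed rate are dropped.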

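(III) Configure the wireless network

1. Use EG1 as the DHCP server for the Guangzhou branch's wireless users and wireless APs; use S5 as the DHCP server for the Jilin branch's wireless users and wireless APs

2. Create the Guangzhou branch intranet SSID Test-GZ_XX (note: XX is provided on site), with WLAN ID 1 and AP-Group GZ; intranet wireless users obtain addresses automatically after associating with the SSID. Create the Jilin branch intranet SSID Test-JL_XX (XX is provided on site), with WLAN ID 2 and AP-Group JL; intranet wireless users obtain addresses automatically after associating with the SSID

3. At headquarters, AC2 is the active controller and AC1 is the standby. APs establish tunnels with both AC1 and AC2; when an AP loses its connection to AC2, it can switch seamlessly to AC1 and continue to provide service

4. When Guangzhou branch wireless users connect to the wireless network, WPA2 encryption must be used, with encryption password XX (note: provided on site). Also enable whitelist checking and permit only the PC2 wireless terminal

5. All intranet wireless networks must enable local forwarding mode. For each user under WLAN ID 2, the average downlink rate is 800KB/s and the burst rate is 1600KB/s

6. At the Jilin branch, the maximum number of associated users per AP is 30. The Guangzhou branch uses time scheduling to turn off the wireless service from 21:00 to 23:30 every Monday to Friday

(V) Egress network configuration

1. Configure NAT on EG1, EG2 and R1 so that all users at headquarters and the branches (ACL 110) can access the Internet, translating intranet user IP addresses to the Internet-facing interface using NAPT.

2. Deploy the global flow-table firewall on EG2; the ACL (number 102) permits ICMP and Telnet from all IPs to this device's external interface; permits intranet AP and terminal IPs to access all external resources; and permits the protocol ports of functions already enabled on the device, as required by context.

3. On EG1, rate-limit traffic to external WEB sites to 1000Kbps per IP, with total intranet WEB traffic not exceeding 50Mbps.

4. Use IPSec to encrypt the data flows from headquarters to each branch. Use dynamic tunnels in main mode; the security protocol is esp, the encryption algorithm is 3des and the authentication algorithm is md5; IPsec SAs are established via IKE. On R1, the ipsec transform set is named myset. The dynamic ipsec crypto map is named dymymap. The pre-shared key is plaintext 123456. The static ipsec crypto map is mymap.

5. On EG1 and EG2, configure ACL number 101. The static ipsec crypto map is mymap. The pre-shared key is plaintext 123456.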