Author: Miao Hao, 15515026488 (same number on WeChat)
This article is excerpted from "Huawei ICT Competition - Network Track Learning Space (China Region)". If it infringes any rights, please contact the author promptly to have it removed.
Original link: https://talent.shixizhi.huawei.com/course/1365189427395223554/application-learn?status=published&courseId=1680760185478529026&id=554759065239212032&appId=554759065222434816&classId=554759065222434817&courseType=1&sxz-lang=zh_CN&headershow=false
1. Project Background
A large company built a province-wide corporate private network in 2008 and used it to interconnect its branch offices across the province.
Today, insufficient bandwidth in the underlying network, aging equipment, chaotic network planning and poor overall network performance are reducing office efficiency and limiting support for new technologies and new terminals, which hinders the company's business growth. To improve the overall performance, stability and scalability of the company network, the company has decided to replace legacy equipment and upgrade the whole network at headquarters and in each branch in phases.
The phase-one network design must provide connectivity between headquarters and the branches.
To increase reliability and security, redundancy is planned for the core switches and the ACs, with separate gateways for wired and wireless services; the core switches share the load and at the same time improve network reliability. Communication between headquarters and the branches uses MPLS VPN, so that terminals in every branch can reach the server resources on the headquarters network, consolidating resources and reducing management and O&M costs.
To meet the mobile-office needs of headquarters staff, phase one also deploys a WLAN at headquarters covering the entire headquarters network, improving office efficiency.
2. Exam Description
2.1 Total Score
The exam consists of three parts: routing and switching, security, and wireless, for a total of 1000 points.
2.2 Equipment
2.2.1 Equipment List
<1> Two USG6000 firewalls (FW1-FW2)
<2> Five AR2220 routers (AR1-AR5)
<3> Five S5700 switches (SW1-SW5)
<4> Two AC6605 controllers (AC1-AC2)
<5> One AP7050 (AP1)
<6> Two PCs (PC1 and PC2)
<7> One laptop (STA1)
<8> Two FTP terminals (FTP terminal 1-FTP terminal 2)
<9> One FTP Server
<10> One DHCP Server
2.2.2 Exam Tools
<1> Three exam PCs, with the software required for the exam and the product documentation for all products involved already installed.
3. Exam Body
3.1 Network Planning
3.2 Device Naming
Configure or confirm the names of the corresponding network devices according to the Figure 3-1 network topology.
Configuration:
#AR1
<Huawei>system-view
[Huawei]sysname AR1
[AR1]
#AR2
<Huawei>system-view
[Huawei]sysname AR2
[AR2]
#AR3
<Huawei>system-view
[Huawei]sysname AR3
[AR3]
#AR4
<Huawei>system-view
[Huawei]sysname AR4
[AR4]
#AR5
<Huawei>system-view
[Huawei]sysname AR5
[AR5]
#SW1
<Huawei>system-view
[Huawei]sysname SW1
[SW1]
#SW2
<Huawei>system-view
[Huawei]sysname SW2
[SW2]
#SW3
<Huawei>system-view
[Huawei]sysname SW3
[SW3]
#SW4
<Huawei>system-view
[Huawei]sysname SW4
[SW4]
#SW5
<Huawei>system-view
[Huawei]sysname SW5
[SW5]
#AC1
<AC6605>system-view
[AC6605]sysname AC1
[AC1]
#AC2
<AC6605>system-view
[AC6605]sysname AC2
[AC2]
#FW1
<USG6000V>system-view
[USG6000V]sysname FW1
[FW1]
#FW2
<USG6000V>system-view
[USG6000V]sysname FW2
[FW2]
#DHCP Server
<Huawei>system-view
[Huawei]sysname DHCP Server
[DHCP Server]
3.3 Headquarters Network Deployment
3.3.1 Device Link Deployment
3.3.1.1 Link Aggregation Deployment
- Deploy link aggregation between the core switches SW1 and SW2, with aggregation interface number 12, doubling the bandwidth while improving link redundancy.
- The link aggregation mode is LACP static mode, with SW1 as the active end.
Configuration:
#SW1
[SW1]lacp priority 100
[SW1]interface Eth-Trunk 12
[SW1-Eth-Trunk12]mode lacp-static
[SW1-Eth-Trunk12]trunkport GigabitEthernet 0/0/1 0/0/2 0/0/8
#SW2
[SW2]interface Eth-Trunk 12
[SW2-Eth-Trunk12]mode lacp-static
[SW2-Eth-Trunk12]trunkport GigabitEthernet 0/0/1 0/0/2 0/0/8
Verification:
3.3.2 Layer 2 Network Deployment
3.3.2.1 VLAN Planning and Deployment
The VLAN plan for the headquarters network is shown in Table 3-3.
Note: to guarantee connectivity and avoid Layer 2 loops, switch ports allow only the specified VLANs; allowing extra VLANs will affect the overall network-stability assessment.
Configuration:
#SW1
[SW1]vlan batch 12 100 200 201 202 203
[SW1]interface Eth-Trunk 12
[SW1-Eth-Trunk12]port link-type trunk
[SW1-Eth-Trunk12]port trunk allow-pass vlan 12 100 200 201 202 203
[SW1-Eth-Trunk12]undo port trunk allow-pass vlan 1
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 100 200 201
[SW1-GigabitEthernet0/0/3]undo port trunk allow-pass vlan 1
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port link-type trunk
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 200 201
[SW1-GigabitEthernet0/0/4]undo port trunk allow-pass vlan 1
[SW1]interface GigabitEthernet 0/0/5
[SW1-GigabitEthernet0/0/5]port link-type access
[SW1-GigabitEthernet0/0/5]port default vlan 203
[SW1]interface GigabitEthernet 0/0/6
[SW1-GigabitEthernet0/0/6]port link-type trunk
[SW1-GigabitEthernet0/0/6]port trunk allow-pass vlan 200 201 202
[SW1-GigabitEthernet0/0/6]undo port trunk allow-pass vlan 1
#SW2
[SW2]vlan batch 10 12 100 200 201 202 203
[SW2]interface Eth-Trunk 12
[SW2-Eth-Trunk12]port link-type trunk
[SW2-Eth-Trunk12]port trunk allow-pass vlan 12 100 200 201 202
[SW2-Eth-Trunk12]undo port trunk allow-pass vlan 1
[SW2]interface GigabitEthernet 0/0/3
[SW2-GigabitEthernet0/0/3]port link-type trunk
[SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 100 200 201
[SW2-GigabitEthernet0/0/3]undo port trunk allow-pass vlan 1
[SW2]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port link-type trunk
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 100 200 201
[SW2-GigabitEthernet0/0/4]undo port trunk allow-pass vlan 1
[SW2]interface GigabitEthernet 0/0/5
[SW2-GigabitEthernet0/0/5]port link-type access
[SW2-GigabitEthernet0/0/5]port default vlan 203
[SW2]interface GigabitEthernet 0/0/6
[SW2-GigabitEthernet0/0/6]port link-type trunk
[SW2-GigabitEthernet0/0/6]port trunk allow-pass vlan 200 201 202
[SW2-GigabitEthernet0/0/6]undo port trunk allow-pass vlan 1
[SW2]interface GigabitEthernet 0/0/7
[SW2-GigabitEthernet0/0/7]port link-type access
[SW2-GigabitEthernet0/0/7]port default vlan 10
#SW3
[SW3]vlan 100
[SW3]interface GigabitEthernet 0/0/1
[SW3-GigabitEthernet0/0/1]port link-type trunk
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[SW3-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
[SW3]interface GigabitEthernet 0/0/2
[SW3-GigabitEthernet0/0/2]port link-type trunk
[SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 100
[SW3-GigabitEthernet0/0/2]undo port trunk allow-pass vlan 1
[SW3]port-group group-member GigabitEthernet 0/0/3 GigabitEthernet 0/0/4
[SW3-port-group]port link-type access
[SW3-port-group]port default vlan 100
#SW4
[SW4]vlan batch 200 201
[SW4]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/3
[SW4-port-group]port link-type trunk
[SW4-port-group]port trunk allow-pass vlan 200 201
[SW4]interface GigabitEthernet 0/0/3
[SW4-GigabitEthernet0/0/3]port trunk pvid vlan 200
#AC1
[AC1]vlan batch 200 202
[AC1]interface GigabitEthernet 0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 200 202
[AC1-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
#AC2
[AC2]vlan batch 200 202
[AC2]interface GigabitEthernet 0/0/1
[AC2-GigabitEthernet0/0/1]port link-type trunk
[AC2-GigabitEthernet0/0/1]port trunk allow-pass vlan 200 202
[AC2-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
#FW1
[FW1]vlan 203
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]portswitch
[FW1-GigabitEthernet1/0/0]port link-type access
[FW1-GigabitEthernet1/0/0]port default vlan 203
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]portswitch
[FW1-GigabitEthernet1/0/1]port link-type access
[FW1-GigabitEthernet1/0/1]port default vlan 203
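As an added check that is not part of the original exam material: the note above requires each port to carry only the specified VLANs, and a trunk is only useful for a VLAN if both ends of the link allow it. The Python below parses VRP-style `port trunk allow-pass vlan` / `undo port trunk allow-pass vlan` lines (the prompt format used throughout this page) into per-interface allow lists and reports VLANs allowed on one end of a link but not the other. The sample input is the page's own Eth-Trunk 12 lines for SW1 and SW2, the one link whose two ends the text itself defines (Figure 3-1 is not reproduced here, so other links are not checked); on that input it reports VLAN 203 as allowed on the SW1 end only. Whether that is intended is a design decision the page does not state; the check only surfaces the difference.

```python
import re
from collections import defaultdict

# Constructed sample input: the Eth-Trunk 12 lines for SW1 and SW2 as given on this page.
SAMPLE_CONFIG = """\
[SW1]interface Eth-Trunk 12
[SW1-Eth-Trunk12]port link-type trunk
[SW1-Eth-Trunk12]port trunk allow-pass vlan 12 100 200 201 202 203
[SW1-Eth-Trunk12]undo port trunk allow-pass vlan 1
[SW2]interface Eth-Trunk 12
[SW2-Eth-Trunk12]port link-type trunk
[SW2-Eth-Trunk12]port trunk allow-pass vlan 12 100 200 201 202
[SW2-Eth-Trunk12]undo port trunk allow-pass vlan 1
"""

# VRP prompt: [DEVICE] in system view, [DEVICE-context] inside an interface or other view.
PROMPT_RE = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<ctx>[^\]]+))?\](?P<cmd>.*)$")


def expand_vlans(tokens):
    """Expand a VRP VLAN list such as ['10', '20', 'to', '25'] into a set of VLAN IDs."""
    vlans = set()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_allowed_vlans(config_text):
    """Return {(device, interface): set of VLANs the trunk carries} from VRP config lines."""
    allowed = defaultdict(set)
    current_if = {}  # device -> interface whose view is currently open
    for raw in config_text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue
        dev, cmd = m.group("dev"), m.group("cmd").strip()
        if cmd.startswith("interface "):
            current_if[dev] = cmd[len("interface "):].replace(" ", "")
            continue
        if dev not in current_if:
            continue
        key = (dev, current_if[dev])
        parts = cmd.split()
        if parts[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            allowed[key] |= expand_vlans(parts[4:])
        elif parts[:5] == ["undo", "port", "trunk", "allow-pass", "vlan"]:
            allowed[key] -= expand_vlans(parts[5:])
        elif parts == ["port", "link-type", "trunk"]:
            allowed[key].add(1)  # a VRP trunk port carries VLAN 1 until it is explicitly removed
    return dict(allowed)


def link_asymmetry(allowed, end_a, end_b):
    """VLANs allowed on only one end of a link; frames tagged with them are dropped at the other end."""
    a = allowed.get(end_a, set())
    b = allowed.get(end_b, set())
    return {"only_" + end_a[0]: a - b, "only_" + end_b[0]: b - a}


def check_eth_trunk_12():
    allowed = parse_allowed_vlans(SAMPLE_CONFIG)
    return link_asymmetry(allowed, ("SW1", "Eth-Trunk12"), ("SW2", "Eth-Trunk12"))


if __name__ == "__main__":
    for end, vlans in check_eth_trunk_12().items():
        print(end, sorted(vlans))
```

To check the other links once the topology is known, paste both ends' interface blocks into the sample text and call `link_asymmetry` with the two `(device, interface)` keys.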
Verification:
3.3.2.2 MSTP Deployment
- SW1, SW2, SW3 and SW4 all run MSTP.
- VLAN 100 is in Instance 1; without using a command to change the bridge priority, SW1 must be the root bridge of Instance 1 and SW2 the backup root.
- VLAN 200 and VLAN 201 are in Instance 2; without using a command to change the bridge priority, SW2 must be the root bridge of Instance 2 and SW1 the backup root.
- The MSTP region name is huawei and the revision level is 12.
Configuration:
#SW1
[SW1]stp mode mstp
[SW1]stp region-configuration
[SW1-mst-region]region-name huawei
[SW1-mst-region]revision-level 12
[SW1-mst-region]instance 1 vlan 100
[SW1-mst-region]instance 2 vlan 200 201
[SW1-mst-region]active region-configuration
[SW1]stp instance 0 root primary
[SW1]stp instance 1 root primary
[SW1]stp instance 2 root secondary
#SW2
[SW2]stp mode mstp
[SW2]stp region-configuration
[SW2-mst-region]region-name huawei
[SW2-mst-region]revision-level 12
[SW2-mst-region]instance 1 vlan 100
[SW2-mst-region]instance 2 vlan 200 201
[SW2-mst-region]active region-configuration
[SW2]stp instance 0 root secondary
[SW2]stp instance 1 root secondary
[SW2]stp instance 2 root primary
#SW3
[SW3]stp mode mstp
[SW3]stp region-configuration
[SW3-mst-region]region-name huawei
[SW3-mst-region]revision-level 12
[SW3-mst-region]instance 1 vlan 100
[SW3-mst-region]instance 2 vlan 200 201
[SW3-mst-region]active region-configuration
#SW4
[SW4]stp mode mstp
[SW4]stp region-configuration
[SW4-mst-region]region-name huawei
[SW4-mst-region]revision-level 12
[SW4-mst-region]instance 1 vlan 100
[SW4-mst-region]instance 2 vlan 200 201
[SW4-mst-region]active region-configuration
Verification:
3.3.3 Layer 3 Network Deployment
3.3.3.1 IP Address Planning and Configuration
The IP address plan is shown in Table 3-1, the IP address planning table; configure the IP addresses correctly according to the plan.
Configuration:
#SW1
[SW1]interface LoopBack 0
[SW1-LoopBack0]ip address 11.11.11.11 32
[SW1]interface Vlanif 12
[SW1-Vlanif12]ip address 192.168.12.1 24
[SW1]interface Vlanif 100
[SW1-Vlanif100]ip address 192.168.100.1 24
[SW1]interface Vlanif 200
[SW1-Vlanif200]ip address 192.168.200.1 24
[SW1]interface Vlanif 201
[SW1-Vlanif201]ip address 192.168.201.1 24
[SW1]interface Vlanif 203
[SW1-Vlanif203]ip address 192.168.203.1 24
#SW2
[SW2]interface LoopBack 0
[SW2-LoopBack0]ip address 12.12.12.12 32
[SW2]interface Vlanif 10
[SW2-Vlanif10]ip address 192.168.10.1 24
[SW2]interface Vlanif 12
[SW2-Vlanif12]ip address 192.168.12.2 24
[SW2]interface Vlanif 100
[SW2-Vlanif100]ip address 192.168.100.2 24
[SW2]interface Vlanif 200
[SW2-Vlanif200]ip address 192.168.200.2 24
[SW2]interface Vlanif 201
[SW2-Vlanif201]ip address 192.168.201.2 24
[SW2]interface Vlanif 203
[SW2-Vlanif203]ip address 192.168.203.2 24
#AC1
[AC1]interface LoopBack 0
[AC1-LoopBack0]ip address 21.21.21.21 32
[AC1]interface Vlanif 200
[AC1-Vlanif200]ip address 192.168.200.11 24
[AC1]interface Vlanif 202
[AC1-Vlanif202]ip address 192.168.202.1 24
#AC2
[AC2]interface LoopBack 0
[AC2-LoopBack0]ip address 22.22.22.22 32
[AC2]interface Vlanif 200
[AC2-Vlanif200]ip address 192.168.200.12 24
[AC2]interface Vlanif 202
[AC2-Vlanif202]ip address 192.168.202.2 24
#DHCP Server
[DHCP Server]interface GigabitEthernet 0/0/0
[DHCP Server-GigabitEthernet0/0/0]ip address 192.168.10.254 24
#FW1
[FW1]interface LoopBack 0
[FW1-LoopBack0]ip address 10.10.10.10 32
[FW1]interface Vlanif 203
[FW1-Vlanif203]ip address 192.168.203.3 24
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 200.1.11.2 30
[FW1]interface GigabitEthernet 1/0/3
[FW1-GigabitEthernet1/0/3]ip address 192.168.20.1 24
Verification:
3.3.3.2 Core Switch High-Reliability Planning and Configuration
- Create VRRP backup group 1 on SW1 and SW2 with virtual IP address 192.168.12.254/24; configure SW1 with priority 200 and a preemption delay of 15 seconds as the Master, and SW2 with the default priority as the Backup.
- Enable MD5 authentication in VRRP backup group 1, with the password Huawei.
- Create VRRP backup group 2 on SW1 and SW2 with virtual IP address 192.168.100.254/24; configure SW1 with priority 200 and a preemption delay of 15 seconds as the Master, and SW2 with the default priority as the Backup.
- Create VRRP backup group 3 on SW1 and SW2 with virtual IP address 192.168.200.254/24; configure SW2 with priority 200 and a preemption delay of 15 seconds as the Master, and SW1 with the default priority as the Backup.
- Create VRRP backup group 4 on SW1 and SW2 with virtual IP address 192.168.201.254/24; configure SW2 with priority 200 and a preemption delay of 15 seconds as the Master, and SW1 with the default priority as the Backup.
- Of VRRP backup groups 1 and 2, group 1 is the management group (admin-vrrp); of backup groups 3 and 4, group 3 is the management group.
- To speed up master/backup switchover, create BFD sessions on SW1 and SW2 for backup groups 1 and 3 and bind them to the corresponding management groups.
Configuration:
#SW1
[SW1]bfd
[SW1]bfd vlanif12 bind peer-ip 192.168.12.2 source-ip 192.168.12.1 auto
[SW1-bfd-session-vlanif12]commit
[SW1]bfd vlanif200 bind peer-ip 192.168.200.2 source-ip 192.168.200.1 auto
[SW1-bfd-session-vlanif200]commit
[SW1]interface Vlanif 12
[SW1-Vlanif12]vrrp vrid 1 virtual-ip 192.168.12.254
[SW1-Vlanif12]vrrp vrid 1 priority 200
[SW1-Vlanif12]vrrp vrid 1 preempt-mode timer delay 15
[SW1-Vlanif12]vrrp vrid 1 authentication-mode md5 Huawei
[SW1-Vlanif12]admin-vrrp vrid 1
[SW1-Vlanif12]vrrp vrid 1 track bfd-session session-name vlanif12 reduced 110
[SW1]interface Vlanif 100
[SW1-Vlanif100]vrrp vrid 2 virtual-ip 192.168.100.254
[SW1-Vlanif100]vrrp vrid 2 priority 200
[SW1-Vlanif100]vrrp vrid 2 preempt-mode timer delay 15
[SW1-Vlanif100]vrrp vrid 2 track admin-vrrp interface Vlanif 12 vrid 1 unflowdown
[SW1]interface Vlanif 200
[SW1-Vlanif200]vrrp vrid 3 virtual-ip 192.168.200.254
[SW1-Vlanif200]admin-vrrp vrid 3
[SW1]interface Vlanif 201
[SW1-Vlanif201]vrrp vrid 4 virtual-ip 192.168.201.254
[SW1-Vlanif201]vrrp vrid 4 track admin-vrrp interface Vlanif 200 vrid 3 unflowdown
#SW2
[SW2]bfd
[SW2]bfd vlanif12 bind peer-ip 192.168.12.1 source-ip 192.168.12.2 auto
[SW2-bfd-session-vlanif12]commit
[SW2]bfd vlanif200 bind peer-ip 192.168.200.1 source-ip 192.168.200.2 auto
[SW2-bfd-session-vlanif200]commit
[SW2]interface Vlanif 12
[SW2-Vlanif12]vrrp vrid 1 virtual-ip 192.168.12.254
[SW2-Vlanif12]vrrp vrid 1 authentication-mode md5 Huawei
[SW2-Vlanif12]admin-vrrp vrid 1
[SW2]interface Vlanif 100
[SW2-Vlanif100]vrrp vrid 2 virtual-ip 192.168.100.254
[SW2-Vlanif100]vrrp vrid 2 track admin-vrrp interface Vlanif 12 vrid 1 unflowdown
[SW2]interface Vlanif 200
[SW2-Vlanif200]vrrp vrid 3 virtual-ip 192.168.200.254
[SW2-Vlanif200]vrrp vrid 3 priority 200
[SW2-Vlanif200]vrrp vrid 3 preempt-mode timer delay 15
[SW2-Vlanif200]admin-vrrp vrid 3
[SW2-Vlanif200]vrrp vrid 3 track bfd-session session-name vlanif200 reduced 110
[SW2]interface Vlanif 201
[SW2-Vlanif201]vrrp vrid 4 virtual-ip 192.168.201.254
[SW2-Vlanif201]vrrp vrid 4 priority 200
[SW2-Vlanif201]vrrp vrid 4 preempt-mode timer delay 15
[SW2-Vlanif201]vrrp vrid 4 track admin-vrrp interface Vlanif 200 vrid 3 unflowdown
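To make the numbers in this section concrete, here is an added model (my own Python, not part of the exam material) of the VRRP election on SW1 and SW2 as configured above: the configured priorities, the default priority 100 on the other switch, the BFD-tracked `reduced 110` on the two management groups, and member groups 2 and 4 following their admin-vrrp group (`unflowdown`). It shows why the reduction has to exceed 100: 200 - 110 = 90 is below the peer's default of 100, so a BFD failure on Vlanif 12 moves groups 1 and 2 to SW2 while groups 3 and 4 stay on SW2, and symmetrically for Vlanif 200. Switch names, priorities and addresses are the page's; the tie-breaker uses the interface address (.1 on SW1, .2 on SW2) as VRRP does. The 15-second preemption delay is not modelled.

```python
VRRP_DEFAULT_PRIORITY = 100
ROUTERS = ("SW1", "SW2")
# Last octet of each switch's interface address; VRRP breaks priority ties by the higher IP address.
IP_TIEBREAK = {"SW1": 1, "SW2": 2}

# Model of the page's backup groups. 'follows' points a member group at its admin-vrrp group
# (vrrp vrid N track admin-vrrp ... unflowdown); 'track_bfd' is (session name, reduced value).
GROUPS = {
    1: {"follows": None, "priority": {"SW1": 200}, "track_bfd": {"SW1": ("vlanif12", 110)}},
    2: {"follows": 1,    "priority": {"SW1": 200}, "track_bfd": {}},
    3: {"follows": None, "priority": {"SW2": 200}, "track_bfd": {"SW2": ("vlanif200", 110)}},
    4: {"follows": 3,    "priority": {"SW2": 200}, "track_bfd": {}},
}


def effective_priority(vrid, router, bfd_down=frozenset()):
    """Configured (or default) priority, lowered by 'reduced' while the tracked BFD session is down."""
    group = GROUPS[vrid]
    prio = group["priority"].get(router, VRRP_DEFAULT_PRIORITY)
    track = group["track_bfd"].get(router)
    if track is not None and track[0] in bfd_down:
        prio = max(prio - track[1], 1)  # a VRRP priority never drops below 1
    return prio


def elect_master(vrid, bfd_down=frozenset()):
    """Master of a group: highest effective priority, higher interface address on a tie.
    A member group does not elect on its own; with unflowdown it mirrors its admin group."""
    group = GROUPS[vrid]
    if group["follows"] is not None:
        return elect_master(group["follows"], bfd_down)
    return max(ROUTERS, key=lambda r: (effective_priority(vrid, r, bfd_down), IP_TIEBREAK[r]))


def failover_table(bfd_down=frozenset()):
    """Master of every backup group for a given set of failed BFD sessions."""
    return {vrid: elect_master(vrid, bfd_down) for vrid in sorted(GROUPS)}


def reduction_is_sufficient(vrid, router):
    """True if the tracked reduction pushes this router below the peer's default priority,
    i.e. the tracking actually causes a switchover rather than only lowering a number."""
    session, _reduced = GROUPS[vrid]["track_bfd"][router]
    return effective_priority(vrid, router, {session}) < VRRP_DEFAULT_PRIORITY


if __name__ == "__main__":
    print("all sessions up:   ", failover_table())
    print("vlanif12 BFD down: ", failover_table({"vlanif12"}))
    print("vlanif200 BFD down:", failover_table({"vlanif200"}))
```

Change the `reduced` value in `GROUPS` to anything at or below 100 and `reduction_is_sufficient` turns false: the configured master would keep priority 100 or more and never hand over, which is the mistake the check is meant to catch.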
Verification:
3.3.3.3 IGP Deployment
- To ensure that the headquarters wireless and wired networks can reach each other, OSPF is deployed between SW1, SW2, AC1, AC2 and FW1.
- The OSPF process ID is 64512; all device interfaces are in the backbone area; Loopback 0 is used as the router ID, and each network segment must be advertised precisely.
- Use the import command to import the DHCP server's directly connected segment into OSPF (no other segments may be imported).
Configuration:
#SW1
[SW1]ospf 64512 router-id 11.11.11.11
[SW1-ospf-64512]area 0
[SW1-ospf-64512-area-0.0.0.0]network 11.11.11.11 0.0.0.0
[SW1-ospf-64512-area-0.0.0.0]network 192.168.12.1 0.0.0.0
[SW1-ospf-64512-area-0.0.0.0]network 192.168.100.1 0.0.0.0
[SW1-ospf-64512-area-0.0.0.0]network 192.168.200.1 0.0.0.0
[SW1-ospf-64512-area-0.0.0.0]network 192.168.201.1 0.0.0.0
[SW1-ospf-64512-area-0.0.0.0]network 192.168.203.1 0.0.0.0
[SW1]ip route-static 0.0.0.0 0.0.0.0 192.168.203.3
#SW2
[SW2]ip ip-prefix dhcp_direct permit 192.168.10.0 24
[SW2]route-policy dhcp_direct permit node 10
[SW2-route-policy]if-match ip-prefix dhcp_direct
[SW2]ospf 64512 router-id 12.12.12.12
[SW2-ospf-64512]import-route direct route-policy dhcp_direct type 1
[SW2-ospf-64512]area 0
[SW2-ospf-64512-area-0.0.0.0]network 12.12.12.12 0.0.0.0
[SW2-ospf-64512-area-0.0.0.0]network 192.168.12.2 0.0.0.0
[SW2-ospf-64512-area-0.0.0.0]network 192.168.100.2 0.0.0.0
[SW2-ospf-64512-area-0.0.0.0]network 192.168.200.2 0.0.0.0
[SW2-ospf-64512-area-0.0.0.0]network 192.168.201.2 0.0.0.0
[SW2-ospf-64512-area-0.0.0.0]network 192.168.203.2 0.0.0.0
[SW2]ip route-static 0.0.0.0 0.0.0.0 192.168.203.3
#AC1
[AC1]ospf 64512 router-id 21.21.21.21
[AC1-ospf-64512]area 0
[AC1-ospf-64512-area-0.0.0.0]network 21.21.21.21 0.0.0.0
[AC1-ospf-64512-area-0.0.0.0]network 192.168.200.11 0.0.0.0
[AC1-ospf-64512-area-0.0.0.0]network 192.168.202.1 0.0.0.0
[AC1]interface Vlanif 200
[AC1-Vlanif200]ospf dr-priority 0
#AC2
[AC2]ospf 64512 router-id 22.22.22.22
[AC2-ospf-64512]area 0
[AC2-ospf-64512-area-0.0.0.0]network 22.22.22.22 0.0.0.0
[AC2-ospf-64512-area-0.0.0.0]network 192.168.200.12 0.0.0.0
[AC2-ospf-64512-area-0.0.0.0]network 192.168.202.2 0.0.0.0
[AC2]interface Vlanif 200
[AC2-Vlanif200]ospf dr-priority 0
#FW1
[FW1]ip route-static 0.0.0.0 0.0.0.0 200.1.11.1
[FW1]ospf 64512 router-id 10.10.10.10
[FW1-ospf-64512]default-route-advertise type 1
[FW1-ospf-64512]area 0
[FW1-ospf-64512-area-0.0.0.0]network 10.10.10.10 0.0.0.0
[FW1-ospf-64512-area-0.0.0.0]network 192.168.20.1 0.0.0.0
[FW1-ospf-64512-area-0.0.0.0]network 192.168.203.3 0.0.0.0
Verification: before the firewall security zones are configured, the OSPF neighbor stays stuck in the Exstart state.
3.3.4 Server Deployment
3.3.4.1 DHCP Server Deployment
- On the DHCP Server, create global address pools to assign addresses to wired terminals, wireless terminals and APs. The gateways are on SW1 and SW2; because the core switches and the DHCP server are not on the same network segment, a way must be found for the AP, PC and STA to obtain IP addresses. The pool details are given in the table below.
- The address pools must exclude IP addresses already in use.
- PC1 must obtain the fixed IP address 192.168.100.199.
Configuration:
#DHCP Server
[DHCP Server]ip route-static 0.0.0.0 0.0.0.0 192.168.10.1
[DHCP Server]dhcp enable
[DHCP Server]ip pool Wired
[DHCP Server-ip-pool-Wired]network 192.168.100.0 mask 255.255.255.0
[DHCP Server-ip-pool-Wired]gateway-list 192.168.100.254
[DHCP Server-ip-pool-Wired]dns-list 114.114.114.114
[DHCP Server-ip-pool-Wired]static-bind ip-address 192.168.100.199 mac-address 5489-985A-089A
[DHCP Server]ip pool AP
[DHCP Server-ip-pool-AP]network 192.168.200.0 mask 24
[DHCP Server-ip-pool-AP]gateway-list 192.168.200.254
[DHCP Server-ip-pool-AP]dns-list 202.96.128.66
[DHCP Server-ip-pool-AP]lease day 0 hour 12
[DHCP Server-ip-pool-AP]option 43 ip-address 21.21.21.21 22.22.22.22
[DHCP Server]ip pool Wireless
[DHCP Server-ip-pool-Wireless]network 192.168.201.0 mask 24
[DHCP Server-ip-pool-Wireless]gateway-list 192.168.201.254
[DHCP Server-ip-pool-Wireless]dns-list 8.8.8.8
[DHCP Server-ip-pool-Wireless]lease day 0 hour 8
[DHCP Server]interface GigabitEthernet 0/0/0
[DHCP Server-GigabitEthernet0/0/0]dhcp select global
#SW1
[SW1]dhcp enable
[SW1]interface Vlanif 100
[SW1-Vlanif100]dhcp select relay
[SW1-Vlanif100]dhcp relay server-ip 192.168.10.254
[SW1]interface Vlanif 200
[SW1-Vlanif200]dhcp select relay
[SW1-Vlanif200]dhcp relay server-ip 192.168.10.254
[SW1]interface Vlanif 201
[SW1-Vlanif201]dhcp select relay
[SW1-Vlanif201]dhcp relay server-ip 192.168.10.254
#SW2
[SW2]dhcp enable
[SW2]interface Vlanif 100
[SW2-Vlanif100]dhcp select relay
[SW2-Vlanif100]dhcp relay server-ip 192.168.10.254
[SW2]interface Vlanif 200
[SW2-Vlanif200]dhcp select relay
[SW2-Vlanif200]dhcp relay server-ip 192.168.10.254
[SW2]interface Vlanif 201
[SW2-Vlanif201]dhcp select relay
[SW2-Vlanif201]dhcp relay server-ip 192.168.10.254
Command to exclude addresses:
[DHCP Server-ip-pool-AP]excluded-ip-address xx.xx.xx.xx
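The first bullet above says the gateways sit on SW1/SW2 while the server is on 192.168.10.0/24, which is why the Vlanif interfaces run `dhcp select relay` and the server carries a static route back through 192.168.10.1. The following Python model (added here; not part of the exam material and not the server's code) shows the server side of that: the relay stamps the request with the address of the Vlanif that received it (giaddr), and the server picks the global pool whose network contains giaddr, honours the MAC static binding for PC1, skips the gateway and excluded addresses, and returns the pool's options, including Option 43 for the AP pool. The pool networks, gateways, DNS servers, leases, PC1's MAC and the AC addresses are the page's. The excluded addresses are my assumption, namely the SW1/SW2 and AC Vlanif addresses the page assigns inside each pool network (the page leaves them as xx.xx.xx.xx), and the Wired pool's lease is the VRP default of one day because the page sets none.

```python
import ipaddress

ONE_HOUR = 3600

# Model of the three global pools configured on the DHCP Server above.
# 'excluded' entries are an assumption: the Vlanif addresses this page assigns inside each pool network.
POOLS = {
    "Wired": {
        "network": ipaddress.ip_network("192.168.100.0/24"),
        "gateway": "192.168.100.254",
        "dns": ["114.114.114.114"],
        "lease_s": 24 * ONE_HOUR,          # page sets no lease here; VRP default is one day (assumption)
        "static": {"5489-985A-089A": "192.168.100.199"},   # PC1
        "option43": [],
        "excluded": {"192.168.100.1", "192.168.100.2"},
    },
    "AP": {
        "network": ipaddress.ip_network("192.168.200.0/24"),
        "gateway": "192.168.200.254",
        "dns": ["202.96.128.66"],
        "lease_s": 12 * ONE_HOUR,
        "static": {},
        "option43": ["21.21.21.21", "22.22.22.22"],        # AC1 / AC2 CAPWAP source addresses
        "excluded": {"192.168.200.1", "192.168.200.2", "192.168.200.11", "192.168.200.12"},
    },
    "Wireless": {
        "network": ipaddress.ip_network("192.168.201.0/24"),
        "gateway": "192.168.201.254",
        "dns": ["8.8.8.8"],
        "lease_s": 8 * ONE_HOUR,
        "static": {},
        "option43": [],
        "excluded": {"192.168.201.1", "192.168.201.2"},
    },
}


def select_pool(giaddr):
    """A relayed request is matched to the pool whose network contains the relay agent address."""
    addr = ipaddress.ip_address(giaddr)
    for name, pool in POOLS.items():
        if addr in pool["network"]:
            return name
    return None


def offer(giaddr, client_mac, in_use=()):
    """Build the OFFER the server would send for a request relayed from giaddr by client_mac.
    in_use: addresses already leased (constructed input supplied by the caller)."""
    name = select_pool(giaddr)
    if name is None:
        return None  # giaddr outside every pool: the relay's Vlanif address must lie inside a pool network
    pool = POOLS[name]
    ip = pool["static"].get(client_mac)
    if ip is None:
        blocked = set(pool["excluded"]) | {pool["gateway"]} | set(pool["static"].values()) | set(in_use)
        ip = next((str(h) for h in pool["network"].hosts() if str(h) not in blocked), None)
        if ip is None:
            return None  # pool exhausted
    return {
        "pool": name,
        "ip": ip,
        "mask": str(pool["network"].netmask),
        "gateway": pool["gateway"],
        "dns": pool["dns"],
        "lease_s": pool["lease_s"],
        "option43": pool["option43"],
    }


if __name__ == "__main__":
    print(offer("192.168.100.1", "5489-985A-089A"))   # PC1 relayed by SW1 -> static .199
    print(offer("192.168.200.2", "00e0-fc52-7250"))   # AP1 relayed by SW2 -> first free AP address + option 43
    print(offer("192.168.10.1", "0000-0000-0001"))    # no pool covers the server's own segment
```

Because either SW1 or SW2 may relay (whichever holds the VRRP master role at the moment), both switches' Vlanif addresses fall inside each pool network, and that is exactly why they belong in the exclusion list.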
Verification:
3.3.4.2 FTP Server Deployment
Just pick any directory and click Start.
3.3.5 WLAN Network Deployment
3.3.5.1 WLAN Basic Parameter Planning
Configuration:
#AC1
[AC1]capwap source interface LoopBack 0
[AC1]wlan
[AC1-wlan-view]ap-group name huawei
[AC1-wlan-ap-group-huawei]quit
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc52-7250
[AC1-wlan-ap-1]ap-name AP1
[AC1-wlan-ap-1]ap-group huawei
[AC1-wlan-view]regulatory-domain-profile name huawei
[AC1-wlan-regulate-domain-huawei]country-code CN
[AC1-wlan-view]ssid-profile name huawei
[AC1-wlan-ssid-prof-huawei]ssid Huawei-ICT2020
[AC1-wlan-view]security-profile name huawei
[AC1-wlan-sec-prof-huawei]security wpa-wpa2 psk pass-phrase Huawei-ICT2020 aes-tkip
[AC1-wlan-view]vap-profile name huawei
[AC1-wlan-vap-prof-huawei]service-vlan vlan 201
[AC1-wlan-vap-prof-huawei]ssid-profile huawei
[AC1-wlan-vap-prof-huawei]security-profile huawei
[AC1-wlan-view]ap-group name huawei
[AC1-wlan-ap-group-huawei]regulatory-domain-profile huawei
[AC1-wlan-ap-group-huawei]vap-profile huawei wlan 1 radio all
#AC2
[AC2]capwap source interface LoopBack 0
[AC2]wlan
[AC2-wlan-view]ap-group name huawei
[AC2-wlan-ap-group-huawei]quit
[AC2-wlan-view]ap auth-mode mac-auth
[AC2-wlan-view]ap-id 1 ap-mac 00e0-fc52-7250
[AC2-wlan-ap-1]ap-name AP1
[AC2-wlan-ap-1]ap-group huawei
[AC2-wlan-view]regulatory-domain-profile name huawei
[AC2-wlan-regulate-domain-huawei]country-code CN
[AC2-wlan-view]ssid-profile name huawei
[AC2-wlan-ssid-prof-huawei]ssid Huawei-ICT2020
[AC2-wlan-view]security-profile name huawei
[AC2-wlan-sec-prof-huawei]security wpa-wpa2 psk pass-phrase Huawei-ICT2020 aes-tkip
[AC2-wlan-view]vap-profile name huawei
[AC2-wlan-vap-prof-huawei]service-vlan vlan 201
[AC2-wlan-vap-prof-huawei]ssid-profile huawei
[AC2-wlan-vap-prof-huawei]security-profile huawei
[AC2-wlan-view]ap-group name huawei
[AC2-wlan-ap-group-huawei]regulatory-domain-profile huawei
[AC2-wlan-ap-group-huawei]vap-profile huawei wlan 1 radio all
Verification:
3.3.5.2 Wireless RF Planning (this part is not done completely; anyone who understands it is welcome to discuss)
- Plan the radio resources under the AP group in a unified way.
- Set the 2.4 GHz channel bandwidth to 40 MHz, bonding channels 1 and 5.
- Set the channel bandwidth of the first 5 GHz radio to 80 MHz, bonding channels 36 to 48.
- Set the channel bandwidth of the second 5 GHz radio to 80 MHz, bonding channels 149 to 161.
Configuration:
#AC2
[AC2]wlan
[AC2-wlan-view]rrm-profile name huawei
[AC2-wlan-rrm-prof-huawei]calibrate auto-channel-select disable
[AC2-wlan-rrm-prof-huawei]calibrate auto-txpower-select disable
[AC2-wlan-view]air-scan-profile name huawei
[AC2-wlan-air-scan-prof-huawei]scan-channel-set country-channel
[AC2-wlan-air-scan-prof-huawei]scan-period 80
[AC2-wlan-air-scan-prof-huawei]scan-interval 80000
[AC2-wlan-view]radio-2g-profile name huawei
[AC2-wlan-radio-2g-prof-huawei]rrm-profile huawei
[AC2-wlan-radio-2g-prof-huawei]air-scan-profile huawei
[AC2-wlan-view]radio-5g-profile name huawei
[AC2-wlan-radio-5g-prof-huawei]rrm-profile huawei
[AC2-wlan-radio-5g-prof-huawei]air-scan-profile huawei
[AC2-wlan-view]ap-group name huawei
[AC2-wlan-ap-group-huawei]radio-2g-profile huawei radio 0
[AC2-wlan-ap-group-huawei]radio-5g-profile huawei radio 1
[AC2-wlan-ap-group-huawei]radio-5g-profile huawei radio 2
3.3.5.3 AC Hot Standby
- Deploy dual-link backup with AC1 as the active AC and AC2 as the standby AC.
- Deploy hot standby so that the active and standby ACs synchronize AP information and STA information.
Configuration: for the active/standby setup, use the addresses required by the question; I had already finished and couldn't be bothered to change it.
#AC1
[AC1]wlan
[AC1-wlan-view]ac protect enable
[AC1-wlan-view]ac protect protect-ac 22.22.22.22 priority 0
[AC1-wlan-view]ap-reset all
[AC1]hsb-service 0
[AC1-hsb-service-0]service-ip-port local-ip 21.21.21.21 peer-ip 22.22.22.22 local-data-port 10241 peer-data-port 10241
[AC1]hsb-service-type ap hsb-service 0
[AC1]hsb-service-type access-user hsb-service 0
#AC2
[AC2]wlan
[AC2-wlan-view]ac protect enable
[AC2-wlan-view]ac protect protect-ac 21.21.21.21 priority 1
[AC2-wlan-view]ap-reset all
[AC2]hsb-service 0
[AC2-hsb-service-0]service-ip-port local-ip 22.22.22.22 peer-ip 21.21.21.21 local-data-port 10241 peer-data-port 10241
[AC2]hsb-service-type ap hsb-service 0
[AC2]hsb-service-type access-user hsb-service 0
Verification:
3.3.6 Security Policy Deployment
3.3.6.1 Security Policy for Access Within Headquarters
- Divide security zones: assign interface VLANIF 203 to the Trust zone, GE1/0/2 to the Untrust zone and GE1/0/3 to the DMZ zone.
- So that the FTP server can be accessed by internal PCs, create security policy FTP on the firewall, allowing only the internal FTP terminals to access the FTP server.
Configuration:
#FW1
[FW1]firewall zone trust
[FW1-zone-trust]add interface Vlanif 203
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/3
[FW1]security-policy
[FW1-policy-security]rule name FTP
[FW1-policy-security-rule-FTP]source-zone trust
[FW1-policy-security-rule-FTP]source-zone untrust
[FW1-policy-security-rule-FTP]destination-zone dmz
[FW1-policy-security-rule-FTP]source-address 192.168.100.0 mask 255.255.255.0
[FW1-policy-security-rule-FTP]source-address 10.1.37.2 mask 255.255.255.255
[FW1-policy-security-rule-FTP]destination-address 192.168.20.254 mask 255.255.255.0
[FW1-policy-security-rule-FTP]action permit
3.3.6.2 Security Policy for Headquarters-Branch Communication
- To interconnect the headquarters and branch networks, create security policy Branch_1 on the firewall, allowing headquarters PCs to communicate with the PCs of branch 1 and also allowing the FTP terminals of branch 1 to access the headquarters FTP server.
Configuration:
#FW1
[FW1]security-policy
[FW1-policy-security]rule name Branch_1
[FW1-policy-security-rule-Branch_1]source-zone local
[FW1-policy-security-rule-Branch_1]source-zone trust
[FW1-policy-security-rule-Branch_1]source-zone untrust
[FW1-policy-security-rule-Branch_1]destination-zone local
[FW1-policy-security-rule-Branch_1]destination-zone trust
[FW1-policy-security-rule-Branch_1]destination-zone untrust
[FW1-policy-security-rule-Branch_1]source-address 192.168.100.0 mask 255.255.255.0
[FW1-policy-security-rule-Branch_1]source-address 200.1.11.2 mask 255.255.255.255
[FW1-policy-security-rule-Branch_1]source-address 10.1.37.0 mask 255.255.255.0
[FW1-policy-security-rule-Branch_1]destination-address 192.168.100.0 mask 255.255.255.0
[FW1-policy-security-rule-Branch_1]destination-address 200.1.11.1 mask 255.255.255.255
[FW1-policy-security-rule-Branch_1]destination-address 10.1.37.0 mask 255.255.255.0
[FW1-policy-security-rule-Branch_1]action permit
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]service-manage ping permit
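As an added illustration for the two policy sections above (3.3.6.1 and 3.3.6.2), the Python below models how FW1 evaluates the rules FTP and Branch_1 exactly as they are typed on this page: rules are checked in configuration order, a rule matches only if the source zone, destination zone, a source address and a destination address all match, and a flow that matches no rule falls into the default deny. It is my own model, not the firewall's code. The zone membership of addresses (which networks sit behind Vlanif 203, GE1/0/2 and GE1/0/3) is an assumption reconstructed from the page's addressing and is marked as such in the code; the rules themselves carry no service restriction, so this model, like the page's rules, does not check ports. Running it answers the kind of question a reviewer asks of this section: which sources the FTP rule actually admits to the DMZ (every host in 192.168.100.0/24 plus the single branch host 10.1.37.2, to be compared against the requirement that only the FTP terminals reach the server), and that wireless users in 192.168.201.0/24 can neither reach the FTP server nor be reached from the branch.

```python
import ipaddress


def net(spec):
    """Parse 'address mask netmask' as typed in a VRP security-policy rule; host bits are ignored,
    so '192.168.20.254 mask 255.255.255.0' means the whole 192.168.20.0/24."""
    address, mask = spec.replace("mask", "").split()
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


# Assumed zone membership of addresses, reconstructed from this page's addressing (not from the firewall).
ZONE_OF_NETWORK = [
    (ipaddress.ip_network("192.168.20.0/24"), "dmz"),      # FTP server segment behind GE1/0/3
    (ipaddress.ip_network("200.1.11.0/30"), "untrust"),    # link to AR1 on GE1/0/2
    (ipaddress.ip_network("10.1.37.0/24"), "untrust"),     # branch 1, reached through the ISP
    (ipaddress.ip_network("192.168.0.0/16"), "trust"),     # headquarters VLANs behind Vlanif 203
]
# The firewall's own addresses from the page: traffic from or to them is zone 'local'.
FW1_ADDRESSES = {ipaddress.ip_address(a) for a in ("192.168.203.3", "200.1.11.2", "192.168.20.1")}


def zone_of(ip):
    ip = ipaddress.ip_address(ip)
    if ip in FW1_ADDRESSES:
        return "local"
    for network, zone in ZONE_OF_NETWORK:
        if ip in network:
            return zone
    return "untrust"   # anything else is reached via the default route towards AR1


# The two rules as configured on FW1, in configuration order.
RULES = [
    {
        "name": "FTP",
        "src_zones": {"trust", "untrust"},
        "dst_zones": {"dmz"},
        "src": [net("192.168.100.0 mask 255.255.255.0"), net("10.1.37.2 mask 255.255.255.255")],
        "dst": [net("192.168.20.254 mask 255.255.255.0")],
        "action": "permit",
    },
    {
        "name": "Branch_1",
        "src_zones": {"local", "trust", "untrust"},
        "dst_zones": {"local", "trust", "untrust"},
        "src": [net("192.168.100.0 mask 255.255.255.0"), net("200.1.11.2 mask 255.255.255.255"),
                net("10.1.37.0 mask 255.255.255.0")],
        "dst": [net("192.168.100.0 mask 255.255.255.0"), net("200.1.11.1 mask 255.255.255.255"),
                net("10.1.37.0 mask 255.255.255.0")],
        "action": "permit",
    },
]


def evaluate(src_ip, dst_ip):
    """First-match evaluation of the security policy; returns (rule name, action)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if (src_zone in rule["src_zones"] and dst_zone in rule["dst_zones"]
                and any(src in n for n in rule["src"]) and any(dst in n for n in rule["dst"])):
            return rule["name"], rule["action"]
    return "default", "deny"   # the implicit default policy


def sources_admitted_to(rule_name):
    """Source networks a rule admits, as a sorted list of CIDR strings."""
    rule = next(r for r in RULES if r["name"] == rule_name)
    return sorted(str(n) for n in rule["src"])


if __name__ == "__main__":
    for flow in [("192.168.100.10", "192.168.20.254"), ("10.1.37.2", "192.168.20.254"),
                 ("10.1.37.3", "192.168.20.254"), ("192.168.201.10", "192.168.20.254"),
                 ("10.1.37.5", "192.168.201.10"), ("192.168.100.10", "10.1.37.5")]:
        print(flow, "->", evaluate(*flow))
```

When the FTP terminals' addresses are known from the topology table, narrowing the FTP rule's first `source-address` from the /24 to those hosts is what brings the rule in line with the "only the internal FTP terminals" requirement; the model makes that gap visible before the rule is pushed.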
Verification: come back and verify after the MPLS VPN has been configured.
3.4 ISP Network Deployment
3.4.1 VLAN Planning and Deployment
The VLAN plan for the ISP network is shown in Table 3-3.
Note: to guarantee connectivity and avoid Layer 2 loops, switch ports allow only the specified VLANs; allowing extra VLANs will affect the overall network-stability assessment.
3.4.2 IP Address Planning and Configuration
The IP address plan is shown in Table 3-1, the IP address planning table; configure the IP addresses correctly according to the plan.
Configuration:
#AR1
[AR1]interface LoopBack 0
[AR1-LoopBack0]ip address 1.1.1.1 32
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 200.1.11.1 30
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 200.1.12.1 30
#AR2
[AR2]interface LoopBack 0
[AR2-LoopBack0]ip address 2.2.2.2 32
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]ip address 200.1.12.2 30
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]ip address 200.1.23.1 30
#AR3
[AR3]interface LoopBack 0
[AR3-LoopBack0]ip address 3.3.3.3 32
[AR3]interface GigabitEthernet 0/0/0
[AR3-GigabitEthernet0/0/0]ip address 200.1.23.2 30
[AR3]interface GigabitEthernet 0/0/1
[AR3-GigabitEthernet0/0/1]ip address 200.1.34.1 30
#AR4
[AR4]interface LoopBack 0
[AR4-LoopBack0]ip address 4.4.4.4 32
[AR4]interface GigabitEthernet 0/0/0
[AR4-GigabitEthernet0/0/0]ip address 200.1.34.2 30
[AR4]interface GigabitEthernet 0/0/1
[AR4-GigabitEthernet0/0/1]ip address 200.1.45.1 30
#AR5
[AR5]interface LoopBack 0
[AR5-LoopBack0]ip address 5.5.5.5 32
[AR5]interface GigabitEthernet 0/0/0
[AR5-GigabitEthernet0/0/0]ip address 200.1.45.2 30
[AR5]interface GigabitEthernet 0/0/1
[AR5-GigabitEthernet0/0/1]ip address 200.1.25.1 30
3.4.3 ISP1 Network IS-IS Deployment
- Within the same ISP area, the protocol is enabled on the interconnecting interfaces between the AR routers and on Loopback 0.
- In the ISP1 area, the IS-IS process ID between AR1, AR2 and AR3 is 10 and the area is 49.0001. The device System ID is 0000.0000.000X (X is the router number); for example, AR1's System ID is 0000.0000.0001. All routers are Level-2 routers.
- To achieve fast network convergence and let the routers detect neighbor state changes more quickly, dynamic BFD is used, with minimum transmit and receive intervals of 100 ms and a local detection multiplier of 4.
Configuration:
#AR1
[AR1]bfd
[AR1]isis 10
[AR1-isis-10]network-entity 49.0001.0000.0000.0001.00
[AR1-isis-10]is-level level-2
[AR1-isis-10]bfd all-interfaces enable
[AR1]interface LoopBack 0
[AR1-LoopBack0]isis enable 10
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]isis enable 10
[AR1-GigabitEthernet0/0/1]isis bfd enable
[AR1-GigabitEthernet0/0/1]isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4
#AR2
[AR2]bfd
[AR2]isis 10
[AR2-isis-10]network-entity 49.0001.0000.0000.0002.00
[AR2-isis-10]is-level level-2
[AR2-isis-10]bfd all-interfaces enable
[AR2]interface LoopBack 0
[AR2-LoopBack0]isis enable 10
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]isis enable 10
[AR2-GigabitEthernet0/0/0]isis bfd enable
[AR2-GigabitEthernet0/0/0]isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]isis enable 10
[AR2-GigabitEthernet0/0/1]isis bfd enable
[AR2-GigabitEthernet0/0/1]isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4
#AR3
[AR3]bfd
[AR3]isis 10
[AR3-isis-10]network-entity 49.0001.0000.0000.0003.00
[AR3-isis-10]is-level level-2
[AR3-isis-10]bfd all-interfaces enable
[AR3]interface LoopBack 0
[AR3-LoopBack0]isis enable 10
[AR3]interface GigabitEthernet 0/0/0
[AR3-GigabitEthernet0/0/0]isis enable 10
[AR3-GigabitEthernet0/0/0]isis bfd enable
[AR3-GigabitEthernet0/0/0]isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4
Verification:
3.4.4 ISP2 Network IS-IS Deployment
- Within the same ISP area, the protocol is enabled on the interconnecting interfaces between the AR routers and on Loopback 0.
- In the ISP2 area, the protocol is also enabled on the interconnecting interfaces between AR4 and AR5 and on Loopback 0.
- In the ISP2 area, the IS-IS process ID between AR4 and AR5 is 20 and the area is 49.0002. The device System ID is 0000.0000.000X (X is the router number); for example, AR1's System ID is 0000.0000.0001. All routers are Level-2 routers.
- To achieve fast network convergence and let the routers detect neighbor state changes more quickly, dynamic BFD is used, with minimum transmit and receive intervals of 100 ms and a local detection multiplier of 4.
Configuration:
#AR4
[AR4]bfd
[AR4]isis 20
[AR4-isis-20]network-entity 49.0002.0000.0000.0004.00
[AR4-isis-20]is-level level-2
[AR4-isis-20]bfd all-interfaces enable
[AR4]interface LoopBack 0
[AR4-LoopBack0]isis enable 20
[AR4]interface GigabitEthernet 0/0/1
[AR4-GigabitEthernet0/0/1]isis enable 20
[AR4-GigabitEthernet0/0/1]isis bfd enable
[AR4-GigabitEthernet0/0/1]isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4
#AR5
[AR5]bfd
[AR5]isis 20
[AR5-isis-20]network-entity 49.0002.0000.0000.0005.00
[AR5-isis-20]is-level level-2
[AR5-isis-20]bfd all-interfaces enable
[AR5]interface LoopBack 0
[AR5-LoopBack0]isis enable 20
[AR5]interface GigabitEthernet 0/0/0
[AR5-GigabitEthernet0/0/0]isis enable 20
[AR5-GigabitEthernet0/0/0]isis bfd enable
[AR5-GigabitEthernet0/0/0]isis bfd min-rx-interval 100 min-tx-interval 100 detect-multiplier 4
Verification:
3.4.5 Headquarters ISP1/ISP2 BGP Deployment
- All routers within the ISPs run BGP. AR1, AR2 and AR3 establish full-mesh IBGP peerings using Loopback 0, with BGP AS number 100.
- AR4 and AR5 are IBGP peers, also established using Loopback 0, with AS number 200.
- AR3 and AR4 establish an EBGP peering over their directly connected interfaces.
- AR1 and FW1, and AR5 and FW2, are EBGP peers established over directly connected interfaces; FW1's AS number is 64512 and FW2's AS number is 64513.
Configuration:
#AR1
[AR1]bgp 100
[AR1-bgp]peer 2.2.2.2 as-number 100
[AR1-bgp]peer 3.3.3.3 as-number 100
[AR1-bgp]peer 200.1.11.2 as-number 64512
[AR1-bgp]peer 2.2.2.2 connect-interface LoopBack 0
[AR1-bgp]peer 3.3.3.3 connect-interface LoopBack 0
#AR2
[AR2]bgp 100
[AR2-bgp]peer 1.1.1.1 as-number 100
[AR2-bgp]peer 3.3.3.3 as-number 100
[AR2-bgp]peer 1.1.1.1 connect-interface LoopBack 0
[AR2-bgp]peer 3.3.3.3 connect-interface LoopBack 0
#AR3
[AR3]bgp 100
[AR3-bgp]peer 1.1.1.1 as-number 100
[AR3-bgp]peer 2.2.2.2 as-number 100
[AR3-bgp]peer 200.1.34.2 as-number 200
[AR3-bgp]peer 1.1.1.1 connect-interface LoopBack 0
[AR3-bgp]peer 2.2.2.2 connect-interface LoopBack 0
#AR4
[AR4]bgp 200
[AR4-bgp]peer 5.5.5.5 as-number 200
[AR4-bgp]peer 5.5.5.5 connect-interface LoopBack 0
[AR4-bgp]peer 200.1.34.1 as-number 100
#AR5
[AR5]bgp 200
[AR5-bgp]peer 4.4.4.4 as-number 200
[AR5-bgp]peer 4.4.4.4 connect-interface LoopBack 0
[AR5-bgp]peer 200.1.25.2 as-number 64513
#FW1
[FW1]bgp 64512
[FW1-bgp]peer 200.1.11.1 as-number 100
#FW2
[FW2]bgp 64513
[FW2-bgp]peer 200.1.25.1 as-number 200
Verification:
3.4.6 ISP1/ISP2 MPLS BGP VPN Deployment
- ISP1 and ISP2 use the BGP MPLS VPN Option B scheme to exchange routes.
- Within each ISP, labels are distributed with LDP, with each device's Loopback 0 address as its LSR ID.
- Headquarters and the branches belong to the same VPN instance, named ict2020; the RD value for headquarters and the branches is 100:1, and the import/export RT value is 100:1.
- On all CE devices, import only the necessary routes into BGP, ensuring that the FTP terminals of every site can access the headquarters FTP server.
Configuration:
MPLS configuration
#AR1
[AR1]mpls lsr-id 1.1.1.1
[AR1]mpls
[AR1]mpls ldp
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]mpls
[AR1-GigabitEthernet0/0/1]mpls ldp
#AR2
[AR2]mpls lsr-id 2.2.2.2
[AR2]mpls
[AR2]mpls ldp
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]mpls
[AR2-GigabitEthernet0/0/0]mpls ldp
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]mpls
[AR2-GigabitEthernet0/0/1]mpls ldp
#AR3
[AR3]mpls lsr-id 3.3.3.3
[AR3]mpls
[AR3]mpls ldp
[AR3]interface GigabitEthernet 0/0/0
[AR3-GigabitEthernet0/0/0]mpls
[AR3-GigabitEthernet0/0/0]mpls ldp
[AR3]interface GigabitEthernet 0/0/1
[AR3-GigabitEthernet0/0/1]mpls
#AR4
[AR4]mpls lsr-id 4.4.4.4
[AR4]mpls
[AR4]mpls ldp
[AR4]interface GigabitEthernet 0/0/1
[AR4-GigabitEthernet0/0/1]mpls
[AR4-GigabitEthernet0/0/1]mpls ldp
[AR4]interface GigabitEthernet 0/0/0
[AR4-GigabitEthernet0/0/0]mpls
#AR5
[AR5]mpls lsr-id 5.5.5.5
[AR5]mpls
[AR5]mpls ldp
[AR5]interface GigabitEthernet 0/0/0
[AR5-GigabitEthernet0/0/0]mpls
[AR5-GigabitEthernet0/0/0]mpls ldp
Option B configuration
#AR1
[AR1]ip vpn-instance ict2020
[AR1-vpn-instance-ict2020]route-distinguisher 100:1
[AR1-vpn-instance-ict2020-af-ipv4]vpn-target 100:1 both
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip binding vpn-instance ict2020
[AR1-GigabitEthernet0/0/0]ip address 200.1.11.1 30
[AR1]bgp 100
[AR1-bgp]ipv4-family vpn-instance ict2020
[AR1-bgp-ict2020]peer 200.1.11.2 as-number 64512
[AR1-bgp]ipv4-family vpnv4
[AR1-bgp-af-vpnv4]peer 3.3.3.3 enable
[AR1-bgp-af-vpnv4]peer 3.3.3.3 next-hop-local
#AR3
[AR3]bgp 100
[AR3-bgp]ipv4-family vpnv4
[AR3-bgp-af-vpnv4]undo policy vpn-target
[AR3-bgp-af-vpnv4]peer 1.1.1.1 enable
[AR3-bgp-af-vpnv4]peer 1.1.1.1 next-hop-local
[AR3-bgp-af-vpnv4]peer 200.1.34.2 enable
#AR4
[AR4]bgp 200
[AR4-bgp]ipv4-family vpnv4
[AR4-bgp-af-vpnv4]undo policy vpn-target
[AR4-bgp-af-vpnv4]peer 5.5.5.5 enable
[AR4-bgp-af-vpnv4]peer 5.5.5.5 next-hop-local
[AR4-bgp-af-vpnv4]peer 200.1.34.1 enable
#AR5
[AR5]ip vpn-instance ict2020
[AR5-vpn-instance-ict2020]route-distinguisher 100:1
[AR5-vpn-instance-ict2020-af-ipv4]vpn-target 100:1 both
[AR5]interface GigabitEthernet 0/0/1
[AR5-GigabitEthernet0/0/1]ip binding vpn-instance ict2020
[AR5-GigabitEthernet0/0/1]ip address 200.1.25.1 30
[AR5]bgp 200
[AR5-bgp]ipv4-family vpn-instance ict2020
[AR5-bgp-ict2020]peer 200.1.25.2 as-number 64513
[AR5-bgp]ipv4-family vpnv4
[AR5-bgp-af-vpnv4]peer 4.4.4.4 enable
[AR5-bgp-af-vpnv4]peer 4.4.4.4 next-hop-local
CE route import
#FW1
[FW1]bgp 64512
[FW1-bgp]network 192.168.100.0 24
[FW1-bgp]network 192.168.20.0 24
#FW2
[FW2]bgp 64513
[FW2-bgp]network 10.1.37.0 24
Verification:
3.5 Branch 1 network deployment
3.5.1 VLAN planning and deployment
The VLAN plan for the Branch 1 network is shown in Table 3-3.
Note: to guarantee connectivity and avoid Layer 2 loops, switch ports must allow only the VLANs specified in the plan; allowing extra VLANs will count against the overall network-stability assessment.
Configuration procedure:
#SW5
[SW5]vlan batch 27 37
[SW5]interface GigabitEthernet 0/0/1
[SW5-GigabitEthernet0/0/1]port link-type access
[SW5-GigabitEthernet0/0/1]port default vlan 27
[SW5]port-group group-member GigabitEthernet 0/0/2 GigabitEthernet 0/0/3
[SW5-port-group]port link-type access
[SW5-port-group]port default vlan 37
3.5.2 IP address planning and configuration
The IP address plan is given in Table 3-1 (IP address plan); configure the addresses exactly as planned.
Configuration procedure:
#FW2
[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]ip address 200.1.25.2 30
[FW2]interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]ip address 10.1.27.1 30
#SW5
[SW5]interface Vlanif 27
[SW5-Vlanif27]ip address 10.1.27.2 30
[SW5]interface vlanif 37
[SW5-Vlanif37]ip address 10.1.37.1 24
3.5.3 DHCP address pool deployment
- On SW5, deploy a DHCP address pool in interface mode to serve the PCs in Branch 1.
- The DHCP pool covers 10.1.37.0/24, with gateway 10.1.37.1 and 10.1.37.2 excluded.
Configuration procedure:
#SW5
[SW5]dhcp enable
[SW5]interface Vlanif 37
[SW5-Vlanif37]dhcp select interface
[SW5-Vlanif37]dhcp server excluded-ip-address 10.1.37.2
Verification:
3.5.4 Static route deployment
- Use static routes so that the PCs and FTP terminals inside Branch 1 can reach the headquarters network.
Configuration procedure:
#FW2
[FW2]ip route-static 0.0.0.0 0 200.1.25.1
[FW2]ip route-static 10.1.37.0 24 10.1.27.2
#SW5
[SW5]ip route-static 0.0.0.0 0 10.1.27.1
3.5.5 Security policy deployment
3.5.5.1 Security policy for branch-to-headquarters connectivity
Configuration procedure:
#FW2
[FW2]security-policy
[FW2-policy-security]rule name Branch_1
[FW2-policy-security-rule-Branch_1]source-zone local
[FW2-policy-security-rule-Branch_1]source-zone trust
[FW2-policy-security-rule-Branch_1]source-zone untrust
[FW2-policy-security-rule-Branch_1]destination-zone local
[FW2-policy-security-rule-Branch_1]destination-zone trust
[FW2-policy-security-rule-Branch_1]destination-zone untrust
[FW2-policy-security-rule-Branch_1]source-address 192.168.100.0 mask 255.255.255.0
[FW2-policy-security-rule-Branch_1]source-address 200.1.25.2 mask 255.255.255.255
[FW2-policy-security-rule-Branch_1]source-address 10.1.27.0 mask 255.255.255.0
[FW2-policy-security-rule-Branch_1]source-address 10.1.37.0 mask 255.255.255.0
[FW2-policy-security-rule-Branch_1]destination-address 192.168.100.0 mask 255.255.255.0
[FW2-policy-security-rule-Branch_1]destination-address 200.1.25.1 mask 255.255.255.255
[FW2-policy-security-rule-Branch_1]destination-address 10.1.27.0 mask 255.255.255.0
[FW2-policy-security-rule-Branch_1]destination-address 10.1.37.0 mask 255.255.255.0
[FW2-policy-security-rule-Branch_1]action permit
[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]service-manage ping permit
[FW2]interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]service-manage ping permit
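To see exactly what the Branch_1 rule above permits, here is an added example (not part of the original article or any Huawei tool) that transcribes the rule into data and evaluates sample flows against it with first-match semantics and the USG's default deny. Because the rule lists all three zones on both sides, only its address lists constrain it; the flows and host addresses used below are constructed for illustration.

```python
import ipaddress

# Rule "Branch_1" as configured on FW2 on this page, transcribed into data.
BRANCH_1 = {
    "name": "Branch_1",
    "source_zones": {"local", "trust", "untrust"},
    "destination_zones": {"local", "trust", "untrust"},
    "source_addresses": ["192.168.100.0/24", "200.1.25.2/32",
                         "10.1.27.0/24", "10.1.37.0/24"],
    "destination_addresses": ["192.168.100.0/24", "200.1.25.1/32",
                              "10.1.27.0/24", "10.1.37.0/24"],
    "action": "permit",
}


def _in_any(ip, prefixes):
    """True when ip falls inside at least one of the listed prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def rule_matches(rule, src_zone, dst_zone, src_ip, dst_ip):
    """Every configured condition of the rule must match the flow."""
    return (src_zone in rule["source_zones"]
            and dst_zone in rule["destination_zones"]
            and _in_any(src_ip, rule["source_addresses"])
            and _in_any(dst_ip, rule["destination_addresses"]))


def evaluate(policy, src_zone, dst_zone, src_ip, dst_ip):
    """First matching rule wins; unmatched traffic hits the default deny."""
    for rule in policy:
        if rule_matches(rule, src_zone, dst_zone, src_ip, dst_ip):
            return rule["action"]
    return "deny"


def zone_pairs_covered(rule):
    """All (source, destination) zone pairs the rule can match."""
    return {(s, d) for s in rule["source_zones"]
            for d in rule["destination_zones"]}


if __name__ == "__main__":
    policy = [BRANCH_1]
    # Constructed flows: branch FTP terminal to HQ server, and to a prefix
    # FW1 advertises (192.168.20.0/24) that the rule does not list.
    print(evaluate(policy, "trust", "untrust", "10.1.37.10", "192.168.100.10"))
    print(evaluate(policy, "trust", "untrust", "10.1.37.10", "192.168.20.5"))
    print(sorted(zone_pairs_covered(BRANCH_1)))
```

Note that 192.168.20.0/24, which FW1 imports into BGP in 3.4.6, is absent from the rule's address lists, so traffic to it falls through to the default deny.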
到了這里,關(guān)于2020華為ICT大賽全國總決賽網(wǎng)絡(luò)賽道實(shí)驗(yàn)解析及驗(yàn)證的文章就介紹完了。如果您還想了解更多內(nèi)容,請(qǐng)?jiān)谟疑辖撬阉鱐OY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章,希望大家以后多多支持TOY模板網(wǎng)!