双机热备旁挂组网实验-优快云博客

本文链接：https://blog.youkuaiyun.com/naaaaw/article/details/145926152

一、实验拓扑

二、实验需求

1、SW3的流量
正常情况下：SW1_VRF-->FW1--->SW1_Public--->R5
故障情况下：SW2_VRF-->FW2--->SW2_Public--->R6
2、SW4的流量
正常情况下：SW2_VRF-->FW2--->SW2_Public--->R6
故障情况下：SW1_VRF-->FW1--->SW1_Public--->R5
3、交换网络负载均衡

三、操作过程

1、二层交换配置

使用传统三层架构中MSTP+VRRP组网形式
VLAN 2--->SW3,SW4作为备份
VLAN 3--->SW4,SW3作为备份

MSTP设计--->SW3、4、5运行
        实例1：VLAN 2
        实例2：VLAN 3
                SW3是实例1的主根，实例2的备份根；SW4是实例2的主根，实例1的备份根

IP地址规划：
SW3：
        VLAN 2:192.168.2.1/24
        VLAN 3:192.168.3.1/24
SW4：
        VLAN 2:192.168.2.2/24
        VLAN 3:192.168.3.2/24

虚拟IP：
VLAN 2:192.168.2.254/24
VLAN 3:192.168.3.254/24

配置

（1）SW3

[SW3]vlan batch 2 3
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW3]interface GigabitEthernet 0/0/3
[SW3-GigabitEthernet0/0/3]port link-type trunk
[SW3-GigabitEthernet0/0/3]port trunk allow-pass vlan 2 3
[SW3-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/4
[SW3-GigabitEthernet0/0/4]port link-type trunk
[SW3-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 to 3
[SW3-GigabitEthernet0/0/4]
[SW3]stp enable
[SW3]stp mode mstp
[SW3]stp region-configuration
[SW3-mst-region]region-name aa
[SW3-mst-region]instance 1 vlan 2         
[SW3-mst-region]instance 2 vlan 3         
[SW3-mst-region]active region-configuration      激活
Info: This operation may take a few seconds. Please wait for a moment....done.
[SW3]stp instance 1 root primary
[SW3]stp instance 2 root secondary
[SW3]stp instance 0 root primary
[SW3]
[SW3]interface Vlanif 2
[SW3-Vlanif2]ip address 192.168.2.1 24
[SW3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254       
[SW3-Vlanif2]vrrp vrid 1 priority 120                    
[SW3-Vlanif2]vrrp vrid 1 preempt-mode timer delay 20
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
[SW3-Vlanif2]
[SW3]interface Vlanif 3
[SW3-Vlanif3]ip add 192.168.3.1 24
[SW3-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
[SW3-Vlanif3]

（2）SW4

[SW4]vlan batch 2 3
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW4]interface GigabitEthernet 0/0/3
[SW4-GigabitEthernet0/0/3]port link-type trunk
[SW4-GigabitEthernet0/0/3]port trunk allow-pass vlan 2 3
[SW4-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/4
[SW4-GigabitEthernet0/0/4]port link-type trunk
[SW4-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 to 3
[SW4-GigabitEthernet0/0/4]
[SW4]stp enable
[SW4]stp mode mstp
[SW4]stp region-configuration
[SW4-mst-region]region-name aa
[SW4-mst-region]instance 1 vlan 2
[SW4-mst-region]instance 2 vlan 3
[SW4-mst-region]active region-configuration 
[SW4-mst-region]q
[SW4]stp instance 1 root secondary 
[SW4]stp instance 2 root primary
[SW4]stp instance 0 root secondary
[SW4]
[SW4]interface Vlanif 2
[SW4-Vlanif2]ip add 192.168.2.2 24
[SW4-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[SW4-Vlanif2]
[SW4-Vlanif2]interface Vlanif3
[SW4-Vlanif3]ip address 192.168.3.2 255.255.255.0
[SW4-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
[SW4-Vlanif3]vrrp vrid 1 priority 120
[SW4-Vlanif3]vrrp vrid 1 preempt-mode timer delay 20
[SW4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet0/0/1 reduced 15
[SW4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet0/0/2 reduced 15
[SW4-Vlanif3]

（3）SW5

[SW5]vlan batch 2 3
[SW5]interface GigabitEthernet 0/0/3
[SW5-GigabitEthernet0/0/3]port link-type access
[SW5-GigabitEthernet0/0/3]port default vlan 2
[SW5-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/4
[SW5-GigabitEthernet0/0/4]port link-type access
[SW5-GigabitEthernet0/0/4]port default vlan 3
[SW5-GigabitEthernet0/0/4]interface GigabitEthernet 0/0/1
[SW5-GigabitEthernet0/0/1]port link-type trunk 
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
[SW5-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[SW5-GigabitEthernet0/0/2]port link-type trunk
[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 to 3
[SW5-GigabitEthernet0/0/2]
[SW5]stp enable
[SW5]stp mode mstp
[SW5]stp region-configuration
[SW5-mst-region]region-name aa
[SW5-mst-region]instance 1 vlan 2
[SW5-mst-region]instance 2 vlan 3
[SW5-mst-region]active region-configuration 
[SW5-mst-region]

（4）查看STP

测试

2、汇聚到核心层路由配置

SW1-SW2：VLAN 102---10.10.2.0/24
SW1-SW3：VLAN 103---10.10.3.0/24
SW1-SW4：VLAN 104---10.10.4.0/24
SW2-SW3：VLAN 203---10.20.3.0/24
SW2-SW4：VLAN 204---10.20.4.0/24

（1）SW3

[SW3]vlan batch 103 203
[SW3]interface GigabitEthernet 0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access 
[SW3-GigabitEthernet0/0/1]port default vlan 103
[SW3-GigabitEthernet0/0/1]undo stp enable   
[SW3]interface GigabitEthernet 0/0/2	
[SW3-GigabitEthernet0/0/2]port link-type access 
[SW3-GigabitEthernet0/0/2]port default vlan 203
[SW3-GigabitEthernet0/0/2]undo stp enable
[SW3]interface Vlanif 103
[SW3-Vlanif103]ip add 10.10.3.3 24
[SW3]interface Vlanif 203
[SW3-Vlanif203]ip add 10.20.3.3 24
[SW3]ospf 1 router-id 3.3.3.3
[SW3-ospf-1]area 0
[SW3-ospf-1-area-0.0.0.0]network 10.10.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 10.20.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 192.168.2.1 0.0.0.0	
[SW3-ospf-1-area-0.0.0.0]network 192.168.3.1 0.0.0.0
[SW3-ospf-1]silent-interface Vlanif 2     
[SW3-ospf-1]silent-interface Vlanif 3

（2）SW4

[SW4]vlan batch 104 204
[SW4]interface GigabitEthernet 0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 204
[SW4-GigabitEthernet0/0/1]undo stp enable
[SW4]interface GigabitEthernet 0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access 
[SW4-GigabitEthernet0/0/2]port default vlan 104
[SW4-GigabitEthernet0/0/2]undo stp enable 
[SW4]interface Vlanif 104
[SW4-Vlanif104]ip address 10.10.4.4 24
[SW4]interface Vlanif 204
[SW4-Vlanif204]ip add 10.20.4.4 24
[SW4]ospf 1 router-id 4.4.4.4
[SW4-ospf-1]area 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 10.10.4.4 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 10.20.4.4 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 192.168.2.2 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 192.168.3.2 0.0.0.0
[SW4-ospf-1]silent-interface Vlanif 2
[SW4-ospf-1]silent-interface Vlanif 3

创建VRF空间并配置VRF信息

因为SW1和SW2需要被分割为两台设备，分别与上下行设备连接，故需要先创建VRF空间，其中GE0/0/3-GE0/0/6属于该空间接口。

VRF空间配置信息：
名称：VRF
RD：100:1
RT：100:1

[SW1]ip vpn-instance VRF          
[SW1-vpn-instance-VRF]route-distinguisher 100:1      
[SW1-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both    
 
<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname SW2
[SW2]ip vpn-instance VRF
[SW2-vpn-instance-VRF]route-distinguisher 100:1	
[SW2-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both

配置VLAN信息

（1）SW1

[SW1]vlan batch 102 103 104
[SW1]interface GigabitEthernet 0/0/6
[SW1-GigabitEthernet0/0/6]port link-type access 
[SW1-GigabitEthernet0/0/6]port default vlan 103	
[SW1-GigabitEthernet0/0/6]undo stp enable
[SW1]interface GigabitEthernet 0/0/5
[SW1-GigabitEthernet0/0/5]port link-type trunk 
[SW1-GigabitEthernet0/0/5]undo port trunk allow-pass vlan 1
[SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 102
[SW1-GigabitEthernet0/0/5]undo stp enable
[SW1]interface GigabitEthernet 0/0/7
[SW1-GigabitEthernet0/0/7]port link-type access 
[SW1-GigabitEthernet0/0/7]port default vlan 104
[SW1-GigabitEthernet0/0/7]undo stp enable

（2）SW2

[SW2]vlan batch 102 203 204
[SW2]interface GigabitEthernet 0/0/6
[SW2-GigabitEthernet0/0/6]port link-type access 	
[SW2-GigabitEthernet0/0/6]port default vlan 204
[SW2-GigabitEthernet0/0/6]undo stp enable
 
[SW2]interface GigabitEthernet 0/0/7
[SW2-GigabitEthernet0/0/7]port link-type access 
[SW2-GigabitEthernet0/0/7]port default vlan 203
[SW2-GigabitEthernet0/0/7]undo stp enable 
 
[SW2]interface GigabitEthernet 0/0/5
[SW2-GigabitEthernet0/0/5]port link-type trunk 
[SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 102
[SW2-GigabitEthernet0/0/5]undo port trunk allow-pass vlan 1
[SW2-GigabitEthernet0/0/5]undo stp enable

创建Vlanif接口，并将接口划入VRF空间

SW1：
[SW1]interface Vlanif 102
[SW1-Vlanif102]ip binding vpn-instance VRF   
[SW1-Vlanif102]ip address 10.10.2.1 24
[SW1]interface Vlanif 103
[SW1-Vlanif103]ip binding vpn-instance VRF
[SW1-Vlanif103]ip add 10.10.3.1 24
[SW1]interface Vlanif 104
[SW1-Vlanif104]ip binding vpn-instance VRF
[SW1-Vlanif104]ip add 10.10.4.1 24
 
SW2：
[SW2]interface Vlanif 102
[SW2-Vlanif102]ip binding vpn-instance VRF
[SW2-Vlanif102]ip address 10.10.2.2 24
[SW2]interface Vlanif 203
[SW2-Vlanif203]ip binding vpn-instance VRF
[SW2-Vlanif203]ip address 10.20.3.2 24
[SW2]interface Vlanif 204
[SW2-Vlanif204]ip binding vpn-instance VRF
[SW2-Vlanif204]ip add 10.20.4.2 24

3、VRF交换机和防火墙的路由交互

FW1为主
VRRP备份组1---VRRP备份组5
VRRP备份组3---VRRP备份组7
FW2为主
VRRP备份组2---VRRP备份组6
VRRP备份组4---VRRP备份组8

VRF区域配置

（1）SW1

[SW1]vlan batch 401 402
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk 	
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 401 402
[SW1]interface GigabitEthernet 0/0/5
[SW1-GigabitEthernet0/0/5]port link-type trunk 
[SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 401 402
[SW1]interface Vlanif 401
[SW1-Vlanif401]ip binding vpn-instance VRF
[SW1-Vlanif401]ip address 10.40.1.1 24
[SW1-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[SW1-Vlanif401]vrrp vrid 1 priority 120
[SW1-Vlanif401]vrrp vrid 1 preempt-mode timer delay 60
[SW1-Vlanif401]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 30
[SW1]interface Vlanif 402
[SW1-Vlanif402]ip binding vpn-instance VRF
[SW1-Vlanif402]ip address 10.40.2.1 24
[SW1-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100

（2）SW2

[SW2]vlan batch 401 402
[SW2]interface GigabitEthernet 0/0/3
[SW2-GigabitEthernet0/0/3]port link-type trunk 
[SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 401 402
[SW2]interface GigabitEthernet 0/0/5
[SW2-GigabitEthernet0/0/5]port link-type trunk 
[SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 401 402
[SW2]interface Vlanif 401
[SW2-Vlanif401]ip binding vpn-instance VRF
[SW2-Vlanif401]ip address 10.40.1.2 24
[SW2-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[SW2]interface Vlanif 402
[SW2-Vlanif402]ip binding vpn-instance VRF
[SW2-Vlanif402]ip address 10.40.2.2 24
[SW2-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100
[SW2-Vlanif402]vrrp vrid 2 priority 120
[SW2-Vlanif402]vrrp vrid 2 preempt-mode timer delay 60
[SW2-Vlanif402]vrrp vrid 2 track interface GigabitEthernet 0/0/3 reduced 30

（3）FW1

[FW1]vlan batch 401 402 403 404
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip add 10.10.10.1 30
[FW1]interface GigabitEthernet 1/0/1.401
[FW1-GigabitEthernet1/0/1.401]ip add 10.40.1.10 24
[FW1-GigabitEthernet1/0/1.401]vlan-type dot1q 401
[FW1]interface GigabitEthernet 1/0/1.402
[FW1-GigabitEthernet1/0/1.402]ip address 10.40.2.10 24
[FW1-GigabitEthernet1/0/1.402]vlan-type dot1q 402
[FW1]interface GigabitEthernet 1/0/2.403
[FW1-GigabitEthernet1/0/2.403]ip address 10.40.3.10 24
[FW1-GigabitEthernet1/0/2.403]vlan-type dot1q 403
[FW1]interface GigabitEthernet 1/0/2.404
[FW1-GigabitEthernet1/0/2.404]ip add 10.40.4.10 24
[FW1-GigabitEthernet1/0/2.404]vlan-type dot1q 404

（4）FW2

[FW2]vlan batch 401 402 403 404
[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]ip add 10.10.10.2 30
[FW2]interface GigabitEthernet 1/0/2.401
[FW2-GigabitEthernet1/0/2.401]ip address 10.40.1.20 24
[FW2-GigabitEthernet1/0/2.401]vlan-type dot1q 401
[FW2]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]ip add 10.40.2.20 24
[FW2-GigabitEthernet1/0/2.402]vlan-type dot1q 402
[FW2]interface GigabitEthernet 1/0/1.403
[FW2-GigabitEthernet1/0/1.403]ip add 10.40.3.20 24
[FW2-GigabitEthernet1/0/1.403]vlan-type dot1q 403
[FW2]interface GigabitEthernet 1/0/1.404
[FW2-GigabitEthernet1/0/1.404]ip add 10.40.4.20 24
[FW2-GigabitEthernet1/0/1.404]vlan-type dot1q 404

安全区域划分

（1）FW1

[FW1]firewall zone trust 
[FW1-zone-trust]add interface GigabitEthernet 1/0/1.401
[FW1-zone-trust]add interface GigabitEthernet 1/0/1.402
[FW1]firewall zone untrust 
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2.403
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2.404
[FW1]firewall zone dmz 
[FW1-zone-dmz]add interface GigabitEthernet 1/0/0

（2）FW2

[FW2]firewall zone trust 
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.401
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.402
[FW2]firewall zone untrust 
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1.403
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1.404
[FW2]firewall zone dmz 
[FW2-zone-dmz]add interface GigabitEthernet 1/0/0

SW1、SW2的Public区域配置

（1）SW1

[SW1]vlan batch 403 404
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk 
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 403 404
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port link-type trunk 
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 403 404
[SW1]interface Vlanif 403
[SW1-Vlanif403]ip address 10.40.3.1 24
[SW1-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100
[SW1-Vlanif403]vrrp vrid 3 priority 120
[SW1-Vlanif403]vrrp vrid 3 preempt-mode timer delay 60
[SW1-Vlanif403]vrrp vrid 3 track interface GigabitEthernet 0/0/3 reduced 30
[SW1]interface Vlanif 404
[SW1-Vlanif404]ip add 10.40.4.1 24
[SW1-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100

（2）SW2

[SW2]vlan batch 403 404
[SW2]interface GigabitEthernet 0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk 
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 403 404
[SW2]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port link-type trunk 
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 403 404
[SW2]interface  Vlanif 403
[SW2-Vlanif403]ip address 10.40.3.2 24
[SW2-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100
[SW2]interface Vlanif 404
[SW2-Vlanif404]ip address 10.40.4.2 24
[SW2-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100
[SW2-Vlanif404]vrrp vrid 4 priority 120
[SW2-Vlanif404]vrrp vrid 4 preempt-mode timer delay 60
[SW2-Vlanif404]vrrp vrid 4 track interface GigabitEthernet 0/0/2 reduced 30

路由补充

SW1上行路由：（VRF）
[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200
[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200 preference 70
SW1下行路由：（Public）
[SW1]ip route-static 192.168.0.0 16 10.40.3.200
[SW1]ip route-static 192.168.0.0 16 10.40.4.200 preference 70
 
SW2上行路由：（VRF）
[SW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200
[SW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200 preference 70
SW2下行路由：（Public）
[SW2]ip route-static 192.168.0.0 16 10.40.4.200	
[SW2]ip route-static 192.168.0.0 16 10.40.3.200 preference 70

防火墙双机热备配置

（1）FW1

下行接口：（VRF）
[FW1]interface GigabitEthernet 1/0/1.401
[FW1-GigabitEthernet1/0/1.401]vrrp vrid 5 virtual-ip 10.40.1.200 active 
[FW1]interface GigabitEthernet 1/0/1.402
[FW1-GigabitEthernet1/0/1.402]vrrp vrid 6 virtual-ip 10.40.2.200 standby 
上行接口：（Public）
[FW1]interface GigabitEthernet 1/0/2.403
[FW1-GigabitEthernet1/0/2.403]vrrp vrid 7 virtual-ip 10.40.3.200 active 
[FW1]interface GigabitEthernet 1/0/2.404
[FW1-GigabitEthernet1/0/2.404]vrrp vrid 8 virtual-ip 10.40.4.200 standby 
  
[FW1]hrp mirror session enable      开启快速备份功能
[FW1]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.2    定义心跳线和对端IP
[FW1]hrp enable    启动HRP协议
 
上行路由配置：
[FW1]ip route-static 0.0.0.0 0 10.40.3.100	
[FW1]ip route-static 0.0.0.0 0 10.40.4.100 preference 70
下行路由配置：
[FW1]ip route-static 192.168.0.0 16 10.40.1.100
[FW1]ip route-static 192.168.0.0 16 10.40.2.100 preference 70

（2）FW2

下行接口：（VRF）
[FW2]interface GigabitEthernet 1/0/2.401
[FW2-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 standby 
[FW2]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 active 
上行接口：（Pubilc）
[FW2]interface GigabitEthernet 1/0/1.403
[FW2-GigabitEthernet1/0/1.403]vrrp vrid 7 virtual-ip 10.40.3.200 standby 
[FW2]interface GigabitEthernet 1/0/1.404
[FW2-GigabitEthernet1/0/1.404]vrrp vrid 8 virtual-ip 10.40.4.200 active 
 
[FW2]hrp mirror session enable
[FW2]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.1
[FW2]hrp enable
 
上行路由配置：
[FW2]ip route-static 0.0.0.0 0 10.40.4.100
[FW2]ip route-static 0.0.0.0 0 10.40.3.100 preference 70
下行路由配置：
[FW2]ip route-static 192.168.0.0 16 10.40.2.100
[FW2]ip route-static 192.168.0.0 16 10.40.1.100 preference 70

4、核心到边界配置

SW1-SW2：VLAN 201 --- 10.20.1.0/24
SW1-R5：VLAN 105 ---- 10.10.5.0/24
SW2-R6：VLAN 206 ---- 10.20.6.0/24
R5-R6： ---- 10.56.0.0/24

配置

（1）SW1

[SW1]vlan batch 11 12
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 11
[SW1-GigabitEthernet0/0/1]undo stp enable 
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 12
[SW1-GigabitEthernet0/0/4]undo stp enable 
[SW1]interface Vlanif 11
[SW1-Vlanif11]ip address 10.11.1.1 24
[SW1]interface Vlanif 12
[SW1-Vlanif12]ip add 10.12.1.1 24
[SW1]ospf 2 router-id 1.1.1.1
[SW1-ospf-2]area 0。0.0.0
[SW1-ospf-2-area-0.0.0.0]network 10.11.1.1 0.0.0.0
[SW1-ospf-2-area-0.0.0.0]network 10.12.1.1 0.0.0.0

（2）SW2

[SW2]vlan batch 12 22
[SW2]interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access 
[SW2-GigabitEthernet0/0/1]port default vlan 22
[SW2-GigabitEthernet0/0/1]undo stp enable
[SW2]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 12
[SW2-GigabitEthernet0/0/4]undo stp enable 
[SW2]interface Vlanif 12
[SW2-Vlanif12]ip address 10.12.1.2 24
[SW2]interface Vlanif 22
[SW2-Vlanif22]ip address 10.22.2.1 24
[SW2]ospf 2 router-id 2.2.2.2
[SW2-ospf-2]area 0.0.0.0
[SW2-ospf-2-area-0.0.0.0]network 10.12.1.2 0.0.0.0
[SW2-ospf-2-area-0.0.0.0]network 10.22.2.1 0.0.0.0

（3）R1

[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip add 10.11.1.2 24
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.12.2.1 24
 
[R1]ospf 1 router-id 3.3.3.3 
[R1-ospf-1]area 0.0.0.0 
[R1-ospf-1-area-0.0.0.0]network 10.11.1.2 0.0.0.0 
[R1-ospf-1-area-0.0.0.0]network 10.12.2.1 0.0.0.0

（4）R2

[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip add 10.22.2.2 24
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip add 10.12.2.2 14
 
[R2]ospf 1 router-id 4.4.4.4
[R2-ospf-1]area 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.22.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.12.2.2 0.0.0.0

5、最外层网络

（1）R1

[R1]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]ip add 12.0.0.1 24
[R1]ip route-static 0.0.0.0 0 12.0.0.100
[R1-ospf-1]default-route-advertise           
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R1]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]nat outbound 2000

（2）R2

[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]ip add 13.0.0.1 24
[R2]ip route-static 0.0.0.0 0 13.0.0.100
[R2-ospf-1]default-route-advertise
[R2]acl 2000
[R2-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R2]int g 0/0/2
[R2-GigabitEthernet0/0/2]nat outbound 2000

（3）ISP

[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip add 12.0.0.100 24
[ISP]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip add 13.0.0.100 24
[ISP]interface LoopBack 0
[ISP-LoopBack0]ip add 100.1.1.1 24

（4）引入静态路由

[SW1-ospf-2]import-route static 

[SW2-ospf-2]import-route static

双机热备旁挂组网实验

一、实验拓扑

二、实验需求

三、操作过程

1、二层交换配置

配置

（1）SW3

（2）SW4

（3）SW5

（4）查看STP

测试

2、汇聚到核心层路由配置

（1）SW3

（2）SW4

创建VRF空间并配置VRF信息

配置VLAN信息

（1）SW1

（2）SW2

创建Vlanif接口，并将接口划入VRF空间

3、VRF交换机和防火墙的路由交互

VRF区域配置

（1）SW1

（2）SW2

（3）FW1

（4）FW2

安全区域划分

（1）FW1

（2）FW2

SW1、SW2的Public区域配置

（1）SW1

（2）SW2

路由补充

防火墙双机热备配置

（1）FW1

（2）FW2

4、核心到边界配置

配置

（1）SW1

（2）SW2

（3）R1

（4）R2

5、最外层网络

（1）R1

（2）R2

（3）ISP

（4）引入静态路由

四、测试