2023 National Vocational College Skills Competition, Network System Management, Module A
(I) Basic configuration
1. Configure the device interfaces and hostnames according to the topology (Appendix 1), the address plan (Appendix 2) and the device numbering table (Appendix 3).
S1
hostname S1
ip vrf BG
!
ip vrf GL
!
ip vrf SC
!
vlan 11
 name SC1-Connect
!
vlan 12
 name BG1-Connect
!
vlan 13
 name GL1-Connect
!
vlan 14
 name IPv6-Connect
!
interface GigabitEthernet 1/0/24
 no switchport
 description Connect_To_R2
 ip address 10.1.0.1 255.255.255.252
 ipv6 address 2001:10:1::1/64
 ipv6 enable
!
interface Loopback 0
 ip address 10.0.0.1 255.255.255.255
!
interface Loopback 11
 ip vrf forwarding SC
 ip address 10.1.4.1 255.255.255.255
!
interface Loopback 12
 ip vrf forwarding BG
 ip address 10.1.4.2 255.255.255.255
!
interface Loopback 13
 ip vrf forwarding GL
 ip address 10.1.4.3 255.255.255.255
!
interface VLAN 11
 ip vrf forwarding SC
 ip address 10.1.1.1 255.255.255.252
!
interface VLAN 12
 ip vrf forwarding BG
 ip address 10.1.2.1 255.255.255.252
!
interface VLAN 13
 ip vrf forwarding GL
 ip address 10.1.3.1 255.255.255.252
!
interface VLAN 14
 ipv6 address 2001:10:1:4::1/64
 ipv6 enable
!
S2
hostname S2
ip vrf BG
!
ip vrf GL
!
ip vrf SC
!
vlan 11
 name SC2-Connect
!
vlan 12
 name BG2-Connect
!
vlan 13
 name GL2-Connect
!
vlan 14
 name IPv6-Connect
!
interface GigabitEthernet 1/0/24
 no switchport
 description Connect_To_R2
 ip address 10.2.0.1 255.255.255.252
 ipv6 address 2001:10:2::1/64
 ipv6 enable
!
interface Loopback 0
 ip address 10.0.0.2 255.255.255.255
!
interface Loopback 11
 ip vrf forwarding SC
 ip address 10.2.4.1 255.255.255.255
!
interface Loopback 12
 ip vrf forwarding BG
 ip address 10.2.4.2 255.255.255.255
!
interface Loopback 13
 ip vrf forwarding GL
 ip address 10.2.4.3 255.255.255.255
!
interface VLAN 11
 ip vrf forwarding SC
 ip address 10.2.1.1 255.255.255.252
!
interface VLAN 12
 ip vrf forwarding BG
 ip address 10.2.2.1 255.255.255.252
!
interface VLAN 13
 ip vrf forwarding GL
 ip address 10.2.3.1 255.255.255.252
!
interface VLAN 14
 ipv6 address 2001:10:2:4::1/64
 ipv6 enable
!
S3
hostname S3
vlan range 11,12,13,14,10,20,30,40
!
vlan 10
 name SC1-Terminal
!
vlan 11
 name SC1-Connect
!
vlan 12
 name BG1-Connect
!
vlan 13
 name GL1-Connect
!
vlan 14
 name IPv6-Connect
!
vlan 20
 name BG1-Terminal
!
vlan 30
 name GL1-Terminal
!
vlan 40
 name IPv6-Terminal
!
interface Loopback 11
 ip address 10.1.4.4 255.255.255.255
!
interface Loopback 12
 ip address 10.1.4.5 255.255.255.255
!
interface Loopback 13
 ip address 10.1.4.6 255.255.255.255
!
interface Loopback 14
 ip address 10.1.4.7 255.255.255.255
!
interface VLAN 1
!
interface VLAN 10
 ip address 10.1.10.254 255.255.255.0
!
interface VLAN 11
 ip address 10.1.1.2 255.255.255.252
!
interface VLAN 12
 ip address 10.1.2.2 255.255.255.252
!
interface VLAN 13
 ip address 10.1.3.2 255.255.255.252
!
interface VLAN 14
 ipv6 address 2001:10:1:4::254/64
!
interface VLAN 20
 ip address 10.1.20.254 255.255.255.0
!
interface VLAN 30
 ip address 10.1.30.254 255.255.255.0
!
interface VLAN 40
 ipv6 address 2001:10:1:40::254/64
 ipv6 enable
!
S4
hostname S4
vlan range 11,12,13,14,10,20,30,40
!
vlan 10
 name SC2-Terminal
!
vlan 11
 name SC2-Connect
!
vlan 12
 name BG2-Connect
!
vlan 13
 name GL2-Connect
!
vlan 14
 name IPv6-Connect
!
vlan 20
 name BG2-Terminal
!
vlan 30
 name GL2-Terminal
!
vlan 40
 name IPv6-Terminal
!
interface Loopback 11
 ip address 10.2.4.4 255.255.255.255
!
interface Loopback 12
 ip address 10.2.4.5 255.255.255.255
!
interface Loopback 13
 ip address 10.2.4.6 255.255.255.255
!
interface Loopback 14
 ip address 10.2.4.7 255.255.255.255
!
interface VLAN 10
 ip address 10.2.10.254 255.255.255.0
!
interface VLAN 11
 ip address 10.2.1.2 255.255.255.252
!
interface VLAN 12
 ip address 10.2.2.2 255.255.255.252
!
interface VLAN 13
 ip address 10.2.3.2 255.255.255.252
!
interface VLAN 14
 ipv6 address 2001:10:2:4::254/64
!
interface VLAN 20
 ip address 10.2.20.254 255.255.255.0
!
interface VLAN 30
 ip address 10.2.30.254 255.255.255.0
!
interface VLAN 40
 ipv6 address 2001:10:2:40::254/64
 ipv6 enable
!
R2
hostname R2
ip vrf BG
!
ip vrf GL
!
ip vrf SC
!
interface GigabitEthernet 0/0
 ip address 12.1.1.2 255.255.255.248
 ipv6 enable
 duplex auto
 speed auto
!
interface GigabitEthernet 0/0.21
 encapsulation dot1Q 21
 ip vrf forwarding BG
 ip address 21.1.1.2 255.255.255.248
 description Connect_To_R1
!
interface GigabitEthernet 0/1
 ip address 10.1.0.2 255.255.255.252
 ipv6 address 2001:10:1::2/64
 ipv6 enable
 duplex auto
 speed auto
 description Connect_To_S1
!
interface GigabitEthernet 0/2
 ip address 10.2.0.2 255.255.255.252
 ipv6 address 2001:10:2::2/64
 duplex auto
 speed auto
 description Connect_To_S2
!
interface Loopback 0
 ip address 10.0.0.22 255.255.255.255
!
interface Loopback 1
 ip vrf forwarding GL
 ip address 172.16.0.2 255.255.255.0
!
interface Loopback 13
 ip address 110.1.4.22 255.255.255.255
!
interface VLAN 1
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel 0
 ip vrf forwarding GL
 ip address 172.17.0.2 255.255.255.0
!
R1
hostname R1
interface GigabitEthernet 0/0
 ip address 17.1.1.1 255.255.255.248
 duplex auto
 speed auto
 description Connect_To_S7
!
interface GigabitEthernet 0/1
 ip address 12.1.1.1 255.255.255.248
 duplex auto
 speed auto
 description Connect_To_R2
!
interface GigabitEthernet 0/1.21
 encapsulation dot1Q 21
 ip address 21.1.1.1 255.255.255.248
 description Connect_To_R2
!
interface GigabitEthernet 0/2
 ip address 13.1.1.1 255.255.255.248
 duplex auto
 speed auto
 description Connect_To_R3
!
interface Loopback 20
 ip address 20.0.0.1 255.255.255.255
!
interface Loopback 30
 ip address 30.0.0.1 255.255.255.255
!
R3
hostname R3
interface GigabitEthernet 0/1
 ip address 13.1.1.2 255.255.255.248
 duplex auto
 speed auto
 description Connect_To_R1
!
interface GigabitEthernet 0/2
 ip address 10.3.0.1 255.255.255.252
 duplex auto
 speed auto
 description Connect_To_S5
!
interface Loopback 0
 ip address 10.3.1.3 255.255.255.255
!
interface VLAN 1
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel 0
 ip address 172.17.0.3 255.255.255.0
!
S5
hostname S5
interface GigabitEthernet 0/1
 no switchport
!
interface GigabitEthernet 0/2
 no switchport
!
interface GigabitEthernet 0/21
 no switchport
 description Connect_To_IOM
 ip address 192.1.100.254 255.255.255.0
!
interface GigabitEthernet 0/22
 no switchport
 description Connect_To_AAA
 ip address 194.1.100.254 255.255.255.0
!
interface GigabitEthernet 0/24
 no switchport
 description Connect_To_R3
 ip address 10.3.0.2 255.255.255.252
!
interface AggregatePort 1
 no switchport
 description Connect_To_VAC
 ip address 10.3.0.10 255.255.255.252
!
interface Loopback 0
 ip address 10.3.1.5 255.255.255.255
!
interface GigabitEthernet 0/1
 port-group 1 mode active
!
interface GigabitEthernet 0/2
 port-group 1 mode active
!
VAC
hostname AC1
virtual-ac domain 1
 device 1
 device 1 priority 200
 device 1 description AC1
 exit
vac-port
 port-member interface gi 0/3
 port-member interface gi 0/4
 end
device convert mode virtual
y
hostname AC2
virtual-ac domain 100
 device 2
 device 2 priority 150
 device 2 description AC2
 exit
vac-port
 port-member interface gi 0/3
 port-member interface gi 0/4
 end
device convert mode virtual
y
hostname VAC
interface AggregatePort 1
 no switchport
 description Connect_To_S5
 ip address 10.3.0.9 255.255.255.252
!
interface Loopback 0
 ip address 10.3.1.12 255.255.255.255
!
interface GigabitEthernet 1/0/2
 no switchport
 port-group 1 mode active
!
interface GigabitEthernet 2/0/2
 no switchport
 port-group 1 mode active
!
GW1
hostname GW1
interface GigabitEthernet 0/0
 description Connect_To_R1
 ip address 17.1.1.2 255.255.255.248
 ip nat inside
!
interface GigabitEthernet 0/1
!
interface GigabitEthernet 0/1.10
 encapsulation dot1Q 10
 description SC1-Terminal
 ip address 10.4.10.254 255.255.255.0
!
interface GigabitEthernet 0/1.11
 encapsulation dot1Q 11
 description SC2-Terminal
 ip address 10.4.11.254 255.255.255.0
!
interface GigabitEthernet 0/1.20
 encapsulation dot1Q 20
 description AP-Manage
 ip address 10.4.20.254 255.255.255.0
!
interface GigabitEthernet 0/1.30
 encapsulation dot1Q 30
 description Net-Manage
 ip address 10.4.30.254 255.255.255.0
!
interface Loopback 0
 ip address 10.4.1.1 255.255.255.255
!
interface Virtual-ppp 1
 ip address 172.16.0.3 255.255.255.0
!
GW2
hostname GW2
interface GigabitEthernet 0/0
 description Connect_To_R1
 ip address 17.1.1.3 255.255.255.248
 ip nat inside
!
interface GigabitEthernet 0/1
!
interface GigabitEthernet 0/1.10
 encapsulation dot1Q 10
 description SC1-Terminal
 ip address 10.4.10.253 255.255.255.0
!
interface GigabitEthernet 0/1.11
 encapsulation dot1Q 11
 description SC2-Terminal
 ip address 10.4.11.253 255.255.255.0
!
interface GigabitEthernet 0/1.20
 encapsulation dot1Q 20
 description AP-Manage
 ip address 10.4.20.253 255.255.255.0
!
interface GigabitEthernet 0/1.30
 encapsulation dot1Q 30
 description Net-Manage
 ip address 10.4.30.253 255.255.255.0
!
interface Loopback 0
 ip address 10.4.1.2 255.255.255.255
!
interface Virtual-ppp 1
 ip address 172.16.0.4 255.255.255.0
!
S6
hostname S6
vlan 10
 name SC1-Terminal
!
vlan 11
 name SC2-Terminal
!
vlan 20
 name AP-Manage
!
vlan 30
 name Net-Manage
!
interface GigabitEthernet 0/11
 switchport access vlan 20
!
interface GigabitEthernet 0/21
 no switchport
 description Connect_To_SDN
 ip address 192.168.1.6 255.255.255.0
!
interface VLAN 30
 ip address 10.4.30.1 255.255.255.0
!
S7
hostname S7
vlan 1
 name HUB
!
interface VLAN 1
 ip address 17.1.1.4 255.255.255.248
!
2. Enable the SSH server function on all network devices. The username and password are admin and Test@123456, with the password stored as plain text. The enable (privileged-mode) password is Test@123456.
3. Deploy SNMP on all network devices and configure every device to send Trap messages to host 192.1.100.100. Use version v2c with the read-write community "Test@123".
Configuration on all devices
no password policy min-size        # disable the minimum password length policy
no password policy strong          # disable the password strength policy
no service password-encryption     # disable password encryption
enable service snmp-agent          # start the SNMP agent
enable service ssh-server          # start the SSH server
snmp-server community Test@123 rw  # read-write community
snmp-server host 192.168.1.2 traps version 2c Test@123     # SDN controller host
snmp-server host 192.1.100.100 traps version 2c Test@123   # O&M platform host
snmp-server host 194.1.100.100 traps version 2c Test@123   # SMP+ / wireless authentication host
snmp-server enable traps           # enable SNMP traps
username admin password Test@123456   # create the SSH user
username admin privilege 15 login mode ssh   # the admin user is used for SSH
line vty 0 4                       # remote login (VTY) lines
 login local                       # local user authentication
enable password Test@123456        # privileged-mode password
S6 additional configuration
of controller-ip 192.168.1.2 port 6653 interface GigabitEthernet 0/21   # SDN (OpenFlow) controller
R1/S7: only public addresses are present here, so an additional trap host entry is needed
snmp-server host 13.1.1.3 traps version 2c Test@123
# this host address is the O&M platform's static NAT mapping on R3
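The common block above deliberately turns off the password policy, stores credentials in clear text and uses a read-write SNMPv2c community, because the task requires it. The script below, an added example that is not part of the original solution, audits a saved running-config for exactly those management-plane weaknesses so they can be found later on a production device. The two sample configs are constructed: the first reproduces the page's common block, the second is a hardened variant whose command syntax (enable secret, a secret-based username, access-class on the VTY lines) is assumed Cisco/RGOS-style and not taken from the page.

```python
"""Audit a Ruijie/Cisco-style config text for weak management-plane settings.
Added example, not from the original page. Sample configs are constructed;
the hardened variant's command syntax is assumed."""
import re

# Constructed: the management-plane lines from the page's "all devices" block.
WEAK_CONFIG = """\
no password policy min-size
no password policy strong
no service password-encryption
enable service snmp-agent
enable service ssh-server
snmp-server community Test@123 rw
snmp-server host 192.1.100.100 traps version 2c Test@123
snmp-server enable traps
username admin password Test@123456
username admin privilege 15
line vty 0 4
 login local
enable password Test@123456
"""

# Constructed: the same services with the weak settings removed (syntax assumed).
HARDENED_CONFIG = """\
service password-encryption
enable service ssh-server
enable service snmp-agent
snmp-server community Ops-RO ro
snmp-server enable traps
username admin privilege 15 secret Test@123456
line vty 0 4
 login local
 access-class 10 in
enable secret Test@123456
"""

# (finding id, regex applied to a stripped line, severity, remediation)
LINE_RULES = [
    ("PASSWORD_POLICY_DISABLED", r"^no password policy (min-size|strong)$", "medium",
     "re-enable the password length/strength policy"),
    ("PASSWORD_ENCRYPTION_OFF", r"^no service password-encryption$", "high",
     "credentials are stored in clear text; enable service password-encryption"),
    ("SNMP_V2C_RW_COMMUNITY", r"^snmp-server community \S+ rw$", "high",
     "read-write SNMPv2c community; use SNMPv3 or a read-only community behind an ACL"),
    ("SNMP_V2C_TRAP", r"^snmp-server host \S+ traps version 2c \S+$", "low",
     "v2c traps carry the community in clear text; prefer SNMPv3"),
    ("ENABLE_PASSWORD_CLEAR", r"^enable password \S+$", "high",
     "use a hashed 'enable secret' instead of 'enable password'"),
    ("USER_PASSWORD_CLEAR", r"^username \S+ password \S+$", "high",
     "local user defined with a clear-text password"),
]

def _vty_has_access_class(text: str):
    """True/False when a 'line vty' block exists; None when the config has none."""
    in_vty, seen = False, False
    for raw in text.splitlines():
        if raw.startswith("line vty"):
            in_vty, seen = True, True
        elif in_vty and raw.startswith(" "):
            if "access-class" in raw:
                return True
        else:
            in_vty = False          # any other top-level command ends the block
    return False if seen else None

def audit_config(text: str) -> list:
    """Return one finding dict per weak setting found in the config text."""
    findings = []
    for ln, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        for fid, pattern, severity, fix in LINE_RULES:
            if re.match(pattern, line):
                findings.append({"id": fid, "severity": severity, "line": ln,
                                 "text": line, "fix": fix})
    if _vty_has_access_class(text) is False:
        findings.append({"id": "VTY_NO_ACCESS_CLASS", "severity": "medium", "line": None,
                         "text": "line vty", "fix": "restrict SSH sources with an access-class"})
    return findings

def finding_ids(text: str) -> set:
    """The set of finding ids raised for a config text."""
    return {f["id"] for f in audit_config(text)}

if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG):
        print(f"[{f['severity']:6}] line {f['line']}: {f['text']}  -> {f['fix']}")
    print("hardened findings:", finding_ids(HARDENED_CONFIG))
```

Run it against the output of `show running-config` saved to a file; the `VTY_NO_ACCESS_CLASS` rule is block-aware, so it only fires when a `line vty` stanza exists and none of its indented lines carries an access-class.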
(II) Wired network configuration
1. Perform VLAN pruning on all trunk links network-wide.
S6
interface GigabitEthernet 0/11
 switchport mode trunk
 switchport trunk allowed vlan only 10-11,20
 switchport trunk native vlan 20
!
interface GigabitEthernet 0/23
 switchport mode trunk
 switchport trunk allowed vlan only 10-11,20,30
!
interface GigabitEthernet 0/24
 switchport mode trunk
 switchport trunk allowed vlan only 10-11,20,30
!
S3
interface GigabitEthernet 0/21
 switchport mode trunk
 switchport trunk allowed vlan only 10,20,30,40
 switchport trunk native vlan 30
!
interface GigabitEthernet 0/24
 switchport mode trunk
 switchport trunk allowed vlan only 11-14
!
S4
interface GigabitEthernet 0/21
 switchport mode trunk
 switchport trunk allowed vlan only 10,20,30,40
 switchport trunk native vlan 30
!
interface GigabitEthernet 0/24
 switchport mode trunk
 switchport trunk allowed vlan only 11-14
!
S1
interface GigabitEthernet 1/0/1
 switchport mode trunk
 switchport trunk allowed vlan only 11-14
!
S2
interface GigabitEthernet 2/0/1
 switchport mode trunk
 switchport trunk allowed vlan only 11-14
!
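To check that the pruning above is complete rather than reading each stanza by hand, the following script, an added example and not part of the original solution, parses trunk stanzas in the same syntax and reports any trunk left carrying every VLAN, any trunk carrying VLAN 1, and any native VLAN that also appears in the tagged set (on the page's AP-facing ports the native VLAN is intentionally the AP management VLAN, so that last finding is informational). SAMPLE is constructed from the S6 block plus one unpruned trunk that the page does not have.

```python
"""Parse Ruijie/Cisco-style trunk stanzas and check VLAN pruning.
Added example, not from the original page; SAMPLE is constructed."""
import re

SAMPLE = """\
interface GigabitEthernet 0/11
 switchport mode trunk
 switchport trunk allowed vlan only 10-11,20
 switchport trunk native vlan 20
!
interface GigabitEthernet 0/23
 switchport mode trunk
 switchport trunk allowed vlan only 10-11,20,30
!
interface GigabitEthernet 0/25
 switchport mode trunk
!
"""

def expand_vlans(spec: str) -> set:
    """'10-11,20' -> {10, 11, 20}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(text: str) -> dict:
    """Return {interface: {'allowed': set or None, 'native': int}} for trunk ports.
    'allowed' is None when no allowed-vlan list is configured (all VLANs pass);
    the native VLAN defaults to 1 when not set."""
    ports, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line[len("interface "):]
            ports[cur] = {"trunk": False, "allowed": None, "native": 1}
        elif cur is None:
            continue
        elif line == "switchport mode trunk":
            ports[cur]["trunk"] = True
        elif (m := re.fullmatch(r"switchport trunk allowed vlan only (\S+)", line)):
            ports[cur]["allowed"] = expand_vlans(m.group(1))
        elif (m := re.fullmatch(r"switchport trunk native vlan (\d+)", line)):
            ports[cur]["native"] = int(m.group(1))
    return {name: p for name, p in ports.items() if p["trunk"]}

def check_pruning(text: str) -> list:
    """List of (interface, finding) tuples, in config order."""
    findings = []
    for name, p in parse_trunks(text).items():
        if p["allowed"] is None:
            findings.append((name, "ALL_VLANS_ALLOWED"))
            continue
        if 1 in p["allowed"]:
            findings.append((name, "VLAN1_ON_TRUNK"))
        if p["native"] in p["allowed"]:
            # untagged frames on this trunk land in a VLAN that is also tagged
            findings.append((name, f"NATIVE_{p['native']}_UNTAGGED"))
    return findings

if __name__ == "__main__":
    for name, finding in check_pruning(SAMPLE):
        print(f"{name}: {finding}")
```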
2. On S3 and S4, enable edge ports and BPDU guard; when a loop is detected, the port is shut down. If a port is put into the disabled state, it recovers automatically after 200 seconds.
S3/S4
rldp enable                            # enable the loop-detection (RLDP) mechanism
errdisable recovery interval 200       # recovery time after a port is err-disabled
interface range gigabitEthernet 0/1-23   # the edge ports
 spanning-tree bpduguard enable        # err-disable the port if a BPDU is received on it
 spanning-tree portfast                # edge port: forward immediately, skip STP listening/learning
 rldp port loop-detect shutdown-port   # on loop detection, shut down the port
3. DHCP servers are deployed on S3, S4, GW1 and GW2 to assign IP addresses dynamically to LAN terminals.
S4
service dhcp
ip dhcp pool vlan10
 network 10.2.10.0 255.255.255.0
 default-router 10.2.10.254
!
ip dhcp pool vlan20
 network 10.2.20.0 255.255.255.0
 default-router 10.2.20.254
!
ip dhcp pool vlan30
 option 138 ip 10.3.1.12
 network 10.2.30.0 255.255.255.0
 default-router 10.2.30.254
!
S3
service dhcp
ip dhcp pool vlan10
 network 10.1.10.0 255.255.255.0
 default-router 10.1.10.254
!
ip dhcp pool vlan20
 network 10.1.20.0 255.255.255.0
 default-router 10.1.20.254
!
ip dhcp pool vlan30
 option 138 ip 10.3.1.12
 network 10.1.30.0 255.255.255.0
 default-router 10.1.30.254
!
GW1
service dhcp
ip dhcp pool vlan10
 network 10.4.10.0 255.255.255.0
 default-router 10.4.10.1
!
ip dhcp pool vlan11
 network 10.4.11.0 255.255.255.0
 default-router 10.4.11.1
!
ip dhcp pool vlan20
 option 138 ip 10.3.1.12
 network 10.4.20.0 255.255.255.0
 default-router 10.4.20.1
!
GW2
service dhcp
ip dhcp pool vlan10
 network 10.4.10.0 255.255.255.0
 default-router 10.4.10.1
!
ip dhcp pool vlan11
 network 10.4.11.0 255.255.255.0
 default-router 10.4.11.1
!
ip dhcp pool vlan20
 option 138 ip 10.3.1.12
 network 10.4.20.0 255.255.255.0
 default-router 10.4.20.1
!
4. The two interconnecting links of S5 (G 0/1, G 0/2) are bundled with link aggregation in LACP dynamic mode.
S5
interface AggregatePort 1
 no switchport
 description Connect_To_VAC
 ip address 10.3.0.10 255.255.255.252
!
interface GigabitEthernet 0/1
 no switchport
 port-group 1 mode active
!
interface GigabitEthernet 0/2
 no switchport
 port-group 1 mode active
!
VAC
interface AggregatePort 1
 no switchport
 description Connect_To_S5
 ip address 10.3.0.9 255.255.255.252
!
interface GigabitEthernet 1/0/2
 no switchport
 port-group 1 mode active
!
interface GigabitEthernet 2/0/2
 no switchport
 port-group 1 mode active
!
5. In the Beijing integrated service center, R2, S1 and S2 run OSPF in area 0 with process number 10; S1-S3 and S2-S4 each run OSPF in area 0, with process numbers 11, 12 and 13 defined for the production, office and management services respectively.
R2
router ospf 10
 router-id 10.0.0.22
 network 10.0.0.22 0.0.0.0 area 0
 network 10.1.0.0 0.0.0.3 area 0
 network 10.2.0.0 0.0.0.3 area 0
S1
router ospf 10
 router-id 10.0.0.1
 graceful-restart
 network 10.0.0.1 0.0.0.0 area 0
 network 10.1.0.0 0.0.0.3 area 0
!
router ospf 11 vrf SC
 router-id 10.1.4.1
 graceful-restart
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.4.1 0.0.0.0 area 0
!
router ospf 12 vrf BG
 router-id 10.1.4.2
 graceful-restart
 network 10.1.2.0 0.0.0.3 area 0
 network 10.1.4.2 0.0.0.0 area 0
!
router ospf 13 vrf GL
 router-id 10.1.4.3
 graceful-restart
 network 10.1.3.0 0.0.0.3 area 0
 network 10.1.4.3 0.0.0.0 area 0
!
S2
router ospf 10
 router-id 10.0.0.2
 graceful-restart
 network 10.0.0.2 0.0.0.0 area 0
 network 10.2.0.0 0.0.0.3 area 0
!
router ospf 11 vrf SC
 router-id 10.2.4.1
 graceful-restart
 network 10.2.1.0 0.0.0.3 area 0
 network 10.2.4.1 0.0.0.0 area 0
!
router ospf 12 vrf BG
 router-id 10.2.4.2
 graceful-restart
 network 10.2.2.0 0.0.0.3 area 0
 network 10.2.4.2 0.0.0.0 area 0
!
router ospf 13 vrf GL
 router-id 10.2.4.3
 graceful-restart
 network 10.2.3.0 0.0.0.3 area 0
 network 10.2.4.3 0.0.0.0 area 0
!
S3
router ospf 11
 router-id 10.1.4.4
 graceful-restart
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.4.4 0.0.0.0 area 0
 network 10.1.10.0 0.0.0.255 area 0
!
router ospf 12
 router-id 10.1.4.5
 graceful-restart
 network 10.1.2.0 0.0.0.3 area 0
 network 10.1.4.5 0.0.0.0 area 0
 network 10.1.20.0 0.0.0.255 area 0
!
router ospf 13
 router-id 10.1.4.6
 graceful-restart
 network 10.1.3.0 0.0.0.3 area 0
 network 10.1.4.6 0.0.0.0 area 0
 network 10.1.30.0 0.0.0.255 area 0
!
S4
router ospf 11
 router-id 10.2.4.4
 graceful-restart
 network 10.2.1.0 0.0.0.3 area 0
 network 10.2.4.4 0.0.0.0 area 0
 network 10.2.10.0 0.0.0.255 area 0
!
router ospf 12
 router-id 10.2.4.5
 graceful-restart
 network 10.2.2.0 0.0.0.3 area 0
 network 10.2.4.5 0.0.0.0 area 0
 network 10.2.20.0 0.0.0.255 area 0
!
router ospf 13
 router-id 10.2.4.6
 graceful-restart
 network 10.2.3.0 0.0.0.3 area 0
 network 10.2.4.6 0.0.0.0 area 0
 network 10.2.30.0 0.0.0.255 area 0
!
6. In the Shanghai management center, R3 and S5 run OSPF in area 0 with process number 20. AC1, AC2 and S5 use static routing.
R3
router ospf 20
 router-id 10.3.1.3
 network 10.3.0.0 0.0.0.3 area 0
 network 10.3.1.3 0.0.0.0 area 0
 default-information originate metric-type 1
S5
router ospf 20
 router-id 10.3.1.5
 graceful-restart
 redistribute static metric-type 1 subnets
 network 10.3.0.0 0.0.0.3 area 0
 network 10.3.1.5 0.0.0.0 area 0
 network 192.1.100.0 0.0.0.255 area 0
 network 194.1.100.0 0.0.0.255 area 0
!
ip route 10.3.1.12 255.255.255.255 10.3.0.9
VAC
ip route 0.0.0.0 0.0.0.0 10.3.0.10
7. The exit device of each center reaches the Internet via static routes.
R3
ip route 0.0.0.0 0.0.0.0 13.1.1.1
S7/GW1/GW2
ip route 0.0.0.0 0.0.0.0 17.1.1.1
R2
ip route 0.0.0.0 0.0.0.0 12.1.1.1
ip route vrf BG 0.0.0.0 0.0.0.0 21.1.1.1
S6
ip route 0.0.0.0 0.0.0.0 10.4.30.253
ip route 0.0.0.0 0.0.0.0 10.4.30.254
8. Deploy IBGP among R2, S1 and S2 with AS number 100; define R2 as the route reflector (RR); build the BGP neighbor relationships using the Loopback 0 interfaces.
9. The Beijing integrated service center LAN uses MPLS VPN to isolate the services securely. R2, S1 and S2 enable MPLS packet forwarding and the LDP label distribution protocol.
10. The production VRF is named SC with RD 100:1; the office VRF is named BG with RD 100:2; the management VRF is named GL with RD 100:3. The RT values are self-defined.
R2
ip vrf BG
 rd 100:2
 route-target both 1:1
!
ip vrf GL
 rd 100:3
 route-target both 1:1
!
ip vrf SC
 rd 100:1
 route-target both 1:1
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 10.0.0.1 remote-as 100
 neighbor 10.0.0.1 update-source 10.0.0.22
 neighbor 10.0.0.2 remote-as 100
 neighbor 10.0.0.2 update-source 10.0.0.22
 !
 address-family ipv4
  no neighbor 10.0.0.1 activate
  no neighbor 10.0.0.2 activate
 exit-address-family
 !
 address-family vpnv4 unicast
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 route-reflector-client
  neighbor 10.0.0.1 send-community extended
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 route-reflector-client
  neighbor 10.0.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf BG
  maximum-prefix 10000
  network 0.0.0.0
 exit-address-family
 !
 address-family ipv4 vrf GL
  maximum-prefix 10000
 exit-address-family
 !
 address-family ipv4 vrf SC
  maximum-prefix 10000
 exit-address-family
!
mpls ip                                  # enable MPLS globally
mpls router ldp                          # configure LDP
 ldp router-id 10.0.0.22                 # LDP router ID
 exit
interface range gigabitEthernet 0/1-2    # MPLS neighbor interfaces
 mpls ip                                 # enable MPLS on the interfaces
 label-switching                         # enable label switching on the interfaces
S1
ip vrf BG
 rd 100:2
 route-target both 1:1
!
ip vrf GL
 rd 100:3
 route-target both 1:1
!
ip vrf SC
 rd 100:1
 route-target both 1:1
!
mpls ip
mpls router ldp
 ldp router-id 10.0.0.1
 exit
interface gigabitEthernet 1/0/24
 mpls ip
 label-switching
!
router bgp 100
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 10.0.0.22 remote-as 100
 neighbor 10.0.0.22 update-source 10.0.0.1
 address-family ipv4
  no neighbor 10.0.0.22 activate
 exit-address-family
 address-family vpnv4 unicast
  neighbor 10.0.0.22 activate
  neighbor 10.0.0.22 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf SC
  maximum-prefix 10000
 exit-address-family
 !
 address-family ipv4 vrf GL
  maximum-prefix 10000
 exit-address-family
 !
 address-family ipv4 vrf BG
  maximum-prefix 10000
 exit-address-family
S2
ip vrf BG
 rd 100:2
 route-target both 1:1
!
ip vrf GL
 rd 100:3
 route-target both 1:1
!
ip vrf SC
 rd 100:1
 route-target both 1:1
!
mpls ip
mpls router ldp
 ldp router-id 10.0.0.2
 exit
interface gigabitEthernet 1/0/24
 mpls ip
 label-switching
!
router bgp 100
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 10.0.0.22 remote-as 100
 neighbor 10.0.0.22 update-source 10.0.0.2
 address-family ipv4
  no neighbor 10.0.0.22 activate
 exit-address-family
 address-family vpnv4 unicast
  neighbor 10.0.0.22 activate
  neighbor 10.0.0.22 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf SC
  maximum-prefix 10000
 exit-address-family
 !
 address-family ipv4 vrf GL
  maximum-prefix 10000
 exit-address-family
 !
 address-family ipv4 vrf BG
  maximum-prefix 10000
 exit-address-family
11. MPLS VPN lets terminals in the same VPN reach each other; the production and office VPNs may not reach each other; the management VPN may reach both the production and the office VPN. Office VPN users in the Beijing integrated service center can access the Internet.
S1
ip prefix-list BG seq 5 permit 10.1.20.0/24
ip prefix-list BG seq 10 permit 10.2.20.0/24
!
ip prefix-list SC seq 5 permit 10.1.10.0/24
ip prefix-list SC seq 10 permit 10.2.10.0/24
!
route-map SC deny 5
 match ip address prefix-list BG
!
route-map SC permit 10
!
route-map BG deny 5
 match ip address prefix-list SC
!
route-map BG permit 10
!
router bgp 100
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 10.0.0.22 remote-as 100
 neighbor 10.0.0.22 update-source 10.0.0.1
 address-family ipv4
  no neighbor 10.0.0.22 activate
 exit-address-family
 address-family vpnv4 unicast
  neighbor 10.0.0.22 activate
  neighbor 10.0.0.22 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf SC
  maximum-prefix 10000
  redistribute ospf 11 match internal external
 exit-address-family
 !
 address-family ipv4 vrf GL
  maximum-prefix 10000
  redistribute ospf 13 match internal external
 exit-address-family
 !
 address-family ipv4 vrf BG
  maximum-prefix 10000
  redistribute ospf 12 match internal external
 exit-address-family
!
router ospf 11 vrf SC
 router-id 10.1.4.1
 graceful-restart
 redistribute bgp metric-type 1 route-map SC subnets
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.4.1 0.0.0.0 area 0
!
router ospf 12 vrf BG
 router-id 10.1.4.2
 graceful-restart
 default-information originate metric-type 1
 redistribute bgp metric-type 1 route-map BG subnets
 network 10.1.2.0 0.0.0.3 area 0
 network 10.1.4.2 0.0.0.0 area 0
!
router ospf 13 vrf GL
 router-id 10.1.4.3
 graceful-restart
 redistribute bgp metric-type 1 subnets
 network 10.1.3.0 0.0.0.3 area 0
 network 10.1.4.3 0.0.0.0 area 0
!
S2
ip prefix-list BG seq 5 permit 10.1.20.0/24
ip prefix-list BG seq 10 permit 10.2.20.0/24
!
ip prefix-list SC seq 5 permit 10.1.10.0/24
ip prefix-list SC seq 10 permit 10.2.10.0/24
!
route-map SC deny 5
 match ip address prefix-list BG
!
route-map SC permit 10
!
route-map BG deny 5
 match ip address prefix-list SC
!
route-map BG permit 10
!
router bgp 100
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 10.0.0.22 remote-as 100
 neighbor 10.0.0.22 update-source 10.0.0.2
 address-family ipv4
  no neighbor 10.0.0.22 activate
 exit-address-family
 address-family vpnv4 unicast
  neighbor 10.0.0.22 activate
  neighbor 10.0.0.22 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf SC
  maximum-prefix 10000
  redistribute ospf 11 match internal external
 exit-address-family
 !
 address-family ipv4 vrf BG
  maximum-prefix 10000
  redistribute ospf 12 match internal external
 exit-address-family
 !
 address-family ipv4 vrf GL
  maximum-prefix 10000
  redistribute ospf 13 match internal external
 exit-address-family
!
router ospf 11 vrf SC
 router-id 10.2.4.1
 graceful-restart
 redistribute bgp metric-type 1 route-map SC subnets
 network 10.2.1.0 0.0.0.3 area 0
 network 10.2.4.1 0.0.0.0 area 0
!
router ospf 12 vrf BG
 router-id 10.2.4.2
 graceful-restart
 default-information originate metric-type 1
 redistribute bgp metric-type 1 route-map BG subnets
 network 10.2.2.0 0.0.0.3 area 0
 network 10.2.4.2 0.0.0.0 area 0
!
router ospf 13 vrf GL
 router-id 10.2.4.3
 graceful-restart
 redistribute bgp metric-type 1 subnets
 network 10.2.3.0 0.0.0.3 area 0
 network 10.2.4.3 0.0.0.0 area 0
!
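Because every VRF above exports and imports the same route target (1:1), the PE tables of SC, BG and GL all contain each other's routes; the only thing keeping production and office apart is the route-map applied when BGP is redistributed into the CE-facing OSPF process. The script below, an added example that is not part of the original solution, models that policy and checks it against the task's access rules, then shows what happens when the route-maps are removed, and compares it with a distinct-RT design (ours, not the page's) that isolates at the BGP import step without any route-map. The VRF, prefix-list and route-map data are copied from the S1/S2 configuration; the evaluation logic is ours.

```python
"""Check VPN reachability produced by route-target and route-map policy.
Added example, not from the original page; RT_ONLY_VRFS is our alternative."""
from itertools import product

# Site prefixes per VRF, from the page's OSPF network statements on S3/S4.
SITE_PREFIXES = {
    "SC": ["10.1.10.0/24", "10.2.10.0/24"],
    "BG": ["10.1.20.0/24", "10.2.20.0/24"],
    "GL": ["10.1.30.0/24", "10.2.30.0/24"],
}

# The page's VRFs: 'route-target both 1:1' everywhere, so each VRF imports every other's routes.
PAGE_VRFS = {
    "SC": {"rd": "100:1", "import": {"1:1"}, "export": {"1:1"}},
    "BG": {"rd": "100:2", "import": {"1:1"}, "export": {"1:1"}},
    "GL": {"rd": "100:3", "import": {"1:1"}, "export": {"1:1"}},
}

# Alternative design (ours): distinct RTs so isolation happens at BGP import, no route-maps needed.
RT_ONLY_VRFS = {
    "SC": {"rd": "100:1", "import": {"100:1", "100:3"}, "export": {"100:1"}},
    "BG": {"rd": "100:2", "import": {"100:2", "100:3"}, "export": {"100:2"}},
    "GL": {"rd": "100:3", "import": {"100:1", "100:2", "100:3"}, "export": {"100:3"}},
}

# The page's prefix-lists and the deny clauses of 'redistribute bgp ... route-map' per VRF.
PREFIX_LISTS = {"BG": SITE_PREFIXES["BG"], "SC": SITE_PREFIXES["SC"]}
PAGE_ROUTE_MAPS = {"SC": ["BG"], "BG": ["SC"], "GL": []}   # VRF -> denied prefix-lists
NO_ROUTE_MAPS = {"SC": [], "BG": [], "GL": []}

# Task rule: SC and BG must not see each other; GL talks to both; same-VRF always allowed.
POLICY = {(s, d): {s, d} != {"SC", "BG"} for s, d in product(SITE_PREFIXES, repeat=2)}

def imported(dst, src, vrfs):
    """Does the PE import src's VPNv4 routes into dst's VRF table (an RT matches)?"""
    return bool(vrfs[src]["export"] & vrfs[dst]["import"])

def redistributed(dst, prefix, route_maps):
    """Does the prefix survive dst's route-map when BGP is redistributed into CE OSPF?"""
    return not any(prefix in PREFIX_LISTS[pl] for pl in route_maps[dst])

def site_routes_visible(src, dst, vrfs, route_maps):
    """True if dst's site (CE side) learns at least one of src's site prefixes."""
    if src == dst:
        return True
    return imported(dst, src, vrfs) and any(
        redistributed(dst, p, route_maps) for p in SITE_PREFIXES[src])

def policy_violations(vrfs=PAGE_VRFS, route_maps=PAGE_ROUTE_MAPS):
    """Sorted (src, dst) pairs whose actual visibility differs from POLICY."""
    return sorted((s, d) for (s, d), allowed in POLICY.items()
                  if site_routes_visible(s, d, vrfs, route_maps) != allowed)

if __name__ == "__main__":
    print("page design, with route-maps     :", policy_violations())
    print("page design, route-maps removed  :", policy_violations(PAGE_VRFS, NO_ROUTE_MAPS))
    print("distinct-RT design, no route-maps:", policy_violations(RT_ONLY_VRFS, NO_ROUTE_MAPS))
```

The second line of output is the point to remember when operating this design: deleting or mis-sequencing one route-map on either PE silently merges production and office, so the route-maps deserve the same change control as the VRF definitions themselves.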
12. The Beijing integrated service center LAN deploys IPv6 with the OSPFv3 routing protocol, process number 14. R2, S1 and S2 are in area 0; S1-S3 are in area 1; S2-S4 are in area 2. VLAN 40 terminals obtain addresses by stateless autoconfiguration from the gateways S3 and S4.
R2
ipv6 router ospf 14
 router-id 10.0.0.22
!
interface range gigabitEthernet 0/1-2
 ipv6 ospf 14 area 0
S1
ipv6 router ospf 14
 router-id 10.0.0.1
!
interface VLAN 14
 ipv6 ospf 14 area 1
!
interface GigabitEthernet 1/0/24
 ipv6 ospf 14 area 0
S2
ipv6 router ospf 14
 router-id 10.0.0.2
!
interface VLAN 14
 ipv6 ospf 14 area 2
!
interface GigabitEthernet 1/0/24
 ipv6 ospf 14 area 0
S3
ipv6 router ospf 14
 router-id 10.1.4.7
!
interface VLAN 14
 ipv6 ospf 14 area 1
!
interface VLAN 40
 ipv6 ospf 14 area 1
 no ipv6 nd suppress-ra
!
S4
ipv6 router ospf 14
 router-id 10.2.4.7
!
interface VLAN 14
 ipv6 ospf 14 area 2
!
interface VLAN 40
 ipv6 ospf 14 area 2
 no ipv6 nd suppress-ra
!
13. IPv6 terminals in VLAN 40 of the Beijing integrated service center need to reach the WAN address 30.0.0.1, so NAT-PT is deployed on R2 for dynamic IPv6 address translation. The plan: the internal IPv6 translation address pool is 12.1.1.3-12.1.1.5, and 30.0.0.1 is translated to 2001:21:1::2.
R2
ipv6 access-list NAT64                        # match the outbound traffic
 10 permit ipv6 2001:10:1:40::/64 any
 20 permit ipv6 2001:10:2:40::/64 any
!
ipv6 route ::/0 GigabitEthernet 0/0           # IPv6 default route
ipv6 router ospf 14
 default-information originate metric-type 1
!
ipv6 nat prefix 2001:21:1::2/96               # NAT prefix
ipv6 nat v6v4 pool NAT64V4 12.1.1.3 12.1.1.5 prefix-length 24   # NAT64 IPv4 address pool
ipv6 nat v6v4 source list NAT64 pool NAT64V4 overload           # NAT64 (IPv6 to IPv4)
ipv6 nat v4v6 source 30.0.0.1 2001:21:1::2    # NAT46 static translation
interface range gigabitEthernet 0/0-2         # NAT inside and outside interfaces
 ipv6 nat                                     # enable IPv6 NAT on the interfaces
Verify that the NAT translation works.
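To make the address arithmetic behind the R2 configuration concrete, the following script, an added example that is not part of the original solution, works through both directions: the RFC 6052 /96 embedding that would represent any IPv4 host inside the NAT prefix, the static NAT46 entry that overrides it for 30.0.0.1, the ACL that limits which IPv6 sources may translate, and a small constructed session table that models the pool plus `overload` behaviour. The prefix, pool, ACL and static mapping values are the page's; the translator class is our model, not Ruijie's implementation.

```python
"""Address mapping behind the R2 NAT64/NAT46 configuration.
Added example, not from the original page; the session table is a constructed model."""
import ipaddress

# Page values. 'ipv6 nat prefix 2001:21:1::2/96' has host bits set; only the /96 network matters.
NAT64_PREFIX = ipaddress.IPv6Network("2001:21:1::/96")
POOL_START = ipaddress.IPv4Address("12.1.1.3")
POOL_END = ipaddress.IPv4Address("12.1.1.5")
STATIC_V4V6 = {ipaddress.IPv4Address("30.0.0.1"): ipaddress.IPv6Address("2001:21:1::2")}
INSIDE_V6 = [ipaddress.IPv6Network("2001:10:1:40::/64"),
             ipaddress.IPv6Network("2001:10:2:40::/64")]

def pool_size() -> int:
    return int(POOL_END) - int(POOL_START) + 1

def embed_v4(v4) -> ipaddress.IPv6Address:
    """RFC 6052 /96 form: the prefix bits followed by the 32-bit IPv4 address."""
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address)
                                 | int(ipaddress.IPv4Address(v4)))

def extract_v4(v6) -> ipaddress.IPv4Address:
    """Inverse of embed_v4; rejects addresses outside the NAT64 prefix."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in NAT64_PREFIX:
        raise ValueError(f"{v6} is not inside {NAT64_PREFIX}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

def v6_destination_for(v4) -> ipaddress.IPv6Address:
    """Address an IPv6 terminal must use to reach v4: the static NAT46 entry wins."""
    v4 = ipaddress.IPv4Address(v4)
    return STATIC_V4V6.get(v4, embed_v4(v4))

def v4_destination_for(v6) -> ipaddress.IPv4Address:
    """Router-side reverse lookup: static entries first, then prefix extraction.
    Extracting blindly would turn 2001:21:1::2 into 0.0.0.2, hence the order."""
    v6 = ipaddress.IPv6Address(v6)
    for v4, mapped in STATIC_V4V6.items():
        if mapped == v6:
            return v4
    return extract_v4(v6)

def permitted_source(src_v6) -> bool:
    """Mirror of the 'NAT64' IPv6 ACL: only the two VLAN 40 prefixes may translate."""
    return any(ipaddress.IPv6Address(src_v6) in net for net in INSIDE_V6)

class Nat64Translator:
    """Stateful v6->v4 table: each inside flow gets a pool address and a rewritten
    source port, so several hosts can share one pool address ('overload')."""
    def __init__(self):
        self.sessions = {}      # (src_v6, src_port) -> (pool_v4, pool_port)
        self.next_port = 1024

    def outbound(self, src_v6, src_port, dst_v6):
        """Return (pool_v4, pool_port, dst_v4) or None when the ACL does not match."""
        if not permitted_source(src_v6):
            return None
        key = (ipaddress.IPv6Address(src_v6), src_port)
        if key not in self.sessions:
            pool_v4 = POOL_START + (len(self.sessions) % pool_size())
            self.sessions[key] = (pool_v4, self.next_port)
            self.next_port += 1
        pool_v4, pool_port = self.sessions[key]
        return pool_v4, pool_port, v4_destination_for(dst_v6)

if __name__ == "__main__":
    t = Nat64Translator()
    print(t.outbound("2001:10:1:40::10", 40000, "2001:21:1::2"))
    print(embed_v4("30.0.0.1"), "<- 30.0.0.1 in embedded form, without the static entry")
```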
(III) Wireless network configuration
4. Configure the two AC devices as one virtual AC using the virtualization scheme.
5. Ports G 0/3-4 between AC1 and AC2 serve as the virtual switch link. Configure AC1 as primary and AC2 as standby; the primary device's description is AC1 and the standby device's description is AC2.
AC1
hostname AC1
virtual-ac domain 1
 device 1
 device 1 priority 200
 device 1 description AC1
 exit
vac-port
 port-member interface gi 0/3
 port-member interface gi 0/4
 end
device convert mode virtual
y
AC2
hostname AC2
virtual-ac domain 100
 device 2
 device 2 priority 150
 device 2 description AC2
 exit
vac-port
 port-member interface gi 0/3
 port-member interface gi 0/4
 end
device convert mode virtual
y
6. The wireless network uses the FIT AP + AC scheme; all APs associate with the Shanghai management center AC for management.
R1
ip route 10.4.20.0 255.255.255.0 17.1.1.2
ip route 10.4.20.0 255.255.255.0 17.1.1.3
7. In the Beijing integrated service center, switch S3 is the DHCP server for wireless production-1 users (VLAN 10), office-1 users (VLAN 20) and wireless FIT AP1 (VLAN 30); switch S4 is the DHCP server for wireless production-2 users (VLAN 10), office-2 users (VLAN 20) and wireless FIT AP2 (VLAN 30).
S3
service dhcp
!
ip dhcp pool vlan10
 network 10.1.10.0 255.255.255.0
 default-router 10.1.10.254
!
ip dhcp pool vlan20
 network 10.1.20.0 255.255.255.0
 default-router 10.1.20.254
!
ip dhcp pool vlan30
 option 138 ip 10.3.1.12
 network 10.1.30.0 255.255.255.0
 default-router 10.1.30.254
!
S4
service dhcp
!
ip dhcp pool vlan10
 network 10.2.10.0 255.255.255.0
 default-router 10.2.10.254
!
ip dhcp pool vlan20
 network 10.2.20.0 255.255.255.0
 default-router 10.2.20.254
!
ip dhcp pool vlan30
 option 138 ip 10.3.1.12
 network 10.2.30.0 255.255.255.0
 default-router 10.2.30.254
!
8. For the Beijing integrated service center wireless deployment, create the SSID BJ_SC_DOT1X_XX with WLAN ID 1 and AP group Admin_BJ; after associating with the SSID, wireless users (authentication username user1, password YY) use 802.1X authentication and obtain a VLAN 10 address automatically (XX and YY are provided on site).
9. For the Beijing integrated service center wireless deployment, create the SSID BJ_BG_WEB_XX with WLAN ID 2 and AP group Admin_BJ; after associating with the SSID, wireless users (authentication username user2, password YY) use web authentication and obtain a VLAN 20 address automatically (XX and YY are provided on site).
VAC
wlan-config 1 BJ_SC_DOT1X_XX
 ssid-code utf-8
 tunnel local
!
wlan-config 2 BJ_BG_WEB_XX
 ssid-code utf-8
 tunnel local
!
ap-group Admin_BJ
 interface-mapping 1 10     # bind WLAN 1 to service VLAN 10
 interface-mapping 2 20     # bind WLAN 2 to service VLAN 20
!
10. The Guangzhou production center uses GW1/GW2 as the DHCP server for wireless production-1 users (VLAN 10), production-2 users (VLAN 11) and wireless FIT AP3 (VLAN 20).
GW1
service dhcp
!
ip dhcp pool vlan10
 network 10.4.10.0 255.255.255.0
 default-router 10.4.10.1
!
ip dhcp pool vlan11
 network 10.4.11.0 255.255.255.0
 default-router 10.4.11.1
!
ip dhcp pool vlan20
 option 138 ip 10.3.1.12
 network 10.4.20.0 255.255.255.0
 default-router 10.4.20.1
!
GW2
service dhcp
!
ip dhcp pool vlan10
 network 10.4.10.0 255.255.255.0
 default-router 10.4.10.1
!
ip dhcp pool vlan11
 network 10.4.11.0 255.255.255.0
 default-router 10.4.11.1
!
ip dhcp pool vlan20
 option 138 ip 10.3.1.12
 network 10.4.20.0 255.255.255.0
 default-router 10.4.20.1
!
11. For the Guangzhou production center wireless deployment, create the SSID GZ_SC_DOT1X_XX with WLAN ID 3 and AP group Admin_GZ; after associating with the SSID, wireless users (authentication username user11, password YY) use 802.1X authentication and obtain a VLAN 10 address automatically (XX and YY are provided on site).
12. For the Guangzhou production center wireless deployment, create the SSID GZ_SC_WEB_XX with WLAN ID 4 and AP group Admin_GZ; after associating with the SSID, wireless users (authentication username user12, password YY) use web authentication and obtain a VLAN 11 address automatically (XX and YY are provided on site).
VAC
wlan-config 3 GZ_SC_DOT1X_XX
 ssid-code utf-8
 tunnel local
!
wlan-config 4 GZ_SC_WEB_XX
 ssid-code utf-8
 tunnel local
!
ap-group Admin_GZ
 interface-mapping 3 10
 interface-mapping 4 11
Web authentication base configuration (VAC)
aaa new-model
aaa accounting network default start-stop group radius   # enable network accounting
aaa authentication web-auth default group radius         # enable web authentication
web-auth portal key ruijie@123                           # web authentication portal key
radius-server host 194.1.100.100 key ruijie@123          # RADIUS (authentication/accounting) server
web-auth template eportalv2                              # web authentication template
 ip 194.1.100.100                                        # web authentication server address
 url http://194.1.100.100/portal/entry                   # web authentication redirect URL
!
ip portal source-interface Loopback 0
ip radius source-interface Loopback 0
wlansec 2                                                # enable web authentication on WLAN 2
 web-auth portal eportalv2
 webauth
!
wlansec 4
 web-auth portal eportalv2
 webauth
Web authentication portal page configuration
After web authentication is configured (VAC)
ip portal source-interface Loopback 0   // this interface must match the IP interface configured on SMP+
ip radius source-interface Loopback 0   // this interface must match the IP interface configured on SMP+
802.1X authentication (VAC)
aaa new-model
aaa accounting network default start-stop group radius
aaa accounting network none start-stop none
aaa authentication dot1x default group radius   # 802.1X authentication method
radius-server host 194.1.100.100 key ruijie@123
ip radius source-interface Loopback 0
dot1x authentication default                    # 802.1X uses the default authentication list
dot1x accounting default                        # 802.1X uses the default accounting list
dot1x eapol-ta
wlansec 1
 security rsn enable
 security rsn ciphers aes enable
 security rsn akm 802.1x enable
 dot1x accounting none
!
wlansec 3
 security rsn enable
 security rsn ciphers aes enable
 security rsn akm 802.1x enable
 dot1x accounting none
!
14. All APs establish their tunnels to the VAC through its Loopback 0 interface.
VAC
ac-controller
 capwap ctrl-ip 10.3.1.12   # CAPWAP control IP
15. The downstream average rate for wireless users is 1000 KB/s and the burst rate is 1600 KB/s.
VAC
wlan-config 1 BJ_SC_DOT1X_XX
 wlan-based per-user-limit down-streams average-data-rate 800 burst-data-rate 1600
!
wlan-config 2 BJ_BG_WEB_XX
 wlan-based per-user-limit down-streams average-data-rate 800 burst-data-rate 1600
!
wlan-config 3 GZ_SC_DOT1X_XX
 wlan-based per-user-limit down-streams average-data-rate 800 burst-data-rate 1600
!
wlan-config 4 GZ_SC_WEB_XX
 wlan-based per-user-limit down-streams average-data-rate 800 burst-data-rate 1600
!
16. A maximum of 25 associated users per AP.
VAC
ap-config all
 sta-limit 25
!
(IV) Exit network configuration
1. Office terminals in the Beijing integrated service center access the Internet through NAPT on subinterface G 0/0.21 of the exit router R2.
R2
ip access-list extended BG
 10 permit ip 10.1.20.0 0.0.0.255 any
 20 permit ip 10.2.20.0 0.0.0.255 any
!
interface GigabitEthernet 0/0.21
 ip nat outside
!
interface range gigabitEthernet 0/1-2
 ip nat inside
!
ip nat inside source list BG interface GigabitEthernet 0/0.21 overload vrf BG
2. Management terminals in the Shanghai management center LAN access the Internet through NAPT on the exit router R3.
R3
ip access-list extended NAT
 20 permit ip any any
!
interface GigabitEthernet 0/1
 ip nat outside
!
interface GigabitEthernet 0/2
 ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet 0/1 overload
ip nat inside source static 192.1.100.100 13.1.1.3   # translated address of the O&M server
3. Production terminals in the Guangzhou production center LAN access the Internet through NAPT on the exit gateways GW1/GW2.
GW1
specify interface gigabitEthernet 0/0 wan   # change the interface into a WAN interface
write
reload
y
ip access-list extended 120
 10 permit ip 10.4.10.0 0.0.0.255 any
 20 permit ip 10.4.11.0 0.0.0.255 any
 30 permit ip 10.4.20.0 0.0.0.255 any
 40 permit ip 10.4.30.0 0.0.0.255 any
!
interface GigabitEthernet 0/0
 ip nat outside
!
interface GigabitEthernet 0/1.10
 ip nat inside
!
interface GigabitEthernet 0/1.11
 ip nat inside
!
interface GigabitEthernet 0/1.20
 ip nat inside
!
interface GigabitEthernet 0/1.30
 ip nat inside
!
ip nat inside source list 120 interface GigabitEthernet 0/0 overload
no ip nat inside source list 1 pool nat_pool overload
GW2
specify interface gigabitEthernet 0/0 wan   # change the interface into a WAN interface
write
reload
y
ip access-list extended 120
 10 permit ip 10.4.10.0 0.0.0.255 any
 20 permit ip 10.4.11.0 0.0.0.255 any
 30 permit ip 10.4.20.0 0.0.0.255 any
 40 permit ip 10.4.30.0 0.0.0.255 any
!
interface GigabitEthernet 0/0
 ip nat outside
!
interface GigabitEthernet 0/1.10
 ip nat inside
!
interface GigabitEthernet 0/1.11
 ip nat inside
!
interface GigabitEthernet 0/1.20
 ip nat inside
!
interface GigabitEthernet 0/1.30
 ip nat inside
!
ip nat inside source list 120 interface GigabitEthernet 0/0 overload
no ip nat inside source list 1 pool nat_pool overload
4. The Guangzhou production center exit gateways enable VRRP on the LAN side: GW1 is the master for the production-1, AP management and network device management segments with priority 255; GW2 is the master for the production-2 segment with priority 255. Each backs up the other, so that if one device fails, terminal traffic switches seamlessly to the other, achieving gateway redundancy.
GW1
interface GigabitEthernet 0/1.10
 vrrp 10 ip 10.4.10.1
 vrrp 10 priority 254
 vrrp 10 track GigabitEthernet 0/0
 vrrp 10 preempt
!
interface GigabitEthernet 0/1.11
 vrrp 11 ip 10.4.11.1
 vrrp 11 priority 250
 vrrp 11 track GigabitEthernet 0/0
 vrrp 11 preempt
!
interface GigabitEthernet 0/1.20
 vrrp 20 ip 10.4.20.1
 vrrp 20 priority 254
 vrrp 20 track GigabitEthernet 0/0
 vrrp 20 preempt
!
GW2
interface GigabitEthernet 0/1.10
 vrrp 10 ip 10.4.10.1
 vrrp 10 priority 250
 vrrp 10 track GigabitEthernet 0/0
 vrrp 10 preempt
!
interface GigabitEthernet 0/1.11
 vrrp 11 ip 10.4.11.1
 vrrp 11 priority 254
 vrrp 11 track GigabitEthernet 0/0
 vrrp 11 preempt
!
interface GigabitEthernet 0/1.20
 vrrp 20 ip 10.4.20.1
 vrrp 20 priority 250
 vrrp 20 track GigabitEthernet 0/0
 vrrp 20 preempt
!
5.在R3与R2间启用GRE隧道,隧道内承载OSPF协议,使上海管理中心与北京综合服务中心内网连通(访问规则遵循MPLS VPN规划)。
R2
interface Tunnel 0
 tunnel source 12.1.1.2
 tunnel destination 13.1.1.2
 ip vrf forwarding GL
 ip address 172.17.0.2 255.255.255.0
!
router ospf 1 vrf GL
 redistribute bgp metric-type 1 subnets
 network 172.17.0.0 0.0.0.255 area 0
!
router bgp 100
 address-family ipv4 vrf GL
  redistribute ospf 1 match internal external
R3
interface Tunnel 0
 tunnel source 13.1.1.2
 tunnel destination 12.1.1.2
 ip address 172.17.0.3 255.255.255.0
!
router ospf 1
 redistribute ospf 20 metric-type 1 subnets
 network 172.17.0.0 0.0.0.255 area 0
!
router ospf 20
 redistribute ospf 1 metric-type 1 subnets
!
6. Set up L2TP tunnels between GW1/GW2 and R2 that carry OSPF inside the tunnels, so that the Guangzhou production center and the Beijing integrated service center intranets are connected (access rules follow the MPLS VPN plan). The two tunnels back each other up: if one gateway goes down, business traffic is automatically switched to the other L2TP tunnel.
7. The L2TP tunnel authentication username and password are both Test@123, and the L2TP tunnel password is Test@123.
The L2TP user address pool is 172.16.0.1 to 172.16.0.254; the server-side L2TP tunnel interface borrows the address of the local loopback 1 interface.
R2 (LNS server)
vpdn enable                                  # enable the VPDN service
vpdn authorize domain                        # authorize by domain prefix
vpdn domain-delimiter / suffix               # set the domain delimiter
username Test@123/GL password Test@123       # create the VPDN domain user
username Test@123/GL privilege 15
interface Loopback 1
 ip vrf forwarding GL                        # joining the VRF clears the interface IP
!
ip local pool l2tp 172.16.0.1 172.16.0.254   # L2TP address pool
interface Loopback 1
 ip vrf forwarding GL
 ip address 172.16.0.2 255.255.255.0         # set the IP after creating the pool to avoid a pool conflict
!
interface Virtual-Template 1                 # create the virtual template interface
 ppp authentication pap chap                 # enable PAP/CHAP authentication on the interface
 ip unnumbered Loopback 1                    # borrow the Loopback 1 address
 peer default ip address pool l2tp           # bind the L2TP address pool
!
vpdn-group l2tp                              # create the VPDN group
 domain GL vrf GL                            # VPDN VRF domain name
 accept-dialin                               # accept dial-in
  protocol l2tp                              # use the L2TP tunnel protocol
  virtual-template 1                         # bind the virtual template interface
 exit
 l2tp tunnel authentication                  # enable L2TP tunnel authentication
 l2tp tunnel password Test@123               # L2TP tunnel password
 vpn vrf GL                                  # bind the GL VRF
!
GW1 (LAC) client
vpdn enable
l2tp-class LC
 authentication                              # enable L2TP tunnel authentication
 hostname GW1                                # host name
 password Test@123                           # L2TP tunnel authentication password (tunnel password)
!
pseudowire-class PW
 encapsulation l2tpv2                        # use L2TPv2 encapsulation
 protocol l2tpv2 LC                          # use L2TPv2 as the tunnel protocol and bind the l2tp-class
!
interface Virtual-ppp 1                      # virtual PPP interface
 ip address 172.16.0.3 255.255.255.0
 ppp chap hostname Test@123/GL               # L2TP username for CHAP authentication
 ppp chap password Test@123                  # L2TP password for CHAP authentication
 ppp pap sent-username Test@123/GL password Test@123   # L2TP username and password for PAP authentication
 pseudowire 12.1.1.2 12 pw-class PW          # LNS address, using the "PW" pseudowire-class
GW2 (LAC) client
vpdn enable
l2tp-class LC
 authentication
 hostname GW2
 password Test@123
!
pseudowire-class PW
 encapsulation l2tpv2
 protocol l2tpv2 LC
!
interface Virtual-ppp 1
 ip address 172.16.0.4 255.255.255.0
 ppp chap hostname Test@123/GL
 ppp chap password Test@123
 ppp pap sent-username Test@123/GL password Test@123
 pseudowire 12.1.1.2 12 pw-class PW
!
OSPF R2
router ospf 2 vrf GL
 redistribute bgp metric-type 1 subnets
 network 172.16.0.0 0.0.0.255 area 0
!
router bgp 100
 address-family ipv4 vrf GL
  redistribute ospf 2 match internal external
GW1
router ospf 2
 graceful-restart
 network 10.4.10.0 0.0.0.255 area 0
 network 10.4.11.0 0.0.0.255 area 0
 network 10.4.20.0 0.0.0.255 area 0
 network 10.4.30.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.255 area 0
GW2
router ospf 2
 graceful-restart
 network 10.4.10.0 0.0.0.255 area 0
 network 10.4.11.0 0.0.0.255 area 0
 network 10.4.20.0 0.0.0.255 area 0
 network 10.4.30.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.255 area 0
8. IPsec VPN encrypts the data carried inside the GRE and L2TP tunnels. The ISAKMP policy uses 3des as the encryption algorithm, md5 as the hash algorithm, Test@123 as the pre-shared key, and DH group 2. The transform set myset uses esp-des esp-md5-hmac for encryption and authentication. The crypto map is named mymap.
R2
ip access-list extended 120
 10 permit ip 12.1.1.0 0.0.0.3 13.1.1.0 0.0.0.3   # R3 ipsec
 20 permit ip 12.1.1.0 0.0.0.3 host 17.1.1.2      # GW1 ipsec
 30 permit ip 12.1.1.0 0.0.0.3 host 17.1.1.3      # GW2 ipsec
!
crypto isakmp key 0 Test@123 address 13.1.1.2     # R3 peer
crypto isakmp key 0 Test@123 address 17.1.1.2     # GW1 peer
crypto isakmp key 0 Test@123 address 17.1.1.3     # GW2 peer
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 hash md5
 group 2
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
 set peer 13.1.1.2
 set peer 17.1.1.2
 set peer 17.1.1.3
 set transform-set myset
 match address 120
!
interface GigabitEthernet 0/0
 crypto map mymap
R3
ip access-list extended 120
 10 permit ip 13.1.1.0 0.0.0.3 12.1.1.0 0.0.0.3
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 hash md5
 group 2
!
crypto isakmp key 0 Test@123 address 12.1.1.2
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
 set peer 12.1.1.2
 set transform-set myset
 match address 120
!
interface GigabitEthernet 0/1
 crypto map mymap
GW1
ip access-list extended 130
 10 permit ip host 17.1.1.2 12.1.1.0 0.0.0.3
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 hash md5
 group 2
!
crypto isakmp key 0 Test@123 address 12.1.1.2
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
 set peer 12.1.1.2
 set transform-set myset
 match address 130
!
interface GigabitEthernet 0/0
 crypto map mymap
GW2
ip access-list extended 130
 10 permit ip host 17.1.1.3 12.1.1.0 0.0.0.3
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 hash md5
 group 2
!
crypto isakmp key 0 Test@123 address 12.1.1.2
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
 set peer 12.1.1.2
 set transform-set myset
 match address 130
!
interface GigabitEthernet 0/0
 crypto map mymap
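An added check, not part of the answer key: the crypto ACL on each peer must be the exact mirror image of the matching entry on the other side, otherwise IKE phase 2 fails even though the ISAKMP policy matches (the prescribed 3DES/MD5/DES suites are legacy algorithms; this check concerns proxy IDs, not algorithm choice). The ACL strings below are constructed from the R2, R3, GW1 and GW2 entries above, and the helper names are the example's own.

```python
"""Added example, not part of the answer key: verify that each IPsec crypto ACL
above is the exact mirror image of the entry on its peer (proxy-ID check)."""
import ipaddress
import re

# Constructed from the task 8 crypto ACLs on R2, R3, GW1 and GW2 above.
R2_ACL = """ip access-list extended 120
 10 permit ip 12.1.1.0 0.0.0.3 13.1.1.0 0.0.0.3   # R3 ipsec
 20 permit ip 12.1.1.0 0.0.0.3 host 17.1.1.2      # GW1 ipsec
 30 permit ip 12.1.1.0 0.0.0.3 host 17.1.1.3      # GW2 ipsec
"""
R3_ACL = "10 permit ip 13.1.1.0 0.0.0.3 12.1.1.0 0.0.0.3"
GW1_ACL = "10 permit ip host 17.1.1.2 12.1.1.0 0.0.0.3"
GW2_ACL = "10 permit ip host 17.1.1.3 12.1.1.0 0.0.0.3"

def _nets(spec):
    """Turn 'A wildcard B wildcard', 'host X' or 'any' tokens into networks."""
    toks, nets = spec.split(), []
    while toks:
        t = toks.pop(0)
        if t == "host":
            nets.append(ipaddress.ip_network(toks.pop(0) + "/32"))
        elif t == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:  # ipaddress accepts a wildcard (host) mask after the slash
            nets.append(ipaddress.ip_network(f"{t}/{toks.pop(0)}"))
    return nets

def parse_crypto_acl(text):
    """Return the set of (src, dst) network pairs from 'permit ip' entries."""
    flows = set()
    for line in text.splitlines():
        m = re.match(r"(?:\d+\s+)?permit ip (.+?)(?:\s+#.*)?$", line.strip())
        if m:
            src, dst = _nets(m.group(1))
            flows.add((src, dst))
    return flows

def mirror_gaps(local_acl, remote_acls):
    """Local (src, dst) entries whose reverse (dst, src) no remote peer carries."""
    remote = set().union(*(parse_crypto_acl(acl) for acl in remote_acls))
    return {f for f in parse_crypto_acl(local_acl) if (f[1], f[0]) not in remote}
```

Running mirror_gaps for each device against its peers should return an empty set; any entry it returns is a proxy ID the far side will reject.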
9. On egress gateway GW1, configure a blacklist that prevents LAN users from accessing the website www.exam.com through a browser.
GW1
url-class 1
 url www.exam.com