项目背景
为了确保资源共享、办公自动化和节省人力成本,公司E申请两条专线将深圳总部和广州、北京两家分公司网络连接起来。公司原来运行OSFP路由协议,现打算迁移到IS-IS路由协议,张同学正在该公司实习,为了提高实际工作的准确性和工作效率,项目经理安排他在实验室环境下完成测试,为设备上线运行奠定坚实的基础。张同学用1台路由器模拟ISP的网络,总部通过静态默认路由实现到ISP的连接。分公司和总部内部网络通过三层交换机实现VLAN间路由,总部和分公司运行IS-IS路由协议实现网络互联
实验拓扑
项目目标
前期准备
- VLAN部署:在总部和分公司相应交换机上完成VLAN相关配置,包括VLAN创建和端口划分、Trunk配置等。在交换机S1和S2之间链路配置链路聚合
- MSTP部署:在交换机S1、S2和S3上配置MSTP,通过实例1(VLAN12和VLAN13)和实例2(VLAN14和VLAN15)选举不同的根桥实现负载分担。交换机S1是实例1的根桥(优先级为4096),是实例2的次根桥(优先级为8192);交换机S2是实例1的次根桥(优先级为8192),是实例2的根桥(优先级为4096)
- IP地址部署:在总部和分公司设备上完成IP地址配置,包括配置路由器接口的IP地址、三层交换机创建VLANIF并配置IP地址以及配置计算机和服务器的IP地址、子网掩码和网关
- VRRP部署:总部核心交换机S1和S2配置VRRP,为各个VLAN主机提供冗余网关。通过配置使得交换机S1作为VLAN12和VLAN13的Master,交换机S2作为VLAN14和VLAN15的Master。确保每个VLAN的VRRP的Master和MSTP的根一致
- NAT部署:配置NAT,使得总部和分公司的主机可以通过路由器SZ访问Internet
项目核心(ISIS)
- 配置IS-IS功能:创建IS-IS进程,配置开销类型、配置NET、动态主机名、激活运行IS-IS进程的路由器接口等。广州网络划分到IS-IS区域40.0002,北京网络划分到IS-IS区域49.0003,深圳总部网络到分公司的两条链路上修改IS-IS电路类型为Level-2。为了减少向局域网发送不必要的IS-IS更新,将分公司交换机适当接口配置为静默接口
- 配置IS-IS验证:为了提高网络安全性,在深圳总部到分公司的两条链路上,配置IS-IS接口MD5验证。在深圳总部的IS-IS区域49.0001配置区域MD5验证
- 配置IS-IS路由聚合:在三地边界路由器上分别配置路由聚合,以便减少路由表大小,提高路由表找效率
- 配置IS-IS 默认路由注入:在深圳总部路由器上配置只想ISP的静态默认路由,并向IS-IS网络注入默认路由
- 控制DIS选举:控制路由器SZ成为连接三层交换机S1和S2的相应网段的DIS
- 调整IS-IS计时器:在深圳和北京连接的链路上,将接口发送Hello报文周期改为5秒,邻居保持时间为Hello报文的发送间隔时间的4倍
| 设备 | VLAN ID | IP地址段 | VLAN接口地址 |
| S1 | VLAN 2 | 10.2.2.0/30 | 10.2.2.2/30 |
| VLAN 12 | 10.1.12.0/24 | 10.1.12.252/24 | |
| VLAN 13 | 10.1.13.0/24 | 10.1.13.252/24 | |
| VLAN 14 | 10.1.14.0/24 | 10.1.14.252/24 | |
| VLAN 15 | 10.1.15.0/24 | 10.1.15.252/24 | |
| S2 | VLAN 3 | 10.2.3.0/30 | 10.2.3.2/30 |
| VLAN 12 | 10.1.12.0/24 | 10.1.12.253/24 | |
| VLAN 13 | 10.1.13.0/24 | 10.1.13.253/24 | |
| VLAN 14 | 10.1.14.0/24 | 10.1.14.253/24 | |
| VLAN 15 | 10.1.15.0/24 | 10.1.15.253/24 | |
| S3 | VLAN 12 | 10.1.12.0/24 | 10.1.12.254/24 |
| VLAN 13 | 10.1.13.0/24 | 10.1.13.254/24 | |
| VLAN 14 | 10.1.14.0/24 | 10.1.14.254/24 | |
| VLAN 15 | 10.1.15.0/24 | 10.1.15.254/24 | |
| S5 | VLAN 22 | 172.16.8.0/24 | 172.16.8.254/24 |
| VLAN 33 | 172.16.9.0/24 | 172.16.9.254/24 | |
| VLAN 44 | 172.16.10.0/24 | 172.16.10.254/24 | |
| VLAN 55 | 172.16.11.0/24 | 172.16.11.254/24 | |
| VLAN 66 | 172.16.6.0/30 | 172.16.6.2/30 | |
| S6 | VLAN 223 | 192.168.2.0/24 | 192.168.2.254/24 |
| VLAN 333 | 192.168.3.0/24 | 192.168.3.254/24 | |
| VLAN 666 | 192.168.6.0/30 | 192.168.6.2/30 |
| 设备 | 接口 | 接口类型 | VLAN | 链路聚合 | 对端设备及接口 |
| S1 | G0/0/1 | Access | VLAN 2 | SZ G0/0/2 | |
| G0/0/2 | Trunk | S3 G0/0/2 | |||
| G0/0/10 | Trunk | 是 | S2 G0/0/10 | ||
| G0/0/11 | Trunk | 是 | S2 G0/0/11 | ||
| S2 | G0/0/1 | Access | VLAN 3 | SZ G0/0/2 | |
| G0/0/2 | Trunk | S3 G0/0/2 | |||
| G0/0/10 | Trunk | 是 | S2 G0/0/10 | ||
| G0/0/11 | Trunk | 是 | S2 G0/0/11 | ||
| S3 | Ethernet0/0/1 | Access | VLAN 12 | PC1 | |
| Ethernet0/0/2 | Access | VLAN 13 | PC9 | ||
| Ethernet0/0/3 | Access | VLAN 14 | PC10 | ||
| Ethernet0/0/4 | Access | VLAN 15 | Server1 | ||
| G0/0/1 | Trunk | S2 G0/0/2 | |||
| G0/0/2 | Trunk | S1 G0/0/2 | |||
| S5 | G0/0/1 | Access | VLAN 66 | GZ G0/0/1 | |
| G0/0/2 | Access | VLAN 22 | PC2 | ||
| G0/0/3 | Access | VLAN 33 | PC3 | ||
| G0/0/4 | Access | VLAN 44 | PC7 | ||
| G0/0/5 | Access | VLAN 55 | PC8 | ||
| S6 | G0/0/1 | Access | VLAN 666 | BJ G0/0/0 | |
| G0/0/2 | Access | VLAN 222 | PC4 | ||
| G0/0/3 | Access | VLAN 333 | PC5 | ||
| SZ | G0/0/0 | GZ G0/0/0 | |||
| G0/0/1 | BJ G0/0/1 | ||||
| G0/0/2 | S1 G0/0/1 | ||||
| G4/0/1 | S2 G0/0/1 | ||||
| G4/0/0 | LSP G0/0/1 | ||||
| GZ | G0/0/0 | SZ G0/0/0 | |||
| G0/0/1 | S5 G0/0/1 | ||||
| BJ | G0/0/0 | S6 G0/0/0 | |||
| G0/0/1 | SZ G0/0/1 | ||||
| LSP | G0/0/0 | SZ G4/0/0 | |||
| LoopBack0 |
| 设备 | 接口 | IP地址 | 备注 |
| SZ | G0/0/0 | 172.16.12.2/30 | |
| G0/0/1 | 192.168.12.1/30 | ||
| G0/0/2 | 10.2.2.1/30 | ||
| G4/0/1 | 10.2.3.1/30 | ||
| G4/0/0 | 218.18.12.1/30 | ||
| GZ | G0/0/0 | 172.16.12.1/30 | |
| G0/0/1 | 172.16.6.2/30 | ||
| BJ | G0/0/0 | 192.168.6.1/30 | |
| G0/0/1 | 192.168.12.2/30 | ||
| LSP | G0/0/1 | 218.18.12.2/30 | |
| LoopBack0 | 8.8.8.8/24 | 模拟Internet上主机 | |
| PC1 | 10.1.12.100/24 | 网关:10.1.12.254 | |
| PC2 | 172.16.8.100/24 | 网关:172.16.8.254 | |
| PC3 | 172.16.9.100/24 | 网关:172.16.9.254 | |
| PC4 | 192.168.2.100/24 | 网关:192.168.2.254 | |
| PC5 | 192.168.3.100/24 | 网关:192.168.3.254 | |
| PC7 | 172.16.10.100/24 | 网关:172.16.10.254 | |
| PC8 | 172.16.11.100/24 | 网关:172.16.11.254 | |
| PC9 | 10.1.13.100/24 | 网关:10.1.13.254 | |
| PC10 | 10.1.14.100/24 | 网关:10.1.14.254 | |
| Server1 | 10.1.15.100/24 | 网关:10.1.15.254 |
别问为什么PC机的序号是乱的,因为我是乱放的。。。
呃呃呃,上面的跟OSPF的那篇博客的内容,除了核心那一部分外,其他都一样,因为懒人就是这样啦
项目步骤
准备工作
(1)配置VLAN
在总部和分公司相应交换机上完成VLAN相关配置,包括VLAN创建和端口划分、Trunk配置。在交换机S1和S2之间链路配置链路聚合
S1配置
[S1]vlan batch 2 12 to 15
[S1]interface Eth-Trunk1
[S1-Eth-Trunk1]port link-type trunk
[S1-Eth-Trunk1]port trunk allow-pass vlan 2 to 4094
# 设置负载均衡策略为源MAC和目的MAC
[S1-Eth-Trunk1]load-balance src-dst-mac
[S1-Eth-Trunk1]quit[S1]interface GigabitEthernet0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 2
[S1-GigabitEthernet0/0/1]quit[S1]interface GigabitEthernet0/0/2
[S1-GigabitEthernet0/0/2]port link-type trunk
[S1-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 to 4094
[S1-GigabitEthernet0/0/2]quit# 将G0/0/10和G0/0/11接口加入链路聚合组1
[S1]interface GigabitEthernet0/0/10
[S1-GigabitEthernet0/0/10]eth-trunk 1
[S1-GigabitEthernet0/0/10]quit[S1]interface GigabitEthernet0/0/11
[S1-GigabitEthernet0/0/11]eth-trunk 1
[S1-GigabitEthernet0/0/11]quit
S2配置
[S2]vlan batch 2 to 3 12 to 15
[S2]interface Eth-Trunk1
[S2-Eth-Trunk1]port link-type trunk
[S2-Eth-Trunk1]port trunk allow-pass vlan 2 to 4094
[S2-Eth-Trunk1]load-balance src-dst-mac
[S2-Eth-Trunk1]quit[S2]interface GigabitEthernet0/0/1
[S2-GigabitEthernet0/0/1]port link-type access
[S2-GigabitEthernet0/0/1]port default vlan 3
[S2-GigabitEthernet0/0/1]quit[S2]interface GigabitEthernet0/0/2
[S2-GigabitEthernet0/0/2]port link-type trunk
[S2-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 to 4094
[S2-GigabitEthernet0/0/2]quit# 将G0/0/10和G0/0/11加入链路聚合组1
[S2]interface GigabitEthernet0/0/10
[S2-GigabitEthernet0/0/10]eth-trunk 1
[S2-GigabitEthernet0/0/10]quit[S2]interface GigabitEthernet0/0/11
[S2-GigabitEthernet0/0/11]eth-trunk 1
[S2-GigabitEthernet0/0/11]quit
S3配置
其实这里的S3交换机就是二层(傻瓜)交换机
[S3]vlan batch 12 to 15
[S3]interface Ethernet0/0/1
[S3-Ethernet0/0/1]port link-type access
[S3-Ethernet0/0/1]port default vlan 12
[S3-Ethernet0/0/1]quit[S3]interface Ethernet0/0/2
[S3-Ethernet0/0/2]port link-type access
[S3-Ethernet0/0/2]port default vlan 13
[S3-Ethernet0/0/2]quit[S3]interface Ethernet0/0/3
[S3-Ethernet0/0/3]port link-type access
[S3-Ethernet0/0/3]port default vlan 14
[S3-Ethernet0/0/3]quit[S3]interface Ethernet0/0/4
[S3-Ethernet0/0/4]port link-type access
[S3-Ethernet0/0/4]port default vlan 15
[S3-Ethernet0/0/4]quit[S3]interface GigabitEthernet0/0/1
[S3-GigabitEthernet0/0/1]port link-type trunk
[S3-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 to 4094
[S3-GigabitEthernet0/0/1]quit
[S3]interface GigabitEthernet0/0/2
[S3-GigabitEthernet0/0/2]port link-type trunk
[S3-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 to 4094
[S3-GigabitEthernet0/0/2]quit
S5配置
[S5]vlan batch 22 33 44 55 66
[S5]interface GigabitEthernet0/0/1
[S5-GigabitEthernet0/0/1]port link-type access
[S5-GigabitEthernet0/0/1]port default vlan 66
[S5-GigabitEthernet0/0/1]quit[S5]interface GigabitEthernet0/0/2
[S5-GigabitEthernet0/0/2]port link-type access
[S5-GigabitEthernet0/0/2]port default vlan 22
[S5-GigabitEthernet0/0/2]quit[S5]interface GigabitEthernet0/0/3
[S5-GigabitEthernet0/0/3]port link-type access
[S5-GigabitEthernet0/0/3]port default vlan 33
[S5-GigabitEthernet0/0/3]quit[S5]interface GigabitEthernet0/0/4
[S5-GigabitEthernet0/0/4]port link-type access
[S5-GigabitEthernet0/0/4]port default vlan 44
[S5-GigabitEthernet0/0/4]quit[S5]interface GigabitEthernet0/0/5
[S5-GigabitEthernet0/0/5]port link-type access
[S5-GigabitEthernet0/0/5]port default vlan 55
[S5-GigabitEthernet0/0/5]quit
S6配置
[S6]vlan batch 222 333 666
[S6]interface GigabitEthernet0/0/1
[S6-GigabitEthernet0/0/1]port link-type access
[S6-GigabitEthernet0/0/1]port default vlan 666
[S6-GigabitEthernet0/0/1]quit[S6]interface GigabitEthernet0/0/2
[S6-GigabitEthernet0/0/2]port link-type access
[S6-GigabitEthernet0/0/2]port default vlan 222
[S6-GigabitEthernet0/0/2]quit[S6]interface GigabitEthernet0/0/3
[S6-GigabitEthernet0/0/3]port link-type access
[S6-GigabitEthernet0/0/3]port default vlan 333
[S6-GigabitEthernet0/0/3]quit
验证
可以用以下三个命令验证是否配置好
# 验证VLAN配置
[S1]display vlan # 验证Eth-Trunk配置
[S1]display eth-trunk 1# 验证Trunk配置
[S1]display port vlan (2)配置MSTP
在交换机S1、S2和S3上配置MSTP,通过实例1(VLAN12和VLAN13)和实例2(VLAN14和VLAN15)选举不同的根桥实现负载分担。交换机S1是实例1的根桥(优先级为4096),是实例2的次根桥(优先级为8192);交换机S2是实例1的次根桥(优先级为8192),是实例2的根桥(优先级为4096)
S1配置
# 配置实例优先级
[S1]stp instance 1 priority 4096
[S1]stp instance 2 priority 8192
# 进入STP区域配置模式
[S1]stp region-configuration# 设置MSTP区域名称为HQ
[S1-mst-region]region-name HQ# 将VLAN 12和13分配到实例1
[S1-mst-region]instance 1 vlan 12 to 13# 将VLAN 14和15分配到实例2
[S1-mst-region]instance 2 vlan 14 to 15# 激活MSTP区域配置
[S1-mst-region]active region-configuration
[S1-mst-region]quitS2配置
# 配置实例优先级
[S2]stp instance 1 priority 8192
[S2]stp instance 2 priority 4096# 进入STP区域配置模式
[S2]stp region-configuration# 设置MSTP区域名称为HQ
[S2-mst-region]region-name HQ# 将VLAN 12和13分配到实例1
[S2-mst-region]instance 1 vlan 12 to 13# 将VLAN 14和15分配到实例2
[S2-mst-region]instance 2 vlan 14 to 15# 激活MSTP区域配置
[S2-mst-region]active region-configuration
[S2-mst-region]quitS3配置
[S3]stp region-configuration
[S3-mst-region]region-name HQ
[S3-mst-region]instance 1 vlan 12 to 13
[S3-mst-region]instance 2 vlan 14 to 15
[S3-mst-region]active region-configuration
[S3-mst-region]验证
[S1]display stp brief MSTID Port Role STP State Protection0 GigabitEthernet0/0/1 DESI FORWARDING NONE0 GigabitEthernet0/0/2 DESI FORWARDING NONE0 Eth-Trunk1 ROOT FORWARDING NONE1 GigabitEthernet0/0/2 DESI FORWARDING NONE1 Eth-Trunk1 DESI FORWARDING NONE2 GigabitEthernet0/0/2 DESI FORWARDING NONE2 Eth-Trunk1 ROOT FORWARDING NONE
(3)配置IP地址
在总部和分公司设备上完成IP地址配置,包括配置路由器接口的IP地址、三层交换机创建VLANIF并配置IP地址以及配置计算机和服务器的IP地址、子网掩码和网关
SZ配置
[SZ]interface GigabitEthernet0/0/0
[SZ-GigabitEthernet0/0/0]ip address 172.16.12.2 255.255.255.252
[SZ-GigabitEthernet0/0/0]quit[SZ]interface GigabitEthernet0/0/1
[SZ-GigabitEthernet0/0/1]ip address 192.168.12.1 255.255.255.252
[SZ-GigabitEthernet0/0/1]quit[SZ]interface GigabitEthernet0/0/2
[SZ-GigabitEthernet0/0/2]ip address 10.2.2.1 255.255.255.252
[SZ-GigabitEthernet0/0/2]quit[SZ]interface GigabitEthernet4/0/1
[SZ-GigabitEthernet1/0/0]ip address 10.2.3.1 255.255.255.252
[SZ-GigabitEthernet1/0/0]quit[SZ]interface GigabitEthernet4/0/0
[SZ-GigabitEthernet2/0/0]ip address 218.18.12.1 255.255.255.252
[SZ-GigabitEthernet2/0/0]quitGZ配置
[GZ]interface GigabitEthernet0/0/0
[GZ-GigabitEthernet0/0/0]ip address 172.16.12.1 255.255.255.252
[GZ-GigabitEthernet0/0/0]quit[GZ]interface GigabitEthernet0/0/1
[GZ-GigabitEthernet0/0/1]ip address 172.16.6.2 255.255.255.252
[GZ-GigabitEthernet0/0/1]quit
BJ配置
[BJ]interface GigabitEthernet0/0/0
[BJ-GigabitEthernet0/0/0]ip address 192.168.6.1 255.255.255.252
[BJ-GigabitEthernet0/0/0]quit[BJ]interface GigabitEthernet0/0/1
[BJ-GigabitEthernet0/0/1]ip address 192.168.12.2 255.255.255.252
[BJ-GigabitEthernet0/0/1]quit
LSP配置
[ISP]interface GigabitEthernet0/0/0
[ISP-GigabitEthernet0/0/0]ip address 218.18.12.2 255.255.255.252
[ISP-GigabitEthernet0/0/0]quit# 配置环回地址
[ISP]interface LoopBack0
[ISP-LoopBack0]ip address 8.8.8.8 255.255.255.0
[ISP-LoopBack0]quit
S1配置
[S1]interface Vlanif2
[S1-Vlanif2]ip address 10.2.2.2 255.255.255.252
[S1-Vlanif2]quit[S1]interface Vlanif12
[S1-Vlanif12]ip address 10.1.12.252 255.255.255.0
[S1-Vlanif12]quit[S1]interface Vlanif13
[S1-Vlanif13]ip address 10.1.13.252 255.255.255.0
[S1-Vlanif13]quit[S1]interface Vlanif14
[S1-Vlanif14]ip address 10.1.14.252 255.255.255.0
[S1-Vlanif14]quit[S1]interface Vlanif15
[S1-Vlanif15]ip address 10.1.15.252 255.255.255.0
[S1-Vlanif15]quit
S2配置
[S2]interface Vlanif3
[S2-Vlanif3]ip address 10.2.3.2 255.255.255.252
[S2-Vlanif3]quit[S2]interface Vlanif12
[S2-Vlanif12]ip address 10.1.12.253 255.255.255.0
[S2-Vlanif12]quit[S2]interface Vlanif13
[S2-Vlanif13]ip address 10.1.13.253 255.255.255.0
[S2-Vlanif13]quit[S2]interface Vlanif14
[S2-Vlanif14]ip address 10.1.14.253 255.255.255.0
[S2-Vlanif14]quit[S2]interface Vlanif15
[S2-Vlanif15]ip address 10.1.15.253 255.255.255.0
[S2-Vlanif15]quit
S5配置
[S5]interface Vlanif22
[S5-Vlanif2]ip address 172.16.8.254 255.255.255.0
[S5-Vlanif2]quit[S5]interface Vlanif33
[S5-Vlanif3]ip address 172.16.9.254 255.255.255.0
[S5-Vlanif3]quit[S5]interface Vlanif44
[S5-Vlanif4]ip address 172.16.10.254 255.255.255.0
[S5-Vlanif4]quit[S5]interface Vlanif55
[S5-Vlanif5]ip address 172.16.11.254 255.255.255.0
[S5-Vlanif5]quit[S5]interface Vlanif66
[S5-Vlanif6]ip address 172.16.6.1 255.255.255.252
[S5-Vlanif6]quit
S6配置
[S6]interface Vlanif222
[S6-Vlanif2]ip address 192.168.2.254 255.255.255.0
[S6-Vlanif2]quit[S6]interface Vlanif333
[S6-Vlanif3]ip address 192.168.3.254 255.255.255.0
[S6-Vlanif3]quit[S6]interface Vlanif666
[S6-Vlanif6]ip address 192.168.6.2 255.255.255.252
[S6-Vlanif6]quit
以PC1为例,配置IP地址、掩码、网关
验证
(4)配置VRRP
总部核心交换机S1和S2配置VRRP,为各个VLAN主机提供冗余网关。通过配置使得交换机S1作为VLAN12和VLAN13的Master,交换机S2作为VLAN14和VLAN15的Master。确保每个VLAN的VRRP的Master和MSTP的根一致
S1配置
# 配置VLAN 12接口的VRRP组
[S1]interface Vlanif12
[S1-Vlanif12]vrrp vrid 12 virtual-ip 10.1.12.254
[S1-Vlanif12]vrrp vrid 12 priority 120
[S1-Vlanif12]quit# 配置VLAN 13接口的VRRP组
[S1]interface Vlanif13
[S1-Vlanif13]vrrp vrid 13 virtual-ip 10.1.13.254
[S1-Vlanif13]vrrp vrid 13 priority 120
[S1-Vlanif13]quit# 配置VLAN 14接口的VRRP组
[S1]interface Vlanif14
[S1-Vlanif14]vrrp vrid 14 virtual-ip 10.1.14.254
[S1-Vlanif14]quit# 配置VLAN 15接口的VRRP组
[S1]interface Vlanif15
[S1-Vlanif15]vrrp vrid 15 virtual-ip 10.1.15.254
[S1-Vlanif15]quitS2配置
[S2]interface Vlanif12
[S2-Vlanif12]vrrp vrid 12 virtual-ip 10.1.12.254
[S2-Vlanif12]quit[S2]interface Vlanif13
[S2-Vlanif13]vrrp vrid 13 virtual-ip 10.1.13.254
[S2-Vlanif13]quit[S2]interface Vlanif14
[S2-Vlanif14]vrrp vrid 14 virtual-ip 10.1.14.254
[S2-Vlanif14]vrrp vrid 14 priority 120
[S2-Vlanif14]quit[S2]interface Vlanif15
[S2-Vlanif15]vrrp vrid 15 virtual-ip 10.1.15.254
[S2-Vlanif15]vrrp vrid 15 priority 120
[S2-Vlanif15]quit
验证
(5)配置NAT
配置NAT使得总部和分公司的主机可以通过路由器SZ访问Internet
SZ配置
[SZ]acl number 2000
[SZ-acl-basic-2000]rule 10 permit source 192.168.2.0 0.0.1.255
[SZ-acl-basic-2000]rule 20 permit source 172.16.8.0 0.0.3.255
[SZ-acl-basic-2000]rule 30 permit source 10.1.12.0 0.0.3.255
[SZ-acl-basic-2000]quit
[SZ]interface GigabitEthernet4/0/0
[SZ-GigabitEthernet4/0/0]nat outbound 2000
[SZ-GigabitEthernet4/0/0]quit
项目核心(IS-IS)
(1)配置IS-IS基本功能
核心项目主要是完成IS-IS部署,针对IS-IS部署任务对项目整体拓扑进行简化,只保留运行IS-IS的设备,如图:
3台路由器和4台交换机配置基本IS-IS进程、配置开销类型、配置NET、动态主机名、激活运行IS-IS的路由器接口等,修改S1、S2、S5、S6的IS-IS路由器类型为Level-1。在深圳总部到分公司的两条链路上修改IS-IS电路类型为Level-2。将分公司交换机适当接口配置为静默接口
SZ配置
[SZ]isis 1
[SZ-isis-1]cost-style wide # 设置成本样式为 "wide",允许使用更宽范围的度量值
[SZ-isis-1]network-entity 49.0001.1111.1111.1111.00
[SZ-isis-1]is-name SZ
[SZ-isis-1]q[SZ]interface GigabitEthernet 0/0/0
[SZ-GigabitEthernet0/0/0]isis enable 1
[SZ-GigabitEthernet0/0/0]isis circuit-level level-2
[SZ-GigabitEthernet0/0/0]q[SZ]interface GigabitEthernet 0/0/1
[SZ-GigabitEthernet0/0/1]isis enable 1
[SZ-GigabitEthernet0/0/1]isis circuit-level level-2
[SZ-GigabitEthernet0/0/1]q[SZ]interface GigabitEthernet 0/0/2
[SZ-GigabitEthernet0/0/2]isis enable 1
[SZ-GigabitEthernet0/0/2]isis circuit-level level-1
[SZ-GigabitEthernet0/0/2]q[SZ]interface GigabitEthernet 4/0/1
[SZ-GigabitEthernet4/0/1]isis enable 1
[SZ-GigabitEthernet4/0/1]isis circuit-level level-1
[SZ-GigabitEthernet4/0/1]q
[SZ]GZ配置
[GZ]isis 1
[GZ-isis-1]cost-style wide
[GZ-isis-1]network-entity 49.0002.2222.2222.2222.00
[GZ-isis-1]is-name GZ
[GZ-isis-1]q[GZ]interface GigabitEthernet 0/0/0
[GZ-GigabitEthernet0/0/0]isis enable 1
[GZ-GigabitEthernet0/0/0]isis circuit-level level-2
[GZ-GigabitEthernet0/0/0]q[GZ]interface GigabitEthernet 0/0/1
[GZ-GigabitEthernet0/0/1]isis enable 1
[GZ-GigabitEthernet0/0/1]isis circuit-level level-1
[GZ-GigabitEthernet0/0/1]q
[GZ]BJ配置
[BJ]isis 1
[BJ-isis-1]cost-style wide
[BJ-isis-1]network-entity 49.0003.3333.3333.3333.00
[BJ-isis-1]is-name BJ
[BJ-isis-1]q[BJ]interface GigabitEthernet 0/0/0
[BJ-GigabitEthernet0/0/0]isis enable 1
[BJ-GigabitEthernet0/0/0]isis circuit-level level-1
[BJ-GigabitEthernet0/0/0]q[BJ]interface GigabitEthernet 0/0/1
[BJ-GigabitEthernet0/0/1]isis enable 1
[BJ-GigabitEthernet0/0/1]isis circuit-level level-2
[BJ-GigabitEthernet0/0/1]q
[BJ]qS1配置
[S1]isis 1
[S1-isis-1]is-level level-1
[S1-isis-1]cost-style wide
[S1-isis-1]network-entity 49.0001.4444.4444.4444.00
[S1-isis-1]is-name S1
[S1-isis-1]q[S1]interface Vlanif 2
[S1-Vlanif2]isis enable 1
[S1-Vlanif2]q
[S1]interface Vlanif 12
[S1-Vlanif12]isis enable 1
[S1-Vlanif12]q
[S1]interface Vlanif 13
[S1-Vlanif13]isis enable 1
[S1-Vlanif13]q
[S1]interface Vlanif 14
[S1-Vlanif14]isis enable 1
[S1-Vlanif14]q
[S1]interface Vlanif 15
[S1-Vlanif15]isis enable 1
[S1-Vlanif15]q
[S1]qS2配置
[S2]isis 1
[S2-isis-1]is-level level-1
[S2-isis-1]cost-style wide
[S2-isis-1]network-entity 49.0001.5555.5555.5555.00
[S2-isis-1]is-name S2
[S2-isis-1]q[S2]interface Vlanif 3
[S2-Vlanif3]isis enable 1
[S2-Vlanif3]q
[S2]interface Vlanif 12
[S2-Vlanif12]isis enable 1
[S2-Vlanif12]q
[S2]interface Vlanif 13
[S2-Vlanif13]isis enable 1
[S2-Vlanif13]q
[S2]interface Vlanif 14
[S2-Vlanif14]isis enable 1
[S2-Vlanif14]q
[S2]interface Vlanif 15
[S2-Vlanif15]isis enable 1
[S2-Vlanif15]q
[S2]qS5配置
[S5]isis 1
[S5-isis-1]is-level level-1
[S5-isis-1]cost-style wide
[S5-isis-1]network-entity 49.0002.6666.6666.6666.00
[S5-isis-1]is-name S5
[S5-isis-1]q[S5]interface Vlanif 22
[S5-Vlanif22]isis enable 1
[S5-Vlanif22]isis silent # 静默模式
[S5-Vlanif22]q
[S5]interface Vlanif 33
[S5-Vlanif33]isis enable 1
[S5-Vlanif33]isis silent
[S5-Vlanif33]q
[S5]interface Vlanif 44
[S5-Vlanif44]isis enable 1
[S5-Vlanif44]isis silent
[S5-Vlanif44]q
[S5]interface Vlanif 55
[S5-Vlanif55]isis enable 1
[S5-Vlanif55]isis silent
[S5-Vlanif55]q
[S5]interface Vlanif 66
[S5-Vlanif66]isis enable 1
[S5-Vlanif66]q
[S5]qS6配置
[S6]isis 1
[S6-isis-1]is-level level-1
[S6-isis-1]cost-style wide
[S6-isis-1]network-entity 49.0003.7777.7777.7777.00
[S6-isis-1]is-name S6
[S6-isis-1]q[S6]interface Vlanif 222
[S6-Vlanif222]isis enable
[S6-Vlanif222]isis silent
[S6-Vlanif222]q
[S6]interface Vlanif 333
[S6-Vlanif333]isis enable 1
[S6-Vlanif333]isis silent
[S6-Vlanif333]q
[S6]interface Vlanif 666
[S6-Vlanif666]isis enable 1
[S6-Vlanif666]q
[S6]q(2)配置IS-IS验证
为了安全性,在深圳总部到分公司的两条链路中,配置IS-IS接口MD5验证。在深圳总部的IS-IS区域49.0001配置区域MD5验证
在深圳总部到分公司的两条链路中,配置IS-IS接口MD5验证
[SZ]interface GigabitEthernet 0/0/0
[SZ-GigabitEthernet0/0/0]isis authentication-mode md5 cipher 123456
[SZ-GigabitEthernet0/0/0]q
[SZ]interface GigabitEthernet 0/0/1
[SZ-GigabitEthernet0/0/1]isis authentication-mode md5 cipher 123456
[SZ-GigabitEthernet0/0/1]q[GZ]interface GigabitEthernet 0/0/0
[GZ-GigabitEthernet0/0/0]isis authentication-mode md5 cipher 123456
[GZ-GigabitEthernet0/0/0]q[BJ]interface GigabitEthernet 0/0/1
[BJ-GigabitEthernet0/0/1]isis authentication-mode md5 cipher 123456
[BJ-GigabitEthernet0/0/1]q
在深圳总部的IS-IS区域49.0001配置区域MD5验证
[SZ]isis 1
[SZ-isis-1]area-authentication-mode md5 cipher 123456
[SZ-isis-1]q[S1]isis 1
[S1-isis-1]area-authentication-mode md5 123456
[S1-isis-1]q[S2]isis 1
[S2-isis-1]area-authentication-mode md5 123456
[S2-isis-1]q(3)配置IS-IS路由聚合
配置IS-IS路由聚合,在深圳、广州和北京三地边界路由器上分别配置路由聚合,减少路由表大小
[SZ]isis 1
[SZ-isis-1]summary10.1.12.0 255.255.252.0 avoid-feedback generate_null0_route[GZ]isis 1
[GZ-isis-1]summary 172.16.8.0 255.255.252.0 avoid-feedback generate_null0_route[BJ]isis 1
[BJ-isis-1]summary 192.168.2.0 255.255.254.0 avoid-feedback generate_null0_route
(4)配置IS-IS默认路由注入
在深证路由器上配置指向ISP的静态默认路由,并指向IS-IS网络注入默认路由
[SZ]ip route-static 0.0.0.0 0.0.0.0 218.18.12.2
[SZ]isis 1
[SZ-isis-1]default-route-advertise always cost 20 tag 1111
[SZ-isis-1]q
[SZ](5)控制IS-IS DIS选举
控制路由器SZ成功连接三层交换机S1和S2的相应网段的DIS.交换机S1和S2成为Level-1路由器,只需要更改Level-1的优先级
[SZ]interface GigabitEthernet 0/0/2
[SZ-GigabitEthernet0/0/2]isis dis-priority 96 level-1
[SZ-GigabitEthernet0/0/2]q
[SZ]interface GigabitEthernet 4/0/1
[SZ-GigabitEthernet4/0/1]isis dis-priority 96 level-1
[SZ-GigabitEthernet4/0/1]q
[SZ](6)调整IS-IS接口计时器
在路由器SZ和BJ之间链路上调整IS-IS计时参数,将接口发送Hello报文周期改为5秒,邻居保存时间为Hello报文的发送间隔时间的4倍
[SZ]interface GigabitEthernet 0/0/1
[SZ-GigabitEthernet0/0/1]isis timer hello 5 level-2
[SZ-GigabitEthernet0/0/1]isi timer holding-multiplier 4 level-2
[SZ-GigabitEthernet0/0/1]q
[SZ][BJ]interface GigabitEthernet 0/0/1
[BJ-GigabitEthernet0/0/1]isis timer hello 5 level-2
[BJ-GigabitEthernet0/0/1]isis timer holding-multiplier 4 level-2
[BJ-GigabitEthernet0/0/1]q
[BJ]配置暂时就是这样
验证(以SZ为例)
查看IS-IS邻居信息
<SZ>display isis peer
查看IS-IS邻居的详细信息
<SZ>display isis peer interface GigabitEthernet 0/0/2 verbose
查看IS-IS接口的摘要信息
<SZ>display isis interface
查看IS-IS接口的摘要信息
<SZ>display isis interface GigabitEthernet 0/0/1 verbose
查看IS-IS的LSDB信息
<SZ>display isis lsdb
查看IS-IS LSDB LSP信息
<SZ>display isis lsdb 3333.3333.3333.00-00 verbose 
ok,搞到这里,我就完了。
实验包
配置集成ISIS实现企业网络互联
https://www.alipan.com/s/k8vDypR3Juw
