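2026 Guangzhou "Hongmian Jiangcai" "Shuzhi Cup" Vocational Skills Competition, Cloud-Network Intelligent O&M (Information and Communication Network Operations Administrator), Staff Group: Sample Question Walkthrough, Module A

Network Topology

  • Network topology diagram

  • Network device IP address allocation table

Task 1: Basic Configuration

Note:

First, configure each device's hostname, create its VLANs and configure its IP addresses, in that order, using the method below.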

<Huawei>system-view  //Enter the system view
[Huawei]sysname SW1  //Set the hostname
[SW1]undo info-center enable  //Disable the information center (suppresses console messages; it also stops log output)
Info: Information center is disabled.
  • SW3 configuration:
[SW3]vlan batch 10 20 30 40 //Create VLANs 10, 20, 30 and 40
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW3]interface Vlanif 10  //Enter the VLANIF 10 interface
[SW3-Vlanif10]ip address 192.168.10.253 24  //Configure the IP address and mask
[SW3-Vlanif10]quit
[SW3]

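Use display ip interface brief to verify that the IP addresses are configured.
Use display vlan to verify that the VLANs are created.

1. Configure the following according to the "Network device IP address allocation table":

(1) Create the corresponding service VLANs on the switches and add the relevant switch ports to them; all of these ports are Access ports.

  • SW1 configuration:
# Set the downlink port to Access mode and assign it to its VLAN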
[SW1]int GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 10
[SW1-GigabitEthernet0/0/1]quit

# Set the downlink port to Access mode and assign it to its VLAN
[SW1]int GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 20
[SW1-GigabitEthernet0/0/2]quit
  • SW2 configuration:
# Set the downlink port to Access mode and assign it to its VLAN
[SW2]interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access
[SW2-GigabitEthernet0/0/1]port default vlan 30
[SW2-GigabitEthernet0/0/1]quit
  • SW6 configuration:
[SW6]interface GigabitEthernet 0/0/2
[SW6-GigabitEthernet0/0/2]port link-type access
[SW6-GigabitEthernet0/0/2]port default vlan 40
[SW6-GigabitEthernet0/0/2]quit
  • SW7 configuration:
[SW7]interface GigabitEthernet 0/0/2
[SW7-GigabitEthernet0/0/2]port link-type access
[SW7-GigabitEthernet0/0/2]port default vlan 60
[SW7-GigabitEthernet0/0/2]quit

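(2) The interconnect interfaces between switches must provide both Layer 2 and Layer 3 backup.

(3) Configure all switch-to-switch interfaces as Trunk interfaces that allow only the relevant service VLANs and the management VLAN:

  • SW1 configuration:
# Configure both uplink ports as Trunk ports in one step and allow the VLANs through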
[SW1]port-group group-member GigabitEthernet 0/0/3 to GigabitEthernet 0/0/4
[SW1-port-group]port link-type trunk
[SW1-port-group]port trunk allow-pass vlan 10 20 30
[SW1-port-group]quit
  • SW2 configuration:
# Configure both uplink ports as Trunk ports in one step and allow the VLANs through
[SW2]port-group group-member GigabitEthernet 0/0/3 to GigabitEthernet 0/0/4
[SW2-port-group]port link-type trunk
[SW2-port-group]port trunk allow-pass vlan 10 20 30
[SW2-port-group]quit
  • SW3 configuration:
[SW3]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
[SW3-port-group]port link-type trunk
[SW3-port-group]port trunk allow-pass vlan 10 20 30
[SW3-port-group]quit

[SW3]interface GigabitEthernet 0/0/3
[SW3-GigabitEthernet0/0/3]port link-type trunk
[SW3-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 40
[SW3-GigabitEthernet0/0/3]port trunk pvid vlan 40
[SW3-GigabitEthernet0/0/3]quit
  • SW4 configuration:
[SW4]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
[SW4-port-group]port link-type trunk
[SW4-port-group]port trunk allow-pass vlan 10 20 30
[SW4-port-group]quit

[SW4]interface GigabitEthernet 0/0/3
[SW4-GigabitEthernet0/0/3]port link-type trunk
[SW4-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 40
[SW4-GigabitEthernet0/0/3]port trunk pvid vlan 40
[SW4-GigabitEthernet0/0/3]quit
  • SW5 configuration:
[SW5]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
[SW5-port-group]port link-type trunk
[SW5-port-group]port trunk allow-pass vlan 40 50 60
[SW5-port-group]quit
[SW5]interface GigabitEthernet 0/0/4
[SW5-GigabitEthernet0/0/4]port link-type trunk
[SW5-GigabitEthernet0/0/4]port trunk allow-pass vlan 40 50 60 70 100
[SW5-GigabitEthernet0/0/4]port trunk pvid vlan 70
[SW5-GigabitEthernet0/0/4]quit
  • SW6 configuration:
[SW6]interface GigabitEthernet 0/0/1
[SW6-GigabitEthernet0/0/1]port link-type trunk
[SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan 40 50 60
[SW6-GigabitEthernet0/0/1]quit
  • SW7 configuration:
[SW7]interface GigabitEthernet 0/0/1
[SW7-GigabitEthernet0/0/1]port link-type trunk
[SW7-GigabitEthernet0/0/1]port trunk allow-pass vlan 40 50 60
[SW7-GigabitEthernet0/0/1]quit
  • AC1 configuration:
[AC1]int GigabitEthernet 0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 60 100
[AC1-GigabitEthernet0/0/1]quit

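2. On SW3 through SW5, enable the Telnet service. The only remote login account is "2026GZ", its password "GuangZhou2026" is stored as ciphertext, at most 5 users may be logged in to the device over Telnet at the same time, and the user level is 15.

SW3, SW4 and SW5 configuration (identical):

# Enable the Telnet service
[SW3]telnet server enable
[SW3]aaa
# Set the username and password; "cipher" stores the password as ciphertext, as the task requires
[SW3-aaa]local-user 2026GZ password cipher GuangZhou2026
# Allow at most 5 concurrent logins
[SW3-aaa]local-user 2026GZ access-limit 5
# Set the service type to telnet
[SW3-aaa]local-user 2026GZ service-type telnet
# Set the user level (privilege) to 15
[SW3-aaa]local-user 2026GZ privilege level 15
[SW3-aaa]quit
# Configure the VTY lines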
[SW3]user-interface vty 0 4
[SW3-ui-vty0-4]authentication-mode aaa
[SW3-ui-vty0-4]quit

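3. Run MSTP between the switches on the right side to keep the network stable and resolve loops:

(1) Configure MSTP as follows:

MSTP region name: 2026GZ;
Instance 1 maps to VLAN 40;
Instance 2 maps to VLAN 50;
Revision level: 2.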

[SW5]stp mode mstp
[SW5]stp region-configuration
[SW5-mst-region]region-name 2026GZ
[SW5-mst-region]instance 1 vlan 40
[SW5-mst-region]instance 2 vlan 50
[SW5-mst-region]revision-level 2
[SW5-mst-region]active region-configuration
[SW5-mst-region]quit

[SW6]stp mode mstp
[SW6]stp region-configuration
[SW6-mst-region]region-name 2026GZ
[SW6-mst-region]instance 1 vlan 40
[SW6-mst-region]instance 2 vlan 50
[SW6-mst-region]revision-level 2
[SW6-mst-region]active region-configuration
[SW6-mst-region]quit

[SW7]stp mode mstp
[SW7]stp region-configuration
[SW7-mst-region]region-name 2026GZ
[SW7-mst-region]instance 1 vlan 40
[SW7-mst-region]instance 2 vlan 50
[SW7-mst-region]revision-level 2
[SW7-mst-region]active region-configuration
[SW7-mst-region]quit

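(2) Make SW6 the root bridge for instance 1 and the secondary root for instance 2, and SW7 the root bridge for instance 2 and the secondary root for instance 1.

  • Configuration: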
[SW6]stp instance 1 root primary
[SW6]stp instance 2 root secondary

[SW7]stp instance 2 root primary
[SW7]stp instance 1 root secondary
  • Verification:
[SW6]display stp region-configuration 
 Oper configuration
   Format selector    :0             
   Region name        :2026GZ             
   Revision level     :2

   Instance   VLANs Mapped
      0       1 to 39, 41 to 49, 51 to 4094
      1       40
      2       50
[SW6]display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    Ethernet0/0/1               DESI  FORWARDING      NONE
   0    Ethernet0/0/2               DESI  FORWARDING      NONE
   0    GigabitEthernet0/0/1        ROOT  FORWARDING      NONE
   0    GigabitEthernet0/0/2        DESI  FORWARDING      NONE
   1    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
   1    GigabitEthernet0/0/2        DESI  FORWARDING      NONE
   2    GigabitEthernet0/0/1        ROOT  FORWARDING      NONE

[SW7]display stp region-configuration 
 Oper configuration
   Format selector    :0             
   Region name        :2026GZ             
   Revision level     :2

   Instance   VLANs Mapped
      0       1 to 39, 41 to 49, 51 to 4094
      1       40
      2       50
[SW7]display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    Ethernet0/0/1               ALTE  DISCARDING      NONE
   0    Ethernet0/0/2               ALTE  DISCARDING      NONE
   0    GigabitEthernet0/0/1        ROOT  FORWARDING      NONE
   0    GigabitEthernet0/0/2        DESI  FORWARDING      NONE
   1    GigabitEthernet0/0/1        ROOT  FORWARDING      NONE
   2    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
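
MSTP bridges treat each other as members of one region only when the region name, revision level and VLAN-to-instance mapping all match, and the mapping is compared through a digest carried in BPDUs. As an added example (not part of the original walkthrough), this Python sketch computes that digest as IEEE 802.1Q defines it for the mapping configured above; the switch dictionaries and the mistyped SW7 entry are constructed for illustration.

```python
import hashlib
import hmac

# Fixed signature key that IEEE 802.1Q defines for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(instance_vlans):
    """Return the 16-byte digest for a {instance_id: [vlan, ...]} mapping.

    The digest input is a table of 4096 two-octet entries; entry N holds the
    MSTID that VLAN N is mapped to. Entries 0 and 4095 are always zero, and
    any VLAN that is not listed stays in instance 0 (the CIST).
    """
    table = [0] * 4096
    for mstid, vlans in instance_vlans.items():
        if not 1 <= mstid <= 4094:
            raise ValueError(f"invalid MSTID {mstid}")
        for vlan in vlans:
            if not 1 <= vlan <= 4094:
                raise ValueError(f"invalid VLAN {vlan}")
            if table[vlan] not in (0, mstid):
                raise ValueError(f"VLAN {vlan} mapped to two instances")
            table[vlan] = mstid
    data = b"".join(mstid.to_bytes(2, "big") for mstid in table)
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).digest()


def same_region(a, b):
    """Two bridges share a region only if name, revision and digest all match."""
    key_a = (a["name"], a["revision"], mst_config_digest(a["instances"]))
    key_b = (b["name"], b["revision"], mst_config_digest(b["instances"]))
    return key_a == key_b


# Region settings from the task: name 2026GZ, revision 2,
# instance 1 -> VLAN 40, instance 2 -> VLAN 50.
SW5 = {"name": "2026GZ", "revision": 2, "instances": {1: [40], 2: [50]}}
SW6 = {"name": "2026GZ", "revision": 2, "instances": {1: [40], 2: [50]}}
# Constructed mistake: VLAN 50 was never mapped to instance 2 on this switch.
SW7_TYPO = {"name": "2026GZ", "revision": 2, "instances": {1: [40], 2: []}}

if __name__ == "__main__":
    print("digest:", mst_config_digest(SW5["instances"]).hex())
    print("SW5/SW6 same region:", same_region(SW5, SW6))
    print("SW5/SW7 (typo) same region:", same_region(SW5, SW7_TYPO))
```

A switch whose digest differs is treated as being in another region, which is why the same four region-configuration commands are repeated verbatim on SW5, SW6 and SW7.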

4. Configure link aggregation between SW6 and SW7 in LACP mode, with load balancing based on the destination MAC address.

  • Configuration:
[SW6]interface Eth-Trunk 1
[SW6-Eth-Trunk1]mode lacp-static
[SW6-Eth-Trunk1]trunkport Ethernet 0/0/1 0/0/2
[SW6-Eth-Trunk1]load-balance dst-mac
[SW6-Eth-Trunk1]port link-type trunk
[SW6-Eth-Trunk1]port trunk allow-pass vlan 40 50 60
[SW6-Eth-Trunk1]quit

[SW7]interface Eth-Trunk 1
[SW7-Eth-Trunk1]mode lacp-static
[SW7-Eth-Trunk1]trunkport Ethernet 0/0/1 0/0/2
[SW7-Eth-Trunk1]load-balance dst-mac
[SW7-Eth-Trunk1]port link-type trunk
[SW7-Eth-Trunk1]port trunk allow-pass vlan 40 50 60
[SW7-Eth-Trunk1]quit
  • Verification:
[SW6]display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1                   WorkingMode: STATIC                               
Preempt Delay: Disabled     Hash arithmetic: According to DA                  
System Priority: 32768      System ID: 4c1f-ccab-41d9                         
Least Active-linknumber: 1  Max Active-linknumber: 8                          
Operate status: up          Number Of Up Port In Trunk: 2                     
--------------------------------------------------------------------------------
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
Ethernet0/0/1          Selected 100M     32768   2      289     10111100  1     
Ethernet0/0/2          Selected 100M     32768   3      289     10111100  1     

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
Ethernet0/0/1          32768    4c1f-ccc5-106b  32768   2      289     10111100
Ethernet0/0/2          32768    4c1f-ccc5-106b  32768   3      289     10111100

[SW7]display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1                   WorkingMode: STATIC                               
Preempt Delay: Disabled     Hash arithmetic: According to DA                  
System Priority: 32768      System ID: 4c1f-ccc5-106b                         
Least Active-linknumber: 1  Max Active-linknumber: 8                          
Operate status: up          Number Of Up Port In Trunk: 2                     
--------------------------------------------------------------------------------
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
Ethernet0/0/1          Selected 100M     32768   2      289     10111100  1     
Ethernet0/0/2          Selected 100M     32768   3      289     10111100  1     

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
Ethernet0/0/1          32768    4c1f-ccab-41d9  32768   2      289     10111100
Ethernet0/0/2          32768    4c1f-ccab-41d9  32768   3      289     10111100

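Task 2: Wired Network Configuration

To ensure that hosts inside the company can reach the network, complete host connectivity according to the requirements below, together with the related routing tables and neighbor configuration. All configuration must persist after a reboot.

1. To protect against a single point of gateway failure, configure VRRP on SW3 and SW4:

(1) The virtual IP is the last usable address of the subnet, and the VRID equals the VLAN ID;

(2) Set the Master and Backup priorities to differ from the default by 20; make SW3 the root bridge for PC1 and PC2, and SW4 the root bridge for PC3;

(3) Track the uplink; if the uplink fails, reduce the priority by 50;

(4) Set the VRRP preemption delay to 15;

  • Configuration:
# SW3 configuration:
[SW3]interface Vlanif 10
# Configure the virtual IP
[SW3-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
# The default priority is 100; SW3 is the root bridge for PC1 (VLAN 10), so set 120 (higher is preferred)
[SW3-Vlanif10]vrrp vrid 10 priority 120
# Track the uplink and reduce the priority by 50 if it fails
[SW3-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/3 reduced 50
# Preemption delay of 15
[SW3-Vlanif10]vrrp vrid 10 preempt-mode timer delay 15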
[SW3-Vlanif10]quit

[SW3]interface Vlanif 20
[SW3-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW3-Vlanif20]vrrp vrid 20 priority 120
[SW3-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/3 reduced 50
[SW3-Vlanif20]vrrp vrid 20 preempt-mode timer delay 15
[SW3-Vlanif20]quit

[SW3]interface Vlanif 30
[SW3-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW3-Vlanif30]vrrp vrid 30 priority 80
[SW3-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/3 reduced 50
[SW3-Vlanif30]vrrp vrid 30 preempt-mode timer delay 15
[SW3-Vlanif30]quit

[SW3]interface Vlanif 40
[SW3-Vlanif40]vrrp vrid 40 virtual-ip 10.1.1.254
[SW3-Vlanif40]vrrp vrid 40 priority 120
[SW3-Vlanif40]vrrp vrid 40 track interface GigabitEthernet 0/0/3 reduced 50
[SW3-Vlanif40]vrrp vrid 40 preempt-mode timer delay 15
[SW3-Vlanif40]quit

# SW4 configuration:
[SW4]interface Vlanif 10
[SW4-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW4-Vlanif10]vrrp vrid 10 priority 80
[SW4-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/3 reduced 50
[SW4-Vlanif10]vrrp vrid 10 preempt-mode timer delay 15
[SW4-Vlanif10]quit

[SW4]interface Vlanif 20
[SW4-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW4-Vlanif20]vrrp vrid 20 priority 80
[SW4-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/3 reduced 50
[SW4-Vlanif20]vrrp vrid 20 preempt-mode timer delay 15
[SW4-Vlanif20]quit

[SW4]interface Vlanif 30
[SW4-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW4-Vlanif30]vrrp vrid 30 priority 120
[SW4-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/3 reduced 50
[SW4-Vlanif30]vrrp vrid 30 preempt-mode timer delay 15
[SW4-Vlanif30]quit

[SW4]interface Vlanif 40
[SW4-Vlanif40]vrrp vrid 40 virtual-ip 10.2.1.254
[SW4-Vlanif40]vrrp vrid 40 priority 80
[SW4-Vlanif40]vrrp vrid 40 track interface GigabitEthernet 0/0/3 reduced 50
[SW4-Vlanif40]vrrp vrid 40 preempt-mode timer delay 15
[SW4-Vlanif40]quit
  • Verification:

Use display vrrp brief and display vrrp to verify.

[SW3]display vrrp brief 
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
10    Master       Vlanif10                 Normal   192.168.10.254 
20    Master       Vlanif20                 Normal   192.168.20.254 
30    Backup       Vlanif30                 Normal   192.168.30.254 
40    Master       Vlanif40                 Normal   10.1.1.254     
----------------------------------------------------------------
Total:4     Master:3     Backup:1     Non-active:0

[SW4]display vrrp brief 
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
10    Backup       Vlanif10                 Normal   192.168.10.254 
20    Backup       Vlanif20                 Normal   192.168.20.254 
30    Master       Vlanif30                 Normal   192.168.30.254 
40    Master       Vlanif40                 Normal   10.2.1.254     
----------------------------------------------------------------
Total:4     Master:2     Backup:2     Non-active:0 
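
Why a reduction of 50 is enough with priorities of 120 and 80, as an added example that is not part of the original walkthrough: the Python model below takes the priorities and Vlanif addresses from the SW3/SW4 configuration above and computes the Master for each uplink state once preemption has settled. The function names and the priority floor of 1 are assumptions of this sketch.

```python
from ipaddress import IPv4Address

# (configured priority, Vlanif address) per switch, as configured on this page.
GROUPS = {
    10: {"SW3": (120, "192.168.10.253"), "SW4": (80, "192.168.10.252")},
    20: {"SW3": (120, "192.168.20.253"), "SW4": (80, "192.168.20.252")},
    30: {"SW3": (80, "192.168.30.253"), "SW4": (120, "192.168.30.252")},
}
TRACK_REDUCE = 50  # "track interface GigabitEthernet 0/0/3 reduced 50"


def effective_priority(configured, uplink_up, reduce=TRACK_REDUCE):
    """Priority a switch advertises once interface tracking is applied."""
    if uplink_up:
        return configured
    return max(configured - reduce, 1)  # assumed floor: never below 1


def elect(vrid, uplinks, reduce=TRACK_REDUCE):
    """Return (master, {switch: priority}) after preemption has settled.

    uplinks maps switch name -> True when its tracked uplink is up. The
    highest priority wins; equal priorities fall back to the higher
    interface IP address.
    """
    prios = {sw: effective_priority(prio, uplinks[sw], reduce)
             for sw, (prio, _ip) in GROUPS[vrid].items()}
    master = max(
        prios,
        key=lambda sw: (prios[sw], IPv4Address(GROUPS[vrid][sw][1])),
    )
    return master, prios


def min_reduce_for_failover(vrid):
    """Smallest 'reduced' value that puts the Backup strictly above a Master
    whose uplink has failed."""
    high, low = sorted((p for p, _ip in GROUPS[vrid].values()), reverse=True)
    return high - low + 1


if __name__ == "__main__":
    states = [(True, True), (False, True), (True, False), (False, False)]
    for vrid in GROUPS:
        for sw3_up, sw4_up in states:
            master, prios = elect(vrid, {"SW3": sw3_up, "SW4": sw4_up})
            print(f"VRID {vrid} SW3 uplink={sw3_up} SW4 uplink={sw4_up} "
                  f"-> {master} {prios}")
```

Because the Master and Backup sit 40 apart (120 and 80), any reduction of 40 or less would leave traffic pinned to a gateway whose uplink is down.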

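2. Configure a DHCP server on SW5 so that PC4 obtains its IP address automatically:

(1) Use the 172.16.1.0 subnet for VLAN 40; name the address pool vlan + VLAN ID, for example "vlan10";

(2) Exclude the addresses 172.16.1.100-200 in this subnet from allocation;

(3) Change the lease to 12 hours;

(4) Configure the relevant devices so that the service VLAN can obtain IP addresses:

  • Configuration: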
[SW5]dhcp enable
[SW5]ip pool vlan40
[SW5-ip-pool-vlan40]network 172.16.1.0 mask 24
[SW5-ip-pool-vlan40]gateway-list 172.16.1.254
[SW5-ip-pool-vlan40]excluded-ip-address 172.16.1.100 172.16.1.200
[SW5-ip-pool-vlan40]lease day 0 hour 12 minute 0
[SW5-ip-pool-vlan40]quit
[SW5]interface Vlanif 40
[SW5-Vlanif40]dhcp select global
[SW5-Vlanif40]quit
  • Verification:

[SW5]display ip pool name vlan40 used 
  Pool-name      : vlan40
  Pool-No        : 0
  Lease          : 0 Days 12 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : -               
  NBNS-server0   : -               
  Netbios-type   : -               
  Position       : Local           Status           : Unlocked
  Gateway-0      : 172.16.1.254    
  Mask           : 255.255.255.0
  VPN instance   : --
 -----------------------------------------------------------------------------
         Start           End     Total  Used  Idle(Expired)  Conflict  Disable
 -----------------------------------------------------------------------------
      172.16.1.1    172.16.1.254   253     1        151(0)         0      101
 -----------------------------------------------------------------------------

  Network section : 
  --------------------------------------------------------------------------
  Index              IP               MAC      Lease   Status  
  --------------------------------------------------------------------------
    252    172.16.1.253    5489-9884-7efa        186   Used       
  --------------------------------------------------------------------------

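3. Run OSPF on R1, SW3 and SW4 on the left side:

(1) The router-id is the loopback interface IP, the process ID is 10 and the area is 0.0.0.0;

(2) Advertise exact network segments;

(3) To make the area more secure, enable area authentication with the plaintext key "md123456".

  • Configuration: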
[R1]ospf 10 router-id 1.1.1.1
[R1-ospf-10]area 0
[R1-ospf-10-area-0.0.0.0]network 20.1.1.2 0.0.0.0
[R1-ospf-10-area-0.0.0.0]network 10.1.1.2 0.0.0.0
[R1-ospf-10-area-0.0.0.0]network 10.2.1.2 0.0.0.0
[R1-ospf-10-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[R1-ospf-10-area-0.0.0.0]network 192.168.1.1 0.0.0.0
[R1-ospf-10-area-0.0.0.0]authentication-mode simple plain md123456
[R1-ospf-10-area-0.0.0.0]quit
[R1-ospf-10]quit

[SW3]ospf 10 router-id 4.4.4.4
[SW3-ospf-10]area 0
[SW3-ospf-10-area-0.0.0.0]network 4.4.4.4 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]network 192.168.10.253 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]network 192.168.20.253 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]network 192.168.30.253 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]network 10.1.1.1 0.0.0.0
[SW3-ospf-10-area-0.0.0.0]authentication-mode simple plain md123456
[SW3-ospf-10-area-0.0.0.0]quit
[SW3-ospf-10]quit

[SW4]ospf 10 router-id 5.5.5.5
[SW4-ospf-10]area 0
[SW4-ospf-10-area-0.0.0.0]network 5.5.5.5 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]network 192.168.10.252 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]network 192.168.20.252 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]network 192.168.30.252 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]network 10.2.1.1 0.0.0.0
[SW4-ospf-10-area-0.0.0.0]authentication-mode simple plain md123456
[SW4-ospf-10-area-0.0.0.0]quit
[SW4-ospf-10]quit
  • Verification:
display ospf brief
display ospf peer brief
display ospf nexthop
display ip routing-table protocol ospf

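4. Run OSPF on R3, FW1 and SW5 on the right side:

(1) The router-id is the loopback interface IP, the process ID is 10 and the area is 0.0.0.0;

(2) Advertise exact network segments;

(3) To make the area more secure, enable area authentication with the plaintext key "md123456".

  • Configuration: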
[R3]ospf 10 router-id 3.3.3.3
[R3-ospf-10]area 0
[R3-ospf-10-area-0.0.0.0]network 40.1.1.2 0.0.0.0
[R3-ospf-10-area-0.0.0.0]network 30.1.1.2 0.0.0.0
[R3-ospf-10-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[R3-ospf-10-area-0.0.0.0]network 192.168.1.2 0.0.0.0    
[R3-ospf-10-area-0.0.0.0]authentication-mode simple plain md123456
[R3-ospf-10-area-0.0.0.0]quit
[R3-ospf-10]quit

[FW1]ospf 10 router-id 6.6.6.6  
[FW1-ospf-10]area 0
[FW1-ospf-10-area-0.0.0.0]network 40.1.1.1 0.0.0.0
[FW1-ospf-10-area-0.0.0.0]network 40.2.1.1 0.0.0.0
[FW1-ospf-10-area-0.0.0.0]network 6.6.6.6 0.0.0.0
[FW1-ospf-10-area-0.0.0.0]authentication-mode simple plain md123456
[FW1-ospf-10-area-0.0.0.0]quit
[FW1-ospf-10]quit

[SW5]ospf 10 router-id 7.7.7.7
[SW5-ospf-10]area 0
[SW5-ospf-10-area-0.0.0.0]network 7.7.7.7 0.0.0.0
[SW5-ospf-10-area-0.0.0.0]network 172.16.1.254 0.0.0.0
[SW5-ospf-10-area-0.0.0.0]network 172.16.10.254 0.0.0.0
[SW5-ospf-10-area-0.0.0.0]network 172.16.60.254 0.0.0.0
[SW5-ospf-10-area-0.0.0.0]network 40.2.1.2 0.0.0.0
[SW5-ospf-10-area-0.0.0.0]network 172.16.100.254 0.0.0.0
[SW5-ospf-10-area-0.0.0.0]authentication-mode simple plain md123456
[SW5-ospf-10-area-0.0.0.0]quit
[SW5-ospf-10]quit

Finally, configure R2 and FW1:

[R2]ospf 10 router-id 2.2.2.2
[R2-ospf-10]area 0
[R2-ospf-10-area-0.0.0.0]network 20.1.1.1 0.0.0.0
[R2-ospf-10-area-0.0.0.0]network 30.1.1.1 0.0.0.0
[R2-ospf-10-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[R2-ospf-10-area-0.0.0.0]authentication-mode simple plain md123456
[R2-ospf-10-area-0.0.0.0]quit
[R2-ospf-10]quit

[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 0/0/1
[FW1-zone-trust]add interface GigabitEthernet 0/0/3
[FW1-zone-trust]quit
  • Verification:

Ping PC4 from PC1.

display ospf brief
display ospf peer brief
display ospf nexthop
display ip routing-table protocol ospf

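5. Build an IPSec over GRE VPN between R1 and R3 to protect data traffic:

(1) Establish GRE over the physical interfaces, and require the Tunnel interface to detect topology changes in real time: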

[R1]interface Tunnel 0/0/0
[R1-Tunnel0/0/0]tunnel-protocol gre
[R1-Tunnel0/0/0]source 20.1.1.2
[R1-Tunnel0/0/0]destination 30.1.1.2
[R1-Tunnel0/0/0]quit

[R1]bfd
[R1-bfd]quit
[R1]bfd 1 bind peer-ip 30.1.1.2 source-ip 20.1.1.2 auto
[R1-bfd-session-1]quit

[R3]int Tunnel 0/0/0
[R3-Tunnel0/0/0]tunnel-protocol gre
[R3-Tunnel0/0/0]source 30.1.1.2
[R3-Tunnel0/0/0]destination 20.1.1.2
[R3-Tunnel0/0/0]quit

[R3]bfd
[R3-bfd]quit
[R3]bfd 1 bind peer-ip 20.1.1.2 source-ip 30.1.1.2 auto
[R3-bfd-session-1]quit

(2) The IPSec proposal is named gz1 and uses ESP as the security protocol, "sha2-256" as the authentication algorithm and "aes-128" as the encryption algorithm:

[R1]ipsec proposal gz1
[R1-ipsec-proposal-gz1]esp authentication-algorithm sha2-256
[R1-ipsec-proposal-gz1]esp encryption-algorithm aes-128
[R1-ipsec-proposal-gz1]quit

[R3]ipsec proposal gz1
[R3-ipsec-proposal-gz1]esp authentication-algorithm sha2-256
[R3-ipsec-proposal-gz1]esp encryption-algorithm aes-128
[R3-ipsec-proposal-gz1]quit

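(3) The IPSec tunnel is negotiated automatically by IKE, with identities verified by a pre-shared key. The IKE proposal is "5", with "md5" as the authentication algorithm, "aes-cbc-128" as the encryption algorithm and group14; the IKE peer is "2026GZ" with V2 support disabled; the plaintext pre-shared key is "2026GZ123456"; the IPSec profile is GuangZhou.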

[R1]ike proposal 5
[R1-ike-proposal-5]authentication-algorithm md5
[R1-ike-proposal-5]encryption-algorithm aes-cbc-128
[R1-ike-proposal-5]dh group14
[R1-ike-proposal-5]quit
[R1]ike peer 2026GZ v1
[R1-ike-peer-2026GZ]ike-proposal 5
[R1-ike-peer-2026GZ]pre-shared-key simple 2026GZ123456
[R1-ike-peer-2026GZ]quit
[R1]ipsec profile GuangZhou
[R1-ipsec-profile-GuangZhou]proposal gz1    
[R1-ipsec-profile-GuangZhou]ike-peer 2026GZ
[R1-ipsec-profile-GuangZhou]quit

[R3]ike proposal 5
[R3-ike-proposal-5]authentication-algorithm md5
[R3-ike-proposal-5]encryption-algorithm aes-cbc-128
[R3-ike-proposal-5]dh group14
[R3-ike-proposal-5]quit
[R3]ike peer 2026GZ v1
[R3-ike-peer-2026GZ]ike-proposal 5
[R3-ike-peer-2026GZ]pre-shared-key simple 2026GZ123456
[R3-ike-peer-2026GZ]quit
[R3]ipsec profile GuangZhou
[R3-ipsec-profile-GuangZhou]proposal gz1
[R3-ipsec-profile-GuangZhou]ike-peer 2026GZ
[R3-ipsec-profile-GuangZhou]quit

(4) Apply it on the relevant interfaces.

[R1]interface Tunnel 0/0/1
[R1-Tunnel0/0/1]ip address 192.168.2.1 24   
[R1-Tunnel0/0/1]tunnel-protocol ipsec   
[R1-Tunnel0/0/1]source Tunnel 0/0/0 
[R1-Tunnel0/0/1]destination 192.168.1.2
[R1-Tunnel0/0/1]ipsec profile GuangZhou
[R1-Tunnel0/0/1]quit
[R1]ospf 10 router-id 1.1.1.1
[R1-ospf-10]area 0
[R1-ospf-10-area-0.0.0.0]network 192.168.2.1 0.0.0.0
[R1-ospf-10-area-0.0.0.0]quit
[R1-ospf-10]quit

[R3]interface Tunnel 0/0/1
[R3-Tunnel0/0/1]ip address 192.168.2.2 24   
[R3-Tunnel0/0/1]tunnel-protocol ipsec
[R3-Tunnel0/0/1]source Tunnel 0/0/0
[R3-Tunnel0/0/1]destination 192.168.1.1
[R3-Tunnel0/0/1]ipsec profile GuangZhou
[R3-Tunnel0/0/1]quit
[R3]ospf 10 router-id 3.3.3.3
[R3-ospf-10]area 0
[R3-ospf-10-area-0.0.0.0]network 192.168.2.2 0.0.0.0
[R3-ospf-10-area-0.0.0.0]quit
[R3-ospf-10]quit
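
The task statements in this walkthrough mandate Telnet management, OSPF simple authentication, an MD5 IKE proposal, IKEv1 only and plaintext keys; outside the exam those lines are what a configuration review would flag. As an added example (not part of the original walkthrough), this Python sketch scans session transcripts in the bracket-prompt format used on this page; the rule names and the sample transcript are constructed for illustration.

```python
import re

# (rule id, view pattern, command pattern, finding). The view is the prompt
# suffix after the device name, e.g. "ike-proposal-5" in "[R1-ike-proposal-5]".
RULES = [
    ("TELNET", r"^$", r"^telnet server enable\b",
     "management plane reachable over cleartext Telnet"),
    ("TELNET_USER", r"^aaa$", r"^local-user \S+ service-type .*\btelnet\b",
     "local account permitted to log in over Telnet"),
    ("PASSWORD_SIMPLE", r"^aaa$", r"^local-user \S+ password simple\b",
     "local password stored in plaintext"),
    ("OSPF_SIMPLE_AUTH", r"^ospf-\d+-area-", r"^authentication-mode simple\b",
     "OSPF simple authentication carries the key unencrypted in each packet"),
    ("IKE_MD5", r"^ike-proposal-", r"^authentication-algorithm md5\b",
     "IKE proposal authenticates with MD5"),
    ("IKE_V1_ONLY", r"^$", r"^ike peer \S+ v1\b",
     "IKE peer restricted to IKEv1"),
    ("PSK_SIMPLE", r"^ike-peer-", r"^pre-shared-key simple\b",
     "pre-shared key stored in plaintext"),
]
PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<view>[^\]]+))?\](?P<cmd>.+)$")


def audit(transcript):
    """Return sorted (device, rule id) pairs found in a VRP session transcript."""
    findings = set()
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # display output, "#" comments and blank lines
        view = m.group("view") or ""
        cmd = " ".join(m.group("cmd").split())  # collapse repeated spaces
        for rule_id, view_re, cmd_re, _finding in RULES:
            if re.search(view_re, view) and re.search(cmd_re, cmd, re.I):
                findings.add((m.group("dev"), rule_id))
    return sorted(findings)


def describe(rule_id):
    """Human-readable finding text for a rule id."""
    return next(text for rid, _v, _c, text in RULES if rid == rule_id)


# Constructed sample: command lines in the style of this page, plus one line
# of display output and one ESP line that must not be flagged.
SAMPLE = """\
[SW3]telnet server enable
[SW3]aaa
[SW3-aaa]local-user 2026GZ service-type telnet
[R1-ospf-10-area-0.0.0.0]authentication-mode simple plain md123456
[R1-ipsec-proposal-gz1]esp authentication-algorithm sha2-256
[R1-ike-proposal-5]authentication-algorithm md5
[R1]ike peer 2026GZ v1
[R1-ike-peer-2026GZ]pre-shared-key simple 2026GZ123456
Info: Information center is disabled.
"""

if __name__ == "__main__":
    for dev, rule_id in audit(SAMPLE):
        print(f"{dev}: {rule_id}: {describe(rule_id)}")
```

Scoping each rule to its view is what keeps the ESP proposal's sha2-256 line from being confused with the IKE proposal's md5 line.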

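6. Use BGP to establish a routing connection between R1 and R3.

(1) Configure the EBGP peers, using the Tunnel interface addresses:

[R1]bgp 65001
[R1-bgp]router-id 1.1.1.1
# as-number is the remote peer's AS: R3 is in AS 65002
[R1-bgp]peer 192.168.1.2 as-number 65002
[R1-bgp]quit

[R3]bgp 65002
[R3-bgp]router-id 3.3.3.3
# as-number is the remote peer's AS: R1 is in AS 65001
[R3-bgp]peer 192.168.1.1 as-number 65001
[R3-bgp]quit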

(2) Import the OSPF routes into BGP on R1 and R3:

[R1]bgp 65001
[R1-bgp]import-route ospf 10

[R3]bgp 65002
[R3-bgp]import-route ospf 10

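Task 3: Wireless Network Configuration

To give the company's wireless devices network access, configure the wireless network service.

1. Set up a wireless LAN on the right side so that devices can reach the Internet over wireless access:

(1) Name the DHCP address pools after the VLAN number; the pool that assigns IP addresses to users connected to the AP is named ap;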

[AC1]ip pool vlan50
[AC1-ip-pool-vlan50]network 172.16.10.0 mask 24
[AC1-ip-pool-vlan50]gateway-list 172.16.10.254
[AC1-ip-pool-vlan50]quit
[AC1]ip pool ap
[AC1-ip-pool-ap]network 172.16.60.0 mask 24
[AC1-ip-pool-ap]gateway-list 172.16.60.254
[AC1-ip-pool-ap]quit

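(2) All APs come online using MAC address authentication; name AP1 GZ2026 and use the loopback to establish the CAPWAP connection.

(3) AP onboarding, registration and data forwarding are all sent and received through the VLAN:

(4) Create the security profile "sec-gz" with the WPA/WPA2 security policy and the password "md123456";

(5) Create the SSID profile named ssid-gz with the SSID name GZ2026;

(6) Create the VAP profile named vap-gz, using VLAN 60, and publish the AP on the 2.5G band;

(7) Radio calibration: set calibration to automatic with an interval of 60 minutes; create an RRM profile named rrm-gz and configure the band-steering parameters, with a start threshold of 90 access users and a 5G user ratio threshold of 80%; create the radio profiles 2g-gz and 58-g2 and apply them on all radios.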