2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Blogger QQ:819594300
Blog address: http://zpf666.blog.51cto.com/
Friends who have any questions can contact the blogger; the blogger will help you answer them. Thank you for your support!
As enterprise informatization deepens, higher requirements are placed on the reliability, security and manageability of network devices and links. Using the topology and configuration of an enterprise network with a headquarters and a branch, this article walks through the mainstream technologies currently used to build small and medium-sized enterprise networks, including gateway backup, link redundancy, routing control, access control and device management.
The case has seven devices: three switches and two routers at the headquarters, one branch router that communicates with the headquarters over a 10M China Telecom private line with a 2M China Unicom private line as backup, and one router that simulates the Internet.
The headquarters has two application network segments: the business segment (the 192 network) and the OA segment (the 172 network), which communicate with the branch's business segment and OA segment respectively.
1. Prerequisite knowledge
1. MSTP
MSTP is defined in the IEEE 802.1s standard and makes up for the shortcomings of STP and RSTP. It not only converges quickly, but also forwards the traffic of different VLANs along their own paths, giving redundant links a better load-sharing mechanism. MSTP has the following characteristics:
1) MSTP divides a switched network into multiple regions; several spanning trees are formed inside each region, and these spanning trees are independent of each other.
2) MSTP associates VLANs with spanning trees through a VLAN-to-instance mapping table. Using the concept of an "instance", several VLANs are bundled into one instance, which saves communication overhead and reduces resource usage.
3) MSTP prunes a looped network into a loop-free tree, avoiding the endless proliferation and circulation of packets in the loop. At the same time it provides multiple redundant paths for data forwarding and achieves load sharing of VLAN data during forwarding.
4) MSTP is compatible with STP and RSTP.
2. VRRP
VRRP groups a set of routers on a LAN into a backup group. The backup group consists of one master router and several backup routers and is functionally equivalent to a single virtual router. A VRRP backup group has the following characteristics.
1) The virtual router has its own IP address, called the virtual address. Hosts on the LAN only need to know the virtual router's IP address and set it as the next hop of their default route; they then communicate with external networks through this virtual router.
2) Based on priority, the routers in the backup group elect a master router to perform the gateway function. The other routers act as backups and take over the gateway role when the master fails, so that hosts on the network keep communicating with external networks without interruption.
3. ACL
Basic ACL: numbered 2000-2999; matches only on the source IP address of the packet.
Advanced ACL: numbered 3000-3999; matches on Layer 3 and Layer 4 information such as source IP address, destination IP address, IP precedence, protocol type and the protocol characteristics carried inside IP.
4. Command reference
1) OSPF configuration
ospf 1
 default-route-advertise always                 (advertise an external default route into the OSPF areas)
 area 1
  network 10.255.23.1 0.0.0.0
  abr-summary 172.17.0.0 255.255.0.0 not-advertise   (summarize the area-1 routes but do not advertise the summary)
interface g0/0
 ospf cost 1000                                  (interface cost; used for path selection)
display ip routing-table protocol ospf           (show the routes learned through OSPF)
2) STP configuration:
stp instance 1 root primary                      (this switch is the root bridge of instance 1)
stp instance 2 root secondary                    (this switch is the backup root bridge of instance 2)
stp region-configuration                         (enter the MST region view; switches in one region must share the same region name, revision level and VLAN mapping)
 region-name H4c                                 (region name)
 revision-level 3                                (revision level, part of the region identity; default 0)
 instance 1 vlan 10                              (map VLAN 10 to instance 1)
 instance 2 vlan 20
 active region-configuration                     (activate the region configuration)
display stp brief                                (show STP status: ROOT = root port, DESI = designated port, ALTE = blocked alternate port)
3) VRRP configuration, using VLAN 10 as an example:
interface vlan 10
 vrrp vrid 1 virtual-ip 172.16.0.254             (virtual IP address of the VRRP group)
 vrrp vrid 1 priority 120                        (VRRP priority)
 vrrp vrid 1 track 2 priority reduced 30          (when the object monitored by track entry 2, here the uplink, goes down, lower the priority by 30)
display vrrp                                     (check the VRRP state)
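The VRRP configuration above (priority 120 plus `track ... priority reduced 30`) only makes sense once you see how the effective priority drives the election. The following Python model is an added example, not code from the article or from any vendor; it assumes preemption is enabled (the default), uses the RFC 3768 tie-break (higher interface IP wins on equal priority), and the real interface addresses 172.16.0.252/253 are constructed, since the page only gives the virtual address 172.16.0.254.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VrrpRouter:
    name: str
    ip: str                        # real interface address in the VLAN, used only as the tie-breaker
    priority: int = 100            # configured priority (default 100)
    # track entry id -> (monitored uplink name, amount subtracted while it is down),
    # modelling 'vrrp vrid 1 track 2 priority reduced 30'
    tracks: dict = field(default_factory=dict)
    links_up: dict = field(default_factory=dict)   # monitored uplink name -> True/False

    def effective_priority(self) -> int:
        prio = self.priority
        for ifname, reduce_by in self.tracks.values():
            if not self.links_up.get(ifname, True):
                prio -= reduce_by
        # priority 0 is reserved for the master's "I am leaving" advertisement, so never go below 1
        return max(prio, 1)


def elect_master(group) -> str:
    """Highest effective priority wins; equal priorities are broken by the higher interface IP."""
    return max(group, key=lambda r: (r.effective_priority(),
                                     int(ipaddress.IPv4Address(r.ip)))).name


def vlan10_scenario(uplink_up: bool) -> dict:
    """VRID 1 on VLAN 10 as in the case: SW1 priority 120 tracking its uplink, SW2 at the default 100."""
    sw1 = VrrpRouter("SW1", "172.16.0.252", priority=120,
                     tracks={2: ("uplink-to-R1", 30)},
                     links_up={"uplink-to-R1": uplink_up})
    sw2 = VrrpRouter("SW2", "172.16.0.253")
    return {
        "master": elect_master([sw1, sw2]),
        "sw1_priority": sw1.effective_priority(),
        "sw2_priority": sw2.effective_priority(),
    }


if __name__ == "__main__":
    print("uplink up  :", vlan10_scenario(True))
    print("uplink down:", vlan10_scenario(False))
```

With the uplink up SW1 keeps 120 and is master; when the tracked uplink fails its priority drops to 90, which is below SW2's 100, so SW2 takes over the virtual gateway 172.16.0.254. The same model mirrored with SW2 at 120 describes VLAN 20. The reduction is an absolute 30, not a percentage, which matters when choosing the value: it must be large enough to drop the master below the backup's priority.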
4) Easy IP configuration:
acl basic 2000                                   (define the ACL)
 rule 0 permit source 172.16.0.0 0.0.0.255       (networks allowed to be translated)
 rule 5 permit source 172.17.0.0 0.0.255.255
interface g0/0
 nat outbound 2000                               (apply Easy IP: translate to the address of the outbound interface)
display nat session verbose                      (show NAT translation entries)
ping -a 172.16.0.10 202.98.192.57                (ping the destination host using 172.16.0.10 as the source address)
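The ACL section above and the Easy IP reference both hinge on the same mechanism: a wildcard mask comparison followed by first-match rule evaluation, and translation only when the matched rule is a permit. The following Python model is an added example (not part of the original article or of any vendor CLI); it assumes config-order matching (rules evaluated by ascending rule id, the VRP default) and uses the ACL 2000 rules from the page plus a constructed advanced ACL 3000. Packets are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    """Constructed sample packet as seen when the ACL is evaluated."""
    src: str
    dst: str
    proto: str = "ip"          # "ip" means any IP protocol; otherwise "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    rule_id: int
    action: str                # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"   # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: Optional[str] = None           # basic ACLs never set a destination
    dst_wild: str = "255.255.255.255"
    proto: str = "ip"
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare addr with base while ignoring every bit that is 1 in the wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, rule.src, rule.src_wild):
        return False
    if rule.dst is not None and not wildcard_match(pkt.dst, rule.dst, rule.dst_wild):
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def acl_lookup(rules, pkt: Packet) -> Optional[str]:
    """First matching rule in ascending rule-id order decides; None when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.action
    return None


def nat_decision(rules, pkt: Packet) -> bool:
    """Easy IP semantics: the packet is translated only if the ACL returns permit;
    a deny or no match at all leaves the packet untranslated."""
    return acl_lookup(rules, pkt) == "permit"


# Basic ACL 2000 from the command reference: source address only.
ACL_2000 = [
    Rule(0, "permit", src="172.16.0.0", src_wild="0.0.0.255"),
    Rule(5, "permit", src="172.17.0.0", src_wild="0.0.255.255"),
]

# Constructed advanced ACL 3000: VLAN 10 may reach TCP/80 anywhere, other TCP from VLAN 10 is denied,
# everything else falls through with no match.
ACL_3000 = [
    Rule(0, "permit", src="172.16.0.0", src_wild="0.0.0.255", proto="tcp", dport=80),
    Rule(5, "deny", src="172.16.0.0", src_wild="0.0.0.255", proto="tcp"),
]

if __name__ == "__main__":
    for src in ("172.16.0.10", "172.17.1.1", "192.168.0.10"):
        print(src, "-> translated" if nat_decision(ACL_2000, Packet(src, "202.98.192.57")) else "-> not translated")
```

Run as a script it prints which constructed sources would be translated by `nat outbound 2000`; note that 192.168.0.10 (the headquarters VLAN 20 host used in the experiment) matches no rule and is therefore never translated, which is exactly the requirement that only VLAN 10 reaches the public network.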
2. Experimental cases
1. Case topology diagram
2. Experimental requirements:
1) Configure IP addresses, VLANs and default routes according to the topology; R4 simulates the route from the external network into the internal network.
2) Advertise the headquarters network in OSPF area 0 and the branch network in OSPF area 1.
3) Configure STP: SW1 is the primary root of instance 0 and instance 1 (VLAN 10) and the backup root of instance 2 (VLAN 20); SW2 is the reverse.
4) Configure VRRP: SW1 is master for VLAN 10 and SW2 is master for VLAN 20, with track monitoring the uplink port.
5) Configure OSPF path selection: all traffic between headquarters and branch uses the Telecom link, the Unicom link serves only as backup, and when the Telecom link fails only VLAN 20 data may use the backup link.
6) Configure Easy IP so that only VLAN 10 can access R4 (the public network).
3. Experimental steps
1) Configure IP addresses, VLANs and default routes according to the topology; R4 simulates the route from the external network into the internal network.
Configure SW1:
SW2:
SW3:
R1:
R2:
R3:
R4:
2) Advertise the headquarters network in OSPF area 0 and the branch network in OSPF area 1.
SW1:
SW2:
SW3:
R1:
R2:
R3:
View the routing table on R1
Then test ping connectivity on R1:
3) Configure STP: SW1 is the primary root of instance 0 and instance 1 (VLAN 10) and the backup root of instance 2 (VLAN 20); SW2 is the reverse.
SW1:
SW2:
SW3:
View MSTP on each of the three switches with the command display stp brief.
Note: a port in ALTE state is blocked in that instance.
If both ports of a device under the same instance show DESI, that device is the root bridge for the instance.
If a port in MAST state appears, the region configuration is inconsistent and more than one region has formed.
4) Configure VRRP: SW1 is master for VLAN 10 and SW2 is master for VLAN 20, with track monitoring the uplink port.
SW1:
SW2:
Run display vrrp (which shows the master and backup devices) on SW1 and SW2 respectively:
5) Configure OSPF path selection: all traffic between headquarters and branch uses the Telecom link, the Unicom link serves only as backup, and when the Telecom link fails only VLAN 20 data may use the backup link.
R3:
Note: there are two next hops to 172.16.0.0/24: 10.255.13.1 (R1) and 10.255.23.1 (R2).
Then execute display ip routing-table protocol ospf to see the OSPF routes.
Execute the following command:
Then run display ip routing-table again: only 10.222.13.1 (Telecom) remains as the next hop to 172.16.0.0/24.
Next, ping 172.16.0.10 (VLAN 10 on SW3) from R3 to confirm connectivity:
Testing from 172.17.1.1 to 172.16.0.10 on R3 (connectivity from the branch's VLAN 10 to the headquarters' VLAN 10) succeeds:
Then test from 192.168.100.1 to 172.16.0.10 on R3 (connectivity from the branch's VLAN 20 to the headquarters' VLAN 10):
R2:
In the figure above, route summarization with not-advertise is configured on R2 so that the 172.17.0.0/16 branch segment is not sent to the headquarters over the Unicom link.
Test: break the link between R3 and R1 (shut down port g0/1 on R3). On R3, ping -a 192.168.100.1 172.16.0.10 succeeds and ping -a 172.17.1.1 172.16.0.10 fails, which is the expected result:
Continue to configure on R3:
In the figure above, the next hop is 10.255.13.1 in every case.
In the previous two screenshots you can see that ping -a 172.16.0.10 202.98.192.57 does not work, and ping -a 192.168.0.10 202.98.192.57 does not work either.
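Step 5 combines two OSPF mechanisms: the interface cost of 1000 on the Unicom link makes the Telecom link win path selection, and the not-advertise summary on R2 keeps the 172.17.0.0/16 branch segment out of the headquarters routing table whenever R2 is the only way in. The Python model below is an added example (not the article's own material) that reproduces the ping results of this step with a Dijkstra computation over a simplified graph. Costs (1 on the Telecom link, 1000 on the Unicom link) and the single "HQ" node standing in for area 0 are assumptions; prefixes and the summary range are taken from the page.

```python
import heapq
import ipaddress

BRANCH_PREFIXES = ["172.17.1.0/24", "192.168.100.0/24"]   # branch VLAN 10 / VLAN 20, area 1 behind R3
SUPPRESSED_ON_R2 = ipaddress.ip_network("172.17.0.0/16")  # abr-summary 172.17.0.0 255.255.0.0 not-advertise on R2


def build_graph(telecom_up: bool = True) -> dict:
    """Constructed topology: HQ = area-0 core, R1 = Telecom side, R2 = Unicom side, R3 = branch."""
    edges = [("HQ", "R1", 1), ("HQ", "R2", 1), ("R3", "R2", 1000)]  # 'ospf cost 1000' on the Unicom link
    if telecom_up:
        edges.append(("R3", "R1", 1))                              # 10M Telecom primary link
    graph: dict = {}
    for a, b, cost in edges:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_path(graph: dict, src: str, dst: str):
    """Plain Dijkstra, which is what OSPF's SPF run does per area; returns the node list or None."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue
        if u == dst:
            break
        for v, cost in graph[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def next_hop_from_r3(telecom_up: bool = True):
    """Next hop R3 installs towards headquarters (R1 = Telecom, R2 = Unicom)."""
    path = shortest_path(build_graph(telecom_up), "R3", "HQ")
    return None if path is None else path[1]


def hq_route_to(graph: dict, prefix: str):
    """Route headquarters holds for a branch prefix: None when the best path enters area 1
    through R2 and the prefix falls inside the summary R2 refuses to advertise."""
    path = shortest_path(graph, "HQ", "R3")
    if path is None:
        return None
    abr = path[1]
    if abr == "R2" and ipaddress.ip_network(prefix).subnet_of(SUPPRESSED_ON_R2):
        return None
    return path


def ping_from_branch(src_ip: str, dst_ip: str, telecom_up: bool = True) -> bool:
    """Models 'ping -a <src_ip> <dst_ip>' on R3: the request needs a forward path and
    the reply needs a headquarters route back to the source prefix."""
    graph = build_graph(telecom_up)
    if shortest_path(graph, "R3", "HQ") is None:
        return False
    src_prefix = next(p for p in BRANCH_PREFIXES
                      if ipaddress.ip_address(src_ip) in ipaddress.ip_network(p))
    return hq_route_to(graph, src_prefix) is not None


if __name__ == "__main__":
    for up in (True, False):
        print("telecom up" if up else "telecom down", "next hop:", next_hop_from_r3(up),
              "| vlan10 ping:", ping_from_branch("172.17.1.1", "172.16.0.10", up),
              "| vlan20 ping:", ping_from_branch("192.168.100.1", "172.16.0.10", up))
```

The forward direction is never the problem in the failure case; what breaks branch VLAN 10 is the missing return route at headquarters, which is why the page's test deliberately sources the pings from 172.17.1.1 and 192.168.100.1 rather than from R3's link address.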
6) Configure Easy IP so that only VLAN 10 can access R4 (the public network).
R1:
Then on SW3, ping -a 192.168.0.10 202.98.192.57 still fails, and ping -a 172.16.0.10 202.98.192.57 does not work either, because the default route has not yet been injected into OSPF on R1.
On R1:
Then execute display ip routing-table protocol ospf on SW3:
Two more default routes to 0.0.0.0 appear in the figure above.
Run ping -a 172.16.0.10 202.98.192.57 on SW3 again.
ping -a 192.168.0.10 202.98.192.57 still does not work:
Execute display nat session verbose on R1 to view the NAT translation entries: