HCIP (Comprehensive Lab 2)
1. Lab topology diagram
2. Lab requirements
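1. Assign VLANs and IP addresses according to the material provided: PC1/PC2 belong to Production Department 1 and are placed in VLAN 10; PC3 belongs to Production Department 2 and is placed in VLAN 20.
2. Switches HJ-1 and HJ-2 must be configured with link aggregation to meet the high-bandwidth needs of service traffic.
3. VLANs are permitted on links following the minimal VLAN pass-through principle.
4. Configure MSTP to resolve layer-2 loops and, to split service traffic, make HJ-1 the primary root with HJ-2 as backup for Production Department 1 traffic (VLAN 10), and HJ-2 the primary root with HJ-1 as backup for Production Department 2 traffic (VLAN 20).
5. The spanning tree must be configured with edge ports, with BPDU protection and BPDU filtering enabled, to safeguard user experience.
6. Configure Virtual Router Redundancy Protocol (VRRP) for gateway redundancy and more reliable service deployment: HJ-1 is the master gateway for VLAN 10 and HJ-2 is the master gateway for VLAN 20, each backing up the other.
7. The VRRP master gateway must be configured with uplink monitoring (tracking the physical interface directly) so that services are not interrupted when the uplink network fails, with a preemption delay of 15s to cope with network flapping.
8. Configure single-area OSPF for Internet access.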
3. VLAN and IP address plan
Device | VLAN | IP subnet | Gateway | Remarks |
---|---|---|---|---|
PC1 | 10 | 192.168.10.0/24 | 192.168.10.254 | Physical gateways: HJ-1 192.168.10.1, HJ-2 192.168.10.2 |
PC2 | 10 | 192.168.10.0/24 | 192.168.10.254 | Physical gateways: HJ-1 192.168.10.1, HJ-2 192.168.10.2 |
PC3 | 20 | 192.168.20.0/24 | 192.168.20.254 | Physical gateways: HJ-1 192.168.20.1, HJ-2 192.168.20.2 |
Router | / | 1.1.1.0/24 | / | Loopback interface 1.1.1.1/24, simulating an Internet segment |
Link address plan
Link | VLAN | IP subnet | IP addresses |
---|---|---|---|
HJ-1 - CORE | 100 | 192.168.100.0/24 | HJ-1 192.168.100.1, CORE 192.168.100.2 |
HJ-2 - CORE | 200 | 192.168.200.0/24 | HJ-2 192.168.200.1, CORE 192.168.200.2 |
CORE - Router | 110 | 192.168.110.0/24 | CORE 192.168.110.1, Router 192.168.110.2 |
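HJ-1 is the root bridge for VLAN 10 and also the user gateway for VLAN 10. HJ-2 is the root bridge for VLAN 20 and also the user gateway for VLAN 20.
Except for the router, all devices are named according to the labels in the topology, for example: ACC-1
OSPF Router IDs are assigned manually by device number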
Device | RID |
---|---|
HJ-1 | 1.1.1.1 |
HJ-2 | 2.2.2.2 |
CORE | 3.3.3.3 |
Router | 4.4.4.4 |
4. Device configuration
HJ-1:
```
vlan batch 10 20 100
stp instance 1 root primary
stp instance 2 root secondary
cluster enable
ntdp enable
ndp enable
dhcp enable
diffserv domain default
drop illegal-mac alarm
stp region-configuration
 region-name ACC
 instance 1 vlan 10
 instance 2 vlan 20
 active region-configuration
drop-profile default
ip pool vlan10
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 dns-list 8.8.8.8
ip pool vlan20
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 dns-list 8.8.8.8
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.254
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 15
 vrrp vrid 1 track interface GigabitEthernet0/0/5 reduced 25
 dhcp select global
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.20.254
 dhcp select global
interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
interface Eth-Trunk0
 port link-type trunk
 port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/1
 eth-trunk 0
interface GigabitEthernet0/0/2
 eth-trunk 0
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 100
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 192.168.10.1 0.0.0.0
  network 192.168.20.1 0.0.0.0
  network 192.168.100.1 0.0.0.0
user-interface con 0
user-interface vty 0 4
```
HJ-2:
```
vlan batch 10 20 200
stp instance 1 root secondary
stp instance 2 root primary
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
dhcp enable
diffserv domain default
stp region-configuration
 region-name ACC
 instance 1 vlan 10
 instance 2 vlan 20
 active region-configuration
drop-profile default
ip pool vlan10
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 dns-list 8.8.8.8
ip pool vlan20
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 dns-list 8.8.8.8
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
interface Vlanif10
 ip address 192.168.10.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.254
 dhcp select global
interface Vlanif20
 ip address 192.168.20.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.20.254
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 15
 vrrp vrid 1 track interface GigabitEthernet0/0/5 reduced 25
 dhcp select global
interface Vlanif200
 ip address 192.168.200.1 255.255.255.0
interface Eth-Trunk0
 port link-type trunk
 port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/1
 eth-trunk 0
interface GigabitEthernet0/0/2
 eth-trunk 0
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 200
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 192.168.10.2 0.0.0.0
  network 192.168.20.2 0.0.0.0
  network 192.168.200.1 0.0.0.0
user-interface con 0
user-interface vty 0 4
```
ACC-1:
```
vlan batch 10 20
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
diffserv domain default
stp region-configuration
 region-name ACC
 instance 1 vlan 10
 instance 2 vlan 20
 active region-configuration
drop-profile default
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 10
user-interface con 0
user-interface vty 0 4
```
ACC-2:
```
vlan batch 10 20
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
diffserv domain default
stp region-configuration
 region-name ACC
 instance 1 vlan 10
 instance 2 vlan 20
 active region-configuration
drop-profile default
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20
user-interface con 0
user-interface vty 0 4
```
CORE:
```
vlan batch 100 110 200
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
diffserv domain default
drop-profile default
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
interface Vlanif100
 ip address 192.168.100.2 255.255.255.0
interface Vlanif110
 ip address 192.168.110.1 255.255.255.0
interface Vlanif200
 ip address 192.168.200.2 255.255.255.0
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 100
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 200
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 110
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 192.168.100.2 0.0.0.0
  network 192.168.110.1 0.0.0.0
  network 192.168.200.2 0.0.0.0
user-interface con 0
user-interface vty 0 4
```
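5. Communication status between devices:
Access layer and aggregation layer
- ACC-1 and HJ-1: The ports on ACC-1 that connect PC1 and PC2 are assigned to VLAN 10, and GE 0/0/1 connects as a trunk link to the aggregated link on HJ-1. VLAN 10 traffic passes normally between the two, so PC1 and PC2 can communicate with HJ-1.
- ACC-2 and HJ-2: The port on ACC-2 that connects PC3 is assigned to VLAN 20, and GE 0/0/1 connects as a trunk link to the aggregated link on HJ-2. VLAN 20 traffic passes normally between the two, so PC3 can communicate with HJ-2.
Between the aggregation switches
- HJ-1 and HJ-2: A high-bandwidth connection is established through link aggregation and configured as a trunk link that allows VLAN 10 and VLAN 20. MSTP prevents layer-2 loops, and VLAN 10 and VLAN 20 traffic passes between the two as needed, with path selection using HJ-1 as the primary root for VLAN 10 and HJ-2 as the primary root for VLAN 20.
Aggregation layer and core layer
- HJ-1, HJ-2 and CORE: HJ-1 and HJ-2 connect to CORE over trunk links that allow VLAN 10 and VLAN 20. With OSPF running, layer-3 reachability is established, so VLAN 10 and VLAN 20 can communicate with the core-layer device.
Core layer and router
- CORE and R1: An OSPF neighbor relationship is established and the relevant networks are advertised, giving layer-3 connectivity so that the internal VLAN networks can reach the Internet through R1.
Redundancy
- VRRP: In VLAN 10, HJ-1 is the master gateway and HJ-2 is the backup gateway; in VLAN 20 the roles are reversed. When the uplink of the master gateway device fails, the backup gateway can take over after the configured preemption delay (15s), so gateway-level communication for devices in the VLAN is not interrupted.
- MSTP: Edge ports and the BPDU protection and filtering functions are configured, which keeps the links between access-layer and aggregation-layer devices stable, prevents interference from illegitimate BPDUs, improves user experience, and keeps access-side communication reliable.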
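As an added example (not part of the original lab write-up), the following Python script audits a VRP configuration dump for the edge-port and BPDU-protection half of requirement 5 and for local-user passwords set with the `simple` keyword, as seen in the configurations in section 4. It assumes sub-commands are indented as in `display current-configuration` output; the function names and the sample input are constructed for illustration.

```python
import re

# Constructed sample based on ACC-1: GE0/0/3 hardened, GE0/0/4 as on the page.
SAMPLE = """\
stp bpdu-protection
aaa
 local-user admin password simple admin
interface GigabitEthernet0/0/1
 port link-type trunk
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
 stp edged-port enable
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 10
"""

def parse_sections(config):
    """Split a VRP dump into (header, [indented sub-commands]) pairs."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and '#' separators
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def audit(config):
    """Return sorted findings for the spanning-tree and credential checks."""
    sections = parse_sections(config)
    headers = {header for header, _ in sections}
    findings = []
    if "stp bpdu-protection" not in headers:
        findings.append("global: stp bpdu-protection not enabled")
    for header, body in sections:
        if header.startswith("interface ") and "port link-type access" in body:
            if "stp edged-port enable" not in body:
                findings.append(f"{header.split()[1]}: access port is not an edge port")
        for cmd in body:
            m = re.match(r"local-user (\S+) password simple ", cmd)
            if m:
                findings.append(f"local-user {m.group(1)}: password set with 'simple' keyword")
    return sorted(findings)

print("\n".join(audit(SAMPLE)))
```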