Huawei Network Engineer Certification HCNP-IENP

MPLS protocol principles and configuration (lab archive attached at the end)

MPLS: Multiprotocol Label Switching
LDP: Label Distribution Protocol
LSP: Label Switched Path
LSR: Label Switching Router

MPLS LDP configuration

Basic configuration
[S1]int Vlanif 1
[S1-Vlanif1]ip add 10.0.1.2 24

[R1]int gi0/0/0
[R1-GigabitEthernet0/0/0]ip add 10.1.1.1 24
[R1]int gi0/0/1
[R1-GigabitEthernet0/0/1]ip add 10.2.2.1 24
[R1]int gi 0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.0.1.1 24
[R1]int S4/0/0
[R1-Serial4/0/0]ip address 10.0.12.1 24
[R1]int loopback 0
[R1-LoopBack0]ip address 2.2.2.2 24

[R2]int S4/0/0
[R2-Serial4/0/0]ip address 10.0.12.2 24
[R2]int S4/0/1
[R2-Serial4/0/1]ip address 10.0.23.2 24
[R2]int loopback 0
[R2-LoopBack0]ip address 3.3.3.3 24

[R3]interface Gi0/0/0
[R3-GigabitEthernet0/0/0]ip address 10.0.2.1 24
[R3]int S4/0/0
[R3-Serial4/0/0]ip address 10.0.23.3 24
[R3-Serial4/0/0]quit
[R3]int loopback 0
[R3-LoopBack0]ip address 4.4.4.4 24

[S2]int Vlanif 1
[S2-Vlanif1]ip address 10.0.2.2 24

Configure single-area OSPF
[S1]ospf 1 router-id 1.1.1.1
[S1-ospf-1]area 0
[S1-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.255

[R1]ospf 1 router-id 2.2.2.2
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 2.2.2.0 0.0.0.255

[R2]ospf 1 router-id 3.3.3.3
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 3.3.3.0 0.0.0.255

[R3]ospf 1 router-id 4.4.4.4
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]network 10.0.2.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]network 4.4.4.0 0.0.0.255

[S2]ospf 1 router-id 5.5.5.5
[S2-ospf-1]area 0
[S2-ospf-1-area-0.0.0.0]network 10.0.2.0 0.0.0.255

After the configuration is complete, verify connectivity.

MPLS LDP configuration
Configure global MPLS and LDP on each MPLS router.
[R1]mpls lsr-id 2.2.2.2   // configure the LSR ID (global MPLS cannot be enabled without an LSR ID)
[R1]mpls    // enable MPLS
Info:Mpls starting,please wait...OK!
[R1-mpls]mpls ldp   // enable LDP

[R2]mpls lsr-id 3.3.3.3
[R2]mpls 
Info:Mpls starting,please wait...OK!
[R2-mpls]mpls ldp

[R3]mpls lsr-id 4.4.4.4
[R3]mpls 
Info:Mpls starting,please wait...Ok!
[R3-mpls]mpls ldp

Configure MPLS and LDP on the interfaces of each MPLS router.
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]mpls  // enable MPLS
[R1-Serial1/0/0]mpls ldp   // enable LDP

[R2]interface Serial 1/0/0
[R2-Serial1/0/0]mpls
[R2-Serial1/0/0]mpls ldp
[R2-Serial1/0/0]quit
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]mpls
[R2-Serial2/0/0]mpls ldp

[R3]interface Serial 2/0/0
[R3-Serial2/0/0]mpls
[R3-Serial2/0/0]mpls ldp

After the configuration is complete, run display mpls ldp session on each node; the local LDP sessions between R1, R2 and R3 show the status "Operational".

LDP establishes LSPs

Once the configuration is complete, each MPLS router has already established LSPs according to the default LDP trigger policy, which triggers an LDP LSP for every host route.
Run display mpls ldp lsp on each MPLS router; all host routes have triggered LDP LSPs.

Normally the default trigger policy is used, i.e. LDP LSPs are triggered in "host" mode.
Change the LDP LSP trigger policy on each MPLS router to all, so that all static routes and IGP entries in the routing table can trigger LDP LSP establishment.

[R1]mpls
[R1-mpls]lsp-trigger all  // change the trigger policy to all
[R2]mpls
[R2-mpls]lsp-trigger all
[R3]mpls
[R3-mpls]lsp-trigger all

LDP inbound policy configuration

R1 has limited resources. If the labels R1 receives are not controlled, a large number of LSPs are established and consume a lot of memory, which R1 cannot afford.
Configure an LDP inbound policy so that R1 accepts only the label mapping messages toward R2; R1 then establishes only the LSP to R2, which reduces wasted resources.
Run display mpls lsp on R1 to view the LSPs that have been established.

[R1]ip ip-prefix prefix1 permit 10.0.12.0 24   // permit routes to this subnet
[R1]mpls ldp
[R1-mpls-ldp]inbound peer 3.3.3.3 fec ip-prefix prefix1
[R1-mpls-ldp]quit
[R1]display mpls lsp
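To show what the inbound policy above does to the label mappings R1 receives from R2 once lsp-trigger all is in effect, here is an added Python model; it is not the page's or the device's code. The peer ID and prefixes come from the lab, the helper names and the sample mappings are assumptions.

```python
import ipaddress

# Constructed model of the LDP inbound policy configured on R1 above:
#   ip ip-prefix prefix1 permit 10.0.12.0 24
#   inbound peer 3.3.3.3 fec ip-prefix prefix1
# An ip-prefix entry without greater-equal/less-equal matches only the exact
# prefix and mask length, and an ip-prefix list ends with an implicit deny.
IP_PREFIX_LISTS = {
    "prefix1": [("permit", "10.0.12.0/24")],
}
# peer LSR ID -> ip-prefix list applied to label mappings received from it
INBOUND_POLICY = {"3.3.3.3": "prefix1"}


def prefix_list_permits(list_name, fec):
    """Evaluate an ip-prefix list: first match wins, implicit deny at the end."""
    net = ipaddress.ip_network(fec, strict=False)
    for action, entry in IP_PREFIX_LISTS[list_name]:
        if net == ipaddress.ip_network(entry):
            return action == "permit"
    return False


def accept_label_mapping(peer, fec):
    """True if R1 keeps the label mapping for fec received from peer."""
    list_name = INBOUND_POLICY.get(peer)
    if list_name is None:  # no inbound policy for this peer: accept everything
        return True
    return prefix_list_permits(list_name, fec)


def filter_mappings(mappings):
    """Apply the policy to (peer, fec, label) tuples and return the accepted ones."""
    return [m for m in mappings if accept_label_mapping(m[0], m[1])]


# Constructed sample: mappings R2 would advertise to R1 with lsp-trigger all.
SAMPLE_MAPPINGS = [
    ("3.3.3.3", "10.0.12.0/24", 3),
    ("3.3.3.3", "10.0.23.0/24", 1024),
    ("3.3.3.3", "4.4.4.0/24", 1025),
    ("3.3.3.3", "10.0.12.0/25", 1026),
]

if __name__ == "__main__":
    for peer, fec, label in filter_mappings(SAMPLE_MAPPINGS):
        print(f"accepted FEC {fec} with label {label} from {peer}")
```

Only the /24 toward R2 survives; a longer prefix inside the same range is dropped because the ip-prefix entry matches the mask length exactly.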

Lab topology and configuration

Route Distinguisher (RD)
Route Target (RT)

MPLS VPN configuration (unfinished)

Branch 1 and Branch 2 may communicate only with headquarters; the branches must not communicate with each other. Configure the devices correctly according to the information in the diagram so that users at headquarters can reach the users at each branch.

Provider network basic configuration
[R1]int loop 0
[R1-LoopBack0]ip add 1.1.1.1 32
[R2]int gi0/0/0
[R2-GigabitEthernet0/0/0]ip add 10.1.1.1 24
[R2]int gi0/0/1
[R2-GigabitEthernet0/0/1]ip add 10.2.2.1 24
[R1-LoopBack0]int s4/0/0
[R1-Serial4/0/0]ip add 12.12.12.1 24
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]net 1.1.1.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]net 12.12.12.0 0.0.0.255

[R2]int s4/0/0
[R2-Serial4/0/0]int loop 0
[R2-LoopBack0]ip add 2.2.2.2 32
[R2-LoopBack0]int s4/0/0
[R2-Serial4/0/0]ip add 12.12.12.2 24
[R2-Serial4/0/0]int s4/0/1
[R2-Serial4/0/1]ip add 23.23.23.2 24
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]net 2.2.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]net 12.12.12.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]net 23.23.23.0 0.0.0.255

[R3]int loop 0
[R3-LoopBack0]ip add 3.3.3.3 32
[R3-LoopBack0]int s4/0/0
[R3-Serial4/0/0]ip add 23.23.23.3 24
[R3-Serial4/0/0]int s4/0/1
[R3-Serial4/0/1]ip add 34.34.34.3 24	
[R3]ospf 1 router-id 3.3.3.3
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]net 3.3.3.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]net 23.23.23.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]net 34.34.34.0 0.0.0.255

[R4]int loop 0
[R4-LoopBack0]ip add 4.4.4.4 32
[R4-LoopBack0]int s4/0/0
[R4-Serial4/0/0]ip add 34.34.34.4 24
[R4]int gi0/0/0
[R4-GigabitEthernet0/0/0]ip add 10.3.3.1 24
[R4]ospf 1 router-id 4.4.4.4
[R4-ospf-1]area 0
[R4-ospf-1-area-0.0.0.0]net 4.4.4.4 0.0.0.0
[R4-ospf-1-area-0.0.0.0]net 34.34.34.0 0.0.0.255

CE-side network configuration
[CE1]int gi0/0/0
[CE1-GigabitEthernet0/0/0]ip add 10.1.1.2 24
[CE1]int loop 0
[CE1-LoopBack0]ip add 10.0.0.1 32
[CE1]ospf 1 router-id 10.0.0.1  
[CE1-ospf-1]area 0
[CE1-ospf-1-area-0.0.0.0]net 10.0.0.1 0.0.0.0
[CE1-ospf-1-area-0.0.0.0]net 10.1.1.0 0.0.0.255

[CE2]int loop 0
[CE2-LoopBack0]ip add 10.0.0.2 32
[CE2-LoopBack0]int gi0/0/0
[CE2-GigabitEthernet0/0/0]ip add 10.2.2.2 24
[CE2]ip route-static 0.0.0.0 0 10.2.2.1

[CE3]int gi0/0/0
[CE3-GigabitEthernet0/0/0]ip add 10.3.3.2 24
[CE3-GigabitEthernet0/0/0]int loop 0
[CE3-LoopBack0]ip add 10.0.0.3 32
[CE3-LoopBack0]bgp 200
[CE3-bgp]peer 10.3.3.1 as 100
[CE3-bgp]net 10.0.0.3 32

VPN configuration
[R1]ip vpn-instance vpn1   // create VPN instance vpn1
[R1-vpn-instance-vpn1]route-distinguisher 100:1   // configure the RD of vpn1
[R1-vpn-instance-vpn1-af-ipv4]vpn-target 100:1 export-extcommunity   // export route target of vpn1
[R1-vpn-instance-vpn1-af-ipv4]vpn-target 100:3 import-extcommunity   // import route target of vpn1
[R1]ip vpn-instance vpn2
[R1-vpn-instance-vpn2]route-distinguisher 100:2   // configure the RD of vpn2
[R1-vpn-instance-vpn2-af-ipv4]vpn-target 100:2 export-extcommunity
[R1-vpn-instance-vpn2-af-ipv4]vpn-target 100:3 import-extcommunity

[R4]ip vpn-instance vpn3	
[R4-vpn-instance-vpn3]route-distinguisher 100:3	
[R4-vpn-instance-vpn3-af-ipv4]vpn-target 100:3 export-extcommunity 	
[R4-vpn-instance-vpn3-af-ipv4]vpn-target 100:1 import-extcommunity 
[R4-vpn-instance-vpn3-af-ipv4]vpn-target 100:2 import-extcommunity

[R1]int gi0/0/0
[R1-GigabitEthernet0/0/0]ip binding vpn-instance vpn1   // bind this interface to instance vpn1
[R1-GigabitEthernet0/0/0]int gi0/0/1
[R1-GigabitEthernet0/0/1]ip binding vpn-instance vpn2   // bind this interface to instance vpn2

[R4]int gi0/0/0
[R4-GigabitEthernet0/0/0]ip binding vpn-instance vpn3

Configuration for interconnecting the provider network and the CEs
[R1]ospf 2 vpn-instance vpn1   // OSPF inside vpn1
[R1-ospf-2]area 0
[R1-ospf-2-area-0.0.0.0]net 10.1.1.0 0.0.0.255
[R1]ip route-static vpn-instance vpn2 10.0.0.2 32 10.2.2.2   // static route inside vpn2

[R4]bgp 100	
[R4-bgp]ipv4 vpn-instance vpn3
[R4-bgp-vpn3]peer 10.3.3.2 as 200
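As an added illustration (not the page's or the device's code), the following Python models how the RT import/export lists configured above decide which VPN instances exchange routes, and checks the hub-and-spoke requirement stated for this lab. The RD and RT values are the page's; the function names and the VPNv4 keying helper are assumptions.

```python
# Constructed model of the RD/RT configuration above; an added illustration,
# not the page's or the device's code. A VPNv4 route exported with RT X is
# imported by every vpn-instance whose import list contains X, so two
# instances exchange traffic only when each imports what the other exports.
VPN_INSTANCES = {
    # name: (PE router, route distinguisher, export RTs, import RTs)
    "vpn1": ("R1", "100:1", {"100:1"}, {"100:3"}),
    "vpn2": ("R1", "100:2", {"100:2"}, {"100:3"}),
    "vpn3": ("R4", "100:3", {"100:3"}, {"100:1", "100:2"}),
}


def vpnv4_route(vpn, prefix):
    """Prefix a customer route with the instance RD. The RD only keeps
    overlapping customer addresses distinct; it plays no part in import."""
    return f"{VPN_INSTANCES[vpn][1]}:{prefix}"


def imports_routes_of(dst, src):
    """True if the dst instance imports the routes exported by the src instance."""
    src_export = VPN_INSTANCES[src][2]
    dst_import = VPN_INSTANCES[dst][3]
    return bool(src_export & dst_import)


def can_communicate(a, b):
    """Two-way traffic needs each side to learn the other's routes."""
    return imports_routes_of(a, b) and imports_routes_of(b, a)


def reachability_matrix():
    names = sorted(VPN_INSTANCES)
    return {a: {b: can_communicate(a, b) for b in names if b != a} for a in names}


def check_hub_and_spoke(hub, spokes):
    """Return the violations of 'every spoke talks to the hub and to nothing else'."""
    problems = [f"{s} cannot reach hub {hub}" for s in spokes
                if not can_communicate(hub, s)]
    for s in spokes:
        for t in spokes:
            if s < t and can_communicate(s, t):
                problems.append(f"{s} and {t} can reach each other")
    return problems


if __name__ == "__main__":
    for name, row in reachability_matrix().items():
        print(name, row)
    print("problems:", check_hub_and_spoke("vpn3", ["vpn1", "vpn2"]) or "none")
```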

Unfinished

DHCP protocol principles and configuration

DHCP: Dynamic Host Configuration Protocol
DHCP Relay: DHCP relay

DHCP configuration
Master configuring an IP pool
Master configuring a DHCP server
Master configuring a DHCP client
Master configuring DHCP relay
Master configuring the basic functions of DHCP Snooping

You are the company's network administrator. Because the company has many hosts, static address assignment is hard to manage, so a DHCP server must be set up.
R1 acts as the DHCP server and R4 as the DHCP client; R2 is the gateway for the devices below switch S1. Because DHCP Discover is a broadcast and cannot cross a router, DHCP Relay is deployed to forward request messages from R2 to R1. S2 receives no configuration and only forwards transparently. To improve network security and prevent another DHCP server from handing clients an incorrect address, DHCP Snooping is deployed on switch S1: R4 must obtain an address from DHCP server 1 (R1) and must not obtain one from DHCP server 2 (R3). To further strengthen protection, some DHCP Snooping features are enabled to prevent DHCP starvation attacks and DHCP man-in-the-middle attacks.

Step 1. Basic configuration and IP addressing
[R1]int gi0/0/0
[R1-GigabitEthernet0/0/0]ip add 10.0.12.1 24
[R1-GigabitEthernet0/0/0]int loop 0
[R1-LoopBack0]ip add 1.1.1.1 32

[R2]int gi0/0/0
[R2-GigabitEthernet0/0/0]ip add 10.10.10.2 24 
[R2-GigabitEthernet0/0/0]int gi0/0/1
[R2-GigabitEthernet0/0/1]ip add 10.0.12.2 24

[R3]int gi0/0/0
[R3-GigabitEthernet0/0/0]ip add 192.168.1.1 24

Step 2. DHCP client configuration (equivalent to a PC whose IP acquisition mode is DHCP)
[R4]dhcp enable 
[R4]int gi0/0/0
[R4-GigabitEthernet0/0/0]ip add dhcp-alloc

Configure routing between R1 and R2 (for reachability to the outside and for DHCP relay)
[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]net 1.1.1.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]net 10.0.12.0 0.0.0.255

[R2]ospf 1
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]net 10.0.12.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]net 10.10.10.0 0.0.0.255

Step 3. Configure IP pools
[R1]ip pool server1
[R1-ip-pool-server1]gateway-list 10.10.10.1
[R1-ip-pool-server1]net 10.10.10.0 mask 255.255.255.0
[R1-ip-pool-server1]excluded-ip-address 10.10.10.2 10.10.10.10   // reserve addresses .2 to .10 so they are not assigned
[R1-ip-pool-server1]dns-list 1.1.1.1
[R1-ip-pool-server1]lease day 3   // address lease is 3 days

[R3]ip pool server2
[R3-ip-pool-server2]gateway-list 192.168.1.1 
[R3-ip-pool-server2]net 192.168.1.0 mask 24
[R3-ip-pool-server2]excluded-ip-address 192.168.1.2 192.168.1.10
[R3-ip-pool-server2]dns-list 192.168.1.1
[R3-ip-pool-server2]lease day 3

Step 4. Configure a DHCP server based on the global address pool
[R3]dhcp en
Info: The operation may take a few seconds. Please wait for a moment.done.
[R3]int gi0/0/0
[R3-GigabitEthernet0/0/0]dhcp select global  // R4 can now obtain an IP

Step 5. Configure DHCP relay
[R1]dhcp en
[R1]int gi0/0/2
[R1-GigabitEthernet0/0/2]int gi0/0/0
[R1-GigabitEthernet0/0/0]dhcp select global

[R2]dhcp en
[R2]dhcp server group dhcp   // DHCP server group named dhcp
[R2-dhcp-server-group-dhcp]dhcp-server 10.0.12.1   // server address
[R2]int gi0/0/0
[R2-GigabitEthernet0/0/0]dhcp select relay   // this interface acts as a DHCP relay
[R2-GigabitEthernet0/0/0]dhcp relay server-select dhcp
R2 now has a DHCP server group containing one server with address 10.0.12.1, and DHCP relay is enabled on R2's G0/0/1 interface; the relay forwards DHCP requests to the server 10.0.12.1 in the group.

Shut down interface 0 on R3 so that R4 does not obtain an address from R3, then restart interface 0 on R4.

Step 6. Configure DHCP Snooping and attack prevention features

[SW1]dhcp enable  // enable DHCP globally
[SW1]dhcp snooping en   // enable DHCP snooping
[SW1]int gi0/0/3
[SW1-GigabitEthernet0/0/3]dhcp snooping enable   // port 3 is an untrusted port for DHCP servers
[SW1-GigabitEthernet0/0/3]int gi0/0/2
[SW1-GigabitEthernet0/0/2]dhcp snooping trusted   // port 2 is a trusted port for DHCP servers
R4 can now obtain an IP from R1.

Attack prevention: suppose R4 is an untrusted host that might launch a DHCP starvation attack, a man-in-the-middle attack and so on. How is that prevented?
[SW1-GigabitEthernet0/0/1]dhcp snooping check dhcp-chaddr en   // port 1: guard against starvation
[SW1]arp dhcp-snooping-detect enable   // global: guard against man-in-the-middle attacks
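The following Python model, added here and not the page's or the switch's code, replays a few constructed frames through the three snooping rules configured on SW1 above (trusted port, chaddr check, ARP check against the snooping binding table) so the drop decisions can be traced. Port names, MAC addresses and frames are assumptions.

```python
# Constructed model of the DHCP Snooping rules configured on SW1 above; an added
# illustration, not the page's or the switch's code. Ports and frames are assumed.
#   dhcp snooping trusted           -> server replies accepted only on trusted ports
#   dhcp snooping check dhcp-chaddr -> chaddr must equal the client's source MAC
#   arp dhcp-snooping-detect        -> ARP on untrusted ports must match a binding
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE"}


class DhcpSnooping:
    def __init__(self, trusted_ports, chaddr_check_ports):
        self.trusted = set(trusted_ports)
        self.chaddr_check = set(chaddr_check_ports)
        self.bindings = {}  # leased IP -> client MAC, learned from ACKs

    def dhcp_frame(self, port, src_mac, msg, chaddr, yiaddr=None):
        """Return 'forward' or a drop reason for one DHCP frame seen on port."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop: server message on untrusted port"
            if msg == "ACK":
                self.bindings[yiaddr] = chaddr
            return "forward"
        if msg in CLIENT_MSGS:
            if port in self.chaddr_check and chaddr != src_mac:
                return "drop: chaddr differs from source MAC"
            return "forward"
        return "drop: unknown DHCP message type"

    def arp_frame(self, port, sender_mac, sender_ip):
        """Return 'forward' or a drop reason for one ARP frame seen on port."""
        if port in self.trusted or self.bindings.get(sender_ip) == sender_mac:
            return "forward"
        return "drop: ARP sender does not match a DHCP snooping binding"


def run_demo():
    """Replay constructed frames through the switch model and return the verdicts."""
    sw = DhcpSnooping(trusted_ports={"GE0/0/2"}, chaddr_check_ports={"GE0/0/1"})
    return [
        sw.dhcp_frame("GE0/0/1", "00-e0-fc-00-00-04", "DISCOVER", "00-e0-fc-00-00-04"),
        sw.dhcp_frame("GE0/0/2", "00-e0-fc-00-00-01", "ACK", "00-e0-fc-00-00-04", "10.10.10.11"),
        sw.dhcp_frame("GE0/0/3", "00-e0-fc-00-00-03", "OFFER", "00-e0-fc-00-00-04", "192.168.1.11"),
        sw.dhcp_frame("GE0/0/1", "00-e0-fc-00-00-04", "DISCOVER", "02-11-22-33-44-55"),
        sw.arp_frame("GE0/0/1", "00-e0-fc-00-00-04", "10.10.10.11"),
        sw.arp_frame("GE0/0/1", "00-e0-fc-00-00-04", "10.10.10.1"),
    ]
```

Calling run_demo() shows the legitimate exchange forwarded, the reply from the untrusted server port dropped, the Discover with a forged chaddr dropped, and an ARP claiming the gateway address 10.10.10.1 dropped because no binding backs it.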

DHCP configuration document

Mirroring configuration

[Huawei]observe-port 1 int gi0/0/1   // observe port configuration
[Huawei]int gi0/0/2
[Huawei-GigabitEthernet0/0/2]port-mirroring to observe-port 1 both   // port 2 is the mirrored port; its traffic is copied to observe port 1

Mirroring configuration document

Basic network and routing configuration
[R1]int gi0/0/0
[R1-GigabitEthernet0/0/0]ip add 10.0.145.1 24
[R1]int s4/0/0
[R1-Serial4/0/0]ip add 10.0.12.1 24
[R1]ip route-static 10.0.34.0 24 10.0.12.2
[R2]int s4/0/0
[R2-Serial4/0/0]ip add 10.0.12.2 24
[R2]int gi0/0/0
[R2-GigabitEthernet0/0/0]ip add  10.0.34.2 24
[R2]ip route-static 10.0.145.0 24 10.0.12.1
[R3]int gi0/0/0
[R3-GigabitEthernet0/0/0]ip add 10.0.34.3 24
[R3]ip route-static 0.0.0.0 0 10.0.34.2
[R4]int gi0/0/0
[R4-GigabitEthernet0/0/0]ip add 10.0.145.4 24
[R4]ip route-static 0.0.0.0 0 10.0.145.1
[R5]int gi0/0/0
[R5-GigabitEthernet0/0/0]ip add 10.0.145.5 24
[R5]ip route-static 0.0.0.0 0 10.0.145.1
[S3-GigabitEthernet0/0/1]int vlanif 1
[S3-Vlanif1]ip add 10.0.145.3 24
[S3]ip route-static 0.0.0.0 0 10.0.145.1
[S4]int vlanif 1
[S4-Vlanif1]ip add 10.0.34.4 24
[S4]ip route-static 0.0.0.0 0 10.0.34.2
Posted 2020-12-09 21:23 by 不听不听王八念经